This document provides an overview of an Information Systems Security Review (ISR). It argues that everyone has a role in security according to their job function. It outlines the objectives of information systems security as the confidentiality, integrity and availability of data. It also discusses the business need for security depending on the business model, and the areas of a security review, including legal and regulatory sources, standards, and the scope of an ISR.
2. Everyone has a job in Security
♦ There is a misconception that security is a job only for the experts or the security professionals.
♦ Everyone plays an important role in security
♦ Security should be a part of everyone's job description
♦ The field's history comes from accountants and the military
– Auditors
– Network Admins
– Business Managers
3. Part 1: Objectives of IS Security
♦ The Confidentiality of Data
♦ The Integrity of Data
♦ The Availability of Data
C.I.A.
4. Basic Security Triad
As more and more information becomes available electronically, IS security will become more and more important.
5. Business Need for Security
♦ Each business model requires emphasis on different security objectives.
♦ A national defense system will place the greatest emphasis on confidentiality.
♦ A bank has a greater need for integrity.
♦ An emergency medical system will emphasize availability.
7. Part 3: ISR Sources
♦ Legal and Regulatory Sources
♦ NIST - National Institute of Standards and Technology
♦ ISO - International Organization for Standardization
♦ RFCs – Request for Comments
♦ Industry Standards
♦ Yellow Book (GAO Government Auditing Standards)
♦ SAS 94 (AICPA Statement on Auditing Standards No. 94, on the effect of information technology on the auditor's consideration of internal control)
8. Part 4: ISR Scope
♦ Limited Scope
– Not a full risk assessment
– A review, not an audit
– Based on information provided by the client
♦ Benefits include
– Gaining a better understanding of the FS environment
– Raising awareness about controls
– Highlighting management's responsibilities
– Uncovering major risks to financial data
– Raising awareness about regulatory requirements
– Has helped clients improve security
– Dispelling the client myth that everything is public knowledge
Maze & Associates
CE June 2003
Do not consider painful what is good for you.
--Euripides (Medea)
"Security should be the focus of every IT employee,"
Steve Williams, CIO Mattress Giant in Addison, Texas
Every employee should have security as a part of their job description, from the CEO all the way down.
Ortmeier, P.J., Security Management: An Introduction (New Jersey: Pearson Education Ltd., 2002)
1. Confidentiality
For secret or private information
Confidentiality is the concept that information is unavailable to those who are not authorized to access it.
Allowing access to information or resources only to those who need it is called access control.
The privacy of customer and employee information is becoming more and more important, if not to the business then to the customer or employee.
Legislation does mandate due diligence.
We should ensure that only the proper people have access to the information they need to perform their job, or that they have specifically been authorized to access.
Confidentiality is often the last concern addressed because its controls can impede business productivity.
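The access control idea above, as an added example that is not part of the original presentation: a deny-by-default check in Python in which a user may act on a resource only when one of the roles they hold has been explicitly granted that action. The users, roles and resource names are constructed for illustration; the point is that unknown users, unknown resources and ungranted actions all fail closed, and that every decision, denials included, is recorded for later review.

```python
"""Deny-by-default access control: need-to-know enforced by explicit grants.

Added example, not part of the original ISR material. The users, roles and
resource names below are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

Permission = Tuple[str, str]  # (resource, action)

# Each role is granted only the (resource, action) pairs its job needs.
# Anything absent from this table is denied; there is no wildcard entry.
ROLE_PERMISSIONS: Dict[str, Set[Permission]] = {
    "ap_clerk": {("ap_invoices", "read"), ("ap_invoices", "write"), ("gl_ledger", "read")},
    "controller": {("ap_invoices", "read"), ("gl_ledger", "read"), ("gl_ledger", "write")},
    "network_admin": {("firewall_config", "read"), ("firewall_config", "write")},
}

# Which roles each user holds. The network administrator holds no financial
# role: controlling the network does not create a need to know the ledger.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"ap_clerk"},
    "bob": {"controller"},
    "carol": {"network_admin"},
}


def is_authorized(user: str, resource: str, action: str) -> bool:
    """True only if some role held by `user` explicitly grants (resource, action).

    Unknown users, unknown roles, unknown resources and unknown actions all
    fall through to the final `return False`: the check fails closed.
    """
    for role in USER_ROLES.get(user, set()):
        if (resource, action) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def access(user: str, resource: str, action: str, audit: List[str]) -> bool:
    """Make the decision at the point of access and record it either way.

    Denials are logged as well as allows; the audit trail is how a reviewer
    later confirms that the control was actually enforced.
    """
    allowed = is_authorized(user, resource, action)
    verdict = "ALLOW" if allowed else "DENY"
    audit.append(f"{verdict} user={user} action={action} resource={resource}")
    return allowed


def demo() -> List[str]:
    """Exercise the control with one request per interesting case."""
    audit: List[str] = []
    access("alice", "gl_ledger", "read", audit)    # ALLOW: her job needs it
    access("alice", "gl_ledger", "write", audit)   # DENY: not granted to ap_clerk
    access("carol", "gl_ledger", "read", audit)    # DENY: no need to know
    access("dave", "ap_invoices", "read", audit)   # DENY: unknown user
    access("bob", "payroll", "read", audit)        # DENY: unknown resource
    return audit


if __name__ == "__main__":
    print("\n".join(demo()))
```

The table is deliberately an allow list rather than a deny list: a new resource or a new user gets no access until someone decides they need it, which is the "only those who need it" rule from the notes expressed as code.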
2. Integrity
For accuracy and authenticity
Integrity ensures that information cannot be modified in unexpected ways.
Loss of integrity could result from human error, intentional tampering, or even catastrophic events.
The consequences of using inaccurate information can be disastrous or even dangerous.
For information to have any value, and in order to produce a quality product, the data must be protected against unauthorized or inadvertent modification.
If the authenticity of the information is in doubt or compromised, its integrity is jeopardized.
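The notes distinguish inadvertent modification from intentional tampering and tie integrity to authenticity. The following added example, not part of the original presentation, shows why that distinction matters for the control you choose: an unkeyed checksum catches a data-entry error or corruption, but an attacker who can rewrite the record can simply recompute it, whereas a keyed HMAC can only be recomputed by a holder of the key. The invoice record and the key are constructed for illustration.

```python
"""Detecting modification of a stored record: unkeyed checksum vs. keyed HMAC.

Added example, not part of the original ISR material. The invoice record and
the key below are constructed for illustration; a real key would come from a
key store, not sit beside the data it protects.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional


def canonical(record: dict) -> bytes:
    """Serialise deterministically so equal records always hash equally."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Unkeyed SHA-256. Catches accidents; anyone can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()


def seal(record: dict, key: bytes) -> str:
    """Keyed HMAC-SHA256. Only a key holder can produce a matching tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def store(record: dict, key: bytes) -> dict:
    """What gets written to storage: the record plus both integrity values."""
    return {"record": dict(record), "checksum": checksum(record), "tag": seal(record, key)}


def checksum_valid(row: dict) -> bool:
    return hmac.compare_digest(checksum(row["record"]), row["checksum"])


def tag_valid(row: dict, key: bytes) -> bool:
    # compare_digest is constant-time, so a mismatch does not leak its position.
    return hmac.compare_digest(seal(row["record"], key), row["tag"])


def demo(key: Optional[bytes] = None) -> Dict[str, Dict[str, bool]]:
    """Verify an untouched row, an accidentally altered row and a forged row."""
    key = key if key is not None else secrets.token_bytes(32)
    original = {"invoice": "INV-1042", "payee": "Acme Supply", "amount_cents": 125000}
    row = store(original, key)

    # Case 1: inadvertent modification (data-entry error, bit rot). Both stored
    # values were computed over the old content, so both now disagree with it.
    mistyped = dict(row, record=dict(original, amount_cents=152000))

    # Case 2: intentional tampering by someone with write access to the row.
    # They change the amount and recompute the checksum, which needs no secret,
    # but cannot recompute the tag without the key, so the old tag is left in place.
    forged_record = dict(original, amount_cents=1250000)
    forged = {"record": forged_record, "checksum": checksum(forged_record), "tag": row["tag"]}

    return {
        "untouched": {"checksum_ok": checksum_valid(row), "tag_ok": tag_valid(row, key)},
        "accidental": {"checksum_ok": checksum_valid(mistyped), "tag_ok": tag_valid(mistyped, key)},
        "tampered": {"checksum_ok": checksum_valid(forged), "tag_ok": tag_valid(forged, key)},
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10s} checksum_ok={result['checksum_ok']!s:5s} tag_ok={result['tag_ok']}")
```

The tag alone detects both cases; the checksum is kept in the example only to show what an unkeyed hash does and does not buy. Two caveats a reviewer would look for: the HMAC key must be held somewhere the people who can write the data cannot read (otherwise the forger just re-seals the row), and a tag says nothing about deletion or replay of an older valid row, which is an availability and freshness question rather than an integrity one.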
3. Availability
For utility and recovery
Availability means that resources are not deleted or made inaccessible to those who legitimately need them.
This applies not only to information but also to network machines and other parts of the technology infrastructure.
The inability to access required resources, whether caused by an attack or by a failure, is called "denial of service" (D.O.S.).
Information must be available and usable when needed.
What is the cost of unavailability (downtime)?
What good is information if you can't get it?
Redundancy, regular backups and limiting physical access help to increase availability.
As corporate America tries to work more closely with the federal government to improve network security, a primary goal among CEOs is avoiding new federal regulations. However, executives who are directly responsible for network security do not necessarily share that goal. CIOs and chief security officers across the country are quietly advocating regulation to spur their bosses into acting more effectively on network security, according to Tom Noonan, president and CEO of Internet Security Systems Inc.
There is a widespread feeling among executives accountable for IT that security is not receiving the attention it deserves from the helm, Noonan told top corporate executives gathered for a teleconference of the National Infrastructure Advisory Council Tuesday. "I've wanted to head for the hills every time I hear it," Noonan said.
Noonan's disclosure was met with resistance by members of the NIAC, many of which already face considerable regulation. "Another layer of regulation [in the pharmaceutical industry] would probably just make it more complicated to get things done," said Karen Katen, president of Pfizer Global Pharmaceuticals and executive vice president of Pfizer Inc.
The financial services industry is particularly eager to discourage Washington from adding any new mandates to its lengthy roster of federal rules. Alfred Berkeley, vice chairman of NASDAQ Stockmarket Inc., and Martin McGuinn, chairman and CEO of Mellon Financial Corp., voiced opposition to any further direct federal regulation.
Nonetheless, the NIAC will take a closer look at the potential need for regulatory guidance, particularly within sectors that are not necessarily motivated by profit to enhance security, such as the water and electricity industries, said Richard Davidson, NIAC chairman and president and CEO of Union Pacific Corp. "In some unusual situations, it might take regulation to make this happen," Davidson said.
The NIAC, made up of chief executives from companies hosting critical infrastructure, is now administered by the Department of Homeland Security. Robert Liscouski, who was appointed assistant secretary of Homeland Security for Infrastructure Protection in late March, sat in on Tuesday's meeting.
Addressing a concern expressed lately by prominent IT experts, including Richard Clarke, former cyber-security adviser to the president, Liscouski said that the Information Assurance and Infrastructure Protection division of the new department "places an especially high priority on protecting our cyber infrastructure."
"Lacking existing guidelines, people invent solutions," Chambers said, adding that ad hoc solutions can create new problems. A task force set up by the council will complete a study on the matter by the end of June, Chambers said, and the initial assessment is that disclosure can cause more risks than it eliminates.
Information security consists of maintaining the goals (confidentiality, integrity and availability of information) over the states in which data exists (while it is stored, processed and transmitted) by three means (having a policy, training users and administrators, and technology controls).
This graphic informs the fundamental approach to security and can be used to illustrate the intersection of information states (x-axis), the key objectives of C.I.A. (y-axis) and the three primary means of implementation (policy, education and technology).
C.I.A. (confidentiality, integrity, availability) are the goals.
S.P.T. (stored, processed, transmitted) are the information states.
P.E.T. (policy, education, technology) are the means.
Think of the cells where they intersect as check boxes.
NSTISSC: National Security Telecommunications and Information Systems Security Committee
Now called the Committee on National Security Systems (CNSS)
http://www.nstissc.gov
Legal and Regulatory Sources
U.S. Public Law 104-191, Health Insurance Portability and Accountability Act of 1996
U.S. Public Law 106-102, the Financial Services Modernization Act commonly known as the Gramm-Leach-Bliley Act
The Security Breach Information Act, CA Civil Code §1798.29 (Security Breach Disclosure)
CA Civil Code §1798.85 (Use of Social Security Numbers)
Information Security Management Handbook
GASSP - Generally Accepted System Security Principles
RFC 2196 - Site Security Handbook
NIST Special Publications 800 Series
ISO 17799 (derived from BS 7799)
OECD Guidelines for the Security of Information Systems
AICPA / CICA Trust Services Principles and Criteria (SysTrust and WebTrust)
Limited scope
Not a full risk assessment – beyond what we can provide
A review, not an audit
Based on information provided by the client – we rely on its truthfulness
Benefits include
Gaining a better understanding of the FS environment – SAS 94
Raising awareness about controls – many clients don't have a clue what they should be doing
Highlighting management's responsibilities – management does not know it must lead in this area
Uncovering major risks to financial data – big problems: hacking, water dripping on a server rack
Raising awareness about regulatory requirements – online bill pay
Has helped clients improve security – many have implemented our recommendations
Dispelling the client myth that everything is public knowledge – there is still confidential information, and they tend to forget that integrity is a part of security
"Not to know yet to think that one knows will lead to difficulty."
Lao-Tzu (6th century B.C.); Legendary Chinese philosopher
Each section covers a different area of security and may require interviews with different people, including:
Person or persons who control access to the financial system
Person or persons who control access to the network
Person or persons in charge of security or privacy
The review may also require copies of policies:
Security policy
Terms of use policy
Disaster recovery policy or plan
Please have a blank copy of an ISR to review as we go over the different sections.
Remember that a completed ISR is confidential information and its disclosure could significantly compromise the client's security. Clients can have a copy.
The internal memo is here to aid you in the creation of recommendations for the AIM.
Do not pass this form on to the client; you can copy and paste from the Word version.
Do you have any questions?