Essential Guide to Information Systems Security Reviews (ISR
•Download as PPT, PDF•
0 likes•671 views
This document provides an overview of an Information Systems Security Review (ISR). It discusses that everyone has a role in security according to their job function. It outlines the objectives of information systems security as confidentiality, integrity and availability of data. It also discusses the business needs for security depending on the business model and areas of security review including legal and regulatory sources, standards, and the scope of an ISR.
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Essential Guide to Information Systems Security Reviews (ISR
Similar to Essential Guide to Information Systems Security Reviews (ISR (20)
More from Donald E. Hester
More from Donald E. Hester (20)
Recently uploaded
Recently uploaded (20)
Essential Guide to Information Systems Security Reviews (ISR
- 1. Information Systems Security Review (ISR) A Brief Overview Maze & Associates Instructor: Donald E. Hester CISSP, MCSE, Security+, CTT+
- 2. Everyone has a job in Security ♦ There is a misconception that security is a job for the Experts or the security professionals. ♦ Everyone plays an important role in security ♦ Security should be a part of everyone’s job description ♦ History comes from accountants and military – Auditors – Network Admins – Business Managers
- 3. Part 1: Objectives of IS Security ♦ The Confidentiality of Data ♦ The Integrity of Data ♦ The Availability of Data C.I.A.
- 4. Basic Security Triad As more and more information becomes available electronically, IS security will become more and more important.
- 5. Business Need for Security ♦ Each business model requires emphasis on different security objectives. ♦ A national defense system will place the greatest emphasis on confidentiality. ♦ A bank has a greater need for integrity. ♦ An emergency medical system will emphasize availability.
- 6. Part 2: Areas of Security
- 7. Part 3: ISR Sources ♦ Legal and Regulatory Sources ♦ NIST - National Institute of Standards and Technology ♦ ISO - International Standards Organization ♦ RFCs – Request for Comments ♦ Industry Standards ♦ Yellow Book ♦ SAS 94
- 8. Part 4: ISR Scope ♦ Limited Scope – Not a full risk assessment – Review not an Audit – Based on information provided by client ♦ Benefits include – Gaining better understanding of FS environment – Raise awareness about controls – Highlight managements responsibilities – Uncover major risks to Financial data – Raise awareness about regulatory requirements – Helped clients improve security – Dispel client myth that everything is public knowledge
- 9. Part 5: Parts of ISR ♦ Sec 1: Statistics ♦ Sec 2: Disaster Plans ♦ Sec 3A: Security Management ♦ Sec 3B: Physical Security ♦ Sec 3C: Personnel Security ♦ Sec 3D: Application Security ♦ Sec 3E: Network Security ♦ Sec 4: Open Questions
- 10. Review ISR ♦ Review Sections of ISR ♦ Review Internal Memo ♦ Questions
Editor's Notes
- Maze & Associates CE June 2003 Do not consider painful what is good for you. --Euripedes (Medea)
- "Security should be the focus of every IT employee," Steve Williams, CIO Mattress Giant in Addison, Texas Every employee should have security as a part of their job description, from the CEO all the way down. Ortmeir, PJ, Security Management An Introduction, (New Jersey: Pearson Education Ltd., 2002)
- 1. Confidentiality For Secret or Private Information Confidentiality is the concept that information is unavailable to those who are unauthorized to access it. The concept of allowing access to information or resources only to those who need it is called access control. The privacy of customer and employee information is becoming more and more important, if not the business to the customer or employee. Legislation does mandate due diligence. We should ensure that only the proper people have access to the information needed to perform their job or that they have been authorized to access it Is often the last concern because it can impede business productivity. 2. Integrity For Accuracy and Authenticity Integrity ensures that information cannot be modified in unexpected ways. Loss of integrity could result from human error, intentional tampering, or even catastrophic events. The consequences of using inaccurate information be disastrous or even dangerous. For information to have any value and in order to produce quality product, the data must by protected against unauthorized or inadvertent modification. If the authenticity of the information is in doubt or compromised, the integrity is jeopardized. 3. Availability For Utility and Recovery Availability prevents resources from being deleted or becoming inaccessible. This applies not only to information, but also to network machines and other aspects of the technology infrastructure The inability to access required resources is called “denial of service” or D.O.S. Information must be available and usable when needed. What is the cost of unavailability (Downtime)? What good is information if you can’t get it? Redundancy, regular backups and limiting physical access helps to increase availability
- As corporate America tries to work more closely with the federal government to improve network security, a primary goal among CEOs is avoiding new federal regulations. However, executives who are directly responsible for network security do not necessarily share that goal. CIOs and chief security officers across the country are quietly advocating regulation to spur their bosses into acting more effectively on network security, according to Tom Noonan, president and CEO of Internet Security Systems Inc. There is a widespread feeling among executives accountable for IT that security is not receiving the attention it deserves from the helm, Noonan told top corporate executives gathered for a teleconference of the National Infrastructure Advisory Council Tuesday. "I've wanted to head for the hills every time I hear it," Noonan said. Noonan's disclosure was met with resistance by members of the NIAC, many of which already face considerable regulation. "Another layer of regulation [in the pharmaceutical industry] would probably just make it more complicated to get things done," said Karen Katen, president of Pfizer Global Pharmaceuticals and executive vice president of Pfizer Inc. The financial services industry is particularly eager to discourage Washington from adding any new mandates to its lengthy roster of federal rules. Alfred Berkeley, vice chairman of NASDAQ Stockmarket Inc., and Martin McGuinn, chairman and CEO of Mellon Financial Corp., voiced opposition to any further direct federal regulation. Nonetheless, the NIAC will take a closer look at the potential need for regulatory guidance, particularly within sectors that are not necessarily motivated by profit to enhance security, such as the water and electricity industries, said Richard Davidson, NIAC chairman and president and CEO of Union Pacific Corp. "In some unusual situations, it might take regulation to make this happen," Davidson said. The NIAC, made up of chief executives from companies hosting critical infrastructure, is now administered by the Department of Homeland Security. Robert Liscouski, who was appointed assistant secretary of Homeland Security for Infrastructure Protection in late March, sat in on Tuesday's meeting. Addressing a concern expressed lately by prominent IT experts, including Richard Clarke, former cyber-security adviser to the president, Liscouski said that the Information Assurance and Infrastructure Protection division of the new department "places an especially high priority on protecting our cyber infrastructure." "Lacking existing guidelines, people invent solutions," Chambers said, adding that ad hoc solutions can create new problems. A task force set up by the council will complete a study on the matter by the end of June, Chambers said, and the initial assessment is that disclosure can cause more risks than it eliminates.
- Information Security consists of maintaining the (goals) confidentiality, integrity and availability of information while (time) data is stored, processed and transmitted by (means) having a policy, training users and administrator and technology controls. This graphic informs the fundamental approach of security and can be used to illustrate the intersection of information states (x-axis), key objectives of C.I.A. (y-axis) and the three primary means to implement (policy, education and technology). C. I. A. is the Goals S. P. T. is the phases P. E. T. is the means Think of them as check boxes. N National S Security T Telecommunication and I Information S Systems S Security C Committee Now called Committee on National Security Systems (CNSS) http://www.nstissc.gov
- Legal and Regulatory Sources U.S. Public Law 104-191, Health Insurance Portability and Accountability Act of 1996 U.S. Public Law 106-102, the Financial Services Modernization Act commonly known as the Gramm-Leach-Bliley Act The Security Breach Information Act, CA Civil Code §1798.29 (Security Breach Disclosure) CA Civil Code §1798.85 (Use of Social Security Numbers) Information Security Management Handbook, GASSP Generally Accepted System Security Principles RFC 2196 Site Security Handbook NIST Special Publications 800 Series ISO 17799 From BS7799 OECD Guidelines for Securing Information Systems AICPA / CCIA Trust Services Principles and Criteria (SysTrust and WebTrust)
- Limited Scope Not a full risk assessment – beyond what we can provide Review not an Audit Based on information provided by client - truthfulness Benefits include Gaining better understanding of FS environment – SAS 94 Raise awareness about controls – many clients don’t have a clue what they should be doing Highlight managements responsibilities – management does not know they must be leaders in this area Uncover major risks to Financial data – Big problems, hacking, water dripping on server rack Raise awareness about regulatory requirements – Online bill pay Helped clients improve security – many have implemented our recommendations Dispel client myth that everything is public knowledge – there is still confidential information and they tend to forget integrity is a part of security "Not to know yet to think that one knows will lead to difficulty." Lao-Tzu (6th century B.C.); Legendary Chinese philosopher
- Each Section covers different areas of security and may require interviews with different people to include: Person or persons who control access to the Financial System Person or persons who control access to the Network Person or persons in charge of security or privacy May also require policies Security Policy Terms of Use policy Disaster Recovery Policy or Plan
- Please have a blank copy of an ISR to review as we go over the different sections. Remember the ISR is confidential information and disclosure could significantly compromise the clients security. Clients can have a copy. The Internal Memo is here to aid you in the creation of recommendations for the AIM Do not pass this form on to the client, you can copy and paste from the word version. Do you have any questions?