Security, Audit and Compliance: course overview
The presentation I use to introduce the post-grad module on information security and governance I teach at Edinburgh Napier University. If you want to find out more, google for 'INF11109' on the napier.ac.uk site.
  1. Security Audit & Compliance: subject overview. Peter Cruickshank
  2. Overview
     • Scope and context
     • What do we mean by security
     • Topics we will cover
     The aim is to let you see the scope, and to get you familiar with the concepts and issues.
  3. Stereotype 1
  4. Stereotype 2
  5. The aim of this course: mutual understanding between techies and managers.
  6. THE SCOPE OF THE INFORMATION SYSTEM
  7. Six components of an information system: Procedures, People, Data, Applications, Networks, Hardware (and a seventh, marked "?").
  8. Another view: a layered diagram of the computing system, the computing environment, the application environment and the socio-economic environment.
  9. IS in context: Application Environment
     • Growing business dependence on IS/IT
     • Development of general purpose rather than dedicated applications
       – Built using common toolsets
       – Less variety in structure & design
     • Large scale integration of data sets
     • Computer to computer transactions
     • Autonomous trading systems
  10. IS in context: Computing Environment
     • Growth in the power and availability of technology
     • Rapid spread of data communications networks
     • Development of powerful databases and search engines
     • High degree of component commonality
  11. IS in context: Socio-economic-legal
     • Increasing computer fraud
     • Concerns about privacy
     • Greater public knowledge of computing
     • Rising globalisation of trade
     • Introduction of specific laws to control the use of IT
     • Public policy v personal preference?
  12. The scope of this course: (Business) Computer and Information Systems
     • That is: we’re taking the viewpoint of an organisation and its management
       – Could be government, public sector or NGO
     • Issues around consumers or individual citizen rights are not central to what we cover
     • …nor is the role of ‘national security’ in setting the computer environment …though these are interesting and important in their own right
  13. WHAT IS SECURITY
  14. What is security? Mordac the preventer of information (Dilbert cartoon, © Dilbert.com)
  15. What is security? “The feeling and the reality of security”, Schneier 2008: “If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure. 1. The first is to make people actually more secure, and hope they notice. 2. The second is to make people feel more secure without making them actually more secure, and hope they don’t notice. The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.”
  16. …Watch for security theatre that is…
  17. The security balance
     Security: • Complex passwords are secure • Encryption protects assets
     Access: • Complex passwords prevent access • Encryption slows things down
     Risk:
     • Technology is not enough
     • Controls often conflict with usability and business objectives
  18. The security balance 2: a chart of effectiveness against the level of technical security, labelled “too risky” at the low end, “optimum balance” in the middle and “too complex to work” at the high end.
  19. What is security? Information security as…
     Science: • Security as an engineering discipline • Subject to systems thinking
     Art: • When things get complicated, it gets too much to plan • The security manager is left to judge the best way(s) forward
     Social science: • People interact with systems: users need to do things • Behavioural aspects of organisations and change management
  20. What is security? Example of making a business secure. Schneier’s three steps to improved security:
     1. Enforce liabilities
     2. Allow liabilities to be transferred
     3. Outsource security
     “Network security is a business problem, and the only way to fix it is to concentrate on the business issues… I have a three-step program towards improving computer and network security. None of the steps has anything to do with the technology; they all have to do with businesses, economics, and people.” (Liability & Security, in Schneier 2008)
  21. Security in business: concept map (Raval & Fichadia 2007, Ch 1). Nodes: Business model; Control & Security Management; Structure; Process; Information. Link labels: “is comprised of”, “warrant actions for”, “by”.
  22. CORE TOPICS
  23. Information Security Attributes
     • Confidentiality: protecting privacy
     • Integrity: protection from accidental or deliberate (malicious) modification
     • Availability: …for legitimate users; prevention of DoS attacks etc
     • Authentication: who are you; supports non-deniability
     • Authorization: what can you do?
     • Auditing: effective auditing and logging is the key to non-repudiation
  24. Business requirements in COBIT (COBIT 4.1)
     • Effectiveness: relevant and pertinent; timely, correct, consistent
     • Efficiency: productive and economical
     • Confidentiality: no unauthorised disclosure
     • Integrity: protection from accidental or malicious modification; accurate, complete, valid
     • Availability: …for legitimate users; prevention of DoS attacks etc
     • Reliability: appropriate information to support management decisions
  25. Secure Computing
     • A computing regime under which information may be stored and processed:
       – To defined standards of confidentiality, integrity and availability
       – To an assessable level of assurance
     Security is not a commodity. Security is a state of being!
  26. RELATED TOPICS
  27. Another theme: Governance, Risk Management, Compliance
  28. Governance frameworks
     • From the state: Legal
       – Privacy Laws
       – Property legislation: computers, IPR etc
     • Sources of law
       – National
       – European
       – USA
     • Standards
       – Security Criteria
       – Published Standards
  29. Ethics
     • Computing poses a new environment for ethical consideration
     • Who decides the ethical aspects?
       – Computer Professionals
       – Leaders of Commerce & Industry
       – Computer Users
       – Citizens
     • What happens when different values collide?
  30. Governance: Privacy
     • Holding of data relating to people
     • Aggregation of personal data
       – Data matching
       – Marketing of data
       – Universal Identifiers
     • Enforcement of fair practice
     • Need for a legal context
       – Local
       – Global
     • Interacts with individuals’ expression of their identity online
  31. Governance: Fraud & Abuse
     • Corrupting information
     • Damage and disruption
     • Threats to the person
     • Theft of property and services
     • Financial crime
  32. Managing threats and vulnerabilities
     • Threat: a potential event that can adversely affect an asset
     • Attack: a successful attack exploits vulnerabilities in your system
     • Risk: the likelihood and impact of that threat occurring
  33. Security management
     • Policies: sanctioned by senior management
     • Standards: built on sound policy; carry the weight of policy
     • Implemented through practices, procedures and guidelines
  34. Incident response and business continuity: an extension of risk management (Whitman & Mattord p212)
     • Impact analysis: accept; mitigate
     • Response planning: detection; reaction; recovery
     • Disaster recovery planning: crisis management; operations recovery
     • Business continuity planning: strategies; planning; management
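The threat/risk definitions on slide 32 and the accept-or-mitigate impact analysis on slide 34 can be put to work in a small risk register. The following is an added example and not part of the deck or its cited textbooks: the 1–5 scales, the product scoring, the risk-appetite threshold and the sample threats are all constructed assumptions chosen to show how residual risk is re-assessed after each control is applied.

```python
"""Added example: a minimal risk register applying the deck's definitions
(threat, likelihood, impact, risk) and the accept/mitigate decision.
Scales, threshold and sample threats are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List

# Constructed qualitative scales: 1 (rare / negligible) .. 5 (almost certain / severe)
RISK_APPETITE = 8  # assumption: scores at or below this are accepted as-is


@dataclass
class Risk:
    asset: str
    threat: str              # potential event that can adversely affect the asset
    likelihood: int          # 1..5
    impact: int              # 1..5
    controls: List[str] = field(default_factory=list)

    def score(self) -> int:
        """Risk combines likelihood and impact; here as their product."""
        return self.likelihood * self.impact


def treatment(risk: Risk) -> str:
    """Impact analysis outcome: accept within appetite, otherwise mitigate."""
    return "accept" if risk.score() <= RISK_APPETITE else "mitigate"


def mitigate(risk: Risk, control: str,
             likelihood_reduction: int = 0, impact_reduction: int = 0) -> Risk:
    """Return the residual risk after a control lowers likelihood and/or impact.
    Neither factor drops below 1: a control never removes a threat entirely."""
    return Risk(risk.asset, risk.threat,
                max(1, risk.likelihood - likelihood_reduction),
                max(1, risk.impact - impact_reduction),
                risk.controls + [control])


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest-scoring risks first, so mitigation effort goes where it matters."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


# Constructed sample register
SAMPLE_REGISTER = [
    Risk("customer database", "unauthorised disclosure via stolen credentials", 4, 5),
    Risk("order web server", "denial of service", 3, 3),
    Risk("archive tapes", "physical damage in storage", 1, 4),
]


def treat_top_risk() -> Risk:
    """Walk the highest risk through two rounds of mitigation until accepted."""
    top = prioritise(SAMPLE_REGISTER)[0]                  # score 20 -> mitigate
    step1 = mitigate(top, "multi-factor authentication", likelihood_reduction=2)
    # score 10: still above appetite, so a second control is needed
    step2 = mitigate(step1, "encrypt data at rest", impact_reduction=3)
    return step2                                          # score 4 -> accept


if __name__ == "__main__":
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.score():>2}  {treatment(r):8}  {r.asset}: {r.threat}")
    residual = treat_top_risk()
    print("residual:", residual.score(), treatment(residual), residual.controls)
```

The point the slides make is that risk management is iterative: after a control is applied, the residual risk is scored again and the accept/mitigate decision is repeated, rather than assuming one control closes the item.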
  35. System design principles
     • Authorisation
       – Rule driven controls
     • Least Privilege
       – Need to Know principle
     • Separation of duty
       – No individuals in complete control
     • Redundancy
       – To allow graceful degradation
  36. Controls
  37. Controls
     • Control activities are:
       – actions, supported by policies and procedures that,
       – when carried out properly and in a timely manner,
       – manage or reduce risks.
  38. Controls
     Prevent controls
     • Preventive controls attempt to deter or prevent undesirable events from occurring.
     • They are proactive controls that help to prevent a loss.
     • Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.
     Detect controls
     • Detective controls, on the other hand, attempt to detect undesirable acts.
     • They provide evidence that a loss has occurred but do not prevent a loss from occurring.
     • Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
  39. Controls
     • Both types of controls are essential to an effective internal control system.
     • From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
     • However, detective controls play a critical role providing evidence that the preventive controls are functioning and preventing losses.
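Slides 35 and 38–39 together describe how the design principles (rule-driven authorisation, least privilege, separation of duty) act as preventive controls, and why a detective control such as a log review or reconciliation is still needed to show that they are working. The following is an added example, not code from the deck or its sources: the roles, permissions, payment identifiers and audit log entries are constructed, and a payment workflow is assumed purely to have something concrete to authorise.

```python
"""Added example: the deck's design principles as a preventive control
(authorise before acting) plus a detective control (reconcile the audit
log afterwards). Roles, actions and the scenario are constructed."""
from collections import Counter
from typing import Dict, List, Optional, Set, Tuple

# Least privilege: each role holds only the actions its job needs (constructed)
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk":    {"payment:create"},
    "approver": {"payment:approve"},
    "manager":  {"payment:create", "payment:approve"},
    "auditor":  {"ledger:read"},
}

# (user, action, payment_id, outcome); auditing is what later makes non-repudiation possible
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


class AuthorisationError(PermissionError):
    pass


def authorise(user: str, role: str, action: str, payment_id: str,
              created_by: Optional[str] = None) -> bool:
    """Preventive control: rule-driven check run before the action happens."""
    # Rule 1, least privilege: the role must actually hold the permission
    if action not in ROLE_PERMISSIONS.get(role, set()):
        AUDIT_LOG.append((user, action, payment_id, "denied: no permission"))
        raise AuthorisationError(f"{role} may not {action}")
    # Rule 2, separation of duty: nobody approves a payment they created,
    # so no individual is in complete control of a payment
    if action == "payment:approve" and created_by == user:
        AUDIT_LOG.append((user, action, payment_id, "denied: separation of duty"))
        raise AuthorisationError("creator may not approve own payment")
    AUDIT_LOG.append((user, action, payment_id, "allowed"))
    return True


def review_log(log: List[Tuple[str, str, str, str]]) -> dict:
    """Detective control: a reconciliation run after the fact. It prevents
    nothing, but yields evidence: approvals with no matching creation in the
    log, and users who are repeatedly denied (misconfiguration or misuse)."""
    created = {pid for (_, a, pid, o) in log if a == "payment:create" and o == "allowed"}
    approved = {pid for (_, a, pid, o) in log if a == "payment:approve" and o == "allowed"}
    denials = Counter(u for (u, _, _, o) in log if o.startswith("denied"))
    return {"orphan_approvals": sorted(approved - created),
            "denials": dict(denials)}


def run_scenario() -> dict:
    """Constructed walk-through; returns the detective review of the resulting log."""
    AUDIT_LOG.clear()
    authorise("alice", "clerk", "payment:create", "P1")
    authorise("bob", "approver", "payment:approve", "P1", created_by="alice")
    authorise("carol", "manager", "payment:create", "P2")
    blocked = [("carol", "manager", "payment:approve", "P2", "carol"),   # SoD
               ("alice", "clerk", "payment:approve", "P1", "alice")]    # no permission
    for user, role, action, pid, creator in blocked:
        try:
            authorise(user, role, action, pid, created_by=creator)
        except AuthorisationError:
            pass                                   # denial is already logged
    authorise("dave", "approver", "payment:approve", "P2", created_by="carol")
    # Passes the preventive rules, yet P3 was never created in this system:
    # only the reconciliation notices it
    authorise("bob", "approver", "payment:approve", "P3")
    return review_log(AUDIT_LOG)


if __name__ == "__main__":
    print(run_scenario())
```

The preventive rules stop the two improper attempts, but they cannot flag the approval of P3, because nothing in the authorisation decision looks at history. That gap is exactly what the deck's detective controls (reviews, reconciliations, audits) exist to close, and the review also produces the evidence that the preventive rules were enforced.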
  40. Final thought: http://xkcd.com/936/