SlideShare a Scribd company logo

Educause+V4.ppt

Download as PPT, PDF
S
ssuser0e5cee

Auditoria de sistemas de información

Technology
1 of 61
An Auditor's Perspective on Frameworks for Information Systems Security in Higher Education Erwin “Chris” Carrow, University System of Georgia Brian Markham, University of Maryland, College Park Copyright Erwin L. Carrow & Brian Markham 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.
Session Agenda  Key Takeaways and Introductions  What Makes Higher Education Different  Business Risk and Functional Practices  Internal Controls: Quick Overview  Frameworks for Security  Specific Guidance and Standards  Additional Audit Considerations  Q&A
Key Takeaways At the end of this session you should be able to:  Identify business goals, functions, and associated roles and risk;  Understand the critical success factors during an audit;  Evaluate the internal control structure of your environment;  Know the standards and frameworks available for use in your environment;
Your Session Guides  Erwin “Chris” Carrow - IT Auditor, University System of Georgia Board of Regents  High level  General focus  Brian Markham - IT Compliance Specialist, University of Maryland at College Park  Low level  Specific focus
Auditing Higher Education: Challenges and Business Requirements Where are you at? Can seem like … HERDING CATS! EDS “Cat Herding” 1:07 minutes
What Makes Higher Education Similar and Yet Different?  Universities are not Corporations, but …  Herding Cats may be a common or predominate phenomena  Business functions and processes are similar  Objectives, rules and requirements are similar  Resources, e.g., people information, infrastructure, applications, etc.  Different set of risks, challenges, and regulatory mandates  “Open System” Attitude (moving target)! “Academic Freedom” is a privilege, not a right!  Diversity of administrative operational requirements  Diversity of instructional and faculty requirements  Operational and Functional sides of the house not always in agreement – leadership changes and challenges do exist!  Freedom of information  Difficulties in blocking or outlawing certain risky behaviors  Mandated safe guard information and information systems  Bottom-line: Environment must foster Learning and Research!
Auditors Ask the Question… What High Criticality Risks Exist? Categories of risk that may or may not apply:  Strategic : Affects the entities’ ability to achieve goals and objectives  Compliance : Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.  Reputational : Affects reputation, public perception, political issues, etc.  Financial : Affects loss of assets, technology, etc.  Operational : Affects on-going management processes and procedures
Enterprise Risk Management - Risk Probability and Impact
Threats and the Facts  Privacy Right Clearinghouse  Chronology of Data Breaches 2,500,000 since January 2005 that have been reported [www.privacyrights.org/ar/ChronDataBreaches.htm]  Ponemon –HRH 2008 Privacy Breach Index Survey (Sept 2008)  Self evaluation of overall performance of organization: -- 9% gave an “A” -- 31% gave a “B” -- 26% gave a ”C” -- 29% gave a “D” – 5% gave a “F” [www.HRH.com/privacy]  80 % believed their organizations experienced information system data breaches and loss of customer and personal information  50% Negligence, -- 29% Third-Party, 3% Hacker, --1% other criminal activity;  36% 1 to 4 breaches involving 100 or records; 32% 5 to 8; 31% 9 or more
Recognized Method for … Risk Prevention Assurance Risk Prevention “IT Trunk Monkey” 1:01 minutes
Regulatory Standards  FERPA, FISMA, HIPAA, PCI DSS, SOX, NCAA, A-21, A-133, PATRIOT, GLBA, ADA, CAA, CWA, OSHA, FLSA, FMLA, EEO, and possibly many others!  State, Local, and University System and Institution Guidelines  “Due Negligence” violations have cost institutions financially, but few if any individuals have gone to jail for lack of compliance  Reputational losses are the critical issue!  Avoid FUD – Fear, Uncertainty, and Doubt
Information Security and Compliance Responsibilities  Know and comply with Federal, State, Local, and University System and Institution Regulations  Talk to auditors, colleagues, peers, and administrators about information and information system regulatory compliance and security  Make the “alphabet soup” and security a top priority when evaluating new systems and initiatives  Understand how the regulations trickle down to through policies, standards, procedures, and the people involved (in a practical method)
What should a Risk Assessment identify about our environment?  What are the risks?  What are the impacts?  What is the likelihood it will happen?  Who is involved?  Are we willing to accept the risk?  What are we currently doing to mitigate this risk? Is it working like we think it should?
Making the Lose/Lose Situation … a Win/Win  A PERFECT information technology operational environment or risk prevention assurance system does not exist (e.g., IT Trunk Monkey)!  Priority directed to likely threats for known vulnerabilities by:  Affirming good controls and practices  Uncovering unknown vulnerabilities or inappropriate practices  Focus upon what is essential for the success of Your Institutions “Business Functions.” Which comprise of:  Business Rules or Requirements: A statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business.  Business Standards or Practices: A related group of business processes that support some aspects of the mission of an enterprise.
Doing Business and Dealing with the Nuts The Old Way…! Assessing Risk? 20th Century FOX “Ice Age” 1:55 min/sec
Nuts Can Be Challenging Business Process – Gathering and Storing NUTS and the Big Squeeze  Tasks of Dealing with the NUTS–  1. Gather Nuts  2. Store Nuts  3. The Big Squeeze? Operational versus Functional needs!  What are the Associated Risks? 20th Century FOX “Ice Age”
In Time, Nut Requirements Change The New Way …! Risk Assessment? 20th Century FOX “Ice Age 2: The Meltdown” 55 sec
Different Nuts, Different Methods History has a Way of Repeating Itself!  Old Ways can Influence New Ways of …,  Different Business Requirements – Use of Different Methods (Variety of NUTS)  Sometimes the NUTS get Bigger and Harder to CRACK  Risk may Change or Increase! 20th Century FOX “Ice Age 2: The Meltdown”
Making Peanut Butter Out of Nuts Moral: Life is Always Going to Be a Little Squirrelly  Business function Goals and Objectives can make the IT requirements a little NUTTY  Risk Implications associated with IT Implementations are NOT always CONSIDERED  Clearly Define the Task: Try making PEANUT BUTTER out of a difficult situation – it is easier to Store  WHERE DO YOU START? 20th Century FOX “Ice Age 2: The Meltdown”
Know Yourself – Know Your Enemy! The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise that was written during the 6th century BC by Sun Tzu.  Two Possible not Recommended Responses to the Challenge  Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play Computer games until the Inevitable Occurs  Idealistic and Unrealistic: Do the “Don Quixote (To Dream the Impossible Dream and Fight the Impossible Fight)” - Wear yourself out Fighting Windmills by shooting at whatever pops its head out!  Third Approach “How do you Eat the Elephant standing in the corner, Instead of Avoid it?” Take ONE BITE at a time by…  Strategizing a Response  Create a deliberate Long term Plan  Identify Short term Objectives and Milestones  Gain Key Shareholder ownership of the challenges  Test and Monitor the process with Identifiable Outcomes  Start with Business Functions – Gathering and Storing of NUTS
Business Functions (other Nuts)  It still comes down to …, Business Needs and Outcomes  Goals or Objectives  Rules and Requirements  Identifying critical business functions  Finance and Accounting  Financial Aid  Human Resources  Registration  Student Services  Other administrative functions  Identify the departments and who are the key personnel, e.g., Business owner, Trustees and Stewards?  Identify the systems that support these functions  How are the people and systems integrated into the business process?  What internal controls exist to mitigate risk?
Business Function’s Objective, Requirements, Resources, and Practices  YOU MUST KNOW …  What Business Principles are in Operation?  Reasons -Why you do things a certain Way Control Objectives for Information and related Technology (COBIT®)
Business Functions and their Characteristics Control Objectives for Information and related Technology (COBIT®)
Business Function Information from Origin to Destination  Identify how the information travels and is managed throughout the business function life cycle!  How packets of data are managed, provisioned, formatted, and transferred throughout business functions  How information is handled per its classification and intended use  Assess information and information system security from various perspectives  Who are the business owners, trustees, and stewards?
“Life Cycle” of Security & Process Provisioning
Risk Assessment Flow  The methodology for auditing the information and information systems for compliance and security is a Top Down process  Business Goals to Standards and Practices  Business Function to Information System  Leadership (administrator) to Technician or Staff member (end user)  Assess Requirements, Resources, and Processes  The approach will focus on key business functions and their associated Business Goals and Objectives as it relates to the audited entity e.g., Identity and Access Control Management (IAM), Perimeter and Network Security (NETSEC), etc.  Once identified and agreed upon for each business function, the key associated requirements, resources, and processes will be identified and assessed to determine if high or critical risk is being managed.  Focus on Control Practices, Responsibility / Accountability, associated with key activities with an expected CMMI level 3 criteria for High Risk Critical processes.
Principles for Consideration  1st Top-down Risk Based identification of threats and vulnerabilities for key Business processes and related IT support processes, e.g., change management, access security, operations, etc. (General Risk Assessment)  2nd Control of IT Risk that affect critical IT functionality in financially significant applications and related data (Particularized Risk Assessment)  3rd Layered Controls to mitigate risk for application program code, databases, operating systems, and the network (Operational processes that align with precedence of Risk)  4th Risk mitigation based upon Business and Control objectives (not the limitations of individual controls), have a Framework, structure, and methodology to support your risk strategy
When Assessing for Risk …  Risk assessment evaluates components of information, information system security and compliance as it relates to the business function  Assess  Mitigate / Monitor  Re-Assess  Ongoing risk management program must be in place  Business owner or key shareholder must own the process  Establish a standard for considering and negotiating risk  Annual (periodic) risk assessment deliverable with recommendations for corrective action  Clearly define and document accepted risk – someone needs to sign off on the responsibility
Risk Mitigation  Once risks are identified, they must be mitigated via internal controls  Internal Controls: a practice approved by management to mitigate risk or produce a desired outcome in a business process for implementing and enforcing information security and compliance  Preventive - controls to stop the problem from occurring  Detective - controls to find the problem  Corrective - controls to repair the problem after detection  Administrative - policies, standards, guidelines, and procedures  Technical - controls using hardware or software for processing and analysis  Physical - controls to implement barriers or deterrents  Document and retain artifacts.  Design  Document  Implement  Test the controls prior to implementation to validate expectations  Monitor results  Re-test controls periodically.
High Level IT Control Model IT Services OS/Data/Telecom/Continuity/Networks Business Process Procurement Business Process Accounts Payable Business Process Accounts Receivable/ Claiming Business Process Programs and Operations Executive Manag ement Agency Level IT Considerations IT General Controls Application Controls *End User Computing*
Re-Assess Risks  Risk Assessments are an on-going exercise;  Track mitigation strategies, did they work?  What “Framework(s)” are being applied?  Is there an identifiable “Structure” in place e.g., risk management program?  Is the “Methodology” recognizable, e.g., documented and not arbitrary?  Are you using Tools to monitor, manage, and validate the associated processes?  Test, re-test controls (Design and Effectiveness)  Document test results, corrective actions, changes in business needs/requirements.
Better Controls = Improved Security  IT Security comes down to presence and effectiveness of internal controls;  Weak controls = weak security  Audits are an evaluation of controls, audits are FREE consulting services!  All of the security practices that we utilize are really just controls, from firewalls to IPS to virus scanning.  How these controls come together ultimately determines out overall control environment (and our control gaps).  Framework?
Frameworks for IT Security  COBIT - High level business objectives and outcomes  ISO & NIST - Standards and checklists for consideration  Criteria - CMMI  CIS - Tools  ITIL - Process Models  Any framework is better than NO framework!  Frameworks map to structure which should produce a consistent methodology for addressing risk  Be able to explain …!  How it was derived  Why your strategy makes sense  How it manages risk
COBIT  Developed by the ITGI (Current v4.1)  Value of IT, Risk, and Control  Links IT service delivery to business requirements (already defined, right?)  A lifecycle; constantly adapting, improving, re- adapting  Four Responsibility Domains:  Plan and Organize (PO)  Acquire and Implement (AI)  Deliver and Support (DS)  Monitor and Evaluate (ME)  Make a grocery list of needs and then go shopping
COBIT Control Objectives for Information and related Technology (COBIT®)
COBIT Control Objectives for Information and related Technology (COBIT®)
ISO 27002  Code of Practice for Information Security Management  Divides IT Security into 11 Categories (Clauses)  Defines key controls over specific sub-categories  Defines implementation guidance for each key control  39 Control Objectives with 139 Controls  Control objectives are generic functional requirement specifications for an organization’s information and information system security management control architecture
ISO 27002 ISO 27002 Security Policy Organizing IT Security Physical Security Compliance HR Security Incident Mgmt Comm and Ops Mgmt IS Acquisition Mgmt Access Control Asset Mgmt BCM
ISO 27002  Benefits:  ISO 27002 is a very hands-on control guideline  DIY Framework, no consultants required  Proactive – not reactive.  Certification  Less stressful audits!  How do we get to ISO 27002?  Evaluate/Implement Key Controls;  This will require policies/processes/procedures;  Executive level buy-in;  Team effort, IT Security is EVERYONES responsibility.
NIST  NIST offers security guidance in many areas  Special Publications  Useful high level governance standards and practices  Practically every IT security subject is covered here  Written for the Feds but very useful for any organization  Current government agency 2007 self assessment average grade is “C-”, e.g., Academic probation  http://csrc.nist.gov/publications/PubsSPs.html
NIST Special Publications  Life Cycle of Risk Consideration
Center for Internet Security (CIS)  CIS Benchmarks provide guidelines for operating systems and databases;  User originated, widely accepted, and reflect the consensus of expert users worldwide;  Compliance with these benchmarks will reduce findings and lead to more secure computing platforms  Some benchmarks include :  Windows Server  Solaris  Oracle  Exchange
Center for Internet Security (CIS)  Use benchmarks from CIS for standard builds of servers, databases, and applications;  A self-appraisal/audit of current systems, builds;  Hardening guide to ward off attacks;  CIS certifies automated tools. Some providers include:  Belarc  CA  ConfigureSoft  Symantec  Tenable  Tripwire
CMMI  An identifiable criteria by which you should be evaluated!  Capability Maturity Model Integrated created by the Software Engineering Institute (SEI)  Level 0 - 5 (Non-Existent to Optimized)
CMMI  Variants of the CMMI: CMM & ISO 15504  Identifies WHERE you are at in the application of IT risk mitigation controls and HOW to get to the next level  Levels of Application  Level 0: No Recognizable Process, though one is needed  Level 1: Process is Ad-hoc and perform by key individuals  Level 2: Process is Repeatable , but not controlled  Level 3: Process is Defined & Documented and periodically Evaluated  Level 4: Managed & Measurable; effective Internal Controls with Risk Management  Level 5: Optimized Enterprise wide risk and control program
CMMI  Capability Maturity Model Integrated created by the Software Engineering Institute (SEI)  Level 0 - 5 (Non-Existent to Optimized)  Auditors need to be able to do more than “take someone's word for it”  Therefore … Level 3 is a minimum requirement  Defined processes  Documented processes to identify risk and associate roles and responsibility to mitigate risk  Processes in place to periodically review and evaluate controls
What Does Evidence Look Like?  Definition: Evidence must be Sufficient, Reliable and Relevant  The various types of audit evidence that the IS auditor consider using include:  Observed processes and existence of physical items, e.g., A computer room security system in operation  Documentary audit evidence, e.g., Activity and control logs, System development documentation  Representations, e.g., Written policies and procedures, System flowcharts, Written or oral statements  Analysis, e.g., Benchmarking IS performance against other organizations or past periods; Comparison of error rates between applications, transactions and users  Evidence gathering procedures considered are: Inquiry, Observation, Inspection, Confirmation, Re-performance, and Monitoring  Audit evidence should be useful to form an opinion or support the findings and conclusions.  Evidence gathered should be appropriately documented and organized to support the findings and conclusions.
ITIL - Process Modeling  When you don’t have a good understanding of “what right looks like”  Models most “Industry Standard “ information and information system technology processes  When in doubt “check it out and test it out”  Maps to COBIT  Complimentive to NIST and ISO  Helps to provide a starting place  Caution - can be overtly complicated
Example of IAM - Audited Entity to be Assessed for Risk  IAM: Identity and Access Control Management  Identity Management; the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agencies identities  Access Control; the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
Users Involved in Business Functions and Types of System Information? (Provisioning of High Risk or Critical Information)  Business Functional responsibility for assigning “Rights & Permissions” to various roles within the organization  Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Registrar, FinAid, HR, ConEd, etc.  Trustees: Responsible to maintain trust granted by Business owner, e.g., “Worker Bees” in the associated departments that conduct day to day operations  Stewards: Responsible to service and support the business function, typically provide a technical system or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.  Types of Information (Data Classification) per institution or university system standards  Unrestricted / Public: No consequence typically general information  Sensitive: typically references’ legal or externally imposed constraints that requires this restriction  Confidential: highest level of restriction, applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA
Example associated Key Process – Ecommerce e.g., One Card System  COBIT high level framework for controls relating to the Ecommerce systems  Plan and Organize (PO) — Provides direction to solution delivery(AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11  Acquire and Implement (AI) —Provides the solutions and passes them to be turned into services AI5 and AI4  Deliver and Support (DS) —Receives the solutions and makes them usable for end users: DS1, DS5 and DS11  Map the requirements to your preferred checklist, e.g. NIST or ISO  Requirements for Ecommerce Compliment other Processes  Less work required for other system implementations  No duplication of effort if requirements are properly addressed  Identity Management applies to many different other process requirements, e.g., Applications, Operating Systems, and Databases
Example: Identity and Access Control Management (IAM) COBIT Slide 1  COBIT 4.1 DS5.3 Identity Management  Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.  Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.  Ensure that user access rights are requested by user management, approved by system owners and implemented by the security- responsible person.  Maintain user identities and access rights in a central repository.  Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
Example: Identity and Access Control Management (IAM) COBIT Slide 2 Logical Didactic Approach - DS5.3 Identity Management (How it is Evaluated)  Control over the IT process of Ensure systems security that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents  By focusing on  defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents  Is achieved by  Understanding security requirements, vulnerabilities and threats  Managing user identities and authorizations in a standardized manner  Testing security regularly  And is measured by  Number of incidents damaging the organization's reputation with the public  Number of systems where security requirements are not met  Number of violations in segregation of duties
How to Measure Success? Maturity Model – CMMI DS5 Snapshoot (Criteria) DS5 Ensure Systems Security - Management of the process of Ensure systems security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is: 0 Non-existent when The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process. 1 Initial/Ad Hoc when The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable. 2 Repeatable but Intuitive when Responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain. 3 Defined when Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed. 4 Managed and Measurable when Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. .... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... . Security testing is completed using standard and formalized processes, leading to improvements of security levels. …. IT security reporting is linked to business objectives. IT security training is conducted …. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured. 5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated ….
COBIT 4.01 Standards to NIST Mapping –Integration with other Standards (Alignment of IT Controls to Mitigate Risk)
NIST 800-53, Revision 1 Standards Terminology and Application
Additional Considerations  Develop a strong working relationship with your auditors  Communicate with them even when not being audited (typically the most lonely folks on campus)!  Challenge and question their defined and documented processes for auditing (IIA)  Understand what auditors are looking for and why  Ask them where they see the risk and why  Run questions by them (VM Ware)  Some auditors are fallible, but …, NOT Brian or Chris (joke)!
Call to Action & Challenge “Birds of a Feather, Flock Together” or “Life is For the Birds” Be Different? PIXAR “For the Birds” 3:16 minutes
Thank you for your participation - any questions?  Higher Education is Different!  Understanding Business Risk and Functional Practices are critical  Internal Controls must be defined, documented, and reviewed  Chose and apply a security Framework that provides identifiable structure and an effective methodology to address risk  Lots of Guidance Standards, tools and modeled process to emulate  Internal Auditors can be a valuable resource!
Helpful Resources  CIS Benchmarks - http://www.cisecurity.org/benchmarks.html  IIA - www.theiia.org  ISACA - www.isaca.org  ISC(2) - www.isc2.org  ISO - www.iso.org  ITGI - www.itgi.org  NIST - csrc.nist.gov  NSA - www.nsa.gov  IASE - iase.disa.mil  Web App Consortium - www.webappsec.org  EDUCAUSE - educause.edu/security  Univ. Austin Texas Sec. - security.utexas.edu  Univ. Cornell Sec. - www.cit.cornell.edu/security  Virginia Tech Sec. - security.vt.edu  Ga. Tech Info Sec. Center - www.gtisc.gatech.edu
Last minute additions…  Thanks to the feedback of some of our participants, we wanted to add the following:  While CMMI is a maturity model, it is still primarily aimed towards software delivery. You may want to look into CMMI for service (SVC) and acquisition. Check them out here. The maturity model in COBIT is separate from CMM but is the same basic idea.  The ISO 27000 series in it’s entirety is worth a look. Check them out here.  COBIT & ITIL are less technical/IT Security related, NIST and ISO, more so. Keep this in mind when selecting a framework.

Recommended

Educause+V4
Educause+V4Educause+V4
Educause+V4ecarrow
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...PECB
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessJoel Cardella
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security RiskMurray Security Services
 
Information Security For Small Business
Information Security For Small BusinessInformation Security For Small Business
Information Security For Small BusinessJulius Clark, CISSP, CISA
 
DeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without ItDeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without ItEmerson Exchange
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach riskLivingstone Advisory
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseCGTI
 

Recommended

Educause+V4
Educause+V4Educause+V4
Educause+V4ecarrow
 
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...
ISO/IEC 27032 vs. ISO 31000 – How do they help towards Cybersecurity Risk Man...PECB
 
BSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessBSIDES DETROIT 2015: Data breaches cost of doing business
BSIDES DETROIT 2015: Data breaches cost of doing businessJoel Cardella
 
Information & Cyber Security Risk
Information & Cyber Security RiskInformation & Cyber Security Risk
Information & Cyber Security RiskMurray Security Services
 
Information Security For Small Business
Information Security For Small BusinessInformation Security For Small Business
Information Security For Small BusinessJulius Clark, CISSP, CISA
 
DeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without ItDeltaV Security - Don’t Let Your Business Be Caught Without It
DeltaV Security - Don’t Let Your Business Be Caught Without ItEmerson Exchange
 
Best practices to mitigate data breach risk
Best practices to mitigate data breach riskBest practices to mitigate data breach risk
Best practices to mitigate data breach riskLivingstone Advisory
 
Role of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseRole of The Board In IT Governance & Cyber Security-Steve Howse
Role of The Board In IT Governance & Cyber Security-Steve HowseCGTI
 
IT Controls Presentation
IT Controls PresentationIT Controls Presentation
IT Controls PresentationBill Lisse
 
Addressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider ThreatsAddressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider ThreatsForcepoint LLC
 
5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown JewelsIBM Security
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber SecurityStacy Willis
 
1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docx1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docxchristiandean12115
 
Building a business case & selecting an ehs mis platform
Building a business case & selecting an ehs mis platformBuilding a business case & selecting an ehs mis platform
Building a business case & selecting an ehs mis platformProcessMAP Corporation
 
Wisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LGWisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LGBrian T. O'Hara CISA, CISM, CRISC, CCSP, CISSP
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security FrameworkJerod Brennen
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus
 
Audit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingAudit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingTory Quinton
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdfMd. Sajjat Hossain
 
2015 LOMA Conference - Third party risk management - Session 20
2015 LOMA Conference - Third party risk management - Session 202015 LOMA Conference - Third party risk management - Session 20
2015 LOMA Conference - Third party risk management - Session 20Marc S. Sokol
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Devendra kashyap
 
Information security for small business
Information security for small businessInformation security for small business
Information security for small businessBDPA Charlotte - Information Technology Thought Leaders
 
Organizational Security: When People are Involved
Organizational Security: When People are InvolvedOrganizational Security: When People are Involved
Organizational Security: When People are InvolvedSocial Media Performance Group
 
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docx
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docxWeek 8 discussion Maintenance Tasks – Operational and Maintenanc.docx
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docxhelzerpatrina
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009asundaram1
 
Risk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational ApproachRisk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational ApproachGraydon McKee
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

More Related Content

Similar to Educause+V4.ppt

IT Controls Presentation
IT Controls PresentationIT Controls Presentation
IT Controls PresentationBill Lisse
 
Addressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider ThreatsAddressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider ThreatsForcepoint LLC
 
5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown JewelsIBM Security
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber SecurityStacy Willis
 
1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docx1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docxchristiandean12115
 
Building a business case & selecting an ehs mis platform
Building a business case & selecting an ehs mis platformBuilding a business case & selecting an ehs mis platform
Building a business case & selecting an ehs mis platformProcessMAP Corporation
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security FrameworkJerod Brennen
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus
 
Audit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingAudit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingTory Quinton
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfTheWalkerGroup1
 
2015 LOMA Conference - Third party risk management - Session 20
2015 LOMA Conference - Third party risk management - Session 202015 LOMA Conference - Third party risk management - Session 20
2015 LOMA Conference - Third party risk management - Session 20Marc S. Sokol
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Devendra kashyap
 
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docx
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docxWeek 8 discussion Maintenance Tasks – Operational and Maintenanc.docx
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docxhelzerpatrina
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementDaren Dunkel
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009asundaram1
 
Risk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational ApproachRisk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational ApproachGraydon McKee
 

Similar to Educause+V4.ppt (20)

IT Controls Presentation
IT Controls PresentationIT Controls Presentation
IT Controls Presentation
 
Addressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider ThreatsAddressing Future Risks and Legal Challenges of Insider Threats
Addressing Future Risks and Legal Challenges of Insider Threats
 
5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels5 Steps to Securing Your Company's Crown Jewels
5 Steps to Securing Your Company's Crown Jewels
 
Credit Union Cyber Security
Credit Union Cyber SecurityCredit Union Cyber Security
Credit Union Cyber Security
 
1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docx1.5 Pages are requiredYou have been hired .docx
1.5 Pages are requiredYou have been hired .docx
 
Building a business case & selecting an ehs mis platform
Building a business case & selecting an ehs mis platformBuilding a business case & selecting an ehs mis platform
Building a business case & selecting an ehs mis platform
 
Wisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LGWisegate_GeekSpeak_LG
Wisegate_GeekSpeak_LG
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security Framework
 
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your BusinessConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
ConnXus myCBC Webinar Series: Cybersecurity Risks to Your Business
 
Audit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge TrainingAudit and Compliance BDR Knowledge Training
Audit and Compliance BDR Knowledge Training
 
Cybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdfCybersecurity risk assessments help organizations identify.pdf
Cybersecurity risk assessments help organizations identify.pdf
 
Security policy.pdf
Security policy.pdfSecurity policy.pdf
Security policy.pdf
 
2015 LOMA Conference - Third party risk management - Session 20
2015 LOMA Conference - Third party risk management - Session 202015 LOMA Conference - Third party risk management - Session 20
2015 LOMA Conference - Third party risk management - Session 20
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
 
Information security for small business
Information security for small businessInformation security for small business
Information security for small business
 
Organizational Security: When People are Involved
Organizational Security: When People are InvolvedOrganizational Security: When People are Involved
Organizational Security: When People are Involved
 
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docx
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docxWeek 8 discussion Maintenance Tasks – Operational and Maintenanc.docx
Week 8 discussion Maintenance Tasks – Operational and Maintenanc.docx
 
A CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk ManagementA CIRO's-eye view of Digital Risk Management
A CIRO's-eye view of Digital Risk Management
 
2009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-20092009 iapp-the corpprivacydeptmar13-2009
2009 iapp-the corpprivacydeptmar13-2009
 
Risk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational ApproachRisk Management: A Holistic Organizational Approach
Risk Management: A Holistic Organizational Approach
 

Recently uploaded

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 

Educause+V4.ppt

  • 1. An Auditor's Perspective on Frameworks for Information Systems Security in Higher Education Erwin “Chris” Carrow, University System of Georgia Brian Markham, University of Maryland, College Park Copyright Erwin L. Carrow & Brian Markham 2009. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author and other identified entities. To disseminate otherwise or to republish requires written permission from the author. Videos and specific graphics presented are not for public distribution.
  • 2. Session Agenda  Key Takeaways and Introductions  What Makes Higher Education Different  Business Risk and Functional Practices  Internal Controls: Quick Overview  Frameworks for Security  Specific Guidance and Standards  Additional Audit Considerations  Q&A
  • 3. Key Takeaways At the end of this session you should be able to:  Identify business goals, functions, and associated roles and risk;  Understand the critical success factors during an audit;  Evaluate the internal control structure of your environment;  Know the standards and frameworks available for use in your environment;
  • 4. Your Session Guides  Erwin “Chris” Carrow - IT Auditor, University System of Georgia Board of Regents  High level  General focus  Brian Markham - IT Compliance Specialist, University of Maryland at College Park  Low level  Specific focus
  • 5. Auditing Higher Education: Challenges and Business Requirements Where are you at? Can seem like … HERDING CATS! EDS “Cat Herding” 1:07 minutes
  • 6. What Makes Higher Education Similar and Yet Different?  Universities are not Corporations, but …  Herding Cats may be a common or predominate phenomena  Business functions and processes are similar  Objectives, rules and requirements are similar  Resources, e.g., people information, infrastructure, applications, etc.  Different set of risks, challenges, and regulatory mandates  “Open System” Attitude (moving target)! “Academic Freedom” is a privilege, not a right!  Diversity of administrative operational requirements  Diversity of instructional and faculty requirements  Operational and Functional sides of the house not always in agreement – leadership changes and challenges do exist!  Freedom of information  Difficulties in blocking or outlawing certain risky behaviors  Mandated safe guard information and information systems  Bottom-line: Environment must foster Learning and Research!
  • 7. Auditors Ask the Question… What High Criticality Risks Exist? Categories of risk that may or may not apply:  Strategic : Affects the entities’ ability to achieve goals and objectives  Compliance : Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.  Reputational : Affects reputation, public perception, political issues, etc.  Financial : Affects loss of assets, technology, etc.  Operational : Affects on-going management processes and procedures
  • 8. Enterprise Risk Management - Risk Probability and Impact
  • 9. Threats and the Facts  Privacy Right Clearinghouse  Chronology of Data Breaches 2,500,000 since January 2005 that have been reported [www.privacyrights.org/ar/ChronDataBreaches.htm]  Ponemon –HRH 2008 Privacy Breach Index Survey (Sept 2008)  Self evaluation of overall performance of organization: -- 9% gave an “A” -- 31% gave a “B” -- 26% gave a ”C” -- 29% gave a “D” – 5% gave a “F” [www.HRH.com/privacy]  80 % believed their organizations experienced information system data breaches and loss of customer and personal information  50% Negligence, -- 29% Third-Party, 3% Hacker, --1% other criminal activity;  36% 1 to 4 breaches involving 100 or records; 32% 5 to 8; 31% 9 or more
  • 10. Recognized Method for … Risk Prevention Assurance Risk Prevention “IT Trunk Monkey” 1:01 minutes
  • 11. Regulatory Standards  FERPA, FISMA, HIPAA, PCI DSS, SOX, NCAA, A-21, A-133, PATRIOT, GLBA, ADA, CAA, CWA, OSHA, FLSA, FMLA, EEO, and possibly many others!  State, Local, and University System and Institution Guidelines  “Due Negligence” violations have cost institutions financially, but few if any individuals have gone to jail for lack of compliance  Reputational losses are the critical issue!  Avoid FUD – Fear, Uncertainty, and Doubt
  • 12. Information Security and Compliance Responsibilities  Know and comply with Federal, State, Local, and University System and Institution Regulations  Talk to auditors, colleagues, peers, and administrators about information and information system regulatory compliance and security  Make the “alphabet soup” and security a top priority when evaluating new systems and initiatives  Understand how the regulations trickle down to through policies, standards, procedures, and the people involved (in a practical method)
  • 13. What should a Risk Assessment identify about our environment?  What are the risks?  What are the impacts?  What is the likelihood it will happen?  Who is involved?  Are we willing to accept the risk?  What are we currently doing to mitigate this risk? Is it working like we think it should?
  • 14. Making the Lose/Lose Situation … a Win/Win  A PERFECT information technology operational environment or risk prevention assurance system does not exist (e.g., IT Trunk Monkey)!  Priority directed to likely threats for known vulnerabilities by:  Affirming good controls and practices  Uncovering unknown vulnerabilities or inappropriate practices  Focus upon what is essential for the success of Your Institutions “Business Functions.” Which comprise of:  Business Rules or Requirements: A statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business.  Business Standards or Practices: A related group of business processes that support some aspects of the mission of an enterprise.
  • 15. Doing Business and Dealing with the Nuts The Old Way…! Assessing Risk? 20th Century FOX “Ice Age” 1:55 min/sec
  • 16. Nuts Can Be Challenging Business Process – Gathering and Storing NUTS and the Big Squeeze  Tasks of Dealing with the NUTS–  1. Gather Nuts  2. Store Nuts  3. The Big Squeeze? Operational versus Functional needs!  What are the Associated Risks? 20th Century FOX “Ice Age”
  • 17. In Time, Nut Requirements Change The New Way …! Risk Assessment? 20th Century FOX “Ice Age 2: The Meltdown” 55 sec
  • 18. Different Nuts, Different Methods History has a Way of Repeating Itself!  Old Ways can Influence New Ways of …,  Different Business Requirements – Use of Different Methods (Variety of NUTS)  Sometimes the NUTS get Bigger and Harder to CRACK  Risk may Change or Increase! 20th Century FOX “Ice Age 2: The Meltdown”
  • 19. Making Peanut Butter Out of Nuts Moral: Life is Always Going to Be a Little Squirrelly  Business function Goals and Objectives can make the IT requirements a little NUTTY  Risk Implications associated with IT Implementations are NOT always CONSIDERED  Clearly Define the Task: Try making PEANUT BUTTER out of a difficult situation – it is easier to Store  WHERE DO YOU START? 20th Century FOX “Ice Age 2: The Meltdown”
  • 20. Know Yourself – Know Your Enemy! The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise that was written during the 6th century BC by Sun Tzu.  Two Possible not Recommended Responses to the Challenge  Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play Computer games until the Inevitable Occurs  Idealistic and Unrealistic: Do the “Don Quixote (To Dream the Impossible Dream and Fight the Impossible Fight)” - Wear yourself out Fighting Windmills by shooting at whatever pops its head out!  Third Approach “How do you Eat the Elephant standing in the corner, Instead of Avoid it?” Take ONE BITE at a time by…  Strategizing a Response  Create a deliberate Long term Plan  Identify Short term Objectives and Milestones  Gain Key Shareholder ownership of the challenges  Test and Monitor the process with Identifiable Outcomes  Start with Business Functions – Gathering and Storing of NUTS
  • 21. Business Functions (other Nuts)  It still comes down to …, Business Needs and Outcomes  Goals or Objectives  Rules and Requirements  Identifying critical business functions  Finance and Accounting  Financial Aid  Human Resources  Registration  Student Services  Other administrative functions  Identify the departments and who are the key personnel, e.g., Business owner, Trustees and Stewards?  Identify the systems that support these functions  How are the people and systems integrated into the business process?  What internal controls exist to mitigate risk?
  • 22. Business Function’s Objective, Requirements, Resources, and Practices  YOU MUST KNOW …  What Business Principles are in Operation?  Reasons -Why you do things a certain Way Control Objectives for Information and related Technology (COBIT®)
  • 23. Business Functions and their Characteristics Control Objectives for Information and related Technology (COBIT®)
  • 24. Business Function Information from Origin to Destination  Identify how the information travels and is managed throughout the business function life cycle!  How packets of data are managed, provisioned, formatted, and transferred throughout business functions  How information is handled per its classification and intended use  Assess information and information system security from various perspectives  Who are the business owners, trustees, and stewards?
  • 25. “Life Cycle” of Security & Process Provisioning
  • 26. Risk Assessment Flow  The methodology for auditing the information and information systems for compliance and security is a Top Down process  Business Goals to Standards and Practices  Business Function to Information System  Leadership (administrator) to Technician or Staff member (end user)  Assess Requirements, Resources, and Processes  The approach will focus on key business functions and their associated Business Goals and Objectives as it relates to the audited entity e.g., Identity and Access Control Management (IAM), Perimeter and Network Security (NETSEC), etc.  Once identified and agreed upon for each business function, the key associated requirements, resources, and processes will be identified and assessed to determine if high or critical risk is being managed.  Focus on Control Practices, Responsibility / Accountability, associated with key activities with an expected CMMI level 3 criteria for High Risk Critical processes.
  • 27. Principles for Consideration  1st Top-down Risk Based identification of threats and vulnerabilities for key Business processes and related IT support processes, e.g., change management, access security, operations, etc. (General Risk Assessment)  2nd Control of IT Risk that affect critical IT functionality in financially significant applications and related data (Particularized Risk Assessment)  3rd Layered Controls to mitigate risk for application program code, databases, operating systems, and the network (Operational processes that align with precedence of Risk)  4th Risk mitigation based upon Business and Control objectives (not the limitations of individual controls), have a Framework, structure, and methodology to support your risk strategy
  • 28. When Assessing for Risk …  Risk assessment evaluates components of information, information system security and compliance as it relates to the business function  Assess  Mitigate / Monitor  Re-Assess  Ongoing risk management program must be in place  Business owner or key shareholder must own the process  Establish a standard for considering and negotiating risk  Annual (periodic) risk assessment deliverable with recommendations for corrective action  Clearly define and document accepted risk – someone needs to sign off on the responsibility
  • 29. Risk Mitigation  Once risks are identified, they must be mitigated via internal controls  Internal Controls: a practice approved by management to mitigate risk or produce a desired outcome in a business process for implementing and enforcing information security and compliance  Preventive - controls to stop the problem from occurring  Detective - controls to find the problem  Corrective - controls to repair the problem after detection  Administrative - policies, standards, guidelines, and procedures  Technical - controls using hardware or software for processing and analysis  Physical - controls to implement barriers or deterrents  Document and retain artifacts.  Design  Document  Implement  Test the controls prior to implementation to validate expectations  Monitor results  Re-test controls periodically.
  • 30. High Level IT Control Model IT Services OS/Data/Telecom/Continuity/Networks Business Process Procurement Business Process Accounts Payable Business Process Accounts Receivable/ Claiming Business Process Programs and Operations Executive Manag ement Agency Level IT Considerations IT General Controls Application Controls *End User Computing*
  • 31. Re-Assess Risks  Risk Assessments are an on-going exercise;  Track mitigation strategies, did they work?  What “Framework(s)” are being applied?  Is there an identifiable “Structure” in place e.g., risk management program?  Is the “Methodology” recognizable, e.g., documented and not arbitrary?  Are you using Tools to monitor, manage, and validate the associated processes?  Test, re-test controls (Design and Effectiveness)  Document test results, corrective actions, changes in business needs/requirements.
  • 32. Better Controls = Improved Security  IT Security comes down to presence and effectiveness of internal controls;  Weak controls = weak security  Audits are an evaluation of controls, audits are FREE consulting services!  All of the security practices that we utilize are really just controls, from firewalls to IPS to virus scanning.  How these controls come together ultimately determines out overall control environment (and our control gaps).  Framework?
  • 33. Frameworks for IT Security  COBIT - High level business objectives and outcomes  ISO & NIST - Standards and checklists for consideration  Criteria - CMMI  CIS - Tools  ITIL - Process Models  Any framework is better than NO framework!  Frameworks map to structure which should produce a consistent methodology for addressing risk  Be able to explain …!  How it was derived  Why your strategy makes sense  How it manages risk
  • 34. COBIT  Developed by the ITGI (Current v4.1)  Value of IT, Risk, and Control  Links IT service delivery to business requirements (already defined, right?)  A lifecycle; constantly adapting, improving, re- adapting  Four Responsibility Domains:  Plan and Organize (PO)  Acquire and Implement (AI)  Deliver and Support (DS)  Monitor and Evaluate (ME)  Make a grocery list of needs and then go shopping
  • 35. COBIT Control Objectives for Information and related Technology (COBIT®)
  • 36. COBIT Control Objectives for Information and related Technology (COBIT®)
  • 37. ISO 27002  Code of Practice for Information Security Management  Divides IT Security into 11 Categories (Clauses)  Defines key controls over specific sub-categories  Defines implementation guidance for each key control  39 Control Objectives with 139 Controls  Control objectives are generic functional requirement specifications for an organization’s information and information system security management control architecture
  • 39. ISO 27002  Benefits:  ISO 27002 is a very hands-on control guideline  DIY Framework, no consultants required  Proactive – not reactive.  Certification  Less stressful audits!  How do we get to ISO 27002?  Evaluate/Implement Key Controls;  This will require policies/processes/procedures;  Executive level buy-in;  Team effort, IT Security is EVERYONES responsibility.
  • 40. NIST  NIST offers security guidance in many areas  Special Publications  Useful high level governance standards and practices  Practically every IT security subject is covered here  Written for the Feds but very useful for any organization  Current government agency 2007 self assessment average grade is “C-”, e.g., Academic probation  http://csrc.nist.gov/publications/PubsSPs.html
  • 41. NIST Special Publications  Life Cycle of Risk Consideration
  • 42. Center for Internet Security (CIS)  CIS Benchmarks provide guidelines for operating systems and databases;  User originated, widely accepted, and reflect the consensus of expert users worldwide;  Compliance with these benchmarks will reduce findings and lead to more secure computing platforms  Some benchmarks include :  Windows Server  Solaris  Oracle  Exchange
  • 43. Center for Internet Security (CIS)  Use benchmarks from CIS for standard builds of servers, databases, and applications;  A self-appraisal/audit of current systems, builds;  Hardening guide to ward off attacks;  CIS certifies automated tools. Some providers include:  Belarc  CA  ConfigureSoft  Symantec  Tenable  Tripwire
  • 44. CMMI  An identifiable criteria by which you should be evaluated!  Capability Maturity Model Integrated created by the Software Engineering Institute (SEI)  Level 0 - 5 (Non-Existent to Optimized)
  • 45. CMMI  Variants of the CMMI: CMM & ISO 15504  Identifies WHERE you are at in the application of IT risk mitigation controls and HOW to get to the next level  Levels of Application  Level 0: No Recognizable Process, though one is needed  Level 1: Process is Ad-hoc and perform by key individuals  Level 2: Process is Repeatable , but not controlled  Level 3: Process is Defined & Documented and periodically Evaluated  Level 4: Managed & Measurable; effective Internal Controls with Risk Management  Level 5: Optimized Enterprise wide risk and control program
  • 46. CMMI  Capability Maturity Model Integrated created by the Software Engineering Institute (SEI)  Level 0 - 5 (Non-Existent to Optimized)  Auditors need to be able to do more than “take someone's word for it”  Therefore … Level 3 is a minimum requirement  Defined processes  Documented processes to identify risk and associate roles and responsibility to mitigate risk  Processes in place to periodically review and evaluate controls
  • 47. What Does Evidence Look Like?  Definition: Evidence must be Sufficient, Reliable and Relevant  The various types of audit evidence that the IS auditor consider using include:  Observed processes and existence of physical items, e.g., A computer room security system in operation  Documentary audit evidence, e.g., Activity and control logs, System development documentation  Representations, e.g., Written policies and procedures, System flowcharts, Written or oral statements  Analysis, e.g., Benchmarking IS performance against other organizations or past periods; Comparison of error rates between applications, transactions and users  Evidence gathering procedures considered are: Inquiry, Observation, Inspection, Confirmation, Re-performance, and Monitoring  Audit evidence should be useful to form an opinion or support the findings and conclusions.  Evidence gathered should be appropriately documented and organized to support the findings and conclusions.
  • 48. ITIL - Process Modeling  When you don’t have a good understanding of “what right looks like”  Models most “Industry Standard “ information and information system technology processes  When in doubt “check it out and test it out”  Maps to COBIT  Complimentive to NIST and ISO  Helps to provide a starting place  Caution - can be overtly complicated
  • 49. Example of IAM - Audited Entity to be Assessed for Risk  IAM: Identity and Access Control Management  Identity Management; the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agencies identities  Access Control; the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
  • 50. Users Involved in Business Functions and Types of System Information? (Provisioning of High Risk or Critical Information)  Business Functional responsibility for assigning “Rights & Permissions” to various roles within the organization  Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Registrar, FinAid, HR, ConEd, etc.  Trustees: Responsible to maintain trust granted by Business owner, e.g., “Worker Bees” in the associated departments that conduct day to day operations  Stewards: Responsible to service and support the business function, typically provide a technical system or infrastructure to facilitate business needs, e.g., Information Technology Services, etc.  Types of Information (Data Classification) per institution or university system standards  Unrestricted / Public: No consequence typically general information  Sensitive: typically references’ legal or externally imposed constraints that requires this restriction  Confidential: highest level of restriction, applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA
  • 51. Example associated Key Process – Ecommerce e.g., One Card System  COBIT high level framework for controls relating to the Ecommerce systems  Plan and Organize (PO) — Provides direction to solution delivery(AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11  Acquire and Implement (AI) —Provides the solutions and passes them to be turned into services AI5 and AI4  Deliver and Support (DS) —Receives the solutions and makes them usable for end users: DS1, DS5 and DS11  Map the requirements to your preferred checklist, e.g. NIST or ISO  Requirements for Ecommerce Compliment other Processes  Less work required for other system implementations  No duplication of effort if requirements are properly addressed  Identity Management applies to many different other process requirements, e.g., Applications, Operating Systems, and Databases
  • 52. Example: Identity and Access Control Management (IAM) COBIT Slide 1  COBIT 4.1 DS5.3 Identity Management  Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.  Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.  Ensure that user access rights are requested by user management, approved by system owners and implemented by the security- responsible person.  Maintain user identities and access rights in a central repository.  Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
  • 53. Example: Identity and Access Control Management (IAM) COBIT Slide 2 Logical Didactic Approach - DS5.3 Identity Management (How it is Evaluated)  Control over the IT process of Ensure systems security that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents  By focusing on  defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents  Is achieved by  Understanding security requirements, vulnerabilities and threats  Managing user identities and authorizations in a standardized manner  Testing security regularly  And is measured by  Number of incidents damaging the organization's reputation with the public  Number of systems where security requirements are not met  Number of violations in segregation of duties
  • 54. How to Measure Success? Maturity Model – CMMI DS5 Snapshoot (Criteria) DS5 Ensure Systems Security - Management of the process of Ensure systems security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is: 0 Non-existent when The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process. 1 Initial/Ad Hoc when The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable. 2 Repeatable but Intuitive when Responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain. 3 Defined when Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed. 4 Managed and Measurable when Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. .... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... . Security testing is completed using standard and formalized processes, leading to improvements of security levels. …. IT security reporting is linked to business objectives. IT security training is conducted …. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured. 5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated ….
  • 55. COBIT 4.01 Standards to NIST Mapping –Integration with other Standards (Alignment of IT Controls to Mitigate Risk)
  • 56. NIST 800-53, Revision 1 Standards Terminology and Application
  • 57. Additional Considerations  Develop a strong working relationship with your auditors  Communicate with them even when not being audited (typically the most lonely folks on campus)!  Challenge and question their defined and documented processes for auditing (IIA)  Understand what auditors are looking for and why  Ask them where they see the risk and why  Run questions by them (VM Ware)  Some auditors are fallible, but …, NOT Brian or Chris (joke)!
  • 58. Call to Action & Challenge “Birds of a Feather, Flock Together” or “Life is For the Birds” Be Different? PIXAR “For the Birds” 3:16 minutes
  • 59. Thank you for your participation - any questions?  Higher Education is Different!  Understanding Business Risk and Functional Practices are critical  Internal Controls must be defined, documented, and reviewed  Chose and apply a security Framework that provides identifiable structure and an effective methodology to address risk  Lots of Guidance Standards, tools and modeled process to emulate  Internal Auditors can be a valuable resource!
  • 60. Helpful Resources  CIS Benchmarks - http://www.cisecurity.org/benchmarks.html  IIA - www.theiia.org  ISACA - www.isaca.org  ISC(2) - www.isc2.org  ISO - www.iso.org  ITGI - www.itgi.org  NIST - csrc.nist.gov  NSA - www.nsa.gov  IASE - iase.disa.mil  Web App Consortium - www.webappsec.org  EDUCAUSE - educause.edu/security  Univ. Austin Texas Sec. - security.utexas.edu  Univ. Cornell Sec. - www.cit.cornell.edu/security  Virginia Tech Sec. - security.vt.edu  Ga. Tech Info Sec. Center - www.gtisc.gatech.edu
  • 61. Last minute additions…  Thanks to the feedback of some of our participants, we wanted to add the following:  While CMMI is a maturity model, it is still primarily aimed towards software delivery. You may want to look into CMMI for service (SVC) and acquisition. Check them out here. The maturity model in COBIT is separate from CMM but is the same basic idea.  The ISO 27000 series in it’s entirety is worth a look. Check them out here.  COBIT & ITIL are less technical/IT Security related, NIST and ISO, more so. Keep this in mind when selecting a framework.