© 2006 IBM Corporation
Introduction to z/OS Security
Lesson 9: Standards and Policies
Objectives
• Describe the governance, compliance and legal requirements that the business community operates under today
• Understand the need for information security guidelines
• Understand what system certification and evaluation are and why they are necessary
• Explain regulatory acts and their benefits to corporations
• Identify the components of an information security program
Key Terms
• Compliance
• Governance Requirements
• Policy
• CIPP
• CISO
• GIAC, CISSP, and SSCP
• Sarbanes-Oxley
• COSO Framework
• CoBIT
Introduction
• Implementing security on a system requires a plan.
• Creating a plan requires guidelines.
• Governments and standards bodies develop laws and guidelines which direct security policies.
• Standards and guidelines bring ‘best practices’ to the IT industry.
• Standards and guidelines put all IT shops on an even playing field when it comes to auditing and evaluations.
Governance, compliance and legal requirements
• Government and professional bodies impose strict control requirements through legislation or certification requirements.
• Organizations integrate these regulatory controls into their business practices.
• It is easier to establish uniform standards and monitor compliance with them than to inspect each company to ensure that it protects customer identities and operates with integrity, although governments may still check.
• Governments and standards boards impose standards or controls only to protect the viability of the corporate environment, consumer privacy and consumer confidence.
• The CEO and CISO have to be familiar with the legal requirements and ensure that their organization follows all the laws and implements the necessary procedures.
Regulatory acts
• There are two major categories of US laws regulating an organization and its IT operation. The first group covers core business security regulations, such as:
  – Basel II, Solvency II, IAS/IFRS, and HIPAA.
• The second group covers the regulation of specific business processes related to IT security, such as:
  – FISMA, CoBIT, British Standard 7799 (ISO 17799), the Sarbanes-Oxley Act (US), and the Homeland Security Act.
• Although most of these acts originated in the U.S., they have already been or will be adopted in other countries, especially in the European Union.
• They apply to all companies operating in the U.S. or registered on stock exchanges.
Information security guidelines
• Creating an information security program is essential to managing the business's information assets.
• Organizations create Critical Infrastructure Protection Programs (CIPP) to protect business-critical infrastructure.
• Organizations, mostly in the public sector, have always had such security and control programs and processes, with varying degrees of coherence and corresponding effectiveness.
Information security programs
• The Executive Information Security Policy, a component of the information security program (ISP), defines the scope of the policy and describes the need to protect the information infrastructure in general.
• Management needs to draft a document defining the program for:
  – the protection of information infrastructure and assets
  – compliance with regulatory requirements
  – the creation of service level agreements with partners that include security
  – the creation of Service Level Requirements (SLR) for business unit communications
  – the creation of the office of the Chief Information Security Officer (CISO) to oversee the program
  – the update and change of the Corporate Information Security Policy documentation, which includes assigning specific responsibilities so everyone knows what they are supposed to do and what is expected of them.
System certification and evaluation
• Certification involves assessing that all the prescribed measures and controls are in place and that qualified people have technical responsibility for maintaining them.
• It is performed independently of the staff who maintain the system.
• Certification can be divided into three main areas:
  – Certification for technical personnel
  – Certification for systems
  – Certification for processes
Certification for technical personnel
• Global Information Assurance Certification (GIAC)
  – The SysAdmin, Audit, Network, Security (SANS) Institute founded GIAC in 1999 to develop a technical certification standard for security professionals.
    • See the organizational Web site at: http://www.giac.org/
• Certified Information Systems Security Professional (CISSP)
  – Tests competence in the 10 domains (subject areas) and in relevant work experience in the security field.
  – CISSPs are most often CISOs or senior-level information security managers with policy or senior management responsibilities.
  – See the Web site at: http://www.isc2.org
• Systems Security Certified Practitioner (SSCP)
  – Targeted at the information security technologists on the “front lines”: SSCPs are operational technologists working as Network Security Engineers, Security Systems Analysts or Administrators.
  – The SSCP certification requires proficiency in 7 subject areas.
  – See the Web site at: http://www.isc2.org
Certification for systems
Common Criteria
• The Common Criteria gives corporate technologists a means of standardizing a common set of requirements for the security functions of IT products.
• These standardized requirements are backed by the International Standards Organization (ISO/IEC 15408:1999) and are known as the Common Evaluation Methodologies (CEM).
• Using the CEM we can compare different applications and appliances and judge how well each addresses an organization’s security requirements.
• In 1999, six countries (Canada, France, Germany, the Netherlands, the United Kingdom, the United States) became signatories to Common Criteria 2.0, making it an international standard.
• See the Web site at: http://www.commoncriteriaportal.org
Certification for processes
• One challenge companies face in complying with the regulations is choosing an appropriate methodology and developing a sequence of steps by which to evaluate their internal controls.
• Here are two frameworks that are suitable for this task:
  – COSO Framework
    • This framework states that internal controls comprise five components, and that all five must be in place for internal control to be considered effective:
      – Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring
  – COBIT: Control Objectives for Information and Technology
    • The objective in creating COBIT was to interpret the COSO Framework specifically from an IT perspective, resulting in a framework that, according to the Information Systems Audit and Control Association (ISACA), is increasingly internationally accepted as good practice for control over information, IT and related risks.
    • Applying COBIT specifically to Sarbanes-Oxley, ITGI has published ‘IT Control Objectives for Sarbanes-Oxley’, a framework containing detailed IT processes and control objectives specific to financial reporting.
    • Like ISO 17799, the control objectives provide a common framework where each organization would otherwise have to maintain individualized standards.
  – Being able to normalize IT governance standards allows organizations to adopt the best practices gleaned from experience.
Summary
• Legislative and corporate governance and compliance requirements require that we create the means by which we manage information security and measure our compliance efforts.
• Over the years, industry and professional associations have developed methods by which standardized methods and best practices can be shared.
• Common Criteria certification allows consumers to evaluate different products using common guidelines.
• Personnel, systems, and processes can be certified as compliant with standards.