Information Security Governance and Risk Chapter 2 Part 1 Pages 21 to 69

Upload: scott-moody

Post on 22-Dec-2015


Information Security Governance and Risk

Chapter 2Part 1

Pages 21 to 69

Security in the Company

• “Organizations have many other things to do than practice security. Businesses exist to make money.”

Fundamental Principles

• Core goals of security (CIA)

• Confidentiality
• Integrity
• Availability

• Key Terms – page 25

Security Definitions

• Vulnerability
• Threat
• Risk
• Exposure
• Control

• Key Terms – page 28

Control Types

• Administrative
• Technical
• Physical

• Defense in Depth

Functionalities of Controls

• Deterrent
• Preventive
• Corrective
• Recovery
• Detective
• Compensating
• See page 30

Security through obscurity

• Dangerous
• Attackers are smart, motivated, and dedicated.

Security Frameworks

• A security program
• BS7799
  – 1995
  – How an ISMS (Information Security Management System) can be set up and maintained.
  – Topics pages 36-37

ISO/IEC 27000

• ISO/IEC 27xxx modularized components
• Figure 2-3 on page 39 (Plan-Do-Check-Act)
• How to develop and maintain an ISMS

Standards, Best Practices, Frameworks

• Page 40
• How can we make sense out of this?

Enterprise Architecture Development

• “understand the environment, understand the security requirements of the business and the environment and lay out a strategy”

TOGAF

• The Open Group Architecture Framework
• Page 47 Figure
• Note

Zachman Architecture Framework

• Business enterprise architecture – not security oriented

• Used to define the business environment.
• Table 2-2 on page 45

Enterprise Security Architecture

• Subset of enterprise architecture
• “The main reason to develop an enterprise security architecture is to ensure that security efforts align with business practices in a standardized and cost-effective manner.”

• If no ESA, the answers on page 49 are “yes”

SABSA

• Sherwood Applied Business Security Architecture

• Table 2-3 on page 50
• “Each layer of the model decreases in abstraction and increases in detail so it builds upon others and moves from policy to practical implementation of technology and solutions.”

SABSA

• Strategic alignment – Business drivers and regulatory and legal requirements are being met

• Business enablement – security cannot stand in the way of the business process, but should enable it.

SABSA

• Process enhancement – while securing the environment, look at improving the business process

• Security investment – metrics to determine the usefulness of security solutions.

ISMS vs Enterprise Security Architecture

• ISMS (ISO/IEC 27000) specifies the pieces and parts that need to be put in place for a security program.

• ESA (SABSA) specifies how the components of an ISMS have to be interwoven throughout the business environment.

Enterprise vs System Architecture

• EA – Security supports the organization
• SA – Systems need to support security policies.

Security Control Development

• CobiT
• NIST 800-53
• COSO

Controls

• Management
• Technical
• Operational
• See Table 2-4 on page 58

CobiT

• ISACA
• The majority of security compliance auditing practices used today in the industry are based off of CobiT

• Checklist for IT governance

NIST 800-53

• U.S. Government checklist to ensure agencies are compliant with the Federal Information Security Management Act of 2002.

COSO

• Model for corporate governance
• Developed in 1985 to deal with fraudulent financial activities and reporting
• SOX – Sarbanes-Oxley is based on COSO
• Companies implement ISO/IEC 27000 and CobiT for COSO

Process Management Development

• How to manage the development of security controls

ITIL

• Information Technology Infrastructure Library
• De facto standard for IT service management
• Divide between business and IT people
• ITIL security component focuses on security level agreement between IT department and internal customers.

• Figure 2-6 on page 61

Six Sigma

• Improve process quality using statistics
• Removing defects in manufacturing

CMMI

• Capability Maturity Model Integration
• Figure 2-7 on page 62

CMMI

1. Plan and organize
2. Implement
3. Operate and maintain
4. Monitor and evaluate

Top-down Approach

• The initiation and direction of security programs should come from top management

Functionality vs Security

• Balancing act between security and allowing the necessary level of functionality so that productivity is not affected.

• Consult users and understand the business