security, audit and compliance: course overview
The presentation I use to introduce the post-grad module on information security and governance I teach at Edinburgh Napier University. If you want to find out more, google for 'INF11109' on the napier.ac.uk site.
Security Audit & Compliance: subject overview
Peter Cruickshank
Overview
• Scope and context
• What do we mean by security?
• Topics we will cover
• The aim is to let you see the scope
• And to get you familiar with the concepts and issues
2 SAC
Stereotype 1 (image slide)
Stereotype 2 (image slide)
The aim of this course: mutual understanding between techies and managers
THE SCOPE OF THE INFORMATION SYSTEM
Six components of an information system
• Procedures
• People
• Data
• Applications
• Networks
• Hardware
Another view: the computing system sits inside a series of nested environments
• Socio-economic environment
  – Application environment
    – Computing environment
      – Computing system
IS in context: Application Environment
• Growing business dependence on IS/IT
• Development of general purpose rather than dedicated applications
  – Built using common toolsets
  – Less variety in structure & design
• Large scale integration of data sets
• Computer to computer transactions
• Autonomous trading systems
IS in context: Computing Environment
• Growth in the power and availability of technology
• Rapid spread of data communications networks
• Development of powerful databases and search engines
• High degree of component commonality
IS in context: Socio-economic-legal
• Increasing computer fraud
• Concerns about privacy
• Greater public knowledge of computing
• Rising globalisation of trade
• Introduction of specific laws to control the use of IT
• Public policy vs personal preference?
The scope of this course: (Business) Computer and Information Systems
• That is: we’re taking the viewpoint of an organisation and its management
  – Could be government, public sector or NGO
• Issues around consumers or individual citizen rights are not central to what we cover
• …nor is the role of ‘national security’ in setting the computer environment
• …though these are interesting and important in their own right
WHAT IS SECURITY
What is security?
(Cartoon: Mordac, the Preventer of Information Services © Dilbert.com)
What is security?
“If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure.
1. The first is to make people actually more secure, and hope they notice.
2. The second is to make people feel more secure without making them actually more secure, and hope they don’t notice.
The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.”
The feeling and the reality of security, Schneier 2008
…Watch for security theatre, that is…
Security
• Complex passwords are secure
• Encryption protects assets
Access
• Complex passwords prevent access
• Encryption slows things down
The security balance
• Technology is not enough
• Controls often conflict with usability and business objectives
(Figure label: Risk)
The security balance 2
(Chart: effectiveness plotted against level of technical security. Too little technical security is too risky; too much is too complex to work; the optimum balance lies between the two.)
What is security?
Information security as…
Science
• Security as an engineering discipline
• Subject to systems thinking
Art
• When things get complicated, it gets too much to plan
• The security manager is left to judge the best way(s) forward
Social science
• People interact with systems: users need to do things
• Behavioural aspects of organisations and change management
What is security?
Example of making a business secure
Schneier’s three steps to improved security:
1. Enforce liabilities
2. Allow liabilities to be transferred
3. Outsource security
“Network security is a business problem, and the only way to fix it is to concentrate on the business issues… I have a three-step program towards improving computer and network security. None of the steps has anything to do with the technology; they all have to do with businesses, economics, and people.”
Liability & Security, in Schneier (2008)
Security in business: Concept map
(Concept map, Raval & Fichadia 2007, Ch 1. Nodes: Business model; Management; Structure; Process; Information; Control & Security. Edge labels: “is comprised of”, “warrant actions for”, “by”.)
CORE TOPICS
Information Security Attributes
• Confidentiality – protecting privacy
• Integrity – protection from accidental or deliberate (malicious) modification
• Availability – …for legitimate users; prevention of DoS attacks etc
• Authentication – who are you? Supports non-deniability
• Authorization – what can you do?
• Auditing – effective auditing and logging is the key to non-repudiation
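The Integrity and Auditing attributes above are easy to state and easy to lose: a log that anyone with write access can quietly edit provides no evidence at all. As an added example (not part of the lecture slides), the Python below builds a tamper-evident audit log in which each record carries an HMAC over its own content plus the previous record’s tag, so editing, deleting or reordering any earlier record breaks the chain from that point on. The key, the event records and their field names are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed example key and events (not from the course): who did what, to what.
LOG_KEY = b"example-audit-log-key-replace-in-practice"
GENESIS_TAG = "0" * 64  # chain anchor for the first record

SAMPLE_EVENTS = [
    {"seq": 1, "actor": "alice", "action": "login", "target": "payroll-db"},
    {"seq": 2, "actor": "alice", "action": "export", "target": "salaries.csv"},
    {"seq": 3, "actor": "bob", "action": "approve", "target": "payment-4711"},
]


def _canonical(entry):
    # Deterministic encoding, so the same event always produces the same bytes.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev_tag, entry, key):
    # The tag binds this record to everything before it via the previous tag.
    return hmac.new(key, prev_tag.encode() + _canonical(entry), hashlib.sha256).hexdigest()


def append_entry(log, entry, key=LOG_KEY):
    """Append an event to the chained log and return the new record."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    record = {"entry": dict(entry), "prev": prev_tag, "tag": _tag(prev_tag, entry, key)}
    log.append(record)
    return record


def verify_log(log, key=LOG_KEY):
    """Walk the chain; return (True, None) or (False, index of first bad record)."""
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(log):
        if rec["prev"] != prev_tag:
            return False, i  # a record was removed, inserted or reordered
        expected = _tag(prev_tag, rec["entry"], key)
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i  # the record's content or tag was edited
        prev_tag = rec["tag"]
    return True, None


def build_sample_log():
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


def tamper(log, index, field, value):
    """Return a copy of the log with one field of one record silently edited."""
    altered = copy.deepcopy(log)
    altered[index]["entry"][field] = value
    return altered


def drop_record(log, index):
    """Return a copy of the log with one record deleted."""
    altered = copy.deepcopy(log)
    del altered[index]
    return altered


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log:", verify_log(log))
    print("export re-attributed to bob:", verify_log(tamper(log, 1, "actor", "bob")))
    print("record 2 deleted:", verify_log(drop_record(log, 1)))
    print("newest record deleted:", verify_log(drop_record(log, 2)))
```

Two caveats a practitioner should take from running it. Deleting the newest record passes verification, because no later record references its tag; a real deployment anchors the latest tag or record count somewhere the log writer cannot change (a separate system, a signed checkpoint, write-once storage). And an HMAC key is a shared secret, so anyone holding it can rewrite the whole chain consistently: this gives tamper evidence against outsiders, not non-repudiation against the log’s own operators. For that, records must be signed with a key only the acting party holds, which is why the slide ties non-repudiation to authentication as well as to auditing.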
Business requirements in COBIT
• Effectiveness – relevant and pertinent; timely, correct, consistent
• Efficiency – productive and economical
• Confidentiality – no unauthorised disclosure
• Integrity – protection from accidental or malicious modification; accurate, complete, valid
• Availability – …for legitimate users; prevention of DoS attacks etc
• Reliability – appropriate information to support management decisions
COBIT 4.1
Secure Computing
• A computing regime under which information may be stored and processed:
  – To defined standards of confidentiality, integrity and availability
  – To an assessable level of assurance
Security is not a commodity
Security is a state of being!
RELATED TOPICS
Another theme
• Governance
• Risk Management
• Compliance
Governance frameworks
• From the state: Legal
  – Privacy laws
  – Property legislation – computers, IPR etc
• Sources of law
  – National
  – European
  – USA
• Standards
  – Security criteria
  – Published standards
Ethics
• Computing poses a new environment for ethical consideration
• Who decides the ethical aspects?
  – Computer professionals
  – Leaders of commerce & industry
  – Computer users
  – Citizens
• What happens when different values collide?
Governance: Privacy
• Holding of data relating to people
• Aggregation of personal data
  – Data matching
  – Marketing of data
  – Universal identifiers
• Enforcement of fair practice
• Need for a legal context
  – Local
  – Global
• Interacts with individuals’ expression of their identity online
Governance: Fraud & Abuse
• Corrupting information
• Damage and disruption
• Threats to the person
• Theft of property and services
• Financial crime
Managing threats and vulnerabilities
• Threat – a potential event that can adversely affect an asset
• Attack – a successful attack exploits vulnerabilities in your system
• Risk – the likelihood and impact of that threat occurring
Security management
(Pyramid, top to bottom)
• Policies – sanctioned by senior management
• Standards – built on sound policy; carry the weight of policy
• Practices, procedures, guidelines – the level at which policies and standards are implemented
Incident response and business continuity
Impact analysis
• Accept
• Mitigate
Response planning
• Detection
• Reaction
• Recovery
Disaster recovery planning
• Crisis management
• Operations recovery
Business continuity planning
• Strategies
• Planning
• Management
An extension of risk management (Whitman & Mattord p212)
System design principles
• Authorisation – rule-driven controls
• Least privilege – need-to-know principle
• Separation of duty – no individual in complete control
• Redundancy – to allow graceful degradation
Controls
• Control activities are actions, supported by policies and procedures, that, when carried out properly and in a timely manner, manage or reduce risks.
Controls
Preventive controls
• Preventive controls attempt to deter or prevent undesirable events from occurring.
• They are proactive controls that help to prevent a loss.
• Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.
Detective controls
• Detective controls, on the other hand, attempt to detect undesirable acts.
• They provide evidence that a loss has occurred but do not prevent a loss from occurring.
• Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
Controls
• Both types of controls are essential to an effective internal control system.
• From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
• However, detective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses.
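The system design principles (rule-driven authorisation, least privilege, separation of duty) and the preventive/detective distinction in this section are usually taught as separate lists; the added Python example below (not part of the slides) puts them in one small payments workflow so the difference shows up in behaviour. The roles, users, payment records and the “direct database edit” at the end are all constructed. The preventive control is an authorisation check run before a payment is raised or approved, enforcing a least-privilege role table and a separation-of-duty rule; the detective control is a reconciliation of the posted ledger against the authorisation log, which is the only thing that catches a posting that never went through the application.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example (not the course's code). Role -> permitted actions.
# Least privilege: a clerk can only raise payments, a manager can only approve,
# an auditor can only read. "lead" holds both, which is where separation of
# duty has to do the work the role table cannot.
ROLE_PERMISSIONS = {
    "clerk": {"payment.create"},
    "manager": {"payment.approve"},
    "lead": {"payment.create", "payment.approve"},
    "auditor": {"ledger.read"},
}


class AuthorizationError(Exception):
    pass


@dataclass
class Payment:
    pid: str
    amount: int
    requested_by: str
    approved_by: Optional[str] = None


class PaymentSystem:
    def __init__(self, users):
        self.users = users      # user -> role (constructed)
        self.payments = {}      # pid -> Payment awaiting approval
        self.ledger = []        # posted (approved) payments
        self.authz_log = []     # every decision: (user, action, pid, allowed, reason)

    # Preventive control: rule-driven authorisation, evaluated before the action.
    def _authorize(self, user, action, payment):
        role = self.users.get(user)
        allowed = action in ROLE_PERMISSIONS.get(role, set())
        reason = "ok" if allowed else "role lacks permission"
        if allowed and action == "payment.approve" and payment.requested_by == user:
            # Separation of duty: no individual raises and approves the same payment.
            allowed, reason = False, "separation of duty: requester may not approve"
        self.authz_log.append((user, action, payment.pid, allowed, reason))
        if not allowed:
            raise AuthorizationError(f"{user} {action} {payment.pid}: {reason}")

    def create(self, user, pid, amount):
        payment = Payment(pid, amount, requested_by=user)
        self._authorize(user, "payment.create", payment)
        self.payments[pid] = payment
        return payment

    def approve(self, user, pid):
        payment = self.payments[pid]
        self._authorize(user, "payment.approve", payment)
        payment.approved_by = user
        self.ledger.append(payment)
        return payment


def detective_review(system):
    """Detective control: reconcile the ledger against the authorisation log.
    Returns (pid, finding) for every posted payment with no allowed approval
    decision behind it. It cannot undo the posting; it produces evidence."""
    approved = {pid for (_, action, pid, allowed, _) in system.authz_log
                if action == "payment.approve" and allowed}
    return [(p.pid, "posted without an authorised approval")
            for p in system.ledger if p.pid not in approved]


def run_scenario():
    users = {"alice": "clerk", "bob": "manager", "dave": "lead", "erin": "auditor"}
    system = PaymentSystem(users)
    denials = []

    system.create("alice", "P1", 500)
    system.approve("bob", "P1")            # allowed: a manager who did not raise P1
    system.create("dave", "P2", 900)
    for user, pid in [("dave", "P2"), ("alice", "P1")]:
        try:
            system.approve(user, pid)      # SoD breach, then a clerk trying to approve
        except AuthorizationError as exc:
            denials.append(str(exc))

    # A posting that bypasses the application (simulating a direct database
    # edit): the preventive control never ran, so only the review can see it.
    system.ledger.append(Payment("P3", 1200, requested_by="dave", approved_by="dave"))

    return {
        "denials": denials,
        "ledger": [p.pid for p in system.ledger],
        "findings": detective_review(system),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running it shows the two denials the preventive control produces (dave approving his own payment, alice approving without the role) and one finding from the review (P3, posted with no authorised approval). Two points worth drawing out: the review is only as good as the authorisation log it reconciles against, so that log needs its own integrity protection, and a finding is evidence of a loss that has already happened, not a prevention of it, which is exactly the distinction the slide draws between the two types of control.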