It Governance


Transcript of It Governance

  • IT Governance: Information Security Governance

  • Acknowledgments
    Material is sourced from:
    - CISA Review Manual 2011, 2010, ISACA. All rights reserved. Used by permission.
    - CISM Review Manual 2012, 2011, ISACA. All rights reserved. Used by permission.
    Author: Susan J Lincke, PhD, Univ. of Wisconsin-Parkside
    Reviewers/Contributors: Todd Burri, Kahili Cheng

    Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

  • Objectives
    Students should be able to:
    - Describe IT governance committees: IT strategic committee, IT steering committee, security steering committee
    - Describe mission, strategic plan, tactical plan, operational plan
    - Define quality terms: quality assurance, quality control
    - Describe security organization members: CISO, CIO, CSO, Board of Directors, Executive Management, Security Architect, Security Administrator
    - Define policy, compliance, IT Balanced Scorecard, measure, ISO 9001, enterprise architecture
    - Define sourcing practices: insource, outsource, hybrid, onsite, offshore
    - Define policy documents: data classification, acceptable usage policy, access control policies

  • Corporate Governance
    - Corporate Governance: Leadership by corporate directors in creating and presenting value for all stakeholders
    - IT Governance: Ensure the alignment of IT with enterprise objectives; responsibility of the board of directors and executive mgmt

  • IT Governance Objectives
    - IT delivers value to the business
    - IT risk is managed
    Processes include:
    - Equip IS functionality and address risk
    - Measure performance of delivering value to the business
    - Comply with legal and regulatory requirements

  • IT Governance Committees
    - IT Strategic Committee (board members & specialists): focuses on direction and strategy; advises board on IT strategy and alignment; optimization of IT costs and risk
    - IT Steering Committee (business executives (IT users), CIO, key advisors (IT, legal, audit, finance)): focuses on implementation; monitors current projects; decides IT spending

  • IT Strategy Committee
    Main concerns:
    - Alignment of IT with business
    - Contribution of IT to the business
    - Exposure & containment of IT risk
    - Optimization of IT costs
    - Achievement of strategic IT objectives

  • IT Steering Committee
    Main concerns:
    - Makes decision on IT being centralized vs. decentralized, and assignment of responsibility
    - Makes recommendations for strategic plans
    - Approves IT architecture
    - Reviews and approves IT plans, budgets, priorities & milestones
    - Monitors major project plans and delivery performance

  • Strategic Planning Process
    - Strategic: Long-term (3-5 year) direction; considers organizational goals, regulation (and for IT: technical advances)
    - Tactical: 1-year plan moves organization to strategic goal
    - Operational: Detailed or technical plans

  • Security Strategic Planning
    Concerns shown beside the strategic, tactical and operational levels: Risk mgmt; Laws; Governance policy; Organizational security; Data classification; Audit; Risk analysis; Business continuity; Metrics development; Incident response; Physical security; Network security; Policy compliance; Metrics use

  • Strategic Planning
    Strategy: Achieve COBIT Level 4
    Tactical: During next 12 months:
    - Each business unit must identify current applications in use
    - 25% of all stored data must be reviewed to identify critical resources
    - Business units must achieve regulatory compliance
    - A comprehensive risk assessment must be performed for each business unit
    - All users must undergo general security training
    - Standards must exist for all policies

  • Standard IT Balanced Scorecard
    - Mission = Direction, e.g.: Serve business efficiently and effectively
    - Strategies = Objectives, e.g.: Quality thru Availability; Process Maturity
    - Measures = Statistics, e.g.: Customer satisfaction; Operational efficiency
    Establish a mechanism for reporting IT strategic aims and progress to the board

  • IT Balanced Scorecard
    Each perspective is filled in with Vision, Metrics and Performance:
    - Financial Goals: How should we appear to stockholders?
    - Internal Business Process: What business processes should we excel at?
    - Customer Goals: How should we appear to our customer?
    - Learning and Growth Goals: How will we improve internally?

  • Case Study: IT Governance (Strategic Plan, Tactical Plan)

    Strategic Plan:
      Objective                                      Timeframe
      Incorporate the business                       5 yrs
      Pass a professional audit                      4 yrs

    Tactical Plan:
      Objective                                      Timeframe
      Perform strategic-level security, includes:    1 yr
        Perform risk analysis                        6 mos.
        Perform BIA                                  1 yr
        Define policies                              1 yr

  • Case Study: IT Governance (Operational Planning)

      Objective                                                  Timeframe           Responsibility
      Hire an internal auditor and security professional         2 months: March 1   VP Finance
      Establish security team of business, IT, personnel         1 month: Feb. 1     VP Finance & Chief Info. Officer (CIO)
      Team initiates risk analysis and prepares initial report   3 months: April 1   CIO & Security Team

  • Enterprise Architecture
    - Constructing IT is similar to constructing a building
    - It must be designed and implemented at various levels: Technical (Hardware, Software); IT Procedures & Operations; Business Procedures & Operations
    Architecture grid:
    - Columns (aspects): Data; Functional (Applic.); Network (Tech); People (Org.); Process (Flow); Strategy
    - Rows (levels of abstraction): Scope; Enterprise Model; Systems Model; Tech Model; Detailed Representation

  • Sourcing Practices
    - Insourced: Performed entirely by the organization's staff
    - Outsourced: Performed entirely by a vendor's staff
    - Hybrid: Partially insourced and outsourced
    - Onsite: Performed at IS dept site
    - Offsite or Nearshore: Performed in same geographical area
    - Offshore: Performed in a different geographical region

    What advantages can you think of for insourcing versus outsourcing?

  • Quality with ISO 9001
    ISO 9001: Standard for Quality Mgmt Systems. Recommendations include:
    - Quality Manual: Documented procedures
    - HR: Documented standards for personnel hiring, training, evaluation
    - Purchasing: Documented standards for vendors: equipment & services
    - Gap Analysis: The difference between where you are and where you want to be

  • Quality Definitions
    - Quality Assurance: Ensures that staff are following defined quality processes, e.g., following standards in design, coding, testing, configuration management
    - Quality Control: Conducts tests to validate that software is free from defects and meets user expectations

  • Performance Optimization
    Phases of Performance Measurement include:
    - Establish and update performance metrics
    - Establish accountability for performance measures
    - Gather and analyze performance data
    - Report and use performance results
    Note: Strategic direction for how to achieve performance improvements is necessary

  • Categories of Performance Measures
    - Performance Measurement: What are indicators of good IT performance?
    - IT Control Profile: How can we measure the effectiveness of our controls?
    - Risk Awareness: What are the risks of not achieving our objectives?
    - Benchmarking: How do we perform relative to others and standards?

  • IS Auditor & IT Governance
    - Is the IS function aligned with the organization's mission, vision, values, objectives and strategies?
    - Does IS achieve performance objectives established by the business?
    - Does IS comply with legal, fiduciary, environmental, privacy, security, and quality requirements?
    - Are IS risks managed efficiently and effectively?
    - Are IS controls effective and efficient?

  • Audit: Recognizing Problems
    - End-user complaints
    - Excessive costs or budget overruns
    - Late projects
    - Poor motivation, high staff turnover
    - High volume of H/W or S/W defects
    - Inexperienced staff, lack of training
    - Unsupported or unauthorized H/W or S/W purchases
    - Numerous aborted or suspended development projects
    - Reliance on one or two key personnel
    - Poor computer response time
    - Extensive exception reports, many not tracked to completion

  • Audit: Review Documentation
    - IT Strategies, Plans, Budgets
    - Security Policy Documentation
    - Organization charts & Job Descriptions
    - Steering Committee Reports
    - System Development and Program Change Procedures
    - Operations Procedures
    - HR Manuals
    - QA Procedures
    - Contract Standards and Commitments: bidding, selection, acceptance, maintenance, compliance

  • Question: The MOST important function of the IT department is:
    1. Cost effective implementation of IS functions
    2. Alignment with business objectives
    3. 24/7 Availability
    4. Process improvement

  • Question: Product testing is most closely associated with which department:
    1. Audit
    2. Quality Assurance
    3. Quality Control
    4. Compliance

  • Question: "Implement virtual private network in the next year" is a goal at the level:
    1. Strategic
    2. Operational
    3. Tactical
    4. Mission

  • Question: Which of the following is not a valid purpose of the IS Audit?
    1. Ensure IS strategic plan matches the intent of the enterprise strategic plan
    2. Ensure that IS has developed documented processes for software acquisition and/or development (depending on IS functions)
    3. Verify that contracts followed a documented process that ensures no conflicts of interest
    4. Investigate program code for backdoors, logic bombs, or Trojan horses

  • Question: Documentation that would not be viewed by the IT Strategy Committee would be:
    1. IT Project Plans
    2. Risk Analysis & Business Impact Analysis
    3. IT Balanced Scorecard
    4. IT Policies

  • Information Security Governance: Governance, Policy, Risk

  • Information Security Importance
    - Organizations are dependent upon and are driven by information
    - Software = information on how to process
    - Data, graphics retained in files
    - Information & computer crime has escalated
    - Therefore information security must be addressed and supported at the highest levels of the organization

  • Security Organization
    - Board of Directors: Reviews risk assessment & business impact analysis; defines penalties for non-compliance with policies
    - Executive Mgmt: Defines security objectives and institutes security organization
    - Security Steering Committee: Chief Info Security Officer (CISO) and senior representatives of business functions; ensures alignment of security program with business objectives
    - Other positions: Chief Risk Officer (CRO); Chief Compliance Officer (CCO)

  • Security Governance
    - Strategic Alignment: Security solution consistent with organization goals and culture
    - Risk Management: Understand threats and cost-effectively control risk
    - Value Delivery: Prioritized and delivered for greatest business benefit
    - Performance Measurement: Metrics, independent assurance
    - Resource Management: Security architecture development & documentation
    - Process Integration: Security is integrated into a well-functioning organization

  • Executive Mgmt Info Security Concerns
    - Reduce civil and legal liability related to privacy
    - Provide policy and standards leadership
    - Control risk to acceptable levels
    - Optimize limited security resources
    - Base decisions on accurate information
    - Allocate responsibility for safeguarding information
    - Increase trust and improve reputation outside the organization

  • Legal Issues
    International trade and employment may be liable to different regulations than exist in the U.S., affecting:
    - Hiring
    - Internet business
    - Trans-border data flows
    - Cryptography
    - Copyright, patents, trade secrets
    Industry may be liable under legislation:
    - SOX: Sarbanes-Oxley: Publicly traded corp.
    - FISMA: Federal Info Security Mgmt Act
    - HIPAA: Health Insurance Portability and Accountability Act
    - GLBA: Gramm-Leach-Bliley: Financial privacy
    - Etc.

  • Road Map for Security (New Program)
    Steps:
    - Interview stakeholders (HR, legal, finance) to determine org. issues & concerns
    - Develop security policies for approval by Mgmt
    - Conduct security training & test for compliance
    - Improve standards
    - Develop compliance monitoring strategy
    Shown alongside the steps (documents created or read, and the group formed): Security Issues; Security Policies; Info Security Steering Committee; Training materials; Documentation

  • Security Relationships
    Relationships the security function maintains across the organization (diagram labels):
    - Security Strategy, Risk, & Alignment
    - Security requirements sign-off, Acceptance test, Access authorization
    - Laws & Regulations
    - Security monitoring, Incident resp., Site inventory, Crisis management
    - Security requirements and review
    - Change control
    - Security upgrade/test
    - Security requirements in RFP
    - Contract requirements
    - Security requirements
    - Access control
    - Hiring, training, roles & responsibility, Incident handling

  • Security Governance Framework

  • Secure Strategy: Risk Assessment
    Five steps include:
    1. Assign values to assets: Where are the Crown Jewels?
    2. Determine loss due to threats & vulnerabilities (Confidentiality, Integrity, Availability): Loss = Downtime + Recovery + Liability + Replacement
    3. Estimate likelihood of exploitation: Weekly, monthly, 1 year, 10 years?
    4. Compute expected loss: Risk Exposure = ProbabilityOfVulnerability * $Loss
    5. Treat risk: Survey & select new controls; Reduce, Transfer, Avoid or Accept risk
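    The five steps worked through in code, using the slide's two formulas. This is an added example, not part of the deck or the CISM manual; the clinic assets, dollar figures, intervals and the accept/reduce/transfer decision rule are constructed for illustration.

```python
"""Risk assessment worked through with the slide's formulas.
Added example, not from the original deck; all dollar figures, intervals
and the decision thresholds below are constructed for illustration."""
from dataclasses import dataclass

# Step 3 on the slide asks "Weekly, monthly, 1 year, 10 years?"; expressed here
# as the expected number of years between exploitations.
INTERVAL_YEARS = {"weekly": 1 / 52, "monthly": 1 / 12, "1 year": 1.0, "10 years": 10.0}


@dataclass(frozen=True)
class Threat:
    asset: str            # step 1: the asset (the "crown jewels" get the big numbers)
    downtime: float       # $ lost while the asset is unavailable
    recovery: float       # $ to restore service
    liability: float      # $ fines, notification, legal exposure
    replacement: float    # $ to replace equipment or data
    years_between: float  # step 3: expected years between exploitations


def single_loss(t: Threat) -> float:
    """Step 2: Loss = Downtime + Recovery + Liability + Replacement."""
    return t.downtime + t.recovery + t.liability + t.replacement


def annual_probability(years_between: float) -> float:
    """Step 3 as a per-year rate: a monthly event happens 12 times a year."""
    return 1.0 / years_between


def risk_exposure(t: Threat) -> float:
    """Step 4: Risk Exposure = ProbabilityOfVulnerability * $Loss, per year."""
    return annual_probability(t.years_between) * single_loss(t)


def treat_risk(t: Threat, control_cost: float, residual_years_between: float,
               appetite: float) -> str:
    """Step 5, with a constructed decision rule (not from the deck):
    accept exposure within appetite; reduce when the control's annual cost is
    less than the exposure it removes; otherwise look to transfer or avoid."""
    exposure = risk_exposure(t)
    if exposure <= appetite:
        return "Accept"
    residual = annual_probability(residual_years_between) * single_loss(t)
    removed = exposure - residual
    if removed >= control_cost:
        return "Reduce"
    return "Transfer or avoid (control not cost-justified)"


# Constructed sample threats for a small clinic
RANSOMWARE = Threat("patient records DB", downtime=40_000, recovery=25_000,
                    liability=100_000, replacement=5_000, years_between=2.0)
KIOSK = Threat("lobby kiosk", downtime=500, recovery=1_000, liability=0,
               replacement=0, years_between=INTERVAL_YEARS["monthly"])

if __name__ == "__main__":
    for t in (RANSOMWARE, KIOSK):
        print(f"{t.asset}: loss ${single_loss(t):,.0f}, "
              f"exposure ${risk_exposure(t):,.0f}/yr")
    # A $20k/yr control (offline backups + patching) that stretches the
    # ransomware interval to 10 years removes $68k/yr of exposure: Reduce.
    print(treat_risk(RANSOMWARE, control_cost=20_000,
                     residual_years_between=10, appetite=5_000))
    # A $30k/yr control for an $18k/yr exposure is not worth it.
    print(treat_risk(KIOSK, control_cost=30_000,
                     residual_years_between=1, appetite=5_000))
```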

  • Example Policy Documents
    - Data Classification: Defines data security categories, ownership and accountability
    - Acceptable Usage Policy: Describes permissible usage of IT equipment/resources
    - End-User Computing Policy: Defines usage and parameters of desktop tools
    - Access Control Policies: Define how access permission is defined and allocated
    After policy documents are created, they must be officially reviewed, updated, disseminated, and tested for compliance

  • Compliance Function
    - Compliance: Ensures compliance with organizational policies. E.g.: Listen to selected help desk calls to verify proper authorization occurs when resetting passwords
    - Best if compliance tests are automated
    - Over time: Audit is a snapshot of compliance at a point in time; Compliance is an ongoing process that ensures adherence to policies

  • Compliance Program: Security Review or Audit Test
    - Objective: Is our web interface to the DB safe?
    - Scope: Penetration test on DB
    - Constraints: Must test between 1-4 AM
    - Approach: Tester has valid session credentials; specific records allocated for test
    - Test: SQL Injection
    - Result: These problems were found:

  • Security Positions
    - Security Architect: Design secure network topologies, access control, security policies & standards; evaluate security technologies; work with compliance, risk mgmt, audit
    - Security Administrator: Allocate access to data under the data owner; prepare security awareness program; test security architecture; monitor security violations and take corrective action; review and evaluate security policy

  • Security Architect: Control Analysis
    Controls are analyzed for placement, effectiveness, efficiency, policy and implementation. Questions include:
    - Where are controls located? Are controls layered? Is control redundancy needed?
    - Does the control protect broadly or one application?
    - If a control fails, is there a control remaining? (single point of failure)
    - If a control fails, does the appl. fail?
    - Are controls reliable?
    - Do they inhibit productivity?
    - Are they automated or manual?
    - Are key controls monitored in real-time?
    - Are controls easily circumvented?
    - Do controls fail secure or fail open?
    - Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)?
    - Does the control align with policy & business expectation?
    - Have controls been tested?
    - Are controls self-protecting?
    - Do controls meet control objectives?
    - Will controls alert security personnel if they fail?
    - Are control activities logged and reviewed?

  • Control Practices
    These may be useful in particular conditions:
    - Automate Controls: Make technically infeasible to bypass
    - Access Control: Users should be identified, authenticated and authorized before accessing resources
    - Secure Failure: If compromise possible, stop processing
    - Compartmentalize to Minimize Damage: Access control required per system resource set
    - Transparency: Communicate so that the average layperson understands the control, leading to understanding & support
    - Trust: Verify communicating partner through trusted 3rd party (e.g., PKI)
    - Trust No One: Oversight controls (e.g., CCTV)
    - Segregation of Duties: Require collusion to defraud the organization
    - Principle of Least Privilege: Minimize system privileges

  • Security Administrator: Security Operations
    - Identity Mgmt & Access control
    - System patching & configuration mgmt
    - Change control & release mgmt
    - Security metrics collection & reporting
    - Control technology maintenance
    - Incident response, investigation, and resolution

  • Summary of Security Mgmt Functions
    - Develop security strategy: linked with business objectives; regulatory & legal issues are addressed; Sr Mgmt acceptance & support
    - Complete set of policies; standards & procedures for all relevant policies
    - Security awareness for all users and security training as needed
    - Classified information assets by criticality and sensitivity

  • Summary of Security Mgmt Functions
    - Effective compliance & enforcement processes: metrics are maintained and disseminated; monitoring of compliance & controls; utilization of security resources is effective; noncompliance is resolved in a timely manner
    - Effective risk mgmt and business impact assessment: risks are assessed, communicated, and managed; controls are designed, implemented, maintained, tested; incident and emergency response processes are tested; Business Continuity & Disaster Recovery Plans are tested

  • Summary of Security Mgmt Functions
    - Develop security strategy, oversee security program, liaise with business process owners for ongoing alignment
    - Clear assignment of roles & responsibilities
    - Security participation with Change Management
    - Address security issues with 3rd party service providers
    - Liaise with other assurance providers to eliminate gaps and overlaps

  • Question: Who can contribute the MOST to determining the priorities and risk impacts to the organization's information resources?
    1. Chief Risk Officer
    2. Business Process Owners
    3. Security Manager
    4. Auditor

  • Question: A document that describes how access permission is defined and allocated is the:
    1. Data Classification
    2. Acceptable Usage Policy
    3. End-User Computing Policy
    4. Access Control Policies

  • Question: The role of the Information Security Manager in relation to the security strategy is:
    1. Primary author with business input
    2. Communicator to other departments
    3. Reviewer
    4. Approves the strategy

  • Question: The role most likely to test a control is the:
    1. Security Administrator
    2. Security Architect
    3. Quality Control Analyst
    4. Security Steering Committee

  • Question: The role responsible for defining security objectives and instituting a security organization is the:
    1. Chief Security Officer
    2. Executive Management
    3. Board of Directors
    4. Chief Information Security Officer

  • Question: When implementing a control, the PRIMARY guide to implementation adheres to:
    1. Organizational Policy
    2. Security frameworks such as COBIT, NIST, ISO/IEC
    3. Prevention, Detection, Correction
    4. A layered defense

  • Question: The persons on the Security Steering Committee who can contribute the BEST information relating to ensuring Information Security success are:
    1. Chief Information Security Officer
    2. Business process owners
    3. Executive Management
    4. Chief Information Officer

  • Reference

    Slide #   Slide Title                          Source of Information
    4         Corporate Governance                 CISA: page 87, 88
    6         IT Governance Committees             CISA: page 90
    7         IT Strategy Committee                CISA: page 90
    12        Standard IT Balanced Scorecard       CISA: page 91
    16        Enterprise Architecture              CISA: page 94, 95 Exhibit 2.5
    17        Sourcing Practices                   CISA: page 106
    18        Quality with ISO 9001                CISA: page 112
    19        Quality Definitions                  CISA: page 116
    20        Performance Optimization             CISA: page 113, 114
    21        Categories of Performance Measures   CISA: page 114
    32        Security Organization                CISA: page 94, 95 Exhibit 2.4
    33        Security Governance                  CISA: page 92, 93
    39        Secure Strategy: Risk Assessment     CISM: page 100
    40        Example Policy Documents             CISA: page 100
    43        Security Positions                   CISA: page 116, 117

    This chapter covers CISA Review Manual up to Section 2.7 IS Management Practices. Much of 2.7 is not included for this Information Security course, which is designed particularly for undergraduates. The vocabulary for 2.7 Sourcing is included, but hiring/promotion/training/termination and most of outsourcing are not included. IS Roles & Responsibilities are not discussed, but Segregation of Duties is covered in the Fraud presentation. Risk is covered in the Risk presentation. Much or some of CISM Chapters 1 and 4 is also covered in this presentation. Sections of CISM Chapters 1 and 4 are covered in other presentations: Risk, Security Program Development, Network Security.

    The big idea here is that IT Governance serves the business, not itself (or IT). Presenting value = helping the organization pursue its goals, i.e. not an unnecessary expenditure. Stakeholders are anyone who has an interest in organizational goals (and is affected by policies), including business managers, partners, employees, and investors.

    The main goal of business is to provide value to the shareholders and be a good community neighbor (e.g., obey laws). The main purpose of IT is to support the business in its goals of providing value to the shareholders.

    IT Strategic is the highest level: they APPROVE business strategy and may help to DEFINE/DECIDE it. IT Steering is lower than IT Strategic, but involves management. Think Steering = deciding where to turn when driving a car. The car is still on the ground and navigates through real traffic.

    This group provides direction and a high-level overview. They will be concerned that: IT plans align with business plans; IT delivers promised benefits and objectives; all understand risk; IT delivers IT services at optimized costs; the group can track IT performance via metrics, scheduling, costs. The IT Strategy Committee ensures availability of IT resources, skills and infrastructure to meet strategic objectives. The IT Strategy Committee provides direction to management relative to IT strategy.

    Source: CISA Review Manual 2011, 2010, ISACA. All rights reserved. Used by permission.

    These are the functions of the lower management committee, the one which steers. They monitor progress of projects and detailed funding.

    Strategic is the highest level and involves Directors and top executives. Each level below that involves lower-level rungs on the management/employee ladder.

    The aspects covered at each level (Strategic/Tactical/Operational) are each listed beside that level. Thus, Risk Management is a Strategic Plan concern, while metrics use and policy compliance are Operational Plan concerns. Some concerns are concerns of two levels, such as Incident Response, which is a concern both at the Tactical and Operational levels.

    CMM = Capability Maturity Model. COBIT is an IT maturity model provided by ISACA. Level 4 means that all processes are documented and measured (via statistics). Levels range between 0 and 5. Here, the Tactical plan implements the Strategic goal of achieving COBIT level 4.

    The IT Balanced Scorecard defines IT's goals and how the goals will be measured. The mission is the direction for the department. The strategies are the specific objectives that support the mission. The measures are the statistics or measurements to determine whether the objectives and mission are being accomplished. Both of the management committees would be interested in this performance summary data.

    The IT Balanced Scorecard can address different areas, such as financial goals, customer goals, internal business process goals, and learning and growth goals.

    In the Workbook/Case Study, you will prepare a Strategic Plan, Tactical Plan and Operational Plan. Notice that the business's longer-term goals are part of the Strategic Plan. The Tactical Plan begins to achieve those goals, with shorter-term goals. The Operational Plan sets out specific tasks, milestone dates, and responsible persons.

    This model is for defining Business & IT systems. Horizontal = different aspects to be considered. Vertical = different levels of abstraction. Enterprise Model = Business Model; Systems Model = Architecture of systems; Technology Model = Technology selection; Detailed Representation = Configuration of Technology. If each entry is filled in, then the design is complete.

    Advantages of outsourcing: Economies of scale for reusable component software; More experience or cheaper.
    Advantages of insourcing: Retain control over IS; Loss of internal IS experience (when outsourced); Disgruntled employees (when outsourced).

    ISO 9001 is a worldwide quality standard from the International Standards Organization (ISO) that evaluates organizations to determine their maturity. There is a focus on Project Management and Defined Processes. HR = Human Resources. Gap analysis is an important concept. It defines where you currently are and where you want to be.

    Quality Assurance: Determines that the process (or creation/factory) is a quality process. Therefore few errors will occur, since defects do not ever enter the process. Quality Control: Concerned with testing. After we build something we test it. Often both exist, and should.

    Performance measurement tries to determine how effective a process is by using metrics (statistics) to gauge the performance of the current process versus a future process. Recent thought is that managers can't simply expect higher numbers without defining good strategies to get there; otherwise, people may cheat to get those numbers without actually improving anything.

    Measures are effectively statistics. This provides some categories for performance metrics.

    These are functions that an IS Auditor would be concerned with relative to IT governance. Fiduciary = Financial.

    These are things that an auditor would look for. Auditors would review this documentation. Do they follow best practices? Do they document processes well?

    Answer 2: Alignment with enterprise objectives.

    Answer 3: Quality Control = Test. Audit and Compliance verify that controls are defined and implemented properly, but this question assumes product testing, not security controls. Quality Assurance is concerned with quality throughout the process.

    Answer 3: This is a 1-year type general goal that can be broken down into multiple smaller Operational goals.

    Answer 4: The auditor is most concerned with documented processes and implementation. Where documentation is voluminous (e.g., code or transactions), randomly selected or selectively chosen samples may be evaluated.

    Answer 1: Project Plans. The IT Strategy Committee is the highest-level committee, and thus would be interested in high-level documentation, such as Risk, BIA, IT Balanced Scorecard, and policies. However, detailed project plans are not a concern.

    The previous section was on IT. This section is on IT Security.

    This slide emphasizes the increasing importance of IS in the organization, as well as the escalation in computer crime. Thus, it would be appropriate to have an IS security representative at the highest levels of the organization.

    The CISO exists whether one is allocated or not. If the responsibility is not explicitly delegated, then it will be held by default by the Chief Information Officer (CIO), Chief Technical Officer, Chief Financial Officer, or Chief Executive Officer. Again, the positions on the top are the highest level. The Security Steering Committee consists of senior representatives of business functions in combination with IS security. The point is alignment with business objectives.

    ISACA really stresses Strategic Alignment: IS serves business. For a doctor's office, the primary aim is not implementing a VPN. The primary aim is to serve patients, and this includes having patient records available full time. Also, staying legal is very important; all aspects of HIPAA are important. Process Integration: Security is not just the security department's responsibility. It should be everyone's responsibility.

    The column on the right is security-oriented regulation for the U.S. The left column indicates that regulation for other countries differs from the U.S., often in these areas.

    The steering committee is comprised of department heads or other management types. Their participation ensures both that security is aligned with business objectives and that management is on board with the security program.

    The IS Steering Committee is developed as part of the first step, gathering interested parties. This committee is then involved with the further steps. The left-hand side shows documentation that is created or read by each stage. In other words, Security Policies are developed, then used to generate training materials.

    The Security Manager needs to establish and maintain relationships throughout the organization.

    RFP = Request for Proposal: A document sent to vendors stating requirements and asking for bids.

    The security strategy must be linked with business objectives. The security organization must be devoid of conflicts of interest. A security framework considers all 4 of these aspects.

    See the Risk presentation for more details on this and subsequent Risk slides. This is here for review and emphasis. Risk is important to get management buy-in. Without management support, security has little opportunity. If they can see how expensive it is to ignore security, then perhaps they are willing to pay for it. The risk aspect puts a $ value on the security functions.

    Automated tests could include: PC check for good passwords, open applications, security settings; check for backup tape/disk registration; comparison of access control planned versus actual.

    This shows the format of a security review (audit test).

    The security administrator does system administration things related to security. The security architect understands more about security and can do more related to design.

    Here are some good control objectives, and audit questions.

    CCTV = Closed Circuit Television.

    Identity management = authentication. System patching: updating OS and applications with security fixes, as required. Change control: documenting and tracking changes to systems.
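    The "comparison of access control planned versus actual" listed above, and the Compliance Function slide's point that compliance tests are best automated, as an added example (not from the deck): planned access is derived from the access control policy's role approvals and the HR roster, actual access from a system export, and the differences become compliance findings. The roles, users, permissions and export format are constructed.

```python
"""Automated compliance test: planned access (access control policy approvals
plus HR roster) versus actual access (system export).
Added example, not from the deck; every name and grant below is constructed."""

# Planned: data-owner approvals per role (constructed access control policy)
PLANNED_ROLE_ACCESS = {
    "billing_clerk": {"patient_records:read", "billing_db:read", "billing_db:write"},
    "nurse": {"patient_records:read", "patient_records:write"},
    "it_admin": {"backup_server:admin"},
}

# HR roster: user -> role (constructed). Terminated users are absent.
HR_ROSTER = {"alice": "billing_clerk", "bob": "nurse", "carol": "it_admin"}

# Actual: system export, one "user,permission" grant per line (constructed)
ACTUAL_EXPORT = """\
# exported from the (hypothetical) access system
alice,patient_records:read
alice,billing_db:read
alice,billing_db:write
alice,backup_server:admin
bob,patient_records:read
carol,backup_server:admin
dave,billing_db:read
"""


def parse_export(text: str) -> set[tuple[str, str]]:
    """Turn the export into a set of (user, permission) grants; skip blanks and comments."""
    grants = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, perm = line.split(",", 1)
        grants.add((user.strip(), perm.strip()))
    return grants


def planned_grants(roster: dict[str, str],
                   role_access: dict[str, set[str]]) -> set[tuple[str, str]]:
    """What the policy says each rostered user should have."""
    return {(u, p) for u, r in roster.items() for p in role_access.get(r, set())}


def compliance_findings(actual: set[tuple[str, str]],
                        planned: set[tuple[str, str]],
                        roster: dict[str, str]) -> dict[str, list]:
    """Three finding types a compliance reviewer cares about:
    excess  - provisioned but never approved (least-privilege violation)
    missing - approved but not provisioned (user cannot do their job)
    orphans - accounts holding access for people no longer on the roster"""
    return {
        "excess": sorted(actual - planned),
        "missing": sorted(planned - actual),
        "orphans": sorted({u for u, _ in actual if u not in roster}),
    }


def is_compliant(findings: dict[str, list]) -> bool:
    return not any(findings.values())


def run_check() -> dict[str, list]:
    """Run the comparison on the constructed data (repeatable, so it can be scheduled)."""
    actual = parse_export(ACTUAL_EXPORT)
    planned = planned_grants(HR_ROSTER, PLANNED_ROLE_ACCESS)
    return compliance_findings(actual, planned, HR_ROSTER)


if __name__ == "__main__":
    findings = run_check()
    for kind, items in findings.items():
        for item in items:
            print(f"{kind.upper():8} {item}")
    print("compliant" if is_compliant(findings) else "NONCOMPLIANT")
```

    Running it reports alice's unapproved backup-server admin grant, bob's missing write access, and the orphan account dave.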

    Without senior management support, everyone will be too busy to do security. Therefore, this is of utmost importance. If you have policies, you must monitor that employees adhere to the policies. Controls assume that procedures are documented and technologies are provided for security. Compliance ensures that the policies are implemented. Companies that are audited are actually tested for all this. This is not just theory.

    Liaise = communicate/meet/come to agreement. 3rd party service providers: You contract with an organization that contracts with another organization. Change management: a formal procedure for proposing, approving and introducing changes into a process.

    Answer 2.

    Answer 4: Access Control Policies are concerned with permissions. Acceptable Use and End-User Computing are concerned with end-user use of computers, including access. But Access Control Policies are detailed directions on how permissions are granted.

    Answer 1: Primary author with help from business mgmt. The security strategy is approved by Executive Mgmt.

    The Security Administrator, like a system administrator, runs security software & hardware.

    Instituting the security organization can't be done by the CSO or CISO, who is part of the security organization (since you can't institute yourself). So Executive Management is the correct answer: 2. The Board of Directors approves security objectives, but does not define them. CSO = Security guard management.

    Controls are designed from Policy.

    Answer 2: Business Process Owners. They know the most about what needs protecting. They provide the requirements for security.