Security Program Development: Read Chapter 12 and pages 373-381


1. Info. Security Program Development

2. Acknowledgments

  • Material is from:
  • CISM Review Manual, 2009
  • How to Comply with Sarbanes-Oxley Section 404, M Ramos, Wiley, 2006
  • Author: Susan J Lincke, PhD
  • Univ. of Wisconsin-Parkside
  • Reviewers:
  • Funded by National Science Foundation (NSF) Course, Curriculum and Laboratory Improvement (CCLI) grant 0837574: Information Security: Audit, Case Study, and Service Learning.
  • Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and/or source(s) and do not necessarily reflect the views of the National Science Foundation.

3. Security Relationships

Diagram text (the Security Manager's relationships with other functions; pairings reconstructed from the slide labels):
  • Executive Mgmt: Security strategy & alignment
  • Business Risk Mgmt: IT risk assessment
  • Dept. Mgmt: Security requirements sign-off, acceptance test, access authorization
  • Legal Dept: Laws & regulations
  • IT Operations: Security monitoring, incident response, site inventory, crisis management
  • Quality Control: Security requirements and review, change control, security upgrade/test
  • Purchasing: Security requirements in RFP, contract requirements

4. Road Map for Security (New Program)

Diagram text (flow between the security function and the Info Security Steering Committee):
  • Interview stakeholders (HR, legal, finance) to determine org. issues & concerns → Security Issues
  • Develop security policies for approval by Mgmt → Security Policies
  • Conduct security training & test for compliance → Training materials
  • Improve standards → Documentation
  • Develop compliance monitoring strategy

5. Road Map for Security: Continuation Program

Security Review or Audit Test:

  • Objective: Is our web interface to the DB safe?
  • Scope: Penetration test on DB
  • Constraints: Must test between 1-4 AM
  • Approach:
    • Tester has valid session credentials
    • Specific records allocated for test
    • Test: SQL Injection
  • Result:
    • These problems were found:
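The test case in this plan ("Test: SQL Injection" against records allocated for the test) comes down to one question: does user input reach the database as data or as SQL text? The following is an added example, not code from the slides or from any product they describe; it uses an in-memory SQLite table with constructed sample rows, shows the defect the test is designed to surface beside the parameterized form that closes it, and reports whether a lookup returned more rows than the one record the input names.

```python
import sqlite3

# Constructed sample data, standing in for the "specific records allocated for test"
SAMPLE_ROWS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]


def make_test_db():
    """Create an in-memory database seeded with the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The defect the test is designed to find: the value is spliced into the
    SQL text, so the value can change what the statement means."""
    query = f"SELECT id, name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the driver binds the value as data, never as SQL."""
    query = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(query, (name,)).fetchall()


def run_injection_check(lookup):
    """Run the test plan's probe through a lookup function on a fresh test DB.
    Returns (row_count, widened): widened is True when the result set grew
    beyond the single record the input names, i.e. the input acted as SQL."""
    conn = make_test_db()
    probe = "alice' OR '1'='1"  # textbook tautology probe (constructed test input)
    rows = lookup(conn, probe)
    conn.close()
    return len(rows), len(rows) > 1


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterized):
        count, widened = run_injection_check(fn)
        verdict = "PROBLEM FOUND" if widened else "ok"
        print(f"{fn.__name__}: {count} rows returned, {verdict}")
```

The "Result" section of the plan would record the first line of that output as a finding (the query returned every customer) and the fix as "use bound parameters"; the second line is what a retest after the fix should show.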

6. Security Program Requirements

  • Must develop an enterprise security architecture at conceptual, logical, functional, and physical levels
  • Must manage risk to acceptable levels
    • Risk develops the Business Case that convinces mgmt security should be performed
  • Must be defined in business terms to help nontechnical stakeholders understand and endorse program goals
  • Must provide security-related feedback to business owners and stakeholders

7. Security Functions

Diagram text (each function with its activities):
  • Strategy: Monitor industry practices; provide recommendations
  • Policy: Policy, procedure, standards
  • Awareness: Training & publishing
  • Implementation: Security architecture and engineering
  • Compliance: Testing, logs, metrics
  • Monitoring: Metrics, investigation, security escalation

8. Policy Function: Policies & Procedures

  • Policies
    • Direction of management
    • Require approval from senior mgmt
    • Should change infrequently
    • Communicated to entire workforce via varied means
    • Technology-independent
    • Should have 24 or fewer
    • One general mandate, stated in 1-3 sentences
  • Procedures
    • Specific directions
      • Document every step
      • Change with the procedure
    • Provided on a need-to-know basis
    • Should be tested
    • Technology-specific

9. Example Policies

  • Risks and potential impacts must be managed utilizing appropriate controls and countermeasures to achieve acceptable levels at acceptable costs
  • Monitoring and metrics must be implemented, managed, and maintained to provide ongoing assurance that all security policies are enforced and control objectives are met.
  • Incident response capabilities sufficient to ensure that impacts do not materially affect the ability of the organization to continue operations must be implemented and managed
  • Business continuity and disaster recovery plans shall be developed, maintained and tested in a manner that ensures the ability of the organization to continue operations under all conditions

10. Awareness Function: Types of Security Training

  • Awareness: Create a security-conscious workforce
    • Audience: Employees, partners & vendors
    • Methods: Newsletters, surveys, quizzes, video training, forums, posters
  • Training: Necessary skills for a particular position
    • Audience: HR, legal, middle or top mgmt
    • Methods: Workshops, conferences
  • Education: High-level skills
    • Audience: High-skilled professions: audit, security admin/mgmt, risk mgmt
    • Methods: Organized and gradual development: teaching & coaching

11. Awareness Training

  • Signed employment agreements, video, memos, emails, posters, seminars and training classes
  • A combination of parallel approaches
  • Knowledge areas:
    • Back-up work-related files
    • Choosing passwords and avoiding exposure
    • Avoiding email and web viruses
    • Recognizing social engineers
    • Recognizing & reporting security incidents
    • Securing electronic & paper media against theft & exposure
    • Spotting malware that could lead to identity theft & desktop spying
  • Metrics should be established to determine effectiveness of change in behavior and workforce attitude

12. Implementation Function

Diagram text (publicly available, framework-guided implementation, by level):
  • Policy level: COBIT (free), NIST (free), ISO 17799 ($50), SABSA
  • Standards level: ISO 15408 ($90)
  • Procedures level: You develop

13. Security Standards

  • These standards can be used to develop or advance a security program (if one is not in place):
    • ISO/IEC 27001
    • ISACA COBIT

COBIT maturity levels (diagram text):
  • Lvl 0: Nonexistent
  • Lvl 1: Initial / Ad hoc
  • Lvl 2: Repeatable but intuitive
  • Lvl 3: Defined process
  • Lvl 4: Managed & measurable
  • Lvl 5: Optimized

Gap analysis: mark "where we are" and "where we want to be" on this scale, then ask what we need to do to achieve our goal.

14. Monitoring Function: Includes Metrics

  • Metrics allow independent auditors to attest that the security program is in place
  • Monitoring achievement of control objectives is more important than perfecting security procedures

15. Monitoring Function: Metrics

Diagram text (metrics by level; grouping reconstructed from the slide's order):
  • Strategic metrics: Project plan or budget metrics; risk performance; disaster recovery test results; audit results; regulatory compliance results
  • Tactical metrics: Policy compliance metrics; exceptions to policy/standards; changes in process or system affecting risk; incident management effectiveness
  • Operational metrics: Vulnerability scan results; server config. standards compliance; IDS monitoring results; firewall log analysis; patch mgmt status

16. Monitoring Function: Metrics

  • Risk: The aggregate ALE; % of risk eliminated, mitigated, transferred; # of open risks due to inaction
  • Cost effectiveness: What is the cost of workstation security per user? The cost of email spam and virus protection per mailbox?
  • Operational performance: Time to detect and contain incidents; % of packages installed without problem; % of systems audited in the last quarter
  • Organizational awareness: % of employees passing the quiz after training vs. 3 months later; % of employees taking training
  • Technical security architecture: # of malware identified and neutralized; types of compromises, by severity & attack type; attack attempts repelled by control devices; volume of messages (KB processed) by communications control devices
  • Security process monitoring: Last date and type of BCP, DRP, IRP testing; last date asset inventories were reviewed & updated; frequency of executive mgmt review activities compared to planned

17. Compliance Function
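The risk and organizational-awareness metrics on the slide above are only useful if they are computed the same way every reporting period, from the risk register and the training records rather than by hand. The following is an added example, not code from the slides or the CISM manual; the risk register and training roster it uses are constructed, and the treatment categories and the ALE-weighted "share of risk" definition are this example's choices.

```python
"""Risk and awareness metrics computed from a constructed risk register
and a constructed training roster (added illustration, not slide content)."""
from dataclasses import dataclass


@dataclass
class Risk:
    name: str
    sle: float       # single loss expectancy: cost of one occurrence
    aro: float       # annualized rate of occurrence
    treatment: str   # "open", "eliminated", "mitigated" or "transferred"

    @property
    def ale(self) -> float:
        """Annualized loss expectancy = SLE x ARO."""
        return self.sle * self.aro


# Constructed sample register (hypothetical figures)
RISK_REGISTER = [
    Risk("Ransomware on file server", sle=200_000, aro=0.5, treatment="mitigated"),
    Risk("Lost laptop with customer data", sle=50_000, aro=2.0, treatment="transferred"),
    Risk("SQL injection in web front end", sle=150_000, aro=0.2, treatment="open"),
    Risk("Legacy FTP service exposed", sle=10_000, aro=1.0, treatment="eliminated"),
]

# Constructed training roster: (employee, took_training, passed_after, passed_3_months_later)
TRAINING_ROSTER = [
    ("e1", True, True, True),
    ("e2", True, True, False),
    ("e3", True, False, False),
    ("e4", False, False, False),
    ("e5", True, True, True),
]


def aggregate_ale(risks):
    """Risk metric: the aggregate ALE across the register."""
    return sum(r.ale for r in risks)


def risk_share_by_treatment(risks):
    """Risk metric: % of risk (ALE-weighted) eliminated, mitigated,
    transferred, or still open, as a dict keyed by treatment."""
    total = aggregate_ale(risks)
    shares = {}
    for r in risks:
        shares[r.treatment] = shares.get(r.treatment, 0.0) + r.ale
    return {t: round(100 * v / total, 1) for t, v in shares.items()}


def open_risks_due_to_inaction(risks):
    """Risk metric: names of risks with no treatment decided."""
    return [r.name for r in risks if r.treatment == "open"]


def awareness_metrics(roster):
    """Organizational-awareness metrics: % taking training, % passing the quiz
    right after training, and % still passing 3 months later (the latter two
    are measured over those who took the training)."""
    trained = [row for row in roster if row[1]]

    def pct(k, m):
        return round(100 * k / m, 1) if m else 0.0

    return {
        "pct_taking_training": pct(len(trained), len(roster)),
        "pct_passing_after": pct(sum(1 for r in trained if r[2]), len(trained)),
        "pct_passing_3_months": pct(sum(1 for r in trained if r[3]), len(trained)),
    }


if __name__ == "__main__":
    print("Aggregate ALE:", aggregate_ale(RISK_REGISTER))
    print("Share of risk by treatment:", risk_share_by_treatment(RISK_REGISTER))
    print("Open risks:", open_risks_due_to_inaction(RISK_REGISTER))
    print("Awareness:", awareness_metrics(TRAINING_ROSTER))
```

The drop between `pct_passing_after` and `pct_passing_3_months` is the number the slide is really after: it measures retention, which is the change in behavior the awareness program is supposed to produce, not just attendance.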

  • Compliance: Ensures compliance with organizational policies
    • E.g.: Listen to selected help desk calls to verify proper authorization occurs when resetting passwords
  • Best if compliance tests are automated
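An automated compliance test compares each system's actual settings against the values the organization's standard requires and turns the result into the "policy compliance" and "exceptions to standards" metrics listed earlier. The following is an added example, not code from the slides; the internal standard, the four host snapshots and the control names are all constructed, and a missing setting is deliberately treated as noncompliant rather than skipped.

```python
"""Automated compliance test of server configurations against a constructed
internal standard (added illustration, not slide content)."""

# Constructed internal standard: control name -> (comparison, required value)
STANDARD = {
    "min_password_length": ("ge", 8),
    "ssh_root_login": ("eq", "no"),
    "days_since_last_patch": ("le", 30),
    "audit_logging": ("eq", "enabled"),
}

# Constructed snapshot of four hosts' current settings
HOSTS = {
    "web01": {"min_password_length": 12, "ssh_root_login": "no",
              "days_since_last_patch": 10, "audit_logging": "enabled"},
    "web02": {"min_password_length": 6, "ssh_root_login": "no",
              "days_since_last_patch": 45, "audit_logging": "enabled"},
    "db01": {"min_password_length": 12, "ssh_root_login": "yes",
             "days_since_last_patch": 5, "audit_logging": "enabled"},
    "db02": {"min_password_length": 8, "ssh_root_login": "no",
             "days_since_last_patch": 30, "audit_logging": "enabled"},
}


def _satisfies(op, required, actual):
    """Evaluate one control. A setting that cannot be read is a failure:
    'unknown' must never count as compliant."""
    if actual is None:
        return False
    return {"eq": actual == required,
            "ge": actual >= required,
            "le": actual <= required}[op]


def check_host(settings, standard=STANDARD):
    """Return the names of the controls this host fails (empty = compliant)."""
    return [name for name, (op, required) in standard.items()
            if not _satisfies(op, required, settings.get(name))]


def compliance_report(hosts, standard=STANDARD):
    """Policy-compliance metric: % of hosts passing every control,
    plus the per-host failure list that becomes the remediation queue."""
    failures = {host: check_host(cfg, standard) for host, cfg in hosts.items()}
    compliant = [h for h, f in failures.items() if not f]
    pct = round(100 * len(compliant) / len(hosts), 1) if hosts else 0.0
    return {"pct_hosts_compliant": pct, "failures": failures}


def exceptions_to_standard(report):
    """Exceptions metric: total number of failed controls across all hosts."""
    return sum(len(f) for f in report["failures"].values())


if __name__ == "__main__":
    report = compliance_report(HOSTS)
    print(f"{report['pct_hosts_compliant']}% of hosts compliant")
    print(f"{exceptions_to_standard(report)} exceptions to the standard")
    for host, failed in report["failures"].items():
        if failed:
            print(f"  {host}: {', '.join(failed)}")
```

Run on a schedule, the same function gives the ongoing compliance figure the next slide contrasts with an audit's one-time snapshot; the per-host failure list is what gets tracked as exceptions until the baseline reaches its goal.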

Diagram text (audit vs. compliance over time):
  • Audit: Snapshot of compliance at a point in time
  • Compliance: Ongoing process; ensures adherence to policies

18. Security Baseline

  • Today's baseline: We are at 50% compliance but are striving for 100%
  • Goal baseline: We hope to be COBIT Level 3 (or NIST compliant) within one year

19. Security Framework & Architecture

  • Framework: COBIT
  • Architecture: SABSA/Zachman
  • Controls

20. COSO

Committee of Sponsoring Organizations of the Treadway Commission. Diagram text (COSO components with their themes; pairings reconstructed from the slide labels):
  • Control Environment: Proper tone & action from top mgmt.
  • Risk Assessment: Identify & manage risk
  • Control Activities: Manage change; define policies & procedures
  • Monitoring: Monitor/audit controls
  • Information & Communication: Consider all info. sources: non-routine, external, informal

21. COSO: Two Levels of Controls

  • Entity-Level Control
    • Cuts across functions:
      • Personnel policies
      • Computer controls
      • Risk identification
      • Financial reporting processes
      • System-wide monitoring
  • Process Activity Level
    • Transaction processing is independent:
      • Purchasing transaction
      • Sales (credit) transaction
      • Account balances
      • Disclosures
    • Often documented via flowcharts

22. COBIT, COSO, SOX

Diagram relating COBIT, COSO and SOX; see http://www.isaca.org/

23. COBIT: Planning & Organization

  • Define a strategic plan
  • Define the information architecture
  • Define the IT organization and relationships
  • Communicate mgmt aims and direction
  • Manage human resources
  • Ensure compliance with external requirements
  • Assess risks
  • Manage quality

From: How to Comply with Sarbanes-Oxley Section 404, M Ramos, Wiley, 2006

24. COBIT: Acquisition and Implementation

  • Acquire and maintain application software
  • Acquire and maintain technology infrastructure
  • Develop and maintain procedures
  • Install and accredit systems
  • Manage changes

From: How to Comply with Sarbanes-Oxley Section 404, M Ramos, Wiley, 2006

25. COBIT: Delivery & Support

  • Define & manage service levels
  • Manage 3rd-party service levels
  • Manage performance & capacity
  • Ensure continuous service
  • Ensure systems security
  • Educate & train users
  • Manage the configuration
  • Manage problems & incidents
  • Manage data, facilities, operations

From: How to Comply with Sarbanes-Oxley Section 404, M Ramos, Wiley, 2006

26. COBIT: Monitoring

  • Monitor the process
  • Assess internal control adequacy
  • Obtain independent assurance

From: How to Comply with Sarbanes-Oxley Section 404, M Ramos, Wiley, 2006

27. SSE-CMM Process Overview

  • Engineering Process
  • Risk Process
  • Assurance Process

28. SSE-CMM: System Security Engineering Capability Maturity Model

  • Stage 0 Nonexistent: Control processes are not recognized as important
  • Stage 1 Initial/Ad Hoc: Control processes are important but no coordinated effort exists
  • Stage 2 Repeatable but Intuitive: Many controls are in place but not documented; events are tracked
  • Stage 3 Defined Process: Controls, policies, procedures, and event handling are fully documented
  • Stage 4 Managed and Measurable: Operating effectiveness is evaluated; automatic processes introduced
  • Stage 5 Optimized: Continual reevaluation ensures responsiveness and improvement

29. Level 1 Performed Informally

  • Security design is poorly defined
  • Security issues are dealt with in a reactive way
  • No contingency plan exists
  • Budgets, quality, functionality and project scheduling are ad hoc
  • No Process Areas

30. Level 2 Planned & Tracked

  • Procedures are established at the project level
  • Definition, planning & performance become de facto standards from project to project
  • Events are tracked
  • Common Features include:
    • Planning Performance
    • Disciplined Performance
    • Verifying Performance
    • Tracking Performance

31. Level 3 Well Defined

  • Standardized security processes across the organization
  • Personnel are trained to ensure knowledge and skills
  • Assurance (audits) tracks performance
  • Measures are defined based upon the defined process
  • Common Features include:
    • Defining a Standard Process
    • Perform the Defined Process
    • Coordinate Security Practices

32. Level 4 Quantitatively Controlled

  • Measurable goals for security quality exist
  • Measures are tied to the business goals of the organization
  • Common Features include:
    • Establish Measurable Quality Goals
    • Objectively Manage Performance (SLA)

33. Level 5 Continuously Improving

  • Continuous improvement arises from measures and security events
  • New technologies and processes are evaluated
  • Common Features include:
    • Improve Organizational Capability
    • Improve Process Effectiveness (ROI)

34. Security Architecture: SABSA

  • Contextual Security Architecture (Business View): Business risk model; business process model
  • Conceptual Security Architecture (Architect's View): Control objectives; security strategies & architecture
  • Logical Security Architecture (Designer's View): Security policies; security services
  • Physical Security Architecture (Builder's View): Security rules, practices, procedures; security mechanisms
  • Component Security Architecture (Tradesman's View): Security standards; security products & tools
  • Operational Security Architecture (Facility Manager's View): Operational risk mgmt; security service mgmt

Copyright SABSA Limited. Printed with permission. From: www.SABSA.com

35. SABSA Lifecycle

Diagram text: Strategy & Concept → Design → Implement → Manage & Measure, across the Contextual, Conceptual, Logical, Physical, Component and Operational layers; attributes are defined and measured.

Copyright SABSA Limited. Printed with permission. From: www.SABSA.com

36. Implementation of SABSA

  • Do the first 2 stages first; there can be considerable work in parallel for the subsequent stages.
  • For each stage answer: what, why, how, who, where, when
    • On the previous slide, what and why are provided.
  • When all 6 stages x 6 questions = 36 answers are done, the plan is complete

Diagram text (SABSA implementation stages in order):
  • Develop Contextual (Business Risk)
  • Develop Conceptual (Control Objectives)
  • Develop Logical (Security Policies)
  • Develop Physical (Security Procedures)
  • Develop Component (Security Tools)
  • Develop Operational (Service Mgmt)

Copyright SABSA Limited. Printed with permission. From: www.SABSA.com

37. Zachman Framework (Abbrev.)

www.ZIFA.com: Zachman Institute for Framework Architecture. The framework is a grid:
  • Columns (questions): What (Data), How (Function), Where (Network), Who (People), When (Time), Why (Motive)
  • Rows (layers): Scope (Planner), Business Model (Owner), System Model (Designer), Technology (Builder), Component (Implementer), Functioning (Worker)

38. Control Practices

  • These may be useful in particular conditions:
    • Automate controls: Make them technically infeasible to bypass
    • Access control: Users should be identified, authenticated and authorized before accessing resources
    • Secure failure: If compromise is possible, stop processing
    • Compartmentalize to minimize damage: Access control required per system resource set
    • Transparency: Communicate so that the average layperson understands the control → understanding & support
    • Trust: Verify the communicating partner through a trusted 3rd party (e.g., PKI)
    • Trust no one: Oversight controls (e.g., CCTV)
    • Segregation of duties: See next page
    • Principle of least privilege: Minimize system privileges

39. Separation of Duties

Diagram text (roles, and the relationships drawn between them):
  • Roles: Development; System/Network Admin; Business; Audit; Security/Compliance; Quality Control
  • Relationships: advises; delivers S/W to; serves; tests or ensures quality of S/W or production; advises & monitors for security; ensures procedures are professionally done

40. Summary of Physical Controls

  • Access Control
    • Walls, doors, locks
    • Badges, smart cards
    • Biometrics
    • Security cameras & guards
    • Fences, lighting, sensors
    • Locked files
    • Clean desk
    • Paper shredders
  • Environmental Controls
    • Backup power
    • Air conditioning
    • Fire suppressant

41. Control Analysis

Diagram text (questions grouped under Placement, Effectiveness, Efficiency, Policy and Implementation):
  • Where are controls located? Are controls layered? Is control redundancy needed? Does the control protect broadly or one application?
  • If the control fails, is there a control remaining (single point of failure)? If the control fails, does the application fail?
  • Are controls reliable? Do they inhibit productivity? Are they automated or manual? Are key controls monitored in real time? Are controls easily circumvented?
  • Do controls fail secure or fail open? Is the policy restrictive or permissive (denied unless expressly permitted, or vice versa)? Does the control align with policy & business expectation?
  • Have controls been tested? Are controls self-protecting? Do controls meet control objectives? Will controls alert security personnel if they fail? Are control activities logged and reviewed?

42. Due Diligence

  • Due Diligence = Did careful risk assessment (RA)
  • Due Care = Implemented recommended controls from RA
  • Liability minimized if reasonable precautions taken

Diagram text (elements of due diligence): Senior mgmt support; risk assessment; backup & recovery; policies & procedures; adequate security controls; compliance monitoring & metrics; business continuity & disaster recovery

43. Question

  • Which is MOST important for a successful security awareness program?
    • Technical training for security administrators
    • Aligning the training to organization requirements
    • Training management for security awareness
    • Using metrics to ensure that training is effective

44. Question

  • Who can contribute the MOST to determining the priorities and risk impacts to the organization's information resources?
    • Chief Risk Officer
    • Business Process Owners
    • Security Manager
    • Auditor

45. Question

  • Passwords shall be at least 8 characters long and require a combination of at least 3 of lower case, upper case, numeric, or symbol characters. This is an example of a:
    • Policy
    • Procedure
    • Guideline
    • Standard
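Whatever the question's answer, the password rule it quotes is a good illustration of a technology-independent statement that still has to be enforced somewhere in code. The following is an added example, not from the slides or the textbook: a checker that implements exactly the rule as written (at least 8 characters, at least 3 of the 4 character classes) and reports which part of the rule a candidate password fails, so the same function can serve a password-change screen and an automated compliance test. The class definitions via Python's `string` module are this example's interpretation of "symbol characters".

```python
"""Checker for the password rule quoted in the question: at least 8 characters
and at least 3 of {lower case, upper case, numeric, symbol}.
Added illustration; the character-class definitions are assumptions."""
import string

MIN_LENGTH = 8
MIN_CLASSES = 3

# Character classes (symbol = ASCII punctuation; an assumption of this example)
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "numeric": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password):
    """Return the set of class names that occur at least once in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def check_password(password):
    """Apply the rule and return (compliant, reasons).
    reasons is an empty list when the password passes; otherwise it lists
    every clause that failed, so the user is told the whole rule at once."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    found = character_classes(password)
    if len(found) < MIN_CLASSES:
        reasons.append(
            f"uses {len(found)} character class(es) "
            f"({', '.join(sorted(found)) or 'none'}); at least {MIN_CLASSES} required"
        )
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample candidates, no real credentials
    for candidate in ["Passw0rd", "password", "Abc1!", "correct horse", "Tr0ub4dor&3"]:
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'compliant' if ok else 'rejected: ' + '; '.join(why)}")
```

A space, as in "correct horse", belongs to none of the four classes, so it contributes length but not a class; that is the kind of edge the rule as written leaves to the implementer, and the checker makes the choice explicit instead of silently counting it as a symbol.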

46. Question

  • When implementing a control, the PRIMARY guide to implementation adheres to:
    • Organizational Policy
    • Security frameworks such as COBIT, NIST, ISO/IEC
    • Prevention, Detection, Correction
    • A layered defense

47. Question

  • To detect fraud, the BEST type of audit trail to log would be:
    • User session logs
    • Firewall incidents
    • Operating system incidents
    • Application transactions

48. Question

  • The FIRST step in the SABSA approach is to:
    • Evaluate existing controls
    • Determine current security practices
    • Determine business risk
    • Define policies and procedures

49. Question

  • In the architectural or design stage of the security life cycle, the MOST important guideline is:
    • Least Privilege
    • Management approval
    • Prevention, detection, correction
    • Confidentiality, Integrity, Availability

50. Question

  • The PRIMARY focus of COBIT or CMM Level 4 is:
    • Security Documentation
    • Metrics
    • Risk
    • Business Continuity

51. Question

  • The MOST important metrics when measuring compliance include:
    • Metrics most easily automated
    • Metrics related to intrusion detection
    • Those recommended by best practices
    • Metrics measuring conformance to policy

52. Question

  • Due Diligence ensures that:
    • An organization has exercised the best possible security practices according to best practices
    • An organization has exercised acceptably reasonable security practices addressing all major security areas
    • An organization has implemented risk management and established the necessary controls
    • An organization has allocated a Chief Information Security Officer who is responsible for securing the organization's information assets

53. Vocabulary

  • Baseline, gap analysis, metrics, compliance
  • Security awareness, security training, security education
  • COBIT, CMM, Levels 1-5
  • Due Diligence, Due Care
  • Answer questions from book page 1101: 1-10, 19, 24-25.