ACG 6415 SPRING 2012
KRISTIN DONOVAN & BETH WILDMAN
IT Security Frameworks
Governance Framework – specifies how to do security planning and implementation
Multiple frameworks exist: CobIT, ISO/IEC 27000, COSO
Why are IT Security Frameworks needed?
Sarbanes-Oxley Act of 2002 (SOX) Section 404 – public companies must use an internal control framework and perform annual assessments; no specific framework is required
PCAOB Audit Standard No. 2 – a control framework should be used to test the effectiveness of accurate financial reporting
Information can be the most valuable asset a company has
COBIT & ISO 27000 FAMILY
Two Popular IT Security Frameworks
CobIT
Control Objectives for Information and Related Technology
Developed in conjunction with the “Big Four” accounting firms
Published by the IT Governance Institute
Broad framework to implement IT controls
CobIT
Focuses on four areas of control:
Planning and Organization (Plan)
Acquisition and Implementation (Do)
Delivery and Support (Check)
Monitoring (Correct)
34 high level control objectives
318 detailed control objectives
CobIT
Maturity Model – tool for management to go through the company’s current IT processes and determine whether they are effective or non-existent
Assists in determining which areas require more effort
Once the environment has been assessed, management can develop:
Critical success factors
Key performance indicators
Key goal indicators
CobIT
Plan and Organize – necessary to ensure the objectives of “Acquire & Implement” and “Delivery & Support” are met
Establish the corporate vision
Determine level of acceptable risk
Focuses on the best way to implement the IT structure
CobIT
Plan and Organize Control Objectives
1. PO1 – Define a strategic IT plan
2. PO2 – Define the information architecture
3. PO3 – Determine technological direction
4. PO4 – Define the IT processes, organization, and relationships
5. PO5 – Manage the IT investment
6. PO6 – Communicate management aims and direction
7. PO7 – Manage IT human resources
8. PO8 – Manage quality
9. PO9 – Assess and manage IT risks
10. PO10 – Manage projects
CobIT
Acquire and Implement – after planning is completed, the company must determine how to implement the new internal control process
Can involve acquiring new technologies
CobIT
Acquire and Implement Control Objectives
1. AI1 – Identify automated solutions
2. AI2 – Acquire and maintain application software
3. AI3 – Acquire and maintain technology infrastructure
4. AI4 – Enable operation and use
5. AI5 – Procure IT resources
6. AI6 – Manage changes
7. AI7 – Install and accredit solutions and changes
CobIT
Deliver and Support
Controls cost
Guarantees the three initiatives of confidentiality, availability, and integrity are in place
Ensures new controls are maintained
CobIT
Deliver and Support Control Objectives
1. DS1 – Define and manage service levels
2. DS2 – Manage third party services
3. DS3 – Manage performance and capacity
4. DS4 – Ensure continuous service
5. DS5 – Ensure systems security
6. DS6 – Identify and allocate costs
7. DS7 – Educate and train users
8. DS8 – Manage service desk incidents
9. DS9 – Manage the configuration
10. DS10 – Manage problems
11. DS11 – Manage data
12. DS12 – Manage the physical environment
13. DS13 – Manage operations
CobIT
Monitor and Evaluate – measures whether the controls implemented are sufficient
Assurance that the company is meeting regulatory requirements
Attends to the issue of ongoing evaluation
CobIT
Monitor and Evaluate Control Objectives
ME1 – Monitor and evaluate IT performance
ME2 – Monitor and evaluate internal controls
ME3 – Ensure compliance with external requirements
ME4 – Provide IT governance
CobIT
Broad framework, covering a large range of internal controls
Does not give specific ways to make the company’s information more secure
ISO 27000 Series
Issued by the International Standards Organization
Popular globally, used by companies within the US and those abroad
Includes multiple standards: 27001, 27002, 27003, 27004, 27005, 27006, 27007, 27008
ISO 27000 Series
ISO 27001 – “Specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented Information Security Management System.” (ISO)
ISO 27002 – focuses on information security and lists controls and control mechanisms which can be implemented to comply with ISO 27001
ISO 27000 Series
ISO 27002 covers 11 main areas of information security management
1. Security Policy – creating policies based on the organization’s needs
2. Organization of Information Security – managing of the security infrastructure
3. Asset Management – assigning responsibility for assets & physical security of the assets
4. Human Resource Security – personnel screening, code of conduct, training, and a process to address violations
5. Physical & Environmental Security – analyzing the environment, securing the physical perimeter, and appropriate controls
ISO 27000 Series
ISO 27002
6. Communications and Operations Management – ensures correct and secure operations of assets
7. Access Control – “Properly protect access to an organization’s information, such as controls required to combat hacker attempts and other malicious attempts to access organization networks and information.” – Wallace
8. Information Systems Acquisition, Development, & Maintenance – discusses security requirements needed
9. Information Security Incident Management – plan for reporting and managing security events, incidents, and weaknesses
ISO 27000 Series
ISO 27002
10. Business Continuity Management – plans to address disruptions in normal operations and ongoing reassessment of plans
11. Compliance – “is intended to ensure that the organization avoids breaches of any criminal or civil law, as well as any statutory, regulatory or contractual obligations, and of any security requirements.” – Calder
ISO 27000 Series
If all controls are implemented properly, the company will be in compliance with SOX (in regards to IT security)
Focuses solely on IT security
CobIT vs. ISO 27000 Series
Compare
Both relate to IT controls
Created based on past experience
Continuously refined
Contrast
CobIT is a broad framework on how to implement internal controls
ISO focuses exclusively on IT security
A combination of CobIT & ISO 27000 provides an organization with the best IT security.
ISO 27000 and CobIT Mapping
The IT Governance Institute has created a mapping between ISO 27000 and CobIT
Links ISO 27000 control objectives to each dimension in the CobIT framework
Results in a framework that is high-level enough to be integrated with IT governance and overall corporate governance
Also detailed enough to provide managers with the necessary steps to implement these controls
ISO 27000 and CobIT Mapping
CobIT: Deliver & Support 5.2 – relates to identification, access, and authorization
“The logical access to and use of IT computing resources should be restricted by the implementation of adequate identification, authentication and authorization mechanisms, linking users and resources with access rules.” (IT Governance, COBIT Mapping)
ISO 27000 and CobIT Mapping
ISO objectives (listed in parentheses next to each item below) state exactly what should be done to meet the requirements of COBIT DS5.2
Access of third parties should be controlled (4.2).
Adequate privilege management should be included in application systems. Authorizations should be documented and follow a defined process (9.2.2).
Passwords should be used for authentication. Passwords should be given to identified users in a secure manner and not in unprotected electronic mail messages (9.2.3).
Access controls to internal and external networked services should be in place (9.4).
ISO 27000 and CobIT Mapping
User authentication for external connections should be controlled. Access restrictions should be based on a risk assessment. Authentication should consider hardware tokens, challenge/response protocols, dial-back or other mechanisms (9.4.3).
Authentication mechanisms should be based on node authentication, if applicable (9.4.4).
Access controls (e.g., key locks) should ensure that only required access can be obtained. This should include procedures and arrangements (9.4.5).
Special access controls should be in place for shared networks (9.4.7).
Identity should be verified as part of operating system access control. Identification of the user’s location should be considered (9.5).
ISO 27000 and CobIT Mapping
Connection to specific locations should be based on automatic terminal identification, when appropriate (9.5.1).
Requirements for terminal logon procedures (e.g., maximum number of unsuccessful logon attempts) provided in the ISO standard should be considered (9.5.2).
A unique user ID should be required for all individuals. Users’ privileges should not be identifiable by the user ID. A shared user ID should be used only when a clear business case exists. Identification and authentication can be based on passwords, biometric technologies or a combination of technologies (9.5.3).
A good password management system raises the quality of passwords and should be implemented. Requirements for password management systems are provided in the ISO standard (9.5.4).
Access should be ended after a defined time-out delay. Alternatively, screen savers that prevent unauthorized access to terminals can be used (9.5.7).
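Added example (not from the slides): a small Python logon gate that enforces three of the ISO 27002 controls mapped to DS5.2 above: unique, non-privilege-revealing user IDs (9.5.3), a cap on unsuccessful logon attempts (9.5.2), and an idle time-out on sessions (9.5.7). The thresholds and the list of privilege hints are assumed values chosen for the example.

```python
import hashlib, hmac, os
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 5                    # 9.5.2: lockout threshold (assumed value)
IDLE_TIMEOUT_SECONDS = 900                 # 9.5.7: idle time-out in seconds (assumed value)
PRIVILEGE_HINTS = ("admin", "root", "sa")  # 9.5.3: IDs must not reveal privileges (assumed list)

@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class LogonGate:
    accounts: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)  # user_id -> time of last activity (seconds)

    def register(self, user_id: str, password: str) -> None:
        # 9.5.3: one unique ID per individual, with nothing in it hinting at privilege
        if user_id in self.accounts:
            raise ValueError("user ID already in use")
        if any(hint in user_id.lower() for hint in PRIVILEGE_HINTS):
            raise ValueError("user ID must not reveal privileges")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(salt, _hash(password, salt))

    def login(self, user_id: str, password: str, now: float) -> bool:
        # 9.5.2: an account that reached the failure cap stays locked until reset
        acct = self.accounts.get(user_id)
        if acct is None or acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False  # unknown and locked IDs fail identically
        if not hmac.compare_digest(_hash(password, acct.salt), acct.password_hash):
            acct.failed_attempts += 1
            return False
        acct.failed_attempts = 0
        self.sessions[user_id] = now
        return True

    def touch(self, user_id: str, now: float) -> bool:
        # 9.5.7: end the session if idle beyond the time-out, otherwise refresh it
        last = self.sessions.get(user_id)
        if last is None or now - last > IDLE_TIMEOUT_SECONDS:
            self.sessions.pop(user_id, None)
            return False
        self.sessions[user_id] = now
        return True
```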
Conclusion
SOX’s strong focus on internal controls has required organizations to implement an IT governance framework
Companies must review and report on internal controls with management and external auditors
A combination of CobIT and ISO 27000 series is the best way to ensure compliance