Information Security and Risk Management



Information Security

 Industry Standards and COBIT Framework

 Relation to COSO Internal Control



Risk Management

 IT and Security Concepts

 COBIT and COSO Perspectives



Monitoring

 Procedural and Technical



Some Industry Standards

 International Standards Organization (ISO) 27000 Series

 Information Security Forum (ISF) – Standard of

Good Practice for Information Security

 National Institutes of Standards and Technology (NIST)

 Payment Card Industry Data Security Standard (PCI DSS)



ISACA defines information security as something

that:

Ensures that within the enterprise, information is protected against disclosure to unauthorized users (confidentiality), improper modification (integrity), and non-access when required (availability).



Extended view of COBIT 5

 Explains each component from information security perspective

 Provides:

 Guidance on drivers and benefits

 Principles from an information security perspective

 Enablers for support

 Alignment with standards

COBIT 5 for Information Security

Information Security Principles

Information Security Policy Specific Information Security Policies



Information Security Principles

 Support The Business

 Defend the Business

 Promote Responsible Information Security Behavior



Information Security Policy Scope – including:

 A definition for the enterprise

 Responsibilities

 Vision, with appropriate goals and metrics



Policy Driven by Information Security

 Access Control

 Personnel Information Security Policy

 Physical and Environmental Information Security Policy



Policy Driven by the Enterprise – including:

 Business Continuity and Disaster Recovery

 Acceptable Use

 Communication and Operations

 Risk Management



Control Environment

 Principal 1: The organization demonstrates a commitment to integrity and ethical values

 Principal 3: Management establishes, with board oversight, structures, reporting lines, and

appropriate authorities and responsibilities in the pursuit of objectives

 Principal 5: The organization holds individuals accountable for their internal control

responsibilities in the pursuit of objectives



Risk Assessment

 Principal 6: Identifies and analyzes risk

 Principal 9: Identifies and analyzes change



Control Activities

 Principal 12: Deploys policies and procedures



Monitoring Activities

 Principal 16: Conducts evaluations



PCI DSS 3.0 Requirements



COBIT 5 Enabling Processes



Example Mapping



Top 5 Threat Actions

1) Use of Stolen Credentials (hack) 2) Export Data (malware)

3) Phishing (social engineering)

4) _{Ram Scraper (malware)}

5) Backdoor (malware)



_{Top 5 Breach Incident Methods}

1) 35% Web App Attacks

2) 22% Cyber-espionage

3) 14% POS Intrusions

4) 9% Card Skimmers

5) 8% Insider Misuse



Have you assessed the risk of your IT environment?



For example, your Internal Controls may prevent an

employee from creating fraudulent checks, but...



Is your (or your customer’s) information being siphoned

off the network?



The Goal of an IT Risk Assessment

 Define threats and potential threats (internal or external)

 Identify areas that are not adequately protected

 Identify areas that do not meet regulatory requirements (compliance)

 Understand the security impact of new technologies



Identify Threats and Vulnerabilities

Risk Management (cont.)

Critical Asset Known Threats Vulnerabilities

Information, Server, Website

Cyber attack, DDOS attack, Staff errors



_{Rank the risk to each asset}

 _{Likelihood or Probability – How likely is the threat to}

occur? Or how likely is the vulnerability to be exploited?

 _{Severity or Impact – What would be the cost to the}

business? Consider downtime, brand name, cost of recovery, and cost of penalties.



_{One way to rank risks (time for some math)}

Probability (%) =

Likelihood of threat occurring and being successful (Threat + Vulnerability)

Impact (1-5, where 5 is highest impact) = Actual or anticipated cost to the business



_{Remember the threats from earlier?}



98% of all attacks lead to a compromise in LESS THAN

1 DAY!



_{Only 25% of all companies detected the compromise in}

less than 1 day



_*

_{Median days to discovery – 229 DAYS}

_!



_{COSO Monitoring and COBIT 5}

Monitoring

16

The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

MEA02

The COBIT 5 Processes enabler guidance specifically addresses monitoring, evaluation and assessment of internal control adequacy (COBIT 5 process MEA02 Monitor, evaluate and assess the system

of internal control).

17

The organization evaluates and

communicates internal control deficiencies in a timely manner to those parties

responsible for taking corrective action, including senior management and the board of directors, as appropriate.

EDM05 MEA02

In addition to MEA02, COBIT 5 process EDM05 Ensure stakeholder transparency includes practices and

activities to evaluate, direct and monitor stakeholder reporting and communication requirements, including those related to control deficiencies, to senior



_{Network Monitoring}



It is necessary to understand your network

 “_{If you do not know what is on your network, you cannot}

defend it effectively. If you do not know how devices on your network are configured and set up, you cannot know how to protect and secure them.”

--Dr. Eric Cole, recent inductee to the Infosecurity Europe Hall of Fame



Don’t forget to look inside



There’s a whole network behind your firewall

Monitoring – Network Activity



Look inside your network to discover



_{Malicious software, trojan horses, spam-bots, etc.}



_{All “phone home” to a command and control (C2)}

system



Watch your outgoing traffic, not just incoming