Page 1

Control and Security Frameworks

Chapter Three

Prepared by: Raval, Fichadia

Raval • Fichadia. John Wiley & Sons, Inc., 2007

Page 2

Chapter Three Objectives

1. Understand risks faced by information assets.
2. Comprehend the relationship between risk and asset vulnerabilities, and comprehend the nature and types of threats faced by the asset.
3. Understand the objectives of control and security of information assets and how these objectives are interrelated.
4. Understand the building blocks of control and security frameworks for information systems.
5. Apply a controls framework to a financial accounting system.

Page 3

[Figure: concept map of the chapter. Nodes: Information Assets; Risks; Risk Management Control Measures; Threats; Vulnerabilities; Internal control objectives; Information Security Objectives; Frameworks for control and security. Edge labels: increase, exploit, experience, have, are mitigated by, are a part of, are exposed to, that are addressed by, to attain, using.]

Page 4

Protecting Information Assets

It is necessary to protect information assets:
There is a potential for compromises of such assets.
There may be attacks on the information assets.
There may be unintentional compromises of information assets.
Systems are subject to regulatory protection requirements.

[Figure: Information Assets need protection from Attacks and Unintentional Compromises, and should meet Regulatory Protection Requirements such as Privacy, which require Control and Security Measures to protect the assets.]

Page 5

Vulnerabilities and Threats

Vulnerability: A weakness in the information assets that leads to risk.
Threat: The probability of an attack on the information asset.
Attack: A series of steps taken by an attacker to achieve an unauthorized result.
Threat agent: An entity, typically a person, who triggers a threat.
Countermeasure: An antidote or an action that dilutes the potential impact of a known vulnerability.

Page 6

[Figure: Information Assets, Unintentional Compromises, Vulnerabilities (from Internal Sources and External Sources), Threats and Attacks. Edge labels in the source: result in, on, have, from, add to or exploit, face.]

Page 7

Internal Control

Definition of internal control: A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.

Classification of internal controls:
General controls and application controls
Detective, preventive, and corrective controls

Page 8

Information Security

Definition of information security: Protection of information assets from harm.

Classification of information security measures: Physical and logical security.

Page 9

Relationship between internal control and information security

Steps taken to protect a system are called measures, or countermeasures.
These measures are essentially various types of controls.
Thus, security is ensured through the implementation of controls.
Reference to specific controls implemented for information security is often made as “security controls.”
The terms security and control are often used as if they are synonyms.
General controls often overlap with security measures.

Page 10

Frameworks for Control and Security: COBIT

COBIT: Control Objectives for Information and related Technology.
The framework helps bridge the gap between business risk, control needs, and technical issues.
The framework’s approach is process oriented.
IT processes are classified into five categories (domains): manage IT investment, acquire and implement, deliver and support, and monitor and evaluate.
The framework includes 34 high-level control objectives, which are translated into over 300 detailed objectives.
Control activities support control objectives.
Control activities, linked to IT processes, include policies, organizational structures, and practices and procedures.

Page 11

Frameworks for Control and Security: ISO 17799

ISO 17799 is a standard focused on the protection of information assets.
It is broadly applicable across industries; therefore it is a high-level standard.
It is a general model that follows from Part I of British Standard 7799 (BS 7799).
The standard is organized into ten categories (sections).
Each section is divided into subcategories, each of which includes a broad implementation approach (method).

Page 12

Frameworks for Control and Security: COSO

COSO: The Committee of Sponsoring Organizations.
It is an integrated framework of internal controls.
It proposes five components of internal controls.
Together, the five components and the relationships among them make a holistic framework of internal controls.

Page 13

COSO: Components of Internal Control

Risk assessment
Control environment
Control activities
Information and communication
Monitoring

Page 14

[Figure: COSO Framework, showing its five components: Risk Assessment, Control Environment, Control Activities, Information and Communication, Monitoring.]

Page 15

Internal Control and Information Security Objectives

Internal control objectives:
Efficiency of operations
Effectiveness of operations
Reliability of information
Compliance with applicable laws and regulations

Information security objectives:
Information integrity
Message integrity
Confidentiality
User authentication
Nonrepudiation
Systems availability

Page 16

A Comparison of Internal Control and Information Security Objectives

[Table: rows are objectives of information security (Information integrity, Confidentiality, User authentication, Non-repudiation, Availability); columns are objectives of internal controls (Effectiveness of operations, Efficiency of operations, Reliability of information, Compliance with regulations). An X marks each internal control objective that a security objective supports: Information integrity, Confidentiality, Non-repudiation and Availability each carry one X, and User authentication carries two; the column positions of the Xs did not survive extraction.]

Page 17

Implementing a Framework

[Figure: a class of transactions is processed by a process, which has risks and affects information assets; risks are to be managed through controls; controls are classified as general (IT general controls and non-IT general controls) or application controls; design effectiveness and operational effectiveness impact the controls. Edge labels in the source: Affects, Is processed by, has, Are to be managed through, impact, Classified as.]
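As an added example (not from the textbook or its authors), the following Python sketch applies the Page 7 classification of controls and the Page 17 implementation model to a hypothetical cash-disbursements transaction class; the transaction, risk and control names are all constructed for illustration. A risk counts as covered only when some control addressing it is effective in both design and operation, which is the check an auditor applies before relying on a control.

```python
# Added example (not from the textbook): control-coverage check for a hypothetical AP system.
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    kind: str                  # preventive, detective or corrective
    scope: str                 # application, it_general or non_it_general
    design_effective: bool     # is it designed to address its risks?
    operating_effective: bool  # did it actually operate as designed?
    risks: tuple               # names of the risks it is meant to address

    def effective(self) -> bool:
        return self.design_effective and self.operating_effective

@dataclass
class TransactionClass:
    name: str
    process: str
    assets: tuple              # information assets the process affects
    risks: tuple               # risks the process has
    controls: list = field(default_factory=list)

def uncovered_risks(tc: TransactionClass) -> list:
    """Risks with no control effective in both design and operation."""
    covered = {r for c in tc.controls if c.effective() for r in c.risks}
    return [r for r in tc.risks if r not in covered]

def control_mix(tc: TransactionClass) -> dict:
    """Effective controls per kind: are all three layers present?"""
    mix = {"preventive": 0, "detective": 0, "corrective": 0}
    for c in tc.controls:
        if c.effective():
            mix[c.kind] += 1
    return mix

# Constructed sample: cash disbursements in a hypothetical AP process.
DISBURSEMENTS = TransactionClass(
    "cash disbursements", "accounts payable",
    assets=("vendor master file", "general ledger"),
    risks=("duplicate payment", "payment to fictitious vendor",
           "unauthorized GL change"),
    controls=[
        Control("three-way match", "preventive", "application",
                True, True, ("duplicate payment",)),
        Control("vendor master approval", "preventive", "non_it_general",
                True, False, ("payment to fictitious vendor",)),
        Control("GL change log review", "detective", "it_general",
                True, True, ("unauthorized GL change",)),
    ],
)
```

In the sample the vendor master approval is designed correctly but did not operate, so the fictitious-vendor risk is reported as uncovered and no corrective layer exists at all.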

Page 18

Assurance Considerations

Without a framework, no objectives can be achieved with a high degree of assurance.
A first step toward assurance is to adopt a holistic framework.
Elements of more than one framework can be combined into the framework adopted by an entity, to provide necessary granularity.
The framework allows for a systematic approach to the design, implementation, and audit of control and security systems.
The business may seek assurance regarding proper implementation of a chosen framework.

Page 19

[Figure: chapter summary, repeating the concept map from Page 3. Nodes: Information Assets; Risks; Risk Management Control Measures; Threats; Vulnerabilities; Internal control objectives; Information Security Objectives; Frameworks for control and security. Edge labels: increase, exploit, experience, have, are mitigated by, are a part of, are exposed to, that are addressed by, to attain, using.]