Control and Security Frameworks
Chapter Three
Prepared by: Raval, Fichadia
John Wiley & Sons, Inc. 2007
Chapter Three Objectives
1. Understand risks faced by information assets.
2. Comprehend the relationship between risk and asset vulnerabilities, and comprehend the nature and types of threats faced by the asset.
3. Understand the objectives of control and security of information assets and how these objectives are interrelated.
4. Understand the building blocks of control and security frameworks for information systems.
5. Apply a controls framework to a financial accounting system.
[Chapter concept map: Information assets have vulnerabilities and experience threats; threats exploit vulnerabilities and increase risk; assets are exposed to risks, which are mitigated by risk management control measures; these measures are applied to attain internal control objectives and information security objectives, using frameworks for control and security.]
Protecting Information Assets
It is necessary to protect information assets:
There is a potential for compromises of such assets.
There may be attacks on the information assets.
There may be unintentional compromises of information assets.
Systems are subject to regulatory protection requirements.
[Diagram: Information assets need protection from attacks and from unintentional compromises, and should meet regulatory protection requirements such as privacy; both require control and security measures to protect the assets.]
Vulnerabilities and Threats
Vulnerability: A weakness in the information assets that leads to risk.
Threat: The probability of an attack on the information asset.
Attack: A series of steps taken by an attacker to achieve an unauthorized result.
Threat agent: An entity, typically a person, who triggers a threat.
Countermeasure: An antidote or an action that dilutes the potential impact of a known vulnerability.
[Diagram: Information assets have vulnerabilities, from internal sources and external sources, and face threats; threats result in attacks on the assets; attacks add to or exploit vulnerabilities; unintentional compromises also result in harm to the assets.]
Internal Control
Definition of internal control: A process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
Classification of internal controls:
General controls and application controls
Detective, preventive, and corrective controls
Information Security
Definition of information security: Protection of information assets from harm.
Classification of information security measures: Physical and logical security.
Relationship between internal control and information security
Steps taken to protect a system are called measures, or countermeasures. These measures are essentially various types of controls. Thus, security is ensured through the implementation of controls. Specific controls implemented for information security are often referred to as "security controls." The terms security and control are often used as if they were synonyms. General controls often overlap with security measures.
Frameworks for Control and Security: COBIT
COBIT: Control Objectives for Information and related Technology
The framework helps bridge the gap between business risk, control needs, and technical issues.
The framework's approach is process oriented. IT processes are classified into four categories (domains): plan and organise, acquire and implement, deliver and support, and monitor and evaluate.
The framework includes 34 high-level control objectives, which are translated into over 300 detailed objectives.
Control activities support control objectives. Control activities, linked to IT processes, include policies, organizational structures, and practices and procedures.
Frameworks for Control and Security: ISO 17799
Is a standard focused on the protection of information assets.
It is broadly applicable across industries, therefore it is a high-level standard.
It is a general model that follows from Part 1 of British Standard 7799 (BS 7799). (ISO/IEC 17799 was renumbered ISO/IEC 27002 in 2007.)
The standard is organized into ten categories (sections). Each section is divided into subcategories, each of which includes a broad implementation approach (method).
Frameworks for Control and Security: COSO
COSO: The Committee of Sponsoring Organizations
It is an integrated framework of internal controls.
It proposes five components of internal controls. Together, the five components and the relationships among them make a holistic framework of internal controls.
COSO: Components of Internal Control
Risk assessment
Control environment
Control activities
Information and communication
Monitoring
Internal Control and Information Security Objectives
Internal control objectives:
Efficiency of operations
Effectiveness of operations
Reliability of information
Compliance with applicable laws and regulations
Information security objectives:
Information integrity
Message integrity
Confidentiality
User authentication
Nonrepudiation
Systems availability
A Comparison of Internal Control and Information Security Objectives
Columns (objectives of internal controls): Effectiveness of operations | Efficiency of operations | Reliability of information | Compliance with regulations
Rows (objectives of information security), with an X for each internal control objective the security objective supports:
Information integrity: X
Confidentiality: X
User authentication: X X
Non-repudiation: X
Availability: X
Implementing a Framework
[Diagram: A class of transactions is processed by a process; the process has risks, which are to be managed through controls; controls are classified as general (IT general controls and non-IT general controls) or application controls; the design effectiveness and operational effectiveness of the controls impact the risks, and the controls in turn affect the information assets.]
Assurance Considerations
Without a framework, no objectives can be achieved with a high degree of assurance.
A first step toward assurance is to adopt a holistic framework.
Elements of more than one framework can be combined into the framework adopted by an entity, to provide the necessary granularity.
The framework allows for a systematic approach to the design, implementation, and audit of control and security systems.
The business may seek assurance regarding proper implementation of a chosen framework.