
Social Networking Session - Rob Hanson



Page 1: Social Networking Session - Rob Hanson


Australian Crime Commission

THE ART OF DIS-CONNECTING, SOCIAL NETWORKING RISK MANAGEMENT

ISACA Perth Chapter, 13 October 2011

http://www.youtube.com/watch?v=8iQLkt5CG8I


Page 2: Social Networking Session - Rob Hanson


ENISA Ad-hoc Working Group on Risk Assessment and Risk Management

Lewis Carroll's Through the Looking-Glass (1872)

“When I use a word,”

Humpty Dumpty said, in rather a scornful tone,

“it means just what I choose it to mean—

neither more nor less.”

Page 3: Social Networking Session - Rob Hanson


ISACA: Social Media Audit/Assurance Program

Social Media

“Social media” is defined as using Internet-based applications or broadcast capabilities to disseminate and/or collaborate on information. This is different than traditional advertising and marketing channels due to the populist nature of social media, in which anyone with an Internet-attached device can, with near anonymity and without accountability, participate in public or private information or disinformation sharing, depending on access privileges to a social media web site.

Current social media tools include:

Blogs (e.g., WordPress, Drupal™, TypePad®)
Microblogs (e.g., Twitter, Tumblr)
Instant messaging (e.g., AOL Instant Messenger [AIM™], Microsoft® Windows Live Messenger)
Online communication systems (e.g., Skype™)
Image and video sharing sites (e.g., Flickr®, YouTube)
Social networking sites (e.g., Facebook, MySpace)
Professional networking sites (e.g., LinkedIn, Plaxo)
Online communities that may be sponsored by the company itself (Similac.com, “Open” by American Express)
Online collaboration sites (e.g., Huddle)

The common link is that all of the tools are implemented and managed by individuals.

These technologies can also be hacked, hijacked and leveraged by unscrupulous individuals.

Page 4: Social Networking Session - Rob Hanson


HB 158-2010 Delivering assurance based on ISO 31000:2009 - Risk management - Principles and guidelines

ISACA: IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control (figure 2)

Figure 2—Maturity Model for Internal Control

Maturity Level 0: Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1: Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2: Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3: Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4: Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity Level 5: Optimized
Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.

Page 5: Social Networking Session - Rob Hanson


Australian Government Protective Security Policy Framework V1.2 (January 2011), Protective Security Policy Branch, Attorney General’s Department

Agencies MUST adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management.

HB 167:2006 Security risk management

‘Security risk management is really a special application that should fit within an organisation’s established risk management framework.

It introduces a new element, the concept of someone deliberately introducing an exposure to potential harm and seeking actively to bypass controls in place.

However, the similarities between organisational and security risk management far outweigh any differences.’

© ACC 2010


Page 6: Social Networking Session - Rob Hanson


Australian Government Protective Security Manual

Threat intent = the optimism a threat agent has about successfully attacking a target

Threat capability = the force a threat agent can bring to bear on a target

Page 7: Social Networking Session - Rob Hanson


Page 8: Social Networking Session - Rob Hanson


Category: Mobile computing and teleworking
Objective: To ensure information security when using mobile computing and teleworking facilities.
Controls:
A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities.
A policy, operational plans and procedures shall be developed and implemented for teleworking activities.

Category: Security requirements of information systems
Objective: To ensure that security is an integral part of information systems.
Control: Statements of business requirements for new information systems, or enhancements to existing information systems, shall specify the requirements for security controls.

Location/usage matrix (figure on slide): Home/Home, Work/Home, Home/Work, Work/Work

ENISA: Online as soon as it happens

Page 9: Social Networking Session - Rob Hanson


Category: Management of information security incidents and improvements
Objective: To ensure a consistent and effective approach is applied to the management of information security incidents.
Controls:
Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information security incidents.
There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and monitored.
Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s).

Category: Compliance with legal requirements
Control: Identification of applicable legislation
All relevant statutory, regulatory and contractual requirements and the organization’s approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization.


Page 10: Social Networking Session - Rob Hanson


Page 11: Social Networking Session - Rob Hanson


Page 12: Social Networking Session - Rob Hanson


The Australian Government Performance Reference Model (PRM) is part of the Australian Government Architecture Reference Models, which are themselves based on the US Government’s Federal Enterprise Architecture Framework.

See also: http://en.wikipedia.org/wiki/Federal_Enterprise_Architecture

Page 13: Social Networking Session - Rob Hanson


HB 254-2005 Governance, risk management and control assurance