Security Governance Framework
• IT security governance is the system by which an organization directs and controls IT security
(adapted from ISO 38500).
• IT security governance should not be confused with IT security management. IT security
management is concerned with making decisions to mitigate risks; governance determines
who is authorized to make decisions.
• Governance specifies the accountability framework and provides oversight to ensure that
risks are adequately mitigated, while management ensures that controls are implemented to
mitigate risks.
• Governance ensures that security strategies are aligned with business objectives and
consistent with regulations.
The five general governance areas:
• Govern the operations of the organization and protect its critical assets
• Protect the organization's market share and stock price (perhaps not appropriate for
education)
• Govern the conduct of employees (educational AUP and other policies that may apply to use
of technology resources, data handling, etc.)
• Protect the reputation of the organization
• Ensure compliance requirements are met
Security Governance Frameworks:
• Three major frameworks:
• COSO (Committee of Sponsoring Organizations of the Treadway Commission)
• COBIT (Control Objectives for Information and Related Technology)
• ITIL (Information Technology Infrastructure Library)
Committee of Sponsoring Organizations of the Treadway Commission (COSO):
• In 1985, the Committee of Sponsoring Organizations of the Treadway Commission (COSO)
developed a model for evaluating internal controls.
• This model has been adopted as the generally accepted framework for internal control.
• It is widely recognized as the definitive standard against which organizations measure the
effectiveness of their systems of internal control.
• Internal Control: Internal controls are the mechanisms, rules, and procedures implemented
by a company to ensure the integrity of financial and accounting information, promote
accountability, and prevent fraud.
• The updated COSO framework, which supersedes the original 1992 framework, now explicitly
states its principles rather than simply implying them, making it easier for companies to
apply them.
• These concepts show the relationship between people and process: effective control defines
the principles and the means by which to implement them.
• Internal control is a process, not a one-time activity.
• Internal control is affected by people; it must be adopted throughout the organization and is
not simply a policy document that gets filed away.
• Internal control can provide only reasonable assurance. A control cannot ensure success.
• Internal controls are designed for the achievement of business objectives.
Control Environment
• Exercise integrity and ethical values.
• Make a commitment to competence.
• Use the board of directors and audit committee.
• Facilitate management’s philosophy and operating style.
• Create organizational structure.
• Issue assignment of authority and responsibility.
• Utilize human resources policies and procedures.
Risk Assessment
• Create companywide objectives.
• Incorporate process-level objectives.
• Perform risk identification and analysis.
• Manage change.
Control Activities
• Follow policies and procedures.
• Improve security (application and network).
• Conduct application change management.
• Plan business continuity/backups.
• Perform outsourcing.
Information and Communication
• Measure quality of information.
• Measure effectiveness of communication.
Monitoring
• Perform ongoing monitoring.
• Conduct separate evaluations.
• Report deficiencies.
COBIT (Control Objectives for Information and Related Technology):
• A framework created by ISACA (Information Systems Audit and Control Association) for IT
governance and management.
• Supports managers and allows balancing technical issues, business risks and control
requirements.
• Ensures quality, control and reliability of information systems in an organization.
• Provides various maturity models and metrics that measure achievement while identifying
the associated business responsibilities of IT processes.
• Main focus on four specific domains:
• Planning and Organization
• Delivery and Support
• Acquisition and Implementation
• Monitoring and Evaluation
• Used by organizations whose primary responsibilities are business processes and related
technologies.
• Helps make IT processes considerably more sensible and well structured.
• Helps organize the objectives of IT governance and bring best practices into IT processes and
domains, while linking them to business requirements.
• Used by government and federal departments as well as private commercial organizations.
Components of COBIT:
Control objectives:
Provide a complete list of requirements that have been considered by management for
effective IT business control.
Process descriptions:
Act as a common language for every individual in the organization.
Include planning, building, running and monitoring of all IT processes.
Maturity models:
Assess the maturity and capability of every process while addressing the gaps.
Management guidelines:
Help assign responsibilities, measure performance, agree on common objectives and
illustrate the interrelationships with every other process.
Domains and processes of COBIT:
Plan and Organize (PO): The Planning and Organization domain covers the use of information
and technology and how it can best be used in a company to help achieve the company's goals
and objectives.
Acquire and Implement (AI): Covers identifying IT requirements, acquiring the technology, and
implementing it within the company's current business processes.
Delivery and Support (DS): Focuses on the delivery aspects of the information technology.
Monitor and Evaluate (ME): The Monitoring and Evaluation domain deals with a company's strategy
for assessing the needs of the company, whether the current IT system still meets the
objectives for which it was designed, and the controls necessary to comply with regulatory
requirements.
COBIT maturity model levels:
Level 0 - Non-existent
• The process does not exist at all.
Level 1 - Initial/Ad Hoc
• No standardized processes are in place.
Level 2 - Repeatable but Intuitive
• Procedures are followed, but there is still a high degree of reliance on the knowledge of
individuals.
Level 3 - Defined Process
• Procedures are standardized but not yet sophisticated enough.
Level 4 - Managed and Measurable
• Compliance with required procedures is measured and significant errors are detected.
Level 5 - Optimized
• Processes have been refined to a level of good practice, and variances are continually
reduced.
ITIL (Information Technology Infrastructure Library):
• ITIL security management is based on the ISO 27001 standard. ISO/IEC 27001:2005 covers
all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit
organizations).
• The primary objective of the ITIL Information Security Management process (ITIL ISM) is to
align IT security with business security and ensure that information security is effectively
managed in all service and IT Service Management activities.
• It also ensures the confidentiality, integrity, availability, and role-based accessibility of an
organization’s assets, information, data and IT Services are maintained.
• Service Strategy: The Service Strategy phase of the Service Lifecycle provides guidance on
how to design, develop, and implement IT Service Management.
• Service Design: The Service Design phase of the Service Lifecycle provides guidance on how
to design and develop services and IT Service Management processes that will support the
service strategies already developed.
• Service Transition: The Service Transition phase of the Service Lifecycle teaches IT
professionals and their business associates to manage changes in a productive manner.
• Service Operation: The Service Operation phase of the Service Lifecycle provides guidance
on the practical aspects of day-to-day business operations. The goal is for the IT department
to keep things running smoothly, reliably, efficiently and cost-effectively.
• Continual Service Improvement: Even if nothing changes in an organization, there is always
room for development and improvement in IT services. Continual assessment is the key to
understanding where improvements can be made.
ISO:
ISO 27001:
"… This International Standard has been prepared to provide a model for establishing,
implementing, operating, monitoring, reviewing, maintaining and improving an Information
Security Management System (ISMS) …"
"… The design and implementation of an organization's ISMS is influenced by their needs and
objectives, security requirements, the processes employed and the size and structure of the
organization.
These and their supporting systems are expected to change over time.
It is expected that an ISMS implementation will be scaled in accordance with the needs of the
organization …"
Differences from other security standards:
PCI DSS (Payment Card Industry Data Security Standard)
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and
enhance cardholder data security and facilitate the broad adoption of consistent data
security measures globally. PCI DSS provides a baseline of technical and operational
requirements designed to protect cardholder data. …
11.4 Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic
at the perimeter of the cardholder data environment as well as at critical points inside the
cardholder data environment, and alert personnel to suspected compromises.
Keep all intrusion-detection and prevention engines, baselines, and signatures up to date.
Supporting ISO 27x Standards:
NIST:
CIS benchmarks:
• The Center for Internet Security is a nonprofit entity whose mission is to 'identify, develop,
validate, promote, and sustain best practice solutions for cyber defense.'
• It draws on the expertise of cybersecurity and IT professionals from government, business,
and academia from around the world. To develop standards and best practices, including CIS
benchmarks, controls, and hardened images, they follow a consensus decision-making
model.
• CIS benchmarks are configuration baselines and best practices for securely configuring a
system. Each of the guidance recommendations references one or more CIS controls that
were developed to help organizations improve their cyberdefense capabilities.
CIS benchmarks provide two levels of security settings:
• Level 1 recommends essential basic security requirements that can be configured on any
system and should cause little or no interruption of service or reduced functionality.
• Level 2 recommends security settings for environments requiring greater security that could
result in some reduced functionality.
NSA (National Security Agency)
• The National Security Agency (NSA) is a national-level intelligence agency of the United
States Department of Defense, under the authority of the Director of National Intelligence.
• The NSA is responsible for global monitoring, collection, and processing of information and
data for foreign and domestic intelligence and counterintelligence purposes, specializing in a
discipline known as signals intelligence (SIGINT).
• The NSA is also tasked with the protection of U.S. communications networks and
information systems.
DISA (Defense Information Systems Agency)
• The Defense Information Systems Agency (DISA), known as the Defense Communications
Agency (DCA) until 1991, is a United States Department of Defense (DoD) combat support
agency composed of military, federal civilians, and contractors.
• DISA provides information technology (IT) and communications support to the President,
Vice President, Secretary of Defense, the military services, the combatant commands, and
any individual or system contributing to the defense of the United States.
SANS (SysAdmin, Audit, Network and Security)
• The SANS Institute (officially the Escal Institute of Advanced Technologies) is a private U.S.
for-profit company founded in 1989 that specializes in information security, cybersecurity
training, and selling certificates.
• Topics available for training include cyber and network defenses, penetration testing,
incident response, digital forensics, and auditing.
• The information security courses are developed through a consensus process involving
administrators, security managers, and information security professionals.
• The courses cover security fundamentals and technical aspects of information security. The
institute has been recognized for its training programs and certification programs.
ISACA (Information Systems Audit and Control Association)
• ISACA is an international professional association focused on IT governance.
• ISACA originated in the United States in 1967, when a group of individuals working on auditing controls in
computer systems became increasingly critical of the operations of their organizations.
They identified a need for a centralized source of information and guidance in the field. In 1969,
Stuart Tyrnauer, an employee of the (later) Douglas Aircraft Company, incorporated the group as the
EDP Auditors Association (EDPAA).
• Tyrnauer served as the body's founding chairman for the first three years. In 1976 the association
formed an education foundation to undertake large-scale research efforts to expand the knowledge
of and value accorded to the fields of governance and control of information technology.
• The association became the Information Systems Audit and Control Association in 1994.
• By 2008 the organization had dropped its long title and branded itself as ISACA.
• In March 2016, ISACA acquired the CMMI Institute, which is behind the Capability Maturity Model
Integration.
• In January 2020, ISACA refreshed its look and digital presence, introducing a new logo.
IEEE Standards: IEEE standardization activity covers the network and information security space,
including anti-malware technology, encryption, fixed and removable storage devices and hardcopy
devices, as well as the application of these technologies in grid computing.
ISO 17799: ISO/IEC 17799:2005 establishes guidelines and general principles for initiating, implementing,
maintaining and improving information security management in an organization.
ISO 17799 – 10 domains