
Control and Security Frameworks

Raval • Fichadia John Wiley & Sons, Inc. 2007. Control and Security Frameworks. Chapter Three Prepared by: Raval, Fichadia . Chapter Three Objectives. Understand risks faced by information assets.



Presentation Transcript


  1. Raval • Fichadia John Wiley & Sons, Inc. 2007 Control and Security Frameworks Chapter Three Prepared by: Raval, Fichadia

  2. Chapter Three Objectives • Understand risks faced by information assets. • Comprehend the relationship between risk and asset vulnerabilities, and comprehend the nature and types of threats faced by the asset. • Understand the objectives of control and security of information assets and how these objectives are interrelated. • Understand the building blocks of control and security frameworks for information systems. • Apply a controls framework to a financial accounting system.

  3. Protecting Information Assets • It is necessary to protect information assets, because: • There is a potential for compromises of such assets. • There may be deliberate attacks on the information assets. • There may be unintentional compromises of information assets (errors, accidents, failures). • Systems are subject to regulatory protection requirements.

  4. Vulnerabilities and Threats • Vulnerability: A weakness in the information assets that leads to risk. • Threat: The probability of an attack on the information asset. • Attack: A series of steps taken by an attacker to achieve an unauthorized result. • Threat agent: An entity, typically a person, who triggers a threat. • Countermeasure: An antidote or an action that dilutes the potential impact of a known vulnerability.

  5. Internal Control • Definition of internal control (COSO) • A process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives. • Classification of internal controls • General controls (apply across the IT environment) and application controls (specific to one application) • Preventive controls (stop an error or compromise before it happens), detective controls (find one that has already happened), and corrective controls (undo or repair its effects)
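The preventive / detective / corrective classification is easiest to see on a concrete system, and the chapter objectives ask for a controls framework applied to a financial accounting system. The following is an added example, not code from the Raval and Fichadia text: a toy general-ledger posting routine in which a segregation-of-duties check and a balance check act as preventive controls, a reconciliation that rebuilds balances from the journal acts as a detective control, and a reversing entry acts as a corrective control. The `Ledger` and `Entry` classes, the account names and the amounts are all constructed for illustration.

```python
"""Added example (not from the Raval/Fichadia slides): preventive, detective
and corrective controls on a constructed, deliberately minimal ledger.
Sign convention: a debit adds to an account balance, a credit subtracts."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    ref: str
    preparer: str      # who keyed the entry
    approver: str      # who approved it (must differ from preparer)
    debits: dict       # account -> amount
    credits: dict      # account -> amount


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)
    posted: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)

    def post(self, e: Entry) -> bool:
        """Preventive controls: the entry is rejected before it touches any balance."""
        if sum(e.debits.values()) != sum(e.credits.values()):
            self.audit_log.append(f"REJECT {e.ref}: debits do not equal credits")
            return False
        if e.preparer == e.approver:
            # Segregation of duties: one person must not both create and approve.
            self.audit_log.append(f"REJECT {e.ref}: preparer and approver are the same user")
            return False
        for acct, amt in e.debits.items():
            self.balances[acct] = self.balances.get(acct, 0) + amt
        for acct, amt in e.credits.items():
            self.balances[acct] = self.balances.get(acct, 0) - amt
        self.posted.append(e)
        self.audit_log.append(f"POST {e.ref} by {e.preparer}, approved by {e.approver}")
        return True

    def reconcile(self) -> list:
        """Detective control: rebuild every balance from the posted journal and
        report accounts whose stored balance drifted, e.g. because someone
        edited the balance table directly and bypassed post()."""
        rebuilt = {}
        for e in self.posted:
            for acct, amt in e.debits.items():
                rebuilt[acct] = rebuilt.get(acct, 0) + amt
            for acct, amt in e.credits.items():
                rebuilt[acct] = rebuilt.get(acct, 0) - amt
        accounts = set(rebuilt) | set(self.balances)
        return sorted(a for a in accounts if rebuilt.get(a, 0) != self.balances.get(a, 0))

    def reverse(self, ref: str, approver: str) -> bool:
        """Corrective control: undo a posted entry with an offsetting entry that
        goes through the same preventive checks, instead of editing history."""
        original = next((e for e in self.posted if e.ref == ref), None)
        if original is None:
            return False
        return self.post(Entry(ref=f"{ref}-REV", preparer=original.preparer, approver=approver,
                               debits=dict(original.credits), credits=dict(original.debits)))


if __name__ == "__main__":
    led = Ledger()
    led.post(Entry("J1", "alice", "bob", {"Cash": 500}, {"Sales": 500}))
    led.post(Entry("J2", "alice", "alice", {"Cash": 900}, {"Sales": 900}))   # rejected: SoD
    led.balances["Cash"] += 250                                              # simulated tampering
    print("drifted accounts:", led.reconcile())                              # ['Cash']
    print("\n".join(led.audit_log))
```

Note that the reversal is itself routed through `post()`: a corrective control that bypassed the preventive controls (or the audit log) would weaken the framework it is meant to repair.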

  6. Information Security • Definition of information security • Protection of information assets from harm • Classification of information security measures • Physical and logical security

  7. Relationship between internal control and information security • Steps taken to protect a system are called measures, or countermeasures. • These measures are essentially various types of controls. • Thus, security is ensured through the implementation of controls. • Reference to specific controls implemented for information security is often made as “security controls.” • Terms security and control are often used as if they are synonyms. • General controls often overlap with security measures.

  8. Frameworks for Control and Security • COBIT: Control Objectives for Information and related Technology • The framework helps bridge the gap between business risk, control needs, and technical issues. • The framework’s approach is process oriented. • IT processes are classified into four categories (domains): plan and organize, acquire and implement, deliver and support, and monitor and evaluate. • The framework includes 34 high-level control objectives, which are translated into over 300 detailed objectives. • Control activities support control objectives. • Control activities, linked to IT processes, include policies, organizational structures, and practices and procedures.

  9. Frameworks for Control and Security • ISO 17799 (renumbered ISO/IEC 27002 in 2007) • Is a standard focused on the protection of information assets. • It is broadly applicable across industries, and is therefore a high-level standard. • It is a general model that follows from Part 1 of British Standard 7799 (BS 7799). • The standard is organized into ten categories (sections). • Each section is divided into subcategories, each of which includes a broad implementation approach (method).

  10. Frameworks for Control and Security • COSO: The Committee of Sponsoring Organizations • It is an integrated framework of internal controls. • It proposes five components of internal controls. • Together, the five components and relationships among them make a holistic framework of internal controls.

  11. COSO: Components of Internal Control • Risk assessment • Control environment • Control activities • Information and communication • Monitoring

  12. Internal Control and Information Security Objectives • Internal control objectives • Efficiency of operations • Effectiveness of operations • Reliability of information • Compliance with applicable laws and regulations • Information security objectives • Information integrity • Message integrity • Confidentiality • User authentication • Nonrepudiation • Systems availability
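The security objectives on this slide are listed separately because one mechanism rarely satisfies all of them. The following is an added example, not code from the Raval and Fichadia text, that makes the distinction concrete with Python's standard library: a keyed MAC (HMAC-SHA256) gives message integrity and authenticates the sender to the receiver, but it cannot give nonrepudiation, because the receiver holds the same key and can produce a valid tag for a message the sender never wrote. The key and the messages are constructed for illustration.

```python
"""Added example (not from the Raval/Fichadia slides): which of the slide's
security objectives an HMAC meets, and which it does not."""
import hashlib
import hmac
import secrets


def mac(key: bytes, message: bytes) -> str:
    """Tag a message with HMAC-SHA256; returns the hex digest."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Message integrity + sender authentication for whoever holds `key`.
    compare_digest is constant-time, so the check itself does not leak the tag."""
    return hmac.compare_digest(mac(key, message), tag)


def demo() -> tuple:
    """Returns (intact_ok, tampered_ok, receiver_forgery_ok)."""
    shared_key = secrets.token_bytes(32)   # assumed to be shared between Alice and Bob
    alice_msg = b"transfer 500 from acct 1001 to acct 2002"
    tag = mac(shared_key, alice_msg)

    intact_ok = verify(shared_key, alice_msg, tag)                             # True
    tampered_ok = verify(shared_key, alice_msg.replace(b"500", b"5000"), tag)  # False

    # Nonrepudiation fails: Bob, the receiver, holds the same key, so he can
    # "prove" Alice sent a message she never sent. A third party cannot tell
    # Alice's tags from Bob's; only a signature under a key held by Alice alone
    # (not shown here) would meet that objective.
    bobs_forgery = b"transfer 9999 from acct 1001 to acct 3003"
    receiver_forgery_ok = verify(shared_key, bobs_forgery, mac(shared_key, bobs_forgery))  # True

    return intact_ok, tampered_ok, receiver_forgery_ok


if __name__ == "__main__":
    print(demo())
```

Confidentiality is likewise untouched by a MAC (the message travels in the clear), and availability is not a property of any single message mechanism, which is why a framework treats these as distinct objectives to be mapped to distinct controls.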

  13. A Comparison of Internal Control and Information Security Objectives

  14. Implementing a Framework

  15. Assurance Considerations • Without a framework, no objectives can be achieved with a high degree of assurance. • A first step toward assurance is to adopt a holistic framework. • Elements of more than one framework can be combined into the framework adopted by an entity, to provide necessary granularity. • The framework allows for a systematic approach to the design, implementation, and audit of control and security systems. • The business may seek assurance regarding proper implementation of a chosen framework.
