
Computer Security Management



  1. Computer Security Management
     Session 1: How IT Affects Risks and Assurance
     EECS 4482 2017 David C. Chan

  2. David Chan
     David.c.chan@ontario.ca

  3. What We Will Cover
     • Nature, types and use of information
     • System assurance criteria
     • System assurance responsibilities
     • System components
     • Types of systems

  4. Information Ownership and Classification
     • Each information system and the information it holds should be assigned to a senior manager to own.
     • The owner is accountable for information reliability, including classifying information based on risk and affording it the respective protection.

  5. Information Assurance
     • “Information assurance is the bedrock upon which enterprise decision-making is built. Without assurance, enterprises cannot feel certain that the information upon which they base their mission-critical decisions is reliable, confidential, secure and available when needed.” – Information Systems Audit and Control Association (ISACA)

  6. System Assurance Criteria
     • Completeness
     • Authorization
     • Accuracy
     • Timeliness
     • Occurrence

  7. Completeness
     • All transactions are recorded.
     • Financial information and reports are complete.
     • Customer statements are complete.
     • Management information is complete.
     • Statutory reports are complete.
     • Applies to input, processing and output.

  8. Authorization
     • Only authorized transactions are processed.
     • Reports are produced only for authorized users.
     • Proper authorization for access to information, to ensure integrity and confidentiality.

  9. Accuracy
     • Transactions are recorded accurately.
     • Reports are accurate.
     • Information in storage is maintained and checked regularly to ensure accuracy.

  10. Timeliness
     • Transactions are recorded on a timely basis.
     • Reports are current.
     • Information in storage is regularly checked for currency.

  11. Occurrence
     • Only real transactions are recorded.
     • Accounting balances reflect real assets, liabilities and equity.
     • Underlying assumptions can realistically occur, e.g., valuation.
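Slides 6 to 11 state the five assurance criteria but not how they turn into controls. The following added example (written for this transcript, not taken from the course material) runs a constructed batch of sales transactions through one detective check per criterion: a sequence-number gap check for completeness, an approver allow-list for authorization, a line-item-to-total reconciliation for accuracy, a posting-lag limit for timeliness, and a master-file lookup for occurrence. The approver lists, customer master file, two-day lag limit and sample transactions are all invented for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed reference data (assumptions for this example, not from the slides).
AUTHORIZED_APPROVERS = {"sales": {"alice", "bob"}, "refund": {"carol"}}
KNOWN_CUSTOMERS = {"C001", "C002", "C003"}
MAX_POSTING_LAG = timedelta(days=2)


@dataclass
class Transaction:
    seq: int            # sequence number assigned at input
    kind: str           # "sales" or "refund"
    customer: str       # customer id, should exist in the master file
    approved_by: str    # user who authorized the transaction
    lines: list         # line-item amounts
    total: float        # total recorded on the transaction
    tx_date: date       # date the transaction occurred
    posted: date        # date it was recorded in the ledger


# Constructed sample batch; sequence 3 is deliberately absent.
SAMPLE_BATCH = [
    Transaction(1, "sales", "C001", "alice", [40.0, 60.0], 100.0, date(2017, 9, 11), date(2017, 9, 11)),
    Transaction(2, "refund", "C002", "carol", [25.0], 25.0, date(2017, 9, 11), date(2017, 9, 12)),
    Transaction(4, "sales", "C003", "dave", [10.0], 10.0, date(2017, 9, 12), date(2017, 9, 12)),
    Transaction(5, "sales", "C001", "bob", [50.0, 50.0], 120.0, date(2017, 9, 12), date(2017, 9, 13)),
    Transaction(6, "sales", "C002", "alice", [30.0], 30.0, date(2017, 9, 12), date(2017, 9, 17)),
    Transaction(7, "sales", "C999", "alice", [15.0], 15.0, date(2017, 9, 13), date(2017, 9, 13)),
]


def check_completeness(batch):
    """Completeness: every sequence number between the first and last is present."""
    seqs = sorted(t.seq for t in batch)
    expected = set(range(seqs[0], seqs[-1] + 1)) if seqs else set()
    return [f"missing sequence number {s}" for s in sorted(expected - set(seqs))]


def check_authorization(batch):
    """Authorization: the approver must be on the allow-list for that transaction kind."""
    return [f"seq {t.seq}: {t.approved_by!r} may not approve {t.kind}"
            for t in batch
            if t.approved_by not in AUTHORIZED_APPROVERS.get(t.kind, set())]


def check_accuracy(batch):
    """Accuracy: the recorded total must equal the sum of the line items."""
    return [f"seq {t.seq}: line items sum to {sum(t.lines):.2f}, total recorded as {t.total:.2f}"
            for t in batch if abs(sum(t.lines) - t.total) > 0.005]


def check_timeliness(batch):
    """Timeliness: posting must happen within MAX_POSTING_LAG of the transaction date."""
    return [f"seq {t.seq}: posted {(t.posted - t.tx_date).days} days after the transaction"
            for t in batch if t.posted - t.tx_date > MAX_POSTING_LAG]


def check_occurrence(batch):
    """Occurrence: the counterparty must exist and the amount must be a real, positive value."""
    findings = []
    for t in batch:
        if t.customer not in KNOWN_CUSTOMERS:
            findings.append(f"seq {t.seq}: customer {t.customer} not in master file")
        if t.total <= 0:
            findings.append(f"seq {t.seq}: non-positive total {t.total:.2f}")
    return findings


def assess(batch):
    """Run every criterion and return a dict of criterion -> list of exception messages."""
    return {
        "completeness": check_completeness(batch),
        "authorization": check_authorization(batch),
        "accuracy": check_accuracy(batch),
        "timeliness": check_timeliness(batch),
        "occurrence": check_occurrence(batch),
    }


if __name__ == "__main__":
    for criterion, findings in assess(SAMPLE_BATCH).items():
        status = "OK" if not findings else f"{len(findings)} exception(s)"
        print(f"{criterion:14s} {status}")
        for f in findings:
            print(f"    {f}")
```

Each check is a detective control: it does not stop the transaction but produces the exception list that slide 23 asks users to report to management. In practice the same five checks would run against input (the batch), processing (the posted ledger) and output (the reports derived from it), which is what slide 7 means by "applies to input, processing and output".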

  12. Components of a System
     • Infrastructure
     • Software
     • People
     • Procedures
     • Information

  13. IT Infrastructure
     • Network
     • Hardware
     • Real estate

  14. Software
     • System software, e.g., operating system, database management system.
     • Application software.

  15. People
     • Management
     • Systems developers (analysts and programmers)
     • Systems administrators who control servers and workstations.
     • Systems operations staff.
     • Users

  16. IT Organization
     • Chief Information Officer
     • Systems development and maintenance
     • System operations
     • Quality assurance – may be part of systems development in a small organization.
     • Security – may be part of operations in a small organization.

  17. Information System Roles and Responsibilities
     • Chief information officer (CIO) – Oversees all uses of IT and ensures the strategic alignment of IT with business goals and objectives.
     • Chief knowledge officer (CKO) – Responsible for collecting, maintaining, and distributing the organization’s knowledge.
     • Chief privacy officer (CPO) – Responsible for ensuring the ethical and legal use of information.

  18. Information Systems Roles and Responsibilities (Learning Outcomes 1-2)
     • Chief security officer (CSO) – Responsible for ensuring the safety of IT resources including data, hardware, software, and people.
     • Chief technology officer (CTO) – Responsible for ensuring the throughput, speed, accuracy, availability, and reliability of IT.

  19. Information Security Functions
     • Risk assessment (Session 2)
     • Policies and procedures development (Session 3)
     • Security education (Session 9)
     • Security design (Session 6)
     • Authentication and authorization assurance (Sessions 9 and 10)

  20. Information Security Functions (continued)
     • Compliance monitoring (Session 9)
     • Intrusion prevention and detection (Session 9)
     • Vulnerability management (Session 9)
     • Disaster recovery (Session 3)
     • Forensics (Session 8)

  21. Management Responsibilities
     • Management includes executives and managers in business functions and corporate functions (such as the chief financial officer).
     • Define information requirements.
     • Assess the significance of information.
     • Take ownership of business and functional systems, such as an enterprise resource planning system.

  22. Management Responsibilities (continued)
     • Design and implement internal controls (using staff who are control experts).
     • Review system information for reliability.
     • Define system reliability criteria in relation to business requirements.
     • Provide information assurance to senior executives.

  23. User Responsibilities
     • Control information under their custody in accordance with corporate policy and procedures.
     • Inform management of irregularities and exceptions.
     • Use information systems only for corporate purposes.

  24. Procedures
     • System operations procedures
     • User procedures

  25. Information Ownership and Classification
     • Each information system and the information it holds should be assigned to a senior manager to own.
     • The owner is accountable for information reliability, including classifying information based on risk and affording it the respective protection.

  26. Management Checklist
     • Assign business executives to own information systems and infrastructure.
     • Establish corporate policies and standards for information risk assessment.
     • Establish a process for periodic risk assessment, internal control formulation and internal control reporting to senior management and the board of directors.

  27. Management Checklist (continued)
     • Involve the board of directors in IT governance and ensure this is addressed at least twice a year in board meetings.
     • Establish a policy on the use of I & IT in the organization with respect to how to use IT as a business enabler and the approval process for IT investment.

  28. Management Checklist (continued)
     • Develop an IT strategy congruent with the business strategy. The IT strategy should consider the applicability of new technology.
     • Develop a process to continuously assess the cost effectiveness of IT applications.
     • Ensure that the job description and performance contract of each executive includes the appropriate I & IT assurance accountability.

  29. Management Checklist (continued)
     • Establish an IT steering committee consisting of a cross section of senior executives, including the CIO, to carry out IT governance.
