1. IT Policies, Standards
and Technical Directives
Sarah Cortes, PMP, CISA
www.inmantechnologyIT.com
Sarah’s blog: SecurityWatch
Sarah’s ITtechEx column
twitter: SecuritySpy
LinkedIn: Sarah Cortes
07/19/09 Copyright 2009 Sarah Cortes 1
2. IT Policies, Standards and Technical Directives
Agenda
Who are we?
Purpose?
Standards Frameworks
COBIT Framework
ISACA Framework
Case Study
3. Sarah Cortes, PMP, CISA
Clients:
• Harvard University
• Biogen
• Fidelity
Professional Associations:
• Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature
Practice expertise
• Complex Application Development/Implementation
• IT Security/Privacy/Risk Management/Audit Management
• Data Center Operations Management
• Disaster Recovery/High Availability
• Program/Project Management
Background
• SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
• As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
• Coordinated over 65 audits per year
• Previously ran major applications development for Trading/Analytics Systems
4. IT Policies, Standards and Technical Directives
Standards Overview
ISO/IEC 27000 - International Organization for Standardization/International Electrotechnical Commission
ITIL - Information Technology Infrastructure Library
NIST - National Institute of Standards and Technology
PMBOK - Project Management Body of Knowledge
TOGAF - The Open Group Architecture Framework
CMMI for Development - Capability Maturity Model Integration
SEI's CMM (Capability Maturity Model) for SW - Software Engineering Institute (US DoD)
COBIT - Control Objectives for Information & related Technology (Information Systems Audit and Control Association)
5. IT Policies, Standards and Technical Directives
Is the Purpose to…?
Drive you crazy?
Waste your precious resources in a pointless task that will soon be out of date?
Serve as evidence to be used against you later?
6. IT Policies, Standards and Technical Directives
Could policies help…?
Save you after you have already gotten into trouble?
Attempt, however lamely, to keep you out of trouble?
Prove that, however obvious the trouble is, it is not your fault?
7. IT Policies, Standards and Technical Directives
Calling in the Experts
8. IT Policies, Standards and Technical Directives
Did you know….?
Seven out of ten attacks are from…
9. IT Policies, Standards and Technical Directives
You may be wondering…
Why develop and document IT policies, standards and technical directives?
Is it really worth it? What's in it for me?
Who will pay for the resources thus diverted?
10. IT Policies, Standards and Technical Directives
COBIT Control Objectives - Overview
• PLAN AND ORGANISE - 10
• ACQUIRE AND IMPLEMENT - 7
• DELIVER AND SUPPORT - 13
• MONITOR AND EVALUATE - 4
• Total - 34
11. IT Policies, Standards and Technical Directives
COBIT Control Objectives - PLAN AND ORGANISE
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
12. IT Policies, Standards and Technical Directives
COBIT Control Objectives - ACQUIRE AND IMPLEMENT
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
13. IT Policies, Standards and Technical Directives
COBIT Control Objectives - DELIVER AND SUPPORT
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
14. IT Policies, Standards and Technical Directives
COBIT Control Objectives – MONITOR AND EVALUATE
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
15. IT Policies, Standards and Technical Directives
COBIT Control Objectives – DS5 Ensure Systems Security
DS5.1 Management of IT Security
DS5.2 IT Security Plan
DS5.3 Identity Management
DS5.4 User Account Management
DS5.5 Security Testing, Surveillance and Monitoring
DS5.6 Security Incident Definition
DS5.7 Protection of Security Technology
DS5.8 Cryptographic Key Management
DS5.9 Malicious SW Prevention, Detection, Correction
DS5.10 Network Security
DS5.11 Exchange of Sensitive Data
16. IT Policies, Standards and Technical Directives
ISACA Standards, Guidelines & Procedures
IS Guideline: G18 IT Governance
IS Guideline: G20 Reporting
IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
IS Guideline: G22 Business to Consumer (B2C) E-commerce
IS Guideline: G23 System Development Life Cycle (SDLC)
IS Guideline: G24 Internet Banking
IS Guideline: G25 Review of Virtual Private Networks
IS Guideline: G26 Business Process Reengineering (BPR) Project
IS Guideline: G27 Mobile Computing
IS Guideline: G28 Computer Forensics
IS Guideline: G29 Post Implementation Review
IS Guideline: G30 Competence
IS Guideline: G31 Privacy
IS Guideline: G32 Business Continuity Plan (BCP)-IT Perspective
IS Guideline: G33 General Considerations on the Use of Internet
IS Guideline: G34 Responsibility, Authority and Accountability
IS Guideline: G35 Follow-up Activities
17. IT Policies, Standards and Technical Directives
ISACA Standards, Guidelines & Procedures
IS Guideline: G36 Biometric Controls
IS Guideline: G38 Access Controls
IS Guideline: G39 IT Organization
IS Guideline: G40 Review of Security Management Practices
IS Procedure: P01 IS Risk Assessment Measurement
IS Procedure: P02 Digital Signatures
IS Procedure: P03 Intrusion Detection
IS Procedure: P04 Viruses and Other Malicious Logic
IS Procedure: P05 Control Risk Self-assessment
IS Procedure: P06 Firewalls
IS Procedure: P07 Irregularities and Illegal Acts
IS Procedure: P08 Security-Pen Testing/Vulnerability Analysis
IS Procedure: P09 Management Controls Over Encryption Methodologies
IS Procedure: P10 Business Application Change Control
IS Procedure: P11 Electronic Funds Transfer (EFT)
18. IT Policies, Standards and Technical Directives
Company A Process
Over 50 subsidiaries
Over 30,000 employees worldwide
Over 12,000 employees in Boston area
Over 250 IT Policy categories
Over 500 Technical directives
Periodic Advisory Board Review process
19. IT Policies, Standards and Technical Directives
Company A Issues
Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
A policy begets formal training and training recordkeeping (applications unto themselves)
20. IT Policies, Standards and Technical Directives
Company A Issues
“Required,” “Recommended,” or “Highly Recommended?” (the shell game)
Need to self-assess at the policy element level (a/k/a your new full-time job)