The presentation I use to introduce the post-grad module on information security and governance I teach at Edinburgh Napier University. If you want to find out more, google for 'INF11109' on the napier.ac.uk site.

1. Security Audit & Compliance
Subject overview
Security Audit & Compliance
Peter Cruickshank

2. • Scope and context
• What do we mean by security
• Topics we will cover
Overview
• The aim is to let you see the scope
• And to get you familiar with the concepts and issues
2SAC

3. Stereotype 1
3SAC

4. Stereotype 2
4SAC

5. The aim of this course
Mutual
understanding
Mutual
understanding
TechiesTechies ManagersManagers
5SAC

6. THE SCOPE OF THE
INFORMATION SYSTEM
6SAC

7. Six components of an information system
7SAC
Procedures
People
Data
Applications
Networks
Hardware
?

8. Another view:
8SAC
Computing
system
Computing
system
Computing
environment
Computing
environment
Application
environment
Application
environment
Socio-
economic
environment
Socio-
economic
environment

9. IS in context: Application Environment
• Growing business dependence on IS/IT
• Development of general purpose rather than dedicated
applications
– Build using common toolsets.
– Less variety in structure & design
• Large scale integration of data sets
• Computer to computer transactions
• Autonomous trading systems
9SAC

10. IS in context: Computing Environment
• Growth in the power and availability of technology
• Rapid spread of data communications networks
• Development of powerful databases and search engines
• High degree of component commonality
10SAC

11. IS in context: Socio-economic-legal
• Increasing computer fraud
• Concerns about privacy
• Greater public knowledge of computing
• Rising globalisation of trade
• Introduction of specific laws to control the use of IT
• Public policy v personal preference?
11SAC

12. The scope of this course:
(Business) Computer and Information Systems
The scope of this course:
(Business) Computer and Information Systems
• That is: we’re taking the viewpoint of an organisation and its
management
– Could be government, public sector or NGO
• Issues around consumers or individual citizen rights are not central
to what we cover
• …nor is the role of ‘national security’ in setting the computer
environment
…though these are interesting and important in their own right
12SAC

13. WHAT IS SECURITY
13SAC

14. What is security?
Mordac the preventer of information
14SAC
© Dilbert.com

15. What is security?
“ If we make security trade-offs based on the feeling of security rather than the reality,
we choose security that makes us feel more secure over security that actually
makes us more secure. And that’s what governments, companies, family members,
and everyone else provide. Of course, there are two ways to make people feel more
secure.
1. The first is to make people actually more secure, and hope they notice.
2. The second is to make people feel more secure without making them actually
more secure, and hope they don’t notice.
The key here is whether we notice. The feeling and reality of security tend to
converge when we take notice, and diverge when we don’t. People notice when 1)
there are enough positive and negative examples to draw a conclusion, and 2) there
isn’t too much emotion clouding the issue.
The feeling and the reality of security Schneier 2008
“ If we make security trade-offs based on the feeling of security rather than the reality,
we choose security that makes us feel more secure over security that actually
makes us more secure. And that’s what governments, companies, family members,
and everyone else provide. Of course, there are two ways to make people feel more
secure.
1. The first is to make people actually more secure, and hope they notice.
2. The second is to make people feel more secure without making them actually
more secure, and hope they don’t notice.
The key here is whether we notice. The feeling and reality of security tend to
converge when we take notice, and diverge when we don’t. People notice when 1)
there are enough positive and negative examples to draw a conclusion, and 2) there
isn’t too much emotion clouding the issue.
The feeling and the reality of security Schneier 2008
15SAC

16. 16SAC
…Watch for Security theatre
that iS…

17. Security
• Complex passwords are
secure
• Encryption protects assets
Access
• Complex passwords prevent
access
• Encryption slows things down
17SAC
The security balance
• Technology is not enough
• Controls often conflict with usability and business objectives
Risk

18. The security balance 2
18SAC
Effectiveness
Level of technical security
Too complex
to work
Optimum balance
Too risky

19. What is security?
Information security as…
• Security as an engineering discipline
• Subject to systems thinkingScienceScience
• When things get complicated, it gets to much to plan
• The security manager is left to judge the best way(s)
forward
ArtArt
• People interact with systems: users need to do things
• Behavioural aspects of organisations and change
management
Social
science
Social
science
19SAC

20. What is security?
Example of making a business secure
Schneier’s three steps
to improved security:
1. Enforce liabilities
2. Allow liabilities to be
transferred
3. Outsource security
“Network security is a business
problem, and the only way to fix it
is to concentrate on the business
issues…
I have a three-step program
towards improving computer and
network security. None of the
steps has anything to do with the
technology; they all have to do
with businesses, economics, and
people.”
Liability & Security
in Schneier (2008)
“Network security is a business
problem, and the only way to fix it
is to concentrate on the business
issues…
I have a three-step program
towards improving computer and
network security. None of the
steps has anything to do with the
technology; they all have to do
with businesses, economics, and
people.”
Liability & Security
in Schneier (2008)
20SAC

21. Security in business: Concept map
Business
model
Raval & Fichadia 2007, Ch 1
Control &
Security
Manage-
ment
Structure
Process
Inform-
ation
Is comprised of
Warrant actions for
by
21SAC

22. CORE TOPICS

23. Information Security Attributes
• Protecting privacyConfidentiality
• Protection from accidental or deliberate
(malicious) modificationIntegrity
• …for legitimate users
• Prevention of DoS attacks etcAvailability
• who are you – supports non-deniabilityAuthentication
• what can you do?Authorization
• Effective auditing and logging is the key to
non-repudiationAuditing
23SAC

24. Business requirements in COBIT
• Relevant and pertinent
• Timely, correct, consistentEffectiveness
• Productive and economicalEfficiency
• No unauthorised disclosureConfidentiality
• Protection from accidental or malicious modification
• Accurate, complete, validIntegrity
• …for legitimate users
• Prevention of DoS attacks etcAvailability
• Appropriate information to support management
decisionsReliability
24SAC
COBIT 4.1

25. Secure Computing
• A computing regime under which
information may be stored and
processed:
– To defined standards of confidentiality, integrity
and availability.
– To an assessable level of assurance
Security is not a commodity
Security is a state of being!
Security is not a commodity
Security is a state of being!
26SAC

26. RELATED TOPICS
27SAC

27. Another theme
GovernanceGovernance
Risk
Management
Risk
Management
ComplianceCompliance
28SAC

28. Governance frameworks
• From the state: Legal
– Privacy Laws
– Property legislation – computers, IPR etc
• Sources of law
– National
– European
– USA
• Standards
– Security Criteria
– Published Standards
29SAC

29. Ethics
• Computing poses a new environment for
ethical consideration
• Who decides the ethical aspects?
– Computer Professionals
– Leaders of Commerce & Industry
– Computer Users
– Citizens
• What happens when different values collide?
30SAC

30. Governance: Privacy
• Holding of data relating to people
• Aggregation of personal data
– Data matching
– Marketing of data
– Universal Identifiers
• Enforcement of fair practice
• Need for a legal context
– Local
– Global
• Interacts with individuals’ expression of their identity online
32SAC

31. Governance: Fraud & Abuse
• Corrupting information
• Damage and disruption
• Threats to the person
• Theft of property and services
• Financial crime
33SAC

32. Managing threats and vulnerabilities
ThreatThreat
Potential
event that can
adversely
affect an
asset
Potential
event that can
adversely
affect an
asset
AttackAttack
A successful
attack
exploits
vulnerabilities
in your
system
A successful
attack
exploits
vulnerabilities
in your
system
RiskRisk
Likelihood
and impact of
that threat
occurring
Likelihood
and impact of
that threat
occurring
35SAC

33. Security management
36SAC
Implemented throughImplemented through
Practices Procedures Guidelines
StandardsStandards
Built on sound policy Carry the weight of policy
PoliciesPolicies
Sanctioned by senior management

34. Incident response and business continuity
Impact
Analysis
• Accept
• Mitigate
Impact
Analysis
• Accept
• Mitigate
Response
planning
• Detection
• Reaction
• Recovery
Response
planning
• Detection
• Reaction
• Recovery
Disaster
recovery
planning
• Crisis
management
• Operations
recovery
Disaster
recovery
planning
• Crisis
management
• Operations
recovery
Business
continuity
planning
• Strategies
• Planning
• Management
Business
continuity
planning
• Strategies
• Planning
• Management
37SAC
An extension of risk management
Whitman & Mattord p212

35. System design principles
• Authorisation
– Rule driven controls
• Least Privilege
– Need to Know principle
• Separation of duty
– No individuals in complete control
• Redundancy
– To allow graceful degradation
38SAC

36. 39SAC
Controls

37. Controls
• Control activities are:
– actions, supported by policies and procedures that,
• when carried out properly and in a timely manner,
–manage or reduce risks.
40SAC

38. Controls
Prevent Controls
• Preventive controls attempt to
deter or prevent undesirable
events from occurring.
• They are proactive controls
that help to prevent a loss.
• Examples of preventive
controls are separation of
duties, proper authorization,
adequate documentation, and
physical control over assets.
Detect Controls
• Detective controls, on the other
hand, attempt to detect
undesirable acts.
• They provide evidence that a
loss has occurred but do not
prevent a loss from occurring.
• Examples of detective controls
are reviews, analyses,
variance analyses,
reconciliations, physical
inventories, and audits.
41SAC

39. Controls
• Both types of controls are essential to an effective internal control
system.
• From a quality standpoint, preventive controls are essential because
they are proactive and emphasize quality.
• However, detective controls play a critical role providing evidence that
the preventive controls are functioning and preventing losses
42SAC

40. Final thought
47SAC
http://xkcd.com/936/