Security Audit & Compliance: subject overview
Peter Cruickshank
Overview
• Scope and context
• What do we mean by security
• Topics we will cover
• The aim is to let you see the scope
• And to get you familiar with the concepts and issues
2SAC
Stereotype 1
Stereotype 2
The aim of this course: mutual understanding between techies and managers
THE SCOPE OF THE INFORMATION SYSTEM
Six components of an information system
• Procedures
• People
• Data
• Applications
• Networks
• Hardware
Another view: the IS in its successive contexts
• Computing system
• Computing environment
• Application environment
• Socio-economic environment
IS in context: Application Environment
• Growing business dependence on IS/IT
• Development of general purpose rather than dedicated
applications
– Build using common toolsets.
– Less variety in structure & design
• Large scale integration of data sets
• Computer to computer transactions
• Autonomous trading systems
IS in context: Computing Environment
• Growth in the power and availability of technology
• Rapid spread of data communications networks
• Development of powerful databases and search engines
• High degree of component commonality
IS in context: Socio-economic-legal
• Increasing computer fraud
• Concerns about privacy
• Greater public knowledge of computing
• Rising globalisation of trade
• Introduction of specific laws to control the use of IT
• Public policy v personal preference?
The scope of this course: (Business) Computer and Information Systems
• That is: we’re taking the viewpoint of an organisation and its
management
– Could be government, public sector or NGO
• Issues around consumers or individual citizen rights are not central
to what we cover
• …nor is the role of ‘national security’ in setting the computer
environment
…though these are interesting and important in their own right
WHAT IS SECURITY
What is security?
Mordac the preventer of information (Dilbert cartoon, © Dilbert.com)
What is security?
“If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure.
1. The first is to make people actually more secure, and hope they notice.
2. The second is to make people feel more secure without making them actually more secure, and hope they don’t notice.
The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.”
Schneier (2008), The feeling and the reality of security
…Watch for security theatre, that is…
Security:
• Complex passwords are secure
• Encryption protects assets
Access:
• Complex passwords prevent access
• Encryption slows things down
The security balance
• Technology is not enough
• Controls often conflict with usability and business objectives
The security balance 2 (chart: effectiveness and risk plotted against the level of technical security; too risky at the low end, too complex to work at the high end, with the optimum balance between them)
What is security? Information security as…
• Science: security as an engineering discipline, subject to systems thinking
• Art: when things get complicated, it gets too much to plan; the security manager is left to judge the best way(s) forward
• Social science: people interact with systems (users need to do things); behavioural aspects of organisations and change management
What is security? Example of making a business secure
Schneier’s three steps to improved security:
1. Enforce liabilities
2. Allow liabilities to be transferred
3. Outsource security
“Network security is a business problem, and the only way to fix it is to concentrate on the business issues… I have a three-step program towards improving computer and network security. None of the steps has anything to do with the technology; they all have to do with businesses, economics, and people.”
Liability & Security, in Schneier (2008)
Security in business: concept map (Raval & Fichadia 2007, Ch 1)
(diagram: nodes for business model, management, structure, process, information and control & security, linked by “is comprised of”, “warrant actions for” and “by”)
CORE TOPICS
Information Security Attributes
• Confidentiality: protecting privacy
• Integrity: protection from accidental or deliberate (malicious) modification
• Availability: …for legitimate users; prevention of DoS attacks etc
• Authentication: who are you; supports non-deniability
• Authorization: what can you do?
• Auditing: effective auditing and logging is the key to non-repudiation
Business requirements in COBIT (COBIT 4.1)
• Effectiveness: relevant and pertinent; timely, correct, consistent
• Efficiency: productive and economical
• Confidentiality: no unauthorised disclosure
• Integrity: protection from accidental or malicious modification; accurate, complete, valid
• Availability: …for legitimate users; prevention of DoS attacks etc
• Reliability: appropriate information to support management decisions
Secure Computing
• A computing regime under which information may be stored and processed:
– To defined standards of confidentiality, integrity and availability.
– To an assessable level of assurance
Security is not a commodity. Security is a state of being!
RELATED TOPICS
Another theme: governance, risk management, compliance
Governance frameworks
• From the state: Legal
– Privacy Laws
– Property legislation – computers, IPR etc
• Sources of law
– National
– European
– USA
• Standards
– Security Criteria
– Published Standards
Ethics
• Computing poses a new environment for
ethical consideration
• Who decides the ethical aspects?
– Computer Professionals
– Leaders of Commerce & Industry
– Computer Users
– Citizens
• What happens when different values collide?
Governance: Privacy
• Holding of data relating to people
• Aggregation of personal data
– Data matching
– Marketing of data
– Universal Identifiers
• Enforcement of fair practice
• Need for a legal context
– Local
– Global
• Interacts with individuals’ expression of their identity online
Governance: Fraud & Abuse
• Corrupting information
• Damage and disruption
• Threats to the person
• Theft of property and services
• Financial crime
Managing threats and vulnerabilities
• Threat: potential event that can adversely affect an asset
• Attack: a successful attack exploits vulnerabilities in your system
• Risk: likelihood and impact of that threat occurring
Security management
• Policies: sanctioned by senior management
• Standards: built on sound policy; carry the weight of policy
• Implemented through practices, procedures and guidelines
Incident response and business continuity
• Impact analysis: accept, mitigate
• Response planning: detection, reaction, recovery
• Disaster recovery planning: crisis management, operations recovery
• Business continuity planning: strategies, planning, management
An extension of risk management (Whitman & Mattord p212)
System design principles
• Authorisation
– Rule driven controls
• Least Privilege
– Need to Know principle
• Separation of duty
– No individuals in complete control
• Redundancy
– To allow graceful degradation
Controls
• Control activities are actions, supported by policies and procedures, that, when carried out properly and in a timely manner, manage or reduce risks.
Controls
Prevent Controls
• Preventive controls attempt to deter or prevent undesirable events from occurring.
• They are proactive controls that help to prevent a loss.
• Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.
Detect Controls
• Detective controls, on the other hand, attempt to detect undesirable acts.
• They provide evidence that a loss has occurred but do not prevent a loss from occurring.
• Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.
Controls
• Both types of controls are essential to an effective internal control system.
• From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
• However, detective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses.
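As an added example (not code from the slides), the Python below models the preventive controls of the System design principles slide (rule-driven authorisation, least privilege, separation of duty) in a small two-person payment workflow, and then runs a detective control, a review of constructed audit-log lines, that reports separation-of-duty breaches and counts the attempts the preventive controls blocked. The roles, actions, user names and log format are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Rule-driven authorisation table: each role gets only the actions it needs
# (least privilege / need to know). Roles and actions are assumptions.
ROLE_PERMISSIONS = {
    "clerk": {"create_payment"},
    "manager": {"create_payment", "approve_payment"},
    "auditor": {"read_audit_log"},
}

class ControlViolation(Exception):
    """Raised when a preventive control blocks an action."""

@dataclass
class Payment:
    payment_id: int
    amount: float
    created_by: str
    approved_by: Optional[str] = None

class PaymentSystem:
    """Preventive controls: rule-driven authorisation plus separation of duty."""

    def __init__(self, user_roles):
        self.user_roles = dict(user_roles)  # user -> role
        self.payments = {}                  # payment_id -> Payment
        self.audit_log = []                 # (outcome, user, action, payment_id)
        self._next_id = 1

    def _authorise(self, user, action, payment_id=None):
        role = self.user_roles.get(user)
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self.audit_log.append(("DENIED", user, action, payment_id))
            raise ControlViolation(f"{user!r} ({role}) may not {action}")

    def create_payment(self, user, amount):
        self._authorise(user, "create_payment")
        pid, self._next_id = self._next_id, self._next_id + 1
        self.payments[pid] = Payment(pid, amount, created_by=user)
        self.audit_log.append(("OK", user, "create_payment", pid))
        return pid

    def approve_payment(self, user, payment_id):
        self._authorise(user, "approve_payment", payment_id)
        payment = self.payments[payment_id]
        # Separation of duty: nobody is in complete control of a payment,
        # so its creator can never also be its approver.
        if payment.created_by == user:
            self.audit_log.append(("DENIED", user, "approve_payment", payment_id))
            raise ControlViolation("separation of duty: creator cannot approve")
        payment.approved_by = user
        self.audit_log.append(("OK", user, "approve_payment", payment_id))
        return payment

def review_audit_log(lines):
    """Detective control: review exported log lines after the fact.
    Reports payments one user both created and approved (a separation-of-duty
    breach) and counts DENIED entries, the evidence that preventive controls
    are working. Assumed line format: 'timestamp outcome user action id'."""
    creators, approvers, denied = {}, {}, 0
    for line in lines:
        _ts, outcome, user, action, pid = line.split()
        if outcome == "DENIED":
            denied += 1
        elif action == "create_payment":
            creators[int(pid)] = user
        elif action == "approve_payment":
            approvers[int(pid)] = user
    breaches = sorted(p for p, u in approvers.items() if creators.get(p) == u)
    return {"sod_breaches": breaches, "denied_attempts": denied}

# Constructed sample log (not real data), as exported from a system that
# lacked the preventive control above.
SAMPLE_LOG = [
    "2024-01-05T10:02:11 OK alice create_payment 17",
    "2024-01-05T10:05:40 OK bob approve_payment 17",
    "2024-01-05T11:20:03 OK carol create_payment 42",
    "2024-01-05T11:20:09 OK carol approve_payment 42",  # same person: breach
    "2024-01-05T12:00:00 DENIED dave approve_payment 43",
]

def run_demo():
    """Exercise both preventive controls and return the system for inspection."""
    system = PaymentSystem({"alice": "clerk", "bob": "manager", "carol": "manager"})
    first = system.create_payment("alice", 1200.0)
    second = system.create_payment("carol", 800.0)
    for user, pid in (("alice", first), ("carol", second)):
        try:
            system.approve_payment(user, pid)  # clerk role, then own payment
        except ControlViolation:
            pass  # blocked by a preventive control and logged as DENIED
    system.approve_payment("bob", first)
    system.approve_payment("bob", second)
    return system
```

Running `review_audit_log(SAMPLE_LOG)` flags payment 42 as a separation-of-duty breach and counts one blocked attempt; `run_demo()` shows the same two rules enforced up front, each refusal leaving a DENIED entry for a later review to find.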
Final thought
http://xkcd.com/936/
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...ssuserf63bd7
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...ssuserf63bd7
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers referencessuser2c065e
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOne Monitar
 

Último (20)

Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
NAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors DataNAB Show Exhibitor List 2024 - Exhibitors Data
NAB Show Exhibitor List 2024 - Exhibitors Data
 
digital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingdigital marketing , introduction of digital marketing
digital marketing , introduction of digital marketing
 
Supercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebsSupercharge Your eCommerce Stores-acowebs
Supercharge Your eCommerce Stores-acowebs
 
PSCC - Capability Statement Presentation
PSCC - Capability Statement PresentationPSCC - Capability Statement Presentation
PSCC - Capability Statement Presentation
 
EUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exportersEUDR Info Meeting Ethiopian coffee exporters
EUDR Info Meeting Ethiopian coffee exporters
 
Technical Leaders - Working with the Management Team
Technical Leaders - Working with the Management TeamTechnical Leaders - Working with the Management Team
Technical Leaders - Working with the Management Team
 
BAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptxBAILMENT & PLEDGE business law notes.pptx
BAILMENT & PLEDGE business law notes.pptx
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applications
 
Healthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare NewsletterHealthcare Feb. & Mar. Healthcare Newsletter
Healthcare Feb. & Mar. Healthcare Newsletter
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
20220816-EthicsGrade_Scorecard-JP_Morgan_Chase-Q2-63_57.pdf
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Unveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic ExperiencesUnveiling the Soundscape Music for Psychedelic Experiences
Unveiling the Soundscape Music for Psychedelic Experiences
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
Intermediate Accounting, Volume 2, 13th Canadian Edition by Donald E. Kieso t...
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
 
Excvation Safety for safety officers reference
Excvation Safety for safety officers referenceExcvation Safety for safety officers reference
Excvation Safety for safety officers reference
 
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring CapabilitiesOnemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
Onemonitar Android Spy App Features: Explore Advanced Monitoring Capabilities
 

Security, Audit and Compliance: course overview

1. Security Audit & Compliance: Subject overview (Peter Cruickshank)

2. Overview
• Scope and context
• What do we mean by security
• Topics we will cover
• The aim is to let you see the scope
• And to get you familiar with the concepts and issues

5. The aim of this course: mutual understanding between techies and managers

6. The scope of the information system

7. Six components of an information system: Procedures, People, Data, Applications, Networks, Hardware (and a seventh, marked "?")

9. IS in context: Application Environment
• Growing business dependence on IS/IT
• Development of general purpose rather than dedicated applications
 – Built using common toolsets
 – Less variety in structure & design
• Large scale integration of data sets
• Computer to computer transactions
• Autonomous trading systems

10. IS in context: Computing Environment
• Growth in the power and availability of technology
• Rapid spread of data communications networks
• Development of powerful databases and search engines
• High degree of component commonality

11. IS in context: Socio-economic-legal
• Increasing computer fraud
• Concerns about privacy
• Greater public knowledge of computing
• Rising globalisation of trade
• Introduction of specific laws to control the use of IT
• Public policy v personal preference?

12. The scope of this course: (Business) Computer and Information Systems
• That is: we’re taking the viewpoint of an organisation and its management
 – Could be government, public sector or NGO
• Issues around consumers or individual citizen rights are not central to what we cover
• …nor is the role of ‘national security’ in setting the computer environment
• …though these are interesting and important in their own right

14. What is security? Mordac the preventer of information (© Dilbert.com)

15. What is security? The feeling and the reality of security (Schneier 2008):
“If we make security trade-offs based on the feeling of security rather than the reality, we choose security that makes us feel more secure over security that actually makes us more secure. And that’s what governments, companies, family members, and everyone else provide. Of course, there are two ways to make people feel more secure. 1. The first is to make people actually more secure, and hope they notice. 2. The second is to make people feel more secure without making them actually more secure, and hope they don’t notice. The key here is whether we notice. The feeling and reality of security tend to converge when we take notice, and diverge when we don’t. People notice when 1) there are enough positive and negative examples to draw a conclusion, and 2) there isn’t too much emotion clouding the issue.”

16. …Watch for security theatre that is…

17. The security balance
Security:
• Complex passwords are secure
• Encryption protects assets
Access:
• Complex passwords prevent access
• Encryption slows things down
Risk:
• Technology is not enough
• Controls often conflict with usability and business objectives

18. The security balance 2 (chart: effectiveness against level of technical security, marking “too risky”, “optimum balance” and “too complex to work”)

19. What is security? Information security as…
• Science: security as an engineering discipline; subject to systems thinking
• Art: when things get complicated, it gets too much to plan; the security manager is left to judge the best way(s) forward
• Social science: people interact with systems, and users need to do things; behavioural aspects of organisations and change management

20. What is security? Example of making a business secure
Schneier’s three steps to improved security:
1. Enforce liabilities
2. Allow liabilities to be transferred
3. Outsource security
“Network security is a business problem, and the only way to fix it is to concentrate on the business issues… I have a three-step program towards improving computer and network security. None of the steps has anything to do with the technology; they all have to do with businesses, economics, and people.” (Liability & Security in Schneier (2008))

21. Security in business: concept map (Raval & Fichadia 2007, Ch 1). The business model is comprised of structure, process and information; these warrant actions for control & security by management.

23. Information Security Attributes
• Confidentiality: protecting privacy
• Integrity: protection from accidental or deliberate (malicious) modification
• Availability: …for legitimate users; prevention of DoS attacks etc
• Authentication: who are you? Supports non-deniability
• Authorization: what can you do?
• Auditing: effective auditing and logging is the key to non-repudiation

24. Business requirements in COBIT (COBIT 4.1)
• Effectiveness: relevant and pertinent; timely, correct, consistent
• Efficiency: productive and economical
• Confidentiality: no unauthorised disclosure
• Integrity: protection from accidental or malicious modification; accurate, complete, valid
• Availability: …for legitimate users; prevention of DoS attacks etc
• Reliability: appropriate information to support management decisions

25. Secure Computing
• A computing regime under which information may be stored and processed:
 – To defined standards of confidentiality, integrity and availability
 – To an assessable level of assurance
Security is not a commodity; security is a state of being!

28. Governance frameworks
• From the state: Legal
 – Privacy laws
 – Property legislation – computers, IPR etc
• Sources of law
 – National
 – European
 – USA
• Standards
 – Security criteria
 – Published standards

29. Ethics
• Computing poses a new environment for ethical consideration
• Who decides the ethical aspects?
 – Computer professionals
 – Leaders of commerce & industry
 – Computer users
 – Citizens
• What happens when different values collide?

30. Governance: Privacy
• Holding of data relating to people
• Aggregation of personal data
 – Data matching
 – Marketing of data
 – Universal identifiers
• Enforcement of fair practice
• Need for a legal context
 – Local
 – Global
• Interacts with individuals’ expression of their identity online

31. Governance: Fraud & Abuse
• Corrupting information
• Damage and disruption
• Threats to the person
• Theft of property and services
• Financial crime

32. Managing threats and vulnerabilities
• Threat: a potential event that can adversely affect an asset
• Attack: a successful attack exploits vulnerabilities in your system
• Risk: the likelihood and impact of that threat occurring

33. Security management
• Policies: sanctioned by senior management
• Standards: built on sound policy; carry the weight of policy
• Implemented through practices, procedures and guidelines

34. Incident response and business continuity: an extension of risk management (Whitman & Mattord p212)
• Impact analysis: accept; mitigate
• Response planning: detection; reaction; recovery
• Disaster recovery planning: crisis management; operations recovery
• Business continuity planning: strategies; planning; management

35. System design principles
• Authorisation – rule driven controls
• Least privilege – need to know principle
• Separation of duty – no individuals in complete control
• Redundancy – to allow graceful degradation

37. Controls
• Control activities are actions, supported by policies and procedures, that, when carried out properly and in a timely manner, manage or reduce risks.

38. Controls
Preventive controls
• Preventive controls attempt to deter or prevent undesirable events from occurring.
• They are proactive controls that help to prevent a loss.
• Examples of preventive controls are separation of duties, proper authorization, adequate documentation, and physical control over assets.
Detective controls
• Detective controls, on the other hand, attempt to detect undesirable acts.
• They provide evidence that a loss has occurred but do not prevent a loss from occurring.
• Examples of detective controls are reviews, analyses, variance analyses, reconciliations, physical inventories, and audits.

39. Controls
• Both types of controls are essential to an effective internal control system.
• From a quality standpoint, preventive controls are essential because they are proactive and emphasize quality.
• However, detective controls play a critical role in providing evidence that the preventive controls are functioning and preventing losses.
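As an added illustration that is not part of the slides, the following Python puts the design principles of slide 35 and the preventive/detective distinction of slides 38 and 39 into a small payment-approval workflow: a role table (least privilege), a preventive check that refuses unauthorised or self-approved payments (authorisation and separation of duty), and a detective review of the ledger that reports violations after the fact, including a record that bypassed the preventive check. Users, roles, payments and the approval rules are constructed for the example.

```python
from dataclasses import dataclass

# Least privilege: each role holds only the actions it needs.
# Roles, users and payments below are constructed for this example.
ROLE_PERMISSIONS = {"clerk": {"request"}, "manager": {"request", "approve"},
                    "auditor": {"review"}}
USERS = {"alice": "clerk", "bob": "manager", "carol": "manager", "dave": "auditor"}


@dataclass
class Payment:
    pay_id: str
    amount: int
    requested_by: str
    approved_by: str = ""   # empty until an approver is recorded


def can(user: str, action: str) -> bool:
    """Authorisation: rule-driven check of the user's role against the action."""
    return action in ROLE_PERMISSIONS.get(USERS.get(user, ""), set())


def approve(payment: Payment, approver: str, log: list) -> bool:
    """Preventive control: refuse the approval before a loss can occur.
    Rules: the approver must hold the 'approve' right, and must not be the
    requester (separation of duty: no individual in complete control)."""
    if not can(approver, "approve"):
        log.append((payment.pay_id, approver, "DENIED: not authorised"))
        return False
    if approver == payment.requested_by:
        log.append((payment.pay_id, approver, "DENIED: separation of duty"))
        return False
    payment.approved_by = approver
    log.append((payment.pay_id, approver, "APPROVED"))
    return True


def detective_review(ledger: list) -> list:
    """Detective control: re-examine approved payments after the fact.
    It does not stop a loss; it yields evidence of whether the preventive
    rules were applied, including to records that bypassed them."""
    findings = []
    for p in ledger:
        if p.approved_by and p.approved_by == p.requested_by:
            findings.append((p.pay_id, "self-approved"))
        if p.approved_by and not can(p.approved_by, "approve"):
            findings.append((p.pay_id, "approver lacked authority"))
    return findings


def run_demo():
    """Constructed scenario: two payments go through the preventive control,
    a third is written straight into the ledger, bypassing it."""
    log, ledger = [], []
    p1 = Payment("P1", 900, "alice")
    approve(p1, "alice", log)   # clerk: not authorised (and own request)
    approve(p1, "bob", log)     # manager, different person: passes
    p2 = Payment("P2", 1500, "bob")
    approve(p2, "bob", log)     # manager, but self-approval: blocked
    approve(p2, "carol", log)   # second manager: passes
    p3 = Payment("P3", 400, "dave", approved_by="dave")  # auditor, bypassed the control
    ledger += [p1, p2, p3]
    return log, detective_review(ledger)
```

The audit log from `run_demo()` is the evidence that the preventive rules fired, while the review's findings on P3 show the detective control catching what the preventive one never saw.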