
Information Security Governance PDF

140 Pages·2009·3.107 MB·English

Preview Information Security Governance

Information Security Governance

S.H. von Solms and R. von Solms

S.H. von Solms, University of Johannesburg, South Africa, [email protected]
R. von Solms, Nelson Mandela Metropolitan University, South Africa, [email protected]

ISBN: 978-0-387-79983-4
e-ISBN: 978-0-387-79984-1
DOI 10.1007/978-0-387-79984-1
Library of Congress Control Number: 2008931013

© Springer Science+Business Media, LLC 2009

All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.

The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed on acid-free paper

springer.com

Prologue

This book is based on many years of teaching, research and consultation in the field of Information Security. Between the two of us, we have in excess of 30 years of experience in this field.

During this period, we published and presented many research papers in this field internationally. Both brothers played a significant role in Technical Committee 11 (Information Security) of IFIP, the International Federation for Information Processing, both as Working Group Chairs and as Executive Committee members of TC11.

We have seen Information Security develop from a purely technical discipline, with responsibility stopping with the technical IT staff, to a discipline which is now internationally accepted as an integral part of good Corporate Governance, with responsibility stopping with the Board members of the company. Furthermore, we have experienced the development of the environment from a situation where there was basically no regulatory framework, to an environment where more and more legal and regulatory prescriptions are dictating the implementation and proper handling of Information Security. All these developments have resulted in the eventual arrival of Information Security Governance, the subject of this book.

As discussed in this book, we see Information Security Governance as the complete environment created and managed to ensure the confidentiality, integrity and availability of the company's information. This includes everybody, from the Chairperson of the Board to every end-user.

Again, based on our experience, we know that this book will add value over a wide spectrum of potential users – from Board members who can evaluate their responsibilities in Chapters 1, 2 and 3, to Information Security Managers, IT Managers and CIOs who can use some of the specific guidelines provided, to create a proper Information Security Governance environment.

The book will also be very useful as a text book on both under- and postgraduate level, in both Science and Business courses. We trust that you will find this book very useful.

Both of us also give all the glory to our Lord and Saviour, Jesus Christ, who made all this possible, and who still guides our daily activities.

Johannesburg, S.H. (Basie) von Solms
Port Elizabeth, Rossouw von Solms
May 2008

Abstract

In any company, information has become the lifeblood of the company. In most such companies, if not all, this information is captured, stored, processed and transmitted using IT systems. These systems are continuously exposed to a wide range of threats, which can result in huge risks, eventually compromising the confidentiality, integrity and availability of such information.

The big challenge today is to ensure that a company's electronic information is protected against possible risks which can arise against this information. A wide range of legal and regulatory prescriptions make this challenge even greater.

Information Security is the discipline used to ensure such protection, and Information Security Governance is the complete environment existing in a company to ensure this protection.

Information Security Governance involves all stakeholders in a company, from the Chairman of the Board to the youngest departmental secretary.

This book introduces the concept of Information Security Governance in a non-technical, but very usable way.

The first 3 chapters position Information Security Governance in relation to Corporate Governance and Information Technology Governance, and clearly identify accountability roles. They clearly indicate that Information Security Governance is an integral part of good Corporate Governance, and that the buck for Information Security Governance stops with the Board of the company.

In Chapter 4 a model for Information Security Governance is introduced, based on international best practices. These best practices, COBIT and ISO 27002, and their role in Information Security Governance, are discussed in detail in Chapter 5.

Chapters 6, 7, 8, 9 and 10 discuss each of the components of the model, introduced in Chapter 4, in detail. These components are:

- The Information Security Policy Architecture
- Compliance and Control in Information Security Governance
- Risk Management in Information Security Governance
- Organizing the Information Security function in a company
- Information Security Awareness

The last chapter, Chapter 11, provides a methodology, based on the full content of the book, to establish a sound Information Security Governance Program in a company.

This book should be very useful for Board members, Executive Management, Business System Owners, CIOs, IT Managers, Information Security Managers, Risk Managers and everyone involved with information security programs in a company.

Contents

1 An Introduction to Corporate Governance ... 1
1.1 Introduction ... 1
1.2 Corporate Governance ... 1
1.3 What is Corporate Governance? ... 1
1.4 Who are the Players in Corporate Governance? ... 2
1.5 The Dynamic Nature of Corporate Governance ... 3
1.6 International Best Practices for Corporate Governance ... 4
1.7 Corporate Governance and Risk Management ... 4
1.8 The Components of Corporate Governance ... 6
1.9 Summary ... 7
References ... 7

2 Information Technology Governance ... 9
2.1 Introduction ... 9
2.2 What is IT Governance? ... 9
2.3 IT Governance and Risks ... 9
2.4 A Best Practice Guideline for IT Governance ... 11
2.4.1 The Structure of COBIT ... 12
2.4.2 The Use of COBIT in a Company ... 12
2.4.3 The 34 High-Level Processes of COBIT ... 13
2.5 The Components of IT Governance ... 14
2.6 Summary ... 15
References ... 15

3 Information Security and Information Security Governance ... 17
3.1 Introduction ... 17
3.2 Information Security as a Multi-Dimensional Discipline ... 17
3.3 The Multi-Dimensional Character of Information Security ... 18
3.3.1 The (Corporate) Governance Dimension ... 18
3.3.2 The Risk Management Dimension ... 19
3.3.3 The Organizational Dimension ... 19
3.3.4 The Policy Dimension ... 19
3.3.5 The Best Practice Dimension ... 20
3.3.6 The Certification Dimension ... 20
3.3.7 The Ethical Dimension ... 21
3.3.8 The Legal/Regulatory Dimension ... 21
3.3.9 The Insurance Dimension ... 21
3.3.10 The Awareness Dimension ... 21
3.3.11 The Measurement/Monitoring/Metrics Dimension ... 21
3.3.12 The Management Dimension ... 22
3.3.13 The IT Forensics Dimension ... 22
3.3.14 The Technical Dimension ... 23
3.4 The Interdependency of the Different Dimensions of Information Security ... 23
3.5 What is Information Security Governance? ... 24
3.6 Information Security Management and Information Security Governance ... 25
3.7 Best Practices for Information Security Governance ... 26
3.8 Positioning Information Security Governance in Relation to Information Technology and Corporate Governance ... 26
3.9 Summary ... 27
References ... 27

4 Introducing the Information Security Governance Model ... 29
4.1 Introduction ... 29
4.2 The Model ... 30
4.3 A Diagrammatic Representation of the Model for Information Security Governance ... 31
4.3.1 The Core Part of the Model ... 31
4.3.2 The Expanded Part of the Model ... 32
4.4 The Core Part of the Model ... 32
4.4.1 The Core Principles of the Model ... 33
4.4.2 The Direct and Control Principle in More Detail ... 34
4.5 Revisiting Information Security Governance (ISG) and Information Security Management (ISM) ... 37
4.6 Summary ... 38
References ... 38

5 The Use of Best Practice Standards and Guidelines in Information Security Governance ... 39
5.1 Introduction ... 39
5.2 What is an International Best Practice (Code of Practice) for Information Security Governance? ... 40
5.3 Using COBIT as a Framework for Information Security Governance ... 41
5.4 COBIT and Information Security ... 41
5.4.1 Control Objective DS5.4 User Account Management ... 41
5.4.2 DS5.6 Security Incident Handling ... 42
5.4.3 DS5.9 Malicious Software Prevention, Detection and Correction ... 42
5.5 Other Information Security-Related COBIT High-Level Processes ... 43
5.6 ISO 27002 ... 43
5.7 The Background of ISO 27002 ... 44
5.8 More About ISO 27002 and ISO 27001 ... 45
5.9 The Use of ISO 27002 in a Company ... 45
5.10 ISO 27002 and Risk Management ... 46
5.11 The Use of ISO 27001 in a Company ... 47
5.12 The Structure of ISO 27002 ... 47
5.13 ISO 27002 and COBIT ... 48
5.14 A More Detailed Look at ISO 27002 ... 49
5.14.1 The Clause Structure of ISO 27002 ... 49
5.14.2 Some Sub-Clauses in More Detail ... 56
5.15 The Certification Process Against ISO 27001 ... 58
5.15.1 General Requirements of the ISMS ... 58
5.15.2 Establishing and Managing the ISMS ... 59
5.16 Summary ... 59
References ... 59

6 The Direct Part of the Model – An Information Security Policy Architecture ... 61
6.1 Introduction ... 61
6.2 ISO 27002 on Policy Aspects ... 61
6.3 COBIT on Policy Aspects ... 62
6.4 Information Security Governance-Related Documents Produced in the Direct Part of the Direct/Control Cycle ... 62
6.4.1 The Documents ... 62
6.4.2 The Structure ... 63
6.4.3 The Board Directive ... 63
6.4.4 The Corporate Information Security Policy (CISP) ... 64
6.4.5 The Information Security Sub-Policies ... 67
6.4.6 The Procedures ... 71
6.5 Summary ... 72
References ... 72

7 The Control Part of the Model – An Information Security Compliance Management Environment ... 73
7.1 Introduction ... 73
7.2 ISO 27002 on Compliance Aspects ... 73
7.3 COBIT on Compliance Aspects ... 74
7.4 Compliance Enforcement ... 74
7.5 The Traditional Approach to Control and Compliance Monitoring ... 74
