Control and Security Frameworks - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Control and Security Frameworks
Raval & Fichadia, John Wiley & Sons, Inc., 2007
  • Chapter Three
  • Prepared by Raval, Fichadia

2
Chapter Three Objectives
  • Understand risks faced by information assets.
  • Comprehend the relationship between risk and
    asset vulnerabilities, and comprehend the nature
    and types of threats faced by the asset.
  • Understand the objectives of control and security
    of information assets and how these objectives
    are interrelated.
  • Understand the building blocks of control and
    security frameworks for information systems.
  • Apply a controls framework to a financial
    accounting system.

3
(No Transcript)
4
Protecting Information Assets
  • It is necessary to protect information assets.
  • There is a potential for compromise of such
    assets.
  • There may be deliberate attacks on the
    information assets.
  • There may be unintentional compromises of
    information assets.
  • Systems are subject to regulatory protection
    requirements.

5
Vulnerabilities and Threats
  • Vulnerability: A weakness in an information
    asset that leads to risk.
  • Threat: The probability of an attack on the
    information asset.
  • Attack: A series of steps taken by an attacker to
    achieve an unauthorized result.
  • Threat agent: An entity, typically a person, who
    triggers a threat.
  • Countermeasure: An antidote or an action that
    dilutes the potential impact of a known
    vulnerability.

6
(No Transcript)
7
Internal Control
  • Definition of internal control (COSO):
  • A process, effected by an entity's board of
    directors, management, and other personnel,
    designed to provide reasonable assurance
    regarding the achievement of objectives.
  • Classification of internal controls:
  • General controls and application controls
  • Detective, preventive, and corrective controls
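
The chapter's last objective is to apply a controls framework to a financial accounting system, and the classification above is the usual way to do that. The following is an added example, not code from the Raval and Fichadia text, showing the three control classes on a toy double-entry general ledger: preventive controls that reject an entry before it changes state (positive amount, distinct accounts, second-person approval above a threshold, preparer cannot approve), a detective control that replays the journal and reports any balance that disagrees with it, and a corrective control that undoes an erroneous entry with an offsetting entry rather than editing history. The account names, the approval threshold, and the tampering step that bypasses the posting routine are assumptions made for illustration.

```python
"""Added example (not from the Raval & Fichadia text): preventive, detective
and corrective controls on a toy double-entry general ledger. Account names,
the approval threshold and the tampering scenario are assumed for illustration."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Tuple

# Assumption: entries at or above this amount need a second person to approve.
APPROVAL_THRESHOLD = Decimal("10000")


class ControlViolation(Exception):
    """Raised when a preventive control rejects an entry."""


@dataclass(frozen=True)
class Entry:
    debit: str
    credit: str
    amount: Decimal
    posted_by: str
    approved_by: Optional[str] = None


def entry(debit, credit, amount, posted_by, approved_by=None) -> Entry:
    """Convenience constructor; amounts go through str() to avoid float artefacts."""
    return Entry(debit, credit, Decimal(str(amount)), posted_by, approved_by)


@dataclass
class Ledger:
    balances: Dict[str, Decimal] = field(default_factory=dict)
    journal: List[Entry] = field(default_factory=list)
    audit_log: List[Tuple[str, Entry]] = field(default_factory=list)

    def post(self, e: Entry) -> None:
        """Preventive controls: validate before any state changes."""
        if e.amount <= 0:
            raise ControlViolation("amount must be positive")
        if e.debit == e.credit:
            raise ControlViolation("debit and credit accounts must differ")
        if e.amount >= APPROVAL_THRESHOLD:
            if e.approved_by is None:
                raise ControlViolation("entries at or above threshold need approval")
            if e.approved_by == e.posted_by:
                raise ControlViolation("segregation of duties: preparer cannot approve")
        # Double entry: every debit is matched by an equal credit, so the sum
        # of all balances stays at zero (the trial balance).
        self.balances[e.debit] = self.balances.get(e.debit, Decimal(0)) + e.amount
        self.balances[e.credit] = self.balances.get(e.credit, Decimal(0)) - e.amount
        self.journal.append(e)
        self.audit_log.append(("POST", e))

    def reconcile(self) -> List[str]:
        """Detective control: rebuild balances from the journal and return the
        accounts whose stored balance disagrees with that replay."""
        expected: Dict[str, Decimal] = {}
        for e in self.journal:
            expected[e.debit] = expected.get(e.debit, Decimal(0)) + e.amount
            expected[e.credit] = expected.get(e.credit, Decimal(0)) - e.amount
        accounts = set(expected) | set(self.balances)
        return sorted(a for a in accounts
                      if expected.get(a, Decimal(0)) != self.balances.get(a, Decimal(0)))

    def trial_balance_ok(self) -> bool:
        """Detective control: debits and credits must net to zero."""
        return sum(self.balances.values(), Decimal(0)) == 0

    def reverse(self, e: Entry, corrected_by: str,
                approved_by: Optional[str] = None) -> Entry:
        """Corrective control: history is never edited; the error is undone
        with an offsetting entry that itself passes the preventive controls."""
        rev = Entry(debit=e.credit, credit=e.debit, amount=e.amount,
                    posted_by=corrected_by, approved_by=approved_by)
        self.post(rev)
        self.audit_log.append(("REVERSE", e))
        return rev


def try_post(ledger: Ledger, e: Entry) -> Optional[str]:
    """Return None if the entry posted, otherwise the rejection reason."""
    try:
        ledger.post(e)
        return None
    except ControlViolation as exc:
        return str(exc)


def tamper_and_detect(ledger: Ledger, account: str, delta) -> List[str]:
    """Constructed scenario: change a balance without going through post()
    (as a direct database edit would) and return what reconcile() reports."""
    ledger.balances[account] = ledger.balances.get(account, Decimal(0)) + Decimal(str(delta))
    return ledger.reconcile()


if __name__ == "__main__":
    gl = Ledger()
    gl.post(entry("Cash", "Revenue", 250, "alice"))
    print(try_post(gl, entry("Cash", "Revenue", 20000, "alice", approved_by="alice")))
    print(try_post(gl, entry("Cash", "Revenue", 20000, "alice", approved_by="bob")))
    gl.reverse(gl.journal[0], corrected_by="carol")
    print(tamper_and_detect(gl, "Cash", 500), gl.trial_balance_ok())
```

The point of the split is that each class covers a different failure: `post()` stops bad input from a user of the system, `reconcile()` catches changes made around the system (the tampering helper models a direct edit of stored balances, which no preventive check in the application can see), and `reverse()` repairs without destroying the audit trail, while still being subject to the same preventive checks as any other entry.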

8
Information Security
  • Definition of information security:
  • Protection of information assets from harm
  • Classification of information security measures:
  • Physical and logical security

9
Relationship between internal control and
information security
  • Steps taken to protect a system are called
    measures, or countermeasures.
  • These measures are essentially various types of
    controls.
  • Thus, security is ensured through the
    implementation of controls.
  • Specific controls implemented for information
    security are often referred to as security
    controls.
  • The terms security and control are often used as
    if they were synonyms.
  • General controls often overlap with security
    measures.

10
Frameworks for Control and Security
  • COBIT: Control Objectives for Information and
    related Technology
  • The framework helps bridge the gap between
    business risk, control needs, and technical
    issues.
  • The framework's approach is process oriented.
  • IT processes are classified into four categories
    (domains): plan and organise, acquire and
    implement, deliver and support, and monitor and
    evaluate.
  • The framework includes 34 high-level control
    objectives, which are translated into over 300
    detailed objectives.
  • Control activities support control objectives.
  • Control activities, linked to IT processes,
    include policies, organizational structures, and
    practices and procedures.

11
Frameworks for Control and Security
  • ISO 17799 (renumbered ISO/IEC 27002 in 2007)
  • Is a standard focused on the protection of
    information assets.
  • It is broadly applicable across industries and is
    therefore a high-level standard.
  • It is a general model derived from Part 1 of
    British Standard 7799 (BS 7799), the code of
    practice; Part 2, the certifiable management
    system specification, became ISO/IEC 27001.
  • The standard is organized into ten categories
    (sections).
  • Each section is divided into subcategories, each
    of which includes a broad implementation approach
    (method).

12
Frameworks for Control and Security
  • COSO: The Committee of Sponsoring Organizations
    of the Treadway Commission
  • It is an integrated framework of internal
    control.
  • It proposes five components of internal control.
  • Together, the five components and the
    relationships among them make a holistic
    framework of internal control.

13
COSO Components of Internal Control
  • Risk assessment
  • Control environment
  • Control activities
  • Information and communication
  • Monitoring

14
(No Transcript)
15
Internal Control and Information Security
Objectives
  • Internal control objectives:
  • Efficiency of operations
  • Effectiveness of operations
  • Reliability of information
  • Compliance with applicable laws and regulations
  • Information security objectives:
  • Information integrity
  • Message integrity
  • Confidentiality
  • User authentication
  • Nonrepudiation
  • Systems availability

16
A Comparison of Internal Control and Information
Security Objectives
17
Implementing a Framework
18
Assurance Considerations
  • Without a framework, no objectives can be
    achieved with a high degree of assurance.
  • A first step toward assurance is to adopt a
    holistic framework.
  • Elements of more than one framework can be
    combined into the framework adopted by an entity,
    to provide necessary granularity.
  • The framework allows for a systematic approach to
    the design, implementation, and audit of control
    and security systems.
  • The business may seek assurance regarding proper
    implementation of a chosen framework.

19
(No Transcript)