INFORMATION SECURITY

LUSUNGU MKANDAWIRE

MARCH 12, 2015

IIAM IT AUDIT ESSENTIALS WORKSHOP



AGENDA

What is Information Security

Core Principles of Information Security

Security Governance

Organizational Structures

Roles and Responsibilities

Information Classification

Risk Management

Information Systems Controls

General Controls

Application Controls

Auditing Information Security

OBJECTIVES

Provide an overview of Information Security and describe its importance

Describe one approach to Auditing Information Security

Describe current trends in Information Security and how they can be incorporated into IT Security Audits

WHAT IS INFORMATION SECURITY

The protection of information and its critical elements, including the systems and hardware that use, store, and transmit that information.

Information security is protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, reading, inspection, recording or destruction.

CORE PRINCIPLES OF INFORMATION SECURITY

The core principles of information security are:

Confidentiality - to prevent the disclosure of information to unauthorized individuals or systems

Integrity - to ensure that data is accurate and complete and it cannot be modified by unauthorized person(s)

Availability - to ensure the information is available when it is needed, where it is needed, and by whom it is needed

Accountability - to ensure that every action can be traced to the user who performed it, so that users can be held responsible for their actions

INFORMATION SECURITY GOVERNANCE

Organizational Structures

A typical organization of, and the official responsibilities for, information security includes:

BoD, CEO

CFO, CIO, CSO, CISO

Director, Manager

IT/IS Security

Audit

INFORMATION SECURITY GOVERNANCE

Organizational Structures

Audit should be separate from implementation and operations, so that its independence is not compromised

Responsibilities for security should be defined in job descriptions

Senior management has ultimate responsibility for security

Security officers/managers have functional responsibility

INFORMATION SECURITY GOVERNANCE

Roles and Responsibilities

Best Practices

Least Privilege

Mandatory Vacations

Job Rotation

Separation of Duties
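The two practices that can be enforced mechanically, least privilege and separation of duties, are shown below in an added example that is not part of the original slides. The roles, their permission sets, the user/role table and the two-step payment workflow are all constructed for illustration. Least privilege is the role table: each role carries only the permissions its job needs. Separation of duties appears twice: a static check over the user/role table (the kind of test an application audit of segregation of duties performs) and a dynamic check at approval time, so that even a user who legitimately holds both permissions cannot approve a payment they created.

```python
"""Least privilege and separation of duties enforced in code.

Added example, not from the original slides. The roles, permissions, users
and the two-step payment workflow are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Least privilege: each role carries only the permissions its job needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk":    {"payment:create"},
    "approver": {"payment:approve"},
    "auditor":  {"payment:read", "log:read"},
}

# Separation of duties: permission pairs that one person must never hold,
# or exercise together on the same transaction.
CONFLICTING: Set[FrozenSet[str]] = {
    frozenset({"payment:create", "payment:approve"}),
}

class PolicyViolation(Exception):
    pass

@dataclass
class Payment:
    amount: int
    created_by: str
    approved_by: Optional[str] = None

def permissions_for(user_roles: Dict[str, Set[str]], user: str) -> Set[str]:
    perms: Set[str] = set()
    for role in user_roles.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms

def toxic_combinations(user_roles: Dict[str, Set[str]]) -> List[Tuple[str, FrozenSet[str]]]:
    """Static SoD check over role assignments: the test an application audit
    runs against the user/role table. Returns (user, conflicting pair)."""
    findings = []
    for user in sorted(user_roles):
        perms = permissions_for(user_roles, user)
        for pair in CONFLICTING:
            if pair <= perms:
                findings.append((user, pair))
    return findings

def create_payment(user_roles: Dict[str, Set[str]], user: str, amount: int) -> Payment:
    if "payment:create" not in permissions_for(user_roles, user):
        raise PolicyViolation(f"{user} lacks payment:create")
    return Payment(amount=amount, created_by=user)

def approve_payment(user_roles: Dict[str, Set[str]], user: str, payment: Payment) -> Payment:
    """Dynamic SoD check: even a user who holds payment:approve may not
    approve a payment they created themselves."""
    if "payment:approve" not in permissions_for(user_roles, user):
        raise PolicyViolation(f"{user} lacks payment:approve")
    if payment.created_by == user:
        raise PolicyViolation(f"{user} may not approve a payment they created")
    payment.approved_by = user
    return payment

# Constructed user/role table. 'mallory' holds both halves of the workflow,
# which the static check must flag.
USER_ROLES: Dict[str, Set[str]] = {
    "alice":   {"clerk"},
    "bob":     {"approver"},
    "carol":   {"auditor"},
    "mallory": {"clerk", "approver"},
}

def demo() -> Tuple[List[Tuple[str, FrozenSet[str]]], Payment, str]:
    """Runs the static check and the two-person workflow; returns the audit
    findings, a properly approved payment, and the reason the self-approval
    attempt was refused."""
    findings = toxic_combinations(USER_ROLES)
    p = create_payment(USER_ROLES, "alice", 1_000)
    approve_payment(USER_ROLES, "bob", p)
    q = create_payment(USER_ROLES, "mallory", 5_000)
    try:
        approve_payment(USER_ROLES, "mallory", q)
        refused = ""
    except PolicyViolation as e:
        refused = str(e)
    return findings, p, refused

if __name__ == "__main__":
    for finding in demo()[0]:
        print("SoD finding:", finding)
```

The static check is what an auditor wants from an entitlement export: it flags the assignment (mallory holding clerk and approver) before any transaction occurs. The dynamic check is the control the application itself must carry, because role clean-up lags behind reality and the same person can acquire both halves through job rotation or temporary cover.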

INFORMATION SECURITY GOVERNANCE

Roles and Responsibilities

Owners

Determine security requirements

Custodians

Manage security based on those requirements

Users

Access information as allowed by the security requirements

INFORMATION SECURITY GOVERNANCE

Information Classification

Not all information has the same value

Need to evaluate value based on CIA

Value determines protection level

Protection levels determine procedures

Labeling informs users on handling

RISK MANAGEMENT

“Risk management is the process of identifying vulnerabilities and threats to the information resources used by an organization in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an acceptable level, based on the value of the information resource to the organization.” (ISACA)

RISK MANAGEMENT

The Risk Management Process

Identify assets and estimate their value.

Conduct a threat assessment.

Conduct a vulnerability assessment.

Calculate the impact that each threat would have on each asset.

Identify, select and implement appropriate controls.

Evaluate the effectiveness of the control measures.
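The six steps above carried through on a small register, as an added example that is not part of the original slides. The assets, threats, vulnerability mapping, 1-5 scales, acceptable-risk threshold of 8 and the effect of each control are all constructed. Scoring a pair as asset value multiplied by threat likelihood, and only where the asset actually carries the vulnerability the threat needs, is one common qualitative method; the slides do not prescribe a formula, and a real assessment would substitute its own scales and data.

```python
"""Worked risk assessment following the six steps above.

Added example, not from the original slides. Assets, threats, the
vulnerability mapping, the 1-5 scales, the acceptable-risk threshold and the
control effects are all constructed. Risk = asset value x threat likelihood is
one common qualitative scoring; the slides do not prescribe a formula.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    value: int          # 1 (low) .. 5 (critical), from the CIA evaluation

@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: int     # 1 .. 5, from the threat assessment
    exploits: str       # the vulnerability this threat needs

@dataclass(frozen=True)
class Control:
    name: str
    mitigates: str      # vulnerability the control closes or weakens
    reduction: int      # likelihood points removed once in place (assumed)

Register = Dict[Tuple[str, str], int]

# Steps 1-3, constructed data: asset values, threats, vulnerability assessment.
ASSETS = [Asset("customer-db", 5), Asset("intranet-wiki", 2)]
THREATS = [Threat("credential-stuffing", 4, "weak-passwords"),
           Threat("ransomware", 3, "unpatched-os")]
VULNERABILITIES: Dict[str, Set[str]] = {
    "customer-db": {"weak-passwords", "unpatched-os"},
    "intranet-wiki": {"unpatched-os"},
}
CONTROLS = [Control("mfa", "weak-passwords", 3),
            Control("patch-management", "unpatched-os", 2)]
ACCEPTABLE = 8          # assumed risk appetite: scores above this need treatment

def risk_score(asset: Asset, threat: Threat, vulns: Dict[str, Set[str]]) -> int:
    """Step 4: impact of one threat on one asset. With no matching
    vulnerability on the asset there is no path, so the pair scores 0."""
    if threat.exploits not in vulns.get(asset.name, set()):
        return 0
    return asset.value * threat.likelihood

def build_register(assets: List[Asset], threats: List[Threat],
                   vulns: Dict[str, Set[str]]) -> Register:
    return {(a.name, t.name): risk_score(a, t, vulns) for a in assets for t in threats}

def select_controls(register: Register, threats: List[Threat],
                    controls: List[Control], acceptable: int) -> Set[str]:
    """Step 5: for every asset/threat pair above the acceptable level, choose
    the controls that mitigate the vulnerability the threat exploits."""
    exploits = {t.name: t.exploits for t in threats}
    chosen: Set[str] = set()
    for (_, threat_name), score in register.items():
        if score > acceptable:
            chosen |= {c.name for c in controls if c.mitigates == exploits[threat_name]}
    return chosen

def residual_register(assets: List[Asset], threats: List[Threat], vulns: Dict[str, Set[str]],
                      controls: List[Control], chosen: Set[str]) -> Register:
    """Step 6: re-score with the chosen controls in place. A control lowers the
    likelihood of every threat exploiting its vulnerability, but never below
    1 (assumption: no control is perfect)."""
    reduction: Dict[str, int] = {}
    for c in controls:
        if c.name in chosen:
            reduction[c.mitigates] = reduction.get(c.mitigates, 0) + c.reduction
    treated = [Threat(t.name, max(t.likelihood - reduction.get(t.exploits, 0), 1), t.exploits)
               for t in threats]
    return build_register(assets, treated, vulns)

def above_threshold(register: Register, acceptable: int) -> List[Tuple[str, str]]:
    return sorted(k for k, v in register.items() if v > acceptable)

def run_assessment() -> Tuple[Register, Set[str], Register]:
    inherent = build_register(ASSETS, THREATS, VULNERABILITIES)
    chosen = select_controls(inherent, THREATS, CONTROLS, ACCEPTABLE)
    residual = residual_register(ASSETS, THREATS, VULNERABILITIES, CONTROLS, chosen)
    return inherent, chosen, residual

if __name__ == "__main__":
    inherent, chosen, residual = run_assessment()
    print("above threshold before controls:", above_threshold(inherent, ACCEPTABLE))
    print("controls selected:", sorted(chosen))
    print("above threshold after controls:", above_threshold(residual, ACCEPTABLE))
```

The point of keeping the inherent and residual registers side by side is the last step on the slide: effectiveness is evaluated by re-scoring, not by assuming a control works because it was bought. An auditor asks for both registers and for the evidence behind each likelihood reduction.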

INFORMATION SYSTEM CONTROLS

Information system controls are methods and devices that attempt to ensure the accuracy, validity, and propriety of information system activities.

Controls must be developed to ensure proper data entry, processing techniques, storage methods, and information output.

INFORMATION SYSTEM CONTROLS

General Controls

General controls apply to information system activities throughout an organization.

The most important general controls are the measures that control access to computer systems and the information stored there or transmitted over telecommunications networks.

INFORMATION SYSTEM CONTROLS

Application Controls

Application controls are specific to a given application and include such measures as validating input data, logging the accesses to the system, regularly archiving copies of various databases, and ensuring that information is disseminated only to authorized users.
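Three of the four application controls named above, input validation, access logging and authorized output, applied to one record type, as an added example that is not part of the original slides (database archiving is an operational job rather than application code and is left out). The invoice record, the two roles and the fields each may receive, the IBAN format check and the layout of the log entry are constructed for illustration.

```python
"""Application controls on one record type: input validation, access logging
and authorized output.

Added example, not from the original slides. The invoice record, the two
roles and which fields each may see, the IBAN format check and the log
entry layout are constructed for illustration.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Output control: which invoice fields each role may receive. The bank
# account (iban) is released only to billing.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "billing": {"id", "customer", "amount", "iban"},
    "support": {"id", "customer", "amount"},
}

# Access logging: every attempt, allowed or refused, lands here. In a real
# system this would be an append-only log outside the application's control.
ACCESS_LOG: List[dict] = []

# Assumed IBAN shape: country code, two check digits, 11-30 alphanumerics.
IBAN_RE = re.compile(r"^[A-Z]{2}[0-9]{2}[A-Z0-9]{11,30}$")

class ValidationError(ValueError):
    pass

def validate_invoice(raw: Dict[str, str]) -> dict:
    """Input control: each field is checked for presence, type, range and
    format before it reaches processing; any failure rejects the record."""
    try:
        amount = int(raw["amount"])          # whole cents, never a float
    except (KeyError, ValueError):
        raise ValidationError("amount must be an integer number of cents")
    if not 0 < amount <= 10_000_000:
        raise ValidationError("amount out of range")
    customer = raw.get("customer", "").strip()
    if not 1 <= len(customer) <= 100:
        raise ValidationError("customer name must be 1-100 characters")
    iban = raw.get("iban", "").replace(" ", "").upper()
    if not IBAN_RE.match(iban):
        raise ValidationError("malformed IBAN")
    return {"customer": customer, "amount": amount, "iban": iban}

def accepts(raw: Dict[str, str]) -> Optional[str]:
    """Returns None if the record passes validation, else the reason it failed."""
    try:
        validate_invoice(raw)
        return None
    except ValidationError as e:
        return str(e)

def log_access(user: str, action: str, record_id: str, allowed: bool) -> None:
    ACCESS_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "record": record_id, "allowed": allowed,
    })

def view_invoice(user: str, role: str, invoice: dict) -> Optional[dict]:
    """Output control: return only the fields the caller's role may see;
    refused requests return None. Every attempt is logged either way."""
    fields = ROLE_FIELDS.get(role)
    log_access(user, "view", invoice["id"], fields is not None)
    if fields is None:
        return None
    return {k: v for k, v in invoice.items() if k in fields}

# Constructed sample submission and the stored record built from it.
SUBMISSION = {"customer": " Acme Ltd ", "amount": "12500",
              "iban": "GB82 WEST 1234 5698 7654 32"}
INVOICE = {"id": "INV-1", **validate_invoice(SUBMISSION)}

if __name__ == "__main__":
    print(accepts({"customer": "Acme", "amount": "12.50", "iban": INVOICE["iban"]}))
    print(view_invoice("bob", "support", INVOICE))
    print(view_invoice("eve", "guest", INVOICE))
    for entry in ACCESS_LOG:
        print(entry)
```

Two design choices matter for an audit. The refused request is logged before the function returns, so the log shows attempts and not just successes; and the amount is parsed as integer cents rather than a float, so a value like "12.50" is rejected at the boundary instead of being silently rounded inside processing.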

AUDITING INFORMATION SECURITY

Auditing information security covers the following topics:

the physical security of offices and data centers

the logical security of networks and databases

technical, physical and administrative controls

AUDITING INFORMATION SECURITY

Auditing Core Systems: areas to focus on include:

Network vulnerabilities

Controls

Encryption and IT audit

Logical security audit

Specific tools used in network security

AUDITING INFORMATION SECURITY

Auditing Applications: areas to focus on include:

Application security

Segregation of duties

Controls

SUMMARY

Information security is a “well-informed sense of assurance that the information risks and controls are in balance.”

Successful organizations have multiple layers of security in place: physical, personal, operations, communications, network, and information.

Security should be considered a balance between protection and availability

Thank You!

Lusungu Mkandawire

[email protected]

265999989153

www.linkedin.com/pub/lusungu-mkandawire/57/102/283

https://twitter.com/MLusungu