Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur

CYBERSECURITY ASSURANCE. ALAN YAU TI DUN, CISA CISM CGEIT CRISC CISSP CSXF ITIL, SPECIAL INTEREST GROUP 1, ISACA MALAYSIA CHAPTER

Upload: alan-yau-ti-dun

Post on 13-Feb-2017


TRANSCRIPT

Page 1: Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur

CYBERSECURITY ASSURANCE
ALAN YAU TI DUN, CISA CISM CGEIT CRISC CISSP CSXF ITIL
SPECIAL INTEREST GROUP 1, ISACA MALAYSIA CHAPTER

Page 2: CYBERSECURITY ASSURANCE

Like any information security process, cyber security should have an adequate and reasonable level of assurance; together with governance and management processes, assurance completes the security perspective. Cyber security assurance requires a comprehensive set of controls covering risk as well as management processes, supported by appropriate metrics and indicators for security goals and for factual security risk. This session will share a cybersecurity self-assessment program for carrying out an audit or self-assessment review of cyber security controls and practices in a typical organisation. The assurance program leverages the COBIT 5 framework and COBIT 5 for Information Security as a baseline.

Page 3: CYBERSECURITY ASSURANCE

This session aims to bring forth the following to the delegates:

• General understanding of cyber security assurance.

• Exposure to a cyber security assurance program, which leverages COBIT 5 as a baseline.

• Guidelines for conducting a cybersecurity audit.

Page 4: AUDITING & REVIEWING CYBERSECURITY

Page 5: AUDITING & REVIEWING CYBERSECURITY

• Review is required to validate that the controls are designed and operating effectively.

• The audit & review universe is distributed across all 3 lines of defense, which provides the required degree of independence.

Page 6: AUDITING & REVIEWING CYBERSECURITY

Page 7: AUDIT UNIVERSE

• Include all control sets, management practices and GRC provisions in force.

• Can be extended to third parties whose contracts include audit rights.

• Keep within the right boundaries:

  – Corporate sphere of influence vs private sphere of controls.

  – Internal IT infrastructure vs external infrastructure.

  – Corporate sovereignty vs legal provisions.

Page 8: AUDIT BOUNDARIES

Page 9: AUDIT OBJECTIVES

• Can range from high-level governance reviews to technical reviews.

• Need to be defined in a clear and concise manner.

• Consider time and effort.

• Audit objectives are best defined in line with the governance and management activities defined for cyber security.

• For complex audits, the underlying audit program may span several years.

Page 10: KEY CONSIDERATIONS

• Legal considerations

• Privacy and data protection

• Logging, data retention and archiving

• Audit data storage and archiving, which should meet the standard criteria:

  – Confidentiality

  – Integrity

  – Availability

Pages 11-14: EXAMPLE – CYBERSECURITY AUDIT GOALS

Page 15: TRANSFORMING CYBERSECURITY – COBIT 5

Eight Key Principles:

1. Understand the potential impact of cybercrime and warfare on your enterprise.

2. Understand end users, their cultural values and their behavior patterns.

3. Clearly state the business case for cybersecurity and the risk appetite of the enterprise.

4. Establish cybersecurity governance.

5. Manage cybersecurity using principles and enablers. (The principles and enablers found in COBIT 5 will help your organization ensure end-to-end governance that meets stakeholder needs, covers the enterprise end to end and provides a holistic approach, among other benefits. The processes, controls, activities and key performance indicators associated with each enabler will provide the enterprise with a comprehensive picture of cybersecurity.)

6. Know the cybersecurity assurance universe and objectives.

7. Provide reasonable assurance over cybersecurity. (This includes monitoring, internal reviews, audits and, as needed, investigative and forensic analysis.)

8. Establish and evolve systemic cybersecurity.

Page 16: CYBERSECURITY ASSURANCE USING

Page 17: CYBERSECURITY ASSURANCE – COBIT 5

Page 18: CYBERSECURITY ASSURANCE – COBIT 5

EDM01: ENSURE GOVERNANCE FRAMEWORK SETTING AND MAINTENANCE

Key Areas / Points

1. Cyber security management is supported by entity standards, processes and procedures.

2. Cyber security prevention is monitored on a regular basis by senior management.

3. Business and IT unit leaders are trained and actively involved in the oversight and significant decisions relating to cyber security preparedness and incidents.

4. A cyber security task force / panel has been established and includes appropriate functional members.

5. Cyber security risks and vulnerabilities are identified and evaluated on a periodic basis.

Page 19: CYBERSECURITY ASSURANCE – COBIT 5

EDM01: ENSURE GOVERNANCE FRAMEWORK SETTING AND MAINTENANCE

Other notable cyber security assurance concepts

1. Identify and validate the governance model in terms of cyber security attacks (e.g. 'Zero Tolerance' vs 'Living with it'). This model should be aligned with the entity's overall risk appetite.

2. Determine an optimal decision-making model for cyber security. This may be distinct and different from the 'ordinary' information security model.

3. Embed cyber security transformation activities that are driven by a steering committee. These activities should be included in the overall security strategy.

4. Develop and foster an information security-positive culture and environment within all business units.

5. Integrate cyber security measures, measurements and metrics into routine compliance check mechanisms.

Page 20: CYBERSECURITY ASSURANCE – COBIT 5

APO01: MANAGE THE IT MANAGEMENT FRAMEWORK

Key Areas / Points

1. IT management establishes, maintains and monitors a secure infrastructure.

2. IT management receives and reviews key reports and analysis of security, vulnerability, intrusions and penetration test results.

3. IT management supports the cyber security task force and information security initiatives.

Page 21: CYBERSECURITY ASSURANCE – COBIT 5

APO01: MANAGE THE IT MANAGEMENT FRAMEWORK

Other notable cyber security assurance concepts

1. Define the expectations with regard to cyber security, including ethics and culture. The expectations should match the overall governance model.

2. IT General Controls ('ITGC') should be tested and updated regularly. IT General Controls provide the support and baseline assurance for cyber security specific objectives.

3. Controls and objectives that are performed by third parties should also be evaluated periodically by management.

Page 22: CYBERSECURITY ASSURANCE – COBIT 5

APO03: MANAGE ENTERPRISE ARCHITECTURE (ARCHITECTURE REVIEW)

Page 23: CYBERSECURITY ASSURANCE – COBIT 5

APO13: MANAGE SECURITY (SECURITY INCIDENT MANAGEMENT)

Security Incident Management

1. Policies and procedures are established to ensure that risk analysis and asset prioritization are part of the evaluation process.

2. Asset value and prioritization are components of the incident response analysis.

3. Incident response policies and processes should identify the scope, objectives and requirements defining how and who should respond to an incident, what constitutes an incident, and the specific processes for monitoring and reporting incident activities.

4. An incident response team has been organized with appropriate management, staffing and senior management support.

5. Forensic policies and procedures should ensure that documented management trails are preserved to permit internal investigations and support any legal or regulatory investigations (internal and external).

6. Incident response tools should be installed, scheduled, monitored, and secured to avoid unauthorised access to investigation activities.

7. The crisis management function is part of the cyber security preparedness process.

Page 24: CYBERSECURITY ASSURANCE – COBIT 5

APO13: MANAGE SECURITY (SECURITY INCIDENT MANAGEMENT)

Page 25: SUMMARY

• Understand CyberSecurity from a holistic, organizational perspective

• Understand the approach to CyberSecurity Assurance

• Develop audit programmes by identifying risks and relevant controls

• Know how to test controls related to CyberSecurity

Page 26: Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur

ALAN YAU TI DUN, CISA CISM CGEIT CRISC CISSP CSXF ITIL
SPECIAL INTEREST GROUP 1, ISACA MALAYSIA CHAPTER