COBIT Security Baseline: An Information Security Survival Kit, 2nd Edition. IT Governance Institute. Derived from COBIT: Board Briefing on IT Governance, 2nd Edition—designed to help executives.
Published: 20 June 2004
COBIT Security Baseline
Effective IT governance helps ensure that IT supports business goals, optimises business investment in IT, and appropriately manages IT-related risks and opportunities. The IT Governance Institute offers symposia, original research and case studies to assist enterprise leaders and boards of directors in their IT governance responsibilities.
The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorisation of the IT Governance Institute.
No other right or permission is granted with respect to this work. As computer systems have become more and more commonplace in all walks of life, from home to school and office, unfortunately so too have the security risks.
The widespread use of the Internet, handheld and portable computer devices, and mobile and wireless technologies has made access to data and information easy and affordable. On the other hand, these developments have provided new opportunities for information technology-related problems to occur, such as theft of data, malicious attacks using viruses, hacking, denial-of-service (DoS) attacks and even new ways to commit organised crime.
These risks, as well as the potential for careless mistakes, can all result in serious financial, reputational and other damages. Recognising the need for better security guidance, this booklet has been developed to provide essential advice and practical tools to help protect computer users from these risks.
This guide focuses on the specific risk of IT security in a way that is simple to follow and implement for the home user or the user in small to medium enterprises, as well as for security executives and board members of larger organisations. It provides the following elements: Although this guide is not exhaustive, if all the guidance provided is implemented, security protection will be well above the average found in most organisations. IT environments keep changing, and new security risks can occur at any time.
The amount of effort applied to implementing a safe and secure working environment should be based on how much of an impact a security problem could have at home or at work.
However, implementing good security does not necessarily mean investing large amounts of time or expense. Implementing technical safeguards can be more complex and expensive; therefore, proven products from reputable suppliers should always be used and, if necessary, experts should be called on for advice.
In any case, these are not one-time efforts but require constant and continuous attention. This guide cannot highlight every risk or suggest precisely what level of control is needed, but it will significantly improve the ability to identify what must be done and why. Good security will improve reputation, confidence and trust from others with whom business is conducted, and can even improve efficiency by reducing the wasted time and effort spent recovering from a security incident.
In this context, valuable assets are the information recorded on, processed by, stored in, shared by, transmitted from or retrieved from an electronic medium. The information must be protected against harm from threats leading to different types of impacts such as loss, inaccessibility, alteration or wrongful disclosure.
Threats include errors and omissions, fraud, accidents and intentional damage. The objective of information security is protecting the interests of those relying on information and the systems and communications that deliver the information from harm resulting from failures of availability, confidentiality and integrity.
The impact of the Internet and the growth of the networked economy have added the need for trust in electronic transactions. Overall, for most computer users the security objective is met when: For example, integrity of management information is especially important to a business that relies on critical strategy-related decisions, and integrity of an online purchase is very important to the home user doing Internet shopping.
The amount of protection required depends on how likely a security risk is to occur, and how big an impact it would have if it did occur. Protection is achieved by a combination of technical and non-technical safeguards.
For the home user, this means installation of reputable security tools, maintenance of up-to-date software, care with backups, and being careful and alert to the hazards of using computers and connecting to the Internet. For large enterprises, protection will be a major task with a layered series of safeguards such as physical security measures, background checks, user identifiers, passwords, smart cards, biometrics and firewalls.
"In the ever-changing technological environment, security that is state-of-the-art today may be obsolete tomorrow. Therefore, security protection must keep pace with these changes." (Paul Dorey, director, digital business security, BP Plc)
IT has become an integral part of everyday business and private life, and dependency on information systems is ever growing.
New technologies have emerged that allow unprecedented functionality but introduce new risks and environments that are harder to control, e.g. Increased dependency on IT means a higher impact when things go wrong. Whether it occurs to a home user relying on home banking or an enterprise relying on online customers, an Internet security breach has a real and major impact. With the widespread use of networks, individuals are rightly concerned about the privacy of their personal information, and companies need to protect the confidentiality of corporate data while encouraging electronic business.
In chapter 11, Summary of Technical Security Risks, a primer on current technical risks is provided.
While it is not exhaustive, it is indicative of the technical risks that all users might face today. Gaps in security are usually caused by: It can also enable new and easier ways to process electronic transactions and generate trust. If there is any doubt about the significance of IT security, the potential impact of a security incident personally, or on the organisation or working environment, should be considered. Figure 2 might make one think: What if an incident were to occur? What would be the consequences?
Could business revenues or profits be lost if information is disclosed, wrong or lost? If information is disclosed or lost, could there be a damaging effect on staff morale or motivation? If information is disclosed or altered, could goods or funds be improperly diverted?
Could incorrect business decisions be made as a result of errors in or unauthorised changes to information? Could the business be otherwise disrupted by the unavailability of applications or information services? Could disclosure of information result in a breach of legal, regulatory or contractual obligations?
There is no sense in turning on the house alarm and leaving the back door open. There is also no sense in implementing the latest network security devices if staff do not know how to operate the devices or what to do if a breach is detected.
Information security is even more about behaviour than it is about technical safeguards. To help an organisation focus on the essential steps to take, the most important security-related objectives have been extracted from the COBIT framework, and shaded in the simple-to-follow table in figure 3. In total, the tables contain 39 steps toward better information security.
Figures 4 through 7 also note related control objectives in ISO.
Based on business impact for critical business information processes, identify:
Define specific responsibilities for the management of security and:
Consistently communicate and regularly discuss the basic rules for implementing security requirements and responding to security incidents. Establish minimum dos and don'ts and regularly remind people of security risks and their personal responsibilities. When hiring, verify with reference checks. Obtain through hiring or training the skills needed to support the enterprise security requirements. Ensure that no key security task is critically dependent upon a single resource.
Comply with legal, regulatory, contractual, insurance and other external requirements: Identify what, if anything, needs to be done with respect to security obligations to comply with privacy, intellectual property rights, and other applicable laws and regulations. Encourage staff to understand and be responsive to these security obligations. At appropriate times, discuss with key staff what can go wrong with IT security that could significantly impact the business objectives.
Consider how best to secure services, data and transactions that are critical for the success of the business. Prepare a risk management action plan to address the most significant risks.
Establish staff understanding of the need for responsiveness and consider cost-effective means to manage the identified security risks through security practices, e.g.
Consider security when identifying automated solutions: Consider how automated solutions may introduce security risks to the business and the supporting processes they plan to change. Ensure that the solution is functional and that operational security requirements are specified and compatible with current systems.
Control objective: Acquire and maintain technology infrastructure. Consider security when acquiring the technology: Ensure that the technology infrastructure properly supports automated security practices. Consider what additional security requirements are needed to protect the technology infrastructure. Identify and monitor sources for keeping up to date with security patches and implement those appropriate for the enterprise infrastructure.
Ensure that staff know how to integrate security when developing and maintaining systems: Document procedures and train staff. Test the system or major change. Consider testing how the security functions integrate with existing systems. Perform final security acceptance after sufficient evaluation.
Evaluate all changes, including patches, to establish the impact on the integrity, exposure or loss of sensitive data, availability of critical support services, and validity of important transactions. Record and authorise all changes in a secure manner.
Ensure that management establishes security requirements and regularly reviews compliance of internal service level agreements and contracts with third-party service providers. Assess the professional capability of third parties and ensure they provide an adequate contact with the authority to act upon enterprise security requirements and concerns.
Consider the dependence on third-party suppliers for security requirements, and mitigate continuity, confidentiality and intellectual property risk by, for example, escrow, legal liabilities, penalties and rewards.
Ensure that the enterprise is capable of recovering with minimal interruption from a security incident: Identify critical business functions and information, and those resources, e.g. Ensure that significant incidents are identified and resolved in a timely manner. Establish basic principles for safeguarding and reconstructing IT services, including alternative processing procedures, how to obtain supplies and services in an emergency, how to return to normal processing after the security incident, and how to communicate with customers and suppliers.
Together with key employees, define what needs to be backed up and stored offsite to support recovery of the business, e.g. At regular intervals, ensure that the backup resources are usable and complete.
Control objective: Ensure systems security. Ensure that all ... Ensure that these responsibilities are not assigned to the same person.