Date posted: 05-Dec-2014
Category: Technology
Uploaded by: sarah-cortes
Views: 8,888
Downloads: 2
04/09/23 Copyright 2009 Sarah Cortes
IT Policies, Standards and Technical Directives
Sarah Cortes, PMP, CISA
www.inmantechnologyIT.com
Sarah's blog: SecurityWatch
Sarah's ITtechEx column
twitter: SecuritySpy
LinkedIn: Sarah Cortes
Agenda
• Who are we?
• Purpose?
• Standards Frameworks
• COBIT Framework
• ISACA Framework
• Case Study
Sarah Cortes, PMP, CISA
Clients:
• Harvard University
• Biogen
• Fidelity
Professional Associations:
• Sarah is a member of the AIM Advisory Board on Data Privacy Laws to the Massachusetts Legislature
Practice expertise:
• Complex Application Development/Implementation
• IT Security/Privacy/Risk Management/Audit Management
• Data Center Operations Management
• Disaster Recovery/High Availability
• Program/Project Management
Background:
• SVP in charge of Security, DR, IT Audit, and some Data Center Operations at Putnam Investments
• As head of DR, ran Putnam's failover during 9/11 when parent Marsh McLennan failed over to our facility from the World Trade Center 99th floor data center
• Coordinated over 65 audits per year
• Previously ran major applications development for Trading/Analytics Systems
Standards Overview
ISO/IEC 27000 – International Organization for Standardization/International Electrotechnical Commission
ITIL – Information Technology Infrastructure Library
NIST – National Institute of Standards and Technology
PMBOK – Project Management Body of Knowledge
TOGAF – The Open Group Architecture Framework
CMMI for Development – Capability Maturity Model Integration, the successor to the SEI's CMM (Capability Maturity Model) for software, from the US DoD-sponsored Software Engineering Institute
COBIT – Control Objectives for Information and related Technology, from the Information Systems Audit and Control Association (ISACA)
Is the Purpose to…?
• Drive you crazy?
• Waste your precious resources in a pointless task that will soon be out of date?
• Serve as evidence to be used against you later?
Could policies help….?
• Save you after you have already gotten into trouble?
• Attempt, however lamely, to keep you out of trouble
• Prove that, however obvious the trouble is, it is not your fault
Calling in the Experts
Did you know….?
Seven out of ten attacks are from…
You may be wondering…
• Why develop and document IT policies, standards and technical directives?
• Is it really worth it? What's in it for me?
• Who will pay for the resources thus diverted?
COBIT Control Objectives – Overview
• PLAN AND ORGANISE – 10
• ACQUIRE AND IMPLEMENT – 7
• DELIVER AND SUPPORT – 13
• MONITOR AND EVALUATE – 4
• Total – 34
COBIT Control Objectives – PLAN AND ORGANISE
PO1 Define a Strategic IT Plan
PO2 Define the Information Architecture
PO3 Determine Technological Direction
PO4 Define the IT Processes, Organization and Relationships
PO5 Manage the IT Investment
PO6 Communicate Management Aims and Direction
PO7 Manage IT Human Resources
PO8 Manage Quality
PO9 Assess and Manage IT Risks
PO10 Manage Projects
COBIT Control Objectives – ACQUIRE AND IMPLEMENT
AI1 Identify Automated Solutions
AI2 Acquire and Maintain Application Software
AI3 Acquire and Maintain Technology Infrastructure
AI4 Enable Operation and Use
AI5 Procure IT Resources
AI6 Manage Changes
AI7 Install and Accredit Solutions and Changes
COBIT Control Objectives – DELIVER AND SUPPORT
DS1 Define and Manage Service Levels
DS2 Manage Third-party Services
DS3 Manage Performance and Capacity
DS4 Ensure Continuous Service
DS5 Ensure Systems Security
DS6 Identify and Allocate Costs
DS7 Educate and Train Users
DS8 Manage Service Desk and Incidents
DS9 Manage the Configuration
DS10 Manage Problems
DS11 Manage Data
DS12 Manage the Physical Environment
DS13 Manage Operations
COBIT Control Objectives – MONITOR AND EVALUATE
ME1 Monitor and Evaluate IT Performance
ME2 Monitor and Evaluate Internal Control
ME3 Ensure Regulatory Compliance
ME4 Provide IT Governance
COBIT Control Objectives – DS5 Ensure Systems Security
DS5.1 Management of IT Security
DS5.2 IT Security Plan
DS5.3 Identity Management
DS5.4 User Account Management
DS5.5 Security Testing, Surveillance and Monitoring
DS5.6 Security Incident Definition
DS5.7 Protection of Security Technology
DS5.8 Cryptographic Key Management
DS5.9 Malicious Software Prevention, Detection and Correction
DS5.10 Network Security
DS5.11 Exchange of Sensitive Data
ISACA Standards, Guidelines & Procedures
IS Guideline: G18 IT Governance
IS Guideline: G20 Reporting
IS Guideline: G21 Enterprise Resource Planning (ERP) Systems
IS Guideline: G22 Business to Consumer (B2C) E-commerce
IS Guideline: G23 System Development Life Cycle (SDLC)
IS Guideline: G24 Internet Banking
IS Guideline: G25 Review of Virtual Private Networks
IS Guideline: G26 Business Process Reengineering (BPR) Project
IS Guideline: G27 Mobile Computing
IS Guideline: G28 Computer Forensics
IS Guideline: G29 Post Implementation Review
IS Guideline: G30 Competence
IS Guideline: G31 Privacy
IS Guideline: G32 Business Continuity Plan (BCP) – IT Perspective
IS Guideline: G33 General Considerations on the Use of Internet
IS Guideline: G34 Responsibility, Authority and Accountability
IS Guideline: G35 Follow-up Activities
IS Guideline: G36 Biometric Controls
IS Guideline: G38 Access Controls
IS Guideline: G39 IT Organization
IS Guideline: G40 Review of Security Management Practices
IS Procedure: P01 IS Risk Assessment Measurement
IS Procedure: P02 Digital Signatures
IS Procedure: P03 Intrusion Detection
IS Procedure: P04 Viruses and Other Malicious Logic
IS Procedure: P05 Control Risk Self-assessment
IS Procedure: P06 Firewalls
IS Procedure: P07 Irregularities and Illegal Acts
IS Procedure: P08 Security – Pen Testing/Vulnerability Analysis
IS Procedure: P09 Management Controls Over Encryption Methodologies
IS Procedure: P10 Business Application Change Control
IS Procedure: P11 Electronic Funds Transfer (EFT)
Company A Process
• Over 50 subsidiaries
• Over 30,000 employees worldwide
• Over 12,000 employees in Boston area
• Over 250 IT Policy categories
• Over 500 Technical directives
• Periodic Advisory Board Review process
Company A Issues
• Who, specifically by name, is responsible for ensuring policies & standards are applied? (designated scapegoat)
• Need to break down policy categories into specific policy elements (1 policy becomes 100 policies)
• A policy begets formal training and training recordkeeping (applications unto themselves)
• "Required," "Recommended," or "Highly Recommended?" (the shell game)
• Need to self-assess at the policy element level (a/k/a your new full-time job)