Oracle Identity Management—Governance, Risk, and Compliance(8)

2019-03-09 21:58

• Critical business applications (CB): By understanding the business impact surrounding a loss of confidentiality, integrity, or availability of information, it is possible to establish the level of criticality of an application. This provides a sound basis for identifying business risks and determining the level of protection required to keep risks within acceptable limits.

• Computer installations (CI): This aspect provides a common standard of good practice for information security that should be applied irrespective of where, or on what scale or type of computer, information is processed.

• Networks (NW): Secure network design is essential to network services. This aspect enforces sound discipline in running networks and managing security. This discipline applies equally to local and wide area networks, and to data and voice communications.

Control Mapping—ISF Standard of Good Practice (SoGP)

The ISF Standard of Good Practice (SoGP) addresses the control requirements of the domains of

• Trusted access
• Change management
• Business continuity and availability
• Operational monitoring
• Audit and risk management

The standard concedes as out of its scope the control areas of

• Records management
• Operational transparency
• Segregation of duties
• Operational controls

GAIT and GAISP

GAIT stands for Guide to the Assessment of IT General Controls Scope Based on Risk. GAIT provides guidance in support of the IT-related internal control objectives of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), including operational and financial reporting. Although not a control framework, GAIT provides information to appropriately identify and link the COSO constructs of internal control assertions, risks, controls, and objectives. These principles define the relationship between IT and business objectives, how IT differs from company to company, and how to make assertions on IT processes; for example, how to reach an educated decision on which controls to include and which to exclude. GAIT also addresses the balance of manual and automated controls, entity-level and process- or activity-level controls, and the percentage of business automation supported or enabled by IT.

Related to GAIT is GAISP, the successor project to the Generally Accepted System Security Principles (GASSP). GAISP is organized in a three-level hierarchy, comprising

• Pervasive principles—Fundamental in nature, and rarely changing (target: governance)

• Broad functional principles—Subordinate to one or more of the pervasive principles; change only when reflecting major developments in technology or other affecting issues (target: operational management)

• Detailed principles—Subordinate to one or more of the broad functional principles; change frequently as technology and other affecting issues evolve (target: the information security practitioner)

Control Mapping—GAIT and GAISP

GAIT and GAISP address the domain control requirements of

• Trusted access
• Records management
• Audit and risk management
• Operational controls

Functionally, the standard concedes as out of its scope the control areas of

• Change management
• Business continuity and availability
• Operational monitoring
• Records management
• Operational transparency
• Segregation of duties

NIST 800 Series

NIST special publication 800-12 provides a broad overview of computer security and control areas. The standard highlights the importance of the security controls and details ways to implement them.

The first section establishes the basic elements of computer security, defines the associated roles and responsibilities, and exposes common threats. The second section on management controls defines the computer security policy and how to implement this in the computer security program management, computer security risk management, security and planning in the computer security life cycle, and the required assurance measures. The third section outlines the operational controls. These include personnel and user issues, how to prepare for disasters, computer security, incident handling, training and education, security considerations in computer support and operations, and physical and environmental security. The fourth section outlines the technical controls, defining identification and authentication controls, logical access controls, the necessary audit trails, and cryptography techniques.

The Management Controls section addresses security topics that can be characterized as managerial. They focus on the management of the computer security program and the management of risk within the organization. The Operational Controls section addresses security controls that are implemented and executed by people. These controls are put in place to improve the security of a particular system (or group of systems). The Technical Controls section addresses security controls that the computer system executes. These controls are dependent on the proper functioning of the system for their effectiveness.

NIST special publication 800-14 describes common security principles. The standard provides a high-level description of what should be incorporated within an information security policy. Eight principles and fourteen practices are described within this document. The eight principles are

1. Computer security supports the mission of the organization.
2. Computer security is an integral element of sound management.
3. Computer security should be cost effective.
4. Systems owners have security responsibilities outside their own organizations.
5. Computer security responsibilities and accountability should be made explicit.
6. Computer security requires a comprehensive and integrated approach.
7. Computer security should be periodically reassessed.
8. Computer security is constrained by societal factors.

NIST special publication 800-26 provides guidance on managing IT security. The standard emphasizes the importance of self-assessments as well as risk assessments.

The NIST self-assessment questionnaire defines specific control objectives and suggested techniques against which the security of a system can be measured. The questionnaire can be based primarily on an examination of relevant documentation and a rigorous examination and test of the controls. Most controls cross the boundaries between the management, operational, and technical categories. Each chapter in the three sections provides a basic explanation of the control; approaches to implementing the control; some cost considerations in selecting, implementing, and using the control; and selected interdependencies that may exist with other controls.

Control Mapping—NIST 800 Series

NIST addresses the domain control requirements of

• Records management
• Operational monitoring
• Records management
• Operational transparency
• Segregation of duties

Functionally, the standard concedes as out of its scope the control areas of

• Trusted access
• Change management
• Business continuity and availability
• Audit and risk management
• Operational controls
• Operational transparency

COSO and Turnbull Guidance

The COSO framework is a document called Internal Control, Internal Framework (COSO, 1994). The acronym COSO comes from the organization that created the document, the Committee of Sponsoring Organizations of the Treadway Commission (http://www.coso.org). In the COSO framework, there are three objectives:

• Operations—The firm wishes to operate effectively and efficiently. It is necessary for the firm to control its general internal operations to do this.

• Financial reporting—The firm must create accurate financial reports.

• Compliance—The firm wishes to be in compliance with external regulations.

Control Environment

The component at the base of the COSO framework is the corporation's control environment. This is the company's overall control culture. It includes the management, the company's commitment to training employees in the importance of control, the punishment of employees (including senior managers) who violate control rules, attention by the board of directors, and other broad matters. If the broad control environment is weak, other control elements are not likely to be effective.

Risk Assessment

A company needs to assess the risks that it faces. Without systematic risk analysis, it is impossible to understand what level of controls to apply to individual assets. Risk assessment must be an ongoing preoccupation for the firm because the risk environment constantly changes.

Control Activities

An organization will spend most of its control effort on control activities that actually implement and maintain controls. This includes approvals and authorization, IT security, the separation of duties, and many other matters. Controls usually have two elements: One is a general policy, which says what must be done. The other is a set of procedures, which explains how to do it.

Monitoring

Having controls in place means nothing if organizations do not monitor and enforce them. Monitoring includes both human vigilance and audit trails in information technology. It is essential to have an independent monitoring function that is free to report on problems even if these problems deal with senior management.

Information and Communication

For the control environment, risk assessment, control activities, and monitoring to work well, the company needs to ensure that it has the required information and communication across all levels of the corporation.

Page 49 of the COSO framework notes the existence of manual controls, computer controls, and management controls. On page 50, it provides the following process:

• Top-level review: Comparing budgets with actual performance, tightly monitoring major initiatives.

• Direct functional or activity management: Managers who run individual operations examine the reports appropriate to their level.

• Information processing: Including the enforcement of manual procedures. Information processing must focus on business processes, not merely on IT processes.

• Physical controls: Taking inventory of cash stores and archival media.

• Performance indicators: Relating different sets of data to each other to check for inconsistencies, noting deviations from normal performance (in either direction), unusual trends, and so forth.

• Segregation of duties: Requiring sensitive processes to be completed by two or more people so that no single person can engage in improper activities without this becoming apparent.

