Is this the 80/20 of Security?

For the past 10 years or so, I have been teaching what has been considered the IT prep course for the major exam students right in Canada to get their CA designation. Now with the merger of the accounting designations in Canada, the revised CPA Competency has altered the focus on IT and reduced it. However, the upside of this, is now the course I teach can be more about what's useful from a practical perspective. In the past I taught security as a list of controls:

• Security Architecture/Boundary
• Policies and Standards
• Asset Classification & Management
• Risk Assessment
• Personnel Qualification & Trustworthiness 
• Responsibility & Accountability
• Security Awareness
• User Access Management
• Physical Access Controls 
• Network Access and Communication Control 
• Logical Access Controls 
• Intrusion Detection & Response
• Eliciting Compliance
• Monitoring & Learning

But I thought how do you think about security conceptually? So I thought about using the SysTrust definition of a system as the way to group the key InfoSec controls. Here's what I came up with:

What do you think? 

Below are some notes from the deck that elaborates on the above.

Risk Assessment

• Key components of risk analysis? Risk = Impact X Likelihood

Governance

• Governance, responsibilities & accountabilities 
• Develop security function 
• “tone at the top”: CEO has ultimate responsibility
• CISO versus no CISO: 
• Would you trust a bank without a CISO? How about a hotel?
• Board & Management
• Security integral part of IT governance
• Funding security function
• Average 6 to 7% of the IT Budget
• Manage security risk that emanates from relationships with third parties
• Policies & standards
• Policies and standards:
• Serious about security: take steps needed
• Consult ISO 27001/2, etc. 
• Have a methodology, define risk appetite, etc.
• Manufacturing versus cloud computing provider 
• Other
• Define security roles
• Define security responsibilities for everybody
• Role for internal audit 

People

• Background Checks
• Human resource procedures to verify background work history of new hires.
• Check qualifications
•  Employees first line and last line of defense
• E.g. Insider threat
• Incentives: fire bottom 20% = problem?
• Acceptable Use Policy
•  Acceptable Use Policy
•  Provides limits as to how computing facilities can be used, e.g. LAN, laptops, PDAs, etc
•  Level personal of use
• Controls: 
•  Awareness/Orientation training/Sign statement
•  Block sites (hotmail, gmail, facebook, etc)
•  Monitor usage 
• Security Awareness & Training
• New employee training
• Need to communicate policies and standards to employees, customers (e.g. online banking), suppliers, service providers (e.g. SLA), etc
• Marketing Security: Remind employees regularly 
• Provide easy access to policies
• Policies need to be properly worded (should vs must)
• Workshops/Tutorials on security: e.g. encrypting USB
• Awareness posters, screensavers
• Automate security
• Termination
• Terminate all access upon on letting an employee go
• Must make part of HR processes

Data

• Asset Classification
• Data Classification
•  Sensitivity: impact of  unauthorized disclosure; privacy, confidentiality
• Public, internal, confidential, highly confidential
• Inventory & Asset Management (Data > Devices)
• Devices and information held; incl. outsourced entities
• Classification drives who can access and modify the information
•  Cost-benefit analysis: encrypt what needs to be encrypted
• Monitor access to sensitive systems, files, databases,   
• Encryption
• Used to prevent data alteration, unauthorized viewing, verify authenticity
• Depend on mathematical algorithms to transform data, 
• "Key" is the  data that is that is used to make an encryption or decryption unique 
• Rely on mathematical algorithms
• private key system - receiver must know what key is used to encipher message. Such keys must be protected
• public key system - use 2 keys
• encipher  is made public
• different key used to decipher
• Encryption Standards
• Algorithm + Key
• DES, AES:  Private Key (symmetric) Algorithms
• RSA:  Public Key Algorithm
• PGP:  Open source equivalent of RSA
• 128, 256 bit technology (length of key - longer keys are harder to break with brute force methods)
• In a good approach, the security should be in knowledge of the key, not the encryption algorithm
• Wireless: WEP is no good, use WPA, e.g. TJX
• Data Retention and Disposal Policy
• Data should be retained based on reg/stat/oper
• If retain longer than required could be breached
• Data should be destroyed after its no longer needed
•  Secure overwriting, degaussing, (not formatting!)
•  Physical destruction (e.g. incineration, shred, etc)
•  Integrate into asset disposal/sale process

Infrastructure

• Network: Firewall 
• Firewall
• “Filters” traffic from inside to outside & outside to in
• Permits traffic based configuration
• Protected against tampering
• Packet filter
• Intrusion Detection/Prevention
• Intrusion Detection System (IDS)
• Firewall: Permit/Blocks, IDS Analyzes activity
• Analyzes user activity: threat score
• Sends alerts to security admin: problem with false positives - may dismiss actual threat 
• IPS can log off users
• IDS: Can it detect encrypted attacks?
• Link to SDLC?
• Physical access controls
• Safeguard against physical abuse, damage and destruction.
• Isolation and restriction - use locks, effective key management, video, sensing devices
• Tailgating: Man-trap, awareness
• Locations of Systems: away from fire water sources (e.g. kitchen)
• Hardening
• Physical Access Control Considerations
• Cost
• Number of Type I (False negative) and Type II (False positive)
• Average response time
• Ability to manage multiple users
• Satisfy ergonomic issues (E.g. retinal scan is quite invasive)
• Virtual Private Network (VPN)
• Virtual Private Network
•  Encrypted/authenticated access to the network,
• Modem lines create problems
• Callback modems: modem will call back a pre-specified number

Software

• Access management
• What are the trade offs?
• Access management
• Privilege management
• Log and review this type of access
• Enables Segregation of duties
• Separate user and information system roles, separate within information system group
• Development and data entry
• Separate within user role as to incompatible functions
• initiation and authorization of transactions, recording of transactions, custody of assets, and reconciliation  
• Logical Access Controls
• User ID:
• Linked to name, mdatardina@deloitte.ca 
• Based on job: Accountspayable@xyz.com
• No association: User12@xyz.com  Problem?
• Logical Access Controls
• Authentication - user is who says he/she is
• Passwords: 
• Random vs user generated
• Rule based: What are the rules?
• Phrases: Cat jumped over the lazy dog in Sarnia Cjotldis1
• Plastic magnetic-strip cards 
• Example?
• Smart cards 
• Example?
• Biometric devices - fingerprints, hand geometry, eye retina patterns; consider Type I/Type II
• Access control software- allows controlled access - locks out illegitimate users, e.g. Active Directory for Windows
• Increased use of single-sign-on: authenticate once across multiple platforms
• Pro: ease-of-access
• Con: break one password, can break into multiple systems
• Could also use profile management 
• Allocate standard access privileges to users based on their group, rather than individual basis, e.g. AP clerk can access AP, network, office suite, etc
• Reduces admin costs and allows easier access and rule setting
• Anti-Virus Controls  
• Anti-virus software
• Installed and configured properly
• Update regularly 
• Won’t help against zero day
• Ensure automated scans are scheduled.
• Scan network
• Scan desktop
• Run at sign-on

Author: Malik Datardina, CPA, CA, CISA. Malik works at Auvenir as a GRC Strategist that is working to transform the engagement experience for accounting firms and their clients. The opinions expressed here do not necessarily represent UWCISA, UW, Auvenir (or its affiliates), CPA Canada or anyone else.