THE ART OF DIS-CONNECTING, SOCIAL NETWORKING RISK MANAGEMENT ISACA Perth Chapter 13 October 2011

Size: px

Start display at page:

Download "THE ART OF DIS-CONNECTING, SOCIAL NETWORKING RISK MANAGEMENT ISACA Perth Chapter 13 October 2011"

Martha Caldwell
5 years ago
Views:

1 THE ART OF DIS-CONNECTING, SOCIAL NETWORKING RISK MANAGEMENT ISACA Perth Chapter 13 October 2011 Australian Crime Commission 1 THE ART OF DIS-CONNECTING SOCIAL NETWORKING RISK MANAGEMENT ISACA Perth Chapter 13 October

2 ENISA Ad-hoc Working Group on Risk Assessment and Risk Management When I use a word, Humpty Dumpty said, in rather a scornful tone, it means just what I choose it to mean neither more nor less. Lewis Carroll's Through the Looking-Glass (1872) 2

Social Media Social media is defined as using Internet-based applications or broadcast capabilities to disseminate and/or collaborate on information.

3 Social Media Social media is defined as using Internet-based applications or broadcast capabilities to disseminate and/or collaborate on information. This is different than traditional advertising and marketing channels due to the populist nature of social media, in which anyone with an Internet-attached device can, with near anonymity and without accountability, participate in public or private information or disinformation sharing, depending on access privileges to a social media web site. Current social media tools include: Blogs (e.g., WordPress, Drupal, TypePad ) Microblogs (e.g., Twitter, Tumblr) Instant messaging (e.g,, AOL Instant Messenger [AIM ], Microsoft Windows Live Messenger) Online communication systems (e.g., Skype ) Image and video sharing sites (e.g., Flickr, YouTube) Social networking sites (e.g., Facebook, MySpace) Professional networking sites (e.g., LinkedIn, Plaxo) Online communities that may be sponsored by the company itself (Similac.com, Open by American Express) Online collaboration sites (e.g., Huddle) The common link is that all of the tools are implemented and managed by individuals. These technologies can also be hacked, hijacked and leveraged by unscrupulous individuals. ISACA: Social Media Audit/Assurance Program 3

10 HB 158-2010 Delivering assurance based on ISO 31000:2009 - Risk management - Principles and guidelines Figure 2 Maturity Model for Internal Control Maturity Level Status of the Internal Control

Control is not part of the There is no intent to assess the need for internal control. Incidents are dealt organization s culture or mission.

4 10 HB Delivering assurance based on ISO 31000: Risk management - Principles and guidelines Figure 2 Maturity Model for Internal Control Maturity Level Status of the Internal Control Environment Establishment of Internal Controls 0 Non-existent There is no recognition of the need for internal control. Control is not part of the There is no intent to assess the need for internal control. Incidents are dealt organization s culture or mission. There is a high risk of control deficiencies and with as they arise. incidents. 1 Initial/ad hoc There is some recognition of the need for internal control. The approach to risk and There is no awareness of the need for assessment of what is needed in terms control requirements is ad hoc and disorganized, without communication or of IT controls. When performed, it is only on an ad hoc basis, at a high level monitoring. Deficiencies are not identified. Employees are not aware of their and in reaction to significant incidents. Assessment addresses only the actual responsibilities. incident. 2 Repeatable but Intuitive Controls are in place but are not documented. Their operation is dependent on the Assessment of control needs occurs only when needed for selected IT knowledge and motivation of individuals. Effectiveness is not adequately evaluated. processes to determine the current level of control maturity, the target level Many control weaknesses exist and are not adequately addressed; the impact can that should be reached and the gaps that exist. An informal workshop be severe. Management actions to resolve control issues are not prioritized or approach, involving IT managers and the team involved in the process, is used consistent. Employees may not be aware of their responsibilities. to define an adequate approach to controls for the process and to motivate an agreed-upon action plan. 3 Defined Controls are in place and adequately documented. Operating effectiveness is Critical IT processes are identified based on value and risk drivers. A detailed evaluated on a periodic basis and there is an average number of issues. However, analysis is performed to identify control requirements and the root cause of the evaluation process is not documented. While management is able to deal gaps and to develop improvement opportunities. In addition to facilitated predictably with most control issues, some control weaknesses persist and impacts workshops, tools are used and interviews are performed to support the could still be severe. Employees are aware of their responsibilities for control. analysis and ensure that an IT process owner owns and drives the assessment and improvement process. 4 Managed and There is an effective internal control and risk management environment. A formal, IT process criticality is regularly defined with full support and agreement from Measurable documented evaluation of controls occurs frequently. Many controls are automated the relevant business process owners. Assessment of control requirements is and regularly reviewed. Management is likely to detect most control issues, but not based on policy and the actual maturity of these processes, following a all issues are routinely identified. There is consistent follow-up to address identified thorough and measured analysis involving key stakeholders. Accountability control weaknesses. A limited, tactical use of technology is applied to automate for these assessments is clear and enforced. Improvement strategies are controls. supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally. 5 Optimized An enterprise-wide risk and control program provides continuous and Business changes consider the criticality of IT processes and cover any need effective control and risk issues resolution. Internal control and risk to reassess process control capability. IT process owners regularly perform management are integrated with enterprise practices, supported with self-assessments to confirm that controls are at the right level of maturity to automated real-time monitoring with full accountability for control monitoring, meet business needs and they consider maturity attributes to find ways to risk management and compliance enforcement. Control evaluation is make controls more efficient and effective. continuous, based on self-assessments and gap and root cause analyses. The organization benchmarks to external best practices Employees are proactively involved in control improvements. and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned. ISACA: IT Assurance Guide Using COBIT, Appendix VII Maturity Model for Internal Control (figure 2) 4

Agencies MUST adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO

2 (January 2011), Protective Security Policy Branch, Attorney General s Department Security risk management is really a special application that should fit within an organisation s established risk

5 Agencies MUST adopt a risk management approach to cover all areas of protective security activity across their organisation, in accordance with the Australian Standard for Risk Management AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management. Australian Government Protective Security Policy Framework V1.2 (January 2011), Protective Security Policy Branch, Attorney General s Department Security risk management is really a special application that should fit within an organisation s established risk management framework. It introduces a new element, the concept of someone deliberately introducing an exposure to potential harm and seeking actively to bypass controls in place. However, the similarities between organisational and security risk management far outweigh any differences. HB 167:2006 Security risk management 15 ACC

6 Threat intent = the optimism a threat agent has about successfully attacking a target Threat capability = the force a threat agent can bring to bear on a target Australian Government Protective Security Manual 6

7 7

8 Category Objective Control Mobile computing and teleworking To ensure information security when using mobile computing and teleworking facilities. A formal policy shall be in place, and appropriate security measures shall be adopted to protect against the risks of using mobile computing and communication facilities. A policy, operational plans and procedures shall be developed and implemented for teleworking activities. Security requirements of information systems To ensure that security is an integral part of information systems. Statements of business requirements for new information systems, or enhancements to existing information systems shall specify the requirements for security controls. LOCATION/USAGE HOME/HOME WORK/HOME HOME/WORK WORK/WORK ENISA: Online as soon as it happens 8

9 ENISA: Online as soon as it happens Category Objective Control Management of information security incidents and security incidents. improvements To ensure a consistent and effective approach is applied to the management of information security monitored. incidents. Compliance with legal requirements Identification of applicable legislation Management responsibilities and procedures shall be established to ensure a quick, effective, and orderly response to information There shall be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence shall be collected, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). All relevant statutory, regulatory and contractual requirements and the organization s approach to meet these requirements shall be explicitly defined, documented, and kept up to date for each information system and the organization. ENISA - Online as soon as it happens 9

10 ENISA - Online as soon as it happens ENISA - Online as soon as it happens ENISA - Online as soon as it happens 10

11 ENISA - Online as soon as it happens ENISA - Online as soon as it happens 11

based on the US Government s Federal Enterprise Architecture Framework

12 The Australian Government Performance Reference Mode (PRM) is a part of the Australian Government Architecture Reference Models which itself is based on the US Government s Federal Enterprise Architecture Framework See also: 12

13 HB Governance, risk management and control assurance 13

December 2015 THE STATUS OF GOVERNMENT S GENERAL COMPUTING CONTROLS:

December 2015 THE STATUS OF GOVERNMENT S GENERAL COMPUTING CONTROLS: 2014 www.bcauditor.com CONTENTS Auditor General s Comments 3 623 Fort Street Victoria, British Columbia Canada V8W 1G1 P: 250.419.6100