Web AuditNet

Dan's Internal Audit Corner

Creating a Computer Security Incident Response Team

By Dan Swanson

Each month Dan Swanson, a senior security and internal audit professional, will provide his list of recommended resources for AuditNet readers. If you have questions about this page or the links, you can reach Dan at www.securitybenchmark.com and dswanson_2005@yahoo.com.

For more IT and Information Security resources, check out the latest Taylor and Francis publications.

The Key Resource:

Creating a Computer Security Incident Response Team: A Process for Getting Started

Safeguarding assets has been an important objective of all organizations for centuries. Protecting an organization’s assets has evolved from mainly physical and personnel safeguards to a combination of physical, personnel, procedural, and software-based asset management that must be clearly and completely stated in the organization’s policies, standards and guidance, and backed by monitoring of asset values. With a high percentage of market value now accounted for by intangible assets such as intellectual property, reputation, brand, and electronic records, information continues to be, ever more so, a vital business resource.

Who is Responsible for Information Asset Protection?

While chief information security officers (CISOs) and chief financial officers (CFOs) are important players regarding information asset protection and security, they are not the true “guardians” of the organization's critical information assets. For example, in hospitals, CFOs are not responsible for safeguarding patient records; at insurance companies, they are not the guardians of policyholder records. In the pharmaceutical or technology sectors, the company’s crown jewels (its intellectual property and talent) are not the direct responsibility of the CFO or the CISO. Managers are directly responsible for day-to-day asset protection.

The bottom line: Top management must implement an information security management program that truly safeguards all assets of the organization, one that is based on compliance and recognized standards and is comparable to the practices of other well-run organizations. Making managers responsible for protecting the information entrusted to them is the important first step.

Organizations that have not done so already should immediately:

  • Discuss information security with the board and senior management, ensuring their understanding of the key risks and gaining their support for the necessary controls;

  • Link security investments and resourcing to core business priorities and risk assessment results and due diligence efforts;

  • Leverage existing security standards, guidance, and practices, complete and update the security policies and internal standards and guidance, and define the organization’s information security management system;

  • Explicitly assign responsibility and accountability for protecting information assets across the organization;

  • Revisit IT and related strategies to align business and IT efforts, and ensure that overarching information security requirements are explicitly defined;

  • Inventory and classify the organization’s key information: identify it, assign a business guardian to it, and determine how best to protect it based on security assessment results;

  • Strengthen the business continuity program;

  • Configure security into both business processes and the supporting IT systems to strengthen technical and procedural security practices;

  • Include “Asset Protection in the Digital Age” as one of the discussion items in quarterly business performance review meetings and quarterly reports to shareholders, and develop action plans for improvement as needed.

We must build security into and across all organizational efforts. The CISO and CFO each have a mandate to work with the other key corporate players—and especially with the business guardians of information assets—to ensure effective asset protection. This is definitely a responsibility shared by various stakeholders throughout the organization. The question is, do they work together to ensure effective asset protection? Or do they work on this critical responsibility in isolated silos, allowing things to fall between the cracks? Are we also addressing information protection in all the outsourced activities and international business that are so prevalent today?

Leaders also need to ensure that all vendors, suppliers, and other third parties responsible for protecting information used in outsourced activities are included in the mix of information asset protection and security actions.

Things Do Happen!

At the end of the day, things do happen, so you must ensure you have a solid incident response capability! For further guidance, check out the key resource cited at the very beginning of this column.

For more guidance on protecting your organization’s information assets, check out the many resources cited below.

Have another great month.

Enjoy.

Dan Swanson

a) Board Guidance for Information Security

Information Security Oversight: A 2007 Survey Report

Given the tenuousness and fragility of information—and the critical dependency on it for core business operations—information security deserves close and continual board attention. Updated for today’s ever-evolving information environment, this report presents 2007 survey findings, highlights several timeless recommendations from NACD’s landmark 2001 report, and provides a few additional recommendations for security-savvy boards as they look ahead to the next decade.

b) Recommended Readings

UK's families put on fraud alert

Governing for Enterprise Security Implementation Guide
This guidance is designed to help business leaders implement an effective program to govern information technology (IT) and information security.

Build Security In (BSI)

As part of the Software Assurance program, Build Security In (BSI) is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative.

Information Centric Approach to Defense-in-Depth

ISO/IEC 27000-series information security management system standards

ISO/IEC 27001 and 27002 are international standards offering good practice advice for information security management systems, from their design through implementation to compliance auditing.

Ask the Auditor: Who is Responsible for Information Security?

The Auditor Responds: In short, the board of directors, management (of both staff and business lines), and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done—and that the company’s key assets are protected appropriately.

IT Compliance Institute (ITCi) – “IT Audit Checklist for Information Security”: This paper supports an internal audit of the organization’s information security program with guidance on improving information security programs and processes, as well as information on assessing the robustness of your organization’s security efforts.

Avoiding IS Icebergs

This article explores the audit's assurance role regarding information security and outlines approaches and methodologies.

c) Information Security Management/Board Oversight

Information Security Management and Assurance: A Call to Action for Corporate Governance (PDF, 754KB)

Information Security Governance: What Directors Need to Know (PDF, 753KB)
