IS345 Information Security
Module 5 | Cyber Regulations and Standards
Agenda
● Cyber Regulations and Standards
Outcomes
● Develop policies and procedures needed to respond
and remediate cyber attacks on an organization’s core
systems and describe a plan to restore functionality to
the infrastructure.
● Implement systems, apply tools and use concepts to
minimize risk to an organization’s cyberspace to
address cybersecurity threats.
Objectives
● Become familiar with the U.S. HIPAA, PCI, Sarbanes-Oxley and
other U.S.-specific laws and regulations
● Define and discuss IT security policies
● Define attributes of an effective and an ineffective IT security
policy
● Review legal and regulatory requirements relative to your
country
● Identify two laws (for your country) that protect data and privacy
● Examine data, electronic and privacy protection laws in other
countries
● Discuss Legal and Regulatory requirements affecting
Information Security.
Standards
● Standards are mandatory requirements or codes of
practice approved by a recognized external
standards organization.
● ISO, ISACA, IAPP, NIST, PCI
● Cybersecurity has many different standards
ISO 27000 series
The International Standards Organization publishes many
standards; the 27000 series specifically focuses
on cybersecurity.
ISO 27000 series Examples
27000:2016
This standard describes how an information security management
system (ISMS) should work
27001:2013
This standard describes the main information security techniques
27002:2013
This standard provides detailed descriptions of the controls
27002:2017
This standard provides guidance on planning and information security
management system
27004:2009
This standard covers the types of metrics and measurements
27005:2011
This is the main standard used when conducting an information risk
management program
27010:2015
This standard was developed with the express intention of exchanging
information securely between organizations.
Payment Card Industry Data Security Standard
(PCI DSS)
The Payment Card Industry Data Security Standard
(PCI DSS) was developed to encourage and
enhance cardholder data security and facilitate the
broad adoption of consistent data security
measures globally.
Payment Card Industry Data Security Standard
(PCI DSS)
● PCI DSS provides a baseline of technical and
operational requirements designed to protect account
data.
● PCI DSS applies to all entities involved in payment card
processing—including merchants, processors,
acquirers, issuers, and service providers.
PCI DSS
PCI DSS Example
Free writing exercise - 30 minutes
● Review the PCI Standards
● Discuss which PCI Standard you feel
is the most important and why
National Institute of Standards and Technology
● NIST is a U.S. government research and standards
agency.
● The organization focuses on many types of
engineering research including cyber security
● Special Publication Series
● National Vulnerability Database https://nvd.nist.gov/
National Institute of Standards and Technology
● https://csrc.nist.gov/publications/sp
○ NIST SP 800-83 – Guide to Malware Incident
Prevention and Handling
○ NIST SP 800-100 – Information Security Handbook:
A Guide for Managers
○ NIST SP 800-153 – Guidelines for Securing
Wireless Local Area Networks (WLANs)
Cyber Security Laws
● European Union
○ Network and Information Security (NIS) Directive
■ Member states are required to adopt a national
strategy that sets out concrete policy and
regulatory measures to maintain a level of
network and information security.
Cyber Security Laws
● European Union
○ Network and Information Security (NIS) Directive
■ The competent authorities in EU member states
and the European Commission will form a
cooperation network to coordinate against risks
and incidents affecting network and information
systems.
Cyber Security Laws
● European Union
○ Network and Information Security (NIS) Directive
■ EU member states must ensure that public
bodies and certain market operators take
appropriate technical and organizational
measures to manage the security risks of
networks and information systems.
Cyber Security Laws
● European Union
○ Network and Information Security (NIS) Directive
■ Public bodies and selected private sector
companies must also notify the competent
authority of incidents that have a significant
impact on the continuity of these services
Cyber Security Laws
● European Union
○ General Data Protection Regulation (GDPR)
■ Extends Privacy rights of individuals and how
their data is managed and moved
Cyber Security Laws
● The United States has no comprehensive cyber security
law, but some areas are covered by other laws.
○ HIPAA
○ Sarbanes-Oxley Act
○ COPPA
Free writing exercise - 30 minutes
● Review one HIPAA, SOX, or any other
law
● Discuss which aspects pertain to
information security
Information Security Lifecycle Assignment
● Students will review and discuss the IT security life cycle as it relates to a
particular program or system.
● Students will explain the steps taken at each point in the lifecycle to respond
to IT security vulnerabilities and risks.
● 4-6 pages excluding the title page, table of contents and references.
● APA formatting is required
References
Payment Card Industry. (2018). PCI Data Security Standards v3.2.1.
Retrieved from https://www.pcisecuritystandards.org/document_library
Sutton, D. (2017). Cyber security: a practitioner’s guide. Swindon, UK:
BCS Learning & Development.
IS 464 – Policy and Audits
Week 5 – Audit Role in Information Technology
Slide 1
IT auditing, while often not popular, is necessary given:
● The importance of IT systems and services to the business, including the
need to meet regulations and laws
● The complexity of a company’s cyber-ecosystem (multiple different
vendors, different devices, different software)
● The public’s and the business’s NEED to rely on data integrity
Senft & Gallegos, Chapter 3
Corporate ‘cooking’ of the books has been around a long time and
also happens on electronic systems. In the past we failed to recognize that
electronic systems could also be modified to represent false data
(especially financial data).
A number of examples of electronic system manipulation have occurred
(Enron, EFCA, and others), which led to various acts (SOX, FCPA, and
others).
Section 404 of SOX is relevant to IT (it discusses IT expectations).
SOX insists on separation of financial advisors from auditors, and
auditors can only audit the same client for five years in a row.
In electronic systems, software can be used to audit some aspects.
Slide 2
Professional organizations (AICPA, ISACA, IIA, AGA) help guide audit
expectations.
There are generally accepted auditing standards (GAAS) and generally accepted
accounting procedures (GAAP) that must be followed.
GAAS includes:
● General standards regarding competence, independence and due diligence
● Fieldwork standards for planning and for examination of the evidence on which
findings will be based
● Reporting standards, which include appropriate disclosure, specifics on accepted
auditing standards, and a clear summary of the audit
Senft & Gallegos, Chapter 3
The first audit control for electronic systems (SAS 3) was issued in 1974,
followed by SAS 48 and now SAS 136; its considerations include:
● How complex the systems and services are
● IT involvement in the business
● Data availability
● How much electronic systems are used in accounting efforts
● Whether computer-assisted audit techniques (CAATs) are available to assist the audit
● The need for IT knowledge (to audit)
● Other considerations as noted
NOTE: The auditor is responsible for looking for errors or irregularities, but
does not insure or guarantee the systems.
Slide 3
The National Institute of Standards and Technology (NIST) issues
standards for electronic systems. One such is the Federal Information
Processing Standards (FIPS), which apply to companies doing business
with the U.S. federal government (NIST 800-53 & NIST 800-171).
There are a number of control frameworks, such as Control Objectives
for Information and Related Technology (COBIT), that IT organizations can
use for compliance guidance.
Senft & Gallegos, Chapter 3
Financial auditing goes back to 1933 & 1934, when it was instituted by the SEC for
publicly traded companies. Audits must be done by CPAs.
IT auditing and governance is needed because:
● Issues were found with electronic systems in the past → decreased trust
● Controls could be circumvented
● Financial institutions suffered losses due to software changes
● Data security was being compromised
● Mobile hardware is used to access data from anywhere
● Increasing amounts of data (needing more audit automation)
● Ever increasing numbers of attackers
Slide 4
IT auditing requires many skills, from standard auditing skills
through to specific IT skills such as:
● IT security knowledge (including how to perform security tests)
● Telecommunications
● Knowledge of different vendor database types
● How to assess a disaster recovery plan
● IT system and services change control
Senft & Gallegos, Chapter 3
All formal auditors are professionals with designations (and must
adhere to specific requirements, have high ethical standards, and
be able to act independently to ensure objectivity).
All of the above increases trust in their findings.
Training in IT auditing can be on the job and through in-company
programs, through professional organization seminars, and in
universities (usually primarily on the job).
Auditors must do continuous training (as with other professions).
Slide 5
IT auditors need IT knowledge and experience as well as auditing
experience.
● There are 11 skill areas suggested for IT auditors
● 8 technical areas are suggested for any program beyond a bachelor’s
degree
● Communication and negotiation skills are needed
● Ability to learn from errors as experience grows
Senft & Gallegos, Chapter 3
IT auditors will audit, may counsel businesses on standards and
controls, are likely to partner with senior management, and may act as
investigators (including computer forensics).
Forensics has become increasingly important with escalating attacks, to
capture proof of malfeasance for prosecution of attackers.
Currently one can expect there to be internal auditor(s) to assist companies
with evaluation of IT systems and services.
As well, companies must have external auditors perform audits to confirm internal
auditor findings (at arm’s length, i.e. objective).
The many stories of corporate financial malfeasance have led to multiple
laws which are enforced → there is a need to confirm that electronic systems and
services comply with regulations and laws.
Slide 6
Key #5: Ensuring Compliance Through Auditing and Monitoring
Auditing differs from monitoring in that monitoring is ongoing and
proactive, while auditing is retrospective and often uses sampling.
Both auditing and monitoring help:
● Catch issues before they become known to regulators, shareholders
or others
● Catch issues before they become so severe as to impact the business
● Increase trust in IT systems and services (by measuring compliance with
policies and procedures)
● Find security issues (including breaches) earlier, or even stop them
(see the latest Verizon Data Breach Investigations Report)
Auditing and monitoring may be required by law (such as HIPAA,
NASD Conduct Rule 3010, and IRS Revenue Procedure 97-22).
Kahn & Blair, Chapter 16
Slide 7
Audits can be expected to include:
● Interviews of personnel (to confirm compliance with policies and
procedures)
● Review of written documentation, from policies and procedures to
records of system and services status
● Review of equipment configuration
● Possibly a review of the physical equipment in place, for security and
how it is running
Kahn & Blair, Chapter 16
Audit guidance is available from multiple sources.
Companies are expected to perform audits using internal
resources AND on a regular basis have an external source perform
an audit (for confirmation).
Some laws and/or regulations require regular external audits of IMC
systems and services (such as GDPR for the EU, and Sarbanes-Oxley).
Slide 8
Software Licensing
● Do not use any software without it being licensed – companies are
increasingly pursuing those that do – perform license audits regularly
● A software licensing policy from executive management is needed
● Monitor software to ensure it is not pirated or installed too many times
Do monitor employee activity
● We can monitor when, where and what employees do
● There are HR considerations; however, if the policy is clear and well
communicated there are very few issues
● Monitoring employee activity often discovers intruders
Kahn & Blair, Chapter 16
Slide 9
IT auditors are professionals focusing on IT system and services
compliance.
They can be employed within a company or may be hired from another
IT-experienced company.
Both IT system auditing and computer forensics are part of IT
auditing.
Take Aways for Week 5
● Multiple episodes of corporations ‘cooking the books’ have led to
multiple laws governing corporate financial reporting, which
involves corporate electronic systems
● Monitoring and auditing are necessary and can be automated
● Require ‘at arm’s length’ or external auditing on a regular basis for
more sensitive systems and services, or due to legal requirements
● Be sure to audit software licenses
● Some employee monitoring is advisable
Slide 10