Security Organization / Infrastructure

Priyank Singh
Nov 21, 2014


The size of security team depends on

• Size of the enterprise
• Systems environment (distributed versus centralized)
• Number of components in the operating environment
• Organizational and management structure of the enterprise
• Number and locations of operational sites (i.e., national versus international)
• How the sites are interconnected
• Assessed risk
• IT Strategic Plan
• IT budget


Key challenges

• Migration of the security function from a centralized, mainframe-based function to an effective governing body in the distributed systems environment.

• Understanding the different security requirements for all of the technology implementations within the enterprise.

• Obtaining adequately budgeted resources.

• Overutilization of employees.


Who are the key players of the security organization?

• The Chief Information Officer (CIO), the Chief Financial Officer (CFO), the Security Officer, security coordinators or liaisons, application coordinators, Human Resources, Legal Counsel, help desk, department management, and all system and information users.


The Executive Committee for Security

• Responsible for ensuring that the objective of a secure operating environment, through the establishment of an ISA, is clearly defined in the enterprise strategic plans.

• Include the CEO, the CFO, the COO, the CIO, the Security Officer, department or business unit directors, advisors to executive management, and/or members of the Board of Directors


The Chief Information Officer

• IT policy and aligning IT strategy with business strategies

• Business technology planning process, including the sponsorship of collaborative planning processes

• New and existing applications development for enterprise initiatives and overall coordination for business unit or divisional initiatives


• IT infrastructure and architecture (e.g., computers and networks) operations and investment decisions

• Sourcing and purchase decisions, which include make versus buy decisions relative to outsourcing, versus in-house provisioning of IT services and skills

• Establishing partnerships, including strategic relationships with key IT suppliers and consultants

• Technology transfer by providing enabling technologies that make it easier for customers and suppliers to do business with the enterprise as well as increase revenue and profitability


• Customer satisfaction with internal and external clients to ensure continuous customer satisfaction

• Implementation of security initiatives related to all IT components to protect the infrastructure and reduce risk to a manageable and acceptable level

• Providing training for all IT users to ensure productive use of existing and new systems


The Chief Financial Officer

• Determining and maintaining the adequacy of internal controls to ensure that enterprise assets are safeguarded and liabilities are appropriately minimized

• Ensuring the adequacy of accounting systems and procedures to enable the accurate reporting of the company’s financial position and operating results, and the proper recording of corporate transactions

• Directing the preparation of internal monthly, quarterly, and annual financial and operating results


• Ensuring the accurate and timely preparation of external SEC and shareholder reports, as well as those required by other institutions

• Overseeing the development of financial information systems enterprise wide to promote the timely and accurate assimilation, consolidation, and reporting of financial results and position

• Supporting the ongoing IS projects and improving the strategic capabilities of the Controller’s function to balance its existing tactical strength


The Security Officer

• Communicate with executive management on the risks and controls related to the business and operational systems environment

• Ensure that appropriate user access and authentication controls are in place

• Ensure that the documented security policies, standards, and procedures are reviewed, updated, and maintained periodically by appropriate individuals

• Evaluate security exposures, misuse, or noncompliance situations, and ensure implementation of security controls to address those incidences

• Ensure that all business unit/department Security Coordinators understand and execute their security responsibilities in accordance with related policies, standards, and procedures


• Organize and conduct periodic Security Team meetings

• Research security Web sites, CERT advisories, publications, vendor correspondence on application patches, updates, and version releases, and the media for recent exposures and their fixes in operating systems and networks

• Develop and implement the Security Awareness Program with assistance from Security Team members

• Develop and implement the Review and Compliance Program with assistance from Security Team members


Security Officer Placement (Typical)

Security Officer Placement (Mature Security Life Cycle)

• Applies when the ISA in the enterprise has become mature through several cycles of assessment, mitigation, audit, and effective compliance


The Security Team

• Represent particular security and business continuation issues and concerns within each enterprise location

• Identify risks within each member’s area of concentration and ensure that appropriate controls are implemented to address these risks

• Develop, review, and recommend all security policies, standards, and procedures that will be implemented across sites

• Develop and implement an Information Security Awareness Program for all information technology administrators, development personnel, users, and their management, and administer the implementation of this program within their area

• Create and maintain the security architecture as well as champion the implementation process


Security Coordinators or Liaisons

• The coordinator’s primary responsibility is to ensure that appropriate user access within the scope of their business function is maintained.

• Ensuring that application access forms are initiated for existing and new users within the respective departmental area

• Ensuring that access is modified or deleted when employees and non-employees (i.e., consultants, contractors, business partners) operating within their business function or site are transferred or terminated


• Conducting user security awareness training within their departmental function

• Ensuring that the enterprise Confidentiality Agreement and exit interview forms are signed by all users operating within their department or area of responsibility

• Actively participating as a member of the Security Team

• Coordinating with the Security Officer on all security-related matters


Departmental Management

• Departmental management is responsible for establishing the overall security strategy for department information.

• Classification of information owned by the department.

• Classifications will indicate the level of sensitivity and availability required for the information.


Network and Application Administrators

• Network and application administrators are technically responsible for the operation of the network or application.

• Performing risk assessments and identifying vulnerabilities in that network or application

• These administrators are responsible for assisting the departmental manager in implementing and managing information technology policies, procedures, standards, and departmental guidelines for a particular component of the operating environment.


• The difference between the security coordinator (liaison) and the network administrator is that the security coordinator works within the business unit and is aware of the appropriate access policies for each employee within that department or business unit.

• The network and application administrators actually implement the access control policies for each individual but may have no way of knowing whether a given access is appropriate.


Human Resources

• Human Resources and departmental management are responsible for providing timely information to the enterprise LAN managers and application administrators about employee termination or transfers so that appropriate steps can be taken to revoke or change access to systems and information.

• New hires will be given the opportunity to read the Security Policy and Confidentiality Agreement and sign an acknowledgment form.
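The coordinator, administrator, and Human Resources duties above (access modified or deleted on transfer or termination, timely HR notification, periodic review) only hold if someone reconciles what HR says against what the systems actually grant. The following is an added example, not code from the original slides: a joiner/mover/leaver reconciliation that compares a constructed HR roster with a constructed application account export and flags enabled accounts belonging to terminated or transferred staff, accounts with no HR owner, and accounts whose last coordinator review is overdue. The record layouts, field names, the 90-day review period, and all sample data are assumptions made for the illustration.

```python
"""
Added example (not from the original slides): joiner/mover/leaver
reconciliation between an HR roster and an application account export.

Assumptions (hypothetical): HR exports employee id, department, status and
an effective date (start of the current department, or the termination
date); the application exports each account with its owning employee id,
the department the access form was approved for, whether it is enabled,
and the date of the coordinator's last access review. All data below is
constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    department: str
    status: str            # "active" or "terminated"
    effective_date: date   # current department start, or termination date


@dataclass(frozen=True)
class Account:
    name: str
    employee_id: Optional[str]   # None for a service or shared account
    granted_department: str      # department the access form was approved for
    enabled: bool
    last_review: date            # last access certification by the coordinator


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str
    detail: str


REVIEW_PERIOD = timedelta(days=90)   # assumed certification interval


def reconcile(hr_rows: Iterable[HrRecord], accounts: Iterable[Account],
              as_of: date, review_period: timedelta = REVIEW_PERIOD) -> List[Finding]:
    """Return findings the Security Coordinator must act on, sorted by account."""
    roster = {r.employee_id: r for r in hr_rows}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue   # nothing to revoke; removal of disabled accounts is separate clean-up
        rec = roster.get(acct.employee_id) if acct.employee_id else None
        if rec is None:
            # No HR owner: service account, contractor, or stale identifier.
            findings.append(Finding(acct.name, "orphan",
                                    "no HR owner; coordinator must confirm sponsor and expiry"))
        elif rec.status == "terminated":
            if rec.effective_date <= as_of:
                findings.append(Finding(acct.name, "terminated_enabled",
                                        f"terminated {rec.effective_date}; disable now"))
            else:
                findings.append(Finding(acct.name, "termination_pending",
                                        f"termination effective {rec.effective_date}; schedule removal"))
        elif rec.department != acct.granted_department:
            # Mover: access was approved for a department the employee has left.
            findings.append(Finding(acct.name, "transfer_stale",
                                    f"granted for {acct.granted_department}, now in {rec.department}; re-certify"))
        if as_of - acct.last_review > review_period:
            findings.append(Finding(acct.name, "review_overdue",
                                    f"last reviewed {acct.last_review}; exceeds {review_period.days}-day period"))
    return sorted(findings, key=lambda f: (f.account, f.kind))


# Constructed sample data (not real employees or systems).
HR_ROSTER = [
    HrRecord("E100", "finance", "active", date(2014, 1, 6)),
    HrRecord("E101", "finance", "terminated", date(2014, 11, 14)),
    HrRecord("E102", "sales", "active", date(2014, 10, 1)),     # transferred from finance
    HrRecord("E103", "it", "terminated", date(2014, 12, 1)),   # notice given, not yet effective
]

ACCOUNTS = [
    Account("gl_app:ahart", "E100", "finance", True, date(2014, 9, 1)),
    Account("gl_app:bmoss", "E101", "finance", True, date(2014, 9, 1)),
    Account("gl_app:cpatel", "E102", "finance", True, date(2014, 9, 1)),
    Account("gl_app:svc_batch", None, "finance", True, date(2014, 3, 1)),
    Account("gl_app:dlee", "E103", "it", True, date(2014, 10, 15)),
    Account("gl_app:old", "E999", "finance", False, date(2013, 1, 1)),   # already disabled
]


def sample_findings() -> List[Finding]:
    """Run the reconciliation over the constructed data as of 2014-11-21."""
    return reconcile(HR_ROSTER, ACCOUNTS, date(2014, 11, 21))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:20} {f.account:20} {f.detail}")
```

The split of duties on the slides maps directly onto the output: the administrator can disable the `terminated_enabled` accounts without further approval, because HR has already decided; the `transfer_stale` and `orphan` findings go back to the coordinator, who is the only one who knows whether the access is still appropriate; and `review_overdue` feeds the Review and Compliance Program. Running the check on a schedule, rather than relying on each termination notice reaching the right administrator, is what makes the HR notification requirement verifiable.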


Legal Counsel

• Responsible for reviewing all security policies and procedures for enforceability.

• Breach of confidentiality, misuse of information, or destruction of information, files, or programs are often cause for termination or the subject of legal liability.

• Where the law requires it, monitoring procedures must be disclosed to the users of the application or resource; disclosure requirements vary by jurisdiction, so counsel should confirm what applies to each site.


Audit

• Four levels of audit functions:

– Internal audit function, including electronic data processing (EDP) auditing

– External audit function required by the SEC, NYSE, NASDAQ, and AMEX and performed by public accounting and auditing firms

– Component audits performed by the system administrators and security liaisons

– Compliance audits performed by the Security Officer and Security Team


Internal Audit

• Its primary responsibility is to assess risk, measure compliance with policy, validate financial reporting, and support corporate governance.


• Understand the organization’s business, the accounting process, and internal control concepts.

• Assess risk at the account and potential error levels.

• Plan the audit approach and test of controls.

• Test controls and ensure that adequate internal controls are in place.

• Review the corporate code of conduct and monitor compliance with it.


• Ensure integrity and objectivity of financial statements.

• Review financial statements and recommend their approval to the board.

• Oversee the company quarterly reporting process.

• Consider selection, implementation, and impact of significant accounting policies.

• Review management judgment of accounting methods and estimates.

• Understand financial and operational issues.

• Participate in activities designed to prevent and detect fraud.

• Remain independent of management.


• Review legal company obligations and pending litigation.

• Review company insurance coverage.

• Review compliance reports to regulatory agencies.

• Review company budgets and executive expenses.

• Participate in the selection of external auditors to enhance their independence.

• Review external auditors’ findings and communicate with external auditors on financial issues.

• Monitor management responses to external auditors.


IS auditor

• Analyze a system or component to formulate the best approach for performing the audit.

• Prepare audit work-plans for each system or component.

• Review the system’s processes and documentation to determine compliance with stated data processing standards.

• Review the system’s input and output to verify the correctness of the transaction processing and reports.


• Ensure that systems produce the desired information.

• Evaluate and review proposed applications to provide input into the design of new systems regarding internal controls and adaptability.

• Periodically review data processing facilities to ascertain organizational and operational effectiveness.

• Provide audit support to other audit staff.

• Coordinate the use of IS audit procedures for operational and financial audits.

• Examine computer systems documentation and output to ensure the presence of adequate controls.

• Develop audit reports and recommendations to IS and business management that identify irregularities or deviations from established policies and procedures.


External Audit

• The external auditor is the financial statement auditor.

• External auditors perform procedures to obtain sufficient evidence to express an opinion as to whether an entity has maintained, in all material respects, effective internal control over financial reporting as of a point in time, based on “control criteria.”


Control criteria include

• The control environment
• Risk assessment
• Control activities
• Information and communication
• Monitoring


Control criteria categories

• Effectiveness and efficiency of operations
• Compliance with laws and regulations
• Reliability of financial reporting