Just who is responsible for information security? Are we learning from incidents that have occurred at other organizations? Do we leverage the research that is available from various institutions? Do we take regulations seriously?
This week’s resources discuss all these questions and more.
Good luck and have another great week.
1. Ask the Auditor: Who is Responsible for Information Security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines), and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done—and that the company’s key assets are protected appropriately.
As we started the research for the HIPAA and 17799 projects we came across a number of references to DITSCAP and NITSCAP. The purpose of the system security plan (SSP) is to provide an overview of the security requirements of the system and describe the controls in place or planned, responsibilities and expected behavior of all individuals who access the system. It is a core component of DITSCAP. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system operator, and the system security manager. Additional information may be included in the basic plan and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable. Michael Kirby has developed a tool to help generate an SSP. It is available here on an as is basis, SCORE takes no responsibility for your use of the tool”. Try the tool at http://www.sans.org/score/ssp.php
3. Information Security Governance: Guidance for Boards of Directors and Executive Management 2nd Edition (ISACA)
To achieve effectiveness and sustainability in today’s complex, interconnected world, information security must be addressed at the highest levels of the organization, not regarded as a technical specialty relegated to the IT department.
4. Digital Records Management — What Auditors Should Know
As companies continue to decrease their dependence on paper records, internal auditors need to stay ahead of the game by understanding the necessary ingredients to an effective digital records management program.
5. Hammer Time: Enforcing Internal Security – by Linda L. Briggs.
Having internal rules and regulations in place regarding compliance is important, as is clearly communicating them to employees. But when infractions occur, as they inevitably will, how should you deal with them?
6. Security breach lists are an interesting read and can be useful for:
* Identifying trends in emerging security threats.
* Providing examples of why a control is necessary.
* Citing real world compromises in presentations, etc.