
Information Systems Security Policies, Standards, and/or Guidelines

Rikki S. Dewangga, MSi, Ak., CISA, PMP.

1995 System Analysis PPA FE UGM
1998 SE, Ak. UGM
1999 Arthur Andersen Junior IT Auditor
2000 Ernst & Young Senior IT Auditor
2002 BaliCamp Manager
2002 BETA Consulting - Partner
2004 Ernst & Young Manager IT Audit
2008 RSM AAJ Associates Senior Manager ITAAS (IT Assurance and Advisory Services)
2010 PT Administrasi Medika GM IT, Compliance, Business Reporting and Analysis
2012 PT Sinar Surya Technology - CTO

InfoSecPol

Information systems security policies are high-level overall statements describing the general goals of an organization with regard to the control and security over its information systems.

1. Purpose and Responsibility
2. System Procurement and Development
3. Access Terminals
4. Equipment and Information Security
5. Service Bureau Programs

Section 4: Equipment and Information Security

Section 4 divides security into three subsections:
a. Equipment and environmental security
b. Information and communication security
c. Contingency and recovery

Items to include in an information systems security policy:

Statement of Purpose and Responsibility
System Procurement and Development Approach
Equipment and Environmental Security (i.e., physical security)
Information and Communication Security (i.e., logical security)
Contingency and Recovery (This is a subset of physical security, but it is acceptable to have a separate section due to its importance.)
Service Bureau Programs (if applicable)
Custom Vendor Software Programs (if applicable)

IT Audit Methodologies

CobiT
www.isaca.org
BS 7799 - Code of Practice (CoP)
www.bsi.org.uk/disc/
BSI - IT Baseline Protection Manual
www.bsi.bund.de/gshb/english/menue.htm
ITSEC
www.itsec.gov.uk
Common Criteria (CC)
csrc.nist.gov/cc/

ITIL overview

ITIL = IT Infrastructure Library
Developed in the late 1980s
CCTA (Central Computer and Telecommunications Agency) = Office of Government Commerce (OGC)
OGC website URL http://ww.ogc.gov.uk
ITIL website URL http://www.itil.co.uk
ITIL is a Best Practice Framework
Public Domain
ITIL Philosophy: scalable, process-driven approach

The ITIL Objectives

Key Objectives
Align IT services with the current and future needs of the business and its customers (both internal and external)
Improve the quality of the services delivered
Reduce the long-term cost of service provision

IT Infrastructure Library (ITIL)

(Figure: the ITIL framework diagram. Components shown: Planning to Implement Service Management; Service Management; The Business Perspective; Service Support; Service Delivery; ICT Infrastructure Management; Security Management; Applications Management. The two axes of the diagram are "The Business" and "The Technology".)
Comparison of Methods Results

(Comparison chart; the rating values themselves were not preserved in this extraction.)
Methods compared: CobiT, BS 7799, BSI, ITSEC
Criteria: Standardisation; Independence; Ease of use; Certifiability; Update frequency; Applicability in practice; Efficiency; Presentation of results; Adaptability; Extent of scope

5.1. Importance of Information Security Management

Security objectives to meet organizations' business requirements include:

Ensure the continued availability of their information systems.
Ensure the integrity of the information stored on their computer systems.
Preserve the confidentiality of sensitive data.
Ensure conformity to applicable laws, regulations and standards.
Ensure adherence to trust and obligation in relation to any information relating to an identified or identifiable individual.
Preserve the confidentiality of sensitive data in store and in transit.

5.1.1. Key Elements of Information Security Management

Senior management commitment and support

Policies and procedures

Organization

Security awareness and education

Monitoring and compliance

Incident handling and response

5.1.2. Information Security Management Roles and Responsibilities

IS security steering committee
Executive management
Security advisory group
Chief Privacy Officer (CPO)
Chief security officer (CSO)
Process owners
Information assets owners and data owners
Users
External parties
Security specialists/advisors
IT developers
IS auditors

5.1.3. Information Asset Inventories

Clear identification of asset
Location
Security/risk classification
Asset group
Owner

5.1.4. Classification of Information Assets

Who has access rights and to what?
The level of access to be granted
Who is responsible for determining the access rights and access levels?
What approvals are needed for access?

5.1.5. System Access Permissions

Logically or physically based
Need-to-know basis
Four IT layers of security provided for networks
Access to information resources
Access capabilities
Reviews of access authorization

5.1.6. Mandatory and Discretionary Access Controls

Mandatory:
- Enforces corporate security policy
- Compares sensitivity of information resources

Discretionary:
- Enforces data-owner-defined sharing of information resources.
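The two control models above (5.1.6) and the need-to-know and access-review points from 5.1.5 are easier to see side by side in code. The following is an added example, not material from the slides: a toy checker in which the mandatory layer compares a subject's clearance against a resource's sensitivity label (level plus need-to-know categories) and the discretionary layer applies sharing that only the data owner may grant. A final routine performs a review of access authorization by flagging owner-granted entries that the mandatory policy would refuse anyway. All users, labels, resources and grants are constructed sample data; the level names and function names are this example's own assumptions.

```python
"""Added example (not from the slides): mandatory vs. discretionary
access control on constructed sample data, plus an access review."""
from dataclasses import dataclass, field

# Ordered sensitivity levels (assumed names); a higher index dominates a lower one.
LEVELS = ["public", "internal", "confidential", "restricted"]


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()  # need-to-know compartments

    def dominates(self, other: "Label") -> bool:
        """Mandatory rule: a clearance may read a resource only if its level is
        at least the resource's classification AND it covers every category."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.categories <= self.categories)


@dataclass
class Resource:
    name: str
    owner: str
    label: Label                                  # set by corporate policy, not the owner
    acl: dict = field(default_factory=dict)       # discretionary: user -> set of permissions


def mac_allows(clearance: Label, resource: Resource) -> bool:
    """Mandatory control: compares sensitivity, ignores who the owner is."""
    return clearance.dominates(resource.label)


def dac_allows(user: str, resource: Resource, perm: str) -> bool:
    """Discretionary control: the owner holds all rights, others only what was granted."""
    return user == resource.owner or perm in resource.acl.get(user, set())


def grant(granting_user: str, resource: Resource, user: str, perm: str) -> None:
    """Only the data owner may extend sharing of the resource."""
    if granting_user != resource.owner:
        raise PermissionError(f"{granting_user} does not own {resource.name}")
    resource.acl.setdefault(user, set()).add(perm)


def access_allowed(user: str, clearance: Label, resource: Resource, perm: str) -> bool:
    """Both layers must agree: policy (mandatory) first, then owner sharing (discretionary)."""
    return mac_allows(clearance, resource) and dac_allows(user, resource, perm)


def review_access(resources, clearances):
    """Review of access authorization: list (user, resource) pairs where an owner
    granted a right that the mandatory policy denies, i.e. grants to clean up."""
    findings = []
    for r in resources:
        for user in r.acl:
            if not mac_allows(clearances.get(user, Label("public")), r):
                findings.append((user, r.name))
    return findings


# Constructed sample data.
CLEARANCES = {
    "alice": Label("restricted", frozenset({"finance"})),
    "bob": Label("internal"),
    "carol": Label("confidential", frozenset({"hr"})),
}
PAYROLL = Resource("payroll.xlsx", owner="alice",
                   label=Label("confidential", frozenset({"finance"})))
grant("alice", PAYROLL, "bob", "read")    # owner shares, but bob's level is too low
grant("alice", PAYROLL, "carol", "read")  # level is fine, but carol lacks the "finance" category

if __name__ == "__main__":
    for user in CLEARANCES:
        print(user, "read payroll:", access_allowed(user, CLEARANCES[user], PAYROLL, "read"))
    print("review findings:", review_access([PAYROLL], CLEARANCES))
```

The point the example makes is the one the slide makes: the owner's discretionary grant to bob and carol is valid under DAC but never takes effect, because the mandatory comparison of sensitivity runs first and is outside the owner's control. The review routine is what a periodic "review of access authorization" would report.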

5.1.7. Privacy Management Issues and the Role of IS Auditors

The goals of a privacy impact assessment:
Pinpoint the nature of personally identifiable information associated with business processes
Document the collection, use, disclosure and destruction of personally identifiable information
Ensure that accountability for privacy issues exists
Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk.

5.1.8. Critical Success Factors to Information Security Management

Information Security Policy
Senior management commitment and support on security training
Security Awareness Training
Professional Risk-based Approach


5.1.9. Information Security and External Parties

Identification of Risks Related to External Parties
Addressing Security When Dealing With Customers
Addressing Security in Third-party Agreements

5.1.10. Human Resources Security and Third Parties

Screening
Terms and Conditions of Employment
During Employment
Termination or Change of Employment
Removal of Access Rights


5.1.11. Computer Crime Issues and Exposures

Threats to business include the following:
Financial loss
Legal repercussions
Loss of credibility or competitive edge
Blackmail/industrial espionage
Disclosure of confidential, sensitive or embarrassing information
Sabotage

5.1.11. Computer Crime Issues and Exposures (Cont.)

Computer crime vs. computer abuse
Whether an act is a crime depends on the statutes of the jurisdiction
Civil offence vs. criminal offence
When should a crime be suspected?


5.1.11. Computer Crime Issues and Exposures (Cont.)

Possible perpetrators include:
Hackers
Script kiddies
Crackers
Employees (authorized or unauthorized)
IS personnel
End users
Former employees
Interested or educated outsiders
Part-time and temporary personnel
Third parties
Accidental or ignorant users

Thank You
Q&A
