April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales. Enforcing Business Rules and Information Security Policies through Compliance Audits. Frederick Yip, Pradeep Ray, Nandan Paramesh. School of Computer Science & Engineering and School of Information Systems & IT Management, University of New South Wales, Sydney, Australia.

Page 1:

April 7, BDIM 2006 Vancouver, Canada - Frederick Yip – University of New South Wales

Enforcing Business Rules and Information Security Policies through Compliance Audits

Frederick Yip, Pradeep Ray, Nandan Paramesh

School of Computer Science & Engineering
School of Information Systems & IT Management

University of New South Wales, Sydney, Australia

Page 2:

Outline

Background – What is the industry doing?
Problem – What are the challenges?
Motivation – How did these challenges motivate the research?
XISSF – Compliance mechanism
Limitations & Future Work – Holistic framework
Conclusion

Page 3:

Background

Ever-increasing pressure on, and responsibilities for, organizations to fulfil the requirements imposed by different regulations.

By actively assessing corporate security compliance based on renowned standards, guidelines and best practices (e.g. CobiT, ISO 17799), organizations secure trust and recognition from customers and business partners.

Compliance spending:
US$15.5 billion in 2005
US$5.8 billion for Sarbanes-Oxley alone in 2005
Estimated to exceed US$80 billion over the next 5 years

HIPAA affects organizations that maintain medical health information.

New! European 8th Directive – SOX equivalent in the EU – currently in draft.

Page 4:

Standards

CobiT v3, CobiT v4 – Control Objectives for Information and related Technology

ISO/IEC 17799:2000, ISO/IEC 17799:2005 – Information technology – Security techniques – Code of practice for information security management

AS/NZS 17799:2001 – Information technology – Code of practice for information security management

BSI IT Baseline Protection Manual

BS 7799, ISO 27001 – Information technology – Security techniques – Information security management systems – Requirements

Page 5:

The Problem

Multi-regulation
3 out of 4 organizations must comply with 2 or more regulations
43% of organizations must comply with 3 or more regulations

Too many standards – which one should you use? The choice depends on the regulations, organization structure, jurisdiction, industry and auditor.

Standards are different
Some overlap
They change from time to time (versions)

Manual process – time consuming
Requires co-ordination and co-operation from business units
Subjective

Page 6:

Compliance Process

[Figure: the traditional compliance process. Legislation (textual information) is interpreted by a Legal & Compliance Expert and standards (textual information) by Standard Expert(s); the CIO turns these into traditional checklists that are passed down through the Regional IT Manager and Branch IT Managers to the System Administrator.]

Legislation and regulation are ambiguous to IT
The need for a common Infosec specification format that can be distributed to other business units
What about multiple information security standards?
The need for a uniform way of checking compliance with policies and best practices
The need for a uniform way to report audit and compliance results

Page 7:

eXtensible Information Security Specification Format (XISSF)

What is it?
A common Infosec specification format and platform – not vendor- or firm-specific
Based on XML
Textual descriptions of the security clauses or safeguards within Infosec standards are restructured and codified

XISSF is capable of:
Encapsulating and segregating the clauses extracted from different textual standards
Encapsulating heterogeneous clauses from multiple standards in a single XISSF document
Being transported between business units – across a global business
Expressing information security specifications explicitly – decreases ambiguity
Providing a uniform way of checking compliance with policies and best practices
Providing a machine-interpretable format for computer-aided assessment of security compliance

Page 8:

XISSF

A foundation for providing automated support for compliance audits.
Addresses the problem of heterogeneous information security standards.
Agents can be designed to perform routine and subjective tasks based on XISSF – mobile agents and multi-agent systems.

Tags
An enclosed weighting metric for each checkpoint in the clauses, for audit and assessment purposes.
Atomic, actionable questions or statements identified as checkpoints.

[Figure: XISSF document structure. An XISSF document contains GROUPs (attributes: due, reminder, reference, ...); a GROUP contains CLAUSEs (attributes: id, required, role, ...; title, pre-req, ...); a CLAUSE contains an OBJECTIVE and one or more CHECKPOINTs (attributes: description, weight, required, threat type, constraints, pre-requisites, ...).]

Page 9:

Regulations/Standards/Clauses/Checkpoints

[Figure: the layering from regulations down to checkpoints. Government regulations (HIPAA, SOX, ...) are satisfied by Infosec standards (CobiT, ISO 17799, ISF, ITIL, BSI, ...); security clauses are extracted from the standards (e.g. ISO 17799:2005 9.2.2, CobiT v4 DS4); checkpoints are extracted from the clauses (e.g. CobiT v4 DS4.1).]

Page 10:

Sample Clause - ISO17799

5.1.1 Information security policy document

Control
An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.

Implementation guidance
The information security policy document should state management commitment and set out the organization’s approach to managing information security. The policy document should contain statements concerning:
a) a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing (see introduction);
b) a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives;
c) a framework for setting control objectives and controls, including the structure of risk assessment and risk management;
….

The same clause codified in XISSF (the slide's own sample, with the smart quotes in the attribute values repaired and the group and root elements closed so that the document is well-formed XML):

<?xml version="1.0" encoding="UTF-8"?>
<xissf xmlns="http://www.cse.unsw.edu.au/xissf" xmlns:xissf="http://oval.mitre.org/XMLSchema/xissf" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="0.2" xsi:schemaLocation="http://www.cse.unsw.edu.au/xissf xissf.xsd">
  <status date="2006-01-06">draft</status>
  <title>XISSF Sample</title>
  <description>XISSF - eXtensible Information Security Specification Format. This document defines a list of security specification policies that should be enforced on the organization. This can vary from technical policies to abstract business level processes.</description>
  <group due="000024052006" reminder="000012052006">
    <reference>
      <title>ISO17799</title>
      <organization>International Standard Organization</organization>
      <format>ISO17799:2005</format>
      <version>2005</version>
      <url>http://www.iso.org</url>
    </reference>
    <clause id="5.1.1" required="true" weight="1" prereq="6.1.5">
      <title>Information security policy document</title>
      <objective>An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.</objective>
      <checkpoint required="true" weight="1" role="IT Manager">
        <description>The information security policy document should state management commitment and set out the organization’s approach to managing information security.</description>
      </checkpoint>
      <checkpoint required="true" weight="1">
        <description>The policy document should contain statements concerning a definition of information security, its overall objectives and scope and the importance of security as an enabling mechanism for information sharing.</description>
      </checkpoint>
      <checkpoint required="true" weight="1">
        <description>The policy document should contain statements concerning a statement of management intent, supporting the goals and principles of information security in line with the business strategy and objectives.</description>
      </checkpoint>
    </clause>
  </group>
</xissf>
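What a consumer of such a document actually does with the weight, required and prereq attributes is not shown on the slides. The following is an added example, not part of the presentation or of the authors' XISSF tooling: a small Python assessor that parses an XISSF document of the shape above, validates its structure, scores each clause from an auditor's answers, and emits the kind of uniform per-clause report the earlier slides call for. The embedded sample document is constructed for this example (it adds a clause 6.1.5 only so that the prereq of 5.1.1 resolves, and omits the xsi/OVAL namespace declarations); reading the zero-padded due/reminder values as DDMMYYYY, the answer format, and the scoring rules (required checkpoints are pass/fail, weights give a partial score, a clause inherits non-compliance from its prereq) are this example's assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import date

XISSF_NS = "http://www.cse.unsw.edu.au/xissf"
NS = {"x": XISSF_NS}

# Constructed sample modelled on the slide's document (not the authors' file).
SAMPLE_XISSF = """<?xml version="1.0" encoding="UTF-8"?>
<xissf xmlns="http://www.cse.unsw.edu.au/xissf" version="0.2">
  <status date="2006-01-06">draft</status>
  <title>XISSF Sample</title>
  <group due="000024052006" reminder="000012052006">
    <reference><title>ISO17799</title><format>ISO17799:2005</format></reference>
    <clause id="6.1.5" required="true" weight="1">
      <title>Confidentiality agreements</title>
      <objective>Confidentiality requirements are identified and reviewed.</objective>
      <checkpoint required="true" weight="1"><description>Agreements are reviewed regularly.</description></checkpoint>
    </clause>
    <clause id="5.1.1" required="true" weight="1" prereq="6.1.5">
      <title>Information security policy document</title>
      <objective>A policy document is approved by management and communicated.</objective>
      <checkpoint required="true" weight="1" role="IT Manager"><description>States management commitment.</description></checkpoint>
      <checkpoint required="true" weight="1"><description>Defines information security, objectives and scope.</description></checkpoint>
      <checkpoint required="false" weight="2"><description>States management intent in line with business strategy.</description></checkpoint>
    </clause>
  </group>
</xissf>
"""

def parse_xissf_date(raw):
    # The slide's due/reminder values look like zero-padded DDMMYYYY
    # ("000024052006" -> 24 May 2006); that reading is an assumption here.
    d = raw[-8:]
    return date(int(d[4:]), int(d[2:4]), int(d[:2]))

def load_xissf(xml_text):
    """Parse an XISSF document into dicts: groups -> clauses -> checkpoints.
    XISSF files travel between business units; if the sender is not trusted,
    parse with defusedxml rather than the stdlib parser."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}xissf" % XISSF_NS:
        raise ValueError("not an XISSF document")
    groups = []
    for g in root.findall("x:group", NS):
        clauses = []
        for c in g.findall("x:clause", NS):
            cps = [{"description": " ".join(cp.findtext("x:description", "", NS).split()),
                    "required": cp.get("required") == "true",
                    "weight": float(cp.get("weight", "1")), "role": cp.get("role")}
                   for cp in c.findall("x:checkpoint", NS)]
            clauses.append({"id": c.get("id"), "title": c.findtext("x:title", "", NS),
                            "required": c.get("required") == "true",
                            "prereq": c.get("prereq"), "checkpoints": cps})
        groups.append({"reference": g.findtext("x:reference/x:title", "", NS),
                       "due": parse_xissf_date(g.get("due")) if g.get("due") else None,
                       "clauses": clauses})
    return {"title": root.findtext("x:title", "", NS), "groups": groups}

def validate(doc):
    """Structural problems to catch before anyone is asked to fill in answers."""
    problems, seen = [], set()
    ids = {c["id"] for g in doc["groups"] for c in g["clauses"]}
    for c in (c for g in doc["groups"] for c in g["clauses"]):
        if c["id"] in seen:
            problems.append("duplicate clause id %s" % c["id"])
        seen.add(c["id"])
        if c["prereq"] and c["prereq"] not in ids:
            problems.append("clause %s: prereq %s not in document" % (c["id"], c["prereq"]))
        if not c["checkpoints"]:
            problems.append("clause %s has no checkpoints" % c["id"])
        if any(cp["weight"] <= 0 for cp in c["checkpoints"]):
            problems.append("clause %s: non-positive checkpoint weight" % c["id"])
    return problems

def assess(doc, answers):
    """Score clauses from answers keyed (clause_id, checkpoint_index) -> bool.
    Unanswered checkpoints count as failed. A clause is compliant only when every
    required checkpoint passed and its prereq clause (if any) is compliant too."""
    by_id = {c["id"]: c for g in doc["groups"] for c in g["clauses"]}
    memo = {}

    def clause_result(cid, stack=()):
        if cid in memo:
            return memo[cid]
        if cid in stack:
            raise ValueError("prereq cycle at %s" % cid)
        c = by_id[cid]
        cps = list(enumerate(c["checkpoints"]))
        total = sum(cp["weight"] for _, cp in cps)
        earned = sum(cp["weight"] for i, cp in cps if answers.get((cid, i), False))
        required_ok = all(answers.get((cid, i), False) for i, cp in cps if cp["required"])
        prereq_ok = not c["prereq"] or clause_result(c["prereq"], stack + (cid,))["compliant"]
        memo[cid] = {"score": earned / total if total else 0.0,
                     "compliant": required_ok and prereq_ok}
        return memo[cid]

    return {cid: clause_result(cid) for cid in by_id}

def report(doc, results):
    """One uniform line per clause, the kind of output the slides call for."""
    return "\n".join("%s %s score=%.2f %s" % (
        g["reference"], c["id"], results[c["id"]]["score"],
        "COMPLIANT" if results[c["id"]]["compliant"] else "NON-COMPLIANT")
        for g in doc["groups"] for c in g["clauses"])
```

Run with `load_xissf(SAMPLE_XISSF)`, an `answers` dict such as `{("6.1.5", 0): True, ("5.1.1", 0): True, ("5.1.1", 1): True}`, and `print(report(doc, assess(doc, answers)))`. The separation matters in practice: the weighted score shows how much of a clause is done, but compliance is a hard gate on the required checkpoints, and leaving the prereq clause unanswered makes 5.1.1 non-compliant even though all of its own required checkpoints pass, which is the kind of dependency a flat checklist loses.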

Page 11:

Scenario

[Figure: a public company listed in the United States, with an Australia branch office, a Germany branch office and a US subsidiary providing health services. The company is regulated by SOX and HIPAA, which it satisfies by implementing ISO 17799 and CobiT; the US health-services subsidiary is regulated by HIPAA.]

Page 12:

Limitation & Future Work

Preliminary in nature, but essential for any future work
Checkpoints are currently in English – human intervention is required

Improve automation
Ontology-based schema for each governance standard
Application of concept learning/extraction methodologies for IT standards
Assessment strategy based on XISSF
Agent-based compliance management based on XISSF

Page 13:

The Big Picture

[Figure: the traditional process beside the XISSF process. Traditional: Legislation (textual information) goes to the Legal & Compliance Expert and Standards (textual information) to Standard Expert(s); the CIO consolidates them into checklists for the Regional IT Manager, Branch IT Managers and the System Administrator. XISSF: Legislation X, Y, Z and Standards A, B are codified into a single XISSF document by the Legal & Compliance Expert and Standard Expert(s); interface agents deliver it to the IT Manager/System Administrator, reducing the involvement required from each role.]

Page 14:

Conclusion

An approach and mechanism to express explicit information security requirements and compliance audits in a codified format.

Increased portability, especially for global business
Provides a foundation for computer-assisted compliance auditing
Normalization of XISSF decreases redundant compliance tasks and identifies conflicts
Reduces interaction time in compliance, improving efficiency
Better modularization to segregate compliance tasks – role-based
Ability to consolidate and extend multiple, heterogeneous Infosec specifications

The process of compliance is an important component of ensuring IT security controls are employed and used correctly. It is a continuous effort!