ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
2013 ISACA. All rights reserved.
Reservation of Rights
2013 ISACA. All rights reserved. No part of this publication may be used, copied,
reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in
any form by any means (electronic, mechanical, photocopying, recording or otherwise)
without the prior written authorization of ISACA. Reproduction and use of all or portions of
this publication are permitted solely for academic, internal and non-commercial use and
for consulting/advisory engagements, and must include full attribution of the material's
source. No other right or permission is granted with respect to this work.
Acknowledgements
Researcher
Krag Brotby, CISM, CGEIT, Brotby & Associates, USA
Board of Directors
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, Six Sigma Black Belt, Dell, Spain, Vice President
Theresa Grafenstine, CISA, CGEIT, CRISC, CGAP, CGMA, CIA, CPA, US House of Representatives, USA, Vice President
Vittal Raj, CISA, CISM, CGEIT, CFE. CIA, CISSP, FCA, Kumar & Raj, India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Past International President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich , Australia, Director
Knowledge Board
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Chairman
Rosemary M. Amato, CISA, CMA, CPA, Deloitte Touche Tohmatsu Ltd., The Netherlands
Steven A. Babb, CGEIT, CRISC, Betfair, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Anthony P. Noble, CISA, Viacom, USA
Jamie Pasfield, CGEIT, ITIL V3, MSP, PRINCE2, Pfizer, UK
Agenda
Company Profile PharmUniverse
Background Information
The Problems
Your Role
Your Tasks
Figures
Notes
Questions
Glossary
Company Profile PharmUniverse
International pharmaceutical company with 1,500 employees
Founded nine years ago, headquartered in Boston, Massachusetts, USA
Small offices in Los Angeles, California, USA; Düsseldorf, Germany; and Singapore
Is the result of the work of a senior researcher in the pharmaceutical
industry who discovered a new formula for a drug shown to greatly
reduce the likelihood of lung and other blood clots
Currently has an eight percent share in the blood clot prevention drug market
Background Information
What we do
Financials
Org. Structure
Operational
Industry
Background Information
The board of directors:
Is best characterised by diversity
Has some members who have served in positions with pharmaceutical and biomedical
companies, but the majority do not have this kind of background
Is anything but risk averse, and pushes the CEO to offer generous incentives to
researchers who develop new formulas likely to result in new and profitable
pharmaceutical products
The CEO:
Is a member of the executive council, which meets bimonthly to create, evaluate and,
in some cases, change corporate objectives.
Background Information
The Research team:
Although this team does not, in a strict sense, comprise a business unit, for all
practical purposes it functions like one.
It receives a yearly budget that is more than ample for a unit of fewer than 60
employees. Most of these employees are scientists, who are led by a seasoned business
professional with more than 20 years of experience managing scientific research teams
in business settings.
Background Information
The Research team:
The team manager reports to the vice president (VP) of research, who reports to the
CEO. The team is accountable for meeting a long list of objectives, of which the most
critical are the number of:
Patents filed and granted per year
Hours of labor to produce a viable formula for each drug product
Viable formulas (regardless of whether they are patented) created per year
Marketing and sales of products are handled completely independently of the research
team.
Background Information
PharmUniverse spends a large proportion of its yearly budget on marketing, attempting
to win the trust of customers and potential customers.
Despite the company being a relative newcomer in the market, these efforts have
generally been successful.
Another round of well-publicised problems recently found in competing drugs has also
given a boost to PharmUniverse's marketing efforts.
Background Information
The pharmaceutical industry is extremely competitive. The ability to streamline the
process of inventing formulas and testing them to determine whether they are viable as
products is what makes a company in this arena successful.
Industrial espionage is common in the pharmaceutical industry. Obtaining competitors'
drug formulas before products go to market is a huge advantage for competitors because
it greatly reduces the time and resources needed in the costly research process.
At the same time, having a formula stolen is a worst-case scenario for a pharmaceutical
company. The company's profits from a new product are likely to be minimised.
The Problems
You are faced with the challenge of establishing an information security
governance programme in a company that is relatively new and has never had
more than a very small IT security function that focused mostly on firewalls and
intrusion prevention systems (IPSs) before you arrived.
With the exception of you, no one on the executive management team knows
much about information security, and although your current budget adequately
covers the salaries of your security team and a few network security initiatives that
were started before you arrived, the CEO has told you that he has a wait and see
attitude towards information security.
The Problems
You interpret the CEO's comments to mean that if information security does not
produce visible results by the next fiscal year, your budget could be cut back
significantly and you may even lose your job.
As you become acquainted with how PharmUniverse works, you realise that the
brain trust of this company is not the sales or marketing organisation, nor is it
executive-level management, but rather it is the research division.
The output of this unit is, almost without exception, potentially very valuable
intellectual property that must be kept out of the hands of competitors at all costs.
The Problems
The members of this unit, the manager in particular, are faced with tremendous
pressure to come up with new, viable formulas. If they do, they are handsomely
rewarded. If they do not, they are treated progressively more harshly and, almost
without exception, terminated.
In the past, several terminated researchers departed the company under extremely
hostile circumstances; a few of them went to work for competitors shortly after.
The Problems
Another issue of potential concern to you is that most of the employees in this
organisation are scientists who are used to working in environments where ideas
and research data are freely exchanged within and outside of research teams.
Most of them (and the VP of research) barely know what file permissions or virtual
private networks (VPNs) are, and even if they did, they would not be inclined to use
either because doing so would be an inconvenience that would slow their research
progress.
The fact that the research division now uses cloud services for data storage is also
something that has caught your attention.
The Problems
Ben Dorian: Research Team Manager
The research team manager is Ben Dorian. He is highly focused on achieving the
goals handed to him by his boss, the VP of research. He is by no means a scientist.
Instead, he is a numbers person all the way through, and the most important
numbers to him are the ones that represent the progress of his unit.
He is polite, but very driven. You have tried to establish a communication channel
with him, but he is so busy that all he has had time for so far is a few short
telephone conversations with you.
The Problems
Sudha Patel: Chief Scientist, Research Unit
The chief scientist of the research unit, Sudha Patel, is the founder of
PharmUniverse. She played the major role in the discovery of the company's blood
clot prevention drug and led the company during its early stages.
When venture capitalists funded the company, they insisted that an experienced
CEO with business know-how be hired and that Sudha be moved to a position in
which her talents could be used.
She epitomises the spirit of innovation within the company and, to date, has more
than 10 patents to her credit. Highly respected as a scientist by the rest of the
scientific staff, she is viewed by many within the research unit as the real leader.
Sudha is extremely knowledgeable about networking and application development, to
the point that network operations staff members have sometimes turned to her for help
with difficult operational issues.
At the same time, she knows little about information security, although she is not at
all opposed to the idea of it.
The Problems
Although your impressions of the adequacy of PharmUniverse's security controls
are based on limited observations, it does not appear that the current controls in
place are adequate.
You have learned that vulnerability analysis and penetration testing have, in the
past, been performed only before audits were to be conducted.
When you asked the executive council members about the company's information
security policy and standards, they were unaware that both existed. Later, you
found that these documents (which were far from being complete) existed, but had
not been widely distributed.
Your conversations with the C-level officers have given you a good idea concerning
an information security framework to guide your governance efforts, and both the
CEO and CIO liked your framework document and signed off on it a week ago.
Your Role
Your Tasks
You need to develop a desired state of the information security practice that includes a
set of information security characteristics/attributes in connection with the business needs
and action plan that you are creating.
You must select 10 information security attributes for PharmUniverse.
Provide a clear and complete rationale for each security attribute. The rationale must
include a discussion of the pros and cons associated with each. For example, suppose you
choose level 3, "Established Process", for security risk management as a security attribute.
Your goal is to have:
An enterprisewide information security policy that is signed off by senior
management, documented and widely distributed and a defined security awareness
programme
A training effort that systematically reaches all employees who have access to
computers, but is tailored to the needs of each major group of employees
Orderly change control processes in place for risk management so that, for example,
whatever changes are made to the information security policy are systematic and
documented
Your Tasks: The Pros
You need to list pros and cons in the exemplary case at hand.
Your Tasks: The Cons
Cons include (but are not limited to):
Financial costs
Lack of available resources to perform tasks (analysing and rewriting policy
provisions, creating and delivering tailored training programmes, etc.) that are likely
to require months to perform
The likelihood of employee resistance to change, especially amongst scientists if
they are required to complete information security awareness sessions and change
procedures
Notes
PharmUniverse's existence and success revolve around intellectual property (IP).
If its IP ends up in the hands of competitors, the future of this company will not be
bright. Impact assessments may be the most useful way to communicate the consequences
of a potential compromise.
The lack of understanding of security is a problem and creates the need to educate
management and staff and increase overall security support and awareness.
Discussion Questions
1. What are the most important business issues and goals for
PharmUniverse?
2. What are the managerial, organisational and technological issues and
resources related to this case?
3. What role do different decision makers play in the overall planning,
implementing and managing of the information technology/security
applications?
4. What are some of the emerging IT security technologies that should be
considered in solving the problem related to the case?
5. How can the chief information security officer (CISO) in this scenario
most effectively communicate the risk to senior management?
6. Which model (e.g., Process Capability Model), framework (e.g., COBIT)
or standard (e.g., ISO/IEC 15504) is most likely to fit in with
PharmUniverse's culture and operations?
7. What kinds of control strategies are most central to securing critical
data?
Questions for assignment: 4, 5 and 7