Auditing Corporate Information Security
John R. Robles
Tuesday, November 1, 2005
Tel: 787-647-396
Steps in the Information Security Audit Plan
- Plan
- Gather data
- Analyze and test
- Conclude
- Report findings
Federal Financial Institutions Examination Council (FFIEC)
- Federal Reserve System
- Federal Deposit Insurance Corporation (FDIC)
- National Credit Union Administration (NCUA)
- Office of the Comptroller of the Currency (OCC), and
- The Office of Thrift Supervision (OTS)
Information Systems Security Standards based on: FFIEC Information Technology Examination Handbook
Audit areas include:
- Audit
- Business Continuity Planning
- Development and Acquisition
- E-Banking
- FedLine
- Information Security
- Management
- Operations
- Outsourcing Technology Services
- Retail Payment Systems
- Supervision of Technology Service Providers
- Wholesale Payment Systems
INFORMATION SECURITY WORKPROGRAM
EXAMINATION OBJECTIVE: Assess the quantity of risk and the effectiveness of the institution’s risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution’s systems.
The objectives and procedures are divided into Tier I and Tier II:
- Tier I assesses an institution’s process for identifying and managing risks.
- Tier II provides additional verification where risk warrants it.
Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.
Tier 1 Audit Objectives
- Objective 1: Determine the appropriate scope for the examination.
Quantity of Risk
- Objective 2: Determine the complexity of the institution’s information security environment.
Quality of Risk Management
- Objective 3: Determine the adequacy of the risk assessment process.
- Objective 4: Evaluate the adequacy of security policies relative to the risk to the institution.
- Objective 5: Evaluate the security-related controls embedded in vendor management.
- Objective 6: Determine the adequacy of security testing.
- Objective 7: Evaluate the effectiveness of enterprise-wide security administration.
Conclusions
- Objective 8: Discuss corrective action and communicate findings.
Tier 2 Controls
- Access Rights Administration
- Authentication
- Network Security
- Host Security
- User Equipment Security
- Physical Security
- Personnel Security
Tier 2 Controls (Continued)
- Application Security
- Software Development and Acquisition
- Business Continuity Security
- Intrusion Detection and Response
- Service Provider Oversight Security
- Encryption Security
- Data Security
Audit to Information Security Standards used by the Information Security department
- ISO – world wide standard: http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
- Cobit – High Level Standard
- Industry specific – HIPAA Final Security Standards
- Industry specific – FFIEC Standard
- NIST
ISO
This is essentially the set of security controls: the measures and safeguards for potential implementation. In volume it is the main body of the overall 'standard set' itself.
1. Security Policy
2. Security Organization
   - Information Security Infrastructure
   - Security and Third Party Access
   - Outsourcing
3. Asset Classification and Control
   - Accountability for Assets
   - Information Classification
4. Personnel Security
   - Security in Job Definition and Resourcing
   - User Training
   - Responding to Security Incidents and Malfunctions
5. Physical and Environmental Security
   - Secure Areas
   - Equipment Security
   - General Controls
6. Communications and Operations Management
   - Operational Procedures and Responsibility
   - System Planning and Acceptance
   - Protection Against Malicious Software
   - Housekeeping
   - Network Management
   - Media Handling and Security
   - Exchanges of Information and Software
7. Access Control
   - Business Requirement for Access Control
   - User Access Management
   - User Responsibilities
   - Network Access Control
   - Operating System Access Control
   - Application Access Management
   - Monitoring System Access and Use
   - Mobile Computing and Teleworking
8. System Development and Maintenance
   - Security Requirements of Systems
   - Security in Application Systems
   - Cryptographic Controls
   - Security of System Files
   - Security in Development and Support Processes
9. Business Continuity Management
   - Aspects of Business Continuity Management
10. Compliance
   - Compliance with Legal Requirements
   - Reviews of Security Policy and Technical Compliance
   - System Audit Considerations
COBIT—IT Control Framework
Four (4) IT Domains and 34 Processes
PLAN AND ORGANISE
- PO1—Define a strategic IT plan
- PO2—Define the information architecture
- PO3—Determine the technological direction
- PO4—Define the IT organization and relationships
- PO5—Manage the IT investment
- PO6—Communicate management aims and direction
- PO7—Manage human resources
- PO8—Ensure compliance with external requirements
- PO9—Assess risks
- PO10—Manage projects
- PO11—Manage quality
ACQUIRE AND IMPLEMENT
- AI1—Identify automated solutions
- AI2—Acquire and maintain application software
- AI3—Acquire and maintain technology infrastructure
- AI4—Develop and maintain procedures
- AI5—Install and accredit systems
- AI6—Manage changes
DELIVER AND SUPPORT
- DS1—Define and manage service levels
- DS2—Manage third-party services
- DS3—Manage performance and capacity
- DS4—Ensure continuous service
- DS5—Ensure systems security
- DS6—Identify and allocate costs
- DS7—Educate and train users
- DS8—Assist and advise customers
- DS9—Manage the configuration
- DS10—Manage problems and incidents
- DS11—Manage data
- DS12—Manage facilities
- DS13—Manage operations
MONITOR AND EVALUATE
- M1—Monitor the processes
- M2—Assess internal control adequacy
- M3—Obtain independent assurance
- M4—Provide for independent audit
- Test Controls
- Document Findings
- Prepare Report and present recommendations to management
Thank You!
John R. Robles
Tel: