1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections”

Slides:



Advertisements
Similar presentations
Dr Lami Kaya ISO Information Security Management System (ISMS) Certification Overview Dr Lami Kaya
Advertisements

Agenda What is Compliance? Risk and Compliance Management
So You Want to Break Into the Industry… SAS No. 94 Requirements and Issues Related to IT Audits for Not-for-Profit Organizations.
The International Security Standard
Secure Systems Research Group - FAU Process Standards (and Process Improvement)
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
Chapter 10 Accounting Information Systems and Internal Controls
MODERN AUDITING 7th Edition
1 Copyright © 2013 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections”
1 WebTrust for Certification Authorities (CAs) Overview October 2011 WebTrust for Certification Authorities (CAs) Overview October 2011 Presentation based.
ACG 6415 SPRING 2012 KRISTIN DONOVAN & BETH WILDMAN IT Security Frameworks.
Security Controls – What Works
ISO/IEC Winnie Chan BADM 559 Professor Shaw 12/15/2008.
9.401 Auditing Chapter 1 Introduction. Definition of Auditing The accumulation and evaluation The accumulation and evaluation Of evidence about information.
© 2006 IBM Corporation Introduction to z/OS Security Lesson 9: Standards and Policies.
First Practice - Information Security Management System Implementation and ISO Certification.
SOX & ISO Protect your data and be ready to be audited!!!
Agenda Review homework Final Exam requirments ISO 9000 Baldridge
1 Performance Auditing  In IT Environment  Evidence Gathering & Analysis Techniques  Computer Assisted Techniques  Use of IDEA.
Fraud Prevention and Risk Management
Spreadsheet Management. Sarbanes-Oxley Act (SOX, 2002) Requires “an effective system of internal control” for financial reporting in publicly- held companies.
Internal Auditing and Outsourcing
Gurpreet Dhillon Virginia Commonwealth University
Information Security Framework & Standards
SEC835 Database and Web application security Information Security Architecture.
INFORMATION SECURITY REGULATION COMPLIANCE By Insert name dd/mm/yyyy senior leadership training on the primary regulatory requirements,
Introduction to ISO International Organization for Standardization (ISO) n Worldwide federation of national standards bodies from over 100 countries,
Evolving IT Framework Standards (Compliance and IT)
Laboratory Biorisk Management Standard CWA 15793:2008
Chapter 3 Internal Controls.
ISMS for Mobile Devices Page 1 ISO/IEC Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.
Slide 1 The 9 th European Financial Markets Convention “Towards true integration by 2009” Brussels May 2005 Corporate Governance Session by the ECGI.
Everyone’s Been Hacked Now What?. OakRidge What happened?
1 Copyright © 2014 M. E. Kabay. All rights reserved. CSH5 Chapter 67 “Developing Classification Policies for Data” Karthik Raman & Kevin Beets Classification.
Presented by : Miss Vrindah Chaundee
Introduction to the ISO series ISO – principles and vocabulary (in development) ISO – ISMS requirements (BS7799 – Part 2) ISO –
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Security Standards and Threat Evaluation. Main Topic of Discussion  Methodologies  Standards  Frameworks  Measuring threats –Threat evaluation –Certification.
Everyone’s Been Hacked Now What?. OakRidge What happened?
Seeking a National Standard for Security: Developing a Systematic Crosswalk of the Final HIPAA Security Rule, the NIST SP , NIST SP Security.
Information Security 14 October 2005 IT Security Unit Ministry of IT & Telecommunications.
Chapter 9: Introduction to Internal Control Systems
COBIT®. COBIT® - Control Objectives for Information and related Technology. C OBI T was initially created by the Information Systems Audit & Control Foundation.
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
ISO. What is a standard? Standards are written guidelines which help to do things, or make things, more efficiently or more safely. Standards are written.
ISA99 - Industrial Automation and Controls Systems Security
HIPAA Security John Parmigiani Director HIPAA Compliance Services CTG HealthCare Solutions, Inc.
Control and Security Frameworks Chapter Three Prepared by: Raval, Fichadia Raval Fichadia John Wiley & Sons, Inc
Information Security tools for records managers Frank Rankin.
F8: Audit and Assurance. 2 Audit and Assurance Designed to give you knowledge and application of: Section A: Audit Framework and Regulation Section B:
CSC4003: Computer and Information Security Professor Mark Early, M.B.A., CISSP, CISM, PMP, ITILFv3, ISO/IEC 27002, CNSS/NSA 4011.
Models of Security Management Matt Cupp. Overview What is Security Management? What is Security Management? ISO/IEC ISO/IEC NIST Special Publication.
Department of Computer Science Introduction to Information Security Chapter 8 ISO/IEC Semester 1.
ISO17799 / BS ISO / BS Introduction Information security has always been a major challenge to most organizations. Computer infections.
Standards Certification Education & Training Publishing Conferences & Exhibits 1 Copyright © ISA, All Rights reserved ISA99 - Industrial Automation and.
Audit Committee 1 June 2005 Overview of the Audit Function in the Council and Role of Audit Committee.
Dr. Yeffry Handoko Putra, M.T
MEM Cybersecurity Working Group Update to PCD Technical Committee
What Is ISO ISO 27001, titled "Information Security Management - Specification With Guidance for Use", is the replacement for BS It is intended.
MEM Cybersecurity Working Group Update to PCD Technical Committee
ISO 9000.
What are ISO 9000 Standards? ISO 9000 Standards
Need for ISO 9000 & other Q Systems Swamynathan.S.M AP/ECE/SNSCT
Project proposal for ISO 27001:2013 implementation
Agenda Review homework Final Exam requirments ISO 9000 Baldridge
ارائه كننده: شاهين انتصاري
IS4680 Security Auditing for Compliance
Awareness and Auditor training kit
Presentation transcript:

1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections” Donald Glass, Chris Davis, John Mason, David Gursky, James Thomas, Wendy Carr, and Diane Levine

2 Copyright © 2010 M. E. Kabay. All rights reserved. Topics  Introduction  Auditing Standards  SAS 70 Audits  Sarbanes-Oxley  Addressing Multiple Regulations  Technical Frameworks for IT Audits

3 Copyright © 2010 M. E. Kabay. All rights reserved. Introduction (1)  Non-IT auditors  Financial: accuracy/integrity accounting  External: material, macro-level issues (e.g., governance, reporting, legal compliance)  Internal: transaction-level controls, protecting assets, validating systems  Recent legal/regulatory changes affect auditing  Especially regulatory compliance  Validating protection of mission-critical systems  Ensuring that weaknesses in IT infrastructure/security do not affect other parties (who can sue for damages)

4 Copyright © 2010 M. E. Kabay. All rights reserved. Introduction (2)  Management attitudes range from  We have to do this – part of cost of doing business  Nice to have (but don’t spend much)  These attitudes ignore added value from audits  QUESTION FOR CLASS: WHAT ARE SOME BENEFITS OF AUDITS BEYOND ASSURANCE OF COMPLIANCE?  Auditing increasingly included in IA training programs & certifications

5 Copyright © 2010 M. E. Kabay. All rights reserved. Auditing Standards  Introduction to ISO  ISO/IEC  Gramm-Leach Bliley Act  Auditing Standards Conclusions

6 Copyright © 2010 M. E. Kabay. All rights reserved. Introduction to ISO  International Organization for Standardization  Nongovernmental cooperative  Create, identify, publish industry standards  Business & technology (not just IT)  Member committees work on specific standards  Represent best practices  E.g., ISO 9000 stds have become world- recognized for quality  ISO increasingly accepted as international standard for information security management

7 Copyright © 2010 M. E. Kabay. All rights reserved. History of ISO Standards (1)  History  British Standard (BS) 7799 published Feb 1995 Part 1: Best Practices for Information Security Management Part 2: Specifications for Information Security Management Systems Part 3: Guidelines for Information Security Risk Management

8 Copyright © 2010 M. E. Kabay. All rights reserved. History of ISO Standards (2)  BS 7799 Part 1 became ISO (Dec 2000) with 10 domains: 1.Business continuity planning 2.Systems access control 3.System development & maintenance 4.Physical & environmental security 5.Compliance 6.Personnel security 7.Security organization 8.Computer & operations management 9.Asset classification & control 10.Security policy

9 Copyright © 2010 M. E. Kabay. All rights reserved. History of ISO Standards (3)  Later converted ISO to ISO/IEC 17799:2005  IEC = International Electrochemical Commission (Geneva)  Information Technology – Security Techniques – Code of Practice for Information Security Management  Added objectives, controls  Updated previous editions to include new technology  E.g., wireless networks  ISO/IEC goes beyond ISO/IEC (see next slides)

10 Copyright © 2010 M. E. Kabay. All rights reserved. ISO/IEC (1)  ISO/IEC 27000: Fundamentals & Vocabulary  ISO/IEC 27001:2005. ISMS – Requirements  ISO/IEC 27002:2005. Code of Practice for Information Security Management  ISO/IEC 27003:2010. ISMS Implementation Guidance  ISO/IEC 27004*. Information Security Management Measurement  ISO/IEC 27005*. Information Security Risk Management  ISO/IEC 27006:2007. Requirements for Bodies Providing Audit and Certification of Information Security Management Systems Notes: ISMS = information security management system * Under development as of March 2010

11 Copyright © 2010 M. E. Kabay. All rights reserved. ISO/IEC (2)  ISO/IEC  Similar to OECD guidance on security of IS & NW  Includes PDCA cycle Plan-Do-Check-Act Invented by W. Edwards Denning (1950s)  Certification  Indicates formal compliance with standards  Business benefits (public visibility to stakeholders)  Operational benefits (fewer errors, better response, greater resilience)

12 Copyright © 2010 M. E. Kabay. All rights reserved. Gramm-Leach Bliley Act  Financial Services Modernization Act of 1999 = GLBA  Regulates security of consumers’ personal financial information  Also protects

13 Copyright © 2010 M. E. Kabay. All rights reserved. Auditing Standards Conclusions

14 Copyright © 2010 M. E. Kabay. All rights reserved. SAS 70 Audits  Introduction to SAS 70  Cost and Benefits of SAS 70 Audits  SAS 70 Audits Conclusion

15 Copyright © 2010 M. E. Kabay. All rights reserved. Introduction to SAS 70

16 Copyright © 2010 M. E. Kabay. All rights reserved. Cost and Benefits of SAS 70 Audits

17 Copyright © 2010 M. E. Kabay. All rights reserved. SAS 70 Audits Conclusion

18 Copyright © 2010 M. E. Kabay. All rights reserved. Sarbanes-Oxley  Introduction to SOX  Section 404  Achieving Compliance  Audit and Certification  SOX Conclusion

19 Copyright © 2010 M. E. Kabay. All rights reserved. Introduction to SOX

20 Copyright © 2010 M. E. Kabay. All rights reserved. Section 404

21 Copyright © 2010 M. E. Kabay. All rights reserved. Achieving Compliance

22 Copyright © 2010 M. E. Kabay. All rights reserved. Audit and Certification

23 Copyright © 2010 M. E. Kabay. All rights reserved. SOX Conclusion

24 Copyright © 2010 M. E. Kabay. All rights reserved. Addressing Multiple Regulations  Publicly Available Security Publications  Federal Information Systems Management Act (FISMA)  Risk Framework  Multiple Regulations and IS Audits Conclusion

25 Copyright © 2010 M. E. Kabay. All rights reserved. Publicly Available Security Publications

26 Copyright © 2010 M. E. Kabay. All rights reserved. Federal Information Systems Management Act (FISMA)

27 Copyright © 2010 M. E. Kabay. All rights reserved. Risk Framework

28 Copyright © 2010 M. E. Kabay. All rights reserved. Multiple Regulations and IS Audits Conclusion

29 Copyright © 2010 M. E. Kabay. All rights reserved. Technical Frameworks for IT Audits  Framework 1: People, Processes, Tools & Measures  Framework 2: STRIDE  Framework 3: PDIO  General Best Practices  Technical Frameworks Conclusion

30 Copyright © 2010 M. E. Kabay. All rights reserved. Framework 1: People, Processes, Tools & Measures

31 Copyright © 2010 M. E. Kabay. All rights reserved. Framework 2: STRIDE

32 Copyright © 2010 M. E. Kabay. All rights reserved. Framework 3: PDIO

33 Copyright © 2010 M. E. Kabay. All rights reserved. General Best Practices

34 Copyright © 2010 M. E. Kabay. All rights reserved. Technical Frameworks Conclusion

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.