IS4680 Security Auditing for Compliance


1 IS4680 Security Auditing for Compliance
Unit 4 Conducting and Reporting an IT Infrastructure Compliance Audit

2 Class Agenda 7/11/16
Covers Chapter 6 and 7
Learning Objectives
Lesson Presentation and Discussions
Discussion on Assignments
Discussion on Lab Activities
Lab will be performed in class
Break Times as per School Regulation
Discussion on Project

3 Learning Objective Describe the different parameters required to conduct and report on an information technology (IT) infrastructure audit for organizational compliance.

4 Key Concepts
Auditing in a layered fashion, and the benefits of a security assessment
Proper configuration and implementation of security controls and countermeasures
Benefits of reporting risks, threats, and vulnerabilities in an IT security assessment
IT security controls and countermeasure gap analysis
Compliance recommendations

5 EXPLORE: CONCEPTS

6 Parameters to Conduct IT Infrastructure Audit
An adequate plan
Establishing baselines
Identifying an acceptable level of risk across the organization
The presence of adequate controls or countermeasures

7 Gap Analysis A technique used to determine the steps an organization must take to move from its current state to its desired future state. Also called need-gap analysis, needs analysis, and needs assessment.

8 Countermeasures for Gap Analysis
Within the gap analysis report, the following must be included as countermeasures:
Respecting intellectual property rights (IPR): Organizations, regardless of size, depend on proprietary software and other intangible assets.

9 Countermeasures for Gap Analysis (Continued)
Protecting and retaining organizational records: Laws and regulations set time periods for which organizations must hold and protect specific types of data.
Protecting personal information: Numerous laws have been enacted to protect the collection, processing, and storage of personal information.

10 Countermeasures for Gap Analysis (Continued)
Preventing users from using systems for unauthorized purposes: Because legislation provides protection against computer misuse, organizations are required to meet requirements for security monitoring and access notification.

11 Countermeasures for Gap Analysis (Continued)
Managing the proper use and import or export of cryptographic controls: Although laws have been relaxed in recent years, there are legal restrictions on the export of cryptographic technology to “rogue states” or terrorist organizations.

12 Effect of Security Assessments on Audit
There are different approaches to identify security weaknesses within an organization. Some of the approaches include the following:
Network scan: Provides information pertaining to the environment.
Vulnerability scan: Provides the fundamental process for managing vulnerabilities.
Penetration test: Provides an active hands-on assessment that uses methods similar to what a real-world attacker might use.

13 EXPLORE: PROCESSES

14 Layered Audit A layered audit approach across the domains of the IT infrastructure will be necessary when systems span across the domains. This is especially evident in audits of a particular process and an external audit over financial-reporting controls.

15 Layered Audit (Continued)
Organizational financial systems can span across multiple domains and even include third-party providers, such as payroll service providers. The auditor has to verify the controls considering the process and the infrastructure that the process uses.

16 IT Infrastructure Compliance Audit Procedure
Step 1 Complete security assessment
Step 2 Complete IT security audit
Step 3 Use automated audit reporting tools
Step 4 Review configurations and implement or change compliance requirements based on findings

17 IT Infrastructure Compliance Audit Procedure (Continued)
Step 5 Perform additional testing and monitoring to verify and validate
Step 6 Implement security controls and countermeasures
Step 7 Produce new baseline
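The gap analysis from slide 7 and steps 4 through 7 of the procedure above can be worked through in code. The following is an added example, not material from the course deck or its textbook: it compares an assessed control state against a baseline of required controls (each tied to one of the countermeasure categories on slides 8 to 11), produces findings whose recommendations are explicitly linked to the finding they address (the point made later on slide 23), scores the remaining gap, and records the verified remediation as the new baseline. The control ids, control names and observed states are constructed for illustration.

```python
"""Control gap analysis against a compliance baseline (added example, not the course's own code)."""
from dataclasses import dataclass

# Constructed baseline (hypothetical control ids and names): the controls the
# organization has decided it must have, each tied to the compliance
# requirement it supports.
BASELINE = {
    "C-01": {"control": "Full-disk encryption on laptops",
             "requirement": "Protecting personal information"},
    "C-02": {"control": "Records retention schedule enforced",
             "requirement": "Protecting and retaining organizational records"},
    "C-03": {"control": "Login banner and access-monitoring notice",
             "requirement": "Preventing users from using systems for unauthorized purposes"},
    "C-04": {"control": "Software license inventory",
             "requirement": "Respecting intellectual property rights"},
    "C-05": {"control": "Export review for cryptographic modules",
             "requirement": "Managing the proper use and import or export of cryptographic controls"},
}

# Constructed assessment results (steps 1 and 2): control id -> observed state.
# C-05 was never assessed, so it is deliberately absent.
OBSERVED = {
    "C-01": "implemented",
    "C-02": "partial",
    "C-03": "missing",
    "C-04": "implemented",
}

# Weight used to rank gaps; a control that was not assessed is treated as missing.
RISK_WEIGHT = {"implemented": 0, "partial": 1, "missing": 2}


@dataclass
class Finding:
    control_id: str
    control: str
    requirement: str
    observed: str
    recommendation: str


def gap_analysis(baseline, observed):
    """Compare the observed control state against the baseline (step 4).

    Every baseline control that is not fully implemented becomes one finding,
    and each recommendation names the finding it addresses so the two stay
    logically tied together in the report."""
    findings = []
    for control_id, spec in sorted(baseline.items()):
        state = observed.get(control_id, "missing")  # unassessed counts as missing
        if state == "implemented":
            continue
        action = "Implement" if state == "missing" else "Complete implementation of"
        recommendation = f"{action} '{spec['control']}' (addresses finding {control_id})"
        findings.append(Finding(control_id, spec["control"], spec["requirement"],
                                state, recommendation))
    # Highest-risk gaps first; Python's sort is stable, so equal-weight findings
    # keep their control-id order.
    findings.sort(key=lambda f: RISK_WEIGHT[f.observed], reverse=True)
    return findings


def gap_score(baseline, observed):
    """Fraction of the worst possible gap that remains (0.0 means fully aligned)."""
    worst = RISK_WEIGHT["missing"] * len(baseline)
    current = sum(RISK_WEIGHT[observed.get(cid, "missing")] for cid in baseline)
    return current / worst


def apply_remediation(observed, verified_ids):
    """Steps 5 to 7: once remediation of the given controls has been verified,
    record them as implemented and return the result as the new baseline state."""
    updated = dict(observed)
    for cid in verified_ids:
        updated[cid] = "implemented"
    return updated


def render_report(findings):
    """Plain-text gap analysis report, one finding per block."""
    lines = ["Gap analysis report", "==================="]
    for f in findings:
        lines.append(f"[{f.observed.upper():8}] {f.control_id} {f.control}")
        lines.append(f"           requirement:    {f.requirement}")
        lines.append(f"           recommendation: {f.recommendation}")
    return "\n".join(lines)


if __name__ == "__main__":
    findings = gap_analysis(BASELINE, OBSERVED)
    print(render_report(findings))
    print(f"gap score before remediation: {gap_score(BASELINE, OBSERVED):.2f}")
    after = apply_remediation(OBSERVED, {"C-03", "C-05"})
    print(f"gap score after remediation:  {gap_score(BASELINE, after):.2f}")
    print(render_report(gap_analysis(BASELINE, after)))
```

Running the block lists the two missing controls ahead of the partial one, reports a gap score of 0.50, and after C-03 and C-05 are verified as remediated leaves only the partial retention control with a score of 0.10. Treating an unassessed control as missing is a deliberate design choice: it keeps a control from silently disappearing from the report just because no one measured it.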

18 EXPLORE: ROLES

19 Roles
Senior managers
IT managers
IT auditors

20 Roles (Continued)
Data owners
System administrators
Risk managers

21 EXPLORE: RATIONALE

22 Benefits Associated with Compliance Recommendations
Better alignment with organizational governance
Reduction of risks
Policy alignment with business objectives
Being compliant with regulatory requirements

23 Benefits of Audits Audits sometimes reveal major risks or compliance gaps. The final reports may include recommendations supported by the audit findings. Each recommended action should be logically tied to a finding for which the problem has also been identified. A recommendation is more valuable to the organization when it is specific, sensible, and cost effective.

24 Benefits of Audits (Continued)
Ultimately, the objective is to consider the processes and inputs up to this point and clearly communicate the following:
Recommended actions to lessen control weaknesses.
Recommended actions to comply with applicable laws and regulations.
Comparisons and gaps to standards and accepted frameworks, and recommendations to narrow the gap.

25 Summary In this presentation, the following were covered:
Parameters to conduct an IT infrastructure audit, countermeasures for gap analysis, and the effect of security assessments on an audit
Steps for a layered audit and an IT infrastructure compliance audit
Roles and responsibilities related to an IT infrastructure compliance audit
Benefits of compliance recommendations and auditing

26 Assignment and Lab
Discussion 4.1 The Importance of Job Role Separation in Organizations
Lab 4.2 Align an IT Security Assessment to Achieve Compliance
Assignment 4.3 IT Security Controls and Countermeasure Gap Analysis
