Audit – Proof Information System Security Controls Wednesday, August 18, 2010 John R. Robles Tel: 787-647-3961.

1 Audit-Proof Information System Security Controls. Wednesday, August 18, 2010. John R. Robles, Email: jrobles@coqui.net, Tel: 787-647-3961. Puerto Rico Chapter.

2 Audit-Proof IS Security Controls
- For those of you who took the CISSP exam, an audit of your institution's IS security controls is a real-life CISSP exam.
- If you pass the CISSP exam, you can get certified.
- If you pass the audit examination, you get to keep your job.

3 So how can I pass an IS audit? And keep my job.
- 1st, reduce your stress levels.
- 2nd, prepare for your audit:
  - Have documentation of everything related to IS security controls.
  - Be prepared to answer questions and provide information.
- 3rd, argue with the auditor only if you know you are right and he/she is wrong (both conditions). If you are certified (CISA, CISM, CISSP) and he/she is not, you might argue.

4 Audit-Proof IS Security Controls
- Reduce your stress levels
  - Most likely, it's not your first audit experience.
  - If you are the CISO, then you have already been through an audit. Your audit results should get better with time.
  - If there were recommendations on your last audit, make sure you have remedied the exceptions.
  - Try to improve your evaluation score.
  - If it's your 1st audit and you are CISA, CISM, and/or CISSP, you know the theory. Review that theory, again.
  - 1st timers, get an audit work program (FDIC, etc.).

5 Audit-Proof IS Security Controls
- Review and provide documentation of everything related to IS security controls:
  - Institution's organization chart
  - Security dept. organization chart
  - Job descriptions
  - Security training schedules
  - Security dept. long- and short-range plans
  - Policies and procedures
  - List of all hardware and location
  - List of all software and location

6 Audit-Proof IS Security Controls
- Documentation (cont.):
  - List of vendors (hardware, software, security management services)
  - Network diagrams
  - List of authorized persons per application and system (local and remote)
  - Identify root and admin users
  - IS security configurations on PCs, servers, and networks
  - Business Continuity Plan

7 Audit-Proof IS Security Controls
- Lack of adequate documentation can impact the evaluation of your audit. It could cause auditors to look in more detail at your security controls and find more exceptions.
- Audit-proof security controls implies that all security controls are documented.
- Audit-proof IS security controls are those that the auditor expects to review, analyze, and report on.

8 Audit-Proof IS Security Controls
- Try to visualize security controls as the auditor would, that is, as:
  - Preventive security controls
  - Detective security controls
  - Corrective security controls
- Those controls should address the CIA (Confidentiality, Integrity, Availability) of the institution's information.

9 Audit-Proof IS Security Controls
- Be prepared to answer questions and provide information regarding how you maintain the Confidentiality of information.
  - Review what is confidential information.
  - Show the categorization of information.
  - If you know what is confidential and sensitive information, then you know what is not confidential and sensitive.
  - Show the Information System Risk Assessment and Risk Management program.

10 Audit-Proof IS Security Controls
- How do you protect the confidentiality?
  - Show / discuss policies related to Confidentiality and ACLs
  - Show / discuss Access Control Lists (ACLs) by application
  - Show / discuss Internet and remote access filtering via routers and firewalls
  - Show / discuss procedures to add entries to, change, and delete from the ACLs

11 Audit-Proof IS Security Controls
- Confidentiality (cont.)
- Show / discuss security controls to detect the violation of confidentiality:
  - Wrong-password limit and reset
  - Password structure and duration
  - Discuss logging of all access to all confidential information
  - Discuss physical access restrictions and logs
  - Discuss your router and firewall configurations
  - Discuss the setup of the DMZ
  - Discuss the security configuration of servers, PCs, routers, and firewalls

12 Audit-Proof IS Security Controls
- Detect violation of Confidentiality (cont.)
  - Show / discuss how access controls are tested to ensure violations are prevented, detected / notified, and corrected
  - Incident Response program: review this key security control when violations are discovered and notified
  - Discuss how major violations were detected, or NOT
  - Discuss how violation notifications were handled, or NOT
  - Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence
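The "wrong-password limit and reset" item on slide 11 and the "show how access controls are tested" item on slide 12 are detective controls for which an auditor will ask to see evidence. The following is an added example, not part of the presentation: a Python check that reads a constructed authentication log (the line format, the field names user/result/src, the five-failures-in-fifteen-minutes policy and the LOCKOUT event are all assumptions for the example) and reports every account that reached the lockout threshold, together with whether a lockout was actually recorded. A breach with no lockout is exactly the kind of "violation detected, or NOT" finding the slides tell you to be ready to discuss.

```python
"""Check of the 'wrong password limit' detective control (slides 11-12).

Added example, not from the presentation. Parses a constructed authentication
log (assumed format: ISO timestamp, then key=value fields user/result/src),
counts FAIL events per user inside a sliding window, and reports every user
who reached the lockout threshold, together with whether a LOCKOUT event was
actually recorded afterwards. Policy values are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 5                 # assumed policy: lock after 5 wrong passwords
WINDOW = timedelta(minutes=15)   # assumed policy: counted within 15 minutes

# Constructed sample log, not real data. alice is locked out correctly, bob's
# failures are spread over hours (never 5 inside the window), carol reaches
# the threshold and then logs in successfully with no lockout recorded.
SAMPLE_LOG = """\
2010-08-18T09:00:01 user=alice result=FAIL src=10.1.1.20
2010-08-18T09:00:04 user=alice result=FAIL src=10.1.1.20
2010-08-18T09:00:07 user=alice result=FAIL src=10.1.1.20
2010-08-18T09:00:10 user=alice result=FAIL src=10.1.1.20
2010-08-18T09:00:13 user=alice result=FAIL src=10.1.1.20
2010-08-18T09:00:13 user=alice result=LOCKOUT src=10.1.1.20
2010-08-18T09:05:00 user=bob result=FAIL src=10.1.1.21
2010-08-18T09:30:00 user=bob result=FAIL src=10.1.1.21
2010-08-18T10:00:00 user=bob result=FAIL src=10.1.1.21
2010-08-18T10:30:00 user=bob result=FAIL src=10.1.1.21
2010-08-18T11:00:00 user=bob result=FAIL src=10.1.1.21
2010-08-18T11:00:10 user=bob result=OK src=10.1.1.21
2010-08-18T12:00:00 user=carol result=FAIL src=10.1.1.22
2010-08-18T12:00:02 user=carol result=FAIL src=10.1.1.22
2010-08-18T12:00:04 user=carol result=FAIL src=10.1.1.22
2010-08-18T12:00:06 user=carol result=FAIL src=10.1.1.22
2010-08-18T12:00:08 user=carol result=FAIL src=10.1.1.22
2010-08-18T12:00:10 user=carol result=OK src=10.1.1.22
"""


def parse_line(line):
    """Turn one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_threshold_breaches(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {user: time at which the failure threshold was first reached}."""
    recent = defaultdict(list)   # user -> timestamps of failures inside the window
    breaches = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "FAIL":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.pop(0)
        if len(q) >= max_failures and ev["user"] not in breaches:
            breaches[ev["user"]] = ev["ts"]
    return breaches


def audit_lockout_control(events, max_failures=MAX_FAILURES, window=WINDOW):
    """One finding per breach: did a LOCKOUT for that user follow the breach?"""
    findings = []
    for user, when in find_threshold_breaches(events, max_failures, window).items():
        locked = any(e["user"] == user and e["result"] == "LOCKOUT" and e["ts"] >= when
                     for e in events)
        findings.append({"user": user,
                         "threshold_reached_at": when.isoformat(),
                         "lockout_recorded": locked})
    return findings


if __name__ == "__main__":
    for finding in audit_lockout_control(parse_log(SAMPLE_LOG)):
        status = "OK" if finding["lockout_recorded"] else "CONTROL FAILURE"
        print(f"{finding['user']}: threshold at {finding['threshold_reached_at']} -> {status}")
```

Run against the constructed log it reports alice as correctly locked out and carol as a control failure (five failures, then a successful login, no lockout); bob never trips the window. Swap in an export of your own authentication log and your institution's policy values to produce the evidence the auditor asks for.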

13 Audit-Proof IS Security Controls
- Be prepared to answer questions and provide information regarding how you maintain the Integrity of information.
  - Show / discuss the key security control of Change Management for hardware, software, network, and security parameters
  - Discuss approval, implementation, and testing of changes
  - Discuss actual changes to:
    - ACLs
    - Hardware, application software, and operating systems
    - Network hardware and software
    - Security settings on HW, SW, and network

14 Audit-Proof IS Security Controls
- Discuss how changes to HW, application SW, operating systems, and network are tested.
  - Discuss approved requisitions
  - Discuss approved tests of changes by user, IT personnel, and security personnel
  - Discuss tests of approved updated security configurations
  - Update related documentation:
    - List of approved HW, SW, network components
    - Network diagram

15 Audit-Proof IS Security Controls
- Detect violations of Integrity
  - Show / discuss how Change Management controls are tested to ensure integrity violations are prevented, detected / notified, and corrected
  - Discuss IP mapping software to detect unauthorized HW
  - Discuss prevention, detection, and removal of non-approved hardware (wired, wireless, PC-based, server-based)
  - Discuss virus, malware, and spam prevention, detection, and removal
  - Discuss the maintenance of server, PC, and network configuration documentation
  - Discuss IPS (Intrusion Prevention) and IDS (Intrusion Detection) elements

16 Audit-Proof IS Security Controls
- Look at the previous security controls as:
  - Preventive
  - Detective
  - Corrective
- Use documented base-line inventories of HW, SW, network, and security parameters (SW patches).
- Perform HW, SW, network scans to determine the actual inventory of HW, SW, network components, and security parameters.
- Compare the documented base-line approved components against the scanned components.
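The baseline-versus-scan comparison on slide 16 (and the "IP mapping software to detect unauthorized HW" item on slide 15) is a detective integrity control that is easy to show an auditor if the comparison is automated. The following is an added example, not the presenter's code: the approved baseline and the scan result are constructed inline in an assumed record format (IP, hostname, MAC, installed software, applied patches); in practice the baseline is the institution's approved inventory and the scan records come from its own discovery and patch tools. The comparison reports hosts not in the baseline, baseline hosts missing from the scan, MAC changes behind an approved IP, unapproved software, and missing patches.

```python
"""Baseline-versus-scan comparison for slides 15-16 (detective integrity control).

Added example, not part of the presentation. Record format, host names, MACs,
software and patch identifiers are all constructed for the example.
"""
from collections import Counter

# Constructed approved baseline: one record per authorized host, keyed by IP.
BASELINE = {
    "10.1.1.10": {"hostname": "core-db", "mac": "00:11:22:33:44:10",
                  "software": {"oracle-11g", "backup-agent"},
                  "patches": {"KB-2010-07", "KB-2010-08"}},
    "10.1.1.11": {"hostname": "web-dmz", "mac": "00:11:22:33:44:11",
                  "software": {"apache-2.2", "mod_security"},
                  "patches": {"KB-2010-07", "KB-2010-08"}},
    "10.1.1.12": {"hostname": "teller-pc-03", "mac": "00:11:22:33:44:12",
                  "software": {"office-2007", "teller-app"},
                  "patches": {"KB-2010-08"}},
    "10.1.1.13": {"hostname": "print-srv", "mac": "00:11:22:33:44:13",
                  "software": {"cups"},
                  "patches": {"KB-2010-08"}},
}

# Constructed scan output, as an IP-mapping / software-inventory scan might report it.
SCAN = [
    {"ip": "10.1.1.10", "hostname": "core-db", "mac": "00:11:22:33:44:10",
     "software": {"oracle-11g", "backup-agent"}, "patches": {"KB-2010-07", "KB-2010-08"}},
    {"ip": "10.1.1.11", "hostname": "web-dmz", "mac": "00:11:22:33:44:11",
     "software": {"apache-2.2", "mod_security", "ftpd"}, "patches": {"KB-2010-07"}},
    {"ip": "10.1.1.12", "hostname": "teller-pc-03", "mac": "aa:bb:cc:dd:ee:12",
     "software": {"office-2007", "teller-app"}, "patches": {"KB-2010-08"}},
    {"ip": "10.1.1.99", "hostname": "unknown", "mac": "aa:bb:cc:dd:ee:99",
     "software": set(), "patches": set()},
]


def compare_inventory(baseline, scan):
    """Return a list of (ip, finding_type, detail) tuples, one per deviation."""
    findings = []
    seen = set()
    for host in scan:
        ip = host["ip"]
        seen.add(ip)
        approved = baseline.get(ip)
        if approved is None:
            # Device answering on an address that no approved host should use.
            findings.append((ip, "unauthorized_host", host["mac"]))
            continue
        if host["mac"] != approved["mac"]:
            # Same IP, different hardware: possible swap of the approved device.
            findings.append((ip, "mac_mismatch", host["mac"]))
        for sw in sorted(host["software"] - approved["software"]):
            findings.append((ip, "unapproved_software", sw))
        for patch in sorted(approved["patches"] - host["patches"]):
            # Security parameter drift: an approved patch is no longer present.
            findings.append((ip, "missing_patch", patch))
    for ip in sorted(set(baseline) - seen):
        # Approved host that the scan did not find: moved, down, or removed.
        findings.append((ip, "missing_host", baseline[ip]["hostname"]))
    return findings


def summarize(findings):
    """Counts per finding type, the figure that goes into the audit evidence."""
    return dict(Counter(kind for _, kind, _ in findings))


if __name__ == "__main__":
    result = compare_inventory(BASELINE, SCAN)
    for ip, kind, detail in result:
        print(f"{ip:12} {kind:20} {detail}")
    print(summarize(result))
```

Run as-is it produces five findings: an unauthorized host at 10.1.1.99, a MAC change on the teller PC, an unapproved ftpd on the DMZ web server, a patch missing from that same server, and the print server absent from the scan. Each finding maps to a corrective action and to the "unauthorized hardware / software / changes to security parameters" categories that slide 17 asks you to be able to account for.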

17 Audit-Proof IS Security Controls
- Review the Incident Response program when integrity violations are discovered.
  - Discuss how major violations were detected, or NOT:
    - Unauthorized hardware
    - Unauthorized software applications / lack of appropriate SW licenses
    - Unauthorized? Viruses, malware, and spam?
    - Unauthorized changes to security parameters and hardware configurations
  - Discuss how violation notifications were handled, or NOT

18 Audit-Proof IS Security Controls
- Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence, e.g.:
  - Computer forensics: activate / secure all audit logs
  - More frequent scanning to maintain updated documented base-line inventories of HW, SW, network, and security parameters (SW patches)
  - More frequent and aggressive independent patrolling (prevention and detection) of the perimeter (DMZ) and inside networks
  - A better-equipped and knowledgeable IS Security Dept.
  - Improved security training of institution personnel

19 Audit-Proof IS Security Controls
- How do you provide for the Availability of hardware, application software, system software, and network HW and SW?
  - Show / discuss the Business Impact Analysis
  - Show / discuss critical IT resources:
    - Functions
    - Personnel
    - HW, SW, network
    - Space
    - Vendors

20 Audit-Proof IS Security Controls
- Security controls to prevent unavailability
  - HW
    - HW redundancy
    - Off-site recovery site with required and minimal HW
  - SW
    - Backup of required software and data
  - Alternate routes to the outside
    - Dual telecom providers for voice and data

21 Audit-Proof IS Security Controls
- The famous Business Continuity Plan (BCP)
  - Have it! If you don't have one, give me a call!
  - Test it! (at least annually)
  - Update it! (based on test results)
- It should cover all critical functions of the institution.

22 Summary of Audit-Proof IS Security Controls
- Provide a lot of documentation: the more, the better
- Fix all previous audit issues
- Review Confidentiality security controls
- Review Integrity security controls
- Review Availability security controls
- Define CIA security controls as:
  - Preventive controls
  - Detective controls
  - Corrective controls

23 Audit-Proof IS Security Controls. Thank You! John R. Robles, Email: jrobles@coqui.net, Tel: 787-647-396, www.johnrrobles.com

