PLANNING FOR SECURITY
&
SECURITY AUDIT PROCESS
SECURITY & RISK MANAGEMENT
MODULE 6
DIVYA TIWARI
MEIT
TERNA ENGINEERING COLLEGE
Information Security Planning and Governance, Information Security Policy Standards, EISP, ISSP, SysSP, Policy Management,
Pre-planning audit, Audit Risk Management, Performing Audit, Internal Controls, Audit Evidence, Audit Testing, Audit Finding,
Follow-up activities
PLANNING FOR SECURITY
• Information Security Planning and Governance
• Information Security Policy, Standards and Practices
• Enterprise Information Security Policy (EISP)
• Issue-Specific Security Policy (ISSP)
• System-Specific Policy (SysSP)
• Policy Management
Information Security Planning and Governance
• Strategic planning provides a long-term direction to be taken by the whole organization and
also by each of its component parts.
• Strategic planning should guide organizational efforts and focus resources toward specific,
clearly defined goals.
The strategy flows down through the organization in the following sequence:
1. The organization develops a general strategy.
2. The overall strategic plan is broken down into plans for the major divisions.
3. Each level of division then translates the plan objectives into more specific objectives.
4. The executive team, also called the C-level of the organization, defines individual
responsibilities.
5. Each individual in the organization works towards executing the broad strategy and turns the
general strategy into action.
Planning Levels
• Once organization’s overall strategic plan is translated into strategic plans for each major
division or operation, next step is to translate these plans into tactical objectives that move
toward reaching specific, measurable, achievable and time-bound accomplishments.
• Strategic plans are used to create tactical plans, which are in turn used to develop operational
plans.
• Tactical planning focuses on shorter-term undertakings that will be completed within one or
two years.
• Tactical planning breaks each strategic goal into a series of incremental objectives.
• Each objective in a tactical plan should be specific and should have a delivery date within a
year of the plan’s start.
• Budgeting, resource allocation, and personnel are critical components of the tactical plan.
• Tactical plans often include project plans and resource acquisition planning documents (such
as product specifications), project budgets, project reviews, and monthly and annual reports.
• Since tactical plans are often created for specific projects, some organizations call this
process project planning or intermediate planning.
• The chief information security officer (CISO) and the security managers use the tactical plan
to organize, prioritize, and acquire resources necessary for major projects and to provide
support for the overall strategic plan.
• Managers and employees use operational plans, which are derived from the tactical plans, to
organize the ongoing, day-to-day performance of tasks.
• An operational plan includes the necessary tasks for all relevant departments, as well as
communication and reporting requirements, which might include weekly meetings, progress
reports, and other associated tasks.
• These plans must reflect the organizational structure, with each subunit, department, or
project team conducting its own operational planning and reporting.
• Frequent communication and feedback from the teams to the project managers and/or team
leaders, and then up to the various management levels, makes the planning process more
manageable and successful.
Planning and the CISO
• The first priority of the CISO and the information security management team is the creation
of a strategic plan to accomplish the organization’s information security objectives.
• Although each organization may have its own format for the design and distribution of a
strategic plan, the fundamental elements of planning share characteristics across all types of
enterprises.
• The plan is an evolving statement of how the CISO and the various elements of the
organization will implement the objectives of the information security charter.
Information Security Governance
• Governance is the set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and verifying that the
enterprise’s resources are used responsibly.
• In order to secure information assets, an organization’s management must integrate
information security practices into the fabric of the organization, expanding corporate
governance policies and controls to encompass the objectives of the information security
process.
• Information security objectives must be addressed at the highest levels of an organization’s
management team in order to be effective and sustainable.
• A broader view of information security encompasses all of an organization’s information
assets, including the knowledge managed by those IT assets.
• According to the Information Technology Governance Institute (ITGI), information security
governance includes all of the accountabilities and methods undertaken by the board of
directors and executive management to provide strategic direction, establishment of
objectives, measurement of progress toward those objectives, verification that risk
management practices are appropriate, and validation that the organization’s assets are used
properly.
Information Security Governance Outcomes
• Effective communication among stakeholders is critical to the structures and processes used
in governance at every level especially in information security governance.
• This requires the development of constructive relationships, a common language, and a
commitment to the objectives of the organization.
Five Goals of Information Security Governance are as follows:
1. Strategic alignment of information security with business strategy to support organizational
objectives
2. Risk management by executing appropriate measures to manage and mitigate threats to
information resources
3. Resource management by utilizing information security knowledge and infrastructure efficiently
and effectively
4. Performance measurement by measuring, monitoring, and reporting information security
governance metrics to ensure that organizational objectives are achieved
5. Value delivery by optimizing information security investments in support of organizational
objectives
Governance Framework
• Corporate Governance Task Force (CGTF) recommends that organizations follow an
established framework, such as the IDEAL framework from the Carnegie Mellon University
Software Engineering Institute.
• This framework, which is described in the document “Information Security Governance:
Call to Action,” defines the responsibilities of:
(1) the board of directors or trustees
(2) the senior organizational executive (i.e., CEO)
(3) executive team members
(4) senior managers
(5) all employees and users.
Information Security Policy, Standards and Practices
Policies, Standards, and Practices
• For a policy to be effective and thus legally enforceable, it must meet the given criteria:
1. Dissemination (distribution)
2. Review (reading)
3. Comprehension (understanding)
4. Compliance (agreement)
5. Uniform enforcement
Enterprise Information Security Policy (EISP)
• An enterprise information security policy (EISP) is also known as a general security policy,
organizational security policy, IT security policy, or information security policy.
• The EISP guides the development, implementation, and management of the security
program.
• It sets out the requirements that must be met by the information security blueprint or
framework.
• It defines the purpose, scope, constraints, and applicability of the security program.
• It also assigns responsibilities for the various areas of security, including systems
administration, maintenance of the information security policies, and the practices and
responsibilities of the users. It also addresses legal compliance.
• According to the National Institute of Standards and Technology (NIST), the EISP typically
addresses compliance in the following two areas:
1. General compliance to ensure meeting the requirements to establish a program and
the responsibilities assigned therein to various organizational components.
2. The use of specified penalties and disciplinary action.
• Although the specifics of EISPs vary from organization to organization, most EISP documents
should include the following elements:
1. An overview of the corporate philosophy on security.
2. Information on the structure of the information security organization and individuals who
fulfill the information security role.
3. Fully articulated responsibilities for security that are shared by all members of the
organization (employees, contractors, consultants, partners, and visitors).
4. Fully articulated responsibilities for security that are unique to each role within the
organization.
Issue-Specific Security Policy (ISSP)
• As an organization executes various technologies and processes to support routine
operations, it must instruct employees on the proper use of these technologies and
processes.
• Issue-specific security policy, or ISSP:
(1) addresses specific areas of technology.
(2) requires frequent updates.
(3) contains a statement on the organization’s position on a specific issue.
• There are number of approaches to creating and managing ISSPs within an organization.
• Three of the most common are:
1. Independent ISSP documents, each tailored to a specific issue.
2. A single comprehensive ISSP document covering all issues.
3. A modular ISSP document that unifies policy creation and administration, while
maintaining each specific issue’s requirements
Systems-Specific Policy (SysSP)
• SysSPs function as standards or procedures to be used when configuring or maintaining
systems.
• For example, a SysSP might describe the configuration and operation of a network firewall.
Types of SysSP
• Managerial Guidance SysSP
• Technical Specifications SysSP
• Combination SysSP
Managerial Guidance SysSPs
• A managerial guidance SysSP document is created by management to guide the
implementation and configuration of technology as well as to address the behavior of people
in the organization in ways that support the security of information.
• For example, while the method for implementing a firewall belongs in the technical
specifications SysSP, the firewall’s configuration must follow guidelines established by
management.
• An organization might not want its employees to access the Internet via the organization’s
network, for instance; in that case, the firewall should be implemented accordingly.
• Firewalls are not the only technology that may require system-specific policies. Any system
that affects the confidentiality, integrity, or availability of information must be assessed to
evaluate the trade-off between improved security and restrictions.
Technical Specifications SysSP
• A manager can work with a systems administrator to create managerial guidance.
• Similarly, the systems administrator may need to create a policy to implement the managerial
policy.
• Each type of equipment requires its own set of policies, which are used to translate the
management intent for the technical control into an enforceable technical approach.
• For example, an ISSP may require that user passwords be changed quarterly; a systems
administrator can implement a technical control within a specific application to enforce this
policy.
• There are two general methods of implementing such technical controls:
1. access control lists
2. configuration rules.
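The two technical-control methods named above, as an added example that is not part of the original slides: a configuration rule that flags accounts whose password is older than the "changed quarterly" ISSP requirement (90 days is an assumed interpretation of "quarterly"), and a first-match, default-deny access control list evaluator. The account records, ACL entries and dates are constructed sample data, not from any real system.

```python
"""Added example (not from the slides): two technical-specification SysSP controls
that turn management intent into an enforceable technical check."""
from datetime import date, timedelta

# Constructed sample directory export: username -> date of last password change
ACCOUNTS = {
    "alice": date(2024, 1, 15),
    "bob": date(2023, 9, 1),
    "carol": date(2024, 3, 30),
}


def stale_password_accounts(accounts, as_of, max_age_days=90):
    """Configuration rule: return accounts whose password is older than the policy allows.

    Implements the ISSP statement 'passwords must be changed quarterly'; the
    90-day limit is an assumption standing in for 'quarterly'.
    """
    limit = as_of - timedelta(days=max_age_days)
    return sorted(user for user, changed in accounts.items() if changed < limit)


# Constructed ACL: ordered entries (principal, action, resource, effect);
# the first matching entry decides, and '*' as action matches any action.
ACL = [
    ("alice", "read", "payroll-db", "allow"),
    ("bob", "*", "payroll-db", "deny"),
    ("finance", "write", "payroll-db", "allow"),
]


def acl_decision(acl, subject, groups, action, resource):
    """Access control list: return 'allow' or 'deny' for a request.

    Principals are the user plus any group memberships. When nothing matches the
    request, the answer is 'deny' (default deny), so a missing entry never grants
    access by accident.
    """
    principals = {subject, *groups}
    for who, act, res, effect in acl:
        if who in principals and res == resource and act in ("*", action):
            return effect
    return "deny"


if __name__ == "__main__":
    # Reviewing the constructed data as of 1 April 2024 flags only 'bob'.
    print("stale passwords:", stale_password_accounts(ACCOUNTS, date(2024, 4, 1)))
    print("alice read payroll-db:", acl_decision(ACL, "alice", set(), "read", "payroll-db"))
    print("bob write payroll-db (finance member):",
          acl_decision(ACL, "bob", {"finance"}, "write", "payroll-db"))
    print("dave read payroll-db (finance member):",
          acl_decision(ACL, "dave", {"finance"}, "read", "payroll-db"))
```

The ordering of ACL entries matters: bob's explicit deny sits before the finance group allow, so group membership cannot override an individual deny. The password check reports accounts rather than acting on them, which is the shape an auditor would want when testing whether the control is actually in place.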
Combination SysSPs
• Many organizations create a single document that combines the management guidance
SysSP and the technical specifications SysSP.
• If this approach is employed, care should be taken to clearly articulate the required actions.
• This policy is a hybrid document that combines policy with procedural guidance for the
convenience of the implementers of the system being managed.
• This approach is best used by organizations that have multiple technical control systems of
different types, and by smaller organizations that are seeking to document policy and
procedure in a compact format.
Policy Management
• Policies are living documents that must be managed.
• These documents must be properly disseminated (distributed, read, understood, agreed to,
and uniformly applied) and managed.
• When two companies merge but retain separate policies, the difficulty of implementing
security controls increases.
• Likewise, when one company with unified policies splits in two, each new company may
require different policies.
• To remain viable, security policies must have:
1. a responsible individual
2. a schedule of reviews
3. a method for making recommendations for reviews
4. policy issuance and revision date.
SECURITY AUDIT PROCESS
• Preplanning Audits
• Audit Risk Assessment
• Performing Audit
• Internal Controls
• Audit Evidence
• Audit Testing
• Audit Finding
• Follow-up activities
Preplanning Audits
• The first step in preplanning is to ask, “What is the objective of this particular audit?”
• The objective may be compliance to a particular standard, surveillance auditing as follow-
up to determine if the staff is still adhering to their own procedures, or something that is
new.
• An excellent method for determining the scope is to start a discussion asking questions
about six key areas.
• Scope is defined as a boundary of what is included and what is not.
Some example questions and topics are given below:
1. Management: What are the business rules and objectives? Has management formally
adopted a standard to be followed? Does management require their systems to be
certified? Does executive management provide accreditation of the complete
hardware/software system before it enters production?
2. Data: What data is involved? Is this customer data, engineering data, financial data? Are
there any regulations governing data restrictions, acceptable or unacceptable use?
3. Intended Usage in Their Workflow: How is this data used? What is it for? Possibly a
manual operation? Is it part of a software application? Ask for their workflow diagram.
4. Technology Platform: Is this data controlled in a computer program? In a file cabinet?
Transmitted wirelessly on cell phones?
5. Facilities: Where does the work get done? Are the main systems located here or
somewhere else? How much space is required to accommodate the staff? Where are the
customers located?
6. People Involved: Who are the people we will work with on the client side? Who are the
people on the auditee side? Using the skills matrix for reference, who is available to be on
the audit team? Do we have the appropriate technical experts available?
Audit Risk Assessment
• The purpose of a risk assessment is to ensure that sufficient evidence will be collected
during an audit.
• An audit risk assessment should take into account the following types of risks:
1. Inherent Risks: These are natural or built-in risks that always exist. Driving your
automobile holds the inherent risk of an automobile accident or a flat tire. Theft is an
inherent risk for items of high value.
2. Detection Risks: These are the risks that an auditor will not be able to detect what is
being sought. It would be terrible to report no negative results when material conditions
(faults) actually exist. Detection risks include sampling and nonsampling risks.
a) Sampling Risks: These are the risks that an auditor will falsely accept or erroneously
reject an audit sample (evidence).
b) Nonsampling Risks: These are the risks that an auditor will fail to detect a condition
because of not applying the appropriate procedure or using procedures inconsistent
with the audit objective (detection fault).
3. Control Risks: These are the risks that an auditor could lose control, errors could be
introduced, or errors may not be corrected in a timely manner (if ever).
4. Business Risks: These are risks that are inherent in the business or industry itself. They
may be regulatory, contractual, or financial.
5. Operational Risks: These are the risks that a process or procedure will not perform
correctly.
6. Residual Risks: These are the risks that remain after all mitigation and control efforts are
performed.
7. Technological Risks: These are inherent risks of using automated technology. Systems do
fail.
8. Audit Risks: These are the combination of inherent, detection, control, and residual risks.
Will your audit be able to accurately prove or disprove the target objective? Is the audit
scope, time allotted, sponsor’s political strength, priorities, and available technical abilities
sufficient?
Performing the Audit
• Here one needs to make sure the appropriate staff are available, ensure audit quality control,
define auditee communications, perform proper data collection, and review existing
controls.
• In order to perform a real audit, one must carry out the following activities:
1. Selecting the Audit Team
2. Determining Competence and Evaluating Auditors
3. Creating a Skills Matrix
4. Using the Work of Other People
5. Ensuring Audit Quality Control
6. Establishing Contact with the Auditee
7. Making Initial Contact with the Auditee
Internal Controls
• Every auditor should consider two fundamental issues concerning internal control:
• Issue 1: Management is often exempt from controls.
• Issue 2: How controls are implemented determines the level of assurance.
• The basic framework of controls follows the ISACA standards.
• The controls are summarized here:
• General Controls (Overall)
• Pervasive Controls (Follows Technology)
• Detailed Controls (Tasks)
• Application Controls (Embedded in Programs)
• Reviewing Existing Controls
Audit Evidence
• Evidence will either prove or disprove a point. The absence of evidence is the absence of
proof. Despite your best efforts, if you’re unable to prove those points, you would receive
zero credit for your efforts.
• An auditor should not give any credit to claims or positive assertions that cannot be
documented by evidence. No evidence, no proof equals no credit.
• There are two primary types of evidence, according to legal definition:
• Direct Evidence.
• Indirect Evidence.
• Examples of the various types of audit evidence include the following:
• Documentary evidence, which can include a business record of transactions, receipts,
invoices, and logs
• Data extraction, which uses automated tools to mine details from data files
• Auditee claims, which are representations made in oral or written statements
• Analysis of plans, policies, procedures, and flowcharts
• Results of compliance and substantive audit tests
• Auditor’s observations of auditee work or re-performance of the selected process
Audit Testing
• Compliance Testing
Compliance testing tests for the presence or absence of something. Compliance testing
includes verifying that policies and procedures have been put in place, and checking that
user access rights, program change control procedures, and system audit logs have been
activated. An example of a compliance test is comparing the list of persons with physical
access to the datacenter against the HR list of current employees.
• Substantive Testing
Substantive testing seeks to verify the content and integrity of evidence. Substantive tests
may include complex calculations to verify account balances, perform physical inventory
counts, or execute sample transactions to verify the accuracy of supporting
documentation. Substantive tests use audit samples selected by dollar value or to project
(forecast or estimate) a total for groups with related characteristics.
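The two kinds of test described above, as an added example that is not part of the original slides: the compliance test is the one the text names (physical access list compared against the HR list of current employees), and the substantive test re-performs a calculation on supporting documentation and selects a sample by dollar value. The badge export, HR roster and invoice records are constructed sample evidence.

```python
"""Added example (not from the slides): a compliance test and a substantive test
run over constructed audit evidence."""
from decimal import Decimal

# Constructed evidence: badge-system export and HR roster of current employees
BADGE_ACCESS = {"alice", "bob", "erin", "svc-hvac"}
HR_CURRENT = {"alice", "bob", "carol"}
# Documented non-employee badge (a vendor account), recorded as an approved exception
KNOWN_EXCEPTIONS = {"svc-hvac"}


def compliance_test_datacenter_access(badges, hr_roster, exceptions=frozenset()):
    """Compliance test: presence/absence check.

    Returns badge holders with physical access who are neither current employees
    nor a documented exception. Each name is a finding: access that should have
    been revoked. An empty list means the control is operating as stated.
    """
    return sorted(badges - hr_roster - exceptions)


# Constructed ledger sample: invoice id -> (reported total, line-item amounts)
INVOICES = {
    "INV-1": (Decimal("150.00"), [Decimal("100.00"), Decimal("50.00")]),
    "INV-2": (Decimal("99.99"), [Decimal("49.99"), Decimal("40.00")]),
    "INV-3": (Decimal("1200.00"), [Decimal("1200.00")]),
}


def select_sample_by_value(invoices, minimum_total):
    """Sample selection by dollar value: every invoice at or above the threshold.

    Substantive tests often select all high-value items rather than a random
    subset, so a single large error cannot hide in an unsampled record.
    """
    return sorted(inv for inv, (reported, _) in invoices.items()
                  if reported >= minimum_total)


def substantive_test_invoice_totals(invoices, sample=None):
    """Substantive test: re-perform the calculation and compare to the reported figure.

    Returns a dict of invoice id -> (reported, recomputed) for every mismatch.
    Decimal is used so that money arithmetic is exact; floating point would
    produce false mismatches from rounding.
    """
    findings = {}
    for inv, (reported, lines) in invoices.items():
        if sample is not None and inv not in sample:
            continue
        recomputed = sum(lines, Decimal("0"))
        if recomputed != reported:
            findings[inv] = (reported, recomputed)
    return findings


if __name__ == "__main__":
    print("access findings:",
          compliance_test_datacenter_access(BADGE_ACCESS, HR_CURRENT, KNOWN_EXCEPTIONS))
    print("high-value sample:", select_sample_by_value(INVOICES, Decimal("100")))
    print("total mismatches:", substantive_test_invoice_totals(INVOICES))
```

The compliance test answers only "is the control present?": erin holds a badge but is not on the roster, which is the finding regardless of whether erin ever entered the room. The substantive test goes further and checks the content of the evidence itself; INV-2 reports 99.99 but its line items sum to 89.99, so the supporting documentation does not back the reported figure.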
Audit Findings
• There are two concerns as auditors related to testing:
1. sufficiency of evidence
2. contradictory evidence
• Detecting Irregularities and Illegal Acts.
• Indicators of Illegal or Irregular Activity.
• Responding to Irregular or Illegal Activity.
• Findings Outside of Audit Scope.
• Report Findings.
Follow-up Activities
• After issuing a report, you are required to conduct an exit interview with management to
obtain a commitment for the recommendations made in your audit. Management is
responsible for acknowledging the recommendations and designating whatever corrective
action will be taken, including the estimated dates for the action.
• Sometimes events of concern are discovered, or occur, after an audit has been completed.
You should be concerned about the discovery of subsequent events that pose a material
challenge to your final report. Accounting standards recognize these events and classify
them as follows:
• Type 1 events refer to those that occurred before the balance sheet date.
• Type 2 events are those that occurred after the balance sheet date.
• Depending on the type of audit, you may have additional reporting requirements or
activities.
MU Exam Questions
May 2017
• What are the components of Enterprise Information Security Policy (EISP)? Compare with Issue
Specific Security Policy SysSP. 10 marks
• Explain what is information planning and governance. What are information policy standards?
10 marks
Dec 2017
• Explain what is information planning and governance. What are information policy standards?
10 marks
• Explain the role of the Audit Committee and how it helps the organization. What is the need of
conducting Audit? 10 marks
May 2018
• SN: Enterprise Information Security Policy (EISP). 5 marks
Dec 2018
• Explain information security policy standards. 10 marks
• SN: Security Audit process. 5 marks
May 2019
• Explain what is information planning and governance. What are information policy standards?
10 marks
• Explain the role of the Audit Committee and how it helps the organization. What is the need of
conducting Audit? 10 marks
Assuring Digital Strategic Initiatives by
 
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016CISA Training - Chapter 2 - 2016
CISA Training - Chapter 2 - 2016
 
Human Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptxHuman Factors_MODULE_2.pptx
Human Factors_MODULE_2.pptx
 
unit 3 security plans and policies.pptx
unit 3 security plans and policies.pptxunit 3 security plans and policies.pptx
unit 3 security plans and policies.pptx
 
Its time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primerIts time to rethink everything a governance risk compliance primer
Its time to rethink everything a governance risk compliance primer
 

Plus de Divya Tiwari

Digital stick by Divya & Kanti
Digital stick by Divya & KantiDigital stick by Divya & Kanti
Digital stick by Divya & KantiDivya Tiwari
 
Predicting house price
Predicting house pricePredicting house price
Predicting house priceDivya Tiwari
 
Testing strategies -2
Testing strategies -2Testing strategies -2
Testing strategies -2Divya Tiwari
 
Testing strategies part -1
Testing strategies part -1Testing strategies part -1
Testing strategies part -1Divya Tiwari
 
Performance measures
Performance measuresPerformance measures
Performance measuresDivya Tiwari
 
Programming using MPI and OpenMP
Programming using MPI and OpenMPProgramming using MPI and OpenMP
Programming using MPI and OpenMPDivya Tiwari
 
IoT applications and use cases part-2
IoT applications and use cases part-2IoT applications and use cases part-2
IoT applications and use cases part-2Divya Tiwari
 
Io t applications and use cases part-1
Io t applications and use cases part-1Io t applications and use cases part-1
Io t applications and use cases part-1Divya Tiwari
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principlesDivya Tiwari
 
Responsive web design with html5 and css3
Responsive web design with html5 and css3Responsive web design with html5 and css3
Responsive web design with html5 and css3Divya Tiwari
 
Mac protocols for ad hoc wireless networks
Mac protocols for ad hoc wireless networks Mac protocols for ad hoc wireless networks
Mac protocols for ad hoc wireless networks Divya Tiwari
 
Routing protocols for ad hoc wireless networks
Routing protocols for ad hoc wireless networks Routing protocols for ad hoc wireless networks
Routing protocols for ad hoc wireless networks Divya Tiwari
 

Plus de Divya Tiwari (13)

Digital stick by Divya & Kanti
Digital stick by Divya & KantiDigital stick by Divya & Kanti
Digital stick by Divya & Kanti
 
Predicting house price
Predicting house pricePredicting house price
Predicting house price
 
Testing strategies -2
Testing strategies -2Testing strategies -2
Testing strategies -2
 
Testing strategies part -1
Testing strategies part -1Testing strategies part -1
Testing strategies part -1
 
Performance measures
Performance measuresPerformance measures
Performance measures
 
Programming using MPI and OpenMP
Programming using MPI and OpenMPProgramming using MPI and OpenMP
Programming using MPI and OpenMP
 
IoT applications and use cases part-2
IoT applications and use cases part-2IoT applications and use cases part-2
IoT applications and use cases part-2
 
Io t applications and use cases part-1
Io t applications and use cases part-1Io t applications and use cases part-1
Io t applications and use cases part-1
 
Security management concepts and principles
Security management concepts and principlesSecurity management concepts and principles
Security management concepts and principles
 
Web services
Web servicesWeb services
Web services
 
Responsive web design with html5 and css3
Responsive web design with html5 and css3Responsive web design with html5 and css3
Responsive web design with html5 and css3
 
Mac protocols for ad hoc wireless networks
Mac protocols for ad hoc wireless networks Mac protocols for ad hoc wireless networks
Mac protocols for ad hoc wireless networks
 
Routing protocols for ad hoc wireless networks
Routing protocols for ad hoc wireless networks Routing protocols for ad hoc wireless networks
Routing protocols for ad hoc wireless networks
 

Dernier

Piping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringPiping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringJuanCarlosMorales19600
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvLewisJB
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort servicejennyeacort
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)dollysharma2066
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfAsst.prof M.Gokilavani
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girlsssuser7cb4ff
 
Class 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm SystemClass 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm Systemirfanmechengr
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - GuideGOPINATHS437943
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsSachinPawar510423
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleAlluxio, Inc.
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the weldingMuhammadUzairLiaqat
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substationstephanwindworld
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...Chandu841456
 
lifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptxlifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptxsomshekarkn64
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHC Sai Kiran
 

Dernier (20)

Piping Basic stress analysis by engineering
Piping Basic stress analysis by engineeringPiping Basic stress analysis by engineering
Piping Basic stress analysis by engineering
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvv
 
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort serviceGurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
Gurgaon ✡️9711147426✨Call In girls Gurgaon Sector 51 escort service
 
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
Call Us ≽ 8377877756 ≼ Call Girls In Shastri Nagar (Delhi)
 
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdfCCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
CCS355 Neural Network & Deep Learning UNIT III notes and Question bank .pdf
 
Call Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call GirlsCall Girls Narol 7397865700 Independent Call Girls
Call Girls Narol 7397865700 Independent Call Girls
 
Class 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm SystemClass 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm System
 
Transport layer issues and challenges - Guide
Transport layer issues and challenges - GuideTransport layer issues and challenges - Guide
Transport layer issues and challenges - Guide
 
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
🔝9953056974🔝!!-YOUNG call girls in Rajendra Nagar Escort rvice Shot 2000 nigh...
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documents
 
Correctly Loading Incremental Data at Scale
Correctly Loading Incremental Data at ScaleCorrectly Loading Incremental Data at Scale
Correctly Loading Incremental Data at Scale
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
welding defects observed during the welding
welding defects observed during the weldingwelding defects observed during the welding
welding defects observed during the welding
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
young call girls in Rajiv Chowk🔝 9953056974 🔝 Delhi escort Service
 
lifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptxlifi-technology with integration of IOT.pptx
lifi-technology with integration of IOT.pptx
 
Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECH
 
POWER SYSTEMS-1 Complete notes examples
POWER SYSTEMS-1 Complete notes  examplesPOWER SYSTEMS-1 Complete notes  examples
POWER SYSTEMS-1 Complete notes examples
 

Plan Security Audits Under 40 Characters

PLANNING FOR SECURITY & SECURITY AUDIT PROCESS
SECURITY & RISK MANAGEMENT
MODULE 6
DIVYA TIWARI
MEIT
TERNA ENGINEERING COLLEGE
Information Security Planning and Governance, Information Security Policy Standards, EISP, ISSP, SysSP, Policy Management, Pre-planning audit, Audit Risk Management, Performing Audit, Internal Controls, Audit Evidence, Audit Testing, Audit Finding, Follow-up activities

PLANNING FOR SECURITY
Information Security Planning and Governance
Information Security Policy, Standards and Practices
Enterprise Information Security Policy (EISP)
Issue-Specific Security Policy (ISSP)
System-Specific Policy (SysSP)
Policy Management

Information Security Planning and Governance
• Strategic planning provides a long-term direction to be taken by the whole organization and also by each of its component parts.
• Strategic planning should guide organizational efforts and focus resources toward specific, clearly defined goals.
The planning flow runs as follows:
1. The organization develops a general strategy.
2. An overall strategic plan is produced for the major divisions.
3. Each level of division then translates plan objectives into more specific objectives.
4. Executive teams, also called the C-level of the organization, define individual responsibilities.
5. Each individual of the organization works towards executing the broad strategy and turns general strategy into action.
Planning Levels
• Once the organization’s overall strategic plan is translated into strategic plans for each major division or operation, the next step is to translate these plans into tactical objectives that move toward reaching specific, measurable, achievable and time-bound accomplishments.
• Strategic plans are used to create tactical plans, which are in turn used to develop operational plans.
• Tactical planning focuses on shorter-term undertakings that will be completed within one or two years.
• Tactical planning breaks each strategic goal into a series of incremental objectives.
• Each objective in a tactical plan should be specific and should have a delivery date within a year of the plan’s start.
• Budgeting, resource allocation, and personnel are critical components of the tactical plan.
• Tactical plans often include project plans and resource acquisition planning documents (such as product specifications), project budgets, project reviews, and monthly and annual reports.
• Since tactical plans are often created for specific projects, some organizations call this process project planning or intermediate planning.
• The chief information security officer (CISO) and the security managers use the tactical plan to organize, prioritize, and acquire the resources necessary for major projects and to provide support for the overall strategic plan.
• Managers and employees use operational plans, which are derived from the tactical plans, to organize the ongoing, day-to-day performance of tasks.
• An operational plan includes the necessary tasks for all relevant departments, as well as communication and reporting requirements, which might include weekly meetings, progress reports, and other associated tasks.
• These plans must reflect the organizational structure, with each subunit, department, or project team conducting its own operational planning and reporting.
• Frequent communication and feedback from the teams to the project managers and/or team leaders, and then up to the various management levels, makes the planning process more manageable and successful.
Planning and the CISO
• The first priority of the CISO and the information security management team is the creation of a strategic plan to accomplish the organization’s information security objectives.
• Although each organization may have its own format for the design and distribution of a strategic plan, the fundamental elements of planning share characteristics across all types of enterprises.
• The plan is an evolving statement of how the CISO and the various elements of the organization will implement the objectives of the information security charter.
Information Security Governance
• Governance is the set of responsibilities and practices exercised by the board and executive management with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.
• In order to secure information assets, an organization’s management must integrate information security practices into the fabric of the organization, expanding corporate governance policies and controls to encompass the objectives of the information security process.
• Information security objectives must be addressed at the highest levels of an organization’s management team in order to be effective and sustainable.
• A broader view of information security encompasses all of an organization’s information assets, including the knowledge managed by those IT assets.
• According to the Information Technology Governance Institute (ITGI), information security governance includes all of the accountabilities and methods undertaken by the board of directors and executive management to provide strategic direction, establishment of objectives, measurement of progress toward those objectives, verification that risk management practices are appropriate, and validation that the organization’s assets are used properly.
Information Security Governance Outcomes
• Effective communication among stakeholders is critical to the structures and processes used in governance at every level, especially in information security governance.
• This requires the development of constructive relationships, a common language, and a commitment to the objectives of the organization.
The five goals of information security governance are as follows:
1. Strategic alignment of information security with business strategy to support organizational objectives.
2. Risk management by executing appropriate measures to manage and mitigate threats to information resources.
3. Resource management by utilizing information security knowledge and infrastructure efficiently and effectively.
4. Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved.
5. Value delivery by optimizing information security investments in support of organizational objectives.
Governance Framework
• The Corporate Governance Task Force (CGTF) recommends that organizations follow an established framework, such as the IDEAL framework from the Carnegie Mellon University Software Engineering Institute.
• This framework, which is described in the document “Information Security Governance: Call to Action,” defines the responsibilities of:
(1) the board of directors or trustees
(2) the senior organizational executive (i.e., CEO)
(3) executive team members
(4) senior managers
(5) all employees and users.
Information Security Policy, Standards and Practices
Policies, Standards, and Practices
For a policy to be effective and thus legally enforceable, it must meet the following criteria:
1. Dissemination (distribution)
2. Review (reading)
3. Comprehension (understanding)
4. Compliance (agreement)
5. Uniform enforcement
Enterprise Information Security Policy (EISP)
• An enterprise information security policy (EISP) is also known as a general security policy, organizational security policy, IT security policy, or information security policy.
• The EISP guides the development, implementation, and management of the security program.
• It sets out the requirements that must be met by the information security blueprint or framework.
• It defines the purpose, scope, constraints, and applicability of the security program.
• It also assigns responsibilities for the various areas of security, including systems administration, maintenance of the information security policies, and the practices and responsibilities of the users. It also addresses legal compliance.
• According to the National Institute of Standards and Technology (NIST), the EISP typically addresses compliance in the following two areas:
1. General compliance to ensure meeting the requirements to establish a program and the responsibilities assigned therein to various organizational components.
2. The use of specified penalties and disciplinary action.
• Although the specifics of EISPs vary from organization to organization, most EISP documents should include the following elements:
1. An overview of the corporate philosophy on security.
2. Information on the structure of the information security organization and individuals who fulfill the information security role.
3. Fully articulated responsibilities for security that are shared by all members of the organization (employees, contractors, consultants, partners, and visitors).
4. Fully articulated responsibilities for security that are unique to each role within the organization.
Issue-Specific Security Policy (ISSP)
• As an organization adopts various technologies and processes to support routine operations, it must instruct employees on the proper use of these technologies and processes.
• An issue-specific security policy, or ISSP:
(1) addresses specific areas of technology.
(2) requires frequent updates.
(3) contains a statement on the organization’s position on a specific issue.
• There are a number of approaches to creating and managing ISSPs within an organization.
• Three of the most common are:
1. Independent ISSP documents, each tailored to a specific issue.
2. A single comprehensive ISSP document covering all issues.
3. A modular ISSP document that unifies policy creation and administration, while maintaining each specific issue’s requirements.
(Slide 15: figure only, no text.)
Systems-Specific Policy (SysSP)
• SysSPs function as standards or procedures to be used when configuring or maintaining systems.
• For example, a SysSP might describe the configuration and operation of a network firewall.
Types of SysSP:
1. Managerial Guidance SysSP
2. Technical Specifications SysSP
3. Combination SysSP
Managerial Guidance SysSPs
• A managerial guidance SysSP document is created by management to guide the implementation and configuration of technology as well as to address the behavior of people in the organization in ways that support the security of information.
• For example, while the method for implementing a firewall belongs in the technical specifications SysSP, the firewall’s configuration must follow guidelines established by management.
• An organization might not want its employees to access the Internet via the organization’s network, for instance; in that case, the firewall should be implemented accordingly.
• Firewalls are not the only technology that may require system-specific policies. Any system that affects the confidentiality, integrity, or availability of information must be assessed to evaluate the trade-off between improved security and restrictions.
Technical Specifications SysSPs
• A manager can work with a systems administrator to create managerial guidance.
• Similarly, the system administrator may need to create a policy to implement the managerial policy.
• Each type of equipment requires its own set of policies, which are used to translate the management intent for the technical control into an enforceable technical approach.
• For example, an ISSP may require that user passwords be changed quarterly; a systems administrator can implement a technical control within a specific application to enforce this policy.
• There are two general methods of implementing such technical controls:
1. access control lists
2. configuration rules.
Combination SysSPs
• Many organizations create a single document that combines the managerial guidance SysSP and the technical specifications SysSP.
• If this approach is employed, care should be taken to clearly articulate the required actions.
• This policy is a hybrid document that combines policy with procedural guidance for the convenience of the implementers of the system being managed.
• This approach is best used by organizations that have multiple technical control systems of different types, and by smaller organizations that are seeking to document policy and procedure in a compact format.
Policy Management
• Policies are living documents that must be managed.
• These documents must be properly disseminated (distributed, read, understood, agreed to, and uniformly applied) and managed.
• When two companies merge but retain separate policies, the difficulty of implementing security controls increases.
• Likewise, when one company with unified policies splits in two, each new company may require different policies.
• To remain viable, security policies must have:
1. a responsible individual
2. a schedule of reviews
3. a method for making recommendations for reviews
4. a policy issuance and revision date.
SECURITY AUDIT PROCESS
Preplanning Audits
Audit Risk Assessment
Performing Audit
Internal Controls
Audit Evidence
Audit Testing
Audit Finding
Follow-up activities

Preplanning Audits
• The first step in preplanning is to ask, “What is the objective of this particular audit?”
• The objective may be compliance to a particular standard, surveillance auditing as a follow-up to determine if the staff is still adhering to their own procedures, or something that is new.
• Scope is defined as a boundary of what is included and what is not.
• An excellent method for determining the scope is to start a discussion asking questions about six key areas. Some example questions and topics are given below:
1. Management: What are the business rules and objectives? Has management formally adopted a standard to be followed? Does management require their systems to be certified? Does executive management provide accreditation of the complete hardware/software system before it enters production?
2. Data: What data is involved? Is this customer data, engineering data, financial data? Are there any regulations governing data restrictions, acceptable or unacceptable use?
3. Intended Usage in Their Workflow: How is this data used? What is it for? Possibly a manual operation? Is it part of a software application? Ask for their workflow diagram.
4. Technology Platform: Is this data controlled in a computer program? In a file cabinet? Transmitted wirelessly on cell phones?
5. Facilities: Where does the work get done? Are the main systems located here or somewhere else? How much space is required to accommodate the staff? Where are the customers located?
6. People Involved: Who are the people we will work with on the client side? Who are the people on the auditee side? Using the skills matrix for reference, who is available to be on the audit team? Do we have the appropriate technical experts available?
Audit Risk Assessment
• The purpose of a risk assessment is to ensure that sufficient evidence will be collected during an audit.
• An audit risk assessment should take into account the following types of risks:
1. Inherent Risks: These are natural or built-in risks that always exist. Driving your automobile holds the inherent risk of an automobile accident or a flat tire. Theft is an inherent risk for items of high value.
2. Detection Risks: These are the risks that an auditor will not be able to detect what is being sought. It would be terrible to report no negative results when material conditions (faults) actually exist. Detection risks include sampling and nonsampling risks.
a) Sampling Risks: These are the risks that an auditor will falsely accept or erroneously reject an audit sample (evidence).
b) Nonsampling Risks: These are the risks that an auditor will fail to detect a condition because of not applying the appropriate procedure or using procedures inconsistent with the audit objective (detection fault).
3. Control Risks: These are the risks that an auditor could lose control, errors could be introduced, or errors may not be corrected in a timely manner (if ever).
4. Business Risks: These are risks that are inherent in the business or industry itself. They may be regulatory, contractual, or financial.
5. Operational Risks: These are the risks that a process or procedure will not perform correctly.
6. Residual Risks: These are the risks that remain after all mitigation and control efforts are performed.
7. Technological Risks: These are inherent risks of using automated technology. Systems do fail.
8. Audit Risks: These are the combination of inherent, detection, control, and residual risks. Will your audit be able to accurately prove or disprove the target objective? Are the audit scope, time allotted, sponsor’s political strength, priorities, and available technical abilities sufficient?
Performing the Audit
• Here you need to make sure you have the appropriate staff, ensure audit quality control, define auditee communications, perform proper data collection, and review existing controls.
• In order to perform the actual audit, one must carry out the following activities:
1. Selecting the Audit Team
2. Determining Competence and Evaluating Auditors
3. Creating a Skills Matrix
4. Using the Work of Other People
5. Ensuring Audit Quality Control
6. Establishing Contact with the Auditee
7. Making Initial Contact with the Auditee
Internal Controls
• Every auditor should consider two fundamental issues concerning internal control:
• Issue 1: Management is often exempt from controls.
• Issue 2: How controls are implemented determines the level of assurance.
• The basic framework of controls follows the ISACA standards. The controls are summarized here:
• General Controls (Overall)
• Pervasive Controls (Follows Technology)
• Detailed Controls (Tasks)
• Application Controls (Embedded in Programs)
• Reviewing Existing Controls
Audit Evidence
• Evidence will either prove or disprove a point. The absence of evidence is the absence of proof. Despite your best efforts, if you're unable to prove those points, you would receive zero credit for your efforts.
• An auditor should not give any credit to claims or positive assertions that cannot be documented by evidence. No evidence, no proof equals no credit.
• There are two primary types of evidence, according to the legal definition:
• Direct Evidence
• Indirect Evidence
• Examples of the various types of audit evidence include the following:
• Documentary evidence, which can include a business record of transactions, receipts, invoices, and logs
• Data extraction, which uses automated tools to mine details from data files
• Auditee claims, which are representations made in oral or written statements
• Analysis of plans, policies, procedures, and flowcharts
• Results of compliance and substantive audit tests
• Auditor's observations of auditee work or re-performance of the selected process
Audit Testing
• Compliance Testing: Compliance testing tests for the presence or absence of something. Compliance testing includes verifying that policies and procedures have been put in place, and checking that user access rights, program change control procedures, and system audit logs have been activated. An example of a compliance test is comparing the list of persons with physical access to the datacenter against the HR list of current employees.
• Substantive Testing: Substantive testing seeks to verify the content and integrity of evidence. Substantive tests may include complex calculations to verify account balances, physical inventory counts, or the execution of sample transactions to verify the accuracy of supporting documentation. Substantive tests use audit samples selected by dollar value, or samples used to project (forecast or estimate) a total for groups with related characteristics.
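The two test types above, as an added example that is not part of the slides: a compliance test that diffs a datacenter badge roster against the HR roster (presence/absence only), and a substantive test that recomputes a reported balance from the underlying ledger. Both data sets and all field names are constructed for illustration.

```python
"""Compliance vs. substantive audit tests on constructed sample data."""
import csv
from io import StringIO

# Constructed badge-system export: who currently holds datacenter access.
BADGE_EXPORT = """badge_id,person,granted_on
B-101,alice,2023-01-10
B-102,bob,2023-03-02
B-103,carol,2022-11-15
B-104,vendor-tech,2024-02-01
"""

# Constructed HR export: employment status per person.
HR_EXPORT = """person,status,department
alice,active,Platform
bob,terminated,Finance
carol,active,Platform
dave,active,Security
"""

# Constructed ledger backing a balance the auditee reported as 1350.50.
LEDGER = [("inv-1", 1200.00), ("inv-2", -300.00), ("inv-3", 450.50)]


def load_rows(text):
    return list(csv.DictReader(StringIO(text)))


def compliance_test(badge_csv, hr_csv):
    """Compliance test: every badge holder must be a current employee.

    Returns findings as (badge_id, person, reason). It only checks presence
    in the roster, not whether an active employee *should* hold access.
    """
    hr = {r["person"]: r for r in load_rows(hr_csv)}
    findings = []
    for row in load_rows(badge_csv):
        who = row["person"]
        if who not in hr:
            findings.append((row["badge_id"], who, "not in HR roster"))
        elif hr[who]["status"] != "active":
            findings.append((row["badge_id"], who, f"HR status {hr[who]['status']}"))
    return findings


def substantive_test(ledger, reported_balance, tolerance=0.005):
    """Substantive test: recompute the balance and compare it to the claim."""
    recomputed = round(sum(amount for _, amount in ledger), 2)
    return abs(recomputed - reported_balance) <= tolerance, recomputed


if __name__ == "__main__":
    for badge, who, why in compliance_test(BADGE_EXPORT, HR_EXPORT):
        print(f"FINDING: {badge} held by {who}: {why}")
    print("balance check:", substantive_test(LEDGER, 1350.50))
```

Note that the compliance findings (a leaver and an unknown badge holder) are themselves audit evidence only once documented with the two source exports they were derived from.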
Audit Findings
• There are two concerns for auditors related to testing:
1. sufficiency of evidence
2. contradictory evidence
• Detecting Irregularities and Illegal Acts
• Indicators of Illegal or Irregular Activity
• Responding to Irregular or Illegal Activity
• Findings Outside of Audit Scope
• Report Findings
Follow-up Activities
• After issuing a report, you are required to conduct an exit interview with management to obtain a commitment for the recommendations made in your audit. Management is responsible for acknowledging the recommendations and designating whatever corrective action will be taken, including the estimated dates for the action.
• Sometimes events of concern are discovered, or occur, after an audit has been completed. You should be concerned about the discovery of subsequent events that pose a material challenge to your final report. Accounting standards recognize these events and classify them as follows:
• Type 1 events refer to those that occurred before the balance sheet date.
• Type 2 events are those that occurred after the balance sheet date.
• Depending on the type of audit, you may have additional reporting requirements or activities.
MU Exam Questions
May 2017
• What are the components of Enterprise Information Security Policy (EISP)? Compare with Issue Specific Security Policy SysSP. 10 marks
• Explain what is information planning and governance. What are information policy standards? 10 marks
Dec 2017
• Explain what is information planning and governance. What are information policy standards? 10 marks
• Explain the role of the Audit Committee and how it helps the organization. What is the need of conducting Audit? 10 marks
May 2018
• SN: Enterprise Information Security Policy (EISP). 5 marks
Dec 2018
• Explain information security policy standards. 10 marks
• SN: Security Audit process. 5 marks
May 2019
• Explain what is information planning and governance. What are information policy standards? 10 marks
• Explain the role of the Audit Committee and how it helps the organization. What is the need of conducting Audit? 10 marks