
Security audits


hovan




Presentation Transcript


  1. Security audits

  2. Today’s talk
     • Security audits
     • Penetration testing as a component of security auditing
     • Different types of information systems security accreditation organizations
     • Certifications available

  3. Introduction
     • Definition
     • Purpose of security audits

  4. Domain specific audit
     • Application security
     • Network security
     • Business continuity planning (BCP) / Disaster recovery (DR)
     • Physical (environmental) security / personnel
     • Employee vetting procedures

  5. Security Policy
     • The ‘Bible’ of the organization
     • Contents
     • Bad policies are worse than none at all
     • Policy should be changed for any additions to the infrastructure
     • Generally the information security policy is expected to be reviewed annually

  6. Application Security
     • This domain only comes into the picture when a third party is providing an application, or a web application developed by another company is being used
     • Detailed enumeration of the development process, e.g. whether an SDLC was followed during development
     • Access controls in place

  7. Network Security
     • Network diagram – firewall infrastructure used, preferably a multi-tier firewall
     • Segregation between the application server and the database server, either logical or physical
     • Usage of removable media, access to file upload sites and personal email
     • Ability to disable antivirus
     • Server hardening and change management procedures
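To make the segregation point on this slide concrete, here is an added example (not from the presentation) of how an auditor can evaluate a firewall rule set against the multi-tier criterion. The rule set, the zone names and the "database accepts connections only from the application tier" criterion are all constructed assumptions for illustration.

```python
from collections import deque

# Constructed firewall rule set (not from the presentation). Each entry is a
# permitted flow between network zones; anything not listed is treated as denied.
RULES = [
    {"src": "internet", "dst": "web", "port": 443},
    {"src": "web", "dst": "app", "port": 8443},
    {"src": "app", "dst": "db", "port": 5432},
    {"src": "internet", "dst": "db", "port": 5432},  # bypasses every tier
    {"src": "web", "dst": "db", "port": 5432},       # bypasses the app tier
]

# Audit criterion (assumed): the database tier may only be reached from the
# application tier, and internet-origin traffic must cross at least three
# permitted flows (internet -> web -> app -> db) before it touches the database.
DB_ZONE = "db"
ALLOWED_DB_SOURCES = {"app"}
MIN_TIERS = 3


def segregation_findings(rules):
    """Return one finding per rule that lets a non-application zone reach the DB."""
    findings = []
    for r in rules:
        if r["dst"] == DB_ZONE and r["src"] not in ALLOWED_DB_SOURCES:
            findings.append(
                f"{r['src']} -> {r['dst']}:{r['port']} reaches the database "
                f"without passing through the application tier"
            )
    return findings


def hops_to(rules, start, target):
    """Fewest permitted flows from zone `start` to zone `target` (BFS over rules).

    Returns 1 for a direct rule and None when no chain of rules connects them.
    """
    dist = {start: 0}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            return dist[zone]
        for r in rules:
            if r["src"] == zone and r["dst"] not in dist:
                dist[r["dst"]] = dist[zone] + 1
                queue.append(r["dst"])
    return None


def audit_rules(rules, min_tiers=MIN_TIERS):
    """Combine the direct-rule check with the tier-depth check."""
    findings = segregation_findings(rules)
    hops = hops_to(rules, "internet", DB_ZONE)
    if hops is not None and hops < min_tiers:
        findings.append(
            f"internet reaches {DB_ZONE} in {hops} permitted hop(s); "
            f"expected at least {min_tiers}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_rules(RULES):
        print("FINDING:", finding)
```

The two checks complement each other: the direct-rule check catches an explicit shortcut to the database, while the hop-count check catches a rule set that is individually plausible but collapses the tiers when taken together.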

  8. Penetration Testing
     • Is a focused effort on penetrating the system
     • Penetration testing vs vulnerability scanning
     • Expected to be done annually

  9. Business continuity/DR
     • Business continuity – pre-planned procedure to ensure continuation of operations in the case of a disaster
     • BCP simulation test (time to recover)
     • Disaster recovery – reactive approach in case of a disaster
     • Availability of a cold site, warm site and hot site
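Slides 5, 8 and 9 each name a control that the audit expects on a cadence (annual policy review, annual penetration test, a BCP simulation with a measured time to recover). The following added example, which is not part of the presentation, shows how an auditor can check such evidence records mechanically; the record layout, the dates and the recovery target are constructed assumptions.

```python
from datetime import date, timedelta

# Constructed audit evidence (not from the presentation). Each record says when
# an annual control last produced evidence; the BCP record also carries the
# measured recovery time from the simulation and the target the organisation set.
EVIDENCE = [
    {"control": "policy_review", "last_done": date(2023, 3, 1)},
    {"control": "pentest", "last_done": date(2024, 1, 15)},
    {"control": "bcp_test", "last_done": date(2024, 2, 10),
     "recovery_hours": 9.5, "target_hours": 8.0},
]

ANNUAL = timedelta(days=365)


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string for the audit date."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def check_cadence(records, as_of):
    """Flag every control whose most recent evidence is older than a year."""
    as_of = _as_date(as_of)
    findings = []
    for r in records:
        age = as_of - r["last_done"]
        if age > ANNUAL:
            findings.append(
                f"{r['control']}: last evidence dated {r['last_done']} is "
                f"{age.days} days old; annual cadence expected"
            )
    return findings


def check_recovery(records):
    """Compare the BCP simulation's measured time to recover with its target."""
    findings = []
    for r in records:
        if r["control"] != "bcp_test":
            continue
        if r["recovery_hours"] > r["target_hours"]:
            findings.append(
                f"bcp_test: recovered in {r['recovery_hours']}h, "
                f"target is {r['target_hours']}h"
            )
    return findings


def audit(records, as_of):
    """All cadence and recovery findings for the given audit date."""
    return check_cadence(records, as_of) + check_recovery(records)


if __name__ == "__main__":
    for finding in audit(EVIDENCE, "2024-06-01"):
        print("FINDING:", finding)
```

Run as of 1 June 2024, the constructed evidence yields two findings: the policy review is overdue, and the BCP simulation missed its recovery target even though the test itself was held on time.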

  10. Physical Security/Personnel
     • Very critical since humans are involved
     • Controls can be placed on systems but are very difficult to implement for humans
     • Social engineering
     • Importance of educating even the facilities staff

  11. Employee Vetting
     • Includes background verification and criminal record check
     • Credit reference
     • Adherence to, and education on, the information security policy and other policies such as the clear desk policy

  12. Guidelines
     • PCI-DSS: Payment Card Industry Data Security Standard – for organizations that handle cardholder information
     • SSAE 16: Reporting on controls at a service organization
     • ISO 27001 certification for data centers: security management standard that specifies security management best practices and comprehensive security controls

  13. Certifications
     • ISO/IEC 27001 Lead Auditor certification
     • Certified Information Systems Auditor (CISA) certification by ISACA
