IS4680 Security Auditing for Compliance Unit 3 Information Security Policy Audit Tools
Class Agenda 6/27/16
• Covers Chapter 5
• Learning Objectives
• Lesson Presentation and Discussions
• Discussion on Assignments
• Discussion on Lab Activities
• Lab will be performed in class
• Break Times as per School Regulations
Learning Objective • Describe the components and basic requirements for creating an audit plan to support business and system considerations.
Key Concepts
• Identifying key building blocks and critical requirements of an audit
• Identifying critical security control points and assessing information technology (IT) security
• Obtaining information through documentation and resources
• Organizing the IT security policy
• Analyzing best practices for testing and monitoring
Components of an IT Infrastructure Audit
IT controls cross all seven domains of an infrastructure. They include:
• Data
• Application systems
• Technology
• Facilities
• Personnel
Components of an IT Infrastructure Audit (Continued)
The scope should not be so narrow that it restrains the organization and causes:
• Lesser resources
• Limited time frame
• Prevented discovery of audit evidence
• Restricted audit procedures
Audit Building Blocks • Before an audit can be completed, scopes, goals, objectives, and frequency must be defined.
Audit Building Blocks (Continued)
• The scope should not be so narrow that it restrains the organization and causes:
• Lesser resources
• Limited time frame
• Prevented discovery of audit evidence
• Restricted audit procedures
Audit Building Blocks (Continued)
• The goals must be aligned with the business objectives.
• The objectives of an audit should satisfy a requirement placed internally or externally on the organization.
Audit Building Blocks (Continued) • The frequency must not interfere with ongoing operations such that full-time employees (FTEs) are always working on an audit, unless the organization is large enough to have full-time audit departments.
Security Control Points in IT Infrastructure
• At a high level, controls for IT systems are of two types: general controls and application controls. General controls apply broadly to all system components across an organization.
Security Control Points in IT Infrastructure (Continued)
• The National Institute of Standards and Technology (NIST) defines the following three classes of IT security controls:
• Management Controls: Controls typically governed by management as part of the overall security program.
• Operational Controls: Controls that are implemented by people rather than by systems.
• Technical Controls: Controls that are performed by the IT systems themselves.
Information Gathering
• In the process of assessing IT security, information is gathered from many areas within the organization to be analyzed.
• An auditor also needs to understand the following prior to performing an audit:
• The organization, such as its business requirements and goals.
• The security program currently in place.
• Industry “best practices” for the type of organization and systems.
Information Gathering (Continued)
Other types of documentation are:
• Administrative documentation
• System documentation
• Procedural documentation
• Network architecture diagrams
• Vendor support access documents and agreements
Risk Management
Risk management provides information about the organization’s risk and about how much risk the organization can operate under. Its value depends on the following:
• Aligning risk appetite and strategy: Helps manage uncertainty with consideration of the goals of the organization.
Risk Management (Continued)
• Enhancing risk response decisions: Improves the ability to make better decisions about how to manage risk.
• Reducing operational surprises and losses: Enhances the organization’s ability to identify potential events or threats and react appropriately.
Risk Management (Continued)
• Identifying and managing multiple and cross-enterprise risks: Helps consider related risks from across the organization and provide a unified response across the varying risks.
• Seizing opportunities: Helps the organization recognize events from which new opportunities can be pursued.
Risk Management (Continued) • Improving deployment of capital: Improves how organizations divide their financial resources to enhance performance and profitability.
Threat Analysis
• When undertaking a risk management plan, a complete threat analysis must be conducted.
• Part of the risk assessment process requires an examination of those activities that represent danger.
Threat Analysis (Continued)
• Threats can be grouped through a combination of the following:
• External or internal
• Natural or man-made
• Intentional or accidental
Vulnerability Analysis
After performing a threat analysis, you need to identify weaknesses or flaws. Specifically, you need to identify vulnerabilities that can be exploited by previously identified threats. Some sources are:
• Vulnerability lists and databases published by industry organizations
• Security advisories
• Software and security analysis using automated tools
Risk Assessment Analysis
• Given the previous inputs, the final step is to determine the level of risk. When pairing threats and vulnerabilities, risk is determined primarily by three functions:
• The likelihood that a threat will exploit a given vulnerability.
• The impact on the organization if that threat successfully exploits the vulnerability.
• The sufficiency of controls to either eliminate or reduce the risk.
Risk Assessment Analysis (Continued)
• There are always tradeoffs, and they include:
• Cost: Are the costs of a control justified by the reduction of risk?
• Operational impact: Does the control have an adverse effect on system performance?
• Feasibility: Is the control technically feasible? Will the control be feasible for the end users?
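As an added worked example (not from the slides), the following Python risk register pairs threats with vulnerabilities, scores each pair on the three functions above (likelihood, impact, sufficiency of controls) and then applies the three tradeoffs to a candidate control. The 1..5 scales, the level thresholds, the per-point valuation and the sample register are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class RiskPair:  # one threat paired with the vulnerability it could exploit
    threat: str
    vulnerability: str
    likelihood: int             # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int                 # 1 (negligible) .. 5 (severe); assumed scale
    control_sufficiency: float  # share of the risk current controls remove, 0.0..1.0

def inherent_risk(pair: RiskPair) -> int:
    """Likelihood times impact, before any control is credited."""
    return pair.likelihood * pair.impact

def residual_risk(pair: RiskPair) -> float:
    """What remains after the sufficiency of current controls is applied."""
    return round(inherent_risk(pair) * (1.0 - pair.control_sufficiency), 2)

def risk_level(score: float) -> str:
    """Bucket a 1..25 score; the thresholds are an assumed convention."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"

def rank_register(register: list) -> list:
    """Rows of (threat, vulnerability, residual, level), worst residual first."""
    rows = [(p.threat, p.vulnerability, residual_risk(p), risk_level(residual_risk(p)))
            for p in register]
    return sorted(rows, key=lambda r: r[2], reverse=True)

@dataclass
class ControlOption:  # a candidate control plus the facts the three tradeoffs need
    name: str
    annual_cost: float
    residual_after: float       # residual score expected once it is in place
    degrades_performance: bool  # operational impact on the system
    technically_feasible: bool
    usable_by_end_users: bool

def control_is_justified(pair: RiskPair, opt: ControlOption, value_per_point: float) -> bool:
    """Cost: risk points removed, valued at an assumed rate, must at least cover the
    annual cost. Then operational impact and both feasibility questions must pass."""
    reduction = residual_risk(pair) - opt.residual_after
    return (opt.annual_cost <= reduction * value_per_point
            and not opt.degrades_performance
            and opt.technically_feasible and opt.usable_by_end_users)

# Constructed sample register; names and scores are illustrative, not from the slides.
REGISTER = [
    RiskPair("Phishing campaign", "No MFA on webmail", 4, 4, 0.25),
    RiskPair("Flooding", "Data center on a flood plain", 1, 5, 0.5),
    RiskPair("Disgruntled insider", "Shared administrator password", 3, 5, 0.0),
]
```

Ranking the register puts the uncontrolled insider pair first; a control that removes risk but degrades performance fails the operational-impact tradeoff even when its cost is zero.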
Roles and Responsibilities
• Senior Managers: Responsible for making the organization meet governance requirements.
• IT Managers: Responsible for placing and monitoring IT controls on systems.
Roles and Responsibilities (Continued)
• IT Auditors: Responsible for information assurance.
• Data Owners: Responsible for identifying data to be protected.
Roles and Responsibilities (Continued)
• System Administrators: Responsible for implementation of IT controls and for providing data custodian functions.
• Risk Managers: Responsible for managing risk within the organization.
Information Security Policy Audit Framework
• The IT security policy framework includes policies, standards, and guidelines. Each of these covers:
• Technology
• Processes
• Personnel
Information Security Policy Audit Framework (Continued)
The framework covers all seven domains of an IT infrastructure, listed below:
• User Domain
• Workstation Domain
• Local Area Network (LAN) Domain
• LAN-to-Wide-Area Network (WAN) Domain
• WAN Domain
• Remote Access Domain
• System/Application Domain
Information Security Policy Audit Framework (Continued)
• In many instances, policies, standards, and guidelines cross all domains.
• The seven domains also map across various high-level areas. Examples include access control and operations management.
IT Testing and Monitoring
• Testing and monitoring are the most important and beneficial elements of an IT security program.
• Testing and monitoring must be conducted to know that the controls are working.
• All frameworks include a control objective for regularly assessing and monitoring IT systems and controls.
IT Testing and Monitoring (Continued)
• Questions that must be answered are:
• Is IT performance measured to detect problems before it is too late?
• Does management ensure that internal controls are effective and efficient?
• Can IT performance be linked back to business goals?
• Are adequate confidentiality, integrity, and availability controls in place for information security?
Summary
• In this presentation, the following were covered:
• Components of an IT infrastructure audit, building blocks of an IT audit, and security control points in the IT infrastructure
• Process of information gathering, risk management, threat analysis, vulnerability analysis, and risk assessment analysis
• Roles and responsibilities associated with information security policy audit tools
• Framework in which the information security policy audit takes place
• Need for IT testing and monitoring
Assignment and Lab
• Discussion 3.1 Information Gathering
• Lab 3.2 Define a Process for Gathering Information Pertaining to a HIPAA Compliance Audit
• Assignment 3.3 Analyzing the Critical Security Control Points