1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5...
34
Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5 Chapter 54 “Security Audits, Standards and Inspections” Donald Glass, Chris Davis, John Mason, David Gursky, James Thomas, Wendy Carr, and Diane Levine
-
date post
19-Dec-2015 -
Category
Documents
-
view
217 -
download
0
Transcript of 1 Copyright © 2010 M. E. Kabay. All rights reserved. Security Audits, Standards, & Inspections CSH5...
1 Copyright © 2010 M. E. Kabay. All rights reserved.
Security Audits, Standards, & Inspections
CSH5 Chapter 54“Security Audits, Standards and Inspections”
Donald Glass, Chris Davis, John Mason, David Gursky, James Thomas, Wendy Carr,
and Diane Levine
2 Copyright © 2010 M. E. Kabay. All rights reserved.
TopicsIntroductionAuditing StandardsSAS 70 AuditsSarbanes-OxleyAddressing Multiple RegulationsTechnical Frameworks for IT Audits
3 Copyright © 2010 M. E. Kabay. All rights reserved.
Introduction (1)Non-IT auditors
Financial: accuracy/integrity accountingExternal: material, macro-level issues (e.g.,
governance, reporting, legal compliance)Internal: transaction-level controls,
protecting assets, validating systemsRecent legal/regulatory changes affect auditing
Especially regulatory complianceValidating protection of mission-critical
systemsEnsuring that weaknesses in IT
infrastructure/security do not affect other parties (who can sue for damages)
4 Copyright © 2010 M. E. Kabay. All rights reserved.
Introduction (2)
Management attitudes range fromWe have to do this – part of cost of doing
businessNice to have (but don’t spend much)
These attitudes ignore added value from auditsQUESTION FOR CLASS: WHAT ARE SOME
BENEFITS OF AUDITS BEYOND ASSURANCE OF COMPLIANCE?
Auditing increasingly included in IA training programs & certifications
5 Copyright © 2010 M. E. Kabay. All rights reserved.
Auditing Standards
Introduction to ISOISO/IEC 27001Gramm-Leach Bliley ActAuditing Standards Conclusions
6 Copyright © 2010 M. E. Kabay. All rights reserved.
Introduction to ISO
International Organization for StandardizationNongovernmental cooperativeCreate, identify, publish industry standardsBusiness & technology (not just IT)
Member committees work on specific standardsRepresent best practicesE.g., ISO 9000 stds have become world-
recognized for qualityISO 27000 increasingly accepted as
international standard for information security management
7 Copyright © 2010 M. E. Kabay. All rights reserved.
History of ISO Standards (1)History
British Standard (BS) 7799 published Feb 1995Part 1: Best Practices for Information
Security ManagementPart 2: Specifications for Information
Security Management SystemsPart 3: Guidelines for Information Security
Risk Management
8 Copyright © 2010 M. E. Kabay. All rights reserved.
History of ISO Standards (2)BS 7799 Part 1 became ISO 17799 (Dec 2000)
with 10 domains:1. Business continuity planning2. Systems access control3. System development & maintenance4. Physical & environmental security5. Compliance6. Personnel security7. Security organization8. Computer & operations management9. Asset classification & control10.Security policy
9 Copyright © 2010 M. E. Kabay. All rights reserved.
History of ISO Standards (3)Later converted ISO 17799 to ISO/IEC
17799:2005IEC = International Electrochemical
Commission (Geneva)Information Technology – Security
Techniques – Code of Practice for Information Security Management
Added objectives, controlsUpdated previous editions to include new
technologyE.g., wireless networks
ISO/IEC 27000 goes beyond ISO/IEC 17799 (see next slides)
10 Copyright © 2010 M. E. Kabay. All rights reserved.
ISO/IEC 27001 (1) ISO/IEC 27000: Fundamentals & Vocabulary ISO/IEC 27001:2005. ISMS – Requirements ISO/IEC 27002:2005. Code of Practice for
Information Security Management ISO/IEC 27003:2010. ISMS Implementation
Guidance ISO/IEC 27004*. Information Security
Management Measurement ISO/IEC 27005*. Information Security Risk
Management ISO/IEC 27006:2007. Requirements for Bodies
Providing Audit and Certification of Information Security Management Systems
Notes:ISMS = information security management system* Under development as of March 2010
11 Copyright © 2010 M. E. Kabay. All rights reserved.
ISO/IEC 27001 (2) ISO/IEC 27001
Similar to OECD guidance on security of IS & NW
Includes PDCA cyclePlan-Do-Check-ActInvented by W. Edwards Denning (1950s)
CertificationIndicates formal compliance with standardsBusiness benefits (public visibility to
stakeholders)Operational benefits (fewer errors, better
response, greater resilience)
12 Copyright © 2010 M. E. Kabay. All rights reserved.
Gramm-Leach Bliley Act
Financial Services Modernization Act of 1999 = GLBARegulates security of consumers’ personal
financial informationAlso protects
13 Copyright © 2010 M. E. Kabay. All rights reserved.
Auditing Standards Conclusions
14 Copyright © 2010 M. E. Kabay. All rights reserved.
SAS 70 Audits
Introduction to SAS 70Cost and Benefits of SAS 70 AuditsSAS 70 Audits Conclusion
15 Copyright © 2010 M. E. Kabay. All rights reserved.
Introduction to SAS 70
16 Copyright © 2010 M. E. Kabay. All rights reserved.
Cost and Benefits of SAS 70 Audits
17 Copyright © 2010 M. E. Kabay. All rights reserved.
SAS 70 Audits Conclusion
18 Copyright © 2010 M. E. Kabay. All rights reserved.
Sarbanes-Oxley
Introduction to SOXSection 404Achieving ComplianceAudit and CertificationSOX Conclusion
19 Copyright © 2010 M. E. Kabay. All rights reserved.
Introduction to SOX
20 Copyright © 2010 M. E. Kabay. All rights reserved.
Section 404
21 Copyright © 2010 M. E. Kabay. All rights reserved.
Achieving Compliance
22 Copyright © 2010 M. E. Kabay. All rights reserved.
Audit and Certification
23 Copyright © 2010 M. E. Kabay. All rights reserved.
SOX Conclusion
24 Copyright © 2010 M. E. Kabay. All rights reserved.
Addressing Multiple Regulations
Publicly Available Security PublicationsFederal Information Systems Management
Act (FISMA)Risk FrameworkMultiple Regulations and IS Audits
Conclusion
25 Copyright © 2010 M. E. Kabay. All rights reserved.
Publicly Available Security Publications
26 Copyright © 2010 M. E. Kabay. All rights reserved.
Federal Information Systems Management Act (FISMA)
27 Copyright © 2010 M. E. Kabay. All rights reserved.
Risk Framework
28 Copyright © 2010 M. E. Kabay. All rights reserved.
Multiple Regulations and IS Audits Conclusion
29 Copyright © 2010 M. E. Kabay. All rights reserved.
Technical Frameworks for IT Audits
Framework 1: People, Processes, Tools & Measures
Framework 2: STRIDEFramework 3: PDIOGeneral Best PracticesTechnical Frameworks Conclusion
30 Copyright © 2010 M. E. Kabay. All rights reserved.
Framework 1: People, Processes, Tools & Measures
31 Copyright © 2010 M. E. Kabay. All rights reserved.
Framework 2: STRIDE
32 Copyright © 2010 M. E. Kabay. All rights reserved.
Framework 3: PDIO
33 Copyright © 2010 M. E. Kabay. All rights reserved.
General Best Practices
34 Copyright © 2010 M. E. Kabay. All rights reserved.
Technical Frameworks Conclusion
