Security audits

Today's talk
- Security audits
- Penetration testing as a component of security auditing
- Different types of information systems security accreditation organizations
- Certifications available

Introduction
- Definition
- Purpose of security audits

Domain specific audit
- Application security
- Network security
- Business continuity planning (BCP) / Disaster recovery (DR)
- Physical (environmental) security / personnel
- Employee vetting procedures

Security Policy
- The 'Bible' of the organization
- Contents
- Bad policies are worse than none at all
- The policy should be changed for any additions to the infrastructure
- Generally the information security policy is expected to be reviewed annually

Application Security
- This domain only comes into the picture when a third party is providing an application, or a web application developed by another company is in use.
- Detailed enumeration of the development process:
  - e.g. whether an SDLC was followed during development
  - Access controls in place

Network Security
- Network diagram: firewall infrastructure used, preferably a multi-tier firewall
- Segregation between the application server and the database server, either logically or physically
- Usage of removable media, access to file upload sites and personal
- Ability to disable antivirus
- Server hardening and change management procedures

Penetration Testing
- A focused effort on penetrating the system
- Penetration testing vs. vulnerability scanning
- Expected to be done annually

Business continuity/DR
- Business continuity: a pre-planned procedure to ensure continuation of operations in the case of a disaster
- BCP simulation test (time to recover)
- Disaster recovery: a reactive approach in case of a disaster
- Availability of a cold site, a warm site and a hot site
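The Security Policy, Network Security, Penetration Testing and Business continuity/DR slides each state a control an auditor checks evidence against (policy reviewed annually, app and database tiers segregated, users unable to disable antivirus, a penetration test within the last year, a BCP simulation whose time to recover meets the RTO). The following is an added example, not part of the presentation: a small rule engine that takes a constructed evidence record and produces audit findings. The `Evidence` fields, the 365-day threshold used for "annually", the severities and the sample values are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed evidence record: the artefacts an auditor would collect for the
# Security Policy, Network Security, Penetration Testing and BCP/DR domains.
# Field names are assumptions for this example.
@dataclass
class Evidence:
    policy_last_reviewed: date
    pentest_last_done: Optional[date]        # None = no penetration test on record
    app_server_segment: str                  # network segment (VLAN) of the application tier
    db_server_segment: str                   # network segment (VLAN) of the database tier
    removable_media_blocked: bool
    users_can_disable_av: bool
    bcp_test_recovery_minutes: Optional[int]  # measured time to recover in the last BCP simulation
    rto_target_minutes: int                  # recovery time objective agreed with the business


@dataclass(frozen=True)
class Finding:
    domain: str
    control: str
    severity: str   # "high" | "medium" | "low"
    detail: str


ANNUAL_DAYS = 365  # assumption: "annually" treated as a hard 365-day threshold


def audit(ev: Evidence, today: date) -> list[Finding]:
    findings: list[Finding] = []

    # Security policy: expected to be reviewed annually.
    policy_age = (today - ev.policy_last_reviewed).days
    if policy_age > ANNUAL_DAYS:
        findings.append(Finding("Security policy", "annual policy review", "medium",
                                f"policy last reviewed {policy_age} days ago"))

    # Penetration testing: expected annually; a missing test is rated worse than a stale one.
    if ev.pentest_last_done is None:
        findings.append(Finding("Penetration testing", "annual penetration test", "high",
                                "no penetration test on record"))
    else:
        pentest_age = (today - ev.pentest_last_done).days
        if pentest_age > ANNUAL_DAYS:
            findings.append(Finding("Penetration testing", "annual penetration test", "medium",
                                    f"last penetration test {pentest_age} days ago"))

    # Network security: application and database tiers must be segregated,
    # removable media restricted, and antivirus protected from end-user tampering.
    if ev.app_server_segment == ev.db_server_segment:
        findings.append(Finding("Network security", "app/db segregation", "high",
                                f"application and database servers share segment {ev.app_server_segment}"))
    if not ev.removable_media_blocked:
        findings.append(Finding("Network security", "removable media control", "low",
                                "removable media usage is not restricted"))
    if ev.users_can_disable_av:
        findings.append(Finding("Network security", "antivirus tamper protection", "high",
                                "end users are able to disable antivirus"))

    # BCP/DR: a simulation test must exist and its measured time to recover must meet the RTO.
    if ev.bcp_test_recovery_minutes is None:
        findings.append(Finding("BCP/DR", "BCP simulation test", "high",
                                "no BCP simulation test performed"))
    elif ev.bcp_test_recovery_minutes > ev.rto_target_minutes:
        findings.append(Finding("BCP/DR", "recovery time objective", "medium",
                                f"simulated recovery took {ev.bcp_test_recovery_minutes} min, "
                                f"RTO is {ev.rto_target_minutes} min"))
    return findings


def summarize(findings: list[Finding]) -> dict:
    # Count findings per severity for the audit report's summary line.
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


AUDIT_DATE = date(2024, 6, 1)  # constructed audit date

# Constructed evidence for a fictional organisation with several gaps.
SAMPLE = Evidence(
    policy_last_reviewed=date(2022, 3, 1),
    pentest_last_done=date(2023, 11, 15),
    app_server_segment="vlan-20",
    db_server_segment="vlan-20",
    removable_media_blocked=True,
    users_can_disable_av=True,
    bcp_test_recovery_minutes=540,
    rto_target_minutes=240,
)

# Constructed evidence for an organisation that meets every check.
CLEAN = Evidence(
    policy_last_reviewed=date(2024, 1, 10),
    pentest_last_done=date(2024, 2, 1),
    app_server_segment="vlan-20",
    db_server_segment="vlan-30",
    removable_media_blocked=True,
    users_can_disable_av=False,
    bcp_test_recovery_minutes=120,
    rto_target_minutes=240,
)


def run_sample() -> list[Finding]:
    return audit(SAMPLE, AUDIT_DATE)


def run_clean() -> list[Finding]:
    return audit(CLEAN, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity.upper():6}] {f.domain}: {f.control} - {f.detail}")
    print(summarize(run_sample()))
```

Each finding records the domain and the specific control it fails, which is the structure an audit report needs when findings are later mapped to a guideline such as PCI-DSS or SSAE 16. The sample evidence yields four findings (stale policy, shared app/db segment, user-disableable antivirus, and a recovery time that exceeds the RTO); the penetration test is within the year, so it produces none.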

Physical Security/Personnel
- Very critical since humans are involved
- Controls can be placed on systems but are very difficult to implement for humans
- Social engineering
- Importance of educating even the facilities staff

Employee Vetting
- Includes background verification and criminal record checks
- Credit reference
- Adherence to, and education on, the information security policy and other policies such as the clear desk policy

Guidelines
- PCI-DSS: Payment Card Industry Data Security Standard, for organizations that handle cardholder information
- SSAE 16: reporting on controls at a service organization
- ISO certification for data centers: a security management standard that specifies security management best practices and comprehensive security controls

Certifications
- ISO/IEC lead auditor certification
- Certified Information Systems Auditor (CISA) certification by ISACA