Audit-Proof Information System Security Controls. Wednesday, August 18, 2010. John R. Robles, Tel: 787-647-3961.

Audit-Proof Information System Security Controls
Wednesday, August 18, 2010
John R. Robles, Puerto Rico Chapter

Audit-Proof IS Security Controls
- For those of you who took the CISSP exam, an audit of your institution's IS security controls is a real-life CISSP exam.
- If you pass the CISSP exam, you can get certified.
- If you pass the audit examination, you get to keep your job.

So how can I pass an IS audit? And keep my job.
- 1st, reduce your stress levels.
- 2nd, prepare for your audit.
  - Have documentation of everything related to IS security controls.
  - Be prepared to answer questions and provide information.
- 3rd, argue with the auditor only if you know you are right and he/she is wrong. (Both conditions)
  - (If you are certified (CISA, CISM, CISSP), and he/she is not, you might argue.)

Reduce your stress levels
- Most likely, it's not your first audit experience.
  - If you are the CISO, then you have already been through an audit.
  - Your audit results should get better with time.
  - If there were recommendations on your last audit, make sure you have remedied the exceptions.
  - Try to improve your evaluation score.
- If it's your 1st audit,
  - and you are CISA, CISM, and/or CISSP, you know the theory. Review that theory, again.
  - 1st timers, get an audit work program (FDIC, etc.).

Review and provide documentation of everything related to IS security controls
- Institution's organization chart
- Security dept. organization chart
- Job descriptions
- Security training schedules
- Security dept. long- and short-range plans
- Policies and procedures
- List of all hardware and location
- List of all software and location

Documentation (Cont.)
- List of vendors (hardware, software, security management services)
- Network diagrams
- List of authorized persons per application and system (local and remote)
  - Identify root and admin users
- IS security configurations on PCs, servers, and networks
- Business Continuity Plan

Audit-Proof IS Security Controls
- Lack of adequate documentation can impact the evaluation of your audit.
  - It could cause auditors to look in more detail at your security controls and find more exceptions.
- Audit-proof security controls implies that all security controls are documented.
- Audit-proof IS security controls are those that the auditor expects to review, analyze, and report on.

Audit-Proof IS Security Controls
- Try to visualize security controls as the auditor would, that is, as
  - Preventive security controls
  - Detective security controls
  - Corrective security controls
- Those controls should address the CIA (Confidentiality, Integrity, Availability) of the institution's information.

Confidentiality
- Be prepared to answer questions and provide information regarding how you maintain the Confidentiality of information.
  - Review: what is confidential information?
  - Show the categorization of information.
  - If you know what is confidential and sensitive information, then you know what is not confidential and sensitive.
  - Show the Information System Risk Assessment and Risk Management program.

How do you protect the confidentiality?
- Show / discuss policies related to Confidentiality and ACLs.
- Show / discuss Access Control Lists (ACLs) by application.
- Show / discuss Internet and remote access filtering via routers and firewalls.
- Show / discuss procedures to provide, change, and delete entries from the ACLs.

Confidentiality (Cont.)
- Show / discuss security controls to detect the violation of confidentiality:
  - Wrong-password limit and reset
  - Password structure and duration
  - Discuss logging of all access to all confidential information.
  - Discuss physical access restrictions and logs.
  - Discuss your router and firewall configurations.
  - Discuss the setup of the DMZ.
  - Discuss the security configuration of servers, PCs, routers, and firewalls.

Detect Violation of Confidentiality (Cont.)
- Show / discuss how access controls are tested to ensure violations are prevented, detected / notified, and corrected.
- Incident Response program: review this key security control when violations are discovered and notified.
  - Discuss how major violations were detected, or NOT.
  - Discuss how violation notifications were handled, or NOT.
  - Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence.
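Two of the detective controls the confidentiality slides ask you to show, a wrong-password limit and a log of every access to confidential information checked against the per-application ACL, can be demonstrated with a small review script. This is an added example, not material from the presentation; the ACL, the lockout threshold of 3 and the log lines are constructed sample data.

```python
"""Added example (not from the presentation): review constructed access-log
lines against a wrong-password limit and a per-application ACL, producing
the findings an auditor would ask about."""
from collections import defaultdict

# Constructed ACL per application: the highest classification each user may read.
ACL = {
    "payroll": {"jdoe": "confidential", "asmith": "confidential"},
    "crm": {"jdoe": "internal", "bwong": "confidential"},
}
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
WRONG_PASSWORD_LIMIT = 3  # assumed policy value: the account must lock after 3 failures

# Constructed access log: timestamp application user event [classification]
LOG = """\
2010-08-18T09:00:01 payroll jdoe login_fail
2010-08-18T09:00:05 payroll jdoe login_fail
2010-08-18T09:00:09 payroll jdoe login_fail
2010-08-18T09:00:12 payroll jdoe login_fail
2010-08-18T09:01:00 payroll asmith access confidential
2010-08-18T09:02:00 crm jdoe access confidential
2010-08-18T09:03:00 crm mallory access confidential
2010-08-18T09:04:00 crm bwong access confidential
"""


def parse(log):
    """Yield one record per log line."""
    for line in log.splitlines():
        ts, app, user, event, *rest = line.split()
        yield {"ts": ts, "app": app, "user": user, "event": event,
               "classification": rest[0] if rest else None}


def review(log=LOG):
    """Return (finding, application, user, timestamp) tuples: accounts that kept
    failing past the wrong-password limit (so the lockout control did not act),
    and reads of confidential data by users the application's ACL does not allow."""
    failures = defaultdict(int)
    findings = []
    for r in parse(log):
        key = (r["app"], r["user"])
        if r["event"] == "login_fail":
            failures[key] += 1
            if failures[key] > WRONG_PASSWORD_LIMIT:
                findings.append(("limit_exceeded", r["app"], r["user"], r["ts"]))
        elif r["event"] == "login_ok":
            failures.pop(key, None)  # a successful login resets the counter
        elif r["event"] == "access":
            allowed = ACL.get(r["app"], {}).get(r["user"])
            if allowed is None or LEVELS[allowed] < LEVELS[r["classification"]]:
                findings.append(("acl_violation", r["app"], r["user"], r["ts"]))
    return findings


if __name__ == "__main__":
    for finding in review():
        print(*finding)
```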

Integrity
- Be prepared to answer questions and provide information regarding how you maintain the Integrity of information.
  - Show / discuss the key security control of Change Management for hardware, software, network, and security parameters.
  - Discuss approval, implementation, and testing of changes.
  - Discuss actual changes to:
    - ACLs
    - Hardware, application software, and operating systems
    - Network hardware and software
    - Security settings on HW, SW, and network

Audit-Proof IS Security Controls
- Discuss how changes to HW, application SW, operating systems, and network are tested.
  - Discuss approved requisitions.
  - Discuss approved tests of changes by users, IT personnel, and security personnel.
  - Discuss tests of approved updated security configurations.
  - Update related documentation:
    - List of approved HW, SW, and network components
    - Network diagram

Detect Violations of Integrity
- Show / discuss how Change Management controls are tested to ensure integrity violations are prevented, detected / notified, and corrected.
- Discuss IP mapping software to detect unauthorized HW.
- Discuss prevention, detection, and removal of non-approved hardware (wired, wireless, PC-based, server-based).
- Discuss virus, malware, and spam prevention, detection, and removal.
- Discuss the maintenance of server, PC, and network configuration documentation.
- Discuss IPS (Intrusion Prevention) and IDS (Intrusion Detection) elements.

Audit-Proof IS Security Controls
- Look at the previous security controls as
  - Preventive
  - Detective
  - Corrective
- Use documented base-line inventories of HW, SW, network, and security parameters (SW patches).
- Perform HW, SW, and network scans to determine the actual inventory of HW, SW, network components, and security parameters.
- Compare the documented base-line of approved components against the scanned components.
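The base-line versus scan comparison on this slide, which also covers the "IP mapping software to detect unauthorized HW" point on the previous one, comes down to a set difference plus a field-by-field drift check. The following is an added example, not code from the presentation; both inventories are constructed sample data, and the corrective-action wording is an assumption that follows the slides' preventive / detective / corrective framing.

```python
"""Added example (not from the presentation): compare a documented, approved
base-line inventory against what a network scan actually found, and file each
difference with the corrective action the auditor will expect to see."""

# Constructed documented base-line: approved hosts, OS, patch level and open ports.
BASELINE = {
    "10.0.1.10": {"role": "web server", "os": "Linux", "patch": "2010-08", "ports": {22, 443}},
    "10.0.1.11": {"role": "db server", "os": "Linux", "patch": "2010-08", "ports": {22, 3306}},
    "10.0.1.20": {"role": "workstation", "os": "Windows", "patch": "2010-08", "ports": {3389}},
}
# Constructed scan result for the same subnet (a real scanner export would be parsed into this shape).
SCAN = {
    "10.0.1.10": {"os": "Linux", "patch": "2010-08", "ports": {22, 443}},
    "10.0.1.11": {"os": "Linux", "patch": "2010-07", "ports": {21, 22, 3306}},
    "10.0.1.21": {"os": "Linux", "patch": None, "ports": {22, 80}},
}

# Assumed corrective action for each finding type.
CORRECTIVE = {
    "unauthorized_host": "remove or formally approve the device and update the base-line",
    "missing_host": "confirm the host was retired through change management",
    "patch_drift": "apply the approved patch level or record an approved exception",
    "port_drift": "close the port or approve it through change management",
}


def compare(baseline, scan):
    """Return (finding, host, detail) tuples grouped by finding type:
    hosts seen but not approved, approved hosts not seen, and approved hosts
    whose patch level or open ports no longer match the base-line."""
    findings = []
    for ip in sorted(set(scan) - set(baseline)):
        findings.append(("unauthorized_host", ip, scan[ip]["os"]))
    for ip in sorted(set(baseline) - set(scan)):
        findings.append(("missing_host", ip, baseline[ip]["role"]))
    for ip in sorted(set(baseline) & set(scan)):
        b, s = baseline[ip], scan[ip]
        if s["patch"] != b["patch"]:
            findings.append(("patch_drift", ip, f"{b['patch']} -> {s['patch']}"))
        extra = sorted(s["ports"] - b["ports"])  # ports open that the base-line does not approve
        if extra:
            findings.append(("port_drift", ip, extra))
    return findings


def report(baseline=BASELINE, scan=SCAN):
    """Pair each finding with its corrective action, ready for the audit file."""
    return [(kind, host, detail, CORRECTIVE[kind])
            for kind, host, detail in compare(baseline, scan)]


if __name__ == "__main__":
    for row in report():
        print(*row, sep=" | ")
```

Re-running the scan after the fixes and getting an empty report is the evidence that the corrective control actually closed the exception.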

Audit-Proof IS Security Controls
- Review the Incident Response program when integrity violations are discovered.
  - Discuss how major violations were detected, or NOT:
    - Unauthorized hardware
    - Unauthorized software applications / lack of appropriate SW licenses
    - Unauthorized? Viruses, malware, and spam?
    - Unauthorized changes to security parameters and hardware configurations
  - Discuss how violation notifications were handled, or NOT.

Audit-Proof IS Security Controls
- Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence, e.g.
  - Computer forensics – activate / secure all audit logs
  - More frequent scanning to maintain updated documented base-line inventories of HW, SW, network, and security parameters (SW patches)
  - More frequent and aggressive independent patrolling (prevention and detection) of the perimeter (DMZ) and inside networks
  - A better-equipped and knowledgeable IS Security Dept.
  - Improved security training of institution personnel

Availability
- How do you provide for the Availability of hardware, application software, system software, and network HW and SW?
  - Show / discuss the Business Impact Analysis.
  - Show / discuss critical IT resources:
    - Functions
    - Personnel
    - HW, SW, network
    - Space
    - Vendors

Security Controls to Prevent Unavailability
- HW
  - HW redundancy
  - Off-site recovery site with the required minimal HW
- SW
  - Backup of required software and data
- Alternate routes to the outside
  - Dual telecom providers for voice and data

The famous Business Continuity Plan (BCP)
- Have it!
  - If you don't have one, give me a call!
- Test it! (at least annually)
- Update it! (based on test results)
- It should cover all critical functions of the institution.

Summary of Audit-Proof IS Security Controls
- Provide a lot of documentation – the more, the better.
- Fix all previous audit issues.
- Review Confidentiality security controls.
- Review Integrity security controls.
- Review Availability security controls.
- Define CIA security controls as:
  - Preventive controls
  - Detective controls
  - Corrective controls

Audit-Proof IS Security Controls
Thank You! John R. Robles