IS4680 Security Auditing for Compliance

Presentation on theme: "IS4680 Security Auditing for Compliance"— Presentation transcript:

1 IS4680 Security Auditing for Compliance
Unit 5 Creating Compliance Within the User Domain

2 Class Agenda 7/18/16
Covers Chapter 8 Learning Objectives
Lesson Presentation and Discussions
Discussion on Assignments
Discussion on Lab Activities
Lab will be performed in class
Break Times as per School Regulation
Discussion on Project

3 Learning Objective Describe information security systems compliance requirements within the User Domain.

4 Key Concepts
Compliance law requirements and business drivers
Characteristics of separation of duties, least privilege, and need-to-know
Importance of confidentiality agreements and employee background checks
Benefits of security awareness training
Best practices for User Domain compliance requirements

5 EXPLORE: CONCEPTS

6 Compliance Laws and Business Drivers
Publicly traded organizations must follow laws and regulations. Privately held organizations use them to adhere to the auditing requirements and frameworks they have adopted.

7 Compliance Laws and Business Drivers (Continued)
Organizational boards have a due-diligence obligation to protect their own data and their customers' data during the normal course of business. Information technology (IT) security controls are applied within the seven domains to align operations with the organization's compliance requirements.

8 Separation of Duties
Requires at least two different roles to accomplish any business-critical task. Violating policy therefore requires collusion between two people.

9 Least Privilege
Access is granted only to the extent needed to carry out the assigned role; no additional access is granted. Maintaining this can be a challenge when organizations are changing or growing, because roles shift and old access tends to linger.

10 Need-to-Know
Limits access to information to only those who require it to complete a job function. It applies to information whose disclosure to others would damage the organization.
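The three concepts on slides 8 through 10 are easier to tell apart when they are written as authorization checks. The following is an added example, not code from the course or its textbook; the role names, permission strings, and payment workflow are constructed for illustration. Least privilege is enforced by granting only what an assigned role carries, need-to-know by scoping access to the projects a user actually works on, and separation of duties by refusing to let the person who created a payment also approve it.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed role-to-permission map (assumed for this example only).
# Each role grants exactly the permissions the job needs: least privilege.
ROLE_PERMISSIONS = {
    "clerk": {"payment:create"},
    "approver": {"payment:approve"},
    "auditor": {"payment:read"},
}


@dataclass
class User:
    name: str
    roles: Set[str]
    projects: Set[str]  # projects this user has a need-to-know for


@dataclass
class Payment:
    project: str
    amount: int
    created_by: Optional[str] = None
    approved_by: Optional[str] = None


def has_permission(user: User, permission: str) -> bool:
    """Least privilege: a user holds only what the assigned roles grant."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in user.roles)


def authorize(user: User, permission: str, payment: Payment) -> Optional[str]:
    """Return None if the action is allowed, otherwise the reason for denial."""
    if not has_permission(user, permission):
        return f"{user.name} lacks {permission} (least privilege)"
    # Need-to-know: holding the permission is not enough; the record must
    # belong to a project the user is assigned to.
    if payment.project not in user.projects:
        return f"{user.name} has no need-to-know for project {payment.project}"
    return None


def create_payment(user: User, payment: Payment) -> Optional[str]:
    """First half of the business-critical task."""
    reason = authorize(user, "payment:create", payment)
    if reason:
        return reason
    payment.created_by = user.name
    return None


def approve_payment(user: User, payment: Payment) -> Optional[str]:
    """Second half of the task. Separation of duties: the approver must be a
    different person from the creator, even if one user happens to hold both roles."""
    reason = authorize(user, "payment:approve", payment)
    if reason:
        return reason
    if payment.created_by is None:
        return "payment has not been created yet"
    if payment.created_by == user.name:
        return (f"{user.name} created this payment; a second person must approve it "
                "(separation of duties)")
    payment.approved_by = user.name
    return None


if __name__ == "__main__":
    # Constructed users: a clerk, an approver, and one user holding both roles.
    alice = User("alice", {"clerk"}, {"project-a"})
    bob = User("bob", {"approver"}, {"project-a"})
    carol = User("carol", {"clerk", "approver"}, {"project-a"})
    p = Payment("project-a", 100)
    print(create_payment(alice, p))   # None: allowed
    print(approve_payment(alice, p))  # denied: least privilege
    print(approve_payment(bob, p))    # None: two different people completed the task
    q = Payment("project-a", 50)
    create_payment(carol, q)
    print(approve_payment(carol, q))  # denied: separation of duties
```

Note that carol holds both roles, so least privilege alone would let her complete the whole task; the separation-of-duties check is what forces a second person into the loop. Auditors typically look for exactly that combination when reviewing entitlements.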

11 EXPLORE: PROCESSES

12 Create Compliance Within the User Domain
Step 1 Protect data privacy
Step 2 Implement proper security controls for the User Domain
Step 3 Create separation of duties
Step 4 Provide for least privilege

13 Create Compliance Within the User Domain (Continued)
Step 5 Provide information on a need-to-know basis
Step 6 Create and deploy confidentiality agreements
Step 7 Conduct employee background checks

14 EXPLORE: ROLES

15 Roles
Senior Managers: Responsible for organizational governance and compliance.
IT Managers: Responsible for applying the controls needed to be in compliance.

16 Roles (Continued)
IT Auditors: Responsible for auditing IT controls for compliance.
Data Owners: Responsible for the data and for deciding who is granted access to it.

17 Roles (Continued)
System Administrators: Responsible for monitoring the controls on systems and for following them as well.
Risk Managers: Responsible for identifying and managing risk.

18 EXPLORE: CONTEXTS

19 Best Practices for User Domain Compliance
The following are considered best practices for User Domain compliance:
Document all laws, regulations, and standards that require User Domain compliance for your organization.
Define acceptable use policies (AUPs) for each type of IT service or equipment.

20 Best Practices for User Domain Compliance (Continued)
Conduct background checks for all employees and critical contractors prior to engagement.
Develop security awareness and procedures training for employees and contractors.

21 Best Practices for User Domain Compliance (Continued)
Require security awareness, procedures training, and assessment prior to engagement.
Require users to sign confidentiality agreements prior to receiving access to any sensitive information.

22 Best Practices for User Domain Compliance (Continued)
Require action by at least two separate users to complete any business-critical function involving sensitive information.
Audit user access privileges periodically for compliance with stated goals.

23 EXPLORE: RATIONALE

24 Confidentiality Agreements and Employee Background Checks
Confidentiality agreements allow organizations to disclose sensitive information to a small number of parties without concern that an information leak might cause harm. The purpose of a background check is to uncover any evidence of past behavior that might indicate a prospective employee is a security risk.

25 Security Awareness Training
Training employees on security matters can help avoid many security policy violations, such as:
Weak passwords
Inappropriate use of the Internet
Inappropriate use of
Divulging confidential information

26 Security Awareness Training (Continued)
You should provide training for each employee on security topics, such as:
Organization's commitment to information security
Justification for security-related activities
Important security procedures

27 Summary
In this presentation, the following were covered:
Concepts such as separation of duties, least privilege, and need-to-know
Process of creating compliance within the User Domain
Roles and responsibilities involved in creating compliance within the User Domain
Best practices for User Domain compliance
Need for confidentiality agreements, employee background checks, and security awareness training

28 Assignment and Lab
Discussion 5.1 Separation of Duties, Least Privilege, and Need-to-Know
Lab 5.2 Define a Process for Gathering Information Pertaining to a GLBA Compliance Audit
Assignment 5.3 Best Practices for User Domain Compliance
