IS4680 Security Auditing for Compliance


1 IS4680 Security Auditing for Compliance
Unit 2 Information Security Compliance Audit—Standards and Frameworks

2 Class Agenda 6/20/16
Covers Chapter 3 and 4 Learning Objectives
Lesson presentation and discussions.
Discussion on assignments.
Discussion on lab activities.
Lab will be performed in class.
Break times as per school regulations.

3 Learning Objective Explain the use of standards and frameworks in a compliance audit of an information technology (IT) infrastructure.

4 Key Concepts
Business challenges that exist in compliance
Information systems security (ISS) domains that are audited within an IT infrastructure
Organizational barriers to maintaining IT compliance

5 Key Concepts (Continued)
Organizational involvement in maintaining IT compliance
Proper security controls, such as configuration and change management
Standards and frameworks, such as ISO/IEC 17799, ISO/IEC 27001, Control Objectives for Information and Related Technology (COBIT), Statement on Auditing Standards 70 (SAS 70), and Committee of Sponsoring Organizations (COSO)

6 EXPLORE: CONCEPTS

7 Frameworks and Standards. Group discussion.
Control Objectives for Information and Related Technology (COBIT)
ISO/IEC 27002
NIST
Committee of Sponsoring Organizations (COSO)
SAS 70
Compliance

8 Avoiding Legal Consequences
A number of federal and state laws have been enacted to protect the privacy of electronic data:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
The Sarbanes-Oxley Act of 2002 (Sarbox)
The Gramm-Leach-Bliley Act (GLBA)
USA Patriot Act (2001)
The California Database Security Breach Act (2003)
Children’s Online Privacy Protection Act of 1998 (COPPA)

9 Security Controls, Configuration and Change Management
Security Controls: The control environment is made up largely of a basic set of principles that apply across various domains.
Configuration Management: Configuration management ensures that changes are requested, evaluated, and authorized.
Change Management: Change and configuration management together provide a method for tracking unauthorized changes. Changes that are not authorized can negatively impact the system’s security posture.

10 Organizational Barriers to IT Compliance
Lack of alignment to the business objectives and strategy.
General misunderstanding of the rationale for IT compliance.
Funding shortfalls.
Lack of support from top management.
Misconception of what IT compliance will do for the organization.

11 Business Challenges to the Organization for Compliance
External: Standards and regulations with a policy infrastructure can change. Organizational policies provide general statements that address the operational goals of an organization and will change with new laws.
Internal: Standards describe mandatory processes or objectives that align with the goals of the policies and can interfere with operations. Gaining acceptance of policy changes and implementations can be costly, as employees may not want to change their processes.

12 EXPLORE: PROCESSES

13 Auditing ISS Domains
Discover and classify data and information systems.
Examine the potential impact on the organization.
Select security controls based on the risk to the systems.
Implement security controls.
Place security controls to ensure risks are reduced to an appropriate level.
Assess security controls and evaluate the effectiveness of the controls.

14 Compliance Amidst Organizational Hurdles
Regular assessment of selected security controls
Configuration and control management processes
Change management processes
Annual audit of the security environment
Monitoring security controls on an ongoing basis

15 EXPLORE: ROLES

16 Roles and Responsibilities
Audit Managers: Responsible for conducting audits and assessments aligned to organizational governance.
Data Owners: Responsible for access controls and auditing guidelines within frameworks.

17 Roles and Responsibilities (Continued)
Executive Managers: Responsible for organizational governance, funding, and support.
Senior IT Managers: Responsible for IT implementation of audit controls and frameworks for compliance.

18 EXPLORE: CONTEXTS

19 Standards and Frameworks
SAS 70: Works very well for Sarbanes-Oxley (SOX) Act issues and has two types of service auditor reports.
COBIT: Used as an IT control framework; it is an excellent supplement to COSO. Also used for SOX compliance.

20 Standards and Frameworks (Continued)
COSO: Used for improving organizational performance and governance.
International Organization for Standardization (ISO) series: Focuses on management and processes, and relies upon other standards from ISO and the International Electrotechnical Commission (IEC). ISO/IEC 17799 is an older version of ISO/IEC 27002.

21 EXPLORE: RATIONALE

22 Auditing—Standards and Frameworks
Control activities provide details on how to achieve the goals of the control objectives. Control objectives remain mostly constant. Audits and assessments must be conducted against a standard; without one there is nothing to audit or assess against.

23 Relevance of Information Security Compliance Audits
Reduces risk
Improves operational processes
Supports business objectives
Supports organizational governance

24 Case Study
Take a look at an online reseller for both new and used goods. It is a public organization and has millions of transactions, totaling billions of dollars a year. It must be compliant and undergo information security audits so that its IT controls are sound and any weaknesses uncovered by the audits are addressed.

25 Case Study (Continued)
If it had no compliance regulations and did not complete audits, its systems could become the subject of an attack. Thus, millions of credit card and customer records could be lost.

26 Case Study (Continued)
Such an event could cause the organization to suffer a tremendous loss of revenue and go out of business. You must have a plan in place to audit your organization’s information security compliance, and that plan must be well documented.

27 Summary
In this presentation, the following were covered:
Concepts of security controls, configuration and change management
Organizational barriers to IT compliance and business challenges to the organization for compliance
Process of auditing information systems security domains and compliance amidst organizational hurdles
Roles and responsibilities related to information security compliance audits
Auditing standards and frameworks

28 Assignment and Lab
Discussion 2.1: Organizational Barriers to IT Compliance
Lab 2.2: Align Auditing Frameworks for a Business Unit within the DoD
Assignment 2.3: Frameworks—Role in IT Security Domains and Auditing Compliance
