Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security audits. Today’s talk  Security audits  Penetration testing as a component of Security auditing  Different types of information systems security.

Published byEstella Sarah Sharp Modified over 9 years ago

Similar presentations

Presentation on theme: "Security audits. Today’s talk  Security audits  Penetration testing as a component of Security auditing  Different types of information systems security."— Presentation transcript:

1 Security audits

2 Today’s talk  Security audits  Penetration testing as a component of Security auditing  Different types of information systems security accreditation organizations  Certifications available

3 Introduction  Definition  Purpose of security audits

4 Domain specific audit  Application security  Network security  Business continuity planning (BCP)/Disaster recovery (DR)  Physical (Environmental) security/personnel  Employee vetting procedures

5 Security Policy  The ‘Bible’ of the organization  Contents  Bad policies are worse than none at all  Policy should be changes for any additions to the infrastructure  Generally the Information Security policy is expected to be reviewed annually

6 Application Security  This domain only comes into picture when the third party is providing an application or using an web application developed by another company.  Detailed enumeration of the development process:  Ex: Whether SDLC was followed while development  Access controls in place.

7 Network Security  Network diagram – firewall infrastructure used, most preferably multi tier firewall.  Segregation between the application server and database server. Either logically or physically.  Usage of removable media, access to file upload sites and personal email  Ability to disable antivirus  Server hardening and change management procedures.

8 Penetration Testing  Is a focused effort on penetrating the system  Penetration testing vs Vulnerability scanning  Expected to be done annually

9 Business continuity/DR  Business continuity – Pre planned procedure to ensure continuation of operations in the case of a disaster.  BCP simulation test. (Time to recover)  Disaster recovery - reactive approach in case of a disaster  Availability of a cold site,hot site and a warm site

10 Physical Security/Personnel  Very critical since humans are involved  Controls can be placed for systems but very difficult to implement for humans  Social engineering  Importance of educating even the facilities staff

11 Employee Vetting  Includes Background verification,criminal check  Credit reference  Adherence and education of the information security policy and other policies such as clear desk policy

12 Guidelines  PCI-DSS : Payment card Industry Data security standards – organizations that handle cardholder information.  SSAE 16 : Reporting on controls at a service organization  ISO 27001 Certification for data centers : Security management standard that specifies security management best practices and comprehensive security controls.

13 Certifications  ISO/IEC 27001 lead auditor certification  Certifiied Information systems auditor certification (CISA) by ISACA.

Download ppt "Security audits. Today’s talk  Security audits  Penetration testing as a component of Security auditing  Different types of information systems security."

Similar presentations

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.

Approaches to meeting the PCI Vulnerability Management and Penetration Testing Requirements Clay Keller.
Business Plug-In B4 MIS Infrastructures.

Business Plug-In B4 MIS Infrastructures.
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.

AFM INTERNAL AUDIT NETWORK MEETING MUTUAL ONE GROVE PARK, LEICESTER Current ‘Hot Topics’ in Information Security Governance Auditing David Tattersall 03.
1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.
Securing NPI Mary Schuster Mike Murphy.  Gramm-Leach-Bliley Act Enacted to control the ways that financial institutions deal with the private information.

Securing NPI Mary Schuster Mike Murphy.  Gramm-Leach-Bliley Act Enacted to control the ways that financial institutions deal with the private information.
DISASTER CENTER Study Case DEMIRBANK ROMANIA “Piata Financiara” ConferenceJanuary 29, 2002 C 2002.

DISASTER CENTER Study Case DEMIRBANK ROMANIA “Piata Financiara” ConferenceJanuary 29, 2002 C 2002.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.

I NDULGENC E There is no need for oversight or management direction. All staff members are superstars and act in the best interest of the company.
Security Controls – What Works

Security Controls – What Works
EMS Auditing Definitions

EMS Auditing Definitions
Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.

Payment Card Industry (PCI) Data Security Standard (DSS) Compliance Commonwealth of Massachusetts Office of the State Comptroller March 2007.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.

ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Payment Card Industry (PCI) Data Security Standard

Payment Card Industry (PCI) Data Security Standard
PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP

PCI's Changing Environment – “What You Need to Know & Why You Need To Know It.” Stephen Scott – PCI QSA, CISA, CISSP
Step 1: A.User enters id/pw for FI: encrypted in Quicken PIN vault B.Id/pw transmitted to Intuit CustomerCentral Servers at NCR using 128 bit SSL Step.

Step 1: A.User enters id/pw for FI: encrypted in Quicken PIN vault B.Id/pw transmitted to Intuit CustomerCentral Servers at NCR using 128 bit SSL Step.
Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.

Alter – Information Systems 4th ed. © 2002 Prentice Hall 1 E-Business Security.
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
100 % UPTIME SLAs 27 | 8 DATA CLOUD CENTERSPODS SSAE-16, SOC 2 TYPE II, PCI-DSS, HIPAA, HITECH AT101, NIST 800-53, SAFE HARBOR COMPLIANT POWER INFRASTRUCTURE.

100 % UPTIME SLAs 27 | 8 DATA CLOUD CENTERSPODS SSAE-16, SOC 2 TYPE II, PCI-DSS, HIPAA, HITECH AT101, NIST , SAFE HARBOR COMPLIANT POWER INFRASTRUCTURE.

Similar presentations

Ads by Google