Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Data Management

Security audits

advertisement 
Security audits
Today’s talk
 Security audits
 Penetration testing as a component of Security
auditing
 Different types of information systems security
accreditation organizations
 Certifications available
Introduction
 Definition
 Purpose of security audits
Domain specific audit
 Application security
 Network security
 Business continuity planning (BCP)/Disaster
recovery (DR)
 Physical (Environmental) security/personnel
 Employee vetting procedures
Security Policy
 The ‘Bible’ of the organization
 Contents
 Bad policies are worse than none at all
 Policy should be changes for any additions to the
infrastructure
 Generally the Information Security policy is
expected to be reviewed annually
Application Security
 This domain only comes into picture when the
third party is providing an application or using an
web application developed by another
company.
 Detailed enumeration of the development
process:
 Ex: Whether SDLC was followed while
development
 Access controls in place.
Network Security
 Network diagram – firewall infrastructure used ,
most preferably multi tier firewall.
 Segregation between the application server and
database server. Either logically or physically.
 Usage of removable media, access to file
upload sites and personal email
 Ability to disable antivirus
 Server hardening and change management
procedures.
Penetration Testing
 Is a focused effort on penetrating the system
 Penetration testing vs Vulnerability scanning
 Expected to be done annually
Business continuity/DR
 Business continuity – Pre planned procedure to
ensure continuation of operations in the case of
a disaster.
 BCP simulation test. (Time to recover)
 Disaster recovery - reactive approach in case of
a disaster
 Availability of a cold site ,hot site and a warm site
Physical Security/Personnel
 Very critical since humans are involved
 Controls can be placed for systems but very
difficult to implement for humans
 Social engineering
 Importance of educating even the facilities staff
Employee Vetting
 Includes Background verification ,criminal check
 Credit reference
 Adherence and education of the information
security policy and other policies such as clear
desk policy
Guidelines
 PCI-DSS : Payment card Industry Data security
standards – organizations that handle cardholder
information.
 SSAE 16 : Reporting on controls at a service
organization
 ISO 27001 Certification for data centers : Security
management standard that specifies security
management best practices and comprehensive
security controls.
Certifications
 ISO/IEC 27001 lead auditor certification
 Certifiied Information systems auditor certification
(CISA) by ISACA.
Related documents
EDRP-OUTLINE
EDRP-OUTLINE
Diapositive 1
Diapositive 1
Project rough draft template
Project rough draft template
LS 130 110
LS 130 110
Business Continuity Plan
Business Continuity Plan
Key Elements to an Effective Business Continuity Plan
Key Elements to an Effective Business Continuity Plan
DISASTER RECOVERY INFRASTRUCTURE
DISASTER RECOVERY INFRASTRUCTURE
Business Continuity Plan and Disaster Recovery Plan
Business Continuity Plan and Disaster Recovery Plan
The Disaster Resource GUIDE
The Disaster Resource GUIDE
Computer Security
Computer Security
BCP Assumptions - Government of Alberta
BCP Assumptions - Government of Alberta
BCP Terminology
BCP Terminology
Open Data at the World Bank - Group on Earth Observations
Open Data at the World Bank - Group on Earth Observations
ISA 562
ISA 562
Document13456180 13456180
Document13456180 13456180
ThorteachesStudyGuideCISMDomain4-200409-224752
ThorteachesStudyGuideCISMDomain4-200409-224752
The Role of Organizational Culture in... Resilient Supply Chains
The Role of Organizational Culture in... Resilient Supply Chains
Download
advertisement