Puerto Rico Chapter
Audit Proof Information System Security Controls
Wednesday, August 18, 2010
John R. Robles Email: jrobles@coqui.net Tel: 787-647-3961
Audit-Proof IS Security Controls
For those of you who took the CISSP
exam, an audit of your institutions IS security controls is a real-life CISSP exam. If you pass the CISSP exam, you can get certified. If you pass the audit examination, you get to keep your job.
John R. Robles Email: jrobles@coqui.net Tel: 787-647-3961
Audit-Proof IS Security Controls
So how can I pass an IS audit? And keep my job.
1st, Reduce your stress levels. 2nd, Prepare for your audit
Have documentation of everything related to IS security controls. Be prepared to answer questions and provide information.
3rd, Argue with the auditor only if you know you are right and he/she is wrong. (Both conditions)
(If you are certified (CISA, CISM, CISSP), and he/she is not, you might argue)
Audit-Proof IS Security Controls
Reduce your stress levels Most likely, its not your first audit experience
If you are the CISO, then you have already been through an audit. Your audit results should get better with time. If there were recommendations on your last audit, make sure you have remedied the exceptions Try to improve your evaluation score
If its your 1st audit,
And you are CISA, CISM, and/or CISSP, you know the theory. Review that theory, again. 1st timers, get an audit work program (FDIC, etc.)
Audit-Proof IS Security Controls
Review and provide documentation of everything related to IS security controls Institutions organization chart Security dept. organization chart
Job descriptions Security training schedules
Security dept. long- and short-range plans Policies and procedures List of all hardware and location List of all software and location
John R. Robles Email: jrobles@coqui.net Tel: 787-647-3961
Audit-Proof IS Security Controls
Documentation (Cont.) List of vendors (hardware, software, security management services) Network diagrams List of authorized persons per application and system (Local and Remote)
Identify root and admin users
IS Security configurations on PCs, servers, and networks Business Continuity Plan
John R. Robles Email: jrobles@coqui.net Tel: 787-647-3961
Audit-Proof IS Security Controls
Lack of adequate documentation can impact the evaluation of your audit.
It could cause auditors to look in more detail at your security controls and find more exceptions
Audit-proof security controls implies that all security controls are documented. Audit-proof IS security controls are those that the auditor expects to review, analyze, and report on.
John R. Robles
Email: jrobles@coqui.net
Tel: 787-647-3961
Audit-Proof IS Security Controls
Try to visualize security controls as the auditor would, that is, as Preventive Security Controls Detective Security Controls Corrective Security Controls Those controls should address the CIA (Confidentiality, Integrity, Availability) of the institutions information
Audit-Proof IS Security Controls
Be prepared to answer questions and provide information regarding how you maintain the Confidentiality of information Review what is confidential information?
Show the categorization of information
If you know what is confidential and sensitive information, then you know what is not confidential and sensitive
Show Information System Risk Assessment and Risk Management program
John R. Robles Email: jrobles@coqui.net Tel: 787-647-3961
Audit-Proof IS Security Controls
How do you protect the confidentiality?
Show / discuss policies related to Confidentiality and ACLs Show / discuss Access Control Lists (ACLs) by application Show / discuss Internet and remote access filtering via routers and firewalls Show/ discuss procedures to provide, change, and delete from the ACLs
John R. Robles
Email: jrobles@coqui.net
Tel: 787-647-3961
Audit-Proof IS Security Controls
Confidentiality (Cont.) Show/ discuss security controls to detect the violation of confidentiality
Wrong passwords limit and reset Password structure and duration Discuss logging of all access to all confidential information Discuss physical access restrictions and logs Discuss your router and firewall configurations Discuss the setup of the DMZ Discuss the security configuration of servers, PCs, routers, and firewalls
Audit-Proof IS Security Controls
Detect Violation of Confidentiality (Cont.)
Show/ discuss how access controls are tested to ensure violations are prevented, detected / notified, and corrected Incident Response program - Review this key security control when violations are discovered and notified
Discuss how major violations were detected or NOT Discuss how violations notifications were handled or NOT Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence
Audit-Proof IS Security Controls
Be prepared to answer questions and provide information regarding how you maintain the Integrity of information.
Show /discuss the key security control of Change Management to hardware, software, network, and security parameters Discuss Approval, Implementation, and Testing of changes Discuss actual changes to:
ACLs Hardware, Application Software, and Operating Systems Network hardware and software, Security settings on HW, SW, and Network
Audit-Proof IS Security Controls
Discuss how Changes to HW, Application SW, Operating Systems, and Network are tested. Discuss approved requisitions, Discuss Approved Tests of changes by User, IT personnel, and Security personnel Discuss tests of approved updated security configurations Update related documentation
List of approved HW, SW, Network components Network diagram
John R. Robles Email: jrobles@coqui.net Tel: 787-647-3961
Audit-Proof IS Security Controls
Detect Violations of Integrity
Show/ discuss how Change Management controls are tested to ensure integrity violations are prevented, detected / notified, and corrected
Discuss IP mapping software to detect unauthorized HW. Discuss prevention, detection, and removal of nonapproved hardware (wired, wireless, PC-based, Serverbased) Discuss Virus, Malware, and Spam prevention, detection, & removal Discuss the maintenance of Server, PC, and Network configuration documentation Discuss IPS (Intrusion Prevention) and IDS (Intrusion Detection) elements
Audit-Proof IS Security Controls
Look at previous security controls as
Preventive Detective Corrective
Use documented base-line inventories of HW, SW, Network, and Security parameters (SW patches) Perform HW, SW, Network scans to determine actual inventory of HW, SW, Network components, and security parameters. Compare documented base-line approved components against scanned components.
John R. Robles Email: jrobles@coqui.net Tel: 787-647-3961
Audit-Proof IS Security Controls
Review Incident Response program when integrity violations are discovered
Discuss how major violations were detected or NOT Unauthorized hardware Unauthorized software applications/ Lack of appropriate SW licenses Unauthorized? Viruses, Malware, and Spam? Unauthorized changes to security parameters and hardware configurations Discuss how violations notifications were handled or NOT
Audit-Proof IS Security Controls
Discuss how violations were analyzed and how changes were implemented to ensure nonrecurrence, e.g.
Computer Forensics Activate/ secure all audit logs More frequent scanning to maintain an updated documented base-line inventories of HW, SW, Network, and Security parameters (SW patches) More frequent and aggressive independent patrolling (prevention and detection) of the perimeter (DMZ) and inside networks A better-equipped and knowledgeable IS Security Dept. Improved security training of institution personnel
Audit-Proof IS Security Controls
How do you Provide for the Availability of Hardware, Applications Software, System Software, and Network HW and SW
Show / Discuss Business Impact Analysis Show/ Discuss Critical IT Resources
Functions, Personnel, HW, SW, Network, Space, Vendors
John R. Robles
Email: jrobles@coqui.net
Tel: 787-647-3961
Audit-Proof IS Security Controls
Security Controls to Prevent the Unavailability HW
HW redundancy Off site recovery site with required and minimal HW
SW
Backup of required software and data
Alternate routes to the outside
Dual telecom providers for voice and data
Audit-Proof IS Security Controls
The famous Business Continuity Plan (BCP) Have it!
If you dont have one, give me a call!
Test it! (at least annually) Update it! (based on test results) It should cover all critical functions of the institution
John R. Robles
Email: jrobles@coqui.net
Tel: 787-647-3961
Summary of Audit-Proof IS Security Controls
Provide a lot of documentation the more, the better Fix all previous audit issues Review Confidentiality security controls Review Integrity security controls Review Availability security controls Define CIA security controls as:
Preventive controls Detective controls Corrective controls
John R. Robles Email: jrobles@coqui.net Tel: 787-647-3961
Audit-Proof IS Security Controls
Thank You!
John R. Robles Email: jrobles@coqui.net Tel: 787-647-396 www.johnrrobles.com
You might also like
- Insident ResponseDocument8 pagesInsident Responseraghuram medapatiNo ratings yet
- DVCon Europe 2015 T07 PresentationDocument98 pagesDVCon Europe 2015 T07 PresentationJon DCNo ratings yet
- Cybersecurity Assessment RFPDocument9 pagesCybersecurity Assessment RFPPratik BhaleraoNo ratings yet
- CEH Notes Cybrary PDFDocument34 pagesCEH Notes Cybrary PDFJashan Singh100% (1)
- Network and IT Security Systems ControlDocument3 pagesNetwork and IT Security Systems ControlehaunterNo ratings yet
- Network Security FundamentalsDocument41 pagesNetwork Security FundamentalsMarco Lopez ReinosoNo ratings yet
- Security Audit Course ProjectDocument6 pagesSecurity Audit Course ProjectmaryamNo ratings yet
- Divisional protection levels and security conceptsDocument4 pagesDivisional protection levels and security conceptsKaskiNo ratings yet
- Information Security Engineer - Consultant - ISO 27001 - Job Description V 2.0Document3 pagesInformation Security Engineer - Consultant - ISO 27001 - Job Description V 2.0AyazNo ratings yet
- Resume LatestDocument3 pagesResume LatestBrein120No ratings yet
- 5.6 Auditing Network Infrastructure SecurityDocument15 pages5.6 Auditing Network Infrastructure Securityandreas_lukitaNo ratings yet
- CSE3502-Information Security Management Digital Assignment-2 Audit ReportDocument13 pagesCSE3502-Information Security Management Digital Assignment-2 Audit ReportShadowNo ratings yet
- Cybersecurity Incident Response - How To Survive An AttackDocument26 pagesCybersecurity Incident Response - How To Survive An Attacka50% (2)
- Security +: The Risk FormulaDocument12 pagesSecurity +: The Risk Formularnj1230No ratings yet
- Christopher T. Ruggieri: Summary of QualificationsDocument5 pagesChristopher T. Ruggieri: Summary of QualificationsAshwani kumarNo ratings yet
- Database Security: System Vulnerability and AbuseDocument7 pagesDatabase Security: System Vulnerability and AbuseAndhika Prasetya GradiyantoNo ratings yet
- IT Security AuditingDocument52 pagesIT Security AuditingNorah Al-ShamriNo ratings yet
- 21BCE2735_VL2023240501598_DADocument28 pages21BCE2735_VL2023240501598_DAEXTERMINATORNo ratings yet
- Network DocumentationDocument4 pagesNetwork Documentationejiworth4531No ratings yet
- Audit of IT Security 061cab1246c98f6 59791303Document42 pagesAudit of IT Security 061cab1246c98f6 59791303PRUTHVI SNo ratings yet
- CSIS Essentials For Information Asset OwnersDocument3 pagesCSIS Essentials For Information Asset OwnerspubliwilNo ratings yet
- Is Security AuditDocument52 pagesIs Security AuditNivithaNo ratings yet
- Assessing Network SecurityDocument45 pagesAssessing Network Securityhamid.shalbaf.tabarNo ratings yet
- L Loftley JR Resume April 2021Document7 pagesL Loftley JR Resume April 2021Ashwani kumarNo ratings yet
- TOPIC 3 - Infomtion Assets Seccurity and Risk Presentation UpdatedDocument49 pagesTOPIC 3 - Infomtion Assets Seccurity and Risk Presentation UpdatedMulTechNo ratings yet
- notes-Feb2024Document3 pagesnotes-Feb2024researchmalwarenowNo ratings yet
- MOdule 4Document6 pagesMOdule 4Shubham SarkarNo ratings yet
- Security Assessment Vs Penetration TestingDocument3 pagesSecurity Assessment Vs Penetration Testinganil100% (1)
- Basic Security ControlDocument26 pagesBasic Security ControlAbiyau NeoNo ratings yet
- How To SecureDocument12 pagesHow To SecuretrqNo ratings yet
- Security Risk AssessmentDocument20 pagesSecurity Risk AssessmentAzmir MNo ratings yet
- IT Security Audit: Prepared by Mbabazi SylviaDocument36 pagesIT Security Audit: Prepared by Mbabazi SylviaMicheal BixNo ratings yet
- WP LM Log Monitoring Best PracticesDocument9 pagesWP LM Log Monitoring Best PracticesPoesiNo ratings yet
- Penetration Testing: Edmund Whitehead Rayce WestDocument14 pagesPenetration Testing: Edmund Whitehead Rayce WestAditya ghadgeNo ratings yet
- Security AuditDocument31 pagesSecurity AuditTarang Shah100% (2)
- Ethical HackingDocument157 pagesEthical Hackingeduardo cerronNo ratings yet
- Monitoring and AuditingDocument31 pagesMonitoring and AuditingFlorence Heart ViñasNo ratings yet
- Cyber Security Chapter 4Document13 pagesCyber Security Chapter 4Omar YasserNo ratings yet
- w14-ITT565 Securing The Network Infrastructure-UFUTUREDocument43 pagesw14-ITT565 Securing The Network Infrastructure-UFUTUREMuhammad Imran HaronNo ratings yet
- Eight-Step Guide to Network Security AuditingDocument7 pagesEight-Step Guide to Network Security Auditingbuyaka12No ratings yet
- IT Control (AutoRecovered)Document15 pagesIT Control (AutoRecovered)Zaya SubairNo ratings yet
- IT Controls: Northern Arizona University Compliance, Controls & Business Services December 2011Document35 pagesIT Controls: Northern Arizona University Compliance, Controls & Business Services December 2011Sefi RifkianaNo ratings yet
- Function CategoryDocument15 pagesFunction CategoryFrancesco F.No ratings yet
- Jimmy Fallon CyberSecuritDocument6 pagesJimmy Fallon CyberSecuritAshwani kumarNo ratings yet
- Unit 7 Information Security Audit and FeaturesDocument110 pagesUnit 7 Information Security Audit and FeaturesAdityaNo ratings yet
- Network Security v1.0 - Module 22Document16 pagesNetwork Security v1.0 - Module 22Hussein KipkoechNo ratings yet
- Incident & Incident Response MethodologyDocument38 pagesIncident & Incident Response MethodologyKashish VermaNo ratings yet
- Penetration Testing Services For PC CentreDocument5 pagesPenetration Testing Services For PC CentreDavid AaguluNo ratings yet
- CIA Triad PresentationDocument30 pagesCIA Triad PresentationGayashan PereraNo ratings yet
- Catalyst - Cybersecurity Offerings - 050522 - ENG - v3Document18 pagesCatalyst - Cybersecurity Offerings - 050522 - ENG - v3Justo EbangNo ratings yet
- SIC MicroDocument8 pagesSIC MicroHatim KanchwalaNo ratings yet
- OT Security ChecklistDocument15 pagesOT Security Checklistct pentestNo ratings yet
- Performing Vendor Security Risk AssessmentsDocument12 pagesPerforming Vendor Security Risk AssessmentsJohn Bertoli100% (2)
- Anthony NcheDocument2 pagesAnthony NcheSAPNA tyagiNo ratings yet
- OEM Security Best PracticesDocument78 pagesOEM Security Best PracticesIgor IgoroshkaNo ratings yet
- A Penetration TestDocument7 pagesA Penetration TestSALMANRIZNo ratings yet
- Subjet Name: Emerging Trends in Computer Engineering & Information TechnologyDocument21 pagesSubjet Name: Emerging Trends in Computer Engineering & Information TechnologyPrathamesh LadNo ratings yet
- Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network ActivityFrom EverandCisco Router and Switch Forensics: Investigating and Analyzing Malicious Network ActivityRating: 2.5 out of 5 stars2.5/5 (2)
- Eleventh Hour Linux+: Exam XK0-003 Study GuideFrom EverandEleventh Hour Linux+: Exam XK0-003 Study GuideRating: 4.5 out of 5 stars4.5/5 (2)
- Practical Oracle Security: Your Unauthorized Guide to Relational Database SecurityFrom EverandPractical Oracle Security: Your Unauthorized Guide to Relational Database SecurityNo ratings yet
- Lecture 17Document85 pagesLecture 17Allan RobeyNo ratings yet
- Digital SignatureDocument13 pagesDigital Signatureradha ramaswamyNo ratings yet
- DFT20083 - 2.1 Describe Security PolicyDocument26 pagesDFT20083 - 2.1 Describe Security Policyamin124010No ratings yet
- Codes U1 TextDocument5 pagesCodes U1 Textapi-2735037650% (1)
- OWASP Application Security Verification Standard 4 0 2-EnDocument40 pagesOWASP Application Security Verification Standard 4 0 2-EnAmanda VanegasNo ratings yet
- COOKIE REPLAY ATTACK PREVENTIONDocument18 pagesCOOKIE REPLAY ATTACK PREVENTIONRenjithNo ratings yet
- Substitution CiphersDocument38 pagesSubstitution CiphersPooja ThakkarNo ratings yet
- Operating System SecurityDocument5 pagesOperating System SecurityZam ZamNo ratings yet
- Practical Assignment No. 1: 1. Security Token/Authentication TokenDocument3 pagesPractical Assignment No. 1: 1. Security Token/Authentication TokenAbhinav aroraNo ratings yet
- ITC596 Assesment 2Document9 pagesITC596 Assesment 2Romali KeerthisingheNo ratings yet
- Real-world cryptography – SSL/TLS overviewDocument61 pagesReal-world cryptography – SSL/TLS overviewSavas KaplanNo ratings yet
- Ethical Hacking and Countermeasures: EC-CouncilDocument199 pagesEthical Hacking and Countermeasures: EC-CouncilAbraham R DanielNo ratings yet
- SWR302 PE L1 FA23 TemplateDocument4 pagesSWR302 PE L1 FA23 TemplatePhạm Nhựt HàoNo ratings yet
- How To Configure VPN Site To Site Between FortiGates (Using VPN Setup Wizard)Document5 pagesHow To Configure VPN Site To Site Between FortiGates (Using VPN Setup Wizard)Toufik AblaouiNo ratings yet
- Research On SQL Injection Attack and Prevention Technology Based On WebDocument4 pagesResearch On SQL Injection Attack and Prevention Technology Based On WebAbhinav SinghNo ratings yet
- Phishing AspectsDocument31 pagesPhishing Aspectsdurgesh30No ratings yet
- GSA Rules of BehaviorDocument6 pagesGSA Rules of BehaviorCrookedNo ratings yet
- Weak encryption leaves mobile data vulnerableDocument19 pagesWeak encryption leaves mobile data vulnerablesuresh putNo ratings yet
- Introduction To Cryptography: Marcus K. G. AdomeyDocument52 pagesIntroduction To Cryptography: Marcus K. G. Adomeysaurabh sirohiNo ratings yet
- 10 Steps To Cyber Security (New) Explained - CyphereDocument29 pages10 Steps To Cyber Security (New) Explained - CyphereIvan DoriNo ratings yet
- IT Professionals Setting Up For Remote WorkersDocument2 pagesIT Professionals Setting Up For Remote WorkersCorey MolinelliNo ratings yet
- Cyber Security Unit - VDocument67 pagesCyber Security Unit - VDeepak kumarNo ratings yet
- Best Cyber Insights of 2023Document245 pagesBest Cyber Insights of 2023M N ZAKINo ratings yet
- CP200Document2 pagesCP200tzimistigrisNo ratings yet
- Prevention SQL Injection Attack To Website Using Web Application FirewallDocument21 pagesPrevention SQL Injection Attack To Website Using Web Application FirewallAkbarRosyidiNo ratings yet
- Padding Oracle Attack LabDocument6 pagesPadding Oracle Attack LabAkash RoyNo ratings yet
- OAJIS - 14 - 1153 Yosua Alberth SirDocument6 pagesOAJIS - 14 - 1153 Yosua Alberth Siryosua alberth sirNo ratings yet
- Sha 3Document6 pagesSha 3Pktc BKNo ratings yet
- د. محمد يونسClassical Encryption TechniquesDocument51 pagesد. محمد يونسClassical Encryption TechniquesMohammed Al-RadwanNo ratings yet
