exam, an audit of your institution's IS security controls is a real-life CISSP exam. If you pass the CISSP exam, you can get certified. If you pass the audit examination, you get to keep your job.
John R. Robles Email: jrobles@coqui.net Tel: 787-647-3961
Have documentation of everything related to IS security controls. Be prepared to answer questions and provide information.
3rd, Argue with the auditor only if you know you are right and he/she is wrong. (Both conditions)
(If you are certified (CISA, CISM, CISSP), and he/she is not, you might argue)
Reduce your stress levels
Most likely, it's not your first audit experience.
If you are the CISO, then you have already been through an audit. Your audit results should get better with time. If there were recommendations on your last audit, make sure you have remedied the exceptions.
Try to improve your evaluation score.
Review and provide documentation of everything related to IS security controls:
Institution's organization chart
Security dept. organization chart
Job descriptions
Security training schedules
Security dept. long- and short-range plans
Policies and procedures
List of all hardware and location
List of all software and location
Documentation (Cont.)
List of vendors (hardware, software, security management services)
Network diagrams
List of authorized persons per application and system (local and remote)
Identify root and admin users
It could cause auditors to look in more detail at your security controls and find more exceptions
Audit-proof security controls implies that all security controls are documented. Audit-proof IS security controls are those that the auditor expects to review, analyze, and report on.
Try to visualize security controls as the auditor would, that is, as:
Preventive security controls
Detective security controls
Corrective security controls
Those controls should address the CIA (Confidentiality, Integrity, Availability) of the institution's information.
Be prepared to answer questions and provide information regarding how you maintain the Confidentiality of information.
Review: what is confidential information?
Show the categorization of information.
If you know what is confidential and sensitive information, then you know what is not confidential and sensitive.
Confidentiality (Cont.)
Show/discuss security controls to detect the violation of confidentiality:
Wrong-password limit and reset
Password structure and duration
Discuss logging of all access to all confidential information
Discuss physical access restrictions and logs
Discuss your router and firewall configurations
Discuss the setup of the DMZ
Discuss the security configuration of servers, PCs, routers, and firewalls
Discuss how major violations were detected (or NOT)
Discuss how violation notifications were handled (or NOT)
Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence
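The detective controls listed above (logging of all access to confidential information, a wrong-password limit, an authorized-persons list per application, and identified root/admin users) can be demonstrated to an auditor as a repeatable review rather than a verbal claim. The script below is an added example, not material from the slides: it assumes a constructed five-field access log, a constructed authorization list, and a constructed wrong-password limit of 3, and it reports successful access by users who are not authorized for an application and accounts whose consecutive failed logins exceeded the limit without a lockout taking effect.

```python
"""Detective-control review over an access log (added example, not from the slides).

Assumed (constructed for illustration) log line format:
    <timestamp> <user> <application> <action> <result>
plus an authorized-persons list per application and a wrong-password limit.
"""
from collections import defaultdict

# Constructed sample log lines, not real data. Includes a root account reading
# a confidential record and one user failing login repeatedly.
SAMPLE_LOG = """\
2024-05-01T08:00:01 alice LOANS login OK
2024-05-01T08:00:05 alice LOANS read-record OK
2024-05-01T08:01:10 bob LOANS login FAIL
2024-05-01T08:01:20 bob LOANS login FAIL
2024-05-01T08:01:30 bob LOANS login FAIL
2024-05-01T08:01:40 bob LOANS login FAIL
2024-05-01T08:02:00 carol PAYROLL read-record OK
2024-05-01T08:03:00 dave LOANS read-record OK
2024-05-01T08:04:00 root LOANS read-record OK
"""

# Constructed authorization list: application -> users authorized to use it.
AUTHORIZED = {
    "LOANS": {"alice", "bob"},
    "PAYROLL": {"carol"},
}

WRONG_PASSWORD_LIMIT = 3  # constructed policy value


def parse_log(text):
    """Split the log into records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, app, action, result = parts
        records.append({"ts": ts, "user": user, "app": app,
                        "action": action, "result": result})
    return records


def unauthorized_access(records, authorized):
    """Successful actions by users not on the application's authorized list."""
    findings = []
    for r in records:
        if r["result"] != "OK":
            continue
        if r["user"] not in authorized.get(r["app"], set()):
            findings.append((r["ts"], r["user"], r["app"], r["action"]))
    return findings


def lockout_exceeded(records, limit):
    """Accounts whose consecutive failed logins went past the limit.

    A successful login resets the streak. Exceeding the limit means the
    preventive control (lock/reset) did not engage, which is what the
    auditor will ask about.
    """
    streak = defaultdict(int)
    exceeded = {}
    for r in records:
        if r["action"] != "login":
            continue
        if r["result"] == "FAIL":
            streak[r["user"]] += 1
            if streak[r["user"]] > limit:
                exceeded[r["user"]] = streak[r["user"]]
        else:
            streak[r["user"]] = 0
    return exceeded


def review(text=SAMPLE_LOG, authorized=AUTHORIZED, limit=WRONG_PASSWORD_LIMIT):
    """Run both checks and return the findings as one report dict."""
    records = parse_log(text)
    return {
        "unauthorized": unauthorized_access(records, authorized),
        "lockout_exceeded": lockout_exceeded(records, limit),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(name, finding)
```

Keeping the authorized-persons list in a file that is itself under change control lets the same script double as evidence for the Integrity section: the auditor can see both the list and the review that is run against it.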
Be prepared to answer questions and provide information regarding how you maintain the Integrity of information.
Show/discuss the key security control of Change Management for hardware, software, network, and security parameters.
Discuss approval, implementation, and testing of changes.
Discuss actual changes to:
ACLs
Hardware, application software, and operating systems
Network hardware and software
Security settings on HW, SW, and network
Discuss how changes to HW, application SW, operating systems, and network are tested.
Discuss approved requisitions.
Discuss approved tests of changes by user, IT personnel, and security personnel.
Discuss tests of approved, updated security configurations.
Update related documentation:
List of approved HW, SW, and network components
Network diagram
Discuss IP mapping software to detect unauthorized HW.
Discuss prevention, detection, and removal of non-approved hardware (wired, wireless, PC-based, server-based).
Discuss virus, malware, and spam prevention, detection, and removal.
Discuss the maintenance of server, PC, and network configuration documentation.
Discuss IPS (Intrusion Prevention) and IDS (Intrusion Detection) elements.
Use documented baseline inventories of HW, SW, network, and security parameters (SW patches).
Perform HW, SW, and network scans to determine the actual inventory of HW, SW, and network components and security parameters.
Compare the documented, approved baseline components against the scanned components.
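The baseline-versus-scan comparison just described is the one integrity control an auditor can most easily verify by running it. The script below is an added example, not material from the slides: it assumes a constructed baseline register and a constructed scan export in the same simple dict shape (host name, MAC, installed software with versions, security parameters), and it reports unauthorized and missing hardware, unauthorized or drifted software, and security-parameter drift. In practice the two inputs would be loaded from the approved component list and from the IP-mapping or inventory scanner's export.

```python
"""Baseline-versus-scan inventory comparison (added example, not from the slides).

Assumed (constructed) inventory shape:
    host -> {"mac": str, "software": {name: version}, "params": {setting: value}}
"""

# Constructed documented, approved baseline (not a real inventory).
BASELINE = {
    "fs01": {"mac": "00:11:22:33:44:01",
             "software": {"openssh": "9.6", "samba": "4.19"},
             "params": {"firewall": "on", "ssh_root_login": "no"}},
    "ws17": {"mac": "00:11:22:33:44:17",
             "software": {"office": "2021", "antivirus": "12.3"},
             "params": {"firewall": "on", "autorun": "off"}},
    "prn03": {"mac": "00:11:22:33:44:03",
              "software": {}, "params": {"snmp_community_default": "no"}},
}

# Constructed scan result: fs01's firewall is off, ws17 has a downgraded
# antivirus and an unapproved package, prn03 did not answer, and an unknown
# device appeared on the network.
SCAN = {
    "fs01": {"mac": "00:11:22:33:44:01",
             "software": {"openssh": "9.6", "samba": "4.19"},
             "params": {"firewall": "off", "ssh_root_login": "no"}},
    "ws17": {"mac": "00:11:22:33:44:17",
             "software": {"office": "2021", "antivirus": "11.0",
                          "bittorrent": "7.1"},
             "params": {"firewall": "on", "autorun": "off"}},
    "unknown-ap": {"mac": "de:ad:be:ef:00:01", "software": {}, "params": {}},
}


def compare_inventory(baseline, scan):
    """Return a sorted, deterministic list of (finding, host, detail) tuples."""
    findings = []

    # Hardware present on the wire but absent from the approved list.
    for host in sorted(set(scan) - set(baseline)):
        findings.append(("unauthorized_hardware", host, scan[host]["mac"]))

    # Approved hardware the scan could not find (removed, renamed, or down).
    for host in sorted(set(baseline) - set(scan)):
        findings.append(("missing_hardware", host, baseline[host]["mac"]))

    # Hosts in both: check identity, software, and security parameters.
    for host in sorted(set(baseline) & set(scan)):
        b, s = baseline[host], scan[host]
        if b["mac"] != s["mac"]:
            findings.append(("mac_mismatch", host, s["mac"]))
        for name in sorted(s["software"]):
            ver = s["software"][name]
            if name not in b["software"]:
                findings.append(("unauthorized_software", host, f"{name} {ver}"))
            elif ver != b["software"][name]:
                findings.append(("version_drift", host,
                                 f"{name} {b['software'][name]} -> {ver}"))
        for name in sorted(set(b["software"]) - set(s["software"])):
            findings.append(("missing_software", host, name))
        for key in sorted(b["params"]):
            expected, actual = b["params"][key], s["params"].get(key)
            if actual != expected:
                findings.append(("security_parameter_drift", host,
                                 f"{key} {expected} -> {actual}"))
    return findings


if __name__ == "__main__":
    for kind, host, detail in compare_inventory(BASELINE, SCAN):
        print(f"{kind:26} {host:12} {detail}")
```

Because the output is sorted and deterministic, each run can be filed as audit evidence and diffed against the previous run, which is exactly the "more frequent scanning" corrective action the slides recommend.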
Discuss how major violations were detected (or NOT):
Unauthorized hardware
Unauthorized software applications / lack of appropriate SW licenses
Unauthorized? Viruses, malware, and spam?
Unauthorized changes to security parameters and hardware configurations
Discuss how violation notifications were handled (or NOT).
Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence, e.g.:
Computer forensics
Activate/secure all audit logs
More frequent scanning to maintain updated, documented baseline inventories of HW, SW, network, and security parameters (SW patches)
More frequent and aggressive independent patrolling (prevention and detection) of the perimeter (DMZ) and inside networks
A better-equipped and more knowledgeable IS Security Dept.
Improved security training of institution personnel
How do you provide for the Availability of hardware, application software, system software, and network HW and SW?
Show/discuss the Business Impact Analysis
Show/discuss critical IT resources
SW
Backup of required software and data
Test it! (at least annually)
Update it! (based on test results)
It should cover all critical functions of the institution.
Provide a lot of documentation; the more, the better.
Fix all previous audit issues.
Review Confidentiality security controls.
Review Integrity security controls.
Review Availability security controls.
Define CIA security controls as:
Preventive controls
Detective controls
Corrective controls
Thank You!