
IS4680 Security Auditing for Compliance Unit 2

IS4680 Security Auditing for Compliance Unit 2 Information Security Compliance Audit—Standards and Frameworks. Class Agenda 6/20/16. Covers Chapter 3 and 4 Learning Objectives Lesson Presentation and Discussions. Discussion on Assignments. Discussion on Lab Activities.

jnevin




Presentation Transcript


  1. IS4680 Security Auditing for Compliance Unit 2 Information Security Compliance Audit—Standards and Frameworks

  2. Class Agenda 6/20/16 • Covers Chapters 3 and 4 • Learning Objectives • Lesson Presentation and Discussions. • Discussion on Assignments. • Discussion on Lab Activities. • Lab will be performed in class. • Break Times as per School Regulations.

  3. Learning Objective • Explain the use of standards and frameworks in a compliance audit of an information technology (IT) infrastructure.

  4. Key Concepts • Business challenges that exist in compliance • Information systems security (ISS) domains that are audited within an IT infrastructure • Organizational barriers to maintaining IT compliance

  5. Key Concepts (Continued) • Organizational involvement in maintaining IT compliance • Proper security controls, such as configuration and change management • Standards and frameworks, such as ISO/IEC 17799 and 27001, Control Objectives for Information and Related Technology (COBIT), Statement on Auditing Standards 70 (SAS 70), and Committee of Sponsoring Organizations (COSO)

  6. EXPLORE: CONCEPTS

  7. Framework and Standards. Group discussion. • Control Objectives for Information and related Technology (COBIT) • ISO/IEC 27002 • NIST 800-53 • Committee of Sponsoring Organizations (COSO) • SAS 70 Compliance

  8. Avoiding legal consequences • A number of federal and state laws have been enacted to protect the privacy of electronic data • The Health Insurance Portability and Accountability Act of 1996 (HIPAA) • The Sarbanes-Oxley Act of 2002 (Sarbox) • The Gramm-Leach-Bliley Act (GLBA) • USA Patriot Act (2001) • The California Database Security Breach Act (2003) • Children’s Online Privacy Protection Act of 1998 (COPPA)

  9. Security Controls, Configuration and Change Management Security Controls • Control environments are built largely on a basic set of principles that apply across the various domains. Configuration Management • Configuration management ensures that changes are requested, evaluated, and authorized. Change Management • Change and configuration management together provide a method for tracking unauthorized changes. Changes that are not authorized can negatively impact the system’s security posture.
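The slide describes change and configuration management as the method for tracking unauthorized changes. The script below is an added example, not part of the original presentation, showing what that tracking looks like in practice: a recorded configuration baseline is compared against the current state, and every difference is checked against the change log for an approved change request. The baseline, the current snapshot, the file paths and the change request identifiers (CR-1042, CR-1043) are all constructed for the example; a real implementation would hash the files on disk and read the change requests from the organization's ticketing system.

```python
"""Added example: flag configuration changes that lack an approved change
request. Baseline, current snapshot and change log are constructed inline
(not real system state) so the script runs offline.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


def sha256_hex(data: str) -> str:
    """Hash a configuration file's content; a real tool would hash files on disk."""
    return hashlib.sha256(data.encode()).hexdigest()


# Constructed baseline: the approved configuration state recorded at the last audit.
BASELINE = {
    "/etc/ssh/sshd_config": sha256_hex("PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": sha256_hex("root ALL=(ALL) ALL\n"),
    "/etc/app/settings.ini": sha256_hex("debug=false\nlog_level=info\n"),
}

# Constructed current snapshot: one unchanged file, two modified, one new.
CURRENT = {
    "/etc/ssh/sshd_config": sha256_hex("PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": sha256_hex("root ALL=(ALL) ALL\nbackup ALL=(ALL) NOPASSWD: ALL\n"),
    "/etc/app/settings.ini": sha256_hex("debug=false\nlog_level=warn\n"),
    "/etc/app/feature_flags.ini": sha256_hex("beta=true\n"),
}

# Constructed change log: hypothetical change requests (CRs). Only a CR in
# status "approved" authorizes a change; "pending" means evaluated but not yet authorized.
APPROVED_CHANGES = {
    "CR-1042": {"path": "/etc/app/settings.ini", "status": "approved"},
    "CR-1043": {"path": "/etc/sudoers", "status": "pending"},
}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str                      # "modified", "added" or "removed"
    authorized: bool
    change_request: Optional[str]  # CR id that authorized the change, if any


def diff_configs(baseline, current):
    """Yield (path, kind) for every difference between the baseline and the current state."""
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            yield path, "removed"
        elif path not in baseline:
            yield path, "added"
        elif baseline[path] != current[path]:
            yield path, "modified"


def find_approval(path, changes):
    """Return the id of an approved change request covering this path, or None."""
    for cr_id, cr in changes.items():
        if cr["path"] == path and cr["status"] == "approved":
            return cr_id
    return None


def audit_changes(baseline, current, changes):
    """Pair every detected change with its approval status."""
    findings = []
    for path, kind in diff_configs(baseline, current):
        cr = find_approval(path, changes)
        findings.append(Finding(path, kind, cr is not None, cr))
    return findings


def unauthorized(findings):
    """Changes with no approved change request: the audit exceptions to report."""
    return [f for f in findings if not f.authorized]


if __name__ == "__main__":
    for f in audit_changes(BASELINE, CURRENT, APPROVED_CHANGES):
        status = f"authorized by {f.change_request}" if f.authorized else "UNAUTHORIZED"
        print(f"{f.kind:8} {f.path:28} {status}")
```

Run against the constructed data, the script reports three changes: the `settings.ini` edit is covered by CR-1042, while the `sudoers` edit (its request is still pending) and the new `feature_flags.ini` file have no approval and are the exceptions an auditor would raise.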

  10. Organizational Barriers to IT Compliance • Lack of alignment to the business objectives and strategy. • General misunderstanding of the rationale for IT compliance. • Funding shortfalls. • Lack of support from top management. • Misconception of what IT compliance will do for the organization.

  11. Business Challenges to the Organization for Compliance

  12. EXPLORE: PROCESSES

  13. Auditing ISS Domains

  14. Compliance Amidst Organizational Hurdles

  15. EXPLORE: ROLES

  16. Roles and Responsibilities • Audit Managers • Responsible for conducting audits and assessments aligning to organizational governance. • Data Owners • Responsible for access controls and auditing guidelines within frameworks.

  17. Roles and Responsibilities (Continued) • Executive Managers • Responsible for organizational governance, funding, and support. • Senior IT Managers • Responsible for IT implementation of audit controls and frameworks for compliance.

  18. EXPLORE: CONTEXTS

  19. Standards and Frameworks • SAS 70: Works very well on Sarbanes-Oxley (SOX) Act issues and has two types of service audit reports. • COBIT: Used for IT control framework; it is an excellent supplement to COSO. Also used for SOX compliance.

  20. Standards and Frameworks (Continued) • COSO: Used for improving organizational performance and governance. • International Organization for Standardization (ISO) 27000 series: Focuses on management and processes, and relies upon other standards, such as ISO/IEC (International Electrotechnical Commission) 27002. ISO 17799 is an older version of ISO 27000.

  21. EXPLORE: RATIONALE

  22. Auditing—Standards and Frameworks

  23. Relevance of Information Security Compliance Audits • Reduces risk • Improves operational process • Supports business objectives • Supports organizational governance

  24. Case Study Take a look at an online reseller for both new and used goods. It is a public organization and has millions of transactions, totaling billions of dollars a year. It must be compliant and have information security audits so that its IT controls are sound and any weaknesses uncovered by the audits are addressed.

  25. Case Study (Continued) If it had no compliance regulations and did not complete audits, its systems could become the subject of an attack. Thus, millions of credit card and customer records could be lost.

  26. Case Study (Continued) Such an event would cause the organization to suffer a tremendous loss of revenue and go out of business. You must have a plan in place to audit your organization’s information security compliance, and that plan must be well documented.

  27. Summary • In this presentation, the following were covered: • Concepts of security controls, configuration and change management • Organizational barriers to IT compliance and business challenges to the organization for compliance • Process of auditing information systems security domains and compliance amidst organizational hurdles • Roles and responsibilities related to information security compliance audit • Auditing standards and frameworks

  28. Assignment and Lab • Discussion 2.1 Organizational Barriers to IT Compliance • Lab 2.2 Align Auditing Frameworks for a Business Unit within the DoD • Assignment 2.3 Frameworks—Role in IT Security Domains and Auditing Compliance
