
Auditing Corporate Information Security

Auditing Corporate Information Security. John R. Robles, Tuesday, November 1, 2005. Email: jrobles@coqui.net, Tel: 787-647-396. Steps in the Information Security Audit: Plan, Gather data, Analyze and test, Conclude, Report findings.


Presentation Transcript


  1. Auditing Corporate Information Security
     John R. Robles
     Tuesday, November 1, 2005
     Email: jrobles@coqui.net
     Tel: 787-647-396

  2. Auditing Corporate Information Security
     • Steps in the Information Security Audit
       • Plan
       • Gather data
       • Analyze and test
       • Conclude
       • Report findings

  3. Auditing Corporate Information Security
     • Federal Financial Institutions Examination Council (FFIEC)
       • Federal Reserve System
       • Federal Deposit Insurance Corporation (FDIC)
       • National Credit Union Administration (NCUA)
       • Office of the Comptroller of the Currency (OCC), and
       • The Office of Thrift Supervision (OTS)

  4. Auditing Corporate Information Security
     • Information Systems Security Standards based on:
       • FFIEC Information Technology Examination Handbook
       • http://www.ffiec.gov/ffiecinfobase/
     • Audit areas include:
       • Audit
       • Business Continuity Planning
       • Development and Acquisition
       • E-Banking
       • FedLine
       • Information Security
       • Management
       • Operations
       • Outsourcing Technology Services
       • Retail Payment Systems
       • Supervision of Technology Service Providers
       • Wholesale Payment Systems

  5. Auditing Corporate Information Security
     • INFORMATION SECURITY WORKPROGRAM
       EXAMINATION OBJECTIVE: Assess the quantity of risk and the effectiveness of the institution's risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution's systems.

  6. Auditing Corporate Information Security
     • The objectives and procedures are divided into Tier I and Tier II:
       • Tier I assesses an institution's process for identifying and managing risks.
       • Tier II provides additional verification where risk warrants it.
     • Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination.
     • Examiners should use these procedures as necessary to support examination objectives.

  7. Auditing Corporate Information Security
     • Tier I Audit Objectives
       • Objective 1: Determine the appropriate scope for the examination.
     • Quantity of Risk
       • Objective 2: Determine the complexity of the institution's information security environment.
     • Quality of Risk Management
       • Objective 3: Determine the adequacy of the risk assessment process.

  8. Auditing Corporate Information Security
     • Objective 4: Evaluate the adequacy of security policies relative to the risk to the institution.
     • Objective 5: Evaluate the security-related controls embedded in vendor management.
     • Objective 6: Determine the adequacy of security testing.

  9. Auditing Corporate Information Security
     • Objective 7: Evaluate the effectiveness of enterprise-wide security administration.
     • Conclusions
       • Objective 8: Discuss corrective action and communicate findings.

  10. Auditing Corporate Information Security
     • Tier II Controls
       • Access Rights Administration
       • Authentication
       • Network Security
       • Host Security
       • User Equipment Security
       • Physical Security
       • Personnel Security

  11. Auditing Corporate Information Security
     • Tier II Controls (Continued)
       • Application Security
       • Software Development and Acquisition
       • Business Continuity Security
       • Intrusion Detection and Response
       • Service Provider Oversight Security
       • Encryption Security
       • Data Security

  12. Auditing Corporate Information Security
     • Audit to the Information Security Standards used by the Information Security department:
       • ISO 17799 – worldwide standard
         http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
       • COBIT – high-level standard, www.isaca.org
       • Industry specific – HIPAA Final Security Standards
       • Industry specific – FFIEC Standard
       • NIST

  13. Auditing Corporate Information Security
     • ISO 17799 – This is essentially the set of security controls: the measures and safeguards for potential implementation. In volume it is the main body of the overall 'standard set' itself.
       1. Security Policy
       2. Security Organization
          • Information Security Infrastructure
          • Security and Third Party Access
          • Outsourcing

  14. Auditing Corporate Information Security
       3. Asset Classification and Control
          • Accountability for Assets
          • Information Classification
       4. Personnel Security
          • Security in Job Definition and Resourcing
          • User Training
          • Responding to Security Incidents and Malfunctions
       5. Physical and Environmental Security
          • Secure Areas
          • Equipment Security
          • General Controls

  15. Auditing Corporate Information Security
       6. Communications and Operations Management
          • Operational Procedures and Responsibility
          • System Planning and Acceptance
          • Protection Against Malicious Software
          • Housekeeping
          • Network Management
          • Media Handling and Security
          • Exchanges of Information and Software

  16. Auditing Corporate Information Security
       7. Access Control
          • Business Requirement for Access Control
          • User Access Management
          • User Responsibilities
          • Network Access Control
          • Operating System Access Control
          • Application Access Management
          • Monitoring System Access and Use
          • Mobile Computing and Teleworking

  17. Auditing Corporate Information Security
       8. System Development and Maintenance
          • Security Requirements of Systems
          • Security in Application Systems
          • Cryptographic Controls
          • Security of System Files
          • Security in Development and Support Processes
       9. Business Continuity Management
          • Aspects of Business Continuity Management
       10. Compliance
          • Compliance with Legal Requirements
          • Reviews of Security Policy and Technical Compliance
          • System Audit Considerations

  18. Auditing Corporate Information Security
     • COBIT – IT Control Framework
     • Four (4) IT Domains and 34 Processes
     • PLAN AND ORGANISE
       • PO1 – Define a strategic IT plan
       • PO2 – Define the information architecture
       • PO3 – Determine the technological direction
       • PO4 – Define the IT organization and relationships
       • PO5 – Manage the IT investment
       • PO6 – Communicate management aims and direction
       • PO7 – Manage human resources
       • PO8 – Ensure compliance with external requirements
       • PO9 – Assess risks
       • PO10 – Manage projects
       • PO11 – Manage quality

  19. Auditing Corporate Information Security
     • ACQUIRE AND IMPLEMENT
       • AI1 – Identify automated solutions
       • AI2 – Acquire and maintain application software
       • AI3 – Acquire and maintain technology infrastructure
       • AI4 – Develop and maintain procedures
       • AI5 – Install and accredit systems
       • AI6 – Manage changes

  20. Auditing Corporate Information Security
     • DELIVER AND SUPPORT
       • DS1 – Define and manage service levels
       • DS2 – Manage third-party services
       • DS3 – Manage performance and capacity
       • DS4 – Ensure continuous service
       • DS5 – Ensure systems security
       • DS6 – Identify and allocate costs
       • DS7 – Educate and train users
       • DS8 – Assist and advise customers
       • DS9 – Manage the configuration
       • DS10 – Manage problems and incidents
       • DS11 – Manage data
       • DS12 – Manage facilities
       • DS13 – Manage operations

  21. Auditing Corporate Information Security
     • MONITOR AND EVALUATE
       • M1 – Monitor the processes
       • M2 – Assess internal control adequacy
       • M3 – Obtain independent assurance
       • M4 – Provide for independent audit

  22. Auditing Corporate Information Security
     • Test controls
     • Document findings
     • Prepare report and present recommendations to management

  23. Auditing Corporate Information Security
     Thank You!
     John R. Robles
     Email: jrobles@coqui.net
     Tel: 787-647-396
     http://home.coqui.net/jrobles
