Security Audits, Standards & Inspections

  • Date: 30 Jun 2020
  • Size: 448.08 KB

Transcription:

Security Audits, Standards, and Inspections
CSH6 Chapter 54, "Security Audits, Standards, and Inspections"
Donald Glass, Chris Davis, John Mason, David Gursky, James Thomas, Wendy Carr, and Diane Levine
Copyright 2015 M. E. Kabay. All rights reserved.

Topics
  • Introduction
  • Auditing Standards
  • SAS 70 Audits
  • Sarbanes-Oxley
  • Addressing Multiple Regulations
  • Technical Frameworks for IT Audits

Introduction (1)
  • Non-IT auditors: financial accuracy, integrity of accounting
    • External: material, macro-level issues (e.g., governance, reporting, legal compliance)
    • Internal: transaction-level controls; protecting assets, validating systems
  • Recent legal and regulatory changes affect auditing, especially regulatory compliance
  • Validating protection of mission-critical systems
  • Ensuring that weaknesses in IT infrastructure security do not affect other parties, who can sue for damages

Introduction (2)
  • Management attitudes range from "We have to do this; it is part of the cost of doing business" to "Nice to have, but don't spend much"
  • These attitudes ignore the added value from audits
  • QUESTION FOR CLASS: WHAT ARE SOME BENEFITS OF AUDITS BEYOND ASSURANCE OF COMPLIANCE?
  • Auditing increasingly included in IA training programs and certifications

Auditing Standards
  • Introduction to ISO
  • ISO/IEC 27001
  • Gramm-Leach-Bliley Act
  • Auditing Standards: Conclusions

Introduction to ISO
  • International Organization for Standardization
  • Nongovernmental cooperative
  • Creates, identifies, and publishes industry standards: business technology, not just IT
  • Member committees work on specific standards
  • Standards represent best practices; e.g., the ISO 9000 standards have become world-recognized for quality
  • ISO 27000 increasingly accepted as the international standard for information security management
  • See also CSH6 Chapters 44 (Security Policy Guidelines) and 65 (Role of the CISO)

History of ISO Standards
  • British Standard BS 7799 published Feb 1995
    • Part 1: Best Practices for Information Security Management
    • Part 2: Specifications for Information Security Management Systems
    • Part 3: Guidelines for Information Security Risk Management
History of ISO Standards (cont'd)
  • BS 7799 Part 1 became ISO 17799 (Dec 2000), with 10 domains:
    1. Business continuity planning
    2. Systems access control
    3. System development and maintenance
    4. Physical and environmental security
    5. Compliance
    6. Personnel security
    7. Security organization
    8. Computer and operations management
    9. Asset classification and control
    10. Security policy
  • Later converted ISO 17799 to ISO/IEC 17799:2005
    • IEC = International Electrotechnical Commission (Geneva)
    • "Information Technology, Security Techniques, Code of Practice for Information Security Management"
    • Added objectives and controls
    • Updated previous editions to include new technology, e.g., wireless networks
  • ISO/IEC 27000 goes beyond ISO/IEC 17799 (see next slides)

ISO/IEC 27001 (1)
  • ISO/IEC 27000: Fundamentals and Vocabulary
  • ISO/IEC 27001:2005: ISMS Requirements
  • ISO/IEC 27002:2005: Code of Practice for Information Security Management
  • ISO/IEC 27003:2010: ISMS Implementation
  • ISO/IEC 27004*: Information Security Management Measurement
  • ISO/IEC 27005*: Information Security Risk Management
  • ISO/IEC 27006:2007: Requirements for Bodies Providing Audit and Certification of Information Security Management Systems
  • ISMS = information security management system
  • * Under development as of March 2010

ISO/IEC 27001 (2)
  • ISO/IEC 27001 is similar to OECD guidance on security of information systems
  • Includes the PDCA cycle (Plan, Do, Check, Act), introduced by W. Edwards Deming in the 1950s
  • Certification indicates formal compliance with the standard
    • Business benefits: public visibility to stakeholders
    • Operational benefits: fewer errors, better response, greater resilience

Gramm-Leach-Bliley Act
  • Financial Services Modernization Act of 1999
  • Main proposers were Phil Gramm, Jim Leach, and Thomas Bliley Jr.
  • Regulates security of consumers' personal financial information: nonpublic personal information (NPI)
  • Also governs
    • Privacy requirements for information
    • Disclosures to third parties
    • Prevention of pretexting to obtain information
  • See also CSH6 Chapter 64, US Legal and Regulatory Issues

Auditing Standards: Conclusions
  • May combine compliance auditing and risk management into a cooperative function
  • Growing managerial acceptance of the need for risk management
  • Benefits of regular audits include
    • Threat identification
    • Reduced costs through optimization of resource allocation and operations
    • Support for internal information assurance
    • Protection against lawsuits through certification and compliance with industry standards
    • Supporting due diligence claims

SAS 70 Audits
  • Introduction to SAS 70
  • Costs and Benefits of SAS 70 Audits
  • SAS 70 Audits: Conclusion
  • SAS = Statement on Auditing Standards

Introduction to SAS 70 (1)
  • SAS 70 = Statement on Auditing Standards No. 70, American Institute of Certified Public Accountants (AICPA)
  • "Reports on the Processing of Transactions by Service Organizations"
  • Full text available online: http://umiss.lib.olemiss.edu:82/record=b1038093
  • Terminology
    • Service organization: provides outsourcing
    • Service auditor: works for the outsourcer
    • User organization: the client
    • User auditor: works for the client
Introduction to SAS 70 (2)
  • SAS 70 audits are the primary method of evaluating a possible outsourcing supplier
  • Outsourcing is growing: reduce costs; focus on mission-critical functions internally
  • Outsourced functions include
    • Customer service, help desk
    • Back-office data processing
    • Human resources management, benefits
    • Web site hosting
    • Claims processing
    • Finance, accounting

Introduction to SAS 70 (3)
  • Type II audits include mandatory tests of controls
  • Type I may not test controls
  • Therefore Type II is more expensive but preferable for organizations desiring continuous process improvement

Introduction to SAS 70 (4)
  • Process
    • Initial assessment
      • Evaluation of processing and transaction systems controls
      • Develop statement of work (SOW)
      • Present SOW with estimated completion date
    • Details
      • Interviews with management and technical administrators

Introduction to SAS 70 (5)
  • Management of audit team
    • Usually a CPA in charge of the team
    • Technical audit lead: evaluation and testing of systems
    • Application lead: evaluation and testing of applications (e.g., databases, administrative software)
  • Auditors evaluate compliance with internal and external standards
  • Report on deviations from expectation

Costs and Benefits of SAS 70
  • Initial SAS 70 audit costs between $25K and $1M
  • Small organizations may not find it cost-effective
  • Larger organizations use SAS 70 to comply with GLBA and SOX (Sarbanes-Oxley Act)
  • SAS 70 uses the COSO* standard: a process for reviewing internal controls
    • SOX 404 uses COSO (see next section of these slides; Section 54.4 of the text)
  • See pros and cons of SAS 70, Exhibit 54.2 in CSH6, reformulated on the following page
  • * Committee of Sponsoring Organizations of the Treadway Commission

Costs and Benefits of SAS 70 Audits (reformulated)
Features, each marked in the original exhibit as applying to the user organization, the service organization, or both:
  • Independent assessment of controls
  • Lower cost for evaluation of controls
  • No additional review of controls required
  • SAS 70 audits are not forward looking and cannot refer to predictions
  • SAS 70 audits must be continuously reviewed and updated
  • SAS 70 audits increase the value of services
  • Disruption to the service organization is reduced by eliminating the need for user organization auditors to audit the service organization
  • A SAS 70 audit can be used to build a strong working relationship between service and user organizations
  • Audit results can provide opportunities for improvements
SAS 70 Audits: Conclusion
  • A SAS 70 audit is not a 100% guarantee of perfect controls
  • But it is viewed as a high level of assurance for confidence
  • Particularly useful in ensuring compliance with SOX 404 reporting (see next section of slides)

Sarbanes-Oxley (SOX)
  • Introduction to SOX
  • Section 404
  • Achieving Compliance
  • Audit and Certification
  • SOX Conclusion

Introduction to SOX (1)
  • Financial reporting act enacted July 2002
  • Guided by Paul S. Sarbanes and Michael G. Oxley
  • Response to scandals: Enron, WorldCom
    • Enron: Oct 2001, executives hid billions in debt; share price crashed from $90 to $1; $11B in losses by shareholders; execs went to prison for fraud; auditors went bankrupt
    • WorldCom: fraudulent accounting started 1999; in 2002 auditors proved $3.8B fraud, ultimately found $11B fraud

Introduction to SOX (2)
  • Executive officers must
    • Certify effective internal controls
    • Accept personal responsibility and liability for financial reports
  • SOX provides for severe penalties: civil and criminal; may include imprisonment of officials
  • Organizations must plan for repeatable demonstrations of compliance

SOX 404
  • Directly addresses IT in financial reporting
  • Requires attention to internal controls: adequacy and effectiveness
  • Widespread industry acceptance of the need for constant, honest compliance

Achieving Compliance
  • Intro to SOX Compliance
  • Control Framework
  • Testing

Intro to SOX Compliance
  • Identify key processes in the organization
  • Determine how processes are implemented and controlled
  • Determine methods for reporting success
  • Provide coverage across the entire system life: include projects, design, architecture, development, delivery, operations
  • Auditor will examine core processes: adequacy of controls, execution of controls

Control Framework
  • Securities and Exchange Commission (SEC) mandates the COSO framework
  • Public Company Accounting Oversight Board (PCAOB) also supports COSO in Auditing Standard No. 2, "An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements"

COSO Framework
  • See http://www.coso.org
  • Core elements of internal control
    • Control environment
    • Risk assessment
    • Control activities
    • Information and communication
    • Monitoring
  • COSO = Committee of Sponsoring Organizations of the Treadway Commission

CobiT (1)
  • ISACA* defined the Control Objectives for Information and related Technology framework
  • 4 domains, 34 IT processes, 215 control objectives
  • Recommends 12 specific processes for SOX compliance (see CSH6 Section 54.4.3.3). Areas are:
    1. Application software
    2. Technology infrastructure
    3. Operations
    4. Solutions changes
    (cont'd next slide)
  • * Originally the Information Systems Audit and Control Association

CobiT (2)
  • Areas in CobiT for attention in SOX compliance (cont'd)
    5. Changes
    6. Service levels
    7. Third-party services
    8. System security
    9. Configuration
    10. Problems, incidents
    12. Physical environment, operations

Issues
  • Planning and scheduling tests
  • Determining sample sizes
Slide notes: 2012-03-17 updated by MK; 2013-03-04 updated by MK. "Security Audits, Standards and Inspections", Donald Glass, Chris Davis, John Mason, David Gursky, James Thomas, Wendy Carr, and Diane Levine.
