Role of Compliance in Security Audits
Agenda:
• Information Security Compliance
• Memory Techniques for quick revision / recall
Information Security Compliance
The Road Ahead:
• Need for Compliance
• The Five R's for IS Compliance
• ISO 27001: An Introduction
• Steps for ISMS Implementation
• Common Myths on ISO 27001
Information Security and Compliance Relationship (diagram)
The Five R's of IS Compliance
Reputation • Protecting the business from the impact of a security breach
Regulation • Complying with multiple regulations • Developing a common security and audit framework
Revenue • Protecting corporate intellectual property / trade secrets
Resilience • Ensuring continuity of critical business processes during a disaster
Recession Proofing • Reduces the spend needed to counter economic pressures, e.g. GRC tools
ISO 27001: Overview
• ISO 27001 defines best practices for information security management
• A management system should balance physical, technical, procedural, and personnel security
• Without a formal Information Security Management System, there is a greater risk of your security being breached
• Information security is a management process, NOT a technological process
ISO 27001: Family of Standards
• ISO 27000 – Principles and vocabulary
• ISO 27001 – ISMS requirements
• ISO 27002 – ISO/IEC 17799:2005 (renumbered as 27002 from 2007 onwards)
• ISO 27003 – ISMS implementation guidelines
• ISO 27004 – ISMS metrics and measurement
• ISO 27005 – ISMS risk management
• ISO 27006 – 27010 – allocated for future use
PDCA Cycle: Steps for ISMS Implementation (cycle diagram)
Steps for ISMS Implementation
1. Obtain management support
2. Treat as a project
3. Define the scope
4. Write an ISMS Policy
5. Define the Risk Assessment methodology
6. Perform the risk assessment & risk treatment
7. Write the Statement of Applicability
8. Write the Risk Treatment Plan
9. Define how to measure the effectiveness of controls
10. Implement the controls & mandatory procedures
11. Implement training and awareness programs
12. Operate the ISMS
13. Monitor the ISMS
14. Internal audit
15. Management review
16. Corrective and preventive actions
Common Myths about ISO 27001
"The standard requires..."
"We'll let the IT department handle it"
"We'll implement it in a few months"
"This standard is all about documentation"
"The only benefit of the standard is for marketing purposes"
Memory Techniques for Quick Revision
The fun part of learning
Memory Techniques
The Road Ahead:
• Mnemonics
• Sentence Aid
• Workflow Diagrams
• Colour Coding differentiation
Mnemonics
Abbreviated character strings used as an easy memory aid.
How to operate?
Take the first letter of each point and arrange the letters in a "useful" order.
Best practices: for a long mnemonic string, group it into chunks of 2 or 3 for quick recall.
If the mnemonic comes to resemble a DISTINCT entity or person, associate that entity with the mnemonic for lasting impact.
Mnemonics Examples:
Process Workflow (Plan – Do – Check – Act)
Mnemonic: PDCA
Memory Aid: Imagine the "Pen Drive" of a CA (CA = Certifying Authority)
Mnemonics (contd.) Examples:
COBIT Domains: a) Plan and Organize b) Acquire and Implement c) Deliver and Support d) Monitor and Evaluate
Mnemonic: PADM
Memory Aid: Imagine the "PADM Shri" (PADM श्री) Award
Sentence Aid
A memory recall technique to easily recall long mnemonic strings "in order".
Advantage: used especially when the mnemonic string is quite long (>= 5 points). Helpful for easy recall.
Example: the mnemonic for the OWASP Top 10 is: ICBI CS IF I U
Sentence Aid Prerequisites: a Sentence Aid MUST be an expression making a visual impact on your memory.
Always design a Sentence Aid which is:
a) Mnemonic workflow oriented (to maintain serial order)
b) Bound to a strong event in your memory
c) A natural progression
d) Written with capital letters indicating the actual points of the mnemonic.
Sentence Aid: OWASP Top 10
Mnemonic: ICBI CS IF I U
• Injection
• Cross Site Scripting (XSS)
• Broken Authentication and Session Mgmt
• Insecure Direct Object References
• Cross Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
EXAMPLE:
Sentence Aid: ICBI का Counter Strike If Fails, Informs U.
Sentence Aid Example: OSI Layer Model
Layer 1: Physical layer
Layer 2: Data link layer
Layer 3: Network layer
Layer 4: Transport layer
Layer 5: Session layer
Layer 6: Presentation layer
Layer 7: Application layer
Sentence Aid: Please Do Not Take Sales Person's Advice
Workflow Diagrams
These figures/diagrams give the directive flow of the process.
Advantage: they can summarize vast information in an appealing view.
We can readily grasp the "gist" of the process workflow.
Workflow types are: • Flowcharts • Hierarchy Diagrams (Pyramids, Topology figures) • Data Flow Diagrams (DFDs) • Cyclic Processes
Workflow Type: Flowcharts – Risk Assessment Process (diagram)
Workflow Type: Hierarchy Figures (diagram)
Workflow Type: Cyclic Process (diagram)
Color Coding Differentiation
This technique takes advantage of the fact that we remember figures better when they are filled with different background colors.
Using the same color for related fields helps us to distinguish entities of the same genre.
Color Coding Differentiation EXAMPLE:
Mnemonic: SOA ACP HSC IB
Sentence Aid: Develop a SOA for ACP to help him pass HSC exam for IB entrance.
Quotes:
"Imagination is more important than knowledge. For knowledge is limited, whereas imagination embraces the entire world, stimulating progress, giving birth to evolution. It is, strictly speaking, a real factor in scientific research." -- Albert Einstein
"But in reality, without knowledge, imagination cannot be developed." -- Wikipedia (on Imagination), after the Einstein quote.
Precautions
Study the subject matter thoroughly before venturing into memorizing techniques.
Know WHAT YOUR ABBREVIATION stands for rather than keeping only the mnemonic in mind.
Memory techniques are only an AID. They are NOT a SUBSTITUTE for comprehensive study.
They are best utilized for REVISION, AFTER comprehensive study.
THANK YOU !!
Presented By: Manasdeep
Questions?