Auditing Corporate Information Security
John R. Robles
Tuesday, November 1, 2005
Email: [email protected]
Tel: 787-647-396

Steps in the Information Security Audit
Plan
Gather data
Analyze and test
Conclude
Report findings

Federal Financial Institutions Examination Council (FFIEC)
Federal Reserve System
Federal Deposit Insurance Corporation (FDIC)
National Credit Union Administration (NCUA)
Office of the Comptroller of the Currency (OCC), and
The Office of Thrift Supervision (OTS)

Information Systems Security Standards based on:
FFIEC Information Technology Examination Handbook
http://www.ffiec.gov/ffiecinfobase/
Audit areas include:
• Audit
• Business Continuity Planning
• Development and Acquisition
• E-Banking
• FedLine
• Information Security
• Management
• Operations
• Outsourcing Technology Services
• Retail Payment Systems
• Supervision of Technology Service Providers
• Wholesale Payment Systems

INFORMATION SECURITY WORKPROGRAM
EXAMINATION OBJECTIVE: Assess the quantity of risk and the effectiveness of the institution’s risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution’s systems.

The objectives and procedures are divided into Tier I and Tier II:
Tier I assesses an institution’s process for identifying and managing risks.
Tier II provides additional verification where risk warrants it.
Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.

Tier 1 Audit Objectives
Objective 1: Determine the appropriate scope for the examination.
Quantity of Risk
Objective 2: Determine the complexity of the institution’s information security environment.
Quality of Risk Management
Objective 3: Determine the adequacy of the risk assessment process.

Objective 4: Evaluate the adequacy of security policies relative to the risk to the institution.
Objective 5: Evaluate the security-related controls embedded in vendor management.
Objective 6: Determine the adequacy of security testing.

Objective 7: Evaluate the effectiveness of enterprise-wide security administration.
Conclusions
Objective 8: Discuss corrective action and communicate findings.

Tier 2 Controls
Access Rights Administration
Authentication
Network Security
Host Security
User Equipment Security
Physical Security
Personnel Security

Tier 2 Controls (Continued)
Application Security
Software Development and Acquisition
Business Continuity Security
Intrusion Detection and Response
Service Provider Oversight Security
Encryption Security
Data Security

Audit to Information Security Standards used by the Information Security department
ISO 17799 – worldwide standard
• http://www.iso.org/iso/en/prodsservices/popstds/informationsecurity.html
COBIT – High Level Standard, www.isaca.org
Industry specific – HIPAA Final Security Standards
Industry specific – FFIEC Standard
NIST

ISO 17799 - This is essentially the set of security controls: the measures and safeguards for potential implementation. In volume it is the main body of the overall 'standard set' itself.
1. Security Policy
2. Security Organization
   Information Security Infrastructure
   Security and Third Party Access
   Outsourcing

3. Asset Classification and Control
   Accountability for assets
   Information Classification
4. Personnel Security
   Security in Job Definition and Resourcing
   User Training
   Responding to Security Incidents and Malfunctions
5. Physical and Environmental Security
   Secure Areas
   Equipment Security
   General Controls

6. Communications and Operations Management
   Operational Procedures and Responsibility
   System Planning and Acceptance
   Protection Against Malicious Software
   Housekeeping
   Network Management
   Media Handling and Security
   Exchanges of Information and Software

7. Access Control
   Business Requirement for Access Control
   User Access Management
   User Responsibilities
   Network Access Control
   Operating System Access Control
   Application Access Management
   Monitoring System Access and Use
   Mobile Computing and Teleworking

8. System Development and Maintenance
   Security Requirements of Systems
   Security in Application Systems
   Cryptographic Controls
   Security of System Files
   Security in Development and Support Processes
9. Business Continuity Management
   Aspects of Business Continuity Management
10. Compliance
   Compliance with Legal Requirements
   Reviews of Security Policy and Technical Compliance
   System Audit Considerations

COBIT—IT Control Framework
Four (4) IT Domains and 34 Processes
PLAN AND ORGANISE
PO1—Define a strategic IT plan
PO2—Define the information architecture
PO3—Determine the technological direction
PO4—Define the IT organization and relationships
PO5—Manage the IT investment
PO6—Communicate management aims and direction
PO7—Manage human resources
PO8—Ensure compliance with external requirements
PO9—Assess risks
PO10—Manage projects
PO11—Manage quality

ACQUIRE AND IMPLEMENT
AI1—Identify automated solutions
AI2—Acquire and maintain application software
AI3—Acquire and maintain technology infrastructure
AI4—Develop and maintain procedures
AI5—Install and accredit systems
AI6—Manage changes

DELIVER AND SUPPORT
DS1—Define and manage service levels
DS2—Manage third-party services
DS3—Manage performance and capacity
DS4—Ensure continuous service
DS5—Ensure systems security
DS6—Identify and allocate costs
DS7—Educate and train users
DS8—Assist and advise customers
DS9—Manage the configuration
DS10—Manage problems and incidents
DS11—Manage data
DS12—Manage facilities
DS13—Manage operations

MONITOR AND EVALUATE
M1—Monitor the processes
M2—Assess internal control adequacy
M3—Obtain independent assurance
M4—Provide for independent audit

Test Controls
Document Findings
Prepare Report and present recommendations to management

Thank You!
John R. Robles
Email: [email protected]
Tel: 787-647-396
http://home.coqui.net/jrobles