
INFORMATION SECURITY AND MANAGEMENT SYSTEM 2011

SECURITY AUDITING & ISMS


5/23/2011

PURPOSE OF AUDITS
1. Federal, state, and local governments depend heavily on information systems security measures to avoid data tampering, fraud, inappropriate access to and disclosure of sensitive information, and disruptions in critical operations.
2. These measures include planning, developing a strategy, implementing the capability, and assessing results.

SECURITY AUDITING OBJECTIVES
1. To ensure the confidentiality, integrity and availability of data.
2. To protect hardware, software, and data from environmental threats.
3. To ensure proper management, design, performance and reliability of components.

Risks involved
1. Disclosure of corporate confidential data and information.
2. Unauthorized access to information systems and facilities.
3. Fraud.
4. Theft of data or other information assets.
5. Modification or deletion of data and information.
6. Non-compliance with policies, standards, quality requirements and procedures.

Auditing steps
There are four audit steps:
1. Planning and risk assessment
2. Testing of internal controls
3. Substantive procedures
4. Finalization

The purpose of these audit steps is to provide a standard process that is used in every audit. In most organizations, an audit is conducted by the internal audit department or by an external auditing or accounting firm.

1. Planning and risk assessment: typically conducted before the fiscal year end and used to gather information. The auditor takes the time to learn about the industry, regulation, accounting policies, and information systems.
2. Testing internal controls: these processes and procedures are used to ensure that proper approvals are in place before a payment is made or a transaction is entered in the system. The primary method of internal control testing is to randomly select transactions and check the source documentation.
3. Substantive procedures: the process of collecting physical evidence of transactions and verifying that the value posted to a specific account is supported by actual documents.
4. Finalization: the creation of a report to management that summarizes all the procedures used to conduct the audit, the results of the various processes, and the supporting documentation.

Sequence followed with these steps as a base:
1. Previous check
2. Planning and organizing
3. Network control (policies/standards)
4. Network control (hardware and software)
5. Network data standards and data access
6. Hardware and software backup and recovery
7. Software communication
8. Access to network, operating system software and facilities
9. Data encryption and filtering
10. Internet applications
11. Password protection

This security audit program contains over 400 unique tasks divided into 11 areas of audit focus, which are further divided into 38 separate task groupings. The 11 areas of audit focus and objectives are:
Corporate security management
Systems development and maintenance
Information access control management
Compliance management
Human resource security management
Information security incident management
Communications and operations management
Organizational asset management
Physical and environmental security management
Security policy management
Disaster recovery plan and business continuity
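The internal control test described in audit step 2 (randomly selecting transactions and checking that each has an approval and supporting source documentation) can be made repeatable. The following is an added example written for this page, not code from the original document: the ledger records, names and invoice numbers are constructed, and the specific checks (approval present, approver not the requester, source document present) are assumptions about what the control should require.

```python
import random

# Constructed sample ledger (hypothetical data, not from the original page).
# Each record is a payment transaction with the approval and the supporting
# source document an auditor would expect to find on file.
LEDGER = [
    {"id": "T001", "amount": 1200.00, "requested_by": "alice", "approved_by": "bob",   "source_doc": "INV-7781"},
    {"id": "T002", "amount":  480.00, "requested_by": "carol", "approved_by": None,    "source_doc": "INV-7790"},  # no approval
    {"id": "T003", "amount": 9900.00, "requested_by": "dave",  "approved_by": "dave",  "source_doc": "INV-7802"},  # self-approved
    {"id": "T004", "amount":  150.00, "requested_by": "erin",  "approved_by": "bob",   "source_doc": None},        # no source document
    {"id": "T005", "amount": 3100.00, "requested_by": "alice", "approved_by": "frank", "source_doc": "INV-7815"},
    {"id": "T006", "amount":  720.00, "requested_by": "carol", "approved_by": "bob",   "source_doc": "INV-7820"},
]


def select_sample(ledger, size, seed):
    """Randomly select `size` transactions for testing.

    A fixed seed makes the selection reproducible, so the sample can be
    recorded in the audit working papers and drawn again later.
    """
    rng = random.Random(seed)
    return rng.sample(ledger, size)


def check_internal_controls(transactions):
    """Check each transaction against the expected controls.

    Returns a list of (transaction id, exception description) pairs; a
    transaction can appear more than once if it fails several checks.
    """
    exceptions = []
    for tx in transactions:
        if not tx["approved_by"]:
            exceptions.append((tx["id"], "payment made without approval"))
        elif tx["approved_by"] == tx["requested_by"]:
            exceptions.append((tx["id"], "approver is the requester (no segregation of duties)"))
        if not tx["source_doc"]:
            exceptions.append((tx["id"], "no supporting source document"))
    return exceptions


def exception_rate(transactions, exceptions):
    """Fraction of tested transactions that raised at least one exception."""
    if not transactions:
        return 0.0
    flagged = {tx_id for tx_id, _ in exceptions}
    return len(flagged) / len(transactions)


if __name__ == "__main__":
    sample = select_sample(LEDGER, 3, seed=2011)
    found = check_internal_controls(sample)
    for tx_id, reason in found:
        print(f"{tx_id}: {reason}")
    print(f"exception rate in sample: {exception_rate(sample, found):.0%}")
```

The exception rate over the sample is what the auditor compares against the tolerable rate set during planning; a rate above it means the control cannot be relied on and the substantive procedures in step 3 have to be extended.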

INFORMATION SECURITY
Information security means preventing unauthorized access to data and information. It rests on three properties:
Confidentiality: ensuring that information is accessible only to those authorized to have access.
Integrity: safeguarding the accuracy and completeness of information and processing methods.
Availability: ensuring that authorized users have access to information and associated assets when required.

Security does not mean locking everything down, since having data available at the right time is as important as securing it.

HISTORY OF ISO 27001
ISO = International Organization for Standardization. ISO 27001 is the first of a planned series of standards covering information security. It was published by the International Organization for Standardization on 15 Oct 2005, essentially replacing the old BS7799-2 standard. ISO 27001 provides a superset of controls that covers and encompasses all of the security and risk related controls.

The International Organization for Standardization is the world's largest developer and publisher of international standards. It is a network of the national standards institutes of 157 countries, one member per country, with a central secretariat in Geneva, Switzerland, that coordinates the system.

ISO 27001, ISO 17799 & BS7799 STANDARDS

ISO/IEC 17799 = BS 7799 Part 1: Code of practice for information security management
   Provides a comprehensive set of security controls
   Based on best information security practices
   Cannot be used for assessment and registration

ISO 27001 = BS 7799 Part 2
   Specifies requirements for establishing, implementing and documenting an ISMS
   Specifies requirements for the security controls to be implemented
   Can be used for assessment and registration

BS 7799 -> ISO 27001
   Elevation to international standard status
   More organizations are expected to adopt it
   Clarifications and improvements made by the International Organization for Standardization
   Alignment with other ISO standards

ISO 27001 SIX-STAGE PROCESS
1. Define an information security policy
2. Define the scope of the information security management system
3. Perform a security risk assessment
4. Manage the identified risks
5. Select controls to be implemented and applied
6. Prepare a statement of applicability

SECURITY AND RISKS
Assemble a team and agree your strategy
Define the scope
Review consultancy options
Identification of information assets
Determination of the value of information assets
Identification of legal, regulatory and contractual requirements
Determination of risk
Determination of policy (policies) and the degree of assurance required from the controls
Identification of control objectives and controls
Definition of security strategy and organisation
Definition of policies, standards and procedures to implement the controls
Completion of ISMS documentation requirements
Implementation of policies, standards and procedures.
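The middle of that sequence (value the assets, identify legal and contractual requirements, determine risk against the degree of assurance required, then pick control objectives and controls) is what feeds stage 6 of the ISO 27001 process, the statement of applicability. The block below is an added example written for this page, not code from the standard or the original document. The asset register, threat list, the 1-3 scales, the risk formula (asset value x likelihood x impact) and the acceptable-risk threshold are all assumptions chosen to illustrate the method; the control names are taken from the domain list on this page.

```python
from dataclasses import dataclass

# Hypothetical asset register and threat list, constructed for this example.
# Scales run from 1 (low) to 3 (high). The formula and threshold below are
# assumptions for illustration, not values prescribed by ISO 27001.


@dataclass
class Asset:
    name: str
    value: int                      # business value of the asset, 1-3
    legal_requirements: tuple = ()  # controls mandated by law or contract for this asset


@dataclass
class Threat:
    asset: str
    description: str
    likelihood: int                 # 1-3
    impact: int                     # 1-3
    controls: tuple                 # candidate controls that would treat this risk


ASSETS = [
    Asset("customer database", 3,
          legal_requirements=("Data protection and privacy of personal information",)),
    Asset("public web site", 2),
    Asset("office printer", 1),
]

THREATS = [
    Threat("customer database", "malware on database server", 2, 3,
           ("Controls against malicious code", "Back-up")),
    Threat("customer database", "weak administrator passwords", 2, 3,
           ("User password management", "Password management system")),
    Threat("public web site", "defacement via unpatched software", 3, 2,
           ("Control of technical vulnerabilities",)),
    Threat("office printer", "theft of printer", 1, 1,
           ("Physical entry controls",)),
]

RISK_THRESHOLD = 8  # assumed ceiling for acceptable risk; scores at or above it must be treated


def risk_score(asset, threat):
    """Determination of risk: asset value x likelihood x impact (assumed formula)."""
    return asset.value * threat.likelihood * threat.impact


def assess_risks(assets, threats):
    """Return (threat, score) pairs for every threat in the register."""
    by_name = {a.name: a for a in assets}
    return [(t, risk_score(by_name[t.asset], t)) for t in threats]


def statement_of_applicability(assets, threats, threshold=RISK_THRESHOLD):
    """Map every candidate control to a justification.

    A control is applicable when some risk at or above the threshold needs
    it, or when a legal/contractual requirement mandates it regardless of
    score; otherwise the residual risk is recorded as accepted.
    """
    soa = {}
    for threat, score in assess_risks(assets, threats):
        for control in threat.controls:
            if score >= threshold:
                soa[control] = f"applicable: treats '{threat.description}' (risk {score})"
            else:
                # do not downgrade a control already justified by another risk
                soa.setdefault(control, f"not applicable: residual risk {score} accepted")
    for asset in assets:
        for control in asset.legal_requirements:
            soa[control] = f"applicable: legal/contractual requirement for {asset.name}"
    return soa


def selected_controls(soa):
    """Controls to implement, i.e. those the statement marks applicable."""
    return sorted(c for c, why in soa.items() if why.startswith("applicable"))


if __name__ == "__main__":
    for control, why in statement_of_applicability(ASSETS, THREATS).items():
        print(f"{control}: {why}")
```

Recording the justification next to each control, including the "not applicable" ones, is the point of the statement: an assessor checks that every excluded control has an accepted residual risk behind it, and that legally required controls were not dropped just because their computed risk score was low.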

BS7799 contains 10 security domains:

1. Security policy
   Information security policy
      Information security policy document
      Review of the information security policy

2. Security organization
   Internal organization
      Management commitment to information security
      Information security coordination
      Allocation of information security responsibilities
      Authorization process for information processing facilities
      Confidentiality agreements
      Contact with authorities
      Contact with special interest groups
      Independent review of information security
   External parties
      Identification of risks related to external parties
      Addressing security when dealing with customers

3. Asset management
   Responsibility for assets
      Inventory of assets
      Ownership of assets
      Acceptable use of assets
   Information classification
      Classification guidelines
      Information labeling and handling

4. Human resources security
   Prior to employment
      Roles and responsibilities
      Screening
      Terms and conditions of employment
   During employment
      Management responsibilities
      Information security awareness, education and training
      Disciplinary process
   Termination or change of employment
      Termination responsibilities
      Return of assets
      Removal of access rights

5. Physical and environmental security
   Secure areas
      Physical security perimeter
      Physical entry controls
      Securing offices, rooms and facilities
      Protecting against external and environmental threats
      Working in secure areas
      Public access, delivery and loading areas
   Equipment security
      Equipment siting and protection
      Supporting utilities
      Cabling security
      Equipment maintenance
      Security of equipment off premises
      Secure disposal or re-use of equipment
      Removal of property

6. Communications and operations management
   Operational procedures and responsibilities
      Documented operating procedures
      Change management
      Segregation of duties
      Separation of development, test and operational facilities
   Third party service delivery management
      Service delivery
      Monitoring and review of third party services
   System planning and acceptance
      Capacity management
      System acceptance
   Protection against malicious and mobile code
      Controls against malicious code
      Controls against mobile code
   Back-up
   Network security management
      Network controls
      Security of network services
   Media handling
      Management of removable media
      Disposal of media
      Information handling procedures
      Security of system documentation
   Exchange of information
      Information exchange policies and procedures
      Exchange agreements
      Physical media in transit
      Electronic messaging
      Business information systems
   Electronic commerce services
      Electronic commerce
      On-line transactions
      Publicly available information
   Monitoring
      Audit logging
      Monitoring system use
      Protection of log information
      Administrator and operator logs
      Fault logging
      Clock synchronization

7. Access control
   Business requirement for access control
      Access control policy
   User access management
      User registration
      Privilege management
      User password management
   User responsibilities
      Password use
      Unattended user equipment
      Clear desk and clear screen policy
   Network access control
      Policy on use of network services
      User authentication for external connections
      Equipment identification in networks
      Remote diagnostic and configuration port protection
      Segregation in networks
      Network connection control
      Network routing control
   Operating system access control
      Secure log-on procedures
      User identification and authentication
      Password management system
      Use of system utilities
      Session time-out
      Limitation of connection time
   Application and information access control
      Information access restriction
      Sensitive system isolation
   Mobile computing and teleworking
      Mobile computing and communications
      Teleworking

8. Information systems acquisition, development and maintenance
   Security requirements of information systems
      Security requirements analysis and specification
   Correct processing in applications
      Input data validation
      Control of internal processing
      Message integrity
      Output data validation
   Cryptographic controls
      Policy on the use of cryptographic controls
      Key management
   Security of system files
      Control of operational software
      Protection of system test data
      Access control to program source code
   Security in development and support processes
      Change control procedures
      Technical review of applications after operating system changes
      Restrictions on changes to software packages
      Information leakage
      Outsourced software development
   Technical vulnerability management
      Control of technical vulnerabilities

9. Information security incident management
   Reporting information security events and weaknesses
      Reporting information security events
      Reporting security weaknesses
   Management of information security incidents and improvements
      Responsibilities and procedures
      Learning from information security incidents
      Collection of evidence

10. Business continuity management
   Information security aspects of business continuity management
      Including information security in the business continuity management process
      Business continuity and risk assessment
      Developing and implementing continuity plans including information security
      Business continuity planning framework
      Testing, maintaining and re-assessing business continuity plans

11. Compliance
   Compliance with legal requirements
      Identification of applicable legislation
      Intellectual property rights
      Protection of organizational records
      Data protection and privacy of personal information
      Prevention of misuse of information processing facilities
      Regulation of cryptographic controls
   Compliance with security policies and standards, and technical compliance
      Compliance with security policies and standards
      Technical compliance checking
   Information systems audit considerations
      Information systems audit controls
      Protection of information systems audit tools

Figure: the domains of the standard arranged around the ISMS: Security policy; Organization of information security; Asset management; Human resources security; Physical and environmental security; Information systems acquisition, development and maintenance; Access control; Communications and operations management; Information security incident management; Business continuity management; Compliance.

Overall the standard can be summarized as:
Domain areas: 11
Control objectives: 39
Controls: 133

Figure: the Plan-Do-Check-Act cycle of the ISMS, with INPUTS entering and OUTPUTS leaving the cycle.
PLAN: What to do? How to do it?
DO: Do what was planned.
CHECK: Did things happen according to plan?
ACT: How to improve next time?
