Page 1: Security Audits, Standards, & Inspections
CSH5 Chapter 54 “Security Audits, Standards and Inspections”
Donald Glass, Chris Davis, John Mason, David Gursky, James Thomas, Wendy Carr, and Diane Levine
Copyright © 2010 M. E. Kabay. All rights reserved.
Dec 19, 2015
Page 2: Topics
- Introduction
- Auditing Standards
- SAS 70 Audits
- Sarbanes-Oxley
- Addressing Multiple Regulations
- Technical Frameworks for IT Audits

Page 3: Introduction (1)
- Non-IT auditors
  - Financial: accuracy/integrity of accounting
  - External: material, macro-level issues (e.g., governance, reporting, legal compliance)
  - Internal: transaction-level controls, protecting assets, validating systems
- Recent legal/regulatory changes affect auditing
  - Especially regulatory compliance
  - Validating protection of mission-critical systems
  - Ensuring that weaknesses in IT infrastructure/security do not affect other parties (who can sue for damages)

Page 4: Introduction (2)
- Management attitudes range from
  - “We have to do this” – part of cost of doing business
  - “Nice to have” (but don’t spend much)
- These attitudes ignore added value from audits
- QUESTION FOR CLASS: WHAT ARE SOME BENEFITS OF AUDITS BEYOND ASSURANCE OF COMPLIANCE?
- Auditing increasingly included in IA training programs & certifications

Page 5: Auditing Standards
- Introduction to ISO
- ISO/IEC 27001
- Gramm-Leach-Bliley Act
- Auditing Standards Conclusions

Page 6: Introduction to ISO
- International Organization for Standardization
  - Nongovernmental cooperative
  - Create, identify, publish industry standards
  - Business & technology (not just IT)
- Member committees work on specific standards
  - Represent best practices
  - E.g., ISO 9000 standards have become world-recognized for quality
- ISO 27000 increasingly accepted as international standard for information security management

Page 7: History of ISO Standards (1)
- British Standard (BS) 7799 published Feb 1995
  - Part 1: Best Practices for Information Security Management
  - Part 2: Specifications for Information Security Management Systems
  - Part 3: Guidelines for Information Security Risk Management

Page 8: History of ISO Standards (2)
- BS 7799 Part 1 became ISO 17799 (Dec 2000) with 10 domains:
  1. Business continuity planning
  2. Systems access control
  3. System development & maintenance
  4. Physical & environmental security
  5. Compliance
  6. Personnel security
  7. Security organization
  8. Computer & operations management
  9. Asset classification & control
  10. Security policy

Page 9: History of ISO Standards (3)
- Later converted ISO 17799 to ISO/IEC 17799:2005
  - IEC = International Electrotechnical Commission (Geneva)
  - Information Technology – Security Techniques – Code of Practice for Information Security Management
- Added objectives, controls
- Updated previous editions to include new technology
  - E.g., wireless networks
- ISO/IEC 27000 goes beyond ISO/IEC 17799 (see next slides)

Page 10: ISO/IEC 27001 (1)
- ISO/IEC 27000: Fundamentals & Vocabulary
- ISO/IEC 27001:2005. ISMS – Requirements
- ISO/IEC 27002:2005. Code of Practice for Information Security Management
- ISO/IEC 27003:2010. ISMS Implementation Guidance
- ISO/IEC 27004*. Information Security Management Measurement
- ISO/IEC 27005*. Information Security Risk Management
- ISO/IEC 27006:2007. Requirements for Bodies Providing Audit and Certification of Information Security Management Systems

Notes: ISMS = information security management system. * Under development as of March 2010.

Page 11: ISO/IEC 27001 (2)
- ISO/IEC 27001
  - Similar to OECD guidance on security of IS & NW
  - Includes PDCA cycle
    - Plan-Do-Check-Act
    - Invented by W. Edwards Deming (1950s)
- Certification
  - Indicates formal compliance with standards
  - Business benefits (public visibility to stakeholders)
  - Operational benefits (fewer errors, better response, greater resilience)

Page 12: Gramm-Leach-Bliley Act
- Financial Services Modernization Act of 1999 = GLBA
- Regulates security of consumers’ personal financial information
- Also protects

Page 13: Auditing Standards Conclusions

Page 14: SAS 70 Audits
- Introduction to SAS 70
- Cost and Benefits of SAS 70 Audits
- SAS 70 Audits Conclusion

Page 15: Introduction to SAS 70

Page 16: Cost and Benefits of SAS 70 Audits

Page 17: SAS 70 Audits Conclusion

Page 18: Sarbanes-Oxley
- Introduction to SOX
- Section 404
- Achieving Compliance
- Audit and Certification
- SOX Conclusion

Page 19: Introduction to SOX

Page 20: Section 404

Page 21: Achieving Compliance

Page 22: Audit and Certification

Page 23: SOX Conclusion

Page 24: Addressing Multiple Regulations
- Publicly Available Security Publications
- Federal Information Systems Management Act (FISMA)
- Risk Framework
- Multiple Regulations and IS Audits Conclusion

Page 25: Publicly Available Security Publications

Page 26: Federal Information Systems Management Act (FISMA)

Page 27: Risk Framework

Page 28: Multiple Regulations and IS Audits Conclusion

Page 29: Technical Frameworks for IT Audits
- Framework 1: People, Processes, Tools & Measures
- Framework 2: STRIDE
- Framework 3: PDIO
- General Best Practices
- Technical Frameworks Conclusion

Page 30: Framework 1: People, Processes, Tools & Measures

Page 31: Framework 2: STRIDE

Page 32: Framework 3: PDIO

Page 33: General Best Practices

Page 34: Technical Frameworks Conclusion