Auditing Security and Business Continuity Management Rob Kloots – CISA CISM CRISC, Owner, TrustingtheCloud 1 Berlin, June 2012
Page 1

Auditing Security and Business Continuity Management

Rob Kloots – CISA CISM CRISC,

Owner, TrustingtheCloud

Berlin, June 2012

Page 2

Auditing Security and Business Continuance Management

Content

• 2012 Risk Landscape

• Some definitions, models & standards

• Audit & Control

– Information security governance

– Administration of user access, passwords

– Access security controls

– Remote access and third parties

– User awareness

– How to deal with an IT system crash? What to do and how to continue?

Page 3

2012 Risk Landscape

PWC Global Internal Audit survey

2012: The risks ahead

Intensifying economic and financial market uncertainty

Increased regulation and changes in government policy

Data security threats and reputation

Mergers and acquisitions risks

Page 4

More attention required

Page 5

Importance of IA's contribution to monitoring each risk

Page 6

More IA audit capacity planned

Page 7

Definition of Internal Auditing

The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.

Page 8

Definition of Business Continuity Management

BCM is defined by the British Standards Institute (BSI) as:

'an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation brand and value creating activities'.

Business Continuity is defined by the International Standards Organization as the:

"capability of the organization to continue delivery of services or products at acceptable predefined levels following disruptive incidents"*

*Source ISO 22300 Vocabulary

Page 9

Principles of ICT Continuity

Protect—Protecting the ICT environment from ...

Detect—Detecting incidents at the earliest opportunity ...

React—Reacting to an incident in the most appropriate manner ...

Recover—Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data.

Operate—Operating in disaster recovery mode until return to normal is possible may require some time and necessitate “scaling up” disaster recovery operations to support increasing business volumes that need to be serviced over time.

Return—Devising a strategy for every IT continuity plan allows an organization to migrate back from disaster recovery mode to a position in which it can support normal business.

Page 10

Business Continuity within Management

Page 11

BCP details

BUSINESS CONTINUITY PLANNING

1. Project Foundation
2. Business Assessment
3. Strategy Selection
4. Plan Development
5. Testing and Maintenance

1. PROJECT FOUNDATION

Business Continuity Planning Evaluation
Plan Management
Business Impact Analysis
Recovery Strategies
Plan Development
Plan Maintenance
Plan Testing

2. BUSINESS ASSESSMENT

Risk Assessment
Information Protection
Protection
Detection
Response
Business Impact Analysis (BIA)

4. PLAN DEVELOPMENT

#1 - Develop Response and Recovery Teams
#2 - Develop Draft Action Plan
#3 - Prioritize Action Plan Execution
#4 - Document General Plan Sections
#5 - Document the Technical Recovery Processes

Page 12

Basic terms used in a standard

Business Continuity Management System (BCMS) – the part of an overall management system that ensures business continuity is planned, implemented, maintained, and continually improved

Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption – MTPD)

Recovery Time Objective (RTO) – the pre-determined time at which an activity must be resumed, or resources must be recovered

Recovery Point Objective (RPO) – maximum data loss, i.e., minimum amount of data that needs to be restored

Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organization needs to produce after resuming its business operations

Page 13

Trust Services Principles and Criteria

Security - The system is protected against unauthorized access (both physical and logical).

Availability - The system is available for operation and use as committed or agreed.

Processing Integrity - System processing is complete, accurate, timely, and authorized.

Online Privacy - Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.

Confidentiality - Information designated as confidential is protected as committed or agreed.

Page 14

Best Practices For IT Availability And Service Continuity Management

1) Classify systems for criticality.

2) Develop tiers of service for both availability and IT service continuity.

3) Measure availability from the end-user perspective.

4) Include availability and continuity considerations in application development and testing.

Page 15

Incident timeline

Page 16

BS25777 – IT Continuity

Page 17

Information Risk Component

The confidentiality, integrity and availability of information systems must be ensured to protect the business from the risks relating to information technology. An IS audit helps to identify areas where these are vulnerable or inadequately protected through systematic examination and evaluation.

Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur.

Approach to Auditing Business Continuity

The audit of business continuity can be broken into three major components:

– Validating the business continuity plan

– Scrutinizing and verifying preventive and facilitating measures for ensuring continuity

– Examining evidence about the performance of activities that can assure continuity and recovery

Page 18

BIA focus

Recovery Time Objective – "Target time set for resumption of product, service or activity delivery after an incident" (BS 25999:1)

Maximum Tolerable Period of Disruption – "Duration after which an organisation's viability will be irrevocably threatened if product and service delivery cannot be resumed" (BS 25999:1)

Page 19

Risks related to technology

Page 20

Information Assurance Structure

Page 21

ISO 27001 Security

User access / passwords

Access security controls

Infosec governance

Remote access 3rd pty

User awareness

Crash and Restart

Page 22

Risk and Controls

Business Continuity risk profile is prepared for each business function

Controls are set to address risk, in consultation with the support / business function

Weights are assigned to each control according to the type of the control (e.g. a preventative control has the highest weight)

Type of control

Preventative

Corrective

Other entity

Page 23

Example of Risk and Control

Risk: Electricity failure

Controls:

Uninterruptible power supply (UPS)

Generators

Preventive maintenance reports
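The BIA terms from page 12 and page 18 (MTPD/MAO, RTO, RPO), the weighted control types from page 22 and the electricity-failure risk profile above are the raw material of the "validating the business continuity plan" audit component. The following Python is an added example written for this page, not code from the author or the deck: it encodes one business function's BIA targets, its documented recovery strategy, the evidence from its last recovery exercise and its control set, then produces the audit findings a reviewer would raise when targets, strategy, evidence and controls do not line up. The numeric control weights, the sample business functions and their timings are constructed assumptions, not values from the slides.

```python
"""Consistency audit of a BCP against its BIA targets (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta

# Page 22: each control type carries a weight, preventative being the highest.
# The actual numbers are an assumption made for this example.
CONTROL_WEIGHT = {"preventative": 3, "corrective": 2, "other": 1}


@dataclass(frozen=True)
class Control:
    name: str
    kind: str  # one of CONTROL_WEIGHT's keys


@dataclass(frozen=True)
class Activity:
    """One business function with its BIA targets, recovery strategy and evidence."""
    name: str
    mtpd: timedelta             # Maximum Tolerable Period of Disruption (MAO)
    rto: timedelta              # Recovery Time Objective
    rpo: timedelta              # Recovery Point Objective: maximum data loss
    backup_interval: timedelta  # strategy: how often data leaves the system
    tested_recovery: timedelta  # evidence: time achieved in the last exercise
    controls: tuple[Control, ...] = ()


def control_score(activity: Activity) -> int:
    """Weighted sum of the controls in the function's risk profile."""
    return sum(CONTROL_WEIGHT[c.kind] for c in activity.controls)


def audit_activity(activity: Activity) -> list[str]:
    """Return the findings for one business function (empty list = no finding)."""
    findings: list[str] = []
    # An RTO later than the MTPD means the plan resumes the activity only
    # after the organisation's viability is already threatened.
    if activity.rto > activity.mtpd:
        findings.append(f"RTO {activity.rto} exceeds MTPD {activity.mtpd}")
    # Backing up less often than the RPO makes the data-loss target unreachable.
    if activity.backup_interval > activity.rpo:
        findings.append(
            f"backup interval {activity.backup_interval} exceeds RPO {activity.rpo}")
    # Evidence check: the last exercise must show the RTO is actually achievable.
    if activity.tested_recovery > activity.rto:
        findings.append(
            f"last exercise recovered in {activity.tested_recovery}, above RTO {activity.rto}")
    # Page 22: preventative controls weigh most; a profile without one is weak.
    if not any(c.kind == "preventative" for c in activity.controls):
        findings.append("no preventative control in risk profile")
    return findings


def audit_plan(activities: tuple[Activity, ...]) -> dict[str, list[str]]:
    """Findings per business function, keyed by name."""
    return {a.name: audit_activity(a) for a in activities}


# Constructed sample: three business functions, deliberately including the
# electricity-failure controls from page 23 and two planning mismatches.
SAMPLE = (
    Activity("Payment processing",
             mtpd=timedelta(hours=24), rto=timedelta(hours=4),
             rpo=timedelta(minutes=15), backup_interval=timedelta(hours=1),
             tested_recovery=timedelta(hours=3),
             controls=(Control("Uninterruptible power supply (UPS)", "preventative"),
                       Control("Generators", "corrective"),
                       Control("Preventive maintenance reports", "other"))),
    Activity("Payroll",
             mtpd=timedelta(days=5), rto=timedelta(days=7),
             rpo=timedelta(hours=24), backup_interval=timedelta(hours=24),
             tested_recovery=timedelta(days=6),
             controls=(Control("Manual fallback procedure", "corrective"),)),
    Activity("Intranet",
             mtpd=timedelta(days=14), rto=timedelta(days=2),
             rpo=timedelta(hours=24), backup_interval=timedelta(hours=12),
             tested_recovery=timedelta(days=1),
             controls=(Control("Patch management", "preventative"),)),
)

if __name__ == "__main__":
    for name, findings in audit_plan(SAMPLE).items():
        print(f"{name}: {'OK' if not findings else '; '.join(findings)}")
```

Run as written, the payment function is flagged only for an hourly backup that cannot meet a 15-minute RPO, payroll is flagged for an RTO beyond its MTPD and for lacking any preventative control, and the intranet passes. The same structure extends to the auditor's second and third components on page 17: the `backup_interval` field stands in for any preventive or facilitating measure to be verified, and `tested_recovery` for the performance evidence to be examined.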

Page 24

Fail a Security Audit Already -- it's Good for You

Network World — Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing audit every now and then. After all, if you're not failing any audits there are two possible explanations:

1) You have perfect security.

2) You're not trying hard enough.

Page 25

Your turn

Questions ???

Rob Kloots – CISA CISM CRISC,

Owner, TrustingtheCloud

E [email protected]

M +32.499-374713

Page 26

ISO27001 – 14. BCM

Page 27

ISO27001 – 11. AC

Page 28

ISO27001 – 11. ework

Page 29

ISO27001 – 6. EP

Page 30

ISO27001 – 8. HR

Page 31

ISO27001 – 8. HR

Page 32

ISO27001 – 9. PhySec

Page 33

ISO27001 – 10. 3rd pty

Page 34

ISO27001 – 10. Mon

Page 35

ISO27001 – 13. IncMgt