Auditing in the New Millennium:
|
|
- Alexis Gilbert
- 7 years ago
- Views:
Transcription
1 : Information Technology Controls and Network Vulnerability Assessments Ernie Barany, CPA, CPT, CEH Principal Auditor Dan Altobelli, CPA, CISA, CEH Principal Auditor 1
2 When you think of IT auditing, is this what you think of? 2
3 When you think of IT auditing, is this what you think of? 3
4 Why you have to know some IT: - Most controls are handled by the application - Everyone has a web application now - Why steal, when you can get the computer to do it for you? - Information is one of the most valuable assets - Those pesky auditing standards 4
5 Overview 1. The OSA IT Controls Framework 2. What the heck is a network vulnerability assessment (NVA)? 3. The purpose of information security 4. Scope and objectives of a NVA 5
6 Overview 5. Criteria/benchmarks 6. Audit procedures and testing 7. Reporting the results 8. Audit Findings 6
7 OSA IT Controls Framework Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 7
8 Integrated Audit Approach Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 8
9 Integrated Audit Approach Network Security Controls Perimeter Security Internal Network Operations - Documenting of the business processes and controls the organization uses. General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security - Used to help in determining risk areas - Testing of controls focused only on the business processes in the audit scope. Application Controls - Includes manual and automated controls and their interaction. Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 9
10 Integrated Audit Approach Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) - General controls audit work is limited by the scope of the audit - Agency vs OIT - Third-party vendors - Authorization is limited to controls that appear in the business process being audited. - No OS or network 10
11 Application Audit Network Security Controls Perimeter Security Internal Network Operations - ALL business processes are in the scope of the audit General Controls - Testing of system controls will include point-in-time as well as past transactions Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security - Often will utilize a test environment - Focuses on the automated controls: is the application operating as intended Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 11
12 Application Audit Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) - All general controls are covered, unless previously audited - Does not matter who is responsible for the control - Authorization is a complete review of all users and their access - May touch on server configuration and some network as they relate to the application and its data. 12
13 Network Vulnerability Assessment Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) Business Process Controls (Manual and/or Automated) 13
14 Network Vulnerability Assessment Network Security Controls Perimeter Security Internal Network Operations General Controls Logical Access: Authentication (if pass-through) Security Management Change Management Contingency Planning Physical Security - Focus is on network security controls Application Controls Logical Access: Authorization and Authentication (if authentication is application specific) - General controls are selected based on preliminary work for impact on the network not all general controls are included. Business Process Controls (Manual and/or Automated) - Logical access = network logon, and falls in the Internal Operations area. 14
15 What is a Vulnerability Assessment? The process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example the communications infrastructure or water infrastructure of a region). Our focus is on computer networks, though infrastructure and facility do come into play 15
16 Vulnerability Assessment vs. Penetration Test List-oriented (NVA) vs. goal-oriented (PT) Auditing in the New Millennium A Network Vulnerability Assessment is designed to yield a prioritized list of vulnerabilities For an organization that is not sure where they are Verify results and report may not exploit Prioritize vulnerabilities by risk and provide remediation 16
17 Vulnerability Assessment vs. Penetration Test List-oriented (NVA) vs. goal-oriented (PT) Auditing in the New Millennium Penetration Test has the goal of breaching security. For organization comfortable with security posture Report every instance where security was breached May not identify and exploit all weaknesses 17
18 The Purpose of Information Security It s all about loss. Reputation, financial assets, citizen goodwill, operations uptime, computing resources, personnel productivity, intellectual property, liability protection Personally Identifiable Information (PII) of citizens would open the liability of lawsuits and expose the state to excessive costs Confidential Information (CI) of state operations could expose any number of risks 18
19 The Purpose of Information Security Public entities are charged with protecting their information assets from unauthorized disclosure, modification, or loss. To this end, state entities spend taxpayer dollars on information technology security infrastructure, personnel, training, etc. Our reviews assess the effectiveness and efficiency of that infrastructure in achieving its goals. 19
20 Possible scope items: NVA Scope All entity information technology resources and other resources that the entity has stewardship over, both on the perimeter and internal. IT strategic planning and other aspects of Security Management like policies and procedures. The change control process of the entity, focused on network configuration changes. 20
21 Possible scope items: NVA Scope Business Continuity/Disaster Recovery plans in place in the event of processing disruptions. Physical security in place to protect the entity s IT infrastructure. 21
22 Audit Objectives Overall: To determine the adequacy of security controls over the entity s computer network by: 1. Evaluating the security planning and management process of the entity. 2. Determining the risk of unauthorized logical access to devices on the network. 22
23 Audit Objectives 3. Evaluating the adequacy of the entity s business continuity plan to ensure continued operations. 4. Verifying that changes to the network and its devices are properly implemented and documented. 5. Evaluating the adequacy of physical security controls that protect network devices. 23
24 Criteria and Benchmarks There is no one agreed upon standard for performing NVAs this makes it the hardest part of evaluating. We have developed a standard which is a combination of OSSTMM, PTES, FISCAM, CObIT, Yellow Book standards, etc (ABCDEFGHIJKLM..) Private companies performing these services do not have the audit documentation requirements that we do. 24
25 Criteria and Benchmarks OSA process to determine criteria for an NVA: Is it a credible/ adequate standard? Y Measure performance vs their standard Report deficiencies in performance Document policies and practices in place Does the entity follow a standard? N Y Do their policies and practices satisfy industry standards? N Y N Report deficiencies in standard Report deficiencies in policies Measure performance vs industry standards 25
26 Audit Procedures and Testing Preliminary Work Survey Work Risk Assessment Audit Testing and Discussion with IT Management Conclusion Finding Development 26
27 Audit Procedures Approach - We re from the government, and we re here to help - Have continued communication with auditee during testing - High-level issues are brought to management s attention immediately for remediation - Review with auditee prior to finalizing the work to see the status of remediation efforts 27
28 Public Report Reporting the Results Summarizes sensitive findings in less detail than will be reported in the Management Letter. Detailed findings in non-sensitive areas. Auditee response in the sensitive areas is also generalized (detailed remediation is provided separately) 28
29 Management Letter Reporting the Results Not a public document due to the sensitive nature of the contents (vulnerability detail) Used internally by IT management. Because the management letter items are included in summary in the report, they are included in follow up compliance. 29
30 Audit Findings Most Common Audit Findings - Unnecessary ports and services - Unpatched or obsolete software or hardware - Improperly configured devices - Insecure coding - Secure Socket Layer (SSL) issues 30
31 Audit Findings Most Common Audit Findings - Information disclosure - Insecure wireless networks - Network ID maintenance issues - Outdated, untested, or missing disaster recovery documentation - Inadequate policies and procedures 31
32 Questions 32
External Penetration Assessment and Database Access Review
External Penetration Assessment and Database Access Review Performed by Protiviti, Inc. At the request of Internal Audit April 25, 2012 Note: This presentation is intended solely for the use of the management
More informationInformation Technology Security Review April 16, 2012
Information Technology Security Review April 16, 2012 The Office of the City Auditor conducted this project in accordance with the International Standards for the Professional Practice of Internal Auditing
More informationU.S. Department of Energy Office of Inspector General Office of Audits and Inspections
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department
More informationOregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need Attention
Secretary of State Audit Report Jeanne P. Atkins, Secretary of State Gary Blackmer, Director, Audits Division Oregon Employment Department: Computer Programs for Unemployment Tax Returns and Claims Need
More informationPractical Guidance for Auditing IT General Controls. September 2, 2009
Practical Guidance for Auditing IT General Controls Chase Whitaker, CPA, CIA September 2, 2009 About Hospital Corporation of America $28B annual revenue $24B total assets $4.6B EBDITA $673M Net Income
More informationApplication Security in the Software Development Lifecycle
Application Security in the Software Development Lifecycle Issues, Challenges and Solutions www.quotium.com 1/15 Table of Contents EXECUTIVE SUMMARY... 3 INTRODUCTION... 4 IMPACT OF SECURITY BREACHES TO
More informationInformation Security Services
Information Security Services Information Security In 2013, Symantec reported a 62% increase in data breaches over 2012. These data breaches had tremendous impacts on many companies, resulting in intellectual
More informationManaging IT Security with Penetration Testing
Managing IT Security with Penetration Testing Introduction Adequately protecting an organization s information assets is a business imperative one that requires a comprehensive, structured approach to
More informationJuly 6, 2015. Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263
July 6, 2015 Mr. Michael L. Joseph Chairman of the Board Roswell Park Cancer Institute Elm & Carlton Streets Buffalo, NY 14263 Re: Security Over Electronic Protected Health Information Report 2014-S-67
More informationCASE MANAGEMENT SYSTEM
REPORT NO. 2010-197 JUNE 2010 PUBLIC SERVICE COMMISSION CASE MANAGEMENT SYSTEM Information Technology Operational Audit For the Period December 2009 Through March 2010 and Selected Actions from January
More informationInformation System Audit. Arkansas Administrative Statewide Information System (AASIS) General Controls
Information System Audit Arkansas Administrative Statewide Information System (AASIS) General Controls ARKANSAS DIVISION OF LEGISLATIVE AUDIT April 12, 2002 April 12, 2002 Members of the Legislative Joint
More informationPerformance Audit E-Service Systems Security
Performance Audit E-Service Systems Security October 2009 City Auditor s Office City of Kansas City, Missouri 15-2008 October 21, 2009 Honorable Mayor and Members of the City Council: This performance
More informationHealthcare Technology Audit Basics. Session Objectives
Healthcare Technology Audit Basics Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Session Objectives Review information technology basic concepts. Use real world examples to identify and understand healthcare
More information3/17/2015. Healthcare Technology Audit Basics. Session Objectives. Jennifer McGill, CIA, CISA, CGEIT April 20, 2015
Healthcare Technology Audit Basics Jennifer McGill, CIA, CISA, CGEIT April 20, 2015 Session Objectives Review information technology basic concepts. Use real world examples to identify and understand healthcare
More informationUniversity System of Maryland University of Maryland, College Park Division of Information Technology
Audit Report University System of Maryland University of Maryland, College Park Division of Information Technology December 2014 OFFICE OF LEGISLATIVE AUDITS DEPARTMENT OF LEGISLATIVE SERVICES MARYLAND
More informationInformation Technology General Controls And Best Practices
Paul M. Perry, FHFMA, CITP, CPA Alabama CyberNow Conference April 5, 2016 Information Technology General Controls And Best Practices 1. IT General Controls - Why? 2. IT General Control Objectives 3. Documentation
More informationAudit Report. Management of Naval Reactors' Cyber Security Program
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report Management of Naval Reactors' Cyber Security Program DOE/IG-0884 April 2013 Department of Energy Washington,
More informationSoftware as a Service: Guiding Principles
Software as a Service: Guiding Principles As the Office of Information Technology (OIT) works in partnership with colleges and business units across the University, its common goals are to: substantially
More informationPut into test the security of an environment and qualify its resistance to a certain level of attack.
Penetration Testing: Comprehensively Assessing Risk What is a penetration test? Penetration testing is a time-constrained and authorized attempt to breach the architecture of a system using attacker techniques.
More informationCritical Controls for Cyber Security. www.infogistic.com
Critical Controls for Cyber Security www.infogistic.com Understanding Risk Asset Threat Vulnerability Managing Risks Systematic Approach for Managing Risks Identify, characterize threats Assess the vulnerability
More informationSTATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE
STATEMENT OF JOHN E. MCCOY II DEPUTY ASSISTANT INSPECTOR GENERAL FOR AUDITS U.S. DEPARTMENT OF HOMELAND SECURITY BEFORE THE COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM SUBCOMMITTEE ON GOVERNMENT ORGANIZATION,
More informationNetwork Marketing Strategy - Overview of the Colorado Cyber Security Program
COLORADO S CYBERSECURITY ASSESSMENT APPROACH Matt Devlin, CISA, CISM Deputy State Auditor September 30, 2014 Overview Colorado OSA and IT Audit Background State of Colorado IT and InfoSec Organizational
More informationU.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL
U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal
More informationHUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE
PERFORMANCE AUDIT OF HUMAN RESOURCES MANAGEMENT NETWORK (HRMN) SELF-SERVICE DEPARTMENT OF CIVIL SERVICE July 2004 ...The auditor general shall conduct post audits of financial transactions and accounts
More informationIT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results
Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.
More informationETHICAL HACKING 010101010101APPLICATIO 00100101010WIRELESS110 00NETWORK1100011000 101001010101011APPLICATION0 1100011010MOBILE0001010 10101MOBILE0001
001011 1100010110 0010110001 010110001 0110001011000 011000101100 010101010101APPLICATIO 0 010WIRELESS110001 10100MOBILE00010100111010 0010NETW110001100001 10101APPLICATION00010 00100101010WIRELESS110
More informationExternal Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
More informationPatch and Vulnerability Management Program
Patch and Vulnerability Management Program What is it? A security practice designed to proactively prevent the exploitation of IT vulnerabilities within an organization To reduce the time and money spent
More informationLooking at the SANS 20 Critical Security Controls
Looking at the SANS 20 Critical Security Controls Mapping the SANS 20 to NIST 800-53 to ISO 27002 by Brad C. Johnson The SANS 20 Overview SANS has created the 20 Critical Security Controls as a way of
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL The auditor general shall conduct post audits of financial transactions and accounts of the state and of all
More informationKASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES. www.kaspersky.com
KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES www.kaspersky.com EXPERT SERVICES Expert Services from Kaspersky Lab are exactly that the services of our in-house experts, many of them global
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationHanh Do, Director, Information System Audit Division, GAA. SUBJECT: Review of HUD s Information Technology Contingency Planning and Preparedness
Issue Date: August 31, 2006 Audit Report Number 2006-DP-0005 TO: Lisa Schlosser, Chief Information Officer, A FROM: Hanh Do, Director, Information System Audit Division, GAA SUBJECT: Review of HUD s Information
More informationSECURITY CONSIDERATIONS FOR LAW FIRMS
SECURITY CONSIDERATIONS FOR LAW FIRMS Enterprise Risk Management Professional consulting firm that specializes in cyber security Founded in 1998 in Miami, Florida Serves more than 150 clients, locally,
More informationU.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report
U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR
More information4 Testing General and Automated Controls
4 Testing General and Automated Controls Learning Objectives To understand the reasons for testing; To have an idea about Audit Planning and Testing; To discuss testing critical control points; To learn
More informationNEIAF June 18, 2015. IS Auditing 101
NEIAF June 18, 2015 IS Auditing 101 http://www.gao.gov/fiscam/overview Planning Understand the Overall Audit Objectives and Related Scope of the Information System Controls Audit Understand the Entity
More informationChapter 1 The Principles of Auditing 1
Chapter 1 The Principles of Auditing 1 Security Fundamentals: The Five Pillars Assessment Prevention Detection Reaction Recovery Building a Security Program Policy Procedures Standards Security Controls
More informationCITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard
CITY UNIVERSITY OF HONG KONG Information Security Incident Management Standard (Approved by the Information Strategy and Governance Committee in December 2013; revision 1.1 approved by Chief Information
More informationThe ICS Approach to Security-Focused IT Solutions
The ICS Approach to Security-Focused IT Solutions for the State of Mississippi ICS offers a dynamic and comprehensive portfolio of security-driven IT solutions for the State of Mississippi. Taking a proactive
More informationCybersecurity and internal audit. August 15, 2014
Cybersecurity and internal audit August 15, 2014 arket insights: what we are seeing so far? 60% of organizations see increased risk from using social networking, cloud computing and personal mobile devices
More informationPeopleSoft IT General Controls
PeopleSoft IT General Controls Performance Audit December 2009 Office of the Auditor Audit Services Division City and County of Denver Dennis J. Gallagher Auditor The Auditor of the City and County of
More informationMICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL
MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT THOMAS H. MCTAVISH, C.P.A. AUDITOR GENERAL ...The auditor general shall conduct post audits of financial transactions and accounts of the state and of
More informationIT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:
IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225
More informationDisaster Recovery and Business Continuity Plan
Disaster Recovery and Business Continuity Plan Table of Contents 1. Introduction... 3 2. Objectives... 3 3. Risks... 3 4. Steps of Disaster Recovery Plan formulation... 3 5. Audit Procedure.... 5 Appendix
More informationISO 27001 Controls and Objectives
ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements
More informationBetter secure IT equipment and systems
Chapter 5 Central Services Data Centre Security 1.0 MAIN POINTS The Ministry of Central Services, through its Information Technology Division (ITD), provides information technology (IT) services to government
More informationNationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011
Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8
More informationFEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM
REPORT NO. 2015-007 AUGUST 2014 DEPARTMENT OF EDUCATION FEDERAL FAMILY EDUCATION LOAN PROGRAM (FFELP) SYSTEM Information Technology Operational Audit DEPARTMENT OF EDUCATION Pursuant to Article IX, Section
More informationOffice of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget
Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,
More informationPCI-DSS Penetration Testing
PCI-DSS Penetration Testing Adam Goslin, Co-Founder High Bit Security May 10, 2011 About High Bit Security High Bit helps companies obtain or maintain their PCI compliance (Level 1 through Level 4 compliance)
More informationNetwork and Security Controls
Network and Security Controls State Of Arizona Office Of The Auditor General Phil Hanus IT Controls Webinar Series Part I Overview of IT Controls and Best Practices Part II Identifying Users and Limiting
More informationPreparing for the HIPAA Security Rule
A White Paper for Health Care Professionals Preparing for the HIPAA Security Rule Introduction The Health Insurance Portability and Accountability Act (HIPAA) comprises three sets of standards transactions
More informationWEB APPLICATION SECURITY ASSURANCE STANDARDS. Version 1.6
WEB APPLICATION SECURITY ASSURANCE STANDARDS Version 1.6 March 25, 2014 Table of Contents Document Control... 3 NOTES to Reviewers... 4 Introduction... 5 Conceptual Framework of the Standards... 5 1. Level
More informationOFFICE OF THE CITY AUDITOR
CITY OF SAN ANTONIO OFFICE OF THE CITY AUDITOR Audit of Information Technology Services Department Project No. AU10-012 September 1, 2011 Audit of Information Technology Services Department Executive Summary
More informationHoneywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014
Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Process Solutions (HPS) June 4, Industrial Cyber Security Industrial Cyber Security is the leading provider of cyber security
More informationFour Top Emagined Security Services
Four Top Emagined Security Services. www.emagined.com Emagined Security offers a variety of Security Services designed to support growing security needs. This brochure highlights four key Emagined Security
More informationFederal Communications Commission Office of Inspector General. FY 2003 Follow-up on the Audit of Web Presence Security
Federal Communications Commission Office of Inspector General FY 2003 Follow-up on the Audit of Web Presence Security Audit Report No. 03-AUD-09-21 October 20, 2004 TABLE OF CONTENTS Page EXECUTIVE SUMMARY
More informationPOSTAL REGULATORY COMMISSION
POSTAL REGULATORY COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT INFORMATION SECURITY MANAGEMENT AND ACCESS CONTROL POLICIES Audit Report December 17, 2010 Table of Contents INTRODUCTION... 1 Background...1
More informationAudit Report. The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013
Audit Report The Social Security Administration s Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,
More informationSimplifying Security & Compliance Innovating IT Managed Services. Data Security Threat Landscape and IT General Controls
Simplifying Security & Compliance Innovating IT Managed Services Data Security Threat Landscape and IT General Controls Audit Standards and IT General Controls General IT controls discussed in AUC Section
More informationDefense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks
Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks A look at multi-vendor access strategies Joel Langill TÜV FSEng ID-1772/09, CEH, CPT, CCNA Security Consultant / Staff
More informationGE Measurement & Control. Cyber Security for NEI 08-09
GE Measurement & Control Cyber Security for NEI 08-09 Contents Cyber Security for NEI 08-09...3 Cyber Security Solution Support for NEI 08-09...3 1.0 Access Contols...4 2.0 Audit And Accountability...4
More informationNetwork Security Audit. Vulnerability Assessment (VA)
Network Security Audit Vulnerability Assessment (VA) Introduction Vulnerability Assessment is the systematic examination of an information system (IS) or product to determine the adequacy of security measures.
More informationEffectively Assessing IT General Controls
Effectively Assessing IT General Controls Tommie Singleton UAB AGENDA Introduction Five Categories of ITGC Control Environment/ELC Change Management Logical Access Controls Backup/Recovery Third-Party
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationTwo Approaches to PCI-DSS Compliance
Disclaimer Copyright Michael Chapple and Jane Drews, 2006. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes,
More informationTOP 10 Security Questions Introduction Breaches and other privacy and security incidents in healthcare are on the rise due to the vast size of the industry and the oneoffs of protected health information
More informationDATABASE SECURITY CITYWIDE REPORT NO.
SPECIAL AUDIT REPORT OF DATABASE SECURITY CITYWIDE REPORT NO. 11-103 City of Albuquerque Office of Internal Audit Database Security Citywide Report No. 11-103 Executive Summary The Office of Internal Audit
More informationEVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014
U.S. Department of Energy Office of Inspector General Office of Audits and Inspections EVALUATION REPORT The Department of Energy's Unclassified Cybersecurity Program 2014 DOE/IG-0925 October 2014 Department
More informationVulnerability Management. Information Technology Audit. For the Period July 2010 to July 2011
O L A OFFICE OF THE LEGISLATIVE AUDITOR STATE OF MINNESOTA FINANCIAL AUDIT DIVISION REPORT Vulnerability Management Information Technology Audit For the Period July 2010 to July 2011 May 22, 2012 Report
More informationUnderstanding Vulnerability Management Life Cycle Functions
Research Publication Date: 24 January 2011 ID Number: G00210104 Understanding Vulnerability Management Life Cycle Functions Mark Nicolett We provide guidance on the elements of an effective vulnerability
More informationHITRUST CSF Assurance Program
HITRUST CSF Assurance Program Simplifying the Meaningful Use Privacy and Security Risk Assessment September 2010 Table of Contents Regulatory Background CSF Assurance Program Simplifying the Risk Assessment
More informationNetwork Security: Policies and Guidelines for Effective Network Management
Network Security: Policies and Guidelines for Effective Network Management Department of Electrical and Computer Engineering, Federal University of Technology, Minna, Nigeria. jgkolo@gmail.com, usdauda@gmail.com
More informationFeedback Ferret. Security Incident Response Plan
Feedback Ferret Security Incident Response Plan Document Reference Feedback Ferret Security Incident Response Plan Version 3.0 Date Created June 2013 Effective From 20 June 2013 Issued By Feedback Ferret
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationEVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07
EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014
More informationLibrary Systems Security: On Premises & Off Premises
Library Systems Security: On Premises & Off Premises Guoying (Grace) Liu University of Windsor Leddy Library Huoxin (Michael) Zheng Castlebreck Inc. CLA 2015 Annual Conference, Ottawa, June 5, 2015 Information
More informationUF Risk IT Assessment Guidelines
Who Should Read This All risk assessment participants should read this document, most importantly, unit administration and IT workers. A robust risk assessment includes evaluation by all sectors of an
More informationCompliance. Review. Our Compliance Review is based on an in-depth analysis and evaluation of your organization's:
Security.01 Penetration Testing.02 Compliance Review.03 Application Security Audit.04 Social Engineering.05 Security Outsourcing.06 Security Consulting.07 Security Policy and Program.08 Training Services
More informationWhy SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)?
SaaS vs. COTS Why SaaS (Software as a Service) and not COTS (Commercial Off The Shelf software)? Unlike COTS solutions, SIMCO s CERDAAC is software that is offered as a service (SaaS). This offers several
More informationAn Overview of Information Security Frameworks. Presented to TIF September 25, 2013
An Overview of Information Security Frameworks Presented to TIF September 25, 2013 What is a framework? A framework helps define an approach to implementing, maintaining, monitoring, and improving information
More informationInformation Technology Internal Controls Part 2
IT Controls Webinar Series Information Technology Internal Controls Part 2 Presented by the Arizona Office of the Auditor General October 23, 2014 Part I Overview of IT Controls and Best Practices Part
More informationDefending the Database Techniques and best practices
ISACA Houston: Grounding Security & Compliance Where The Data Lives Mark R. Trinidad Product Manager mtrinidad@appsecinc.com March 19, 2009 Agenda Understanding the Risk Changing threat landscape The target
More informationU.S. Department of the Interior Office of Inspector General AUDIT REPORT
U.S. Department of the Interior Office of Inspector General AUDIT REPORT GENERAL CONTROL ENVIRONMENT OF THE FEDERAL FINANCIAL SYSTEM AT THE RESTON GENERAL PURPOSE COMPUTER CENTER, U.S. GEOLOGICAL SURVEY
More informationRajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np
Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np Meaning Why is Security Audit Important Framework Audit Process Auditing Application Security
More informationAyla Networks, Inc. SOC 3 SysTrust 2015
Ayla Networks, Inc. SOC 3 SysTrust 2015 SOC 3 SYSTRUST FOR SERVICE ORGANIZATIONS REPORT July 1, 2015 To December 31, 2015 Table of Contents SECTION 1 INDEPENDENT SERVICE AUDITOR S REPORT... 2 SECTION 2
More informationDepartment of Veterans Affairs
OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2010 May 12, 2011 10-01916-165 FISMA NIST OIG OMB POA&M ACRONYMS AND ABBREVIATIONS
More informationCRISC Glossary. Scope Note: Risk: Can also refer to the verification of the correctness of a piece of data
CRISC Glossary Term Access control Access rights Application controls Asset Authentication The processes, rules and deployment mechanisms that control access to information systems, resources and physical
More information¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ à Securities and Exchange Board of India
CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing
More informationREGULATIONS FOR THE SECURITY OF INTERNET BANKING
REGULATIONS FOR THE SECURITY OF INTERNET BANKING PAYMENT SYSTEMS DEPARTMENT STATE BANK OF PAKISTAN Table of Contents PREFACE... 3 DEFINITIONS... 4 1. SCOPE OF THE REGULATIONS... 6 2. INTERNET BANKING SECURITY
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationInformation Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis
Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationOPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE
OPERATIONAL CAPABILITY TECHNOLOGY QUESTIONNAIRE Please provide all relevant documents responsive to the information requests listed within each area below. In addition to the specific documents requested,
More informationBUILDING AN OFFENSIVE SECURITY PROGRAM BUILDING AN OFFENSIVE SECURITY PROGRAM
BUILDING AN OFFENSIVE SECURITY PROGRAM Common Gaps in Security Programs Outsourcing highly skilled security resources can be cost prohibitive. Annual assessments don t provide the coverage necessary. Software
More informationLAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable
More informationIndustrial Cyber Security. Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities
Industrial Cyber Security Complete Solutions to Protect Availability, Safety and Reliability of Industrial Facilities WE HEAR ABOUT CYBER INCIDENTS EVERY DAY IN THE NEWS, BUT JUST HOW RELEVANT ARE THESE
More informationInformation Technology Operational Audit DEPARTMENT OF STATE. Florida Voter Registration System (FVRS) Report No. 2016-002 July 2015
July 2015 Information Technology Operational Audit DEPARTMENT OF STATE Florida Voter Registration System (FVRS) Sherrill F. Norman, CPA Auditor General Secretary of State Section 20.10, Florida Statutes,
More information