Information audits in a perimeter-less world




Jayesh Kamat, Practice Head, Risk Advisory Services, Seclore Partner

The Business Challenge

Information Value
"Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it." - Rear Admiral Grace Murray Hopper

Traditional Perimeter Definition
Traditional definitions of perimeters have relied on a combination of the following concepts:
- Physical locations
- Managed computers
- Applications: business (automation, BI)
- Networks: corporate (LAN, WAN)
- People: employees and contractors
What is the relevance of these constructs today?

Traditional Audit Approach
Information security = information system security: we secure, and assess the security of, information through the security of its containers.
Container-level controls shown on the slide diagram: secure configuration, email controls, application controls, patches and updates, backup and maintenance, access privileges, access logs, authorization and authentication, antivirus, physical and environmental controls, end point security, encryption, data backup, vendor and third-party security, network controls, remote policy enforcement, remote wipe.
Image source: http://www.whoners.com/wp-content/uploads/2011/05/computer-network-support.jpg

The Challenge
- Information flows beyond these traditional assessment perimeters: it travels to people (external consultants, SMEs), to vendor systems and personnel, and across networks.
- Sensitive data is created in many contexts.
- Information must be shared with internal and external stakeholders, partners, vendors and SMEs.
- NDAs and legal contracts with employees and vendors are ineffective and difficult to enforce.
- Methods of sharing confidential data are varied (email, CD, FTP, USB, ...).
- Policies for information security are complex.
- Sensitive data is generated, stored and processed on cloud services/SaaS; data volume and business constraints may not allow for an audit of the providers.
- There is no control over confidential information once it leaves the perimeter.
Image source: http://www.bannerhousing.ie/support.html

Securing Information vs. Information Systems?
Apart from enterprise/perimeter security systems, information itself is protected today using technologies like DLP and IRM.
Slide diagram (labels): an Enterprise / DLP Perimeter containing Policy and Enterprise Server, and an Extended Enterprise covered by IRM; parties shown around it are external auditors, consultants, vendors, customers, telemarketers, lawyers, government and competitors.

The New Paradigm

Change the Paradigm
Along with the regular information system audit, an information security audit itself should be considered:
- Audit information governance and sustenance controls
- Focus on the information itself along with the information system
- Focus on who sends and receives the information, how, and what
- Focus on enforcement of information security (policies, processes)
- Audit reporting and monitoring controls

Governance & Sustenance
Ensure governance and sustenance roles, responsibilities and processes are designed well and that their implementation is effective. A data governance framework or the DSCI DSF guidelines can be adopted for this purpose.
- An established governance framework consisting of roles, responsibilities and accountability
- Established classification schema
- DLP/IRM tool strategy
- Management, reporting and monitoring processes
- User awareness program
Source: DGI Framework from www.datagovernance.com; DSCI - DSF

Focus on Information
Ensure classification policies, data handling policies and processes are designed well and that their implementation is effective. This includes the use of media encryption as well as information encryption, if applicable.
Control design and control effectiveness are assessed for:
- Classification
- Encryption
- Access policies: sender, receiver; access times, expiration
- Automatic enforcement
- User training and enforcement

Reporting & Monitoring
Ensure regular and frequent reporting of incidents is carried out, with timely investigation of all violations.
- Incident management processes: control design and effectiveness
- Investigations and closure
- Program effectiveness
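As an added example (not from the slide deck, nor Seclore's or any IRM product's code), the following Python sketch models the controls the "Focus on Information" and "Reporting & Monitoring" slides ask an auditor to test: a per-document access policy carrying the sender/owner, a recipient list, an access-time window, an expiration and the permitted actions, enforced automatically at request time, with every decision written to an audit log that can be queried for violations and repeat offenders during an investigation. All user names, document ids, timestamps and policy values are constructed for the example.

```python
"""Toy information-rights enforcement with an audit trail (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Policy:
    """Access policy attached to a document by its owner (the sender)."""
    classification: str              # label from the classification schema
    owner: str                       # sender who protected the document
    recipients: FrozenSet[str]       # who may open it
    valid_from: datetime             # access-time window start
    expires_at: datetime             # expiration: no access from this instant on
    allowed_actions: FrozenSet[str]  # e.g. view / print / forward


@dataclass(frozen=True)
class AuditEvent:
    """One enforcement decision, kept for reporting and investigation."""
    ts: datetime
    user: str
    doc_id: str
    action: str
    allowed: bool
    reason: str


class IrmEnforcer:
    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}
        self.log: List[AuditEvent] = []

    def protect(self, doc_id: str, policy: Policy) -> None:
        self._policies[doc_id] = policy

    def request(self, user: str, doc_id: str, action: str, now: datetime) -> bool:
        """Automatic enforcement: decide, then record the decision whatever the outcome."""
        policy = self._policies.get(doc_id)
        if policy is None:
            allowed, reason = False, "unprotected document (fail closed)"
        elif user != policy.owner and user not in policy.recipients:
            allowed, reason = False, "user not in recipient list"
        elif now < policy.valid_from:
            allowed, reason = False, "before access window"
        elif now >= policy.expires_at:
            allowed, reason = False, "policy expired"
        elif action not in policy.allowed_actions:
            allowed, reason = False, f"action {action!r} not permitted"
        else:
            allowed, reason = True, "policy satisfied"
        self.log.append(AuditEvent(now, user, doc_id, action, allowed, reason))
        return allowed

    def violations(self, since: Optional[datetime] = None) -> List[AuditEvent]:
        """Denied requests, optionally limited to a reporting period."""
        return [e for e in self.log if not e.allowed and (since is None or e.ts >= since)]

    def repeat_offenders(self, threshold: int = 2) -> List[str]:
        """Users with at least `threshold` denials: candidates for investigation."""
        counts: Dict[str, int] = {}
        for e in self.violations():
            counts[e.user] = counts.get(e.user, 0) + 1
        return sorted(u for u, c in counts.items() if c >= threshold)


def run_demo() -> IrmEnforcer:
    """Constructed scenario: one protected document, legitimate and denied requests."""
    utc = timezone.utc
    enforcer = IrmEnforcer()
    enforcer.protect("doc-1", Policy(
        classification="Confidential",
        owner="alice",
        recipients=frozenset({"bob"}),
        valid_from=datetime(2024, 1, 1, tzinfo=utc),
        expires_at=datetime(2024, 2, 1, tzinfo=utc),
        allowed_actions=frozenset({"view"}),
    ))
    jan15 = datetime(2024, 1, 15, tzinfo=utc)
    enforcer.request("bob", "doc-1", "view", jan15)                               # allowed
    enforcer.request("bob", "doc-1", "print", jan15)                              # denied: action
    enforcer.request("carol", "doc-1", "view", jan15)                             # denied: not a recipient
    enforcer.request("bob", "doc-1", "view", datetime(2024, 3, 1, tzinfo=utc))    # denied: expired
    enforcer.request("bob", "doc-1", "view", datetime(2023, 12, 1, tzinfo=utc))   # denied: before window
    enforcer.request("dave", "doc-9", "view", jan15)                              # denied: no policy
    return enforcer


if __name__ == "__main__":
    e = run_demo()
    for ev in e.violations():
        print(f"{ev.ts.isoformat()} {ev.user} {ev.doc_id} {ev.action}: {ev.reason}")
    print("repeat offenders:", e.repeat_offenders())
```

The audit points map directly onto the code: control design is the order and completeness of the checks in `request` (an unprotected document is denied rather than silently opened), control effectiveness is whether the log shows the expected denials for constructed test requests, and the reporting and monitoring controls are exercised by `violations` and `repeat_offenders` over a reporting period.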

Audit Framework Creation
IS audit frameworks are usually established based on compliance requirements; augmenting such a framework with DSCI and DGI guidance can help create an information auditing framework.
Inputs to the IS audit framework: privacy laws, COBIT, BS25999, ISO27001, ISO20000, PCI DSS.
Inputs to the information audit framework: DSCI DSF (Data Security) and the Data Governance Framework of the Data Governance Institute (DGI Framework from www.datagovernance.com).
Rationalized audit framework: the requirements (Requirement 1, 2, 3, 4, ...) from both sources are rationalized into a single set of requirements.

In Summary
It is recommended that, along with the traditional information systems audit, an audit of information control design and effectiveness should also be conducted.
Traditional IS audit:
- IT governance, business continuity
- Acquisition, system development control
- Infrastructure and operations
- Info sec management framework
- Physical and environmental controls
IS audit and information audit adds:
- Data governance and sustenance principles
- Data protection, operations
- Incident management, reporting

Thank You!