Role of Compliance in Security Audits

Post on 08-Jun-2015


DESCRIPTION

Mumbai June 2012 Meet

TRANSCRIPT

Role of Compliance in Security Audits

Agenda:

• Information Security Compliance
• Memory Techniques for quick revision / recall

Information Security Compliance

• Need for Compliance
• The Five R's for IS Compliance
• ISO 27001: An Introduction
• Steps for ISMS Implementation
• Common Myths on ISO 27001

The Road Ahead:

Information Security and Compliance Relationship

The Five R's of IS Compliance

Reputation
• Protecting the business from the impact of a security breach

Regulation
• Complying with multiple regulations
• Developing a common security and audit framework

Revenue
• Protecting the corporate intellectual property / trade secrets

Resilience
• Ensuring continuity of critical business processes during a disaster

Recession Proofing
• Reduces the spend needed to counter economic pressures, e.g. GRC tools

ISO 27001 : Overview

• ISO 27001 defines best practices for information security management

• A management system should balance physical, technical, procedural, and personnel security

• Without a formal Information Security Management System, there is a greater risk of your security being breached

• Information security is a management process, NOT a technological process

ISO 27001 : Family of Standards

• ISO 27000 – Principles and vocabulary
• ISO 27001 – ISMS requirements
• ISO 27002 – formerly ISO/IEC 17799:2005 (renumbered from 2007 onwards)
• ISO 27003 – ISMS implementation guidelines
• ISO 27004 – ISMS metrics and measurement
• ISO 27005 – ISMS risk management
• ISO 27006 – 27010 – allocated for future use

PDCA Cycle (Plan – Do – Check – Act): Steps for ISMS Implementation

1. Obtain management support
2. Treat as a project
3. Define the scope
4. Write an ISMS Policy
5. Define the Risk Assessment methodology
6. Perform the risk assessment & risk treatment
7. Write the Statement of Applicability
8. Write the Risk Treatment Plan
9. Define how to measure the effectiveness of controls
10. Implement the controls & mandatory procedures
11. Implement training and awareness programs
12. Operate the ISMS
13. Monitor the ISMS
14. Internal audit
15. Management review
16. Corrective and preventive actions

Common Myths about ISO 27001

"The standard requires..."

"We'll let the IT department handle it"

"We'll implement it in a few months"

"This standard is all about documentation"

"The only benefit of the standard is for marketing purposes"

Memory Techniques for Quick Revision

The fun part of learning

• Mnemonics
• Sentence Aid
• Workflow Diagrams
• Colour Coding Differentiation

Memory Techniques

The Road Ahead:

Mnemonics: abbreviated character strings used as an easy memory aid.

How to operate?

Take the first letter of each word or point and arrange them in a "useful" order.

Best Practices:

• For a long mnemonic string, group it into chunks of 2 or 3 for quick recall.
• If the mnemonic comes to resemble a DISTINCT entity or person, assign that entity to the mnemonic for lasting impact.

Mnemonics: Examples

Process Workflow (Plan – Do – Check – Act)

Mnemonic: PDCA

Memory Aid: Imagine a "Pen Drive" of a CA (CA = Certifying Authority)

Mnemonics (contd.): Examples

COBIT Domains:
a) Plan and Organize
b) Acquire and Implement
c) Deliver and Support
d) Monitor and Evaluate

Mnemonic: PADM

Memory Aid: Imagine the PADM श्री (Padma Shri) award.

Sentence Aid: a memory recall technique to easily recall long mnemonic strings "in order".

Advantage: used especially when the mnemonic string is quite long (>= 5 points). Helpful for easy recall.

Example: the mnemonic for the OWASP Top 10 is ICBI CS IF I U.

Sentence Aid Prerequisites: a Sentence Aid MUST be an expression that makes a visual impact on your memory.

Always design a Sentence Aid which is:

a) Mnemonic-workflow oriented (to maintain serial order)
b) Bound to a strong event in your memory
c) A natural progression
d) Written with capital letters indicating the actual points of the mnemonic

Sentence Aid: OWASP Top 10

Mnemonic: ICBI CS IF I U

• Injection
• Cross Site Scripting (XSS)
• Broken Authentication and Session Mgmt
• Insecure Direct Object References
• Cross Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards

EXAMPLE:

Sentence Aid: ICBI का (ICBI's) Counter Strike If Fails, Informs U.

Sentence Aid: OSI Layer Model

Layer 1: Physical layer
Layer 2: Data link layer
Layer 3: Network layer
Layer 4: Transport layer
Layer 5: Session layer
Layer 6: Presentation layer
Layer 7: Application layer

Example:

Sentence Aid: Please Do Not Take Sales Person's Advice

Workflow Diagrams: these figures/diagrams show the direction of flow of a process.

Advantage: they can summarize vast information in an appealing view, so we can readily grasp the "gist" of the process workflow.

Workflow Types:
• Flowcharts
• Hierarchy Diagrams (Pyramids, Topology figures)
• Data Flow Diagrams (DFDs)
• Cyclic Processes

Workflow Type: Flowcharts – Risk Assessment Process (figure)

Workflow Type: Hierarchy Figures (figure)

Workflow Type: Cyclic Process (figure)

Color Coding Differentiation: this technique takes advantage of the fact that we remember figures better when they are filled with different background colors.

Using the same color for related fields helps us distinguish entities of the same genre.

EXAMPLE:

Mnemonic: SOA ACP HSC IB

Sentence Aid: Develop a SOA for ACP to help him pass the HSC exam for IB entrance.

Quotes:

"Imagination is more important than knowledge. For knowledge is limited, whereas imagination embraces the entire world, stimulating progress, giving birth to evolution. It is, strictly speaking, a real factor in scientific research."
-- Albert Einstein

"But in reality, without knowledge, imagination cannot be developed."
-- Wikipedia (on Imagination), after the Einstein quote.

Precautions

• Study the subject matter thoroughly before venturing into memorizing techniques.

• Know WHAT YOUR ABBREVIATION stands for rather than keeping only the mnemonic in mind.

• Memory techniques are only an AID. They are NOT a SUBSTITUTE for comprehensive study.

• They are best utilized AFTER comprehensive study, for REVISION.

THANK YOU !!

Presented By: Manasdeep

Questions?
