Cyber Security Audit and Information Security.pptx

alamba570 65 views 52 slides Sep 05, 2024

About This Presentation

Cyber Security Audit


Slide Content

Information Security Audit

Security Audit Introduction
A security audit is a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system's physical configuration and environment, software, information handling processes, and user practices.

Security Audit Introduction
Security audits are often used to determine regulatory compliance, in the wake of legislation that specifies how organizations must deal with information.

Purpose of Audits
a) Build awareness of current practices and risks
b) Reduce risk by evaluating, planning and supplementing security efforts
c) Strengthen controls, both automated and human
d) Comply with customer and regulatory requirements and expectations
e) Build awareness and interaction between technology and business teams
f) Improve overall IT governance in the organization

Scope of the Audit
As with any audit, a risk assessment should be one of the first steps completed when examining a new process. The risk assessment will help determine whether the process warrants expending a significant amount of audit resources on the project. The scope of the audit depends on the risk. But even for high-risk systems, the scope should be limited to testing the critical internal controls upon which the security of the process depends.

The scope of the audit depends upon:
- Site business plan
- Type of data assets to be protected
- Value or importance of the data and relative priority
- Previous security incidents
- Time available
- Auditors' experience and expertise

What should be covered in audits?

What makes a good security audit?
The IS Auditing Standards developed and published by the Information Systems Audit and Control Association (ISACA) are already in circulation and can be consulted for further information. A good security audit is part of a regular and comprehensive framework of information security.

What makes a good security audit?
A good security audit may likely include the following:
- Clearly defined objectives.
- Coverage of security is comprehensive, cutting across the entire organization. Partial audits may be done for specific purposes.
- The audit team is experienced, independent and objective. Every audit team should consist of at least two auditors to guarantee the independence and objectivity of the audit ("two-person rule").
- There is an unrestricted right to obtain and view information.

What makes a good security audit?
A good security audit may likely include the following:
- Important IS audit meetings, such as the opening and closing meetings as well as the interviews, should be conducted as a team. This procedure ensures objectivity, thoroughness, and impartiality.
- No member of the audit team should have participated directly in supporting or managing the areas to be audited, e.g. they must not have been involved in the development of concepts or the configuration of the IT systems.

What makes a good security audit?
A good security audit may likely include the following:
- When initiating the audit, it should be ensured that actual operations in the organization are not significantly disrupted by it.
- The auditors never actively intervene in systems, and therefore should not provide any instructions for making changes to the objects being audited.
- It is management's responsibility to support the conduct of a fair and comprehensive audit: appropriate communication, appointment of a central point of contact, and other support for the auditors.
- The execution is planned and carried out in a phase-wise manner.

Audit Methodologies
Audits need to be planned and follow a defined methodology in order to cover the total material risks of an organisation. A planned methodology is also important because it clarifies the way forward for everyone in the organisation and in the audit teams. Which methodology and techniques are used is less important than having all the participants within the audit approach the subject in the same manner.

Audit Methodologies
There are two primary methods by which audits are performed:
- Start with the overall view of the corporate structure and drill down to the minutiae; or
- Begin with a discovery process that builds up a view of the organization.

Audit Methodologies
Audit methods may also be classified according to the type of activity. There are three types:
1. Testing – Pen tests and other testing methodologies are used to explore vulnerabilities. In other words, exercising one or more assessment objects to compare actual and expected behaviours.
2. Examination and Review – This includes reviewing policies, processes, logs, other documents, practices, briefings, situation handling, etc. In other words, checking, inspecting, reviewing, observing, studying, or analysing assessment objects.
3. Interviews and Discussion – This involves group discussions, individual interviews, etc.

Auditing techniques
There are various auditing techniques used:
- Examination Techniques
- Target Identification and Analysis Techniques
- Target Vulnerability Validation Techniques

Auditing techniques (Examination Techniques)
Examination techniques are generally conducted manually to evaluate systems, applications, networks, policies, and procedures in order to discover vulnerabilities. These techniques include:
- Documentation review
- Log review
- Ruleset and system configuration review
- Network sniffing
- File integrity checking
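File integrity checking, listed above as an examination technique, as an added example that is not from the presentation: it records a SHA-256 baseline of a directory tree and reports the files added, removed or modified since the baseline was taken. The sample tree and the changes made to it are constructed in a temporary directory.

```python
"""File integrity checking as an examination technique: build a hash baseline
of a directory tree, then compare the live tree against it and report what
changed. Added example, not from the presentation; the sample tree is
constructed in a temporary directory."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root) to its SHA-256 and size.
    Symlinks are skipped so a link cannot redirect the check outside the tree."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": hash_file(path), "size": path.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences between a stored baseline and the current state."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(
            p for p in old & new if baseline[p]["sha256"] != current[p]["sha256"]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF-placeholder")
        baseline_json = json.dumps(build_baseline(root))  # what an auditor would keep

        # Simulated changes since the baseline was taken.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")  # modified
        (root / "etc" / "hosts").unlink()                                    # removed
        (root / "bin" / "extra").write_text("new binary\n")                   # added

        return compare(json.loads(baseline_json), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The stored baseline must itself be protected (kept off the audited host or signed), since a change to the baseline defeats the comparison.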

Auditing techniques (Target Identification and Analysis Techniques)
Testing techniques, generally performed using automated tools, are used to identify systems, ports, services, and potential vulnerabilities. These techniques include:
- Network discovery
- Network port and service identification
- Vulnerability scanning
- Wireless scanning
- Application security examination

Auditing techniques (Target Vulnerability Validation Techniques)
Testing techniques that corroborate the existence of vulnerabilities; these may be performed manually or with automated tools. These techniques include:
- Password cracking
- Penetration testing
- Social engineering
- Application security testing

Security Testing Frameworks
There are numerous security testing methodologies being used today by security auditors for technical control assessment. Four of the most common are as follows:
- Open Source Security Testing Methodology Manual (OSSTMM)
- Information Systems Security Assessment Framework (ISSAF)
- NIST 800-115
- Open Web Application Security Project (OWASP)

Audit as Process
A successful audit will have the following steps:
1. Establish a prioritized list of risks to an organization.
2. Delineate a plan to alleviate those risks.
3. Validate that the risks have been mitigated.
4. Develop an ongoing process to minimize risk.
5. Establish a cycle of reviews to validate the process on a perpetual basis.

Properties of Successful Audit
- Define the security perimeter – what is being examined?
- Describe the components – and be detailed about it.
- Determine threats – what kinds of damage could be done to the systems?
- Delineate the available tools – what documents and tools are in use or need to be created?
- Reporting mechanism – how will you show progress and achieve validation in all areas?
- Review history – is there institutional knowledge about existing threats?

Properties of Successful Audit
- Determine the network access control list – who really needs access to this?
- Prioritize risk – calculate risk as Risk = probability * harm.
- Delineate the mitigation plan – what are the exact steps required to minimize the threats?
- Implement procedures – start making changes.
- Review results.
- Rinse and repeat – schedule the next iteration of the process.
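The "prioritize risk" step above, as an added example that is not part of the presentation: a constructed risk register is ranked with Risk = probability * harm (assuming 1-5 scales for both factors, which the slides do not specify) and the entries at or above a mitigation threshold are handed to the "delineate the mitigation plan" step. Ties are broken in favour of higher harm so a rare but severe event is not buried under a nuisance of equal score.

```python
"""Risk prioritization with the presentation's formula Risk = probability * harm.
Added example, not from the presentation; the register entries are constructed
and the 1-5 scales are an assumption."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1 (rare) .. 5 (almost certain), assumed scale
    harm: int         # 1 (negligible) .. 5 (severe), assumed scale

    @property
    def score(self) -> int:
        return self.probability * self.harm


def prioritize(register, threshold: int = 10):
    """Rank risks by score, breaking ties by higher harm, then by name for a
    stable report. Returns (ranked list, entries needing a mitigation plan)."""
    for r in register:
        if not (1 <= r.probability <= 5 and 1 <= r.harm <= 5):
            raise ValueError(f"{r.name}: scale values must be 1..5")
    ranked = sorted(register, key=lambda r: (-r.score, -r.harm, r.name))
    return ranked, [r for r in ranked if r.score >= threshold]


# Constructed register for the demonstration.
REGISTER = [
    Risk("Unpatched internet-facing web server", probability=4, harm=4),
    Risk("Lost unencrypted laptop", probability=3, harm=4),
    Risk("Data centre fire", probability=1, harm=5),
    Risk("Phishing of finance staff", probability=5, harm=3),
    Risk("Printer default password", probability=5, harm=1),
]

if __name__ == "__main__":
    ranked, needs_plan = prioritize(REGISTER)
    for r in ranked:
        print(f"{r.score:2d}  {r.name}")
    print("Mitigation plan required for:", [r.name for r in needs_plan])
```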

Auditing Security Practices (Reference)
The first step for evaluating security controls is to examine the organization's policies, security governance structure, and security objectives, because these three areas encompass the business practices of security. Security controls are selected and implemented because of security policies or security requirements mandated by law.

Auditing Security Practices (Reference)
Some criteria against which the security service can be compared are:
- Evaluation against the organization's own security policy and security baselines
- Regulatory/industry compliance—Health Insurance
- Evaluation against standards such as NIST 800 or ISO 27002
- Governance frameworks such as COBIT or COSO

Auditing Security Practices (Reference)
After you have identified the security audit criteria that the organization needs to comply with, the next phase is to perform assessments to determine how well the organization achieves its goals. A number of assessments are usually required; which ones are appropriate is determined by referring back to the scope, which defines the boundaries of the audit. The following are types of assessments that might be performed to test security controls:

Auditing Security Practices (Reference)
Risk assessments: This type of assessment examines potential threats to the organization by listing areas that could be sources of loss, such as corporate espionage, service outages, disasters, and data theft. Each is prioritized by severity, matched to the identified vulnerabilities, and used to determine whether the organization has adequate controls to minimize the impact.
Policy assessment: This assessment reviews policy to determine whether the policy meets best practices, is unambiguous, and accomplishes the business objectives of the organization.

Auditing Security Practices (Reference)
Social engineering: This involves penetration testing against people to identify whether security awareness training, physical security, and facilities are properly protected.
Security design review: The security design review is conducted to assess the deployment of technology for compliance with policy and best practices. These types of tests involve reviewing network architecture and design and monitoring and alerting capabilities.

Auditing Security Practices (Reference)
Security process review: The security process review identifies weaknesses in the execution of security procedures and activities. All security activities should have written processes that are communicated and consistently followed. The two most common methods for assessing security processes are interviews and observation.
Interviews: Talking to the actual people responsible for maintaining security, from users to systems administrators, provides a wealth of evidence about the people aspect of security. How do they feel about corporate security methods? Can they answer basic security policy questions? Do they feel that security is effective? The kind of information gathered helps identify any weakness in training and the organization's commitment to adhering to policy.

Auditing Security Practices (Reference)
Document review: Checking the effectiveness and compliance of the policy, procedure, and standards documents is one of the primary ways an auditor can gather evidence. Checking logs, incident reports, and trouble tickets can also provide data about how IT operates on a daily basis.
Technical review: This is where penetration testing and technical vulnerability testing come into play. One of the most important services an auditor offers is to evaluate the competence and effectiveness of the technologies relied upon to protect a corporation's assets.

Auditing Security Practices (Reference)
Observation: Physical security can be tested by walking around the office and observing how employees conduct themselves from a security perspective. Do they walk away without locking their workstations or have sensitive documents sitting on their desks? Do they leave the data centre door propped open, or do they not have a sign-out procedure for taking equipment out of the building? It is amazing what a stroll through the cubicles of a company can reveal about the security posture of an organization.

Testing Security Technology
There are many terms used to describe the technical review of security controls. Ethical hacking, penetration test, and security testing are often used interchangeably to describe a process that attempts to validate security configuration and vulnerabilities by exploiting them in a controlled manner to gain access to computer systems and networks. There are various ways that security testing can be conducted, and the choice of methods used ultimately comes down to the degree to which the test examines security as a system.

Testing Security Technology
There are generally two distinct levels of security testing commonly performed today:
- Vulnerability assessment
- Penetration test

Vulnerability assessment
This technical assessment is intended to identify as many potential weaknesses in a host, application, or entire network as possible, based on the scope of the engagement. Configurations, policies, and best practices are all used to identify potential weaknesses in the deployment or design of the entity being tested.

Vulnerability assessment
These types of assessments are notorious for finding an enormous number of potential problems, which require a security expert to prioritize and validate the real issues that need to be addressed. Running vulnerability scanning software can result in hundreds of pages of items being flagged as vulnerable when in reality they are not exploitable.

Penetration test
The penetration test is intended to assess the prevention, detection, and correction controls of a network by attempting to exploit vulnerabilities and gain control of systems and services. Penetration testers (also known as pentesters) scan for vulnerabilities as part of the process, just like a vulnerability assessment, but the primary difference between the two is that a pentester also attempts to exploit those vulnerabilities as a method of validating that there is an exploitable weakness.

Penetration test
Successfully taking over a system does not show all possible vectors of entry into the network, but it can identify where key controls fail. If someone is able to exploit a device without triggering any alarms, then detective controls need to be strengthened so that the organization can better monitor for anomalies.

Penetration test
Security control testing is an art form in addition to a technical security discipline. It takes a certain type of individual and mind-set to figure out new vulnerabilities and exploits. Penetration testers usually fit this mould, and they must constantly research new attack techniques and tools.

Penetration test
Auditors, on the other hand, might not test to that degree and will more than likely work with a penetration tester or team if a significant level of detailed knowledge is required for the audit.

Penetration test
When performing these types of engagements, four classes of penetration tests can be conducted; they are differentiated by how much prior knowledge the penetration tester has about the system. The four types are:
- Red Team/Blue Team assessment
- White Box
- Black Box
- Grey Box

Red Team/Blue Team assessment
The terms Red and Blue Team come from the military, where combat teams are tested to determine operational readiness. In the computer world, a Red and Blue Team assessment is like a war game, where the organization being tested is put to the test in as real a scenario as possible. Red Team assessments are intended to show all of the various methods an attacker can use to gain entry. It is the most comprehensive of all security tests. This assessment method tests policy and procedures, detection, incident handling, physical security, security awareness, and other areas that can be exploited.

Black box testing
This assumes no prior knowledge of the infrastructure to be tested. The testers must first determine the location and extent of the systems before commencing their analysis.

White box testing
This provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code, and IP addressing information.

Grey box testing
These are the variations in between white and black box, where the testers have partial information. Penetration tests can also be described as "full disclosure" (white box), "partial disclosure" (grey box), or "blind" (black box) tests, based on the amount of information provided to the testing party.

Phases of Information Security Audit
The phases of an Information Security Audit are:
- Pre-audit agreement stage
- Initiation and Planning stage
- Data collection and fieldwork (Test phase)
- Analysis
- Reporting
- Follow-through

Pre-audit agreement stage
- Agree the scope and objective of the audit.
- Agree on the level of support that will be provided.
- Agree locations, duration and other parameters of the audit.
- Agree financial and other considerations.
- Confidentiality agreements and contracting have to be completed at this stage.
- Develop a formal agreement stating the audit objectives, scope, and audit protocol (e.g., statement of work, audit memorandum, or engagement memo).

Initiation and Planning stage
- Conducting a preliminary review of the client's environment, mission, operations, policies, and practices.
- Performing risk assessments of the client environment, data and technology resources; completing research of regulations, industry standards, practices, and issues.
- Reviewing current policies, controls, operations, and practices.
- Holding an Entrance Meeting to review the engagement memo, request items from the client, schedule client resources, and answer client questions. This will also include laying out the timeline and the specific methods to be used for the various activities.

Data collection and fieldwork (Test phase)
This stage is to accumulate and verify sufficient, competent, relevant, and useful evidence to reach a conclusion related to the audit objectives and to support audit findings and recommendations. During this phase, the auditor will conduct interviews, observe procedures and practices, perform automated and manual tests, and carry out other tasks. Fieldwork activities may be performed at the client's worksite(s) or at remote locations, depending on the nature of the audit.

Analysis
Analyses are performed after documentation of all evidence and data, to arrive at the audit findings and recommendations. Any inconsistencies or open issues are addressed at this time. The auditor may remain on-site during this phase to enable prompt resolution of questions and issues. At the end of this phase, the auditor will hold an Exit Meeting with the client to discuss findings and recommendations, address client questions, discuss corrective actions, and resolve any outstanding issues. A first draft of the findings and recommendations may be presented to the client during the exit meeting.

Reporting
Generally, the Information Security Audit Program will provide a draft audit report after completing fieldwork and analysis. If the client's response requires changes to the draft, the auditor may issue a second draft. Once the client is satisfied that the terms of the audit have been complied with, the final report will be issued with the auditor's findings and recommendations.

Follow-through
Depending on expectations and agreements, the auditor will evaluate the effectiveness of the corrective action taken by the client and, if necessary, advise the client on alternatives that may be utilized to achieve the desired improvements. In larger, more complex audit situations, follow-up may be repeated several times as additional changes are initiated.

Follow-through
Additional audits may be performed to ensure adequate implementation of recommendations. The level of risk and the severity of the control weakness or vulnerability dictate the time allowed between the reporting phase and the follow-up phase. The follow-up phase may require additional documentation from the audit client.