Information Security: A Comprehensive Guide to Roles, Responsibilities, and Audits

  • Information Security

  • Confidentiality

  • Integrity

  • Availability

  • Tasks to be Completed

    • Definition and Maintenance of Security Policies/Strategies

    • Implementing and Ensuring Compliance to Policies and Procedures

    • Enforce Security Effectively

    • Well-Defined Technical Guidelines and Controls

    • Assurance (Audits and Regular Risk Assessment)

  • Security is Everyone’s Business

  • Management Support

    • Organizational Solutions
    • Financing
    • Education and Training Provided
  • Security Professionals

    • Implement Security Tasks
  • All Employees

    • Are Aware of and Obey Security Policies
    • Be Proactive in Reacting to Potential Security Incidents
  • Job Roles and Responsibilities

  • Board and Executives

    • Ultimately Responsible for the Security Strategy, Resources Availability
    • Protect Continuity of Business Operations
  • Business Process/Data/Operation Owners

    • Perform Data Classification, Analyze the Impact from Security Failure
  • Process Owner

    • Design the Process, Including Security Features
  • IT Security Manager/Director/CSO

    • Defines IT Security Guidelines
    • Responsible for Security Awareness
    • Performs Security Risks Analysis
  • Job Roles and Responsibilities (cont)
  • System Supplier

    • Install and Maintain Systems
    • Responsible for the Correct Use of Security Mechanisms
    • Relationships with Customers are Based on SLAs
  • System Designer

    • Design Security of the System
  • Project Leaders

    • Ensure that Security Guidelines are Adhered to in Projects
  • Line Managers

    • Ensure that Their Personnel are Fully Aware of Security Policies
    • Enforce Policies and Check Actual Progress
  • Job Roles and Responsibilities (cont)
  • Users

    • Must be Aware of Security Policies and Consequences of Violation
  • Auditor

    • An INDEPENDENT Person Who Checks the Status of IT Security
  • Audit

  • Audit

    • External

      • Performed by Independent Parties that Have No Rights to Alter or Update the System
      • External Auditor is Precluded from Advising the Client
      • They Report the Gaps and Direct to Appropriate Source of Information
      • Often Evaluate Against an External Standard, Such as COBIT or ISO 27001
    • Internal

      • Discover Gaps and May Discuss the Mitigating Strategy with the Owner of the System
    • Neither External nor Internal Auditors May be Involved in Implementation or Design Processes
    • Examples of Audit Types: SAS 70/SSAE 16, PCI DSS, HIPAA
  • Inspections and Reviews

    • An Audit Considers Past Results, Whereas an Inspection Evaluates the Result at a Present Point in Time
    • Audit Must be Performed by Certified Professionals, Otherwise the Action Will be Known as “Review”
  • Penetration Tests and Red Teaming

  • Penetration Tests

    • Attempt to Bypass Controls and Gain Access to a Given System
    • The Goal is to Prove that the System Can be Compromised
    • The Opposite is Not Feasible: It is Not Possible to Prove that the System Cannot be Compromised
    • Limited in Value Because it is Restricted in Scope and Resources
    • An Unsuccessful Pentest Does Not Prove the Absence of Vulnerabilities
    • Mostly Used as an Internal Auditing Event
  • Red Teaming

    • Designed to Compromise a Site at All Costs
    • Is Not Limited to a Particular Attack Vector
    • Has a Specific Goal
    • Used by Government and Businesses on Most Critical Sites
  • Ethical Attacks

  • This is a Subset of Penetration Testing
  • Designed to Externally Validate Controls on a Given System by Simulating an Attack, but Limitations Apply
    • Limitations Do Not Allow Full Qualification of Existing Risks
    • The Ethical Attacker is Constrained by Resources, Whereas a Real Attacker is Not
  • This is a Process that Determines Only a Subset of Possible Control Failures
  • Never Yields the Complete Set of Vulnerabilities
  • Helpful to Test Processes, in Particular by Measuring the Detection Time and the Response Time
  • Vulnerability Assessment

  • Assessment and Gap Analysis of a System’s or Site’s Control Strengths
  • Vulnerability Assessment is a Risk-Based Process that Involves Identification and Classification of the Primary Vulnerabilities that May Impact the System
  • Gap Analysis is the Process of Comparing the Present State with the Targeted Desired State
  • The Goal is to Determine How We Can Get There
  • Various Processes and Methodologies Exist
  • Should Start from Inventory of Assets and Capabilities
  • Is Considered a Mandatory Part of a Security Risk Management Program
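The slide describes gap analysis as starting from an inventory of assets and comparing the present control state with the target state. The following is an added example (not part of the original slides, and not any particular methodology's tooling) that carries those steps through in code: the asset inventory, the target baseline, the control names and the ordinal control levels are all constructed for illustration, and the priority formula (asset criticality times shortfall) is an assumption.

```python
"""Gap analysis over an asset inventory: present control state vs. target state.

Added example, not from the original slides. The inventory, target baseline,
control names, levels and priority formula are constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordinal control levels: "present < target" is a gap, "present >= target" is not.
LEVELS = {"none": 0, "partial": 1, "full": 2}

# Constructed target (desired) state per control.
TARGET_STATE = {
    "mfa":      "full",
    "patching": "full",
    "backup":   "full",
    "logging":  "partial",
}


@dataclass
class Asset:
    name: str
    criticality: int                                 # 1 (low) .. 5 (high), from data classification
    controls: dict = field(default_factory=dict)     # present state per control


@dataclass
class Gap:
    asset: str
    control: str
    present: str
    target: str
    priority: int                                    # criticality * (target level - present level)


def gap_analysis(inventory, target=TARGET_STATE):
    """Compare each asset's present control state with the target state.

    A control missing from an inventory entry counts as "none": an unknown
    state is treated as a gap, never as compliance. Gaps are returned with
    the highest priority first, then by asset and control name.
    """
    gaps = []
    for asset in inventory:
        for control, wanted in target.items():
            present = asset.controls.get(control, "none")
            shortfall = LEVELS[wanted] - LEVELS[present]
            if shortfall > 0:
                gaps.append(Gap(asset.name, control, present, wanted,
                                asset.criticality * shortfall))
    return sorted(gaps, key=lambda g: (-g.priority, g.asset, g.control))


def coverage(inventory, target=TARGET_STATE):
    """Fraction of (asset, control) pairs already at or above the target state."""
    total = len(inventory) * len(target)
    return 1.0 - len(gap_analysis(inventory, target)) / total if total else 1.0


# Constructed asset inventory (the "start from inventory of assets" step).
INVENTORY = [
    Asset("payroll-db", 5, {"mfa": "partial", "patching": "full",
                            "backup": "full", "logging": "full"}),
    Asset("intranet-wiki", 2, {"mfa": "none", "patching": "partial",
                               "backup": "full", "logging": "partial"}),
    Asset("build-server", 4, {"patching": "full", "backup": "none",
                              "logging": "none"}),            # no "mfa" entry at all
]

if __name__ == "__main__":
    for g in gap_analysis(INVENTORY):
        print(f"[P{g.priority}] {g.asset:<14} {g.control:<9} {g.present} -> {g.target}")
    print(f"coverage: {coverage(INVENTORY):.0%}")
```

The ordering of the output is the "how we get there" part of the slide: the largest shortfalls on the most critical assets come first, and an asset whose inventory record is silent about a control (the build server's MFA) surfaces as a gap rather than disappearing from the report.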
  • Black and White Box Testing

  • Black Box – Little or No Knowledge of the Internal System
  • White Box – the System Details are Known
  • Other Terms

  • Tools-Based Scanning is Not Equal to Vulnerability Assessment
  • An Agreed Procedure Review vs. An Audit Performed by a Certified Auditor
  • Acceptance Testing to Ensure that the System Meets the Required Level of Security
  • Data Conversion Process: Check the Accuracy and Completeness of Data After Conversion. Two Stages – Before (Planning) and After Conversion
  • Other Terms

  • Vulnerability

  • Threat-Source

  • Threat

  • Risk

  • Controls

  • Internal Control is a Process Designed to Provide Reasonable Assurance Regarding the Achievement of the Following Objectives:

    • Effectiveness and Efficiency of Operations
    • Reliability of Financial Reporting
    • Compliance with Applicable Law and Regulations
  • The Process is Ultimately Managed by the Board of Directors but is Influenced by All Employees
  • Key Concept:

    • Process
    • Reasonable Assurance, Not Absolute
    • Influenced by People
  • Controls (cont)

  • Key Controls – Controls that Impact Reliance. Not to Be Confused with Good Practice
  • Operational Controls – Focused on Day-to-Day Operations
  • General Controls – Processes that Apply Across the Undertaking, or an IT Section
  • General Control Framework Includes Policies, Processes, Procedures, Standards, Training Programs etc.
  • Reviewing General Controls Should Include Infrastructure and Environmental Controls
  • Also Logical and Physical Access to the Systems and Offices
  • Application Controls

  • Apply to Both Transactions and Data
  • Designed to Affirm the Completeness and Accuracy of Records and the Validity of Entries Created or Processed Within the System
  • Hard Controls Include Data Validation, Encryption, Security Services for Authorization, Logging, etc.
  • An Application Control is Built as an Element of a Business Process; Therefore Assessing Application Controls Requires an Understanding of the Business Process
  • Notation Languages: UML, BPEL (Business Process Execution Language), ERM (Entity-Relationship Models), Others
  • Other Terms

  • Objectivity

  • An Independent Mental Attitude that Requires You to Perform the Audit Honestly and Objectively
  • Ethics

  • The Top 10 Commandments of Computer Ethics (See the Book)
  • Planning

  • Audit Should be Planned. Project-Like Approach is Helpful
  • Examining and Evaluating Information

  • Preliminary Survey

  • Obtain Initial Background Information Before Preparing the Audit Program
  • Planning

  • Adequate Planning Should Include Consideration of:
    • Communication with All Who Need to Know About the Audit.
    • Any Personnel to be Used on the Assignment.
    • Background Information on the Customer.
    • Work to be Done and the General Approach.
    • The Format and General Content of the Report to be Issued.
  • Information

  • The Process of Examining and Evaluating Information is as Follows:
    • Information Should be Collected on All Matters Related to the Objective and Scope of Work.
    • Information Should be Sufficient, Competent, Relevant, and Useful to Provide a Sound Basis for Findings and Recommendations.
    • Sufficient Information is Factual, Adequate, and Convincing so that a Prudent, Informed Person Would Reach the Same Conclusions as the Final Report Author.
  • Information (cont)

  • The Process of Examining and Evaluating Information is as Follows:
    • Information Should be Reliable and Accurate. Ensure that All Information is Correct Through Verification. An SRS (Simple Random Sample) or a Stratified Sample of the Information Should be Verified to Ensure Accuracy.
    • The Auditor Should Ensure that All the Information Supplied is Relevant to the Particular Project and is Consistent with the Objectives.
    • When Designing Audit Procedures and Any Testing Techniques Which are to be Employed, the Procedures Should be Selected in Advance (Where Practicable), and Subsequently Expanded or Altered Where Circumstances Warrant.
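The slide says supplied information must be verified, and that a simple random sample (SRS) or a stratified sample of it should be checked for accuracy. The following is an added example (not from the original slides) showing both sampling methods and the verification step: a constructed user-access export is the population, privilege level is the stratification key so that the small but important admin stratum is always represented, and each sampled record is checked against a constructed independent source of truth that contains one deliberate discrepancy. The proportional allocation rule with a minimum of one draw per stratum is the author's choice here, not something the slide prescribes.

```python
"""Verifying audit evidence by sampling: simple random sample (SRS) and
proportional stratified sample, then checking each sampled record against an
independent source. Added example, not from the original slides; the access
export, the system of record and the field names are constructed.
"""
import random
from collections import defaultdict

# Constructed user-access export supplied by the auditee (the population).
ACCESS_EXPORT = [
    {"user": "alice", "role": "admin"},   {"user": "bob",     "role": "admin"},
    {"user": "carol", "role": "admin"},   {"user": "dave",    "role": "service"},
    {"user": "erin",  "role": "service"}, {"user": "frank",   "role": "user"},
    {"user": "grace", "role": "user"},    {"user": "heidi",   "role": "user"},
    {"user": "ivan",  "role": "user"},    {"user": "judy",    "role": "user"},
    {"user": "mallory", "role": "user"},  {"user": "oscar",   "role": "user"},
]

# Constructed independent source the auditor checks against (e.g. the
# directory itself rather than the spreadsheet the auditee exported).
SYSTEM_OF_RECORD = {a["user"]: a["role"] for a in ACCESS_EXPORT}
SYSTEM_OF_RECORD["judy"] = "admin"    # deliberate discrepancy: the export understates judy's role


def simple_random_sample(population, n, seed):
    """SRS: every record has the same chance of selection. The seed makes the
    draw reproducible so it can be documented in the working papers."""
    return random.Random(seed).sample(population, n)


def allocate(strata_sizes, n):
    """Proportional allocation with at least one draw per stratum; rounding
    remainders go to the strata with the largest fractional share."""
    if n < len(strata_sizes):
        raise ValueError("sample size must cover every stratum at least once")
    total = sum(strata_sizes.values())
    spare = n - len(strata_sizes)
    shares = {s: size * spare / total for s, size in strata_sizes.items()}
    alloc = {s: 1 + int(shares[s]) for s in strata_sizes}
    leftover = spare - sum(int(v) for v in shares.values())
    by_remainder = sorted(strata_sizes, key=lambda s: (-(shares[s] - int(shares[s])), s))
    for s in by_remainder[:leftover]:
        alloc[s] += 1
    # A tiny stratum cannot supply more records than it has (total may then fall short of n).
    return {s: min(k, strata_sizes[s]) for s, k in alloc.items()}


def stratified_sample(population, key, n, seed):
    """Group the population by key (here: privilege level) and draw from every
    stratum, so privileged accounts are always represented in the sample."""
    rng = random.Random(seed)
    strata = defaultdict(list)
    for item in population:
        strata[key(item)].append(item)
    alloc = allocate({s: len(items) for s, items in strata.items()}, n)
    sample = []
    for s in sorted(strata):                       # fixed order keeps the draw reproducible
        sample.extend(rng.sample(strata[s], alloc[s]))
    return sample, alloc


def verify(sample, source_of_truth):
    """Users whose sampled record disagrees with the independent source."""
    return [r["user"] for r in sample
            if source_of_truth.get(r["user"]) != r["role"]]


if __name__ == "__main__":
    sample, alloc = stratified_sample(ACCESS_EXPORT, lambda a: a["role"], 6, seed=42)
    print("allocation per stratum:", alloc)
    print("discrepancies in sample:", verify(sample, SYSTEM_OF_RECORD))
    print("discrepancies in whole population:", verify(ACCESS_EXPORT, SYSTEM_OF_RECORD))
```

Whether the sample catches the discrepancy depends on the draw, which is exactly the point of documenting the seed and allocation: a reviewer can reproduce the sample, and a finding from a sample is a statement about the sampled records and the estimated error rate, not proof that the rest of the export is accurate.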
  • Audit Program and Procedures

  • Program Should Specify
    • Introduction and Background
    • Purpose and Scope of the Report
    • Objectives
    • Terms
  • Procedures
    • Should be Defined Prior to the Start of the Engagement
  • Standards

  • In Accordance with FISCAM, the Federal Information System Controls Audit Manual, the Typical Reports Required as Part of the IT Audit Process Include:
    • Password Aging
    • User Privileges
    • System Privileges
    • Remote Access
    • Consolidated Change Logs
    • NTFS Permissions
    • Role Permissions & Membership
    • User Access
    • Auditing Enabled
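Two of the reports in that list, password aging and user privileges, can be produced from an account export. The following is an added example (not from the original slides, and not a FISCAM artefact) that does so over a constructed export: the CSV column layout, the 90-day maximum password age, the set of privileged group names and the report date are all assumptions, and a real directory export will use its own field names.

```python
"""Password-aging and user-privilege report of the kind an IT audit asks for.

Added example, not from the original slides. The account export, the CSV
layout, the policy threshold, the privileged group names and the report
date are constructed for illustration.
"""
import csv
import io
from datetime import date

# Constructed account export (assumed columns; an empty pwd_last_set means never set).
EXPORT = """\
user,enabled,pwd_last_set,groups
alice,true,2024-01-15,Domain Users;Domain Admins
bob,true,2023-09-01,Domain Users
carol,false,2023-01-20,Domain Users;Administrators
dave,true,2024-03-30,Domain Users;Backup Operators
eve,true,,Domain Users
"""

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Backup Operators"}   # assumed
MAX_PASSWORD_AGE_DAYS = 90                                                    # assumed policy value
AS_OF = date(2024, 4, 30)                                                     # constructed report date


def parse_export(text):
    """Parse the export into plain records with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "user": row["user"].strip(),
            "enabled": row["enabled"].strip().lower() == "true",
            "pwd_last_set": date.fromisoformat(row["pwd_last_set"]) if row["pwd_last_set"] else None,
            "groups": {g.strip() for g in row["groups"].split(";") if g.strip()},
        })
    return accounts


def password_aging(accounts, as_of, max_age=MAX_PASSWORD_AGE_DAYS):
    """Enabled accounts whose password is older than max_age days, or was never set.

    Returns (user, age_in_days) pairs; age is None for a never-set password.
    Disabled accounts are skipped here because they cannot authenticate.
    """
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if a["pwd_last_set"] is None:
            findings.append((a["user"], None))
            continue
        age = (as_of - a["pwd_last_set"]).days
        if age > max_age:
            findings.append((a["user"], age))
    return findings


def privileged_users(accounts, privileged=PRIVILEGED_GROUPS):
    """Members of each privileged group, enabled or not: a disabled privileged
    account still belongs on the report, since it can be re-enabled."""
    members = {g: [] for g in privileged}
    for a in accounts:
        for g in a["groups"] & privileged:
            members[g].append(a["user"])
    return {g: sorted(m) for g, m in sorted(members.items()) if m}


if __name__ == "__main__":
    accounts = parse_export(EXPORT)
    print(f"Password aging (> {MAX_PASSWORD_AGE_DAYS} days as of {AS_OF}):")
    for user, age in password_aging(accounts, AS_OF):
        print(f"  {user:<8} {'never set' if age is None else f'{age} days'}")
    print("Privileged group membership:")
    for group, users in privileged_users(accounts).items():
        print(f"  {group:<18} {', '.join(users)}")
```

Running the two reports together is deliberate: an account that appears in both (a privileged user with a stale or never-set password) is the first thing the auditor will ask about, and the export's age comparison is pinned to a fixed report date so the working papers can be reproduced later.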