Transcript of "Security audit"

1. Information Systems 365/765, Lecture 13: Class Project – Security Audit
2. !!EXAMS!!
• About 2/3 done correcting
• Mostly pretty good
• Those that were not good, please don’t worry. We can do some extra credit
• You are all good students!
3. Good News and Bad News
• The good news is that your exams look great! Well done! I am so proud of all of you!
• The bad news is that this course will not be offered next semester
• The scary news is that I might be entering the PhD program
4. Look at all the topics we have covered!
• The Confidentiality, Availability and Integrity Triad
• The five pillars of information security
• cyberwar
• cyber espionage
• technical controls
• administrative controls
• spoofing data and source integrity
• check digits and checksums
• data classification
• data loss prevention
• content scanning
• enterprise management tools
• authentication
• passwords
• dual factor authentication
• multi factor authentication
• knowledge based authentication
• biometrics
• shared secrets
• digital certificates for authentication purposes
• initial credentialing
• single sign on
• wireless authentication
• hybrid authentication solutions
• symmetric encryption
• asymmetric encryption
• steganography
• digital certificates for encryption
• non-repudiation
• information privacy
• privacy enhancing technologies
• social engineering definition
• social engineering methods
• social engineering real life example
• social engineering defenses
• pretexting
• phishing
• road apples
• quid pro quo
• digital forensics
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• Sarbanes-Oxley Act
• USA PATRIOT Act
• Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”)
• Electronic Communications Privacy Act (“ECPA”)
• FERPA
• software vulnerabilities
• software bugs
• unchecked user input
• full disclosure
• limited disclosure
• responsible disclosure
• security through obscurity
• Buffer overflows
• Dangling pointers
• Input validation errors, such as:
  • Format string bugs
  • Improperly handling shell metacharacters so they are interpreted
  • SQL injection
  • Code injection
  • E-mail injection
  • Directory traversal
  • Cross-site scripting in web applications
• Race conditions, such as:
  • Time-of-check-to-time-of-use bugs
  • Symlink races
• Privilege-confusion bugs, such as:
  • Cross-site request forgery in web applications
  • Privilege escalation
• User interface failures, such as:
  • Warning fatigue or user conditioning
  • Blaming the victim: prompting a user to make a security decision without giving the user enough information to answer it
  • Race conditions
• physical security
• the 4 layers of physical security
• elements of network security
• change control / change management
• risks of outsourcing information systems in relation to security concerns
5. So Now What?
• Exams? No more!
• Quizzes? Yeah, I owe you a few of those
• How about a class project?
• You know, something that requires some team effort!
• Something that leverages all that knowledge you have gained
6. Security Audit
• Security audit of ANY company which is publicly traded on the NYSE or NASDAQ
• Requirement: the company must have international operations
7. What to do
• Meet your team mate!
• Pick your company
• Read their annual report; ignore the financial information if you want to. I’m more interested in the qualitative stuff
• Work through the template, item by item
8. What to do
• Write a 5-page Executive Summary outlining your findings and suggestions in the following areas:
  • Security Policy
  • Organizational Security
  • Asset Classification and Control
  • Personnel Security
  • Physical and Environmental Security
  • Communications and Operations Management
  • Access Control
  • System Development and Maintenance
  • Business Continuity Management
  • Compliance
9. What About Standards?
• The nice thing about standards is that there are so many to choose from!
10. Why This Security Audit?
• The ISO/IEC 27000 series is a family of information security management standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The audit template for this project follows the control areas of ISO/IEC 27002, the code of practice in that series.
11. Standards
• ISO/IEC 27002 has directly equivalent national standards in several countries.
12. This Security Audit is Compliant
Countries with a national standard directly equivalent to ISO/IEC 27002 (national standard prefix shown where the slide gave one):
• Australia
• New Zealand
• Brazil
• Denmark
• Estonia
• Japan
• Lithuania
• Netherlands
• Peru
• Spain (UNE)
• Sweden (SS)
• United Kingdom
• Uruguay
13. Components of a Security Audit
• Risk assessment
• Security policy - management direction
• Organization of information security - governance of information security
• Asset management - inventory and classification of information assets
• Human resources security - security aspects for employees joining, moving and leaving an organization
• Physical and environmental security - protection of the computer facilities
• Communications and operations management - management of technical security controls in systems and networks
14. Components of a Security Audit
• Access control - restriction of access rights to networks, systems, applications, functions and data
• Information systems acquisition, development and maintenance - building security into applications
• Information security incident management - anticipating and responding appropriately to information security breaches
• Business continuity management - protecting, maintaining and recovering business-critical processes and systems
• Compliance - ensuring conformance with information security policies, standards, laws and regulations
• Note: slides 13 and 14 list the control clauses of ISO/IEC 27002:2005. The ten areas named for the Executive Summary on slide 8 follow the earlier ten-section arrangement of ISO/IEC 17799:2000, which has no separate Risk assessment or Information security incident management sections; cover those two under the closest slide 8 area (for example, incident handling under Communications and Operations Management) so the summary maps onto the full template.
15. A Word of Advice