Security Concepts
• Auditing, Assessment and Risk Analysis
• Policies and Procedures
• Security Architecture
• Implementation and Deployment
Slide 4
Security Technologies
• Secure transport
• Card readers
• Security room CCTV
• Secured doors and vaults
• Surveillance and alarms
• Patrolling security guard

• Extended perimeter security: firewalls and router ACLs
• Intrusion protection: network- and host-based intrusion detection, scanner
• Security management and policy: centralized security and policy management
• Identity services: identity, AAA, access control servers and certificate authorities
• Secure connectivity: encryption and virtual private networks (VPNs)
Slide 5
Layered Security
• Firewall
• Network IPS
• ADC 
• WAF
• DDoS Mitigation
• Network DLP
• Web & Mail GW
• SIEM
• VM
• NBA
• ITGRC
• FIM
• Pen Testing
• Vulnerability Assessment
• Security Awareness 
• Security Compliance
• Forensic Analysis 
• Secure Software
• Host Protection
• Host DLP
• White Listing
• DB Protection
• Virtualization Protection
• Data Encryption
• Access Control
• Video Surveillance
• Video Analytics 
• Motion Detection
• Fire Alarm
• AAA
• IAM
• 2FA
• Adaptive Authentication
• NAC
• SSL VPN
Slide 6
Standards and Regulations
#  | Code               | Standard name                                          | Organization name
1  | PCI DSS            | Payment Card Industry Data Security Standard           | Payment Card Industry Security Standards Council (PCI SSC)
2  | PA-DSS             | Payment Application Data Security Standard             | Payment Card Industry Security Standards Council (PCI SSC)
3  | ISO/IEC 27001:2005 | Information Security Management Standard               | International Organization for Standardization (ISO)
4  | HIPAA/HITECH       | The Health Insurance Portability and Availability Act  | United States Congress
5  | SAS 70             | Statement of Acceptance Standard                       | American Institute of Certified Public Accountants (AICPA)
6  | SOX 404            | Sarbanes-Oxley Act                                     | United States Congress (United States federal law)
7  | GLBA               | Gramm-Leach-Bliley Act                                 | United States Congress (United States federal law)
8  | FISMA              | Federal Information Security Management Act            | United States Congress (United States federal law)
9  | SSAE 16            | Statement on Standards for Attestation Engagements     | American Institute of Certified Public Accountants (AICPA)
10 | OSSTMM             | Open-Source Security Testing Methodology Manual        | The Institute for Security and Open Methodologies (ISECOM)
11 | OWASP              | Open Web Application Security Project                  | OWASP Foundation
12 | GIAC               | Global Information Assurance Certification             | GIAC company
Slide 7
Standards and Regulations
Code | Genre | Description | Organization name
ITU-T (ITU Telecommunication Standardization Sector) | E.408 | Provides an overview of security requirements, threat identification frameworks and guidelines for risk mitigation | International Telecommunication Union
ITU-T | E.409 | Incident organization and securing incident handling | International Telecommunication Union
ITU-T | X.805 | Security architecture for systems providing end-to-end communications | International Telecommunication Union
ITU-T | X.1051 | ISMS guidelines for telecommunications, also referred to as ISO 27011:2008 | International Telecommunication Union
3GPP (3rd Generation Partnership Project) | 33-series | Specifications for security standards for GSM (including GPRS and EDGE), WCDMA and LTE (including LTE-Advanced) mobile systems | Groups of telecommunications associations (the Organizational Partners)
3GPP2 | S.S0086 and others | |
ISO/IEC (Information Security Management Standard (ISO) / International Electrotechnical Commission (IEC)) | 27001:2005 | Specifies requirements for an information security management system | International Organization for Standardization (ISO)
ISO/IEC | 27001:2005 | Specifies a code of practice for information security management based on ISO 27001 | International Organization for Standardization (ISO)
ISO/IEC | 27011:2008 | ISO 27002 tailored specifically for application in telecommunications organizations, developed as a joint effort with ITU-T | International Organization for Standardization (ISO)
ISO/IEC | 15408 (the Common Criteria) | A common set of security requirements for the evaluation of computer security products and systems, including telecommunication network components | International Organization for Standardization (ISO)
Slide 8
ICS/SCADA Security Standards
#  | Code                     | Standard name                                                                                   | Organization name
1  | FIPS 140-2               | Federal Information Processing Standards                                                        | National Institute of Standards and Technology
2  | API 1164                 | American Petroleum Institute pipeline SCADA security                                            | American Petroleum Institute
3  | API security guidelines  | Guidelines for the petroleum industry                                                           | American Petroleum Institute
4  | CAG                      | Consensus Audit Guidelines                                                                      | American internet security training company
5  | ChemITC                  | Guidance for cyber security in chemistry                                                        | American Chemistry Council
7  | ISO 27001                | Information security - security techniques - information security management systems - requirements | International Organization for Standardization
8  | IEC 62351                | Data and communication security                                                                 | International Electrotechnical Commission
9  | IEEE 1402                | IEEE guide for electric power substation physical and electronic security                       | Institute of Electrical and Electronic Engineering
10 | ISA99-2 / IEC 624435-2-1 | Manufacturing and control system security: establishing a manufacturing and control system security program | International Society for Automation (ISA)
11 | NERC CIP                 | Critical Infrastructure Protection cyber security                                               | North American Electric Reliability Committee
12 | NIST SP 800-53 R3        | Recommended security controls for federal information systems and organizations                 | National Institute of Standards and Technology
13 | RG 5.71                  | Regulatory 5.71, "Cyber security programs for nuclear facilities"                               | U.S. Regulatory
14 | CFATS                    | Chemical Facility Anti-Terrorism Standards                                                      |
Slide 9
Auditing, Risk Analysis, and Security Policies Procedures