How to Troubleshoot Apps for the Modern Connected Worker
Security audits & compliance
1. Security Audits & Compliance
-Based on ISO 27001:2013 standard
By Aarti Bala
1
2. Agenda
Terms and Definitions
Three pillars of Information Security
Introduction to Security Audits & Compliance
Types of Audits
Conducting a security Audit
Introduction to ISO 27001:2013 standard
ISO 27001 Framework
Conclusion
References
2
3. Terms and Definitions
ISO : International Organisation for Standardization
ISMS : Information Security Management System
Security Policies : A written document in an organization outlining how to protect the organization
from threats, including computer security threats, and how to handle situations when they do occur.
NC : Nonconformity/non-compliance
Observation : Opportunity for improvement
Recommendation : An auditor can provide recommendations to the management for every
observation in such a way that it not only corrects the problem, but also addresses the root cause.
Audit Report : A security audit report is the deliverable of the auditor. It is the result of the audit
work.
3
5. Introduction
Security Audit:
An information security audit occurs when the security auditor conducts an
organizational review to ensure that the correct and most up-to-date processes
and infrastructure are being applied.
Security audits measure an information system's performance against a list of
criteria.
Compliance :
Security compliance is a legal concern for organizations in many industries today.
Regulatory standards like PCI DSS, HIPAA, and ISO 27001 prescribe
recommendations for protecting data and improving info security management in
the enterprise.
5
6. Types of Audits
Internal Audits:
Baseline for external/formal audits
Performed by a team of internal auditors/team members/etc who knows organisation policies well
Cost effective and consistent
Conducted more frequently
Cause less disruption to the work flow of employees
External Audits:
Performed by seasoned professionals of an external auditor firm
Holds incredible value for the organisation
Way to achieve enterprise wide security certifications
More expensive
Free from internal bias
6
7. Conducting a Security Audit
Initiating an Audit
Preparing audit activities
Conducting Audit activities
Preparing and distributing the audit
report
Completing the audit
7
Completing audit follow up
8. Introduction to ISO 27001:2013 standard
Why ISO?
ISO 27001 is an internationally recognized certification standard for information
security management systems.
It is used as a benchmark for the protection of sensitive information and one of the
most widely recognized, customer-valued certification.
The international standard establishes guidelines for designing and executing risk-
appropriate security controls and adopting management procedures to continually
review the effectiveness of existing security processes.
8
10. Information Security Policies
Objective : Provide management guidance and information security support in
accordance with commercial requirements and relevant laws and regulations.
Organisation of Information Security
Objective : Establish a management structure to initiate and control
implementation and information security operation within the organization.
Human Resources (HR) Management:
Objective : Ensure that employees and contractors understand their
responsibilities and are appropriate for the roles for which they are assigned.
Asset Management
Objective: Identify organizational assets and set appropriate protection
responsibilities
10
11. Access Control
Objective : Limit access to information and information processing locations /
manipulation.
Cryptography
Objective : To protect the confidentiality, authenticity and integrity of
information by cryptographic means.
Physical and Environmental Security
Objective : Prevent unauthorized physical access, damage and interference in
the organization information processing.
Operations management
Objective : Ensure correct and safe operations of information processing
locations.
11
12. Communications management
Objective : Ensure the protection of information in networks and their
information processing locations. Maintaining the security of information
transferred within an organization and with any external entity.
System Acquisition Development and Maintenance
Objective : Ensure that information security is an integral part of information
systems throughout their life cycle. This also includes the requirements for
information systems that provide services on public networks.
Supplier Relationships
Objective : Ensure the protection of the organization's assets that is accessible
by suppliers.
12
13. Information Security Incident Management
Objective : Ensure a consistent and effective approach to managing information
security incidents, including communication about events and security
weaknesses.
Information Security Aspects of Business Continuity Management
Objective : To counteract interruptions to business activities and to protect
critical business processes from the effects of major failures of information
systems or disasters and to ensure their timely resumption.
Compliance
Objective : To avoid breaches of any law, statutory, regulatory or contractual
obligations, and of any security requirements.
13
14. Conclusion
Security audits are about fact-finding and not fault-finding
Corelating the audit artifacts is one of the important skills of an auditor
Audits are pivotal in identifying the scopes for improvement
Internal audits ensures compliance to the organization’s/client’s security
requirements, paving a smooth foundation for external security audits
Security policies, for any organization, provides a baseline to identify the
audit scope
An auditor has to be un-biased while conducting an audit in order for the
audit to be effective
An auditor should take complete responsibility for the audit i.e., from
initiating the audit till the closure of nonconformities
14
