Role of Compliance in Security Audits
Agenda:
• Information Security Compliance
• Memory Techniques for quick revision / recall
Information Security Compliance
• The Road Ahead: Need for Compliance
• The Five R's for IS Compliance
• ISO 27001: An Introduction
• Steps for ISMS Implementation
• Common Myths on ISO 27001
Information Security and Compliance Relationship
The Five R's of IS Compliance
Reputation
• Protecting the business from the impact of a security breach
Regulation
• Complying with multiple regulations
• Developing a common security and audit framework
Revenue
• Protecting corporate intellectual property / trade secrets
Resilience
• Ensuring continuity of critical business processes during a disaster
Recession Proofing
• Reduces spend to counter economic pressures, e.g. GRC tools
ISO 27001: Overview
• ISO 27001 defines best practices for information security management
• A management system should balance physical, technical, procedural, and personnel security
• Without a formal Information Security Management System, there is a greater risk of your security being breached
• Information security is a management process, NOT a technological process
ISO 27001: Family of Standards
• ISO 27000 – Principles and vocabulary
• ISO 27001 – ISMS requirements
• ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
• ISO 27003 – ISMS implementation guidelines
• ISO 27004 – ISMS metrics and measurement
• ISO 27005 – ISMS risk management
• ISO 27006 – 27010 – allocated for future use
Steps for ISMS Implementation
1. Obtain management support
2. Treat as a project
3. Define the scope
4. Write an ISMS Policy
5. Define the risk assessment methodology
6. Perform the risk assessment & risk treatment
7. Write the Statement of Applicability
8. Write the Risk Treatment Plan
9. Define how to measure the effectiveness of controls
10. Implement the controls & mandatory procedures
11. Implement training and awareness programs
12. Operate the ISMS
13. Monitor the ISMS
14. Internal audit
15. Management review
16. Corrective and preventive actions
Common Myths about ISO 27001
• "The standard requires..."
• "We'll let the IT department handle it"
• "We'll implement it in a few months"
• "This standard is all about documentation"
• "The only benefit of the standard is for marketing purposes"
Memory Techniques for Quick Revision
The fun part of learning
Mnemonics
Abbreviated character strings used as an easy memory aid.
How to operate? Take the first letter of each word or point and arrange the letters in a "useful" order.
Best Practices:
• For a long mnemonic string, group it into chunks of 2 or 3 for quick recall.
• If the mnemonic comes to resemble a DISTINCT entity or person, assign that entity to the mnemonic for lasting impact.
Mnemonics
Examples:
Process Workflow (Plan – Do – Check – Act)
Mnemonic: PDCA
Memory Aid: Imagine a "Pen Drive" of a CA (CA = Certifying Authority)
Mnemonics (contd.)
Examples:
COBIT Domains:
a) Plan and Organize
b) Acquire and Implement
c) Deliver and Support
d) Monitor and Evaluate
Mnemonic: PADM
Memory Aid: Imagine the PADM Shri Award
Sentence Aid
A memory recall technique for easily recalling long mnemonic strings "in order".
Advantage: used especially when the mnemonic string is quite long (>= 5 points). Helpful for easy recall.
Example: the mnemonic for the OWASP Top 10 is: ICBI CS IF I U
Sentence Aid
Prerequisites: a Sentence Aid MUST be an expression that makes a visual impact on your memory.
Always design a Sentence Aid which is:
a) Mnemonic workflow oriented (to maintain serial order)
b) Bound to a strong event in your memory
c) A natural progression
d) Using capital letters to indicate the actual points of the mnemonic
EXAMPLE: Sentence Aid
OWASP Top 10 Mnemonic: ICBI CS IF I U
1. Injection (I)
2. Cross Site Scripting (XSS) (C)
3. Broken Authentication and Session Mgmt (B)
4. Insecure Direct Object References (I)
5. Cross Site Request Forgery (CSRF) (C: Counter)
6. Security Misconfiguration (S: Strike)
7. Insecure Cryptographic Storage (I: If)
8. Failure to Restrict URL Access (F: Fails)
9. Insufficient Transport Layer Protection (I: Informs)
10. Unvalidated Redirects and Forwards (U: U)
Sentence Aid: ICBI Counter Strike If Fails, Informs U.
Sentence Aid
Example: OSI Layer Model
Layer 1: Physical layer
Layer 2: Data link layer
Layer 3: Network layer
Layer 4: Transport layer
Layer 5: Session layer
Layer 6: Presentation layer
Layer 7: Application layer
Sentence Aid: Please Do Not Take Sales Person's Advice
Workflow Diagrams
These figures/diagrams give the directive flow of the process. Their advantage is that they can summarize vast information in an appealing view, so we can readily grasp the "gist" of the process workflow.
Workflow types are:
• Flowcharts
• Hierarchy Diagrams (pyramids, topology figures)
• Data Flow Diagrams (DFDs)
• Cyclic Processes
Workflow Type: Flowcharts
Risk Assessment Process
Color Coding Differentiation
This technique takes advantage of the fact that we remember figures better when they are filled with different background colors. Using the same color for related fields helps us to distinguish entities of the same genre.
Color Coding Differentiation
EXAMPLE:
Mnemonic: SOA ACP HSC IB
Sentence Aid: Develop a SOA for ACP to help him pass HSC exam for IB entrance.
Quotes:
"Imagination is more important than knowledge. For knowledge is limited, whereas imagination embraces the entire world, stimulating progress, giving birth to evolution. It is, strictly speaking, a real factor in scientific research."
-- Albert Einstein
"But in reality, without knowledge, imagination can not be developed."
-- Wikipedia (on Imagination), after the Einstein quote.
Precautions
• Study the subject matter thoroughly before venturing into memorizing techniques.
• Know WHAT YOUR ABBREVIATION stands for rather than keeping in mind only the mnemonic.
• Memory techniques are only an AID. They are NOT a SUBSTITUTE for comprehensive study.
• They are best utilized AFTER comprehensive study, for REVISION.