Rob kloots auditingforscyandbcm

  1. Auditing Security and Business Continuity Management. Rob Kloots, CISA CISM CRISC, Owner, TrustingtheCloud. Berlin, June 2012.
  2. Content
     • 2012 Risk Landscape
     • Some definitions, models & standards
     • Audit & Control
       – Information security governance
       – Administration of user access, passwords
       – Access security controls
       – Remote access and third parties
       – User awareness
       – How to deal with an IT system crash? What to do and how to continue?
     Auditing Security and Business Continuance 2
  3. 2012 Risk Landscape. PwC Global Internal Audit survey 2012: The risks ahead
     • Intensifying economic and financial market uncertainty
     • Increased regulation and changes in government policy
     • Data security threats and reputation
     • Mergers and acquisitions risks
  4. More attention required (chart)
  5. Importance of IA's contribution to monitoring each risk (chart)
  6. More IA audit capacity planned (chart)
  7. Definition of Internal Auditing. The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
  8. Definition of Business Continuity Management. BCM is defined by the British Standards Institute (BSI) as: "an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities." Business Continuity is defined by the International Standards Organization as the "capability of the organization to continue delivery of services or products at acceptable predefined levels following disruptive incidents" (source: ISO 22300 Vocabulary).
  9. Principles of ICT Continuity
     • Protect: protecting the ICT environment from ...
     • Detect: detecting incidents at the earliest opportunity ...
     • React: reacting to an incident in the most appropriate manner ...
     • Recover: identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data.
     • Operate: operating in disaster recovery mode until return to normal is possible may require some time and necessitate "scaling up" disaster recovery operations to support increasing business volumes that need to be serviced over time.
     • Return: devising a return strategy for every IT continuity plan allows an organization to migrate back from disaster recovery mode to a position in which it can support normal business.
  10. Business Continuity within Management (diagram)
  11. BCP details (diagram). Business Continuity Planning phases: 1. Project Foundation; 2. Business Assessment; 3. Strategy Selection; 4. Plan Development; 5. Testing and Maintenance.
     • Project Foundation covers: Business Continuity Planning Evaluation, Teams, Plan Management, Business Impact Analysis, Recovery Strategies, Plan Development, Maintenance Processes, Plan Testing.
     • Business Assessment covers: Risk Assessment; Information Protection (Protection, Detection, Response); Business Impact Analysis (BIA).
     • Plan Development steps: #1 Develop Response and Recovery Teams; #2 Develop Draft Action Plan; #3 Prioritize Action Plan Execution; #4 Document General Plan Sections; #5 Document the Technical Recovery Plan.
  12. Basic terms used in a standard
     • Business Continuity Management System (BCMS): part of an overall management system that ensures business continuity is planned, implemented, maintained, and continually improved.
     • Maximum Acceptable Outage (MAO): the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption, MTPD).
     • Recovery Time Objective (RTO): the pre-determined time at which an activity must be resumed, or resources must be recovered.
     • Recovery Point Objective (RPO): maximum data loss, i.e., the minimum amount of data that needs to be restored.
     • Minimum Business Continuity Objective (MBCO): the minimum level of services or products an organization needs to produce after resuming its business operations.
  13. Trust Services Principles and Criteria
     • Security: the system is protected against unauthorized access (both physical and logical).
     • Availability: the system is available for operation and use as committed or agreed.
     • Processing Integrity: system processing is complete, accurate, timely, and authorized.
     • Online Privacy: personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
     • Confidentiality: information designated as confidential is protected as committed or agreed.
  14. Best Practices for IT Availability and Service Continuity Management
     1) Classify systems for criticality.
     2) Develop tiers of service for both availability and IT service continuity.
     3) Measure availability from the end-user perspective.
     4) Include availability and continuity considerations in application development and testing.
  15. Incident timeline (diagram)
  16. BS25777 – IT Continuity (diagram)
  17. Information Risk Component. The confidentiality, integrity and availability of information systems must be ensured to protect the business from the risks relating to information technology. An IS audit helps to identify areas where these are vulnerable or inadequately protected through systematic examination and evaluation. Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur.
     Approach to Auditing Business Continuity. The audit of business continuity can be broken into three major components:
     – Validating the business continuity plan
     – Scrutinizing and verifying preventive and facilitating measures for ensuring continuity
     – Examining evidence about the performance of activities that can assure continuity and recovery
  18. BIA focus
     • Recovery Time Objective: "Target time set for resumption of product, service or activity delivery after an incident" (BS 25999-1)
     • Maximum Tolerable Period of Disruption: "Duration after which an organisation's viability will be irrevocably threatened if product and service delivery cannot be resumed" (BS 25999-1)
  19. Risks related to technology (diagram)
  20. Information Assurance Structure (diagram)
  21. Crash and Restart (diagram). Audit topics around the crash-and-restart scenario: ISO 27001 Security; Infosec governance; User awareness; Remote access and 3rd parties; Access security controls; User access/passwords.
  22. Risk and Controls
     • A Business Continuity risk profile is prepared for each business function.
     • Controls are set to address risk, in consultation with the support / business function.
     • Weights are assigned to each control according to the type of the control (e.g. a preventative control has the highest weight).
     • Types of control: Preventative; Corrective; Other entity.
  23. Example of Risk and Control. Risk: electricity failure. Controls: Uninterruptible power supply (UPS); Generators; Preventive maintenance reports.
  24. Fail a Security Audit Already -- It's Good for You. Network World: "Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing audit every now and then. After all, if you're not failing any audits there are two possible explanations: 1) You have perfect security. 2) You're not trying hard enough."
  25. Your turn. Questions? Rob Kloots, CISA CISM CRISC, Owner, TrustingtheCloud. E rob.kloots@trustingthecloud.eu, M +32.499-374713
  26. ISO27001 – 14. BCM
  27. ISO27001 – 11. AC
  28. ISO27001 – 11. ework
  29. ISO27001 – 6. EP
  30. ISO27001 – 8. HR
  31. ISO27001 – 8. HR
  32. ISO27001 – 9. PhySec
  33. ISO27001 – 10. 3rd pty
  34. ISO27001 – 10. Mon
  35. ISO27001 – 13. IncMgt
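A worked audit check over a BIA register, added here as an example and not taken from the deck: it applies the RTO/MAO(MTPD)/RPO/MBCO definitions of slides 12 and 18, the criticality tiering of slide 14, and the evidence component of slide 17 (was the RTO ever demonstrated in an exercise?). The field names, tier thresholds and sample rows are assumptions constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

@dataclass(frozen=True)
class BiaEntry:
    activity: str
    mao: timedelta                 # Maximum Acceptable Outage (a.k.a. MTPD)
    rto: timedelta                 # Recovery Time Objective
    rpo: timedelta                 # Recovery Point Objective (maximum data loss)
    mbco_pct: int                  # Minimum Business Continuity Objective, % of normal output
    last_test: Optional[timedelta] # recovery time achieved in the last exercise; None = never tested

# Assumed tier thresholds (not from the deck): tier 1 is the most critical.
TIER_LIMITS = [(1, timedelta(hours=4)), (2, timedelta(hours=24)), (3, timedelta(days=7))]

def tier_for(mao: timedelta) -> int:
    """Classify an activity by how long the business can tolerate losing it."""
    for tier, limit in TIER_LIMITS:
        if mao <= limit:
            return tier
    return 4

def audit_entry(e: BiaEntry) -> list[tuple[str, str]]:
    """Return (severity, finding) pairs for one BIA row; an empty list means no finding."""
    findings = []
    if e.rto > e.mao:   # plan cannot meet the tolerable disruption
        findings.append(("HIGH", f"{e.activity}: RTO {e.rto} exceeds MAO {e.mao}"))
    if not 0 < e.mbco_pct <= 100:
        findings.append(("MEDIUM", f"{e.activity}: MBCO {e.mbco_pct}% is not a usable service level"))
    if e.last_test is None:   # no evidence that the recovery capability exists
        findings.append(("MEDIUM", f"{e.activity}: recovery capability never exercised, RTO unevidenced"))
    elif e.last_test > e.rto:
        findings.append(("HIGH", f"{e.activity}: last exercise took {e.last_test}, RTO {e.rto} not demonstrated"))
    return findings

def audit_register(register: list[BiaEntry]) -> dict[str, list[str]]:
    """Audit every row, most critical tier first, and group findings by severity."""
    report: dict[str, list[str]] = {"HIGH": [], "MEDIUM": []}
    for e in sorted(register, key=lambda r: (tier_for(r.mao), r.mao)):
        for sev, msg in audit_entry(e):
            report[sev].append(f"tier {tier_for(e.mao)} {msg}")
    return report

# Constructed sample register (illustrative values only).
SAMPLE = [
    BiaEntry("Payments", timedelta(hours=4), timedelta(hours=2), timedelta(minutes=15), 80, timedelta(hours=3)),
    BiaEntry("Payroll", timedelta(days=3), timedelta(days=5), timedelta(hours=24), 100, None),
    BiaEntry("Intranet", timedelta(days=14), timedelta(days=2), timedelta(hours=24), 50, timedelta(days=1)),
]
```

Running `audit_register(SAMPLE)` flags Payments (exercise slower than its RTO) and Payroll (RTO beyond MAO, never tested) while Intranet passes; the same checks can be run over an exported BIA spreadsheet once its columns are mapped onto `BiaEntry`.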