Auditing Organizational Information Assurance (IA) Governance Practices
Mansoor Faridi
Fort Hays State University
July 23, 2014
Table of Contents
Introduction
Proposed Concept
Research Approaches
Review of Feasibility
Conclusion
References
Introduction
This concept paper evaluates the feasibility of conducting a formal scientific study to audit an organization's information assurance governance practices. In today's computing environment, it is paramount to have sophisticated controls in place to safeguard organizational information while ensuring its Confidentiality, Integrity, Availability and Non-Repudiation [emphasis added]. Research indicates that in the absence of a robust security program, organizations expose themselves (“Open Security,” 2014) to data breaches resulting in falling shareholder confidence, litigation and possible financial collapse.

Auditing an organization's information assurance governance practices will identify opportunities for improvement and provide an independent and objective assessment of the effectiveness of those practices. It will also enable the organization to comply with regulatory requirements, increase stakeholder confidence and strengthen its security posture in the face of numerous threats (“Ponemon,” 2013).

As part of governance, it will be management's responsibility to engage either Internal or External Auditors to develop and execute an audit program evaluating internal controls relating to the organization's information assurance governance practices. Leveraging leading industry frameworks (Arora, 2013; “SOX-Online,” 2012) such as COBIT, COSO, NIST, ITIL and ISO 27002, the audit program will assess organizational information assurance governance practices; its scope will include data governance, incident response, user-training and attestation, and periodic reviews. Finally, a conclusion will be drawn to determine the feasibility of auditing an organization's information assurance governance practices.
Proposed Concept
With the passage of time, more and more data is being digitized, increasing organizational risk exposure. Globally, forty percent of the largest data breaches recorded occurred in 2013 (“Online Trust,” 2014, p. 4). Hence, it becomes critical to maintain proactive vigilance over an organization's internal controls over information assurance via a formal audit program. The audit program will be developed after performing a comprehensive risk assessment (“United Kingdom,” 2004, p. 3) to identify risks (See Appendices A & B) within the four aforementioned areas. Subsequently, as per the organization's risk management strategy, these risks will be accepted, mitigated, transferred or avoided (“United Kingdom,” 2004, p. 24). Upon successful risk assessment, the audit program will be implemented to assess the effectiveness of internal controls. The following is a list of areas and the scope of audit coverage over internal controls:
- Data governance
  - Is there a standard procedure for user-access provisioning?
  - Is user access periodically validated?
  - Are data custody and ownership defined?
  - Is data access logged and monitored?
  - Is data classified, indicating sensitivity and storage location?
  - Is a data retention policy defined?
- Incident response
  - Are there protocols in place in case of a data breach?
  - Is there a communication/notification plan?
  - Is there effective coordination between key stakeholders and support personnel?
  - Are there disaster recovery and business continuity plans in place?
- User-training & attestation
  - Are users educated on their roles and expectations via Information Security policy, seminars, online training, informational videos and brochures, etc.?
  - Are users required to attest to their participation in mandatory online training?
- Periodic reviews
  - Was vulnerability testing performed?
  - Was penetration testing performed?
  - Was system hardening performed?
  - Was the evidence of this testing reviewed, approved and archived for audit purposes?
The design of internal controls in the above areas will be examined and tested for operational effectiveness over a period of time. Once the audit is concluded, management will be provided with a formal audit report detailing ineffective controls, the risk(s) posed and their impact, along with audit recommendations to bridge the identified gaps. Management will then review, approve and accept the audit report with a formal sign-off. The review approaches for these areas are discussed in detail in the next section.
Review Approaches
This section describes the audit program's review approaches that will test internal controls relating to data governance, incident response, user-training and periodic reviews. The program will determine the design and operational effectiveness of internal controls as follows:

- Data governance

By examining relevant documentation, it will be determined whether there is a standard procedure to provision user access that requires the data owner to approve the requested access and the data custodian to provision the approved access. Alignment of data ownership and data custody will also be verified by reviewing documents detailing roles and responsibilities. Note that data ownership and data custody are assigned to different roles for segregation of duties purposes (“Separation of,” 2014). It will also be determined whether this access was granted on the principle of least privilege (Langford, 2003), and whether user access is monitored and logged each time data is accessed and/or modified. It will also be examined whether data is classified appropriately, indicating data sensitivity, storage location and log details (“Online Trust,” 2014, p. 10). Furthermore, the data retention policy will be reviewed to determine whether data will be destroyed when no longer required, as per the data management lifecycle and the legislation in effect (“Retention Period,” 2014). Note that the above controls relate to the capability to protect organizational data from unauthorized access and to the sending and receiving protocols in place; hence they satisfy both the Confidentiality [emphasis added] and the Non-Repudiation [emphasis added] aspects of information assurance governance practices.
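As an added illustration (not part of the paper), the following Python script applies the data-governance tests just described to a small set of constructed access-provisioning records: owner approval, custodian provisioning, segregation of owner and custodian, least privilege, access logging and periodic revalidation. The asset/grant schema, the role names and the 90-day revalidation cycle are assumptions.

```python
"""Added example (not the paper's own): audit tests for the data-governance
controls above, run over constructed access-provisioning records.
The schema, names and the 90-day revalidation cycle are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

REVALIDATION_PERIOD_DAYS = 90  # assumed review cycle; the paper fixes none
LEVEL_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass
class DataAsset:
    name: str
    owner: str            # data owner: approves access requests
    custodian: str        # data custodian: provisions approved access
    classification: str   # sensitivity label, e.g. "confidential"
    storage_location: str
    access_logged: bool   # is every access/modification logged and monitored?


@dataclass
class AccessGrant:
    user: str
    asset: str
    requested_level: str
    granted_level: str
    approved_by: str
    provisioned_by: str
    granted_on: date
    last_validated: Optional[date]  # None if never revalidated since grant


def audit_grant(grant: AccessGrant, assets: Dict[str, DataAsset],
                as_of: date) -> List[str]:
    """Return the audit assertions (control exceptions) raised by one grant."""
    findings: List[str] = []
    asset = assets.get(grant.asset)
    if asset is None:
        # No classification record: ownership, custody and sensitivity undefined
        return [f"{grant.asset}: no data ownership, custody or classification record"]
    if asset.owner == asset.custodian:
        findings.append(f"{asset.name}: owner and custodian are the same "
                        f"({asset.owner}); segregation of duties not in place")
    if grant.approved_by != asset.owner:
        findings.append(f"approved by {grant.approved_by}, not the data owner "
                        f"{asset.owner}")
    if grant.provisioned_by != asset.custodian:
        findings.append(f"provisioned by {grant.provisioned_by}, not the data "
                        f"custodian {asset.custodian}")
    # Least privilege: what was granted must not exceed what was requested
    if LEVEL_RANK.get(grant.granted_level, 99) > LEVEL_RANK.get(grant.requested_level, 0):
        findings.append(f"granted {grant.granted_level} but only "
                        f"{grant.requested_level} was requested")
    if not asset.access_logged:
        findings.append(f"{asset.name}: data access is not logged and monitored")
    # Periodic validation: the grant, or its last revalidation, must be recent
    last_checked = grant.last_validated or grant.granted_on
    age = (as_of - last_checked).days
    if age > REVALIDATION_PERIOD_DAYS:
        findings.append(f"access not revalidated for {age} days "
                        f"(limit {REVALIDATION_PERIOD_DAYS})")
    return findings


def audit_access(grants: List[AccessGrant], assets: Dict[str, DataAsset],
                 as_of: date) -> Dict[str, List[str]]:
    """Audit every grant; the report lists only grants with exceptions."""
    report: Dict[str, List[str]] = {}
    for grant in grants:
        findings = audit_grant(grant, assets, as_of)
        if findings:
            report[f"{grant.user}@{grant.asset}"] = findings
    return report


# Constructed sample data (hypothetical roles and assets)
ASSETS = {
    "hr_payroll": DataAsset("hr_payroll", "j.owner", "k.custodian",
                            "confidential", "dc1-sql-02", True),
    # one person both owns and provisions this asset, and access is not logged
    "sales_reports": DataAsset("sales_reports", "m.owner", "m.owner",
                               "internal", "fileshare-01", False),
}
GRANTS = [
    AccessGrant("alice", "hr_payroll", "read", "read", "j.owner", "k.custodian",
                date(2014, 5, 1), date(2014, 7, 1)),
    AccessGrant("bob", "hr_payroll", "read", "write", "k.custodian", "k.custodian",
                date(2014, 1, 15), None),
    AccessGrant("carol", "sales_reports", "read", "read", "m.owner", "m.owner",
                date(2014, 6, 1), date(2014, 7, 10)),
    AccessGrant("dave", "legacy_export", "read", "read", "unknown", "unknown",
                date(2014, 3, 1), None),
]
AS_OF = date(2014, 7, 23)

if __name__ == "__main__":
    for key, findings in audit_access(GRANTS, ASSETS, AS_OF).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Each entry in the report is one audit assertion to be raised with management; a grant with no findings (alice above) produces no entry.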
- Incident response

By examining the communication/notification plan, it will be determined whether there are protocols in place in case of a data breach. Evidence of effective coordination between organizational stakeholders and external support personnel (e.g., law enforcement) will be assessed based on periodic joint exercises simulating emergency drills. These drills will be confirmed by reviewing detailed reports listing date, time, venue, simulated scenario(s) and participants.

In addition, evidence relating to the execution of the Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) will also be examined (“United Kingdom,” 2004, p. 35). The departments concerned will be expected to produce satisfactory evidence noting successful completion of the drill and any issues encountered. Since this area highlights the system's capability to provide access to network resources and data despite disruptive events or conditions, the above controls satisfy the Availability [emphasis added] aspect of information assurance governance practices.
- User-training & attestation

Users will be expected to play a critical role in supporting the organization's information assurance governance practices. They will be expected to participate in both formal and informal learning activities (See Figure 1) through awareness, literacy, training and education sessions (“United Kingdom,” 2004, p. 37). Each phase will comprise various activities, some of which will be audited. After completing each activity, users will be issued a certificate of completion, the record of which will be verified during the audit examination. For sampled users, the record of completion for the various activities will be compared against the established benchmark to determine whether a minimum number of users have completed the mandatory training that enables them to effectively safeguard and protect organizational assets against possible abuse/misuse.

Figure 1. Information assurance learning continuum (Maconachy, Schou, Ragsdale, & Welch, 2001)

Finally, a user listing will be produced noting users whose compliance (vis-à-vis mandatory training) is below the acceptable threshold. Subsequently, each such user's manager will be notified and will be responsible for ensuring that the users successfully complete all required training sessions within an agreed-upon timeframe. Records of all completed training and audit activities will be examined to close audit findings, if any. This area highlights the emphasis on the user education continuum, preparing users to ensure that the organizational system is capable of providing services and processing data with the assurance that it is accurate and uncorrupted. This satisfies the Integrity [emphasis added] aspect of information assurance governance.
- Periodic reviews

Records of system vulnerability testing will be examined to determine whether any gaps exist. (Based on vulnerability testing results, administrators are expected to close the gaps by addressing audit assertions. This is known as system hardening.) Subsequently, the results of system hardening will also be examined to determine whether any gaps remain; where gaps are reported, the auditor will verify their successful closure. The audit will also examine the results of external penetration testing, which will help determine whether any gaps need to be addressed.

Where the organization depends on a service organization for its computing needs, the vendor will be requested to produce a Service Auditor's Report (Statement on Standards for Attestation Engagements (SSAE) No. 16) to determine whether all controls relating to the data center are designed appropriately and operated effectively over a period of time (“SSAE 16,” 2014). It is important to note that when the organization chooses to engage a third-party vendor for its computing needs, its responsibility for governing security has not been removed; it is merely different (Kirkpatrick, 2011).

Note that an SSAE 16 Type I report only describes the design of a control at a given point in time, whereas a Type II report describes the design of the control and its operational effectiveness over a period of time.
All of the controls detailed above will be examined in detail, and documentary proof will bear evidence of management review and sign-off. Absence of documentary evidence relating to the activities, tasks or review and sign-off will lead to audit assertion(s). Audits will be planned as per the audit schedule and performed on a periodic basis.
Review of Feasibility
Management/stakeholder support (Anhal, 2002) is the main criterion for any governance program to be successful. This section discusses the feasibility of the concept presented, to determine whether it is feasible to conduct a formal scientific study to audit an organization's information assurance governance practices.

Feasibility is ascertained by breaking down the main concept into four main governance areas and then listing critical operational activities aligned with each of these areas. Each activity also lists the internal controls that ensure its governance at a more granular level. Subsequently, review approaches relevant to each activity are listed along with the corresponding audit activities.

The review approach describes the evidence to be examined for each internal control. It is also meant to assess the design and implementation of internal controls and comment on their operational effectiveness over a period of time.

In summary, by reviewing the methodology presented above, it is feasible to audit an organization's information assurance governance practices.
Conclusion
This concept paper evaluates the feasibility of conducting a formal scientific study to audit an organization's information assurance governance practices. Four critical areas (data governance, incident response, user-training and attestation, and periodic reviews) are examined to assess their suitability for inclusion in this study. The Confidentiality, Integrity, Availability and Non-Repudiation aspects of information assurance are also reviewed in this context. Corresponding review approaches for the internal controls aligned with each area are also discussed. Based on this discussion in conjunction with the review approaches, there is ample support for the feasibility of auditing an organization's information assurance governance practices.
References
Anhal, A. (2002). Information Assurance and Corporate Governance: Engaging Senior Management. SC Magazine. Retrieved July 22, 2014 from http://www.scmagazine.com/information-assurance-and-corporate-governance-engaging-senior-management/article/30725/

Arora, V. (2013). Comparing different information security standards: COBIT vs. ISO 27001. Unpublished manuscript. Carnegie Mellon University, Doha, Qatar.

Open Security Foundation. (2014). Data Loss Statistics [Data file]. Retrieved July 22, 2014 from http://datalossdb.org/statistics?utf8=%E2%9C%93&timeframe=current_year

Jaspal, S. (2011). Fraud Symptom 10 – Lapses in Information Assurance. Sonia Jaspal's RiskBoard. Retrieved July 22, 2014 from http://soniajaspal.wordpress.com/2011/09/30/fraud-symptom-10-lapses-in-information-assurance/

Kirkpatrick, J. (2011). Governance in the cloud. ISACA Journal, 5, 1-2. Retrieved July 22, 2014 from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-Governance-in-the-Cloud.pdf

Langford, J. (2003). Implementing Least Privilege at your Enterprise. SANS Institute InfoSec Reading Room. Retrieved July 22, 2014 from http://www.sans.org/reading-room/whitepapers/bestprac/implementing-privilege-enterprise-1188

Maconachy, W., Schou, C., Ragsdale, D., & Welch, D. (2001). A model for information assurance: An integrated approach. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, US Military Academy, West Point, NY, USA. Retrieved July 22, 2014 from http://it210web.groups.et.byu.net/lectures/MSRW%20Paper.pdf

Online Trust Alliance. (2014). 2014 Data Protection & Breach Readiness Guide. Retrieved July 22, 2014 from https://otalliance.org/system/files/files/resource/documents/2014otadatabreachguide4.pdf

Ponemon Institute LLC. (2013). 2013 Cost of Data Breach Study: Global Analysis. Retrieved July 22, 2014 from http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf

Retention Period. (2014). In Wikipedia. Retrieved July 22, 2014 from http://en.wikipedia.org/wiki/Retention_period

Separation of duties. (2014). In Wikipedia. Retrieved July 22, 2014 from http://en.wikipedia.org/wiki/Separation_of_duties

Sherwood, J. (2009). Historical Background: Information Assurance. SABSA Institute Community Forum. Retrieved July 22, 2014 from http://www.sabsa-institute.com/members/node/19

SOX-online: The Vendor-Neutral Sarbanes Oxley Site. (2012). Mapping COBIT to other guidance. Retrieved July 22, 2014 from http://www.sox-online.com/cobit_mapping.html

Speed, R. (2011). IT governance and the cloud: Principles and practice for governing adoption of cloud computing. ISACA Journal, 5, 1-6. Retrieved July 22, 2014 from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-IT-Governance-and-the-Cloud-Principles-and-Practice-for-Governing-Adoption-of-Cloud-Computing.pdf

SSAE 16 Overview. (2014). Auditing Standards Board. Retrieved July 22, 2014 from http://ssae16.com/SSAE16_overview.html

United Kingdom Cabinet Office. (2004). Information Assurance Governance Framework. Retrieved July 22, 2014 from http://www.sylviterma.com/Portals/0/resources/ia_governance_framework8ddbf733-48c5-4056-807b-42a756dd4b05.pdf
Running head MOBILE APPLICATION SECURITY .docxcharisellington63520
 

Similar to Auditing Organizational Information Assurance (IA) Governance Practices (20)

u10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacobu10a1-Risk Assessment Report-Beji Jacob
u10a1-Risk Assessment Report-Beji Jacob
 
SAMPLE HIPAA Security Rule Corrective Action Plan Project Charter
SAMPLE HIPAA Security Rule Corrective Action Plan Project CharterSAMPLE HIPAA Security Rule Corrective Action Plan Project Charter
SAMPLE HIPAA Security Rule Corrective Action Plan Project Charter
 
2172020 Originality Reporthttpsucumberlands.blackboar.docx
2172020 Originality Reporthttpsucumberlands.blackboar.docx2172020 Originality Reporthttpsucumberlands.blackboar.docx
2172020 Originality Reporthttpsucumberlands.blackboar.docx
 
To meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, STo meet the requirements for lab 10 you were to perform Part 1, S
To meet the requirements for lab 10 you were to perform Part 1, S
 
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
· Processed on 09-Dec-2014 901 PM CST · ID 488406360 · Word .docx
 
Homework AssignmentShort Answer Responses.1. Describe the fiv.docx
Homework AssignmentShort Answer Responses.1.  Describe the fiv.docxHomework AssignmentShort Answer Responses.1.  Describe the fiv.docx
Homework AssignmentShort Answer Responses.1. Describe the fiv.docx
 
Standards For Wright Aircraft Corp
Standards For Wright Aircraft CorpStandards For Wright Aircraft Corp
Standards For Wright Aircraft Corp
 
IT 549 Final Project Guidelines and Rubric Overview .docx
IT 549 Final Project Guidelines and Rubric  Overview .docxIT 549 Final Project Guidelines and Rubric  Overview .docx
IT 549 Final Project Guidelines and Rubric Overview .docx
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
Ict governance
Ict governanceIct governance
Ict governance
 
web-MINImag
web-MINImagweb-MINImag
web-MINImag
 
Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...Information Assurance Guidelines For Commercial Buildings...
Information Assurance Guidelines For Commercial Buildings...
 
1chapter42BaseTech Principles of Computer Securit.docx
1chapter42BaseTech  Principles of  Computer Securit.docx1chapter42BaseTech  Principles of  Computer Securit.docx
1chapter42BaseTech Principles of Computer Securit.docx
 
A Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information SystemA Monitor System in Data Redundancy in Information System
A Monitor System in Data Redundancy in Information System
 
Chapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docxChapter 1The International Information Systems Security Certifi.docx
Chapter 1The International Information Systems Security Certifi.docx
 
HealthCare Information Security Program Guidelines
HealthCare Information Security Program GuidelinesHealthCare Information Security Program Guidelines
HealthCare Information Security Program Guidelines
 
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS              .docxRunning head AUDITING INFORMATION SYSTEMS PROCESS              .docx
Running head AUDITING INFORMATION SYSTEMS PROCESS .docx
 
Understanding the Roles and Responsibilities of ISMS Auditor.docx
Understanding the Roles and Responsibilities of ISMS Auditor.docxUnderstanding the Roles and Responsibilities of ISMS Auditor.docx
Understanding the Roles and Responsibilities of ISMS Auditor.docx
 
Ffiec cat may_2017
Ffiec cat may_2017Ffiec cat may_2017
Ffiec cat may_2017
 
Running head MOBILE APPLICATION SECURITY .docx
Running head MOBILE APPLICATION SECURITY                     .docxRunning head MOBILE APPLICATION SECURITY                     .docx
Running head MOBILE APPLICATION SECURITY .docx
 

Auditing an organization's information assurance governance practices will identify opportunities for improvement and provide an independent and objective assessment of the effectiveness of the organization's information assurance governance practices. It will also enable the organization to comply with regulatory requirements, increase stakeholder confidence and strengthen its security posture in the face of numerous threats ("Ponemon," 2013). As part of governance, it will be management's responsibility to engage either Internal or External Auditors to develop and execute an audit program evaluating internal controls relating to the organization's information assurance governance practices. Leveraging leading industry frameworks (Arora, 2013; "SOX-Online," 2012) such as COBIT, COSO, NIST, ITIL and ISO 27002, the audit program will assess organizational information assurance governance practices; its scope will include data governance, incident response, user-training and attestation, and periodic reviews. Finally, a conclusion will be drawn to determine the feasibility of auditing an organization's information assurance governance practices.
Proposed Concept

With the passage of time, more and more data is being digitized, increasing organizational risk exposure. Globally, forty percent of the largest data breaches recorded occurred in 2013 ("Online Trust," 2014, p. 4). Hence, it becomes critical to have proactive vigilance over the organization's internal controls over information assurance via a formal audit program. The audit program will be developed after performing a comprehensive risk assessment ("United Kingdom," 2004, p. 3) to identify risks (see Appendices A & B) within the four aforementioned areas. Subsequently, as per the organization's risk management strategy, these risks will be accepted, mitigated, transferred or avoided ("United Kingdom," 2004, p. 24). Upon successful risk assessment, the audit program will be implemented to assess the effectiveness of internal controls. Following is a list of areas and the scope of audit coverage over internal controls:

Data governance
  Is there a standard procedure for user-access provisioning?
  Is user access periodically validated?
  Are data custody and ownership defined?
  Is data access logged and monitored?
  Is data classified, indicating sensitivity and storage location?
  Is a data retention policy defined?

Incident response
  Are there protocols in place in case of a data breach?
  Is there a communication/notification plan?
  Is there effective coordination between key stakeholders and support personnel?
  Are there disaster recovery and business continuity plans in place?

User-training & attestation
  Are users educated on their roles and expectations via the Information Security policy, seminars, online training, informational videos, brochures, etc.?
  Are users required to attest their participation in mandatory online training?

Periodic reviews
  Was vulnerability testing performed?
  Was penetration testing performed?
  Was system hardening performed?
  Was the evidence of this testing reviewed, approved and archived for audit purposes?

The design of internal controls in the above areas will be examined and tested for operational effectiveness over a period of time. Once the audit is concluded, management will be provided with a formal audit report detailing ineffective controls, the risk(s) posed and their impact, along with audit recommendations to bridge the identified gaps. Management will then review, approve and accept the audit report with a formal sign-off. The review approaches for these areas are discussed in detail in the next section.

Review Approaches

This section describes the audit program's review approaches that will test internal controls relating to data governance, incident response, user-training and periodic reviews. This program will determine the design and operational effectiveness of internal controls as follows:

Data governance

By examining relevant documentation, it will be determined whether there is a standard procedure to provision user access that requires the data owner to approve the requested access and the data custodian to provision the approved access. Alignment of data ownership and data custody will also be verified by reviewing documents detailing roles and responsibilities. It is to be noted that data ownership and data custody are assigned to different roles for segregation of duties purposes ("Separation of," 2014). It will also be determined whether this access was granted on the principle of least privilege (Langford, 2003), and whether user access is monitored and logged each time data is accessed and/or modified. It will also be examined whether data is classified appropriately, indicating data sensitivity, storage location and log details ("Online Trust," 2014, p. 10). Furthermore, the data retention policy will be reviewed to determine whether data will be destroyed when no longer required, as per the data management lifecycle and the prevailing legislation in effect ("Retention Period," 2014). Please note that the above controls relate to the capability to protect organizational data from unauthorized access, and to the sending and receiving protocols in place; hence they satisfy both the Confidentiality [emphasis added] and the Non-Repudiation [emphasis added] aspects of information assurance governance practices.

Incident response

By examining the communication/notification plan, it will be determined whether there are protocols in place in case of a data breach. Evidence of effective coordination between organizational stakeholders and external support personnel (e.g., law enforcement) will be determined based on periodic joint exercises simulating emergency drills. These drills will be confirmed by reviewing detailed reports listing date, time, venue, simulated scenario(s) and participants. In addition, evidence relating to the execution of the Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) will also be examined ("United Kingdom," 2004, p. 35). Concerned departments will be expected to produce satisfactory evidence noting successful completion of the drill and any issues encountered. Since this area highlights the system's capability to provide access to network resources and data despite disruptive events or conditions, the above controls satisfy the Availability [emphasis added] aspect of information assurance governance practices.

User-training & attestation

Users will be expected to play a critical role in supporting the organization's information assurance governance practices. They will be expected to participate in both formal and informal learning activities (see Figure 1) by taking part in awareness, literacy, training and education sessions ("United Kingdom," 2004, p. 37). Each phase will have various activities within it; some of those activities will be audited. After completing each activity, users will be issued a certificate of completion, the record of which will be verified during audit examination. For sampled users, the record of completion for various activities will be compared against the established benchmark to determine whether a minimum number of users have completed the mandatory training that will enable them to effectively safeguard and protect organizational assets against possible abuse/misuse.

Figure 1. Information assurance learning continuum (Maconachy, Schou, Ragsdale & Welch, 2001).

Finally, a user listing will be produced noting users whose compliance (vis-à-vis mandatory training) is below the acceptable threshold. Subsequently, each such user's manager will be notified and will be responsible for ensuring that the user successfully completes all required training sessions within an agreed-upon timeframe. Records of all completed training and audit activities will be examined to close audit findings, if any. This area highlights the emphasis on the user education continuum, preparing users to ensure that the organizational system is capable of providing services and processing data with the assurance that it is accurate and uncorrupted. This satisfies the Integrity [emphasis added] aspect of information assurance governance.

Periodic reviews

Records of system vulnerability testing will be examined to determine whether any gaps exist. (Based on vulnerability testing results, administrators are expected to close the gaps by addressing the audit assertions; this is known as system hardening.) Subsequently, the results of system hardening will also be examined to determine whether any gaps remain. In the event of reported gaps, the auditor will verify their successful closure. The audit will also examine the results of external penetration testing, which will help determine whether any gaps need to be addressed. Where the organization depends on a service organization for its computing needs, the vendor will be requested to produce a Service Auditor's Report (Statement on Standards for Attestation Engagements (SSAE) No. 16) to determine whether all controls relating to the data center are designed appropriately and operated effectively over a period of time ("SSAE 16," 2014). It is important to note that when the organization chooses to engage a third-party vendor for its computing needs, its responsibility for governing security has not been removed; it is merely different (Kirkpatrick, 2011).
Please note that an SSAE 16 Type I report only describes the design of a control at a given point in time, whereas a Type II report describes the design of the control and its operational effectiveness over a period of time. All of the controls detailed above will be examined in detail, and documentary proofs will have to carry evidence of management review and sign-off. Absence of documentary evidence relating to the activities, tasks or review and sign-off will lead to audit assertion(s). Audits will be planned as per the audit schedule and performed on a periodic basis.

Review of Feasibility

Management/stakeholder support (Anhal, 2002) is the main criterion for any governance program to be successful. This section discusses the feasibility of the concept presented, to determine whether it is feasible to conduct a formal scientific study to audit an organization's information assurance governance practices. Feasibility is ascertained by breaking down the main concept into four main governance areas and then listing the critical operational activities aligned with each of these areas. Each activity also lists the internal controls that ensure its governance at a more granular level. Subsequently, the review approaches relevant to each activity are listed along with corresponding audit activities. The review approach describes the evidence to be examined for each internal control. It is also meant to assess the design and implementation of internal controls and to comment on their operational effectiveness over a period of time. In summary, by reviewing the methodology presented above, it is feasible to audit an organization's information assurance governance practices.
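As an added illustration that is not part of the original paper, the script below operationalizes the data governance and periodic review control tests from the Review Approaches section over constructed evidence records: owner approval preceding custodian provisioning, segregation of duties between owner and custodian, periodic revalidation of access, access logging, and closed vulnerability findings carrying management review and sign-off. The record layout, the user and finding identifiers, the dates and the 90-day revalidation window are assumptions chosen for the example.

```python
from datetime import date

# Constructed sample evidence for illustration only; the record layout, users,
# dates and the 90-day revalidation window are assumptions, not taken from the
# paper or from any real organization.
AS_OF = date(2014, 7, 1)  # assumed audit "as of" date

ACCESS_GRANTS = [
    # Clean record: owner approved first, custodian provisioned after, revalidated, logged.
    {"user": "u1001", "dataset": "payroll", "owner_approved_by": "owner-fin",
     "owner_approved_on": "2014-03-02", "provisioned_by": "dba-01",
     "provisioned_on": "2014-03-03", "last_revalidated": "2014-06-20", "access_logged": True},
    # Segregation-of-duties breach: the same person approved and provisioned.
    {"user": "u1002", "dataset": "payroll", "owner_approved_by": "dba-01",
     "owner_approved_on": "2014-03-05", "provisioned_by": "dba-01",
     "provisioned_on": "2014-03-05", "last_revalidated": "2014-06-20", "access_logged": True},
    # Provisioned before owner approval, never revalidated, access not logged.
    {"user": "u1003", "dataset": "hr-records", "owner_approved_by": "owner-hr",
     "owner_approved_on": "2014-01-20", "provisioned_by": "dba-02",
     "provisioned_on": "2014-01-15", "last_revalidated": None, "access_logged": False},
]

VULN_FINDINGS = [
    # Closed, reviewed and signed off: satisfactory documentary evidence.
    {"id": "F-01", "closed_on": "2014-05-10", "reviewed_by": "ciso", "signed_off_on": "2014-05-12"},
    # Still open: hardening not completed.
    {"id": "F-02", "closed_on": None, "reviewed_by": None, "signed_off_on": None},
    # Closed, but without management review and sign-off.
    {"id": "F-03", "closed_on": "2014-05-10", "reviewed_by": None, "signed_off_on": None},
]


def _to_date(value):
    """Parse an ISO date string; None stays None (missing evidence)."""
    return date.fromisoformat(value) if value else None


def audit_access_grants(grants, as_of=AS_OF, revalidation_days=90):
    """Test the data governance controls on each grant; one (area, control, subject)
    tuple is returned per control failure, i.e. per audit assertion raised."""
    assertions = []
    for g in grants:
        subject = f"{g['user']}@{g['dataset']}"
        approved = _to_date(g.get("owner_approved_on"))
        provisioned = _to_date(g.get("provisioned_on"))
        # Standard procedure: data owner approval must exist and precede provisioning.
        if approved is None or provisioned is None or provisioned < approved:
            assertions.append(("data governance", "owner approval precedes provisioning", subject))
        # Segregation of duties: owner (approver) and custodian (provisioner) must differ.
        if g.get("owner_approved_by") == g.get("provisioned_by"):
            assertions.append(("data governance", "segregation of duties (owner vs custodian)", subject))
        # Periodic validation: access must have been revalidated within the window.
        last = _to_date(g.get("last_revalidated"))
        if last is None or (as_of - last).days > revalidation_days:
            assertions.append(("data governance", "periodic access revalidation", subject))
        # Monitoring: every access must be logged.
        if not g.get("access_logged"):
            assertions.append(("data governance", "access logging and monitoring", subject))
    return assertions


def audit_vuln_findings(findings):
    """Test the periodic review controls: findings closed, with review and sign-off."""
    assertions = []
    for f in findings:
        if f.get("closed_on") is None:
            assertions.append(("periodic reviews", "vulnerability finding not closed (hardening)", f["id"]))
        elif not (f.get("reviewed_by") and f.get("signed_off_on")):
            assertions.append(("periodic reviews", "closure lacks management review and sign-off", f["id"]))
    return assertions


def run_audit(grants=ACCESS_GRANTS, findings=VULN_FINDINGS, as_of=AS_OF):
    """Combine both control areas into one list of audit assertions for the report."""
    return audit_access_grants(grants, as_of) + audit_vuln_findings(findings)


if __name__ == "__main__":
    for area, control, subject in run_audit():
        print(f"{area}: control '{control}' failed for {subject}")
```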
Conclusion

This concept paper evaluates the feasibility of conducting a formal scientific study to audit an organization's information assurance governance practices. Four critical areas (data governance, incident response, user-training and attestation, and periodic reviews) are examined to assess their suitability for inclusion in this study. The Confidentiality, Integrity, Availability and Non-Repudiation aspects of information assurance are also reviewed in this context. Corresponding review approaches for the internal controls aligned with each aforementioned area are also discussed. Based on this discussion in conjunction with the review approaches, there is ample support for the feasibility of auditing an organization's information assurance governance practices.
References

Anhal, A. (2002). Information Assurance and Corporate Governance: Engaging Senior Management. SC Magazine. Retrieved July 22, 2014 from http://www.scmagazine.com/information-assurance-and-corporate-governance-engaging-senior-management/article/30725/

Arora, V. (2013). Comparing different information security standards: COBIT vs. ISO 27001. Unpublished manuscript. Carnegie Mellon University, Doha, Qatar.

Open Security Foundation. (2014). Data Loss Statistics [Data file]. Retrieved July 22, 2014 from http://datalossdb.org/statistics?utf8=%E2%9C%93&timeframe=current_year

Jaspal, S. (2011). Fraud Symptom 10 – Lapses in Information Assurance. Sonia Jaspal's RiskBoard. Retrieved July 22, 2014 from http://soniajaspal.wordpress.com/2011/09/30/fraud-symptom-10-lapses-in-information-assurance/

Kirkpatrick, J. (2011). Governance in the cloud. ISACA Journal, 5, 1-2. Retrieved July 22, 2014 from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-Governance-in-the-Cloud.pdf

Langford, J. (2003). Implementing Least Privilege at your Enterprise. SANS Institute InfoSec Reading Room. Retrieved July 22, 2014 from http://www.sans.org/reading-room/whitepapers/bestprac/implementing-privilege-enterprise-1188

Maconachy, W., Schou, C., Ragsdale, D., & Welch, D. (2001). A model for information assurance: An integrated approach. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, US Military Academy, West Point, NY, USA. Retrieved July 22, 2014 from http://it210web.groups.et.byu.net/lectures/MSRW%20Paper.pdf

Online Trust Alliance. (2014). 2014 Data Protection & Breach Readiness Guide. Retrieved July 22, 2014 from https://otalliance.org/system/files/files/resource/documents/2014otadatabreachguide4.pdf

Ponemon Institute LLC. (2013). 2013 Cost of Data Breach Study: Global Analysis. Retrieved July 22, 2014 from http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf

Retention Period. (2014). In Wikipedia. Retrieved July 22, 2014 from http://en.wikipedia.org/wiki/Retention_period

Separation of duties. (2014). In Wikipedia. Retrieved July 22, 2014 from http://en.wikipedia.org/wiki/Separation_of_duties

Sherwood, J. (2009). Historical Background: Information Assurance. SABSA Institute Community Forum. Retrieved July 22, 2014 from http://www.sabsa-institute.com/members/node/19

SOX-online: The Vendor-Neutral Sarbanes Oxley Site. (2012). Mapping COBIT to other guidance. Retrieved July 22, 2014 from http://www.sox-online.com/cobit_mapping.html

Speed, R. (2011). IT governance and the cloud: Principles and practice for governing adoption of cloud computing. ISACA Journal, 5, 1-6. Retrieved July 22, 2014 from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-IT-Governance-and-the-Cloud-Principles-and-Practice-for-Governing-Adoption-of-Cloud-Computing.pdf

SSAE 16 Overview. (2014). Auditing Standards Board. Retrieved July 22, 2014 from http://ssae16.com/SSAE16_overview.html

United Kingdom Cabinet Office. (2004). Information Assurance Governance Framework. Retrieved July 22, 2014 from http://www.sylviterma.com/Portals/0/resources/ia_governance_framework8ddbf733-48c5-4056-807b-42a756dd4b05.pdf