Controls are security mechanisms that can counter threats and reduce risks. They focus on protecting data at rest, in transit, and in process. The first step in developing controls is to categorize systems and data based on their security needs. This informs the selection of appropriate controls. Finally, controls are implemented through a process of identifying responsibilities, integrating engineering efforts, and establishing processes to continuously monitor and respond to threats.

1. SECURITY CONTROLS
Controls are a security mechanism, policy, or procedure that can successfully
counter attacks, reduce risk, resolve vulnerabilities and otherwise improve
security within an organization.
Whether an organization is considering a technical or operational control to
mitigate risk, or an administrative solution such as training and new procedures
or policies, the control needs to focus on the hardware, telecommunications, and
software that protect sensitive information in one of the following three states:
 Data at rest
 Data in transit
 Data in process

2. GOAL-BASED SECURITY CONTROLS

3. IMPLEMENTATION-BASED CONTROLS

4. SECURITY CONTROL FORMULATION
Any information resource with value to an organization requires some degree of
security protection. This provides a starting point for formulation and development
of security controls.
The wide variety of ICT system components within an organization’s supply chain
result in significantly different security requirements, with the potential for equally
different corresponding protective mechanisms to satisfy the requirements.
Security Categorization of ICT Systems -
The first step in the formulation and development of security controls establishes
the security categorization for the ICT system. In addition to categorizing each ICT
component and the data stored and processed within them, the security team
begins the process of developing the system security plan by documenting security
categorization and system description information.

5. SECURITY CONTROL FORMULATION
• Identifying Information Types: organizations may group information types
into categories defined by guidelines such as FIPS 199 or CNSSI 1253.
However, organizations have the flexibility to define or identify their own
information types and to select their own impact levels.
• Each information system categorization can be represented as
SC information type =
{(confidentiality, impact), (integrity, impact), (availability, impact)},
where the acceptable values for potential impact are LOW, MODERATE,
HIGH, or NOT APPLICABLE
• The resulting level, is subsequently used to determine overall system
security categorization and serve as the basis for selecting a security
control baseline.

7. Setting stage for Control Implementation
• Coming out of the security control selection process, the security plan will
provide criteria relative to what controls and control enhancements will be
implemented for the ICT system.
• Prior to engaging in control implementation, functional and technical
members of the implementation project group facilitate decisions related to
how each control will be implemented and assign responsibility of activities
to be performed within the process, to individuals with the appropriate skill
level and knowledge of the system; including hardware, software, and
associated configurations.
• Managers that assign responsibilities need to be mindful that the nature of
the work required to implement a control varies considerably across
management, operational, and technical controls.

8. Setting stage for Control Implementation
Control Implementation through Security Engineering:
• Identify the organizational security risks Define the security needs to
counter identified risks
• Transform the security needs into activities
• Establish confidence and trustworthiness in correctness and effectiveness
in a system
• Determine that operational impacts due to residual security vulnerabilities
in a system or its operation are tolerable (acceptable risks)
• Integrate the efforts of all engineering disciplines and specialties into a
combined understanding of the trustworthiness of a system

9. TYPES OF IT AUDITS
• Technological position audit : - This audit reviews the technologies that the
business currently has and that it needs to add. Technologies are
characterized as being either "base", "key", "pacing" or "emerging".
• Systemsand ApplicationsAudit :- An audit to verify that systems and
applications are appropriate, are efficient, and are adequately controlled to
ensure valid, reliable, timely, and secure input, processing, and output at all
levels of a system's activity. System and process assurance audits form a
subtype, focussing on business process-centric business IT systems. Such
audits have the objective to assist financial auditors.
• Information ProcessingAudit :- An audit to verify that the processing
facility is controlled to ensure timely, accurate, and efficient processing of
applications under normal and potentially disruptive conditions.

10. TYPES OF IT AUDITS
• SystemsDevelopment Audit :- An audit to verify that the systems under
development meet the objectives of the organization, and to ensure that the
systems are developed in accordance with generally accepted standards for
systems development.
• Management of IT and Enterprise Architecture Audit :- An audit to verify that
IT management has developed an organizational structure and procedures
to ensure a controlled and efficient environment for information processing.
• Client/Server, Intranets, and Extranets Audit :- An audit to verify that
telecommunications controls are in place on the client (computer receiving
services), server, and on the network connecting the clients and servers

11. Implementing a Multi-tired Governance
Making Information Governance Tangible:
• The mandate of information governance is to add value to the business as
well as to help it achieve its goals.
• Therefore, capable information governance will link technology processes,
resources, and information to the overall purposes of the enterprise.
• Since information is an asset, all organizations have the obligation to assure
its uninterrupted confidentiality, integrity, and availability for use.
• Therefore, managers have the responsibility to establish a tangible internal
control system, which will explicitly protect the everyday functioning of the
information processing and retrieval processes of the particular business.

12. Implementing a Multi-tired Governance
There are seven universally desirable characteristics, which an
information governance infrastructure should embody:
Effectiveness—that is, the organization’s information must be ensured relevant
and pertinent to the business process that it serves as well as delivered in a
timely, correct, consistent, and usable manner.
Efficiency—in the simplest terms information must be made readily available
through the most optimal (productive and economical) means possible.
Confidentiality—sensitive information must be protected from unauthorized
disclosure or access as well as tampering.
Integrity—the accuracy and completeness of information as well as its validity
must be assured in accordance purpose.
.

13. Implementing a Multi-tired Governance
Availability—information must be accessible when required by the business
Process
Compliance—all information and information processing must comply with
those laws, regulations, and contractual arrangements to which the business
process is subject, that is, externally imposed business criteria.
Reliability—relates to the provision of appropriate information for management
to operate the entity and for management to exercise its financial and
compliance reporting responsibilities.
These generic qualities are operationalized through an explicit set of control
behaviors that are executed in a practical, day-to-day systematic fashion.

14. Establish Real, Working Control Framework
• The process of implementing a set of controls entails the
identification, prioritization, assurance, and sustainment of
an effective response to every plausible threat.
• This control deployment function is not a one-shot “front-
end” to setting up a static security solution.
• It is a constant and organized probing of the environment to
sense the presence of and respond appropriately to any
potential sources of harm to the organization’s information
assets.

15. AUDIT PROCESS
• One of the best practices for an audit function is to
have an audit universe.The audit universe is an
inventory of all the potential audit areas within an
organization.
• Basic functional audit areas within an organization
include sales,marketing, customer service,
operations, research and development,finance,
human resource,information technology,and legal.
• An audit universeincludes the basic functional
audit area, organization objectives,key business
processesthat support those organization
objectives,specific audit objectives,risks of not
achieving those objectives,and controls that
mitigate the risks

16. QUESTIONS ??

17. THANK YOU !!