One of the core Meaningful Use measures requires providers to perform a security audit to ensure the protection of patient information. Learn more about what a security audit should entail, as well as potential risks and how configuration options within the SuccessEHS solution can be used to protect patient data.
Defining an IT Auditor,
IT Auditor Certifications & ISACA,
IT Audit Phases,
Preparing to be Audited,
How an IT auditor audits an application,
Auditing technology for information systems.
Here is an easy to use checklist for ISO 27001
If you require any advice, please call CAW Consultancy Business Solutions on 01772 932058 or our 24-hour hotline 07427535662.
Building an effective Information Security Roadmap - Elliott Franklin
As company information security functions continue to grow each year with increasing attacks and regulations, how are you handling the pressure? Are you constantly battling to run the business projects and reacting to customer requests? Have you blocked off a few hours each week on your calendar to close your email, turn off your phone and try to build, assess and maintain an effective vision for your security team? This presentation will discuss a cascading approach to creating such a roadmap that is easily understood by executives and has helped gain quick buy-in for multiple enterprise-wide security projects.
National Cybersecurity - Roadmap and Action Plan - Dr David Probert
Analysis, strategies and practical action plans for national government cybersecurity based upon the United Nations / International Telecommunication Union (UN/ITU) Cybersecurity Framework and the ITU Global Cybersecurity Agenda (GCA).
In the fields of physical security and information security, access control (AC) is the selective restriction of access to a place or other resource. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization. Access control covers both the physical premises of an organization and the information technology it runs; its purpose is to keep unauthorized outsiders and unauthorized employees alike away from assets they have no business reaching.
Topics covered:
• Control physical and logical access to assets
• Manage identification and authentication of people and devices
• Integrate identity as a service (e.g., cloud identity)
• Integrate third-party identity services (e.g., on-premise)
• Implement and manage authorization mechanisms
• Prevent or mitigate access control attacks
• Manage the identity and access provisioning life cycle (e.g., provisioning, review)
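As an added example (not code from this page or from any product it mentions), the Python below shows one way to implement an authorization mechanism that fails closed, and contrasts it with the check that most access control attacks exploit. The roles, permission names, record owners and the audit trail are all assumptions made for illustration:

```python
"""Deny-by-default authorization combining role permissions with resource
ownership, with a vulnerable variant for contrast. Added example, not code
from the page; roles, permission names and sample data are constructed."""
from dataclasses import dataclass

# Assumed role -> permission mapping. Permission names end in _own (valid only
# on resources the caller owns) or _any (valid on every resource of that kind).
ROLE_PERMISSIONS = {
    "patient":   {"record:read_own"},
    "clinician": {"record:read_any", "record:write_any"},
    "auditor":   {"record:read_any", "auditlog:read_any"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


@dataclass(frozen=True)
class Resource:
    kind: str       # e.g. "record"
    owner_id: str   # subject the resource belongs to


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def permissions_for(principal):
    """Union of the caller's role permissions; unknown roles grant nothing."""
    perms = set()
    for role in principal.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(principal, action, resource):
    """Logical access check. Denies unless an explicit permission matches,
    so a missing role or a typo in a role name fails closed."""
    perms = permissions_for(principal)
    any_perm = f"{resource.kind}:{action}_any"
    own_perm = f"{resource.kind}:{action}_own"
    if any_perm in perms:
        return Decision(True, f"{any_perm} granted by role")
    if own_perm in perms and principal.user_id == resource.owner_id:
        return Decision(True, f"{own_perm} granted: caller owns the resource")
    return Decision(False, "no matching permission; denied by default")


def authorize_vulnerable(principal, action, resource):
    """The classic broken check: only verifies that the caller is
    authenticated (has any role). Any logged-in patient can read any
    other patient's record by changing the identifier (IDOR)."""
    if not principal.roles:
        return Decision(False, "not authenticated")
    return Decision(True, "authenticated caller allowed")


AUDIT_TRAIL = []   # (who, action, kind, owner, allowed): evidence for later review


def access(principal, action, resource):
    """Enforcement point: decide, record the decision, return it."""
    decision = authorize(principal, action, resource)
    AUDIT_TRAIL.append((principal.user_id, action, resource.kind,
                        resource.owner_id, decision.allowed))
    return decision


if __name__ == "__main__":
    alice = Principal("alice", frozenset({"patient"}))
    bob_record = Resource("record", "bob")
    print(access(alice, "read", Resource("record", "alice")))   # allowed
    print(access(alice, "read", bob_record))                    # denied
    print(authorize_vulnerable(alice, "read", bob_record))      # allowed: the bug
```

The vulnerable variant passes every request from an authenticated caller, which is exactly the horizontal privilege escalation (insecure direct object reference) an attacker attempts by changing a record identifier. The hardened check ties the permission either to a role that legitimately spans all records or to ownership of the specific record, and records each decision so that the review step of the provisioning life cycle has evidence to work from.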
Being aware of the trends that are expected to shape the digital landscape is an important step in ensuring the security of your data and online assets.
Amongst others, the webinar covers:
• Top Cyber Trends for 2023
• Cyber Insurance
• Prioritization of Cyber Risk
Presenters:
Colleen Lennox
Colleen Lennox is the Founder of Cyber Job Central, a newly formed job board dedicated to Cybersecurity job openings. Colleen has 25+ years in Technical Recruiting and loves to help others find their next great job!
Madhu Maganti
Madhu is a goal-oriented cybersecurity/IT advisory leader with more than 20 years of comprehensive experience leading high-performance teams with a proven track record of continuous improvement toward objectives. He is highly knowledgeable in both technical and business principles and processes.
Madhu specializes in cybersecurity risk assessments, enterprise risk management, regulatory compliance, Sarbanes-Oxley (SOX) compliance and system and organization controls (SOC) reporting.
Date: January 25, 2023
Tags: ISO, ISO/IEC 27032, Cybersecurity Management
-------------------------------------------------------------------------------
Find out more about ISO training and certification services
Training: https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27032
https://pecb.com/article/cybersecurity-risk-assessment
https://pecb.com/article/a-deeper-understanding-of-cybersecurity
Webinars: https://pecb.com/webinars
Article: https://pecb.com/article
Whitepaper: https://pecb.com/whitepaper
-------------------------------------------------------------------------------
For more information about PECB:
Website: https://pecb.com/
LinkedIn: https://www.linkedin.com/company/pecb/
Facebook: https://www.facebook.com/PECBInternational/
Slideshare: http://www.slideshare.net/PECBCERTIFICATION
YouTube video: https://youtu.be/BAAl_PI9uRc
Cyber crisis management refers to the plan that includes steps to recover IT Services from an emergency disruption. It is crucial to have a cyber crisis management plan to minimize the impact of incidents while quickly restoring security, operations, and credibility.
There are two general types of data dictionaries: a database management system data dictionary and an organization-wide data dictionary. For this assignment, we are focusing on the organization-wide data dictionary. In a data dictionary, individual data elements and definitions are defined to ensure consistency and accuracy. Assume you need to collect and analyze data on patients discharged and readmitted to hospital X within 90 days of discharge. Develop the data dictionary for this study by completing the table below. Your data dictionary must include a minimum of 15 discrete data elements. Include information you would need to identify:
· the patient (Unique identifier)
· the admission(s)
· the reason for each admission (why the patient presented to the hospital emergency department)
· the principal diagnosis, defined as the condition established after study to be chiefly responsible for the patient's admission to the hospital.
· the indicator for justified readmission or questionable readmission.
Guided response: Include at least 15 data elements and the rationale for each data element, using the format below and include:
· A title page with the following:
· Title of paper
· Student’s name
· Course name and number
· Instructor’s name
· Date submitted
· Include two scholarly references, excluding the textbook, formatted according to APA style as outlined in the Writing Center.
CHAPTER 5 Security Policies, Standards, Procedures, and Guidelines
The four components of security documentation are policies, standards,
procedures, and guidelines. Together, these form the complete definition of a
mature security program. The Capability Maturity Model (CMM), which measures
how robust and repeatable a business process is, is often applied to security
programs. The CMM relies heavily on documentation for defining repeatable,
optimized processes. As such, any security program considered mature by CMM
standards needs to have well-defined policies, procedures, standards, and
guidelines.
• Policy is a high-level statement of requirements. A security policy is the primary
way in which management’s expectations for security are provided to the
builders, installers, maintainers, and users of an organization’s information
systems.
• Standards specify how to configure devices, how to install and configure
software, and how to use computer systems and other organizational assets, to be
compliant with the intentions of the policy.
• Procedures specify the step-by-step instructions to perform various tasks in
accordance with policies and standards.
• Guidelines are advice about how to achieve the goals of the security policy, but
they are suggestions, not rules. They are an important communication tool to let
people know how to follow the policy’s guidance. They convey best practices for
using technology systems or behaving according to management’s preferences.
This chapter covers the basics of what you need to know about policies,
standards, procedures, and guidelines, and provides some examples to illustrate
the principles. Of these, security policies are the most important within the
context of a security program, because they form the basis for the decisions that
are made within the security program, and they give the security program its
“teeth.” As such, the majority of this chapter is devoted to security policies. There
are other books that cover policies in as much detail as you like. See the
References section for some recommendations. The end of this chapter provides
you with some guidance and examples for standards, procedures, and guidelines,
so you can see how they are made, and how they relate to policies.
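Standards and procedures become auditable when the standard is expressed as something a machine can check against evidence. The Python below is an added example, not code from the chapter: it encodes a hypothetical SSH hardening standard (call it STD-SSH-01, an assumed identifier) as rules, parses an sshd_config the way sshd reads its global section, and returns findings that cite the line serving as evidence. The sample configurations are constructed, not captured from a real host.

```python
"""Standard-as-code: audit an sshd_config against a hardening standard and
return findings with evidence. Added example, not code from the chapter;
the standard identifier STD-SSH-01, its rules and the sample files are assumed."""
import re

# Documented OpenSSH defaults, applied when a directive is absent from the file.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
    "x11forwarding": "no",
    "permitemptypasswords": "no",
}

# Hypothetical standard STD-SSH-01, derived from a policy statement such as
# "remote administrative access must use key-based authentication".
# directive -> (predicate on the lower-cased value, human-readable expectation)
STANDARD = {
    "permitrootlogin": (lambda v: v == "no", "no"),
    "passwordauthentication": (lambda v: v == "no", "no"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "4 or fewer"),
    "x11forwarding": (lambda v: v == "no", "no"),
    "permitemptypasswords": (lambda v: v == "no", "no"),
}


def parse_sshd_config(text):
    """Return {directive: (value, line_no)} for the global section.
    Mirrors the sshd semantics that matter for an audit: keywords are
    case-insensitive, 'Key value' and 'Key=value' are both accepted, the
    first occurrence of a directive wins, and everything from the first
    Match block onward is conditional and therefore not global evidence."""
    effective = {}
    for line_no, raw in enumerate(text.splitlines(), 1):
        # Assumption for this example: '#' starts a comment anywhere on a line.
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, (value, line_no))
    return effective


def audit(text):
    """Evaluate STANDARD against a config; returns a list of findings,
    empty when the host is compliant. Each finding carries the evidence
    an auditor would record: the line observed or the default applied."""
    cfg = parse_sshd_config(text)
    findings = []
    for directive, (passes, expected) in STANDARD.items():
        if directive in cfg:
            value, line_no = cfg[directive]
            evidence = f"line {line_no}: {directive} {value}"
        else:
            value = SSHD_DEFAULTS[directive]
            evidence = "directive absent; OpenSSH default applies"
        if not passes(value.lower()):
            findings.append({"directive": directive, "observed": value,
                             "expected": expected, "evidence": evidence})
    return findings


# Constructed sample files, not captured from a real host.
NONCOMPLIANT_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries = 3
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication no
"""

COMPLIANT_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
X11Forwarding no
PermitEmptyPasswords no
"""

if __name__ == "__main__":
    for f in audit(NONCOMPLIANT_CONFIG):
        print(f"FINDING {f['directive']}: observed {f['observed']!r}, "
              f"expected {f['expected']} ({f['evidence']})")
    print("compliant:", audit(COMPLIANT_CONFIG) == [])
```

Two details matter for audit correctness here. A directive that is absent takes the documented OpenSSH default, so PasswordAuthentication missing from the file is a finding rather than a pass. Settings inside a Match block apply only to the matched users or hosts, so the checker stops at the first Match and does not let a per-user "PasswordAuthentication no" satisfy a host-wide requirement; that block would need its own procedure and evidence.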
Security Policies
A security policy is the essential foundation for an effective and comprehensive
security program. A good security policy should be a high-level, brief, formalized
statement of the security practices that management expects employees and
other stakeholders to follow. A security policy should be concise and easy to
understand so that everyone can follow the guidance set forth in it.
In its basic form, a security policy is a document that describes an
organization’s security requirements. A security policy specifies what should be
done, not how; nor does it specify technologies or specific solutions. The security
policy defines a specific set of ...
Mrs Bianca Pasipanodya, the Group ICT executive for First Mutual Group and an esteemed speaker at the ISACA Harare Chapter, gives her remarks about the implementation of an effective Information Security Management System in Zimbabwe.
Build an Information Security Strategy - Andrew Byers
Organizations are struggling to keep up with today's evolving threat landscape.
From technology sophistication and business adoption to the proliferation of hacking techniques and the expansion of hacking motivations, organizations are facing major security risks.
Every organization needs some kind of information security program to protect its systems and assets.
Organizations today face pressure from regulatory or legal obligations, customer requirements, and now senior management expectations.
Black-Box Testing, Model-Based Testing, Testing for Specialized Environments, Architecture, Object-Oriented Testing Strategies, Object-Oriented Testing Methods, Test Cases and the Class Hierarchy, Testing Concepts for WebApps, Testing Process – An Overview, User Interface Testing, Test Plan, Positive Testing, Negative Testing, Strategic Approach to Software Testing, Strategic Issues, Test Conventional Software, Test Strategies for Object-Oriented Software, Test Strategies for WebApps, Validation Testing, System Testing, The Art of Debugging, Software Testing Fundamentals, White-Box Testing, Basis Path Testing, Control Structure Testing
Cosmetic shop management system project report.pdf - Kamal Acharya
Buying new cosmetic products is difficult. It can even be scary for those who have sensitive skin and are prone to skin trouble. The information needed to alleviate this problem is on the back of each product, but it is tough to interpret those ingredient lists unless you have a background in chemistry.
Instead of buying and hoping for the best, we can use data science to help us predict which products may be good fits for us. The project includes various function programs to perform the tasks mentioned above.
Data file handling has been used effectively in the program.
The automated cosmetic shop management system should deal with the automation of the general workflow and administration process of the shop. The main processes of the system focus on the customer's request, where the system is able to search for the most appropriate products and deliver them to the customer. It should help the employees quickly identify the list of cosmetic products that have reached the minimum quantity and also keep track of the expiry date of each cosmetic product. It should help the employees find the rack number in which a product is placed. It is also a faster and more efficient way of working.
Welcome to WIPAC Monthly, the magazine brought to you by the LinkedIn group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news, to celebrate the 13 years since the group was created we have articles including:
A case study of the use of Advanced Process Control at the wastewater treatment works at Lleida in Spain
A look back at an article on smart wastewater networks, in order to see how the industry has measured up in the interim on the adoption of Digital Transformation in the Water Industry.
Overview of the fundamental roles in Hydropower generation and the components involved in wider Electrical Engineering.
This paper presents the design and construction of hydroelectric dams from the hydrologist’s survey of the valley before construction, all aspects and involved disciplines, fluid dynamics, structural engineering, generation and mains frequency regulation to the very transmission of power through the network in the United Kingdom.
Author: Robbie Edward Sayers
Collaborators and co editors: Charlie Sims and Connor Healey.
(C) 2024 Robbie E. Sayers
About
Indigenized remote control interface card suitable for MAFI system CCR equipment. Compatible for IDM8000 CCR. Backplane mounted serial and TCP/Ethernet communication module for CCR remote access. IDM 8000 CCR remote control on serial and TCP protocol.
• Remote control: Parallel or serial interface.
• Compatible with MAFI CCR system.
• Compatible with IDM8000 CCR.
• Compatible with Backplane mount serial communication.
• Compatible with commercial and Defence aviation CCR system.
• Remote control system for accessing CCR and allied system over serial or TCP.
• Indigenized local Support/presence in India.
• Easy in configuration using DIP switches.
Industrial Training at Shahjalal Fertilizer Company Limited (SFCL) - MdTanvirMahtab2
This presentation is about the working procedure of Shahjalal Fertilizer Company Limited (SFCL). A Govt. owned Company of Bangladesh Chemical Industries Corporation under Ministry of Industries.
Sachpazis: Terzaghi Bearing Capacity Estimation in simple terms with Calculati... - Dr. Costas Sachpazis
Terzaghi's soil bearing capacity theory, developed by Karl Terzaghi, is a fundamental principle in geotechnical engineering used to determine the bearing capacity of shallow foundations. This theory provides a method to calculate the ultimate bearing capacity of soil, which is the maximum load per unit area that the soil can support without undergoing shear failure. The Calculation HTML Code included.
1. PLANNING FOR SECURITY & SECURITY AUDIT PROCESS
SECURITY & RISK MANAGEMENT, MODULE 6
DIVYA TIWARI, MEIT, TERNA ENGINEERING COLLEGE
Information Security Planning and Governance, Information Security Policy Standards, EISP, ISSP, SysSP, Policy Management, Pre-planning audit, Audit Risk Management, Performing Audit, Internal Controls, Audit Evidence, Audit Testing, Audit Finding, Follow-up activities
2. PLANNING FOR SECURITY
• Information Security Planning and Governance
• Information Security Policy, Standards and Practices
• Enterprise Information Security Policy (EISP)
• Issue-Specific Security Policy (ISSP)
• System-Specific Policy (SysSP)
• Policy Management
3. Information Security Planning and Governance
• Strategic planning provides a long-term direction to be taken by the whole organization and also by each of its component parts.
• Strategic planning should guide organizational efforts and focus resources toward specific, clearly defined goals.
• The planning cascade runs as follows: the organization develops a general strategy; an overall strategic plan is written for the major divisions; each level of division then translates plan objectives into more specific objectives; the executive team (also called the C-level of the organization) defines individual responsibilities; and each individual in the organization works towards executing the broad strategy, turning general strategy into action.
4. Planning Levels
• Once organization’s overall strategic plan is translated into strategic plans for each major
division or operation, next step is to translate these plans into tactical objectives that move
toward reaching specific, measurable, achievable and time-bound accomplishments.
• Strategic plans are used to create tactical plans, which are in turn used to develop operational
plans.
• Tactical planning focuses on shorter-term undertakings that will be completed within one or
two years.
• Tactical planning breaks each strategic goal into a series of incremental objectives.
• Each objective in a tactical plan should be specific and should have a delivery date within a
year of the plan’s start.
• Budgeting, resource allocation, and personnel are critical components of the tactical plan.
• Tactical plans often include project plans and resource acquisition planning documents (such
as product specifications), project budgets, project reviews, and monthly and annual reports.
• Since tactical plans are often created for specific projects, some organizations call this
process project planning or intermediate planning.
5. • The chief information security officer (CISO) and the security managers use the tactical plan
to organize, prioritize, and acquire resources necessary for major projects and to provide
support for the overall strategic plan.
• Managers and employees use operational plans, which are derived from the tactical plans, to
organize the ongoing, day-to-day performance of tasks.
• An operational plan includes the necessary tasks for all relevant departments, as well as
communication and reporting requirements, which might include weekly meetings, progress
reports, and other associated tasks.
• These plans must reflect the organizational structure, with each subunit, department, or
project team conducting its own operational planning and reporting.
• Frequent communication and feedback from the teams to the project managers and/or team
leaders, and then up to the various management levels, makes planning process more
manageable and successful.
6. Planning and the CISO
• The first priority of the CISO and the information security management team is the creation
of a strategic plan to accomplish the organization’s information security objectives.
• Although each organization may have its own format for the design and distribution of a strategic plan, the fundamental elements of planning share characteristics across all types of enterprises.
• The plan is an evolving statement of how the CISO and the various elements of the
organization will implement the objectives of the information security charter.
Information Security Governance
• Governance is the set of responsibilities and practices exercised by the board and executive
management with the goal of providing strategic direction, ensuring that objectives are
achieved, ascertaining that risks are managed appropriately and verifying that the
enterprise’s resources are used responsibly.
• In order to secure information assets, an organization’s management must integrate
information security practices into the fabric of the organization, expanding corporate
governance policies and controls to encompass the objectives of the information security
process.
7. • Information security objectives must be addressed at the highest levels of an organization’s
management team in order to be effective and sustainable.
• A broader view of information security encompasses all of an organization’s information
assets, including the knowledge managed by those IT assets.
• According to the Information Technology Governance Institute (ITGI), information security
governance includes all of the accountabilities and methods undertaken by the board of
directors and executive management to provide strategic direction, establishment of
objectives, measurement of progress toward those objectives, verification that risk
management practices are appropriate, and validation that the organization’s assets are used
properly.
Information Security Governance Outcomes
• Effective communication among stakeholders is critical to the structures and processes used
in governance at every level especially in information security governance.
• This requires the development of constructive relationships, a common language, and a
commitment to the objectives of the organization.
8. Five Goals of Information Security Governance are as follows:
• Strategic alignment of information security with business strategy to support organizational objectives
• Risk management by executing appropriate measures to manage and mitigate threats to information resources
• Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
• Performance measurement by measuring, monitoring, and reporting information security governance metrics to ensure that organizational objectives are achieved
• Value delivery by optimizing information security investments in support of organizational objectives
9. Governance Framework
• Corporate Governance Task Force (CGTF) recommends that organizations follow an
established framework, such as the IDEAL framework from the Carnegie Mellon University
Software Engineering Institute.
• This framework, which is described in the document “Information Security Governance:
Call to Action,” defines the responsibilities of:
(1) the board of directors or trustees
(2) the senior organizational executive (i.e., CEO)
(3) executive team members
(4) senior managers
(5) all employees and users.
11. For a policy to be effective and thus legally enforceable, it must meet the given criteria:
• Dissemination (distribution)
• Review (reading)
• Comprehension (understanding)
• Compliance (agreement)
• Uniform enforcement
12. Enterprise Information Security Policy (EISP)
• An enterprise information security policy (EISP) is also known as a general security policy,
organizational security policy, IT security policy, or information security policy.
• The EISP guides the development, implementation, and management of the security
program.
• It sets out the requirements that must be met by the information security blueprint or
framework.
• It defines the purpose, scope, constraints, and applicability of the security program.
• It also assigns responsibilities for the various areas of security, including systems
administration, maintenance of the information security policies, and the practices and
responsibilities of the users. It also addresses legal compliance.
13. • According to the National Institute of Standards and Technology (NIST), the EISP typically
addresses compliance in the following two areas:
1. General compliance to ensure meeting the requirements to establish a program and
the responsibilities assigned therein to various organizational components.
2. The use of specified penalties and disciplinary action.
• Although the specifics of EISPs vary from organization to organization, most EISP documents
should include the following elements:
1. An overview of the corporate philosophy on security.
2. Information on the structure of the information security organization and individuals who
fulfill the information security role.
3. Fully articulated responsibilities for security that are shared by all members of the
organization (employees, contractors, consultants, partners, and visitors).
4. Fully articulated responsibilities for security that are unique to each role within the
organization.
14. Issue-Specific Security Policy (ISSP)
• As an organization executes various technologies and processes to support routine
operations, it must instruct employees on the proper use of these technologies and
processes.
• Issue-specific security policy, or ISSP:
(1) addresses specific areas of technology.
(2) requires frequent updates.
(3) contains a statement on the organization’s position on a specific issue.
• There are a number of approaches to creating and managing ISSPs within an organization.
• Three of the most common are:
1. Independent ISSP documents, each tailored to a specific issue.
2. A single comprehensive ISSP document covering all issues.
3. A modular ISSP document that unifies policy creation and administration, while
maintaining each specific issue’s requirements.
16. Systems-Specific Policy (SysSP)
• SysSPs function as standards or procedures to be used when configuring or maintaining
systems.
• For example, a SysSP might describe the configuration and operation of a network firewall.
• There are three types of SysSP:
1. Managerial Guidance SysSP
2. Technical Specifications SysSP
3. Combination SysSP
17. Managerial Guidance SysSPs
• A managerial guidance SysSP document is created by management to guide the
implementation and configuration of technology as well as to address the behavior of people
in the organization in ways that support the security of information.
• For example, while the method for implementing a firewall belongs in the technical
specifications SysSP, the firewall’s configuration must follow guidelines established by
management.
• An organization might not want its employees to access the Internet via the organization’s
network, for instance; in that case, the firewall should be implemented accordingly.
• Firewalls are not the only technology that may require system-specific policies. Any system
that affects the confidentiality, integrity, or availability of information must be assessed to
evaluate the trade-off between improved security and restrictions.
Technical Specifications SysSP
• A manager can work with a systems administrator to create managerial guidance.
• Similarly, the systems administrator may need to create a policy to implement the managerial
policy.
18. • Each type of equipment requires its own set of policies, which are used to translate the
management intent for the technical control into an enforceable technical approach.
• For example, an ISSP may require that user passwords be changed quarterly; a systems
administrator can implement a technical control within a specific application to enforce this
policy.
• There are two general methods of implementing such technical controls:
1. access control lists
2. configuration rules.
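As an added illustration (not part of the original slides) of turning the ISSP requirement above into an enforceable technical control, the Python below treats the quarterly password-change rule in two ways: as a configuration rule checked against a system's own setting, and as a detective check over account records that shows whether the control is actually holding. The configuration key names, account names and dates are constructed sample data, not taken from any real system.

```python
from datetime import date, timedelta

# Management intent from the ISSP: user passwords are changed at least quarterly.
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample of a system's password settings (hypothetical key names).
SYSTEM_CONFIG = {
    "max_password_age_days": 180,  # weaker than the ISSP requires
    "min_password_length": 12,
}

# Constructed sample account records: (username, date of last password change).
ACCOUNTS = [
    ("alice", date(2024, 5, 1)),
    ("bob", date(2024, 1, 10)),
    ("svc_backup", date(2023, 11, 20)),
]


def check_config_rule(config, max_age=MAX_PASSWORD_AGE_DAYS):
    """Configuration rule: the system setting must be at least as strict as policy.

    Returns a list of findings; an empty list means the setting is compliant.
    """
    findings = []
    configured = config.get("max_password_age_days")
    if configured is None:
        findings.append("max_password_age_days is not set; the policy is not enforced")
    elif configured > max_age:
        findings.append(
            f"max_password_age_days={configured} exceeds the policy maximum of {max_age}"
        )
    return findings


def stale_passwords(accounts, as_of, max_age=MAX_PASSWORD_AGE_DAYS):
    """Detective check: usernames whose password is older than policy allows on `as_of`.

    A correctly enforced configuration rule should make this list empty; a
    non-empty list is evidence that the technical control is missing or bypassed
    (for example, service accounts exempted from the system setting).
    """
    cutoff = as_of - timedelta(days=max_age)
    return sorted(user for user, changed in accounts if changed < cutoff)


if __name__ == "__main__":
    for finding in check_config_rule(SYSTEM_CONFIG):
        print("config finding:", finding)
    for user in stale_passwords(ACCOUNTS, as_of=date(2024, 6, 1)):
        print("stale password:", user)
```

The two checks answer different audit questions: the configuration rule shows whether management intent has been translated into a setting at all, while the record-level check shows whether that setting is producing the intended outcome for every account.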
Combination SysSPs
• Many organizations create a single document that combines the management guidance
SysSP and the technical specifications SysSP.
• If this approach is employed, care should be taken to clearly articulate the required actions.
• This policy is a hybrid document that combines policy with procedural guidance for the
convenience of the implementers of the system being managed.
• This approach is best used by organizations that have multiple technical control systems of
different types, and by smaller organizations that are seeking to document policy and
procedure in a compact format.
19. Policy Management
• Policies are living documents that must be managed.
• These documents must be properly disseminated (distributed, read, understood, agreed to,
and uniformly applied) and managed.
• When two companies merge but retain separate policies, the difficulty of implementing
security controls increases.
• Likewise, when one company with unified policies splits in two, each new company may
require different policies.
• To remain viable, security policies must have:
1. a responsible individual
2. a schedule of reviews
3. a method for making recommendations for reviews
4. a policy issuance and revision date.
21. Preplanning Audits
• The first step in preplanning is to ask, “What is the objective of this particular audit?”
• The objective may be compliance to a particular standard, surveillance auditing as follow-up
to determine if the staff is still adhering to their own procedures, or something that is
new.
• An excellent method for determining the scope is to start a discussion asking questions
about six key areas.
• Scope is defined as a boundary of what is included and what is not.
Some example questions and topics are given below:
1. Management: What are the business rules and objectives? Has management formally
adopted a standard to be followed? Does management require their systems to be
certified? Does executive management provide accreditation of the complete
hardware/software system before it enters production?
22. 2. Data: What data is involved? Is this customer data, engineering data, financial data? Are
there any regulations governing data restrictions, acceptable or unacceptable use?
3. Intended Usage in Their Workflow: How is this data used? What is it for? Possibly a
manual operation? Is it part of a software application? Ask for their workflow diagram.
4. Technology Platform: Is this data controlled in a computer program? In a file cabinet?
Transmitted wirelessly on cell phones?
5. Facilities: Where does the work get done? Are the main systems located here or
somewhere else? How much space is required to accommodate the staff? Where are the
customers located?
6. People Involved: Who are the people we will work with on the client side? Who are the
people on the auditee side? Using the skills matrix for reference, who is available to be on
the audit team? Do we have the appropriate technical experts available?
23. Audit Risk Assessment
• The purpose of a risk assessment is to ensure that sufficient evidence will be collected
during an audit.
• An audit risk assessment should take into account the following types of risks:
1. Inherent Risks: These are natural or built-in risks that always exist. Driving your
automobile holds the inherent risk of an automobile accident or a flat tire. Theft is an
inherent risk for items of high value.
2. Detection Risks: These are the risks that an auditor will not be able to detect what is
being sought. It would be terrible to report no negative results when material conditions
(faults) actually exist. Detection risks include sampling and nonsampling risks.
a) Sampling Risks: These are the risks that an auditor will falsely accept or erroneously
reject an audit sample (evidence).
b) Nonsampling Risks: These are the risks that an auditor will fail to detect a condition
because of not applying the appropriate procedure or using procedures inconsistent
with the audit objective (detection fault).
24. 3. Control Risks: These are the risks that an auditor could lose control, errors could be
introduced, or errors may not be corrected in a timely manner (if ever).
4. Business Risks: These are risks that are inherent in the business or industry itself. They
may be regulatory, contractual, or financial.
5. Operational Risks: These are the risks that a process or procedure will not perform
correctly.
6. Residual Risks: These are the risks that remain after all mitigation and control efforts are
performed.
7. Technological Risks: These are inherent risks of using automated technology. Systems do
fail.
8. Audit Risks: These are the combination of inherent, detection, control, and residual risks.
Will your audit be able to accurately prove or disprove the target objective? Is the audit
scope, time allotted, sponsor’s political strength, priorities, and available technical abilities
sufficient?
25. Performing the Audit
• Here one needs to make sure the appropriate staff are in place, ensure audit quality control,
define auditee communications, perform proper data collection, and review existing
controls.
• To perform the audit, one must carry out the following activities:
1. Selecting the Audit Team
2. Determining Competence and Evaluating Auditors
3. Creating a Skills Matrix
4. Using the Work of Other People
5. Ensuring Audit Quality Control
6. Establishing Contact with the Auditee
7. Making Initial Contact with the Auditee
26. Internal Controls
• Every auditor should consider two fundamental issues concerning internal control:
• Issue 1: Management is often exempt from controls.
• Issue 2: How controls are implemented determines the level of assurance.
• The basic framework of controls follows the ISACA standards. The controls are summarized here:
• General Controls (Overall)
• Pervasive Controls (Follows Technology)
• Detailed Controls (Tasks)
• Application Controls (Embedded in Programs)
• Reviewing Existing Controls
27. Audit Evidence
• Evidence will either prove or disprove a point. The absence of evidence is the absence of
proof. Despite your best efforts, if you’re unable to prove those points, you would receive
zero credit for your efforts.
• An auditor should not give any credit to claims or positive assertions that cannot be
documented by evidence. No evidence, no proof equals no credit.
• There are two primary types of evidence, according to legal definition:
• Direct Evidence.
• Indirect Evidence.
28. • Examples of the various types of audit evidence include the following:
• Documentary evidence, which can include a business record of transactions, receipts,
invoices, and logs
• Data extraction, which uses automated tools to mine details from data files
• Auditee claims, which are representations made in oral or written statements
• Analysis of plans, policies, procedures, and flowcharts
• Results of compliance and substantive audit tests
• Auditor’s observations of auditee work or re-performance of the selected process
29. Audit Testing
• Compliance Testing
Compliance testing tests for the presence or absence of something. Compliance testing
includes verifying that policies and procedures have been put in place, and checking that
user access rights, program change control procedures, and system audit logs have been
activated. An example of a compliance test is comparing the list of persons with physical
access to the datacenter against the HR list of current employees.
• Substantive Testing
Substantive testing seeks to verify the content and integrity of evidence. Substantive tests
may include complex calculations to verify account balances, perform physical inventory
counts, or execute sample transactions to verify the accuracy of supporting
documentation. Substantive tests use audit samples selected by dollar value or to project
(forecast or estimate) a total for groups with related characteristics.
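The two kinds of test described above, as an added worked example that is not part of the original slides: a compliance test that compares a badge-system export of datacenter access against the HR list of current employees (a presence/absence check), and a substantive test that selects invoices by dollar value and re-performs their arithmetic to verify the recorded totals. All names, invoice numbers and amounts are constructed sample data.

```python
from decimal import Decimal

# Constructed sample: badge-system export of people with physical datacenter access.
DATACENTER_ACCESS = {"alice", "bob", "carol", "dave"}

# Constructed sample: HR list of current employees.
HR_CURRENT_EMPLOYEES = {"alice", "bob", "carol", "erin"}

# Constructed sample invoices: line items as (quantity, unit price) and the
# total recorded in the ledger, which the substantive test must verify.
INVOICES = [
    {"id": "INV-001", "lines": [(2, "19.99"), (1, "5.00")], "recorded_total": "44.98"},
    {"id": "INV-002", "lines": [(10, "3.50")], "recorded_total": "35.00"},
    {"id": "INV-003", "lines": [(3, "100.00")], "recorded_total": "250.00"},
]


def compliance_test_physical_access(access_list, current_employees):
    """Compliance test: presence/absence only.

    Anyone on the access list who is not a current employee is a finding; the
    test says nothing about whether the current employees on the list *should*
    have access, which is a separate (access-review) question.
    """
    return sorted(access_list - current_employees)


def select_sample_by_value(invoices, threshold):
    """Sample selection by dollar value: every invoice at or above `threshold`."""
    return [inv for inv in invoices if Decimal(inv["recorded_total"]) >= Decimal(threshold)]


def substantive_test_invoice_totals(invoices):
    """Substantive test: re-perform the calculation and compare with the recorded figure.

    Decimal avoids binary floating-point rounding, which would otherwise produce
    false mismatches on amounts such as 19.99. Returns (id, recomputed, recorded)
    for every invoice whose recorded total does not match the line items.
    """
    mismatches = []
    for inv in invoices:
        recomputed = sum(
            (Decimal(qty) * Decimal(price) for qty, price in inv["lines"]),
            Decimal("0"),
        )
        recorded = Decimal(inv["recorded_total"])
        if recomputed != recorded:
            mismatches.append((inv["id"], str(recomputed), str(recorded)))
    return mismatches


if __name__ == "__main__":
    print("access without current employment:",
          compliance_test_physical_access(DATACENTER_ACCESS, HR_CURRENT_EMPLOYEES))
    sample = select_sample_by_value(INVOICES, "40.00")
    print("sampled invoices:", [inv["id"] for inv in sample])
    print("total mismatches:", substantive_test_invoice_totals(sample))
```

Note the difference in what each test produces as evidence: the compliance test yields a list of names to be explained by the auditee (a control gap), while the substantive test yields a recomputed figure that either agrees or disagrees with the record, independent of any assertion the auditee makes.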
30. Audit Findings
• Auditors have two concerns related to testing:
1. sufficiency of evidence
2. contradictory evidence
• Detecting Irregularities and Illegal Acts.
• Indicators of Illegal or Irregular Activity.
• Responding to Irregular or Illegal Activity.
• Findings Outside of Audit Scope.
• Report Findings.
31. Follow-up Activities
• After issuing a report, you are required to conduct an exit interview with management to
obtain a commitment for the recommendations made in your audit. Management is
responsible for acknowledging the recommendations and designating whatever corrective
action will be taken, including the estimated dates for the action.
• Sometimes events of concern are discovered, or occur, after an audit has been completed.
You should be concerned about the discovery of subsequent events that pose a material
challenge to your final report. Accounting standards recognize these events and classify
them as follows:
• Type 1 events refer to those that occurred before the balance sheet date.
• Type 2 events are those that occurred after the balance sheet date.
• Depending on the type of audit, you may have additional reporting requirements or
activities.
32. MU Exam Questions
May 2017
• What are the components of Enterprise Information Security Policy (EISP)? Compare with Issue
Specific Security Policy SysSP. 10 marks
• Explain what is information planning and governance. What are information policy standards?
10 marks
Dec 2017
• Explain what is information planning and governance. What are information policy standards?
10 marks
• Explain the role of the Audit Committee and how it helps the organization. What is the need of
conducting Audit? 10 marks
May 2018
• SN: Enterprise Information Security Policy (EISP). 5 marks
Dec 2018
• Explain information security policy standards. 10 marks
• SN: Security Audit process. 5 marks
33. May 2019
• Explain what is information planning and governance. What are information policy standards?
10 marks
• Explain the role of the Audit Committee and how it helps the organization. What is the need of
conducting Audit? 10 marks