Role of Compliance in Security Audits


Agenda:
  • Information Security Compliance
  • Memory Techniques for quick revision / recall
Information Security Compliance

The Road Ahead:
  • Need for Compliance
  • The Five R's for IS Compliance
  • ISO 27001 : An Introduction
  • Steps for ISMS Implementation
  • Common Myths on ISO 27001
Information Security and Compliance Relationship
The Five R's of IS Compliance
  • Reputation
      • Protecting the business from the impact of a security breach
  • Regulation
      • Complying with multiple regulations
      • Developing a common security and audit framework
  • Revenue
      • Protecting corporate intellectual property / trade secrets
  • Resilience
      • Ensuring continuity of critical business processes during a disaster
  • Recession Proofing
      • Reduces spend to counter economic pressures, e.g. GRC tools
ISO 27001 : Overview
• ISO 27001 defines best practices for information security management

• A management system should balance physical, technical, procedural, and personnel security

• Without a formal Information Security Management System, there is a greater risk of your security being breached

• Information security is a management process, NOT a technological process
ISO 27001 : Family of Standards
 • ISO 27000 – Principles and vocabulary
 • ISO 27001 – ISMS requirements
 • ISO 27002 – ISO/ IEC 17799:2005 (from 2007 onwards)
 • ISO 27003 – ISMS Implementation guidelines
 • ISO 27004 – ISMS Metrics and measurement
 • ISO 27005 – ISMS Risk Management
 • ISO 27006 – 27010 – allocation for future use
PDCA Cycle: Steps for ISMS Implementation
  [figure: cyclic diagram of the four PDCA stages, numbered 1 to 4]
Steps for ISMS Implementation
1. Obtain management support
2. Treat as a project
3. Define the scope
4. Write an ISMS Policy
5. Define the Risk Assessment methodology
6. Perform the risk assessment & risk treatment
7. Write the Statement of Applicability
8. Write the Risk Treatment Plan
9. Define how to measure the effectiveness of controls
10. Implement the controls & mandatory procedures
11. Implement training and awareness programs
12. Operate the ISMS
13. Monitor the ISMS
14. Internal audit
15. Management review
16. Corrective and preventive actions
Common Myths about ISO 27001
"The standard requires..."

"We'll let the IT department handle it"

"We'll implement it in a few months"

"This standard is all about documentation"

"The only benefit of the standard is for marketing purposes"
Memory Techniques for Quick Revision
  The fun part of learning :)
Memory Techniques

The Road Ahead:
  • Mnemonics
  • Sentence Aid
  • Workflow Diagrams
  • Colour Coding Differentiation
Mnemonics
  • Abbreviated character strings that serve as an easy memory aid

How to operate?
Take the first letter of each point and arrange the letters in a "useful" order.

Best Practices:
  • For a long mnemonic string, group it into chunks of 2 or 3 letters for quick recall

  • If the mnemonic comes to resemble a DISTINCT entity or person, associate that entity with the mnemonic for lasting impact.
Mnemonics
Examples:

Process Workflow (Plan – Do – Check – Act)
Mnemonic: PDCA

Memory Aid:
Imagine "Pen Drive" of CA
  • (CA = Certifying Authority)
Mnemonics (contd.)
Examples:

COBIT Domains:
a) Plan and Organize
b) Acquire and Implement
c) Deliver and Support
d) Monitor and Evaluate

Mnemonic: PADM

Memory Aid: (Imagine PADM Shri Award)
Sentence Aid
A memory-recall technique for easily recalling long mnemonic strings "in order".

Advantage:
Used especially when the mnemonic string is quite long (>= 5 points).
Helpful for easy recall.
  Example:
  Mnemonic for OWASP Top 10 is: ICBI CS IF I U
Sentence Aid
Prerequisites:
Sentence Aid MUST be: an expression making a visual impact on your memory.
Always design a Sentence Aid which is:

a) Mnemonic-workflow oriented (to maintain serial order)
b) Bound to a strong event in your memory
c) A natural progression
d) Written with capital letters indicating the actual points of the mnemonic.
EXAMPLE:
Sentence Aid
OWASP Top 10 Mnemonic : ICBI CS IF I U
  • Injection
  • Cross Site Scripting (XSS)
  • Broken Authentication and Session Mgmt
  • Insecure Direct Object References
  • Cross Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards

Sentence Aid: ICBI Counter Strike If Fails, Informs U.
Sentence Aid
Example:
OSI Layer Model
  Layer 1:   Physical layer
  Layer 2:   Data link layer
  Layer 3:   Network layer
  Layer 4:   Transport layer
  Layer 5:   Session layer
  Layer 6:   Presentation layer
  Layer 7:   Application layer


 Sentence Aid:
   Please Do Not Take Sales Person’s Advice
Workflow Diagrams
  • These figures/diagrams give the directive flow of the process

The advantage is that they can summarize vast information in an appealing view.

We can readily grasp the "gist" of the process workflow.

  Workflow Types are:
    • Flowcharts
    • Hierarchy Diagrams (Pyramids, Topology figures)
    • Data Flow Diagrams (DFDs)
    • Cyclic Processes
Workflow Type : Flowcharts
  [figure: flowchart of the Risk Assessment Process]
Workflow Type : Hierarchy Figures
  [figure not reproduced in this transcript]
Workflow Type : Cyclic Process
  [figure not reproduced in this transcript]
Color Coding Differentiation
  • This technique takes advantage of the fact that we remember figures better when they are filled with different background colors.

  • Using the same color for related fields helps us distinguish entities of the same genre.
Color Coding Differentiation
EXAMPLE:
  [colour-coded figure not reproduced in this transcript]

Mnemonic:
SOA ACP HSC IB
Sentence Aid:
Develop a SOA for ACP to help him pass HSC exam for IB entrance.
Quotes:
Imagination is more important than knowledge. For knowledge is limited, whereas
imagination embraces the entire world, stimulating progress, giving birth to evolution. It is,
strictly speaking, a real factor in scientific research.

--Albert Einstein



But in reality, without knowledge, imagination cannot be developed.
-- Wikipedia (on Imagination), after the Einstein quote.
Precautions
Study the subject matter thoroughly before venturing into memorizing techniques.

Know WHAT YOUR ABBREVIATION stands for rather than keeping only the mnemonic in mind.

Memory techniques are only an AID. They are NOT a SUBSTITUTE for comprehensive study.

They are best utilized AFTER comprehensive study, for REVISION.
THANK YOU !!

Presented By: Manasdeep

- Questions ?

More Related Content

Viewers also liked

Perpetual Information Security - Driving Data Protection in an Evolving Compl...
Perpetual Information Security - Driving Data Protection in an Evolving Compl...Perpetual Information Security - Driving Data Protection in an Evolving Compl...
Perpetual Information Security - Driving Data Protection in an Evolving Compl...SafeNet
 
Information Security in a Compliance World
Information Security in a Compliance WorldInformation Security in a Compliance World
Information Security in a Compliance WorldEvan Francen
 
Operational security | How to design your information security GRC (governanc...
Operational security | How to design your information security GRC (governanc...Operational security | How to design your information security GRC (governanc...
Operational security | How to design your information security GRC (governanc...Maxime CARPENTIER
 
Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......
Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......
Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......centralohioissa
 
The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0theonassiokas
 
IT Career Opportunities
IT Career OpportunitiesIT Career Opportunities
IT Career Opportunitiessamsontamwaiho
 
Splunk guide for_iso_27002
Splunk guide for_iso_27002Splunk guide for_iso_27002
Splunk guide for_iso_27002Greg Hanchin
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...centralohioissa
 
Roles of Information Security Officers in State Government
Roles of Information Security Officers in State GovernmentRoles of Information Security Officers in State Government
Roles of Information Security Officers in State GovernmentDavid Sweigert
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)samsontamwaiho
 
Iso 27000 it management systems presentation peter greenham iigi fwr group i...
Iso 27000 it management systems  presentation peter greenham iigi fwr group i...Iso 27000 it management systems  presentation peter greenham iigi fwr group i...
Iso 27000 it management systems presentation peter greenham iigi fwr group i...IndependentCertificationServices
 

Viewers also liked (12)

Perpetual Information Security - Driving Data Protection in an Evolving Compl...
Perpetual Information Security - Driving Data Protection in an Evolving Compl...Perpetual Information Security - Driving Data Protection in an Evolving Compl...
Perpetual Information Security - Driving Data Protection in an Evolving Compl...
 
Information Security in a Compliance World
Information Security in a Compliance WorldInformation Security in a Compliance World
Information Security in a Compliance World
 
Operational security | How to design your information security GRC (governanc...
Operational security | How to design your information security GRC (governanc...Operational security | How to design your information security GRC (governanc...
Operational security | How to design your information security GRC (governanc...
 
Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......
Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......
Robert Brzezinski - Office 365 Security & Compliance: Cloudy Collaboration......
 
The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0The Business Of Identity, Access And Security V1.0
The Business Of Identity, Access And Security V1.0
 
IT Career Opportunities
IT Career OpportunitiesIT Career Opportunities
IT Career Opportunities
 
Splunk guide for_iso_27002
Splunk guide for_iso_27002Splunk guide for_iso_27002
Splunk guide for_iso_27002
 
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
Jason Harrell - Compliance and Security: Building a Cybersecurity Risk Manage...
 
Roles of Information Security Officers in State Government
Roles of Information Security Officers in State GovernmentRoles of Information Security Officers in State Government
Roles of Information Security Officers in State Government
 
Iso27001 Isaca Seminar (23 May 08)
Iso27001  Isaca Seminar (23 May 08)Iso27001  Isaca Seminar (23 May 08)
Iso27001 Isaca Seminar (23 May 08)
 
Popular Pitfalls In Isms Compliance
Popular Pitfalls In Isms CompliancePopular Pitfalls In Isms Compliance
Popular Pitfalls In Isms Compliance
 
Iso 27000 it management systems presentation peter greenham iigi fwr group i...
Iso 27000 it management systems  presentation peter greenham iigi fwr group i...Iso 27000 it management systems  presentation peter greenham iigi fwr group i...
Iso 27000 it management systems presentation peter greenham iigi fwr group i...
 

Similar to Role of compliance in security audits

2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class TenFRSecure
 
Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Trainingpivotalsecurity
 
EVAIN Artificial intelligence and semantic annotation: are you serious about it?
EVAIN Artificial intelligence and semantic annotation: are you serious about it?EVAIN Artificial intelligence and semantic annotation: are you serious about it?
EVAIN Artificial intelligence and semantic annotation: are you serious about it?FIAT/IFTA
 
Tech essentials for Product managers
Tech essentials for Product managersTech essentials for Product managers
Tech essentials for Product managersNitin T Bhat
 
Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Amazon Web Services
 
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
Slide Deck – Class Session 1 – FRSecure CISSP Mentor ProgramSlide Deck – Class Session 1 – FRSecure CISSP Mentor Program
Slide Deck – Class Session 1 – FRSecure CISSP Mentor ProgramFRSecure
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009Security Ninja
 
The 7 quests of resilient software design
The 7 quests of resilient software designThe 7 quests of resilient software design
The 7 quests of resilient software designUwe Friedrichsen
 
Its Not You Its Me MSSP Couples Counseling
Its Not You Its Me   MSSP Couples CounselingIts Not You Its Me   MSSP Couples Counseling
Its Not You Its Me MSSP Couples CounselingAtif Ghauri
 
Evolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsEvolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsDinis Cruz
 
PMI-ACP Exam Prep Course Preview
PMI-ACP Exam Prep Course PreviewPMI-ACP Exam Prep Course Preview
PMI-ACP Exam Prep Course PreviewInvensis Learning
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...SeniorStoryteller
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Deliverydevopsdaysaustin
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecurityTao Xie
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!Steven Carlson
 

Similar to Role of compliance in security audits (20)

2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten2019 FRSecure CISSP Mentor Program: Class Ten
2019 FRSecure CISSP Mentor Program: Class Ten
 
Secure Application Development Training
Secure Application Development TrainingSecure Application Development Training
Secure Application Development Training
 
EVAIN Artificial intelligence and semantic annotation: are you serious about it?
EVAIN Artificial intelligence and semantic annotation: are you serious about it?EVAIN Artificial intelligence and semantic annotation: are you serious about it?
EVAIN Artificial intelligence and semantic annotation: are you serious about it?
 
Tech essentials for Product managers
Tech essentials for Product managersTech essentials for Product managers
Tech essentials for Product managers
 
Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017Incident Response in the Cloud - SID319 - re:Invent 2017
Incident Response in the Cloud - SID319 - re:Invent 2017
 
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
Slide Deck – Class Session 1 – FRSecure CISSP Mentor ProgramSlide Deck – Class Session 1 – FRSecure CISSP Mentor Program
Slide Deck – Class Session 1 – FRSecure CISSP Mentor Program
 
The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009The Principles of Secure Development - BSides Las Vegas 2009
The Principles of Secure Development - BSides Las Vegas 2009
 
The 7 quests of resilient software design
The 7 quests of resilient software designThe 7 quests of resilient software design
The 7 quests of resilient software design
 
Constraints for Process Framing in Augmented BPM
Constraints for Process Framing in Augmented BPMConstraints for Process Framing in Augmented BPM
Constraints for Process Framing in Augmented BPM
 
Its Not You Its Me MSSP Couples Counseling
Its Not You Its Me   MSSP Couples CounselingIts Not You Its Me   MSSP Couples Counseling
Its Not You Its Me MSSP Couples Counseling
 
Evolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIsEvolving challenges for modern enterprise architectures in the age of APIs
Evolving challenges for modern enterprise architectures in the age of APIs
 
PMI-ACP Exam Prep Course Preview
PMI-ACP Exam Prep Course PreviewPMI-ACP Exam Prep Course Preview
PMI-ACP Exam Prep Course Preview
 
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting LeftDevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
DevSecCon Asia 2017 Shannon Lietz: Security is Shifting Left
 
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
Culture Hacker: How to Herd CATTs and Inspire Rebels to Change the World! - S...
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Data mining applications
Data mining applicationsData mining applications
Data mining applications
 
2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery2016 - Safely Removing the Last Roadblock to Continuous Delivery
2016 - Safely Removing the Last Roadblock to Continuous Delivery
 
Lean Security
Lean SecurityLean Security
Lean Security
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
Threat Modeling All Day!
Threat Modeling All Day!Threat Modeling All Day!
Threat Modeling All Day!
 

More from n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

More from n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Slack Application Development 101 Slides

Role of compliance in security audits

Steps for ISMS Implementation
1. Obtain management support
2. Treat as a project
3. Define the scope
4. Write an ISMS Policy
5. Define the Risk Assessment methodology
6. Perform the risk assessment & risk treatment
7. Write the Statement of Applicability
8. Write the Risk Treatment Plan
9. Define how to measure the effectiveness of controls
10. Implement the controls & mandatory procedures
11. Implement training and awareness programs
12. Operate the ISMS
13. Monitor the ISMS
14. Internal audit
15. Management review
16. Corrective and preventive actions
Common Myths about ISO 27001
• "The standard requires..."
• "We'll let the IT department handle it"
• "We'll implement it in a few months"
• "This standard is all about documentation"
• "The only benefit of the standard is for marketing purposes"

Memory Techniques for Quick Revision
The fun part of learning
Memory Techniques
The Road Ahead:
  • Mnemonics
  • Sentence Aid
  • Workflow Diagrams
  • Colour Coding Differentiation

Mnemonics
• Abbreviated character strings used as an easy memory aid.
How to build one: take the first letter of each point and arrange the letters in a "useful" order.
Best Practices:
  • For a long mnemonic string, group it into chunks of 2 or 3 letters for quick recall.
  • If the mnemonic comes to resemble a DISTINCT entity or person, associate that entity with the mnemonic for a lasting impression.
Mnemonics: Examples
Process Workflow (Plan – Do – Check – Act)
  Mnemonic: PDCA
  Memory Aid: imagine the "Pen Drive" of a CA (CA = Certifying Authority)

Mnemonics (contd.)
COBIT Domains:
  a) Plan and Organize
  b) Acquire and Implement
  c) Deliver and Support
  d) Monitor and Evaluate
  Mnemonic: PADM
  Memory Aid: imagine the PADM Shri (Padma Shri) award
Sentence Aid
A memory-recall technique for easily recalling long mnemonic strings "in order".
Advantage: used especially when the mnemonic string is long (>= 5 points); helpful for easy recall.
Example: the mnemonic for the OWASP Top 10 is ICBI CS IF I U.

Sentence Aid: Prerequisites
A sentence aid MUST be an expression that makes a visual impact on your memory.
Always design a sentence aid which is:
  a) Mnemonic-workflow oriented (to maintain serial order)
  b) Bound to a strong event in your memory
  c) A natural progression
  d) Written so that its capital letters mark the actual points of the mnemonic
EXAMPLE: Sentence Aid
OWASP Top 10 (the 2010 edition of the list)
Mnemonic: ICBI CS IF I U
  ICBI      • Injection
            • Cross Site Scripting (XSS)
            • Broken Authentication and Session Management
            • Insecure Direct Object References
  Counter   • Cross Site Request Forgery (CSRF)
  Strike    • Security Misconfiguration
  If        • Insecure Cryptographic Storage
  Fails     • Failure to Restrict URL Access
  Informs   • Insufficient Transport Layer Protection
  U         • Unvalidated Redirects and Forwards
Sentence Aid: ICBI Counter Strike If Fails, Informs U.

Sentence Aid Example: OSI Layer Model
  Layer 1: Physical layer
  Layer 2: Data link layer
  Layer 3: Network layer
  Layer 4: Transport layer
  Layer 5: Session layer
  Layer 6: Presentation layer
  Layer 7: Application layer
Sentence Aid: Please Do Not Take Sales Person's Advice
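The two rules the mnemonic and sentence-aid slides describe (first letter of each point, in order, optionally chunked for recall; and a sentence aid whose capital letters reproduce that mnemonic in the same order) are mechanical enough to check. The following is an added example, not code from the deck or its author: the item lists are copied from the OWASP Top 10 (2010) and OSI slides, the function and constant names are my own, and the last call shows the failure mode the prerequisites slide warns about (an extra capitalised word silently adds a point).

```python
"""Mnemonic builder and sentence-aid checker.

Added example, not from the original deck. The item lists are those shown
on the slides; function and constant names are my own choice.
"""
import re

# Lists as they appear on the slides (OWASP Top 10, 2010 edition; OSI layers).
OWASP_TOP_10_2010 = [
    "Injection",
    "Cross Site Scripting (XSS)",
    "Broken Authentication and Session Management",
    "Insecure Direct Object References",
    "Cross Site Request Forgery (CSRF)",
    "Security Misconfiguration",
    "Insecure Cryptographic Storage",
    "Failure to Restrict URL Access",
    "Insufficient Transport Layer Protection",
    "Unvalidated Redirects and Forwards",
]
OSI_LAYERS = [
    "Physical layer",
    "Data link layer",
    "Network layer",
    "Transport layer",
    "Session layer",
    "Presentation layer",
    "Application layer",
]


def mnemonic(items):
    """First letter of each point, upper-cased, in list order."""
    return "".join(item.strip()[0].upper() for item in items)


def chunked(mnemonic_str, size=3):
    """Group a long mnemonic into chunks of `size` letters for quicker recall."""
    return " ".join(mnemonic_str[i:i + size]
                    for i in range(0, len(mnemonic_str), size))


def capitals(sentence):
    """Capital letters of a sentence aid, in order; these are the recall points."""
    return "".join(re.findall(r"[A-Z]", sentence))


def check_sentence_aid(items, sentence):
    """Verify that a sentence aid reproduces the mnemonic of `items` in order.

    Returns (ok, expected, found). A mismatch means the sentence has a
    missing, extra or out-of-order capital and would mislead during recall.
    """
    expected = mnemonic(items)
    found = capitals(sentence)
    return expected == found, expected, found


if __name__ == "__main__":
    print(chunked(mnemonic(OWASP_TOP_10_2010), 4))  # ICBI CSIF IU
    print(check_sentence_aid(OWASP_TOP_10_2010,
                             "ICBI Counter Strike If Fails, Informs U."))
    print(check_sentence_aid(OSI_LAYERS,
                             "Please Do Not Take Sales Person's Advice"))
    # An extra capitalised word breaks the aid: the check reports the mismatch.
    print(check_sentence_aid(OSI_LAYERS,
                             "Please Do Not Take Sales Person's Advice Today"))
```

The checker deliberately reads every capital letter rather than word initials, which is what makes "ICBI" count as four points and "Counter Strike" as two, exactly as the slide maps them.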
Workflow Diagrams
• These figures/diagrams give the directive flow of a process.
• Advantage: they summarize a large amount of information in an appealing view, so the "gist" of the process workflow can be grasped readily.
• Workflow types:
  • Flowcharts
  • Hierarchy Diagrams (pyramids, topology figures)
  • Data Flow Diagrams (DFDs)
  • Cyclic Processes

Workflow Type: Flowcharts (figure: Risk Assessment Process)
Workflow Type: Hierarchy Figures (figure)
Workflow Type: Cyclic Process (figure)
Color Coding Differentiation
• This technique takes advantage of the fact that we remember figures better when they are filled with different background colors.
• Using the same color for related fields helps us distinguish entities of the same genre.

Color Coding Differentiation: EXAMPLE
  Mnemonic: SOA ACP HSC IB
  Sentence Aid: Develop a SOA for ACP to help him pass HSC exam for IB entrance.
Quotes
"Imagination is more important than knowledge. For knowledge is limited, whereas imagination embraces the entire world, stimulating progress, giving birth to evolution. It is, strictly speaking, a real factor in scientific research." -- Albert Einstein
"But in reality, without knowledge, imagination can not be developed." -- Wikipedia (on Imagination), after the Einstein quote
Precautions
• Study the subject matter thoroughly before venturing into memorizing techniques.
• Know WHAT YOUR ABBREVIATION stands for rather than keeping only the mnemonic in mind.
• Memory techniques are only an AID. They are NOT a SUBSTITUTE for comprehensive study.
• They are best used AFTER comprehensive study, for REVISION.
THANK YOU !!
Presented By: Manasdeep