pentest auditing standards 09 2012-mdp - copy

7/23/2019 Pentest Auditing Standards 09 2012-Mdp - Copy

http://slidepdf.com/reader/full/pentest-auditing-standards-09-2012-mdp-copy 1/10

PLUS

A

u

d

&

S

t

a

n

d

Page 48 http://pentestmag.com09/2012(9)

We conduct business with our partnersfrom anywhere around the globe thanksto digital communication networks.

This article is focused on helping you understandthe fundamental elements that an IT security gov-ernance program should have in place. I’ll also ex-pound a bit and include some of the governancesupporting functions to help illustrate how IT se-curity governance would be integrated within yourcorporate IT security department. As with any endeavor in this life, our risk expo-

sure potential increases exponentially with our in-crease in these activities. Not that taking risks isbad or that increasing our potential exposure is anegative thing, on the contrary! We increase ouropportunities and potential by taking risks. Thebest approach is one that is well informed and withour eyes wide open.

The Internet was conceived with the intention ofmaking communications and transactions easier;mission accomplished. To many people, the Inter-net and Internetworking appear to be totally openwithout controls and without consequences. It is

as if the world no longer had countries, borders, orboundaries in place to enforce a local set of stan-dards for its citizens.

The reality is quite different. Our networks, evenDarknets, are all built on systems of control. They

The Security TrifectaIT Security Governance Demystified

Let’s begin with one simple undisputable fact about information

security; we are all in the same boat! Information security must

evolve just as information security challenges or threats evolve.

Cyberspace criminals are becoming more organized, more educated,

and more brazen in their pursuits. Once our market place consisted

of what were predominately localized transactions and interactions.

Now everything has changed.

all have boundaries. We have the ability to enforcethese controls between a state of no control andtotal control. We establish control to eliminate risksand to facilitate opportunities.

When considering risks, these come in the formof human conduct and technological malfunctions.The technological facet consists entirely of tech-nological applications that break down for somereason or that is out of our control and ability topredict.

The human element is by far the most dynamicbut also the easiest to predict. There are some fun-damental attributes to consider when you examinethis challenge.

Just like we see in American police shows wherethe criminals have the means, the motive, and theopportunity (MMO) of the individual.

For example, cyber-criminals are increasinglysponsored by governments or criminal organiza-tions now. Under this situation, criminals are pro-vided with the resources, or means, they needto wage cyber-attacks against some externalentity.

Where once the motives of hackers was notori-ety, now they are more for profit, hacktivism andespionage. Cyber-crime and Cyber-espionage hasbecome a business and no longer a novelty pursuitfor the technologically talented.



A

u

d

&

S

t

a

n

d


Let’s review these common motivatorsEspionage

This has become a state supported and a corpo-ration supported practice without visible repercus-sions or penalties. Intellectual property is stolen bycompanies devastating business value. Govern-ments destroy critical infrastructure or subvert thesovereignty of other nations.

Financial GainThe theft of human identities and financial datahas led to epic economic damage. Our trust in fi-nancial organizations, security practitioners, secu-

rity products and security services is in questionwith good reason.

HacktivismThe more random element is in hacktivism. Thereare some really great cases where exposing thetruth brings positive changes to the world. Wehave also seen instances that more resemble an-archy than the more noble cause.

The Security Trifecta

There is a way forward to a successful cyber de-fense. At a high level, it is crucial we apply a threephased approach through governance, technologi-cal enforcement, and vigilance to security. I’ve re-ferred to this approach as The Security Trifecta inmy books and publications to raise awareness ona sustainable and fundamental process to reducecyber threats to your organizations.

• Governance: We set standards through gov-ernance. Rules, laws, processes, and proce-

dures set the framework for our success.• Technology: We enforce our governance

through technological controls.• Vigilance: We test; we rene; and we monitor

our cyber defense programs vigilantly alwaysworking to maintain our edge.

Without order, we have disorder; the opportunityfor these events to occur increases exponentiallywith the complexity of our technology systems, net-works, and applications we implement. This con-

dition is exacerbated when the same systems fun-damental underpinnings are not maintained ade-quately. New threats are being discovered regular-ly and new countermeasures are keeping pace; butonly if we maintain these countermeasures.

So what exactly are some of the challenges weare faced with as security practitioners? Only untilvery recently, information security was consideredby most to be just a niche profession or technologi-cal process. This scenario has changed complete-ly in just the past ten years.

Information security had been the realm of ChiefNo Way Officers and other security technologistswho only offered barriers to business. The reality isthat information security must be transformed intoa business enabler instead of the business inhibi-tor it has the reputation be being. What do we needto do within our organizations to change this nega-tive situation and turn it into something with posi-tive business value?

We get there when we enable business by elim-inating risks to business. We get there by elimi-nating the threats to the line of business. As se-curity practitioners, we must be creative and agilein our professions to identify opportunities for im-proving the overall security posture we are dili-gently striving for. We must also understand thelanguage of our customers regardless if they areoutside of the company or employees of our com-pany. They have a job just like we have a job todo and when we take the time to understand that,when we take the time to listen effectively, we putourselves into a position to do the most good andto be more effective at removing those business

barriers. Only when we achieve success in thisspace will we be able to move forward and ad-vance our information security mission.

The very heart and soul of The Security Trifectaare three distinct facets we will explore together.Figure 1. Security Trifecta Scheme



PLUS

A

u

d

&

S

t

a

n

d


Those three well defined pragmatic steps I men-tioned earlier are Governance, Technology, and

Vigilance. Without order, we have disorder right?How do we begin implementing order from thetechnological chaos many of our corporate infra-structures are made of?

Top Down GovernanceThrough Governance activities which is the writtenword, the law, or policies and procedures! Informa-tion technology and security policies hold a specialplace within the enterprise. Just like our techno-logical implementations have risen to importance

supporting the majority of our business process-es today, the obvious need for standards, policies,and controls has become obvious.

It might seem that the definition you use to de-scribe the particular governance document doesnot really matter, but you would be mistaken. Whilegenerically referring to all governance documentsas policies is fine, the actual textual descriptionsare very important. The reason for this need forspecificity hinges primarily on regulatory taxono-my. Policies will be viewed as concrete directives

whereas standards are more transitive. You muststrike a balance between maximizing security, riskmanagement, and meeting regulatory require-ments, while minimizing business impact.

External Regulations within the context of thispublication refer to any external legislative man-date, regulatory obligation, and industry require-ment facing the organization. Examples are Sar-

banes-Oxley (SOX), Payment Card IndustriesData Security Standard (PCI DSS), Federal In-

formation Security Management Act (FISMA), UKData Protection Act, or the Data Protection Act (In-dia) are just a few examples of the plethora of reg-ulations potentially facing your organization.

The most prudent first step in determining whichexternal regulations are applicable to your orga-nization would be to consult the General Counselif your company has one or consult with an attor-ney who specializes in Federal and Internationalcyberspace law. There is inner-state, intra-state,federal, international, cross-border, and specific

country laws and regulations to adhere to. Keepyour facts straight to prevent any unwanted conse-quences from occurring.

The Corporate Charter for information technologyand security serves as the capstone document forthe Information Security Program. The Informationsecurity charter defines how the organization ap-proaches security and if a governance frameworkwill define the trajectory of the complete set of infor-mation technology and security governance docu-ments. This of course sets the foundation for the

technical controls, monitoring, testing, and ongoingpace for the entire security program.

Choose wisely and ensure that whatever frame-work you select, it is comprehensive. There are logi-cally seven overarching topical areas applicable toInformation Security. First, there is the asset identifi-cation and classification category, second, the assetprotection category, third, the asset managementcategory, fourth, the acceptable use category, fifth,the vulnerability assessment and management cat-egory, sixth, the threat assessment and monitoringcategory, and finally, the security awareness catego-ry. Corporate Policies are specifically used to estab-lish the holistic requirements and guiding principleused to set direction in an organization. They canbe a course of action to guide and influence deci-sions. Policies should be used as a guide to decisionmaking under a given set of circumstances withinthe framework of objectives, goals and managementphilosophies as determined by senior management.

An example of this would be that your comprehen-sive information technology and security programinclude the holistic set of controls covering asset

identification and classification, asset protection,asset monitoring, asset management, acceptableuse, vulnerability assessment and management,threat assessment and monitoring, and securityawareness.Figure 2. External Regulations hierarchy



A

u

d

&

S

t

a

n

d


Corporate Standards are specifically used to de-fine some of the overarching specifics mandated

by the higher-level policies. They are used to es-tablish normal operations or requirements as theyapply toward technology-based systems. Informa-tion Security standards provide more measurableguidance in each policy area. They establish uni-form engineering or technical criteria, methods,processes and practices. A standard may alsobe used as a controlling artifact or similar formalmeans used to establish evidence of review ac-tivities, governance expectations, compliance re-quirements, and other regulating activities included

in your information technology and security gover-nance program. An example of a standard wouldbe defining the encryption cipher strength permit-ted for corporate business applications as definedby the encryption standard.

Corporate Procedures or guidelines are specifi-cally used to articulate in great detail the steps, con-figuration specifics, and production requirementsnecessary in the designated usage of corporateinformation assets and business applications. In-formation Security procedures describe how to im-

plement the standards. An example would be thatemployees should not cite or reference clients, part-ners or suppliers without their approval. When youdo make a reference, where possible, link back tothe source as required by the companies SocialComputing Guidelines governance document.

With the explosion of a plethora of technologicalpermutations touching every aspect of our life andbusiness activities driving this change, so too mustthe bedrock of our governance activities remainagile as well. Without order, we have disorder.Rules must be established so boundaries remaindefined. The rules of the road were established tokeep us safe so that we arrive alive.

Other facets of our lives have rules in force thathelp increase efficiency, decrease risk potentials,increase accountability and protect the innocent.The logical conclusion from a technological stand-point is that governance activities are vital to oursuccess.

The single biggest problem facing corporate in-formation security can be directly traced back tothe lack of well-defined corporate information tech-

nology and security governance documents. Thisis in part what I wrote about in my recent book,Governance Documentation and IT Security Poli-cies Demystified . It establishes the baseline for ev-erything we are trying to do.

At the very top of the governance structure youmust set the pace for everything else that follows.

With the Internet, we are all members of interna-tional organizations. Think like an international or-ganization and begin with an international standardsuch as the ISO 27001 and ISO 27002 informationsecurity standards.

The key to a successful security program beginswith the top of the organization and works its waydown to the entry-level employees. This top downapproach ensures your success. For example, if theCEO of the company refused to abide by the pass-word policy the company established, why would

anyone expect the entire organization to abide bythe rules? Senior leadership must set the tone forthe company and set the example. There should beno room for compromise. The alternative is a break-down of command and control leading toward vul-nerabilities, risks, and potential company damagethat might not be repairable. The same approachis equally effective when we are working with the

Figure 3. Informations Security Program Charter



PLUS

A

u

d

&

S

t

a

n

d

2 http://pentestmag.com09/2012(9)

organizations governance documentation. Theremust be a logical hierarchical framework distilled

from the distinctive facets of technology implement-ed, its usage, and its management (Figure 3).

We all know by now that our security efforts willgenerally fail without the support of senior man-agement. The same top down principle applies toour governance documentation and program. Atthe very top level, we need to set the tone for ev-erything that follows. A corporate IT security char-ter and IT security policy accomplishes this need.From there we make the decision to model ourstandards after a particular security framework or

standard. What I’m going to share with you rightnow is a deeper dive into the distinct facets of aholistically applied governance program.

Asset Identification and Classification

The Asset Identification and Classification categorythat defines company objectives for establishing spe-cific standards on the identification, classification, andlabeling of company information assets (Figure 4).

You must know where you are going in order toget there efficiently. You need to discover what

your critical assets are, what their value is, andhow to rank their priority for protection before youdo anything else.

For example, confidentiality classifications areimportant so that information is not improperlyhandled. You may have company information and

intellectual property that would be restricted ac-cess, or confidential access, or internal use only,

and even publicly available information classifica-tions. By determining up front what your informa-tion classifications are, you will get a better idea onwhat protective measures are required.

We all like names don’t we? Once you have de-cided how to classify something, make sure a la-bel of some form is attached to it. This might be aphysical tag or it might be an electronic tag. In ei-ther situation, it provides a mechanism to manageyour business assets through the use of technol-ogy or process.

Consider date integrity for a moment. When shar-ing information or transmitting information whichcould be in the form of a business transaction orsimple file transfer to another person. How do youensure that your data is not corrupted or tamperedwith by another person? There are encryption andother data tampering protective technologies avail-able today to help with integrity.

Let’s consider data availability . Information isuseless if it is not accessible to the people it is in-tended for. When you ranked the importance of

your information assets, you decided how criticalit is to make it available. Maybe something is so

Figure 4. Asset Indentification and Classification Standard Figure 5. Asset Protection Standard



A

u

d

&

S

t

a

n

d


valuable that you cannot afford to have it offline foran extended period of time. These factors will go

into your decisions.

Asset ProtectionThe Asset Protection category defines the companyobjectives for establishing specific standards on theprotection of the confidentiality, integrity, and avail-ability of company information assets I just men-tioned (Figure 5). There are several asset protec-tion facets to consider. For example, access controlstandards provide specific instructions and require-ments for the proper identification, authentication,

and authorization controls necessary to accesscompany information assets. Both physical accessand electronic access must be considered. Whenprotecting electronic assets, encryption is a neces-sity. An encryption standard will provide specific in-structions and requirements for the encryption ofsensitive information assets to your enterprise. Di-saster recovery and business continuity standardswill be used to define how the availability and in-tegrity facets of the asset protection needs of yourorganization are defined. Anti-virus and malware

protective standards will all help to define the stan-dard you intend on utilizing to again, protect thosevaluable corporate assets. Part of asset protectioninvolves implementing the controls over your infor-mation classification and labeling exercise with in-formation handling standards. All of these controlsI’ve mentioned require oversight and testing so es-

tablishing our auditing control standards over ourasset protection efforts is essential.

Asset ManagementThe Asset Management category defines compa-ny objectives for establishing specific standardsfor the management of the networks, systems, andapplications that store, process and transmit com-pany information assets (Figure 6).

We are now looking at a whole batch of activi-ties revolving around controlling configurations ofthe technology controls you have implemented al-ready. The enemy to operational stability and in-

formation security is effectively changed. Not thatchange is a bad thing, quite the contrary, but wemust be aware of the challenges it brings so thatchange is managed effectively.

Change will most often be associated with soft-ware or system development life cycles. Considerthe implications for a moment. If you develop soft-ware or deploy new technology, it all introducesnew benefits and new challenges.

We all know by now that not updating softwaremight benefit operational stability, but we also

know that software bugs and security vulnerabil-ities are discovered that negatively affect opera-tional stability. During your risk assessment, youidentified business assets and placed a value onthem. You could take annualized loss expectan-cy, otherwise known as ALE, and place a tangiblecost to doing something about it or doing nothingabout it. Maybe your solution comes in the form ofa compensating control instead. The second stepis identifying risks to your identified business as-sets and making an educated guess at what thelikelihood that event will actually occur in a yearand how often that event will occur again.

These have so far all been enterprise level stan-dards that you control.

Acceptable UseThe Acceptable Use category defines company ob-

jectives for establishing specific standards on ap-propriate business use of the company informationand telecommunications systems and equipment.

The acceptable use category is all about what ourend users have control over. Certain usage activi-

ties such as Internet traffic, email usage, telecom-munications, social computing, and software usageall play a part in The Security Trifecta (Figure 7). A user has the choice to behave inappropriate-

ly while using the company’s technology assets.Figure 6. Asset Protection chart



PLUS

A

u

d

&

S

t

a

n

d


An employee does not have a choice in how com-plex their password is because you have estab-

lished an unbending standard defined in yourasset management activities. Do you see the dis-tinction?

When misconduct occurs, you need employeesto know how to report it and to do so without beingconcerned about management reprisal.

Vulnerability Assessment andManagementThe Vulnerability Assessment and Managementcategory defines the company objectives for es-

tablishing specific standards for the assessmentand ongoing management of vulnerabilities.When I refer to vulnerability assessment and man-agement, I am talking about the actual task of as-sessing security risks and the actual managementof those risks (Figure 8).

Security vulnerabilities continue to emerge on aregular basis and if we are not vigilant in the iden-tification, remediation, and even compensation ofthose risks, we increase the risk to our enterprisenot to mention the people who depend on our work

whether they realize it or not.

Threat Assessment and MonitoringThe Threat Assessment and Monitoring categorydefines company objectives for establishing vigi-lant standards for the assessment and ongoingmonitoring of threats to company information as-

sets (Figure 9). The latest buzzword in the busi-ness is threat modeling which is really just a fancy

term for placing a value on our business assetsand making determinations about potential threatsto that intellectual property or business asset.

Remember, security and governance are costcenters to the business, not profit centers, so thetraditional return on investment ROI models do notwork properly when making your case for funding.You need to speak to other business leaders, es-pecially the ones approving your budget, in a busi-ness language. I’ve seen many formulas to calcu-late what we need to spend on security controls

and the only one that makes sense to me and tothe CFO is a simple thing called ALE or AnnualizedLoss Expectancy. This is something learned byMBA and accounting students alike. The very firstthing you should be doing is placing a monetaryvalue on that business asset you are charged withprotecting. Other executives, such as the CFO,would be the best person for this information.

To provide hopefully a brief explanation of how itis calculated, there are two factors that comprisethe ALE. They are the Single Loss Expectancy

(SLE), which is the percentage of the asset youare attempting to protect that would be lost in asingle exposure, and the Annualized Rate of Oc-

currence (ARO), which is the frequency the lossevent occurs in a year. Those two factors multi-plied together give you’re the ALE (ALE = SLE *

ARO) (Figure 10).

Figure 7. Acceplable Use Standard Figure 8. Vulnerability Assessment & Management Standard



A

u

d

&

S

t

a

n

d


For example, suppose than a business asset isvalued at $200,000 and the single cost of exposure

is $50,000. Your SLE is now defined as $50,000right? How many times in a year do we expect thisexposure event to occur in a year? If we expect anexposure to occur once every year, then ARO is100% whereas if we think there is a 50/50 shot, our ARO is now 50% right?

Once you have these numbers, some simplemath will enable you to make a stronger businesscase for security initiatives because you will bespeaking the language of business and not tech-nology which goes a long way in the board room.

Now that you have identified and placed a valueon your business assets, you must monitor yourcontrols effectiveness. In the realm of monitoring,consolidation and centralization of your commandand control will help you master your domain.

Security AwarenessThe Security Awareness category defines Com-pany objectives for establishing a formal Security Awareness Program, and specific standards for theeducation and communication of the Information

Security Program Charter and associated policies,standards, guidelines, and procedures (Figure 11).

The final task you have in the governance do-main of The Security Trifecta is security aware-

ness. When I talk about awareness, the essenceis really about educating your users of the busi-ness technology and resources on the rules youhave implemented.

Here is a question for you; do you have todaya security awareness policy? Now, do you havethird party relationships with vendors, auditors, orguests who in some way utilize your business tech-nology or assets? Last question, does your secu-rity awareness campaign extend beyond the com-pany’s employees to these third parties? Chances

are you have these third party relationships andyou must be bringing awareness to these peopleabout your expectations for their usage.

To put it another way, in my home, when some-one visits me, they are required to remove theirshoes before entering my home. I do this not tobe a pain, but to keep the dirt and grime they haveaccumulated on their shoes outside from makingmy home dirty. I look at my IT security policies thesame way. Why should I allow your computers vi-ruses and other malware into my corporate house?

If you have disk encryption, security software, andare properly patched, I’ll let your computer join my

Figure 9. Threat Assessment & Monitoring Standard

Figure 10. Annualized Loss Expectancy Formula

Figure 11. Security Awarness Standard



PLUS

A

u

d

&

S

t

a

n

d


network. Make sure that your awareness cam-paigns include new hires, ongoing employee, and

third party users.

Technological ApplicationNow that we have the foundation of our informa-tion security program built upon the governanceframework we have constructed, what next? Howdo we enforce these rules effectively? With tech-nology and technological controls that enforce ourgovernance program of course!

Within the technological environments of any or-ganization, some facets of technology are hard-

coded and enforcement of those business rules isunbending. In other instances, employees or oth-er individuals using those systems have a degreeof latitude to make decisions on the usage of thatparticular technological permutation.

If you think that absolute security exists you wouldbe absolutely incorrect. The reality is that securityis a process of risk identification, mitigation andvigilance. It is incumbent upon both the securityprofessional and the supporting leadership to firstidentify what must be protected in order of priority.

Next we mitigate or otherwise offset the risks byusing technological tools and procedural changesthat are institutionalized. And finally, we apply vigi-lance to keep ahead of the threats that exist. Vigi-lance involves personal education in any form, beit formal or self-guided, and the discipline to carrythrough the charter we pledge to adhere to as se-curity professionals. Security is a process; it is anintegral part of our business. Just like any busi-ness process, security must be updated, tweakedand tuned. The consequences of not adhering tothis philosophy are potentially catastrophic. Manyorganizations and security professionals are run-ning on borrowed time. I’m not prophesying thatthere is no hope for security. Quite the contrary!What I am suggesting is that a healthy dose of re-ality be introduced into the mixture. We must un-derstand that mitigating risks are more importantthan mitigating fear with a false sense of security.

The key is to implement governance standardsthat are holistic enough to establish the organiza-tions command-and-control while remaining agileenough to adapt to the natural progression of tech-

nological permutations. You will want to avoid beingtoo restrictive and too specific because this will in-troduce unnecessary loopholes which will be takenadvantage of by employees and third party’s alike.

You must find the point of technological equilib-

rium that balances the maximum level of informa-tion security without negatively impacting the core

business processes that you are protecting. Secu-rity should not be a barrier to business, but an en-abler to business.

VigilanceNow that we have the governance structure insti-tuted and the technological controls implemented tomaintain our utopia, what is next? Are we at the placewhere we get to congratulate ourselves and take along vacation? Sorry, as security leaders, I don’t fore-see a long vacation in your horizon which brings me

to the Vigilance part of The Security Trifecta.The reality is that nothing works very well with-

out teamwork. Controls and standards break downwithout careful tending just like weeds take over ourgardens without vigilance. We must regularly re-view our security standards validating their relevan-cy and we will remain agile to adapt to the changingbusiness landscape putting into practice carefullyconsidered revisions to our ongoing security pro-gram. We must always strive to be active, not reac-tive in our pursuit of information security excellence.

There is nothing perfect in this world that peo-ple have made or accomplished. That being said,it is incumbent upon us to monitor, test and im-prove our creations. Information is your friend andthe more information you collect, the better under-standing you will have of what you are protecting.

Now that we know a lot about out systems, it is agood time to help others understand how they af-fect them through awareness education activities.When we help others understand why we do thethings we do and they see the relationship to howthey do their work, most of them will begin to in-crease their support for you and your mission.

ConclusionBeing technologists, we all understand that weshare the same common challenges that face ev-ery other company. Security threats are only tem-pered by putting into practice The Security Trifecta.This approach applies to everyone with few devia-tions. The foundation to our successful IT securityprograms are built with a holistic approach towardgovernance. Every facet of our governance pro-

gram must be reviewed on a regular basis in orderto maintain its relevancy to the organizations.

Security threats will never go away and the chal-lenge bubble will only get bigger until we eitherproactively or reactively adapt to it. Our world is


http://slidepdf.com/reader/full/pentest-auditing-standards-09-2012-mdp-copy 10/1009/2012(9)

MICHAEL D. PETERS

Michael D. Peters has been an inde-

pendent information security con-

sultant, executive, researcher, au-

thor, and catalyst with many years

of information technology and busi-

ness leadership experience. He has

been referred to as the “Michelan-

gelo of Security”. Michael’s current and previous execu-

tive positions include Chief Security Officer, Chief Infor-

mation Security Officer and advising Chief Information

Officer. From a credential perspective, Michael holds

an Executive Juris Doctor in Cyberspace Law; a certified

MBA in IT Management, undergraduate degree in IT Se-

curity, CISSP, CRISC, CISM, CCE, CMBA, SCSA and he is

an ISSA Hall of Fame recipient. In the realm of thought

leadership, Michael is the author of “Securing the C Lev-

el”, “Governance Documentation and Information Tech-

nology Security Policies Demystified”, “The Security Tri-

fecta” and thousands of blogging, tweeting, social me-

dia networking and professional network syndication

and industry feature publications. He has contribut-

ed significantly towards curriculum development as ad-

junct professor for graduate degree information secu-

rity, advanced technology, cyberspace law, and priva-

cy programs and toward industry standard profession-

al certifications.

globally connected and increasingly interactive

through technology. I challenge security and busi-ness leadership alike to join together at the sametable and leverage each other’s strengths for thecollective good. No more myth propagation, nomore corner cutting for the sake of expediency ormarginal gain, no more discounting the importanceof security to business and individuals alike.

Feel free to connect with me in our common pro-fessional networks. I’d welcome sharing ideas withyou on increasing the effectiveness of IT securitygovernance.

Closing Comment

I’ve mentioned many IT securitygovernance policies in this article.You may already have these ratifiedbut in the event that you do not, acomprehensive suite of governancedocuments are available in mybook Governance Documentationand Information Technology Securi-ty Policies Demystified which will putyour organization on the fast track.

16th INTERNATIONAL SECURITY AND RFID EXHIBITION16th INTERNATIONAL FIRE,EMERGENCY RESCUE EXHIBITION

SMART HOUSES AND BUILDING AUTOMATION EXHIBITION

OCCUPATIONAL SAFETY AND HEALTH EXHIBITION

INFORMATION, DATA AND NETWORK SECURITY EXHIBITION

The Most Comprehensive Exhibitionof the Fastest Growing Sectors of recent years

in the Center of Eurasia

SEPTEMBER 20th - 23rd, 2012 IFM ISTANBUL EXPO CENTER (IDTM)

THIS EXHIBITION IS ORGANIZED WITH THE PERMISSIONS OF T.O.B.B.

IN ACCORDANCE WITH THE LAW NUMBER 5174.

http://www.isaffuari.com/










































pentest auditing standards 09 2012-mdp - copy

Documents