Posted on 13-Sep-2014
Auditing Security and Business Continuity Management
Rob Kloots – CISA CISM CRISC,
Owner, TrustingtheCloud
Berlin, June 2012
Auditing Security and Business Continuance Management
2
Content
• 2012 Risk Landscape
• Some definitions, models & standards
• Audit & Control
– Information security governance
– Administration of user access, passwords
– Access security controls
– Remote access and third parties
– User awareness
– How to deal with an IT system crash? What to do and how to continue?
2012 Risk Landscape
PWC Global Internal Audit survey
2012: The risks ahead
Intensifying economic and financial market uncertainty
Increased regulation and changes in government policy
Data security threats and reputation
Mergers and acquisitions risks
More attention required
Importance of IA's contribution to monitoring each risk
More IA audit capacity planned
Definition of Internal Auditing
The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Definition of Business Continuity Management
BCM is defined by the British Standards Institute (BSI) as:
'an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation brand and value creating activities'.
Business Continuity is defined by the International Standards Organization as the:
"capability of the organization to continue delivery of services or products at acceptable predefined levels following disruptive incidents"*
*Source: ISO 22300 Vocabulary
Principles of ICT Continuity
Protect—Protecting the ICT environment from ...
Detect—Detecting incidents at the earliest opportunity ...
React—Reacting to an incident in the most appropriate manner ...
Recover—Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data.
Operate—Operating in disaster recovery mode until return to normal is possible may require some time and necessitate “scaling up” disaster recovery operations to support increasing business volumes that need to be serviced over time.
Return—Devising a strategy for every IT continuity plan allows an organization to migrate back from disaster recovery mode to a position in which it can support normal business.
Business Continuity within Management
BCP details
BUSINESS CONTINUITY PLANNING: 1. Project Foundation, 2. Business Assessment, 3. Strategy Selection, 4. Plan Development, 5. Testing and Maintenance
1. PROJECT FOUNDATION: Business Continuity Planning Evaluation, Plan Management, Business Impact Analysis, Recovery Strategies, Plan Development, Plan Maintenance, Plan Testing
2. BUSINESS ASSESSMENT: Risk Assessment, Information Protection (Protection, Detection, Response), Business Impact Analysis (BIA)
4. PLAN DEVELOPMENT: #1 Develop Response and Recovery Teams, #2 Develop Draft Action Plan, #3 Prioritize Action Plan Execution, #4 Document General Plan Sections, #5 Document the Technical Recovery Processes
Basic terms used in a standard
Business Continuity Management System (BCMS) – part of the overall management system that ensures business continuity is planned, implemented, maintained, and continually improved
Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption – MTPD)
Recovery Time Objective (RTO) – the pre-determined time at which an activity must be resumed, or resources must be recovered
Recovery Point Objective (RPO) – maximum data loss, i.e., minimum amount of data that needs to be restored
Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organization needs to produce after resuming its business operations
Trust Services Principles and Criteria
Security - The system is protected against unauthorized access (both physical and logical).
Availability - The system is available for operation and use as committed or agreed.
Processing Integrity - System processing is complete, accurate, timely, and authorized.
Online Privacy - Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
Confidentiality - Information designated as confidential is protected as committed or agreed.
Best Practices For IT Availability And Service Continuity Management
1) Classify systems for criticality.
2) Develop tiers of service for both availability and IT service continuity.
3) Measure availability from the end-user perspective.
4) Include availability and continuity considerations in application development and testing.
Incident timeline
BS 25777 – IT Continuity
Information Risk Component
The confidentiality, integrity and availability of information systems must be ensured to protect the business from the risks relating to information technology. An IS audit helps to identify areas where these are vulnerable or inadequately protected through systematic examination and evaluation.
Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur.
Approach to Auditing Business Continuity
The audit of business continuity can be broken into three major components:
– Validating the business continuity plan
– Scrutinizing and verifying preventive and facilitating measures for ensuring continuity
– Examining evidence about the performance of activities that can assure continuity and recovery
BIA focus
Recovery Time Objective – “Target time set for resumption of product, service or activity delivery after an incident” (BS 25999:1)
Maximum Tolerable Period of Disruption – “Duration after which an organisation’s viability will be irrevocably threatened if product and service delivery cannot be resumed” (BS 25999:1)
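As an added example (not part of the original slides), the check below shows how an auditor could test the BIA figures above against the definitions on the "Basic terms" slide and against an incident record: the plan's RTO must sit inside the MAO/MTPD, the backup interval must not exceed the RPO, and the recorded outage is compared with all three. The activity, its figures, the incident timeline and the use of a backup interval as RPO evidence are all constructed assumptions.

```python
# Added example: consistency check of BIA objectives (MAO/MTPD, RTO, RPO) against
# an incident timeline. All figures below are constructed, not taken from the deck.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Activity:
    name: str
    mao: timedelta              # Maximum Acceptable Outage (= MTPD)
    rto: timedelta              # Recovery Time Objective
    rpo: timedelta              # Recovery Point Objective (max tolerable data loss)
    backup_interval: timedelta  # assumed evidence: how often a restorable copy is taken


@dataclass
class Incident:
    started: datetime         # disruption begins
    last_good_copy: datetime  # most recent restorable backup before the disruption
    resumed: datetime         # activity delivered again at the agreed minimum level


def audit_activity(act: Activity, inc: Optional[Incident] = None) -> List[str]:
    """Return audit findings; an empty list means plan and evidence are consistent."""
    findings = []
    # Plan validation: the objectives must be achievable and correctly ordered.
    if act.rto >= act.mao:
        findings.append(f"{act.name}: RTO {act.rto} is not below MAO {act.mao}")
    if act.backup_interval > act.rpo:
        findings.append(f"{act.name}: backup interval {act.backup_interval} exceeds RPO {act.rpo}")
    # Evidence examination: compare what actually happened with the objectives.
    if inc is not None:
        downtime = inc.resumed - inc.started
        data_loss = inc.started - inc.last_good_copy
        if downtime > act.rto:
            findings.append(f"{act.name}: recovery took {downtime}, RTO is {act.rto}")
        if downtime > act.mao:
            findings.append(f"{act.name}: outage {downtime} exceeded MAO {act.mao}")
        if data_loss > act.rpo:
            findings.append(f"{act.name}: {data_loss} of data lost, RPO is {act.rpo}")
    return findings


# Constructed sample: an order-entry activity with a 4h RTO inside an 8h MAO.
ORDER_ENTRY = Activity("order entry", mao=timedelta(hours=8), rto=timedelta(hours=4),
                       rpo=timedelta(hours=1), backup_interval=timedelta(hours=1))
# Constructed incident record: outage 09:00-14:30, last good backup taken at 08:45.
OUTAGE = Incident(started=datetime(2012, 6, 1, 9, 0),
                  last_good_copy=datetime(2012, 6, 1, 8, 45),
                  resumed=datetime(2012, 6, 1, 14, 30))

if __name__ == "__main__":
    for finding in audit_activity(ORDER_ENTRY, OUTAGE):
        print("FINDING:", finding)
```

The sample incident stays within the MAO and the RPO but breaches the 4-hour RTO, which is the one finding the check reports.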
Risks related to technology
Information Assurance Structure
ISO 27001 Security
User access/pw
Access security ctls
Infosec governance
Remote access 3rd pty
User awareness
Crash and Restart
Risk and Controls
Business Continuity risk profile is prepared for each business function
Controls are set to address risk, in consultation with the support / business function
Weights are assigned to each control according to the type of control (e.g. a preventative control has the highest weight)
Type of control
Preventative
Corrective
Other entity
Example of Risk and Control
Risk: Electricity failure
Controls:
Uninterruptible power supply (UPS)
Generators
Preventive maintenance reports
Fail a Security Audit Already -- it's Good for You
Network World — Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing an audit every now and then. After all, if you're not failing any audits, there are two possible explanations:
1) You have perfect security.
2) You're not trying hard enough.
Your turn
Questions ???
Rob Kloots – CISA CISM CRISC,
Owner, TrustingtheCloud
M +32.499-374713
ISO27001 – 14. BCM
ISO27001 – 11. AC
ISO27001 – 11. ework
ISO27001 – 6. EP
ISO27001 – 8. HR
ISO27001 – 8. HR
ISO27001 – 9. PhySec
ISO27001 – 10. 3rd pty
ISO27001 – 10. Mon
ISO27001 – 13. IncMgt