Auditing Security and Business Continuity
Management
Rob Kloots – CISA CISM CRISC,
Owner, TrustingtheCloud




                           Berlin, June 2012   1
Content

• 2012 Risk Landscape
• Some definitions, models & standards
• Audit & Control
     – Information security governance
     – Administration of user access, passwords
     – Access security controls
     – Remote access and third parties
     – User awareness
     – How to deal with an IT system crash? What to do and how to continue?

Auditing Security and Business Continuance 2
2012 Risk Landscape

PWC Global Internal Audit survey 2012: The risks ahead
• Intensifying economic and financial market uncertainty
• Increased regulation and changes in government policy
• Data security threats and reputation
• Mergers and acquisitions risks
More attention required
[Slide graphic not captured in the text extraction]
Importance of IA's contribution to monitoring each risk
[Slide graphic not captured in the text extraction]
More IA audit capacity planned
[Slide graphic not captured in the text extraction]
Definition of Internal Auditing

The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Definition of Business Continuity Management

BCM is defined by the British Standards Institute (BSI) as:
'an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation brand and value creating activities'.

Business Continuity is defined by the International Standards Organization as the:
"capability of the organization to continue delivery of services or products at acceptable predefined levels following disruptive incidents"*
*Source: ISO 22300 Vocabulary
Principles of ICT Continuity

Protect—Protecting the ICT environment from ...
Detect—Detecting incidents at the earliest opportunity ...
React—Reacting to an incident in the most appropriate manner ...
Recover—Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data.
Operate—Operating in disaster recovery mode until return to normal is possible may require some time and necessitate “scaling up” disaster recovery operations to support increasing business volumes that need to be serviced over time.
Return—Devising a strategy for every IT continuity plan allows an organization to migrate back from disaster recovery mode to a position in which it can support normal business.
Business Continuity within Management
[Slide graphic not captured in the text extraction]
BCP details

BUSINESS CONTINUITY PLANNING
  1. Project Foundation
  2. Business Assessment
  3. Strategy Selection
  4. Plan Development
  5. Testing and Maintenance

1. PROJECT FOUNDATION
  Business Continuity Planning Evaluation
  Plan Management
  Business Impact Analysis
  Recovery Strategies
  Plan Development
  Plan Maintenance
  Plan Testing

2. BUSINESS ASSESSMENT
  Risk Assessment
  Information Protection
    Protection
    Detection
    Response
  Business Impact Analysis (BIA)

4. PLAN DEVELOPMENT
  #1 Develop Response and Recovery Teams
  #2 Develop Draft Action Plan
  #3 Prioritize Action Plan Execution
  #4 Document General Plan Sections
  #5 Document the Technical Recovery Processes
Basic terms used in a standard

Business Continuity Management System (BCMS) – the part of an overall management system that ensures business continuity is planned, implemented, maintained, and continually improved
Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption – MTPD)
Recovery Time Objective (RTO) – the pre-determined time at which an activity must be resumed, or resources must be recovered
Recovery Point Objective (RPO) – the maximum acceptable data loss, i.e., the minimum amount of data that must be restored
Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organization needs to produce after resuming its business operations
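The terms above are only useful to an auditor if they are consistent with each other and with the evidence: an RTO longer than the MAO/MTPD means the plan resumes the activity after the damage is already unacceptable, a backup interval longer than the RPO guarantees more data loss than tolerated, and a recovery arrangement that delivers less than the MBCO cannot support the business after resumption. The following script is an added example, not part of the slide deck, that encodes those three checks over a business-continuity register; the activity names, objective values and backup intervals are constructed sample data, and the field names are this example's own.

```python
# Added example (not from the slide deck): consistency checks over the
# BCM objectives defined above. All activity data is constructed.
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Activity:
    name: str
    mao: timedelta              # Maximum Acceptable Outage (MTPD)
    rto: timedelta              # Recovery Time Objective
    rpo: timedelta              # Recovery Point Objective, expressed as time
    backup_interval: timedelta  # observed backup frequency (audit evidence)
    mbco_pct: int               # Minimum Business Continuity Objective, % of normal
    dr_capacity_pct: int        # capacity the tested DR arrangement delivers, %


def audit_activity(a):
    """Return the findings for one activity (an empty list means no exception)."""
    findings = []
    # An RTO beyond the MAO resumes the activity only after the disruption
    # has already caused unacceptable damage.
    if a.rto > a.mao:
        findings.append(f"RTO {a.rto} exceeds MAO {a.mao}")
    # Data can only be restored to the last backup, so a backup interval
    # longer than the RPO means more data loss than the RPO tolerates.
    if a.backup_interval > a.rpo:
        findings.append(f"backup interval {a.backup_interval} exceeds RPO {a.rpo}")
    # The DR arrangement must sustain at least the MBCO after resumption.
    if a.dr_capacity_pct < a.mbco_pct:
        findings.append(f"DR capacity {a.dr_capacity_pct}% is below MBCO {a.mbco_pct}%")
    return findings


def audit_register(activities):
    """Map each activity name to its list of findings."""
    return {a.name: audit_activity(a) for a in activities}


def activities_with_findings(activities):
    """Names of activities whose objectives are inconsistent, for the report."""
    return [name for name, f in audit_register(activities).items() if f]


H = timedelta(hours=1)
M = timedelta(minutes=1)

# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    Activity("Order entry", mao=8 * H, rto=4 * H, rpo=1 * H,
             backup_interval=15 * M, mbco_pct=60, dr_capacity_pct=80),
    Activity("Payroll", mao=24 * H, rto=48 * H, rpo=24 * H,
             backup_interval=24 * H, mbco_pct=100, dr_capacity_pct=100),
    Activity("Customer portal", mao=4 * H, rto=2 * H, rpo=15 * M,
             backup_interval=4 * H, mbco_pct=50, dr_capacity_pct=30),
]

if __name__ == "__main__":
    for name, findings in audit_register(SAMPLE_REGISTER).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```

Running it flags "Payroll" (RTO of 48 hours against a 24-hour MAO) and "Customer portal" (backups every 4 hours against a 15-minute RPO, and a DR capacity below the MBCO), while "Order entry" passes. The backup interval is deliberately an observed value rather than a stated one: the RPO is a requirement, and the check is whether the evidence supports it.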
Trust Services Principles and Criteria

Security - The system is protected against unauthorized access (both physical and logical).
Availability - The system is available for operation and use as committed or agreed.
Processing Integrity - System processing is complete, accurate, timely, and authorized.
Online Privacy - Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
Confidentiality - Information designated as confidential is protected as committed or agreed.
Best Practices For IT Availability And Service Continuity Management

1) Classify systems for criticality.
2) Develop tiers of service for both availability and IT service continuity.
3) Measure availability from the end-user perspective.
4) Include availability and continuity considerations in application development and testing.
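Practices 1 to 3 fit together as one check: each system's criticality class maps to a tier of service, each tier carries both an availability target and a continuity target (an RTO), and availability is computed from synthetic end-user transactions rather than from host uptime, so a server that is "up" by its own metrics but erroring for users counts as unavailable. The script below is an added example and not part of the slide deck; the tier values, the probe records, the recovery durations and the system names are all constructed for this illustration. Practice 4 is a development-process requirement and is not represented in code.

```python
# Added example (not from the slide deck): tiers of service plus
# end-user-perspective availability measurement. All values constructed.
from datetime import datetime, timedelta

# Practices 1 and 2: criticality class -> tier of service (assumed values).
TIERS = {
    "critical":  {"availability_target": 0.999, "rto": timedelta(hours=1)},
    "important": {"availability_target": 0.99,  "rto": timedelta(hours=8)},
    "standard":  {"availability_target": 0.95,  "rto": timedelta(hours=72)},
}


def measured_availability(probes, window_start, window_end):
    """Practice 3: availability as users saw it in [window_start, window_end).

    Each probe is (timestamp, success) from a synthetic end-user transaction
    (log in, place an order, ...). Only what the user could complete counts.
    """
    in_window = [ok for ts, ok in probes if window_start <= ts < window_end]
    if not in_window:
        raise ValueError("no probes in the measurement window")
    return sum(1 for ok in in_window if ok) / len(in_window)


def assess_system(name, criticality, probes, window_start, window_end,
                  last_recovery_duration):
    """Compare one system against its tier; returns availability and findings."""
    tier = TIERS[criticality]
    avail = measured_availability(probes, window_start, window_end)
    findings = []
    if avail < tier["availability_target"]:
        findings.append(
            f"availability {avail:.4f} below tier target {tier['availability_target']}")
    # Continuity side of the tier: the most recent recovery test (or real
    # recovery) must have met the tier's RTO.
    if last_recovery_duration > tier["rto"]:
        findings.append(
            f"last recovery took {last_recovery_duration}, tier RTO is {tier['rto']}")
    return {"system": name, "tier": criticality,
            "availability": avail, "findings": findings}


WINDOW_START = datetime(2012, 6, 1)
WINDOW_END = WINDOW_START + timedelta(days=1)


def constructed_probes(failed_minutes):
    """One probe per minute across the window; the listed minutes fail (constructed)."""
    return [(WINDOW_START + timedelta(minutes=i), i not in failed_minutes)
            for i in range(24 * 60)]


def sample_assessments():
    """Three constructed systems, one per tier, assessed over the sample window."""
    systems = [
        ("Order entry", "critical", constructed_probes({100, 101}), timedelta(minutes=30)),
        ("HR system", "important", constructed_probes({5, 6, 7, 8, 9}), timedelta(hours=2)),
        ("Intranet wiki", "standard", constructed_probes(set(range(60, 80))), timedelta(hours=96)),
    ]
    return [assess_system(n, c, p, WINDOW_START, WINDOW_END, r) for n, c, p, r in systems]


if __name__ == "__main__":
    for r in sample_assessments():
        print(r["system"], f"{r['availability']:.4f}", r["findings"] or "OK")
```

With the constructed data, "Order entry" misses its 99.9% target by just two failed minutes in a day, which is the point of measuring at the user: a critical tier leaves very little room. "Intranet wiki" meets its availability target but fails the continuity half of its tier because its last recovery took 96 hours against a 72-hour RTO.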
Incident timeline
[Slide graphic not captured in the text extraction]
BS 25777 – IT Continuity
[Slide graphic not captured in the text extraction]
Information Risk Component

The confidentiality, integrity and availability of information systems must be ensured to protect the business from the risks relating to information technology. An IS audit helps to identify areas where these are vulnerable or inadequately protected through systematic examination and evaluation.
Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur.

Approach to Auditing Business Continuity
The audit of business continuity can be broken into three major components:
     – Validating the business continuity plan
     – Scrutinizing and verifying preventive and facilitating measures for ensuring continuity
     – Examining evidence about the performance of activities that can assure continuity and recovery
BIA focus

Recovery Time Objective
“Target time set for resumption of product, service or activity delivery after an incident” (BS 25999:1)

Maximum Tolerable Period of Disruption
“Duration after which an organisation’s viability will be irrevocably threatened if product and service delivery cannot be resumed” (BS 25999:1)
Risks related to technology
[Slide graphic not captured in the text extraction]
Information Assurance Structure
[Slide graphic not captured in the text extraction]
Crash and Restart

[Diagram: the audit & control topics of this talk arranged around "ISO 27001 Security" – Infosec governance, User access/pw, Access security ctls, Remote access 3rd pty, User awareness, Crash and Restart]
Risk and Controls

A Business Continuity risk profile is prepared for each business function.
Controls are set to address each risk, in consultation with the support / business function.
Weights are assigned to each control according to the type of the control (e.g. a preventative control has the highest weight).

Type of control
    Preventative
    Corrective
    Other entity
Example of Risk and Control

Risk: Electricity failure

Controls:
  Uninterruptible power supply (UPS)
  Generators
  Preventive maintenance reports
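The weighting scheme from "Risk and Controls" and the electricity-failure example above can be combined into a small audit calculation: each control is typed, each type carries a weight with preventative highest, and the auditor records whether evidence for the control was actually verified (the slide's third component, examining evidence). The script below is an added example, not part of the slide deck; the weight values, the typing of the three controls, the second sample risk and the evidence flags are assumptions made for this illustration.

```python
# Added example (not from the slide deck): weighted control coverage for a
# business-continuity risk profile. Weights, typing and evidence flags are
# assumptions for this example.
from fractions import Fraction

# Assumed weights: preventative controls count most, as the slide indicates.
WEIGHTS = {"preventative": 3, "corrective": 2, "other entity": 1}


def control(name, ctype, evidence_verified):
    """One control in the profile; ctype must be a known control type."""
    if ctype not in WEIGHTS:
        raise ValueError(f"unknown control type: {ctype}")
    return {"name": name, "type": ctype, "verified": evidence_verified}


def assess_risk(risk, controls):
    """Weighted coverage of one risk plus the findings an auditor would raise.

    Coverage = (weight of controls with verified evidence) / (weight of all
    controls set for the risk). A control whose evidence could not be
    verified is designed but not demonstrated, so it earns no credit.
    """
    total = sum(WEIGHTS[c["type"]] for c in controls)
    verified = sum(WEIGHTS[c["type"]] for c in controls if c["verified"])
    findings = []
    if not any(c["type"] == "preventative" for c in controls):
        findings.append("no preventative control set for this risk")
    findings += [f"no evidence verified for '{c['name']}'"
                 for c in controls if not c["verified"]]
    coverage = Fraction(verified, total) if total else Fraction(0)
    return {"risk": risk, "coverage": coverage, "findings": findings}


def assess_profile(profile):
    """Assess every risk in a business function's risk profile, in order."""
    return [assess_risk(risk, controls) for risk, controls in profile.items()]


# Constructed risk profile for one business function. The missing generator
# load-test report and the second risk are invented for the example.
SAMPLE_PROFILE = {
    "Electricity failure": [
        control("Uninterruptible power supply (UPS)", "preventative", True),
        control("Generators", "corrective", False),
        control("Preventive maintenance reports", "other entity", True),
    ],
    "Loss of key supplier": [
        control("Contractual continuity clause", "other entity", True),
    ],
}

if __name__ == "__main__":
    for r in assess_profile(SAMPLE_PROFILE):
        print(f"{r['risk']}: coverage {r['coverage']}, findings {r['findings']}")
```

For "Electricity failure" the verified weight is 3 + 1 out of a total of 6, so coverage is 2/3 with one finding about the unverified generators. "Loss of key supplier" scores full coverage yet still produces a finding, because a profile with no preventative control only ever reacts to the risk; the coverage figure alone would hide that.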
Fail a Security Audit Already -- it's Good for You

Network World — Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing an audit every now and then. After all, if you're not failing any audits there are two possible explanations:

1) You have perfect security.
2) You're not trying hard enough.
Your turn

Questions ???

Rob Kloots – CISA CISM CRISC,
Owner, TrustingtheCloud
E rob.kloots@trustingthecloud.eu
M +32.499-374713
Appendix slides (graphics not captured in the text extraction):
ISO27001 – 14. BCM
ISO27001 – 11. AC
ISO27001 – 11. ework
ISO27001 – 6. EP
ISO27001 – 8. HR
ISO27001 – 8. HR
ISO27001 – 9. PhySec
ISO27001 – 10. 3rd pty
ISO27001 – 10. Mon
ISO27001 – 13. IncMgt

More Related Content

What's hot

Business Continuity Management In The Erm Framework February 2010
Business Continuity Management In The Erm Framework   February 2010Business Continuity Management In The Erm Framework   February 2010
Business Continuity Management In The Erm Framework February 2010Eneni Oduwole
 
Business Continuity Management Culture at NCBC
 Business Continuity Management Culture at NCBC Business Continuity Management Culture at NCBC
Business Continuity Management Culture at NCBCContinuity and Resilience
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business ValueHyTrust
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security BaselineBarry Caplin
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistIvan Piskunov
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62AlliedConSapCourses
 
BCM Institute MTE Richard Stuart - IPS Securex: Journey to be Resilient
BCM Institute MTE Richard Stuart - IPS Securex: Journey to be ResilientBCM Institute MTE Richard Stuart - IPS Securex: Journey to be Resilient
BCM Institute MTE Richard Stuart - IPS Securex: Journey to be ResilientBCM Institute
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity AssessmentClaude Baudoin
 
Societal Security – the new standard ISO 22301 for Business Continuity Manage...
Societal Security – the new standard ISO 22301 for Business Continuity Manage...Societal Security – the new standard ISO 22301 for Business Continuity Manage...
Societal Security – the new standard ISO 22301 for Business Continuity Manage...Global Risk Forum GRFDavos
 
Information systems control and audit ~ Lecture # 2
Information systems control and audit ~ Lecture # 2Information systems control and audit ~ Lecture # 2
Information systems control and audit ~ Lecture # 2FCA Vikram S Mathur
 
Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)Rudi Kurniawan
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMShantanu Rai
 
Is awareness government
Is awareness governmentIs awareness government
Is awareness governmentHamisi Kibonde
 
ISO 22301 Business Continuity Management
ISO 22301 Business Continuity ManagementISO 22301 Business Continuity Management
ISO 22301 Business Continuity ManagementRamiro Cid
 
How the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementHow the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementLars Neupart
 
SMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMSMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMIvanti
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTGaffri Johnson
 
Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Apoorva Ajmani
 

What's hot (20)

Business Continuity Management In The Erm Framework February 2010
Business Continuity Management In The Erm Framework   February 2010Business Continuity Management In The Erm Framework   February 2010
Business Continuity Management In The Erm Framework February 2010
 
Business Continuity Management Culture at NCBC
 Business Continuity Management Culture at NCBC Business Continuity Management Culture at NCBC
Business Continuity Management Culture at NCBC
 
G12: Implementation to Business Value
G12: Implementation to Business ValueG12: Implementation to Business Value
G12: Implementation to Business Value
 
Use of the COBIT Security Baseline
Use of the COBIT Security BaselineUse of the COBIT Security Baseline
Use of the COBIT Security Baseline
 
ISO 27001 (v2013) Checklist
ISO 27001 (v2013) ChecklistISO 27001 (v2013) Checklist
ISO 27001 (v2013) Checklist
 
D1 security and risk management v1.62
D1 security and risk management  v1.62D1 security and risk management  v1.62
D1 security and risk management v1.62
 
BCM Institute MTE Richard Stuart - IPS Securex: Journey to be Resilient
BCM Institute MTE Richard Stuart - IPS Securex: Journey to be ResilientBCM Institute MTE Richard Stuart - IPS Securex: Journey to be Resilient
BCM Institute MTE Richard Stuart - IPS Securex: Journey to be Resilient
 
Security Maturity Assessment
Security Maturity AssessmentSecurity Maturity Assessment
Security Maturity Assessment
 
Societal Security – the new standard ISO 22301 for Business Continuity Manage...
Societal Security – the new standard ISO 22301 for Business Continuity Manage...Societal Security – the new standard ISO 22301 for Business Continuity Manage...
Societal Security – the new standard ISO 22301 for Business Continuity Manage...
 
Information systems control and audit ~ Lecture # 2
Information systems control and audit ~ Lecture # 2Information systems control and audit ~ Lecture # 2
Information systems control and audit ~ Lecture # 2
 
Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)Cobit 5 (Control and Audit Information System)
Cobit 5 (Control and Audit Information System)
 
Presentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCMPresentation on iso 27001-2013, Internal Auditing and BCM
Presentation on iso 27001-2013, Internal Auditing and BCM
 
Is awareness government
Is awareness governmentIs awareness government
Is awareness government
 
BSI 100-30
BSI 100-30BSI 100-30
BSI 100-30
 
ISO 22301 Business Continuity Management
ISO 22301 Business Continuity ManagementISO 22301 Business Continuity Management
ISO 22301 Business Continuity Management
 
Security policy
Security policySecurity policy
Security policy
 
How the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk ManagementHow the the 2013 update of ISO 27001 Impacts your Risk Management
How the the 2013 update of ISO 27001 Impacts your Risk Management
 
SMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSMSMB270: Security Essentials for ITSM
SMB270: Security Essentials for ITSM
 
ISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENTISO 27001 ISMS MEASUREMENT
ISO 27001 ISMS MEASUREMENT
 
Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206Enterprise Information Security Architecture_Paper_1206
Enterprise Information Security Architecture_Paper_1206
 

Similar to Rob kloots auditingforscyandbcm

Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & complianceVandana Verma
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security ManagementMark Conway
 
Understanding the Roles and Responsibilities of ISMS Auditor.docx
Understanding the Roles and Responsibilities of ISMS Auditor.docxUnderstanding the Roles and Responsibilities of ISMS Auditor.docx
Understanding the Roles and Responsibilities of ISMS Auditor.docxINTERCERT
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance  at CloudSec 2015 Kuala LumpurCybersecurity Assurance  at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala LumpurAlan Yau Ti Dun
 
Cyber crime with privention
Cyber crime with privention Cyber crime with privention
Cyber crime with privention Manish Dixit Ceh
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationSyed Azher
 
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...PECB
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIskcon Ahmedabad
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirementshumanus2
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management WorkshopStacy Willis
 
10 Security Essentials Every CxO Should Know
10 Security Essentials Every CxO Should Know10 Security Essentials Every CxO Should Know
10 Security Essentials Every CxO Should KnowIBM Security
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxInfosectrain3
 
Assocham conf grc sept 13
Assocham conf  grc  sept 13Assocham conf  grc  sept 13
Assocham conf grc sept 13subramanian K
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...Eneni Oduwole
 

Similar to Rob kloots auditingforscyandbcm (20)

Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 
Security audits & compliance
Security audits & complianceSecurity audits & compliance
Security audits & compliance
 
A to Z of Information Security Management
A to Z of Information Security ManagementA to Z of Information Security Management
A to Z of Information Security Management
 
Understanding the Roles and Responsibilities of ISMS Auditor.docx
Understanding the Roles and Responsibilities of ISMS Auditor.docxUnderstanding the Roles and Responsibilities of ISMS Auditor.docx
Understanding the Roles and Responsibilities of ISMS Auditor.docx
 
Qatar Proposal
Qatar ProposalQatar Proposal
Qatar Proposal
 
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance  at CloudSec 2015 Kuala LumpurCybersecurity Assurance  at CloudSec 2015 Kuala Lumpur
Cybersecurity Assurance at CloudSec 2015 Kuala Lumpur
 
Cyber crime with privention
Cyber crime with privention Cyber crime with privention
Cyber crime with privention
 
Why ISO 27001 for an Organisation
Why ISO 27001 for an OrganisationWhy ISO 27001 for an Organisation
Why ISO 27001 for an Organisation
 
Iso 27001 awareness
Iso 27001 awarenessIso 27001 awareness
Iso 27001 awareness
 
Presentation1.pptx
Presentation1.pptxPresentation1.pptx
Presentation1.pptx
 
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
Nagios Conference 2013 - Jorge Higueros - Trust Management in Monitoring Fina...
 
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
ISO/IEC 27001 and ISO 22301 - How to ensure business survival against cyber a...
 
Iso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consultingIso 27001 2005- by netpeckers consulting
Iso 27001 2005- by netpeckers consulting
 
ISMS Requirements
ISMS RequirementsISMS Requirements
ISMS Requirements
 
2016 Risk Management Workshop
2016 Risk Management Workshop2016 Risk Management Workshop
2016 Risk Management Workshop
 
10 Security Essentials Every CxO Should Know
10 Security Essentials Every CxO Should Know10 Security Essentials Every CxO Should Know
10 Security Essentials Every CxO Should Know
 
CompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptxCompTIA CySA Domain 5 Compliance and Assessment.pptx
CompTIA CySA Domain 5 Compliance and Assessment.pptx
 
Assocham conf grc sept 13
Assocham conf  grc  sept 13Assocham conf  grc  sept 13
Assocham conf grc sept 13
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
 
Mahalakshmi_Profile
Mahalakshmi_ProfileMahalakshmi_Profile
Mahalakshmi_Profile
 

More from Robert Kloots

Cyber object types and controls.pdf
Cyber object types and controls.pdfCyber object types and controls.pdf
Cyber object types and controls.pdfRobert Kloots
 
Cyber Security Management.pdf
Cyber Security Management.pdfCyber Security Management.pdf
Cyber Security Management.pdfRobert Kloots
 
Rob kloots auditoutsourcedit
Rob kloots auditoutsourceditRob kloots auditoutsourcedit
Rob kloots auditoutsourceditRobert Kloots
 
Rob kloots presentation_issa_spain
Rob kloots presentation_issa_spainRob kloots presentation_issa_spain
Rob kloots presentation_issa_spainRobert Kloots
 
Metrics, Risk Management & DLP
Metrics, Risk Management & DLPMetrics, Risk Management & DLP
Metrics, Risk Management & DLPRobert Kloots
 

More from Robert Kloots (6)

Cyber object types and controls.pdf
Cyber object types and controls.pdfCyber object types and controls.pdf
Cyber object types and controls.pdf
 
Cyber Security Management.pdf
Cyber Security Management.pdfCyber Security Management.pdf
Cyber Security Management.pdf
 
Rob kloots auditoutsourcedit
Rob kloots auditoutsourceditRob kloots auditoutsourcedit
Rob kloots auditoutsourcedit
 
Csa dlp
Csa dlpCsa dlp
Csa dlp
 
Rob kloots presentation_issa_spain
Rob kloots presentation_issa_spainRob kloots presentation_issa_spain
Rob kloots presentation_issa_spain
 
Metrics, Risk Management & DLP
Metrics, Risk Management & DLPMetrics, Risk Management & DLP
Metrics, Risk Management & DLP
 

Rob kloots auditingforscyandbcm

  • 1. Auditing Security and Business Continuity Management Rob Kloots – CISA CISM CRISC, Owner, TrustingtheCloud Berlin, June 2012 1
  • 2. Content • 2012 Risk Landscape • Some definitions, models & standards • Audit & Control – Information security governance – Administration of user access, passwords – Access security controls – Remote access and third parties – User awareness – How to deal with an IT system crash? What to do and how to continue? Auditing Security and Business Continuance 2
  • 3. 2012 Risk Landscape PWC Global Internal Audit survey 2012: The risks ahead Intensifying economic and financial market uncertainty Increased regulation and changes in government policy Data security threats and reputation Mergers and acquisitions risks Auditing Security and Business Continuance 3
  • 4. More attention required Auditing Security and Business Continuance 4
  • 5. Importance of IA's contribution to monitoring each risk Auditing Security and Business Continuance 5
  • 6. More IA audit capacity planned Auditing Security and Business Continuance 6
  • 7. Definition of Internal Auditing The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing. Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. Auditing Security and Business Continuance 7
  • 8. Definition of Business Continuity Management BCM is defined by the British Standards Institute (BSI) as: 'an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation brand and value creating activities'. Business Continuity is defined by the International Standards Organization as the: "capability of the organization to continue delivery of services or products at acceptable predefined levels following disruptive incidents"* *Source ISO 22300 Vocabulary Auditing Security and Business Continuance 8
  • 9. Principles of ICT Continuity Protect—Protecting the ICT environment from ... Detect—Detecting incidents at the earliest opportunity ... React—Reacting to an incident in the most appropriate manner ... Recover—Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data. Operate—Operating in disaster recovery mode until return to normal is possible may require some time and necessitate “scaling up” disaster recovery operations to support increasing business volumes that need to be serviced over time. Return—Devising a strategy for every IT continuity plan allows an organization to migrate back from disaster recovery mode to a position in which it can support normal business. Auditing Security and Business Continuance 9
  • 10. Business Continuity within Management Auditing Security and Business Continuance 10
  • 11. BCP details BUSINESS CONTINUITY 2. BUSINESS ASSESSMENT PLANNING Risk Assessment 1. Project Foundation Information Protection 2. Business Assessment Protection 3. Strategy Selection Detection 4. Plan Development Response 5. Testing and Maintenance Business Impact Analysis (BIA) 1. PROJECT FOUNDATION 4. PLAN DEVELOPMENT Business Continuity Planning #1-Develop Response and Recovery Evaluation Teams Plan Management #2-Develop Draft Action Plan Business Impact Analysis #3-Prioritize Action Plan Execution Recovery Strategies #4-Document General Plan Sections Plan Development #5-Document the Technical Recovery Plan Maintenance Processes Plan Testing Auditing Security and Business Continuance 11
  • 12. Basic terms used in a standard Business Continuity Management System (BCMS) – part of an overall management system that takes care business continuity is planned, implemented, maintained, and continually improved Maximum Acceptable Outage (MAO) – the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption – MTPD) Recovery Time Objective (RTO) – the pre-determined time at which an activity must be resumed, or resources must be recovered Recovery Point Objective (RPO) – maximum data loss, i.e., minimum amount of data that needs to be restored Minimum Business Continuity Objective (MBCO) – the minimum level of services or products an organization needs to produce after resuming its business operations Auditing Security and Business Continuance 12
  • 13. Trust Services Principles and Criteria Security - The system is protected against unauthorized access (both physical and logical). Availability - The system is available for operation and use as committed or agreed. Processing Integrity - System processing is complete, accurate, timely, and authorized. Online Privacy - Personal information obtained as a result of e- commerce is collected, used, disclosed, and retained as committed or agreed. Confidentiality - Information designated as confidential is protected as committed or agreed. Auditing Security and Business Continuance 13
  • 14. Best Practices For IT Availability And Service Continuity Management 1) Classify systems for criticality. 2) Develop tiers of service for both availability and IT service continuity. 3) Measure availability from the end-user perspective. 4) Include availability and continuity considerations in application development and testing. Auditing Security and Business Continuance 14
• 15. Incident timeline
• 16. BS25777 – IT Continuity
• 17. Information Risk Component
  The confidentiality, integrity and availability of information systems must be ensured to protect the business from the risks relating to information technology. An IS audit helps to identify areas where these are vulnerable or inadequately protected through systematic examination and evaluation.
  Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur.
  Approach to Auditing Business Continuity
  The audit of business continuity can be broken into three major components:
  – Validating the business continuity plan
  – Scrutinizing and verifying preventive and facilitating measures for ensuring continuity
  – Examining evidence about the performance of activities that can assure continuity and recovery
• 18. BIA focus
  – Recovery Time Objective: “Target time set for resumption of product, service or activity delivery after an incident” (BS 25999:1)
  – Maximum Tolerable Period of Disruption: “Duration after which an organisation’s viability will be irrevocably threatened if product and service delivery cannot be resumed” (BS 25999:1)
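The BCMS terms from slide 12 and the BIA targets from slide 18 give an auditor something checkable: the RTO must sit below the MTPD, the backup interval must not exceed the RPO, and an RTO needs test evidence. The following is an added example (not from these slides or from BS 25999) that runs those checks over a constructed sample BIA; the activity names, values and the `backup_interval` / `tested_recovery` evidence fields are assumptions.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Dict, List, Optional


@dataclass
class Activity:
    """One business activity with its BIA targets (constructed sample data)."""
    name: str
    mtpd: timedelta                 # Maximum Tolerable Period of Disruption (also MAO)
    rto: timedelta                  # Recovery Time Objective
    rpo: timedelta                  # Recovery Point Objective: tolerable data loss, as time
    backup_interval: timedelta      # how often a restorable copy is taken (assumed evidence field)
    tested_recovery: Optional[timedelta]  # recovery time measured in the last test, None if never tested


def audit_activity(a: Activity) -> List[str]:
    """Return audit findings for one activity; an empty list means the targets are consistent."""
    findings: List[str] = []
    # Resuming exactly at the MTPD already threatens viability, so the RTO must sit strictly below it.
    if a.rto >= a.mtpd:
        findings.append(f"{a.name}: RTO {a.rto} is not below MTPD {a.mtpd}")
    # Data loss is bounded by the copy interval; a copy taken less often than the RPO cannot meet it.
    if a.backup_interval > a.rpo:
        findings.append(f"{a.name}: backup interval {a.backup_interval} exceeds RPO {a.rpo}")
    # An RTO without test evidence is a statement of intent, not assurance.
    if a.tested_recovery is None:
        findings.append(f"{a.name}: recovery never tested, RTO is unevidenced")
    elif a.tested_recovery > a.rto:
        findings.append(f"{a.name}: last tested recovery {a.tested_recovery} exceeded RTO {a.rto}")
    return findings


def audit_bia(activities: List[Activity]) -> Dict[str, List[str]]:
    """Audit every activity in a BIA and return findings keyed by activity name."""
    return {a.name: audit_activity(a) for a in activities}


# Constructed sample BIA (not real organisational data).
SAMPLE_BIA = [
    Activity("Order processing", mtpd=timedelta(hours=24), rto=timedelta(hours=4),
             rpo=timedelta(hours=1), backup_interval=timedelta(minutes=15),
             tested_recovery=timedelta(hours=3)),
    Activity("Payroll", mtpd=timedelta(hours=8), rto=timedelta(hours=8),
             rpo=timedelta(hours=4), backup_interval=timedelta(hours=24),
             tested_recovery=None),
]

if __name__ == "__main__":
    for name, findings in audit_bia(SAMPLE_BIA).items():
        print(name, "->", findings or ["no findings"])
```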
• 19. Risks related to technology
• 20. Information Assurance Structure
• 21. Crash and Restart (diagram)
  – ISO 27001 Security
  – Infosec governance
  – User access/pw
  – Access security ctls
  – Remote access 3rd pty
  – User awareness
  – Crash and Restart
• 22. Risk and Controls
  – A Business Continuity risk profile is prepared for each business function
  – Controls are set to address risk, in consultation with the support / business function
  – Weights are assigned to each control according to the type of the control (e.g. a preventative control has the highest weight)
  – Type of control: Preventative; Corrective; Other entity
• 23. Example of Risk and Control
  Risk: Electricity failure
  Controls:
  – Uninterruptible power supply (UPS)
  – Generators
  – Preventive maintenance reports
• 24. Fail a Security Audit Already -- it's Good for You
  Network World — Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies.
  In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing an audit every now and then. After all, if you're not failing any audits there are two possible explanations:
  1) You have perfect security.
  2) You're not trying hard enough.
• 25. Your turn – Questions ???
  Rob Kloots – CISA CISM CRISC, Owner, TrustingtheCloud
  E rob.kloots@trustingthecloud.eu
  M +32.499-374713
• 26. ISO27001 – 14. BCM
• 27. ISO27001 – 11. AC
• 28. ISO27001 – 11. ework
• 29. ISO27001 – 6. EP
• 30. ISO27001 – 8. HR
• 31. ISO27001 – 8. HR
• 32. ISO27001 – 9. PhySec
• 33. ISO27001 – 10. 3rd pty
• 34. ISO27001 – 10. Mon
• 35. ISO27001 – 13. IncMgt