information security audits certification
play

Information security audits & certification Security in - PowerPoint PPT Presentation

Oct 05, 2023 •555 likes •1.26k views

Information security audits & certification Security in Organizations 2011 Eric Verheul 1 Literature Main literature for this lecture: 1. NOREA beroepsregels http://www.norea.nl/Norea/Thema's/Gedrags-

  1. Information security audits & certification Security in Organizations 2011 Eric Verheul 1

  2. Literature Main literature for this lecture: 1. NOREA beroepsregels http://www.norea.nl/Norea/Thema's/Gedrags- +en+beroepsregels/Richtlijn+Assurance-opdrachten 2. TTP.NL schema (http://www.ecp.nl/sites/default/files/TTP- NL_Scheme_version_8.1_final__June_2010_.pdf ) Variants on ISO 2700* 3. Common Criteria part 1 (http://standards.iso.org/ittf/PubliclyAvailableStandards/c050 341_ISO_IEC_15408-1_2009.zip ) 2

  3. Assignment #5 • Assignment #3 is on Blackboard • It uses VMWARE image. This is available: • Through Klaus/DVD • On-line sftp://lilo.science.ru.nl/vol/xpsoftware/sio2009/image_1111 09/*.* Variants on ISO 2700* • Note: starting the VMWARE image takes time; first start the image then read the assignment 3

  4. Outline • Audit introduction • IT security audits in general • management system certification audits • IT security product certification audits (‘common criteria’) • Recap & Practicum 4

  5. Audit introduction Types of audits • The audits we are discussing include: • IT security audits in general, • management systemcertification audits, • IT security product certification audits • As there is – as far as we know – no common terminology used for these three types of audits simultaneously, we will introduce our own terminology. This is actually based on a combination of terms taken from these audit types. 5

  6. Audit introduction Terminology • An audit is the process in which an competent, impartial judgment (‘ opinion ’) is formed on one or more aspects of an object (‘criteria’). • The result of an audit is typically a document in which the auditor expresses his opinion, the supporting findings and the limitations that apply. • The opinion provides assurance to the auditee itself or to a third party. • The assurance can be either positive or negative: • Positive assurance - An affirmative statement or opinion given by the auditor, generally based on a high level of work performed. • Negative assurance - A statement indicating that nothing came to the auditor's attention indicating that the subject matter in question did not meet a specified criteria. 6

  7. Audit introduction Terminology Scheme Criteria maintainer maintainer (e.g. association organization) Independent overseer (e.g. association organization) Audit Audit Audit Auditor Criteria Scheme Object Opinion (report) 7

  8. Audit introduction Terminology • The audit process should be reproducible and should not depend on the (qualified) auditor. • An opinion can also take the form of a ‘certificate’. • Audits are historically associated with accounting: a financial audit of the financial accounts (‘ jaarrekening audit’) performed by (registered) accountants. In this situation the criteria are based on the laws on accounting (‘ Wet op de jaarrekening ’). In the accounting context the term ‘audit’ is a very sensitive notion. 8

  9. Audit introduction Terminology • The audit is performed for a client , that also sponsors the audit. • The aspects that form the basis of the audit are formulated as a set of criteria ( audit criteria ), determined prior to the actual audit and agreed upon with the client. In Dutch these criteria are sometimes ‘ de gehanteerde (audit) norm ’. • The set of criteria could be an open standard, a tailored version of it, or even some assertions made by the client management. In the latter case, the opinion can be a statement of the auditor that the assertions are correct. • The object type can vary, examples are: a person, a product, a process, a system or an organization. 9

  10. Audit introduction Audit schemes • Closely linked with the audit criteria is the audit scheme used. These are rules describing how the audits shall be conducted and what requirements should be met by the auditor organization itself • An audit scheme provides a ‘manual’ for conducting audits and typically answers questions like: • What steps shall an audit have? • When is a criterion met? • What qualifications should an auditor have? • When can the auditor ‘built’ on prior work done by other auditors? • When can an opinion be provided and what can be part of it? 10

  11. Audit introduction Audit schemes Important general topics in audit schemes are: • impartiality requirements of auditors and the organizations they work for, • confidentiality, • providing auditees the opportunity to respond to findings (‘ hoor en wederhoor ’) • ethics, e.g., ‘do not audit your own work’, • quality, e.g. filing of evidence 11

  12. Audit introduction Audit schemes The audit scheme can be: • an open standard itself, e.g., • ISO 19011 ‘Guidelines for quality and/or environmental management systems auditing’ • ISO/IEC 17021 ‘Requirements for bodies providing audit and certification of management systems, • and its particularization ISO 27006 ‘Requirements for bodies providing audit and certification of information security management systems’ • a dedicated document, e.g., the TTP- NL scheme ‘Scheme For Certification of Certification Authorities against ETSI TS 101 456’ • or it could be part of the rules of conduct of the professional associations (‘ beroepsverenigingen ’) of auditors, e.g. of NOREA (http://www.norea.nl/Norea/Thema's/Gedrags- +en+beroepsregels/Richtlijn+Assurance-opdrachten) or ISACA (www.isaca.org). 12

  13. Audit introduction Terminology Object Criteria Scheme Opinion Source: https://cert.webtrust.org/SealFile?seal=304&file=pdf 13

  14. Audit introduction Terminology Scheme Criteria maintainer maintainer (e.g. association organization) Independent overseer (e.g. association organization) Audit Audit Audit Auditor Criteria Scheme Object Opinion (report) 14

  15. Outline • Audit introduction • IT security audits in general • management systemcertification audits, • IT security product certification audits (‘common criteria’) • Recap & Practicum 15

  16. IT security audits in general IT (security) audits • An IT security audit is a particular type of an IT audit. • An IT audit is also known as an EDP audit and focuses on the following aspects of IT systems (cf. COBIT): • Effectiveness • Efficiency • Compliance • Reliability • Confidentiality • Integrity • Availability • An IT audit can therefore include much more than information security. 16

  17. IT security audits in general IT audit aspects • Effectiveness Deals with information being relevant and pertinent to the business process as well as being delivered in a timely, correct, consistent and usable manner. • Efficiency Concerns the provision of information through the optimal (most productive and economical) usage of resources • Reliability Relates to systems providing management with appropriate information for it to use in operating the entity, in providing financial reporting to users of the financial information, and in providing information to report to regulatory bodies with regard to compliance with laws and regulations • Compliance Deals with complying with those laws, regulations and contractual arrangements to which the business process is subject; i.e., externally imposed business criteria 17

  18. IT security audits in general IT effectiveness 18

  19. IT security audits in general IT audit aspects • Confidentiality Concerns protection of sensitive information from unauthorized disclosure. • Integrity Relates to the accuracy and completeness of information as well as to its validity in accordance with the business' set of values and expectations. • Availability Relates to information being available when required by the business process, and hence also concerns the safeguarding of resources. 19

  20. IT security audits in general IT security audits • IT security audits (aka IT security reviews) concentrate on information security aspects, i.e.: • Confidentiality • Integrity • Availability • Sometimes IT security audits are called IT security reviews to prevent confusion with financial audits. • IT security audits can be: • technically oriented; then the objects are IT systems, e.g., a whole IT infrastructure, a network, a Windows environment, a specific application • process oriented; then the objects are IT processes, e.g., a security management process, a change management process. • The audit criteria are typically formulated in information security objectives or security controls, e.g. based on ISO 27002. 20

  21. IT security audits in general Example of technical IT Security criteria 21

  22. IT security audits in general Example of non-technical IT Security criteria 22

  23. IT security audits in general Audit evidence • Practically speaking, the auditor should: • determine the scope of the audit (e.g., Windows based office automation network), • agree the audit criteria with the audit sponsor and put them in a table and compare the criteria with the object setting. • But what should an auditor accept as compliance evidence? 23

  24. IT security audits in general Audit evidence • What if the IT administrator says in an interview: ‘Sure, we have this password policy and account lockout setting’? • What if there is an official document stating compliance with these setting? • When should you believe this setting is actually implemented? 24

Recommend

Safety and Security Certification Program Safety and Security Certification A process to

Safety and Security Certification Program Safety and Security Certification A process to

Safety and Security Certification Program Safety and Security Certification A process to assure that safety & security concerns, vulnerabilities, and hazards are adequately addressed prior to the initiation of service. Safety and

97 views • 9 slides
1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

1 1.2. Guidelines for Information Security of Cloud Computing Category Main contents of measure

Agenda Related Polices to Cloud Computing I. Guidelines for Information Security of Cloud II. Computing Cloud Security Certification Scheme in KOREA Cloud Security Certification Program in Korea III. April. 11, 2017 Jungduk (JD) KIM, Ph.

403 views • 5 slides
Information Security Management and ISO 27000 certification: the .SE view Anne-Marie Eklund

Information Security Management and ISO 27000 certification: the .SE view Anne-Marie Eklund

Information Security Management and ISO 27000 certification: the .SE view Anne-Marie Eklund Lwinder Security Manager .SE amel@iis.se @amelsec Agenda About .SE Risk and Information Security Management in a ccTLD. ISO 27001,

754 views • 37 slides
Information Security Officer (ISO) Appointment Overview Bob Auton VITA - Centralized Information

Information Security Officer (ISO) Appointment Overview Bob Auton VITA - Centralized Information

Information Security Officer (ISO) Appointment Overview Bob Auton VITA - Centralized Information Security Services Mark Martens Security Risk Management Analyst 1 Areas for Review Commonwealth ISO Certification IT Security

832 views • 40 slides
Public-Private proposal for a European Cloud Security Certification Scheme C5 success story and

Public-Private proposal for a European Cloud Security Certification Scheme C5 success story and

Berlin 2 nd April 2019 Public-Private proposal for a European Cloud Security Certification Scheme C5 success story and the way forward to a European certification for cloud services Clemens Doubrava Head of Section of Information Security in

367 views • 36 slides
On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com

On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com

On the Security of Election Audits with Low Entropy Randomness Eric Rescorla ekr@rtfm.com EVT/WOTE 2009 On the Security of Election Audits with Low Entropy Randomness 1 Overview Secure auditing requires random sampling The units to be

478 views • 23 slides
Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech -

Security Models: Proofs, Protocols and Certification Florent Autrau - Yassine Lakhnech - Jean-Louis Roch Master-2 Security, Cryptology and Coding of Information Systems ENSIMAG/Grenoble-INP UJF Grenoble University, France Security Models,

396 views • 20 slides
Declassification Options and Requirements Information Security Webinar Marc Brandsness

Declassification Options and Requirements Information Security Webinar Marc Brandsness

6/20/2013 Declassification Options and Requirements Information Security Webinar Marc Brandsness Security Asset Protection Professional Certification (SAPPC) Retired US Air Force-Security Forces with over 25 years of Law Enforcement

307 views • 15 slides
Ex ante certification Ex ante certification & outsourced outsourced audits audits &

Ex ante certification Ex ante certification & outsourced outsourced audits audits &

1 9 June 2 0 0 8 1 9 June 2 0 0 8 I nternational W orkshop on Accountability Challenges: I nternational W orkshop on Accountability Challenges: Choosing the Right Direction Choosing the Right Direction Ex ante certification Ex ante

564 views • 18 slides
Proposal for an European Cloud Security Certification Scheme for the EU An update by the CSP

Proposal for an European Cloud Security Certification Scheme for the EU An update by the CSP

Proposal for an European Cloud Security Certification Scheme for the EU An update by the CSP Certification WG with Q&A Objectives 1. The objective of the group is to explore the possibility of developing a European Cloud Certification

144 views • 13 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Noise Audits What they are and the training required to do them The Hearing Loss Prevention/

Noise Audits What they are and the training required to do them The Hearing Loss Prevention/

Noise Audits What they are and the training required to do them The Hearing Loss Prevention/ Noise Rule includes a section on noise audits. The following three modules provide information on noise audits: Module 1 is a general overview of

570 views • 18 slides
GENI real time workshop, Reston VA, 6,7 Feb 2006 Assurance, Security, Certification for GENI John

GENI real time workshop, Reston VA, 6,7 Feb 2006 Assurance, Security, Certification for GENI John

GENI real time workshop, Reston VA, 6,7 Feb 2006 Assurance, Security, Certification for GENI John Rushby Computer Science Laboratory SRI International Menlo Park CA USA John Rushby, SR I Assurance, Security, Certification: 1 Certification

333 views • 17 slides
PER-based certification of secure information flow (Work in progress) Andrzej Filinski Ken

PER-based certification of secure information flow (Work in progress) Andrzej Filinski Ken

PER-based certification of secure information flow (Work in progress) Andrzej Filinski Ken Friis Larsen Thomas Jensen University of Copenhagen and INRIA Rennes Workshop on Foundations of Computer Security June 22, 2020 Background and

149 views • 4 slides
63 Free Audits 185 buildings Commercial 11,232,843.0 Square Feet Thousands Of Employees

63 Free Audits 185 buildings Commercial 11,232,843.0 Square Feet Thousands Of Employees

Green Business Certification Press Conference on Earth Week Get Certified Today! 520 Green 8,063,559 $851,677 Businesses kWh kWh reduced In enhanced rebates 63 Free Audits 185 buildings Commercial 11,232,843.0 Square Feet Thousands

464 views • 23 slides
Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen

Agenda Linux security 1. System hardening 2. Technical audits 3. Automation 2 Michael Boelen 3 Linux security Areas Core Resources Services Environment System Hardening Boot Process Accounting Database Forensics Containers

821 views • 34 slides
Certification and Endorsement Certification and Endorsement Information for School Information

Certification and Endorsement Certification and Endorsement Information for School Information

Certification and Endorsement Certification and Endorsement Information for School Information for School Administrators Administrators 1 Agenda Agenda 1. Certification 1. Certification Completed once per year per student Completed once

664 views • 13 slides
Certification and Accreditation of Certification and Accreditation of PIV Card Issuing

Certification and Accreditation of Certification and Accreditation of PIV Card Issuing

Certification and Accreditation of Certification and Accreditation of PIV Card Issuing Organizations PIV Card Issuing Organizations Joan Hash Manager, Computer Security Management & Assistance June 28, 2005 1 NIST Special Publication

256 views • 25 slides
The Shepherd Project Automated security audits of web login processes Benjamin Krumnow

The Shepherd Project Automated security audits of web login processes Benjamin Krumnow

The Shepherd Project Automated security audits of web login processes Benjamin Krumnow Employee at the TH Kln External PhD student (50%) at the OU (~2 years) H. Jonker, M. Van Eekelen, H. Vranken, S. Karsch Joined the

565 views • 38 slides
Structural Cloud Audits that Protect Private Information Hongda Xiao, Bryan Ford, Joan Feigenbaum

Structural Cloud Audits that Protect Private Information Hongda Xiao, Bryan Ford, Joan Feigenbaum

Structural Cloud Audits that Protect Private Information Hongda Xiao, Bryan Ford, Joan Feigenbaum Department of Computer Science Yale University Cloud Computing Security Workshop November 8, 2013 Motivation Cloud computing and cloud

655 views • 41 slides
Trustless Computing Certification Body Can a new international certification body deliver

Trustless Computing Certification Body Can a new international certification body deliver

Trustless Computing Certification Body Can a new international certification body deliver radically unprecedented IT security for all, while at once ensuring legitimate lawful access? Rufo Guerreschi | Exec. Dir. rufo@trustlesscomputing.org

701 views • 39 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
CYBERSECURITY CERTIFICATION PROGRAMS Workforce Training Need 30% more computer and network

CYBERSECURITY CERTIFICATION PROGRAMS Workforce Training Need 30% more computer and network

CYBERSECURITY CERTIFICATION PROGRAMS Workforce Training Need 30% more computer and network workers needed from 2008 to 2018 1 ; 433 New Mexico IT job postings in 2012 for security- specific positions 2 ; 110,000 information assurance

144 views • 11 slides

More recommend