Role of Compliance in Security Audits
Agenda:
• Information Security Compliance
• Memory Techniques for quick revision / recall
Information Security Compliance
• Need for Compliance
• The Five R's for IS Compliance
• ISO 27001: An Introduction
• Steps for ISMS Implementation
• Common Myths on ISO 27001
The Road Ahead:
Information Security and Compliance Relationship
The Five R's of IS Compliance
Reputation
• Protecting the business from the impact of a security breach
Regulation
• Complying with multiple regulations
• Developing a common security and audit framework
Revenue
• Protecting the corporate intellectual property / trade secrets
Resilience
• Ensuring continuity of critical business processes during a disaster
Recession Proofing
• Reduces the spend needed to counter economic pressures, e.g. GRC tools
ISO 27001: Overview
• ISO 27001 defines best practices for information security management
• A management system should balance physical, technical, procedural, and personnel security
• Without a formal Information Security Management System, there is a greater risk of your security being breached
• Information security is a management process, NOT a technological process
ISO 27001: Family of Standards
• ISO 27000 – Principles and vocabulary
• ISO 27001 – ISMS requirements
• ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
• ISO 27003 – ISMS Implementation guidelines
• ISO 27004 – ISMS Metrics and measurement
• ISO 27005 – ISMS Risk Management
• ISO 27006 – 27010 – allocation for future use
PDCA Cycle: Steps for ISMS Implementation
[PDCA cycle diagram: Plan – Do – Check – Act]
Steps for ISMS Implementation
1. Obtain management support
2. Treat as a project
3. Define the scope
4. Write an ISMS Policy
5. Define the Risk Assessment methodology
6. Perform the risk assessment & risk treatment
7. Write the Statement of Applicability
8. Write the Risk Treatment Plan
9. Define how to measure the effectiveness of controls
10. Implement the controls & mandatory procedures
11. Implement training and awareness programs
12. Operate the ISMS
13. Monitor the ISMS
14. Internal audit
15. Management review
16. Corrective and preventive actions
Common Myths about ISO 27001
"The standard requires..."
"We'll let the IT department handle it"
"We'll implement it in a few months"
"This standard is all about documentation"
"The only benefit of the standard is for marketing purposes"
Memory Techniques
for Quick Revision
The fun part of learning
The Road Ahead: Memory Techniques
• Mnemonics
• Sentence Aid
• Workflow Diagrams
• Colour Coding Differentiation
Mnemonics: abbreviated character strings for an easy memory aid
How to operate?
Take the first letter of each point and arrange the letters in a "useful" order.
Best Practices: For a long mnemonic string, group it into chunks of 2 or 3 letters for quick recall.
If the mnemonic comes to resemble a DISTINCT entity or person, associate that entity with the mnemonic for a lasting impact.
Mnemonics Examples:
Process Workflow (Plan – Do – Check – Act)
Mnemonic: PDCA
Memory Aid: Imagine a "Pen Drive" of CA (CA = Certifying Authority)
Mnemonics (contd.) Examples:
COBIT Domains:
a) Plan and Organize
b) Acquire and Implement
c) Deliver and Support
d) Monitor and Evaluate
Mnemonic: PADM
Memory Aid: Imagine the PADM Shri Award (Padma Shri)
Sentence Aid: a memory recall technique to easily recall long mnemonic strings "in order".
Advantage: used especially when the mnemonic string is quite long (>= 5 points). Helpful for easy recall.
Example: Mnemonic for OWASP Top 10 is: ICBI CS IF I U
Sentence Aid Prerequisites: a Sentence Aid MUST be an expression making a visual impact on your memory.
Always design a Sentence Aid which is:
a) Mnemonic workflow oriented (to maintain serial order)
b) Bound to a strong event in your memory
c) A natural progression
d) Written with capital letters indicating the actual point of the mnemonic
Sentence Aid: OWASP Top 10 Mnemonic: ICBI CS IF I U
• Injection
• Cross Site Scripting (XSS)
• Broken Authentication and Session Mgmt
• Insecure Direct Object References
• Cross Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
EXAMPLE:
Sentence Aid: ICBI's Counter Strike, If Fails, Informs U.
Sentence Aid: OSI Layer Model
Layer 1: Physical layer
Layer 2: Data link layer
Layer 3: Network layer
Layer 4: Transport layer
Layer 5: Session layer
Layer 6: Presentation layer
Layer 7: Application layer
Example:
Sentence Aid: Please Do Not Take Sales Person's Advice
Workflow Diagrams: these figures/diagrams give the directive flow of the process.
Advantage: they can summarize vast information in an appealing view.
We can readily grasp the "gist" of the process workflow.
Workflow Types are:
• Flowcharts
• Hierarchy Diagrams (Pyramids, Topology figures)
• Data Flow Diagrams (DFDs)
• Cyclic Processes
Workflow Type: Flowcharts (example: Risk Assessment Process)
Workflow Type: Hierarchy Figures
Workflow Type: Cyclic Process
Color Coding Differentiation: this technique takes advantage of the fact that we remember figures better when they are filled with different background colors.
Using the same color for related fields helps us to distinguish entities of the same genre.
Color Coding Differentiation EXAMPLE:
Mnemonic: SOA ACP HSC IB
Sentence Aid: Develop a SOA for ACP to help him pass the HSC exam for IB entrance.
Quotes:
Imagination is more important than knowledge. For knowledge is limited, whereas imagination embraces the entire world, stimulating progress, giving birth to evolution. It is, strictly speaking, a real factor in scientific research.
-- Albert Einstein
But in reality, without knowledge, imagination cannot be developed.
-- Wikipedia (on Imagination), after the Einstein quote.
Precautions
Study the subject matter thoroughly before venturing into memorizing techniques.
Know WHAT YOUR ABBREVIATION stands for rather than keeping in mind only the mnemonic.
Memory techniques are only an AID. They are NOT a SUBSTITUTE for comprehensive study.
They are best utilized AFTER comprehensive study, for REVISION.
THANK YOU !!
Presented By: Manasdeep
Questions?