Auditing The Information Security Function Kevin Wheeler, CISSP
Availability
Information Security Controls
Technical: Access Control Systems, Multi-Factor Authentication, Firewalls, Encryption Systems, Uninterruptible Power Supplies, Intrusion Detection Systems, Malware Protection Software, Redundant Systems or System Components, Back-up Systems, Audit and Logging Systems, System Hardening
Physical: Security Guard, Card-key Physical Access Control Systems, Alarm Systems, Safes, Fire Suppression Systems, HVAC Systems, Fences, Lighting, Security Cameras
Administrative: Acceptable Use Policy, Business Continuity Plan, Password Policy, Incident Response Plan, System Baseline Configurations, Remote Access Policy, File Recovery Procedures, Information Classification, Security Awareness Training, Audits and Assessments, Non-disclosure Agreements
Security Governance Lifecycle (figure): Risk Assessment, Security Strategy, Security Policy, Security Architecture, Security Management, and Measurement and Assurance, arranged around Governance, Risk, and Compliance
Information Security Frameworks
• ISO 27001
• COBIT 5.0
• NIST 800-53
• NIST Cyber Security Framework
• PCI DSS
PCI DSS 3.0
NIST Cyber Security Framework
Auditing Information Security
Information Security Program Elements
Auditing Policies, Standards and Procedures
IT Policy Framework (figure): a Policy is supported by Standards; each Standard is supported by Procedures; Standards and Procedures each have Supporting Documents
Policies and Procedures
[Company Logo]
Policy Title: Information Protection Policy
Policy Number: ITP-01 Version: 0.1 Effective Date: mm/dd/yyyy
Overview
Description
This policy contains high-level information protection mandates as set forth by executive management in response to enterprise risk and regulatory compliance requirements. As with all corporate IT policies, supporting standards outline the technical security requirements and procedures outline the methods used to create or maintain security controls. The following policy statements are not meant to specify the methods of protection.
Purpose
The Information Protection Policy was set forth to protect [Company Name] from unauthorized information disclosure and other information security risks. Many of the policy statements below have been developed in response to regulatory requirements.
Applicability
There are two audiences for policies: general users and users that perform IT functions. This policy is directed at users that perform IT functions.
Policy Statements
1) Information will be protected in a way that reduces IT risk and complies with applicable regulations.
2) Sensitive information residing on enterprise systems must be protected by appropriate security controls according to its level of sensitivity. See the Systems Security Policy and Sensitive Information Protection Standard for additional information.
3) Private cryptographic keys must be stored and managed in a secure manner. See the Encryption Standard for more information.
4) New employees, contract employees and business partners that will have access to sensitive information must undergo a background check.
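Before reviewing a policy's content by hand, an auditor can script the mechanical checks on a document laid out like the sample above: header fields present, version and effective date filled in rather than left as template placeholders, required sections present, policy statements numbered consecutively, and the supporting standards each statement cites collected for follow-up. The following script is an added example, not part of the slide deck; the section names and field labels come from the sample policy, while the thresholds (version at least 1.0 counts as approved, the "[Company Name]" placeholder must be replaced) and the sample text itself are constructed assumptions.

```python
"""Completeness check for a policy document in the sample layout (added example)."""
import re
from datetime import datetime

# Section and field names as they appear in the sample policy document.
REQUIRED_SECTIONS = ["Overview", "Description", "Purpose", "Applicability", "Policy Statements"]
HEADER_FIELDS = ["Policy Title", "Policy Number", "Version", "Effective Date"]

# Constructed sample: the template from the slide, still in draft form.
SAMPLE_POLICY = """\
[Company Logo]
Policy Title: Information Protection Policy
Policy Number: ITP-01 Version: 0.1 Effective Date: mm/dd/yyyy
Overview
Description
This policy contains high-level information protection mandates.
Purpose
The Information Protection Policy was set forth to protect [Company Name] from unauthorized disclosure.
Applicability
This policy is directed at users that perform IT functions.
Policy Statements
1) Information will be protected in a way that reduces IT risk and complies with applicable regulations.
2) Sensitive information must be protected according to its level of sensitivity. See the Systems Security Policy and Sensitive Information Protection Standard for additional information.
3) Private cryptographic keys must be stored and managed in a secure manner. See the Encryption Standard for more information.
4) New employees, contract employees and business partners with access to sensitive information must undergo a background check.
"""


def parse_header(text):
    """Extract 'Label: value' header fields; several may share one line."""
    fields = {}
    stop = "|".join(HEADER_FIELDS)
    for name in HEADER_FIELDS:
        m = re.search(rf"{name}:\s*(.+?)(?=\s+(?:{stop}):|$)", text, re.M)
        if m:
            fields[name] = m.group(1).strip()
    return fields


def find_sections(text):
    """Section headings stand alone on their own line in this layout."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [s for s in REQUIRED_SECTIONS if s in lines]


def policy_statements(text):
    """Return (number, body) pairs for lines of the form 'N) ...'."""
    return re.findall(r"^\s*(\d+)\)\s*(.+)$", text, re.M)


def references(statement):
    """Supporting documents are cited as 'See the X [and Y] for more/additional information'."""
    return re.findall(r"See the (.+?)(?: for (?:more|additional) information)", statement)


def audit_policy(text):
    """Run the mechanical checks and return header data, counts, citations and findings."""
    findings = []
    header = parse_header(text)
    for name in HEADER_FIELDS:
        if name not in header:
            findings.append(f"missing header field: {name}")
    version = header.get("Version")
    if version is not None:
        try:
            if float(version) < 1.0:  # assumption: versions below 1.0 are unapproved drafts
                findings.append(f"draft version {version}: policy not yet approved")
        except ValueError:
            findings.append(f"unparseable version: {version}")
    date = header.get("Effective Date")
    if date is not None:
        try:
            datetime.strptime(date, "%m/%d/%Y")
        except ValueError:
            findings.append(f"effective date is a placeholder or invalid: {date}")
    present = find_sections(text)
    findings.extend(f"missing section: {s}" for s in REQUIRED_SECTIONS if s not in present)
    if "[Company Name]" in text:
        findings.append("template placeholder [Company Name] not replaced")
    stmts = policy_statements(text)
    if not stmts:
        findings.append("no numbered policy statements")
    if [n for n, _ in stmts] != [str(i) for i in range(1, len(stmts) + 1)]:
        findings.append("policy statements are not numbered consecutively")
    refs = []
    for _, body in stmts:
        for group in references(body):
            refs.extend(r.strip() for r in group.split(" and "))
    return {"header": header, "statements": len(stmts), "references": refs, "findings": findings}


if __name__ == "__main__":
    result = audit_policy(SAMPLE_POLICY)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print("cited documents to request:", result["references"])
```

Each cited document in the returned list is a candidate for the next audit step: request the Systems Security Policy, the Sensitive Information Protection Standard and the Encryption Standard and confirm they exist, are approved, and actually define the controls the policy statements defer to.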
Security Policy Audit Tips
© ISACA
How Do Most Organizations Rate?
CMM Level 2
People
• Some technical personnel trained in security
• Immature security organization (if any)
• Most employees unaware of corporate security policies
Process
• Basic processes such as change control, backup/restore, etc.
• Little or no process automation
• Immature risk and security strategy
Tools
• Firewall, Anti-virus, Spam protection and other basic security tools
• Sometimes advanced point solutions such as a network IDS or multi-factor authentication
• Little or no integration of security tools
• No real-time visibility into security
What is the Target Maturity Level?
CMM Level 3+
People
• Subject matter experts within the security organization, other IT functions well-trained in security
• Security organization is an integral part of the business
• Employees understand and embrace security policies and information handling best practices
Process
• IT processes are well-defined
• Labor-intensive processes such as password resets are automated
• IT risk is actively managed using a well-defined security strategy
Tools
• Security technologies are optimized and fully integrated
• Advanced security technologies are employed according to the security strategy (plan)
• Security personnel have real-time visibility into organizational security at all times, enabling rapid response to incidents
• Systems are highly standardized and managed efficiently
Security From Inhibitor to Enabler
Security (Today)
Security (Yesterday)