Role of Compliance in Security Audits


Agenda:
  • Information Security Compliance
  • Memory Techniques for quick revision / recall
Information Security Compliance

The Road Ahead:
  • Need for Compliance
  • The Five R's for IS Compliance
  • ISO 27001: An Introduction
  • Steps for ISMS Implementation
  • Common Myths on ISO 27001
Information Security and Compliance Relationship
The Five R's of IS Compliance
• Reputation
   • Protecting the business from the impact of a security breach
• Regulation
   • Complying with multiple regulations
   • Developing a common security and audit framework
• Revenue
   • Protecting the corporate intellectual property / trade secrets
• Resilience
   • Ensuring continuity of critical business processes during a disaster
• Recession Proofing
   • Reduces the spend needed to counter economic pressures, e.g. GRC tools
ISO 27001: Overview
• ISO 27001 defines best practices for information security management

• A management system should balance physical, technical, procedural, and personnel security

• Without a formal Information Security Management System, there is a greater risk of your security being breached

• Information security is a management process, NOT a technological process
ISO 27001: Family of Standards
 • ISO 27000 – Principles and vocabulary
 • ISO 27001 – ISMS requirements
 • ISO 27002 – ISO/IEC 17799:2005 (from 2007 onwards)
 • ISO 27003 – ISMS implementation guidelines
 • ISO 27004 – ISMS metrics and measurement
 • ISO 27005 – ISMS risk management
 • ISO 27006 – 27010 – allocated for future use
PDCA Cycle: Steps for ISMS Implementation

[Figure: PDCA cycle diagram with four numbered stages (1 to 4) arranged in a loop]
Steps for ISMS Implementation
1. Obtain management support
2. Treat as a project
3. Define the scope
4. Write an ISMS Policy
5. Define the Risk Assessment methodology
6. Perform the risk assessment & risk treatment
7. Write the Statement of Applicability
8. Write the Risk Treatment Plan
9. Define how to measure the effectiveness of controls
10. Implement the controls & mandatory procedures
11. Implement training and awareness programs
12. Operate the ISMS
13. Monitor the ISMS
14. Internal audit
15. Management review
16. Corrective and preventive actions
Common Myths about ISO 27001
"The standard requires..."

"We'll let the IT department handle it"

"We'll implement it in a few months"

"This standard is all about documentation"

"The only benefit of the standard is for marketing purposes"
Memory Techniques for Quick Revision
The fun part of learning
Memory Techniques

The Road Ahead:
   • Mnemonics
   • Sentence Aid
   • Workflow Diagrams
   • Colour Coding Differentiation
Mnemonics
 Abbreviated character strings used as an easy memory aid.

How to operate?
Take the first letter of each point and arrange the letters in a "useful" order.

Best Practices:
 • For a long mnemonic string, group it into chunks of 2 or 3 letters for quick recall.

 • If the mnemonic comes to resemble a DISTINCT entity or person, associate that entity
   with the mnemonic for lasting impact.
Mnemonics
Examples:

Process Workflow (Plan – Do – Check – Act)
Mnemonic: PDCA

Memory Aid:
Imagine the "Pen Drive" of a CA
   • (CA = Certifying Authority)
Mnemonics (contd.)
Examples:

COBIT Domains:
a) Plan and Organize
b) Acquire and Implement
c) Deliver and Support
d) Monitor and Evaluate

Mnemonic: PADM

Memory Aid: Imagine the PADM Shri Award
Sentence Aid
A memory recall technique for easily recalling long mnemonic strings
"in order".

Advantage:
Used especially when the mnemonic string is quite long (>= 5 points).
Helpful for easy recall.
 Example:
 Mnemonic for the OWASP Top 10 is: ICBI CS IF I U
Sentence Aid
Prerequisites:
A Sentence Aid MUST be an expression making a visual impact on your memory.

Always design a Sentence Aid which is:

a) Mnemonic workflow oriented (to maintain serial order)
b) Bound to a strong event in your memory
c) A natural progression
d) Written with capital letters indicating the actual points of the mnemonic.
EXAMPLE:
Sentence Aid for the OWASP Top 10 Mnemonic: ICBI CS IF I U

   • I – Injection
   • C – Cross Site Scripting (XSS)
   • B – Broken Authentication and Session Mgmt
   • I – Insecure Direct Object References
   • C – Cross Site Request Forgery (CSRF)
   • S – Security Misconfiguration
   • I – Insecure Cryptographic Storage
   • F – Failure to Restrict URL Access
   • I – Insufficient Transport Layer Protection
   • U – Unvalidated Redirects and Forwards

  Sentence Aid: ICBI Counter Strike If Fails, Informs U.
Sentence Aid
Example:
OSI Layer Model
  Layer 1:   Physical layer
  Layer 2:   Data link layer
  Layer 3:   Network layer
  Layer 4:   Transport layer
  Layer 5:   Session layer
  Layer 6:   Presentation layer
  Layer 7:   Application layer


 Sentence Aid:
   Please Do Not Take Sales Person’s Advice
Workflow Diagrams
 These figures/diagrams show the direction of flow of a process.

The advantage is that they can summarize vast information in an
appealing view.

We can readily grasp the "gist" of the process workflow.

 Workflow types are:
   • Flowcharts
   • Hierarchy Diagrams (pyramids, topology figures)
   • Data Flow Diagrams (DFDs)
   • Cyclic Processes
Workflow Type: Flowcharts
    [Figure: Risk Assessment Process flowchart]
Workflow Type: Hierarchy Figures
Workflow Type: Cyclic Process
Color Coding Differentiation
 This technique takes advantage of the fact that we remember figures better
when they are filled with different background colors.

 Using the same color for related fields helps us to recognise entities of the
same genre.
Color Coding Differentiation
EXAMPLE:

Mnemonic:
SOA ACP HSC IB
Sentence Aid:
Develop a SOA for ACP to help him pass HSC exam for IB entrance.
Quotes:
Imagination is more important than knowledge. For knowledge is limited, whereas
imagination embraces the entire world, stimulating progress, giving birth to evolution. It is,
strictly speaking, a real factor in scientific research.

-- Albert Einstein

But in reality, without knowledge, imagination cannot be developed.
-- Wikipedia (on Imagination), after the Einstein quote.
Precautions
Study the subject matter thoroughly before venturing into
memorizing techniques.

Know WHAT YOUR ABBREVIATION stands for rather than keeping
in mind only the mnemonic.

Memory techniques are only an AID. They are NOT a SUBSTITUTE
for comprehensive study.

They are best utilized AFTER comprehensive study, for REVISION.
THANK YOU!!

Presented by:
Manasdeep
Questions?
