This document discusses auditing security and business continuity. It begins with definitions of internal auditing, business continuity management, and related terms. It then covers topics like information security governance, access controls, user awareness, and dealing with IT system crashes. Standards and best practices for areas like availability, service continuity management, and incident response are presented. Finally, key sections of the ISO27001 standard related to auditing security and ensuring business continuity are highlighted.
1. Auditing Security and Business Continuity Management
Rob Kloots CISA CISM CRISC, Owner, TrustingtheCloud
Berlin, June 2012
2. Content
2012 Risk Landscape
Some definitions, models & standards
Audit & Control
Information security governance
Administration of user access, passwords
Access security controls
Remote access and third parties
User awareness
How to deal with an IT system crash? What to do and how to continue?
Auditing Security and Business Continuance 2
3. 2012 Risk Landscape
PWC Global Internal Audit survey 2012: The risks ahead
Intensifying economic and financial market uncertainty
Increased regulation and changes in government policy
Data security threats and reputation
Mergers and acquisitions risks
5. Importance of IA's contribution to monitoring each risk
6. More IA audit capacity planned
7. Definition of Internal Auditing
The Definition of Internal Auditing states the fundamental purpose, nature, and scope of internal auditing.
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
8. Definition of Business Continuity Management
BCM is defined by the British Standards Institute (BSI) as:
'an holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation brand and value creating activities'.
Business Continuity is defined by the International Standards Organization as the:
"capability of the organization to continue delivery of services or products at acceptable predefined levels following disruptive incidents"*
*Source ISO 22300 Vocabulary
9. Principles of ICT Continuity
Protect: Protecting the ICT environment from ...
Detect: Detecting incidents at the earliest opportunity ...
React: Reacting to an incident in the most appropriate manner ...
Recover: Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data.
Operate: Operating in disaster recovery mode until return to normal is possible may require some time and necessitate scaling up disaster recovery operations to support increasing business volumes that need to be serviced over time.
Return: Devising a strategy for every IT continuity plan allows an organization to migrate back from disaster recovery mode to a position in which it can support normal business.
11. BCP details
BUSINESS CONTINUITY PLANNING
1. Project Foundation
2. Business Assessment
3. Strategy Selection
4. Plan Development
5. Testing and Maintenance

1. PROJECT FOUNDATION
Business Continuity Planning Evaluation
Plan Management
Business Impact Analysis
Recovery Strategies
Plan Development
Plan Maintenance
Plan Testing

2. BUSINESS ASSESSMENT
Risk Assessment
Information Protection
  Protection
  Detection
  Response
Business Impact Analysis (BIA)

4. PLAN DEVELOPMENT
#1 Develop Response and Recovery Teams
#2 Develop Draft Action Plan
#3 Prioritize Action Plan Execution
#4 Document General Plan Sections
#5 Document the Technical Recovery Processes
12. Basic terms used in a standard
Business Continuity Management System (BCMS): the part of an overall management system that ensures business continuity is planned, implemented, maintained, and continually improved.
Maximum Acceptable Outage (MAO): the maximum amount of time an activity can be disrupted without incurring unacceptable damage (also Maximum Tolerable Period of Disruption, MTPD).
Recovery Time Objective (RTO): the pre-determined time at which an activity must be resumed, or resources must be recovered.
Recovery Point Objective (RPO): the maximum acceptable data loss, i.e., the minimum amount of data that needs to be restored.
Minimum Business Continuity Objective (MBCO): the minimum level of services or products an organization needs to produce after resuming its business operations.
13. Trust Services Principles and Criteria
Security - The system is protected against unauthorized access (both physical and logical).
Availability - The system is available for operation and use as committed or agreed.
Processing Integrity - System processing is complete, accurate, timely, and authorized.
Online Privacy - Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
Confidentiality - Information designated as confidential is protected as committed or agreed.
14. Best Practices For IT Availability And Service Continuity Management
1) Classify systems for criticality.
2) Develop tiers of service for both availability and IT service continuity.
3) Measure availability from the end-user perspective.
4) Include availability and continuity considerations in application development and testing.
17. Information Risk Component
The confidentiality, integrity and availability of information systems must be ensured to protect the business from the risks relating to information technology. An IS audit helps to identify areas where these are vulnerable or inadequately protected through systematic examination and evaluation.
Every organization should have a business continuity plan that seeks to ensure that its information systems are available and running at all times to support and enable the business to function and grow. In spite of all precautions and preventive controls, disasters can occur.
Approach to Auditing Business Continuity
The audit of business continuity can be broken into three major components:
Validating the business continuity plan
Scrutinizing and verifying preventive and facilitating measures for ensuring continuity
Examining evidence about the performance of activities that can assure continuity and recovery
18. BIA focus
Recovery Time Objective: target time set for resumption of product, service or activity delivery after an incident (BS 25999:1).
Maximum Tolerable Period of Disruption: duration after which an organisation's viability will be irrevocably threatened if product and service delivery cannot be resumed (BS 25999:1).
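The BIA terms on slides 12 and 18 (MAO/MTPD, RTO, RPO, MBCO) are only useful to an auditor if the values recorded for each business activity are mutually consistent. The following is an added example, written for this page and not taken from the presentation or its author, of the consistency checks an auditor can run over a BIA register. It assumes three relationships that are standard BCM practice but are not spelled out on the slides: the RTO must be shorter than the MTPD (otherwise the plan recovers the activity only after viability is already threatened), the observed backup or replication interval must not exceed the RPO (otherwise the stated maximum data loss cannot be met), and the MBCO is expressed as a percentage of normal service level. The `backup_interval` field and the sample register are constructed for the example.

```python
"""Consistency checks over a Business Impact Analysis (BIA) register.

Added example for this page; not the presentation's own material.
Assumed relationships (standard BCM practice, not stated on the slides):
  - RTO must be shorter than the MTPD/MAO;
  - the backup/replication interval must not exceed the RPO;
  - MBCO is a percentage of normal service level, 1..100.
"""
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Activity:
    name: str
    mtpd: timedelta             # Maximum Tolerable Period of Disruption (= MAO)
    rto: timedelta              # Recovery Time Objective
    rpo: timedelta              # Recovery Point Objective (maximum data loss)
    backup_interval: timedelta  # assumed field: observed backup/replication interval
    mbco_percent: int           # Minimum Business Continuity Objective, % of normal


def audit_bia(activities):
    """Return a list of findings, each a (activity, code, detail) tuple."""
    findings = []
    for a in activities:
        # An RTO equal to or longer than the MTPD means the plan recovers too late.
        if a.rto >= a.mtpd:
            findings.append((a.name, "RTO_NOT_BELOW_MTPD",
                             f"RTO {a.rto} is not shorter than MTPD {a.mtpd}"))
        # Data can only be restored to the last backup, so the interval bounds real loss.
        if a.backup_interval > a.rpo:
            findings.append((a.name, "BACKUP_INTERVAL_EXCEEDS_RPO",
                             f"backup every {a.backup_interval} cannot meet RPO {a.rpo}"))
        # An MBCO of 0% or above 100% is not a meaningful minimum service level.
        if not 1 <= a.mbco_percent <= 100:
            findings.append((a.name, "MBCO_OUT_OF_RANGE",
                             f"MBCO {a.mbco_percent}% is not between 1 and 100"))
    return findings


def recovery_order(activities):
    """Recovery priority (plan development step #3): shortest RTO first,
    ties broken by the shorter MTPD."""
    return [a.name for a in sorted(activities, key=lambda a: (a.rto, a.mtpd))]


# Constructed sample register; the values are illustrative, not from the slides.
SAMPLE_REGISTER = [
    Activity("online ordering", mtpd=timedelta(hours=24), rto=timedelta(hours=4),
             rpo=timedelta(minutes=15), backup_interval=timedelta(hours=1),
             mbco_percent=60),
    Activity("payroll", mtpd=timedelta(days=5), rto=timedelta(days=2),
             rpo=timedelta(hours=24), backup_interval=timedelta(hours=24),
             mbco_percent=100),
    Activity("management reporting", mtpd=timedelta(hours=48), rto=timedelta(hours=72),
             rpo=timedelta(hours=24), backup_interval=timedelta(hours=24),
             mbco_percent=0),
]

if __name__ == "__main__":
    for name, code, detail in audit_bia(SAMPLE_REGISTER):
        print(f"{name}: {code}: {detail}")
    print("recovery order:", recovery_order(SAMPLE_REGISTER))
```

On the sample register the checks flag the hourly backup that cannot satisfy a 15-minute RPO, a reporting activity whose RTO exceeds its MTPD, and an MBCO of 0%; the recovery order places the activity with the shortest RTO first, which is the evidence an auditor would compare against the prioritised action plan from slide 11.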
19. Risks related to technology
21. Crash and Restart
ISO 27001 security topics covered:
Infosec governance
Crash and Restart
User awareness
Remote access / 3rd party
Access security controls
User access / passwords
22. Risk and Controls
A Business Continuity risk profile is prepared for each business function.
Controls are set to address risk, in consultation with the support / business function.
Weights are assigned to each control according to the type of the control (e.g. a preventative control has the highest weight).
Type of control:
Preventative
Corrective
Other entity
23. Example of Risk and Control
Risk: Electricity failure
Controls:
Uninterruptible power supply (UPS)
Generators
Preventive maintenance reports
24. Fail a Security Audit Already -- it's Good for You
Network World: Failing an audit sounds like the last thing any company wants to happen. But that's because audits are seen by many as the goal of a security program. In reality, audits are only the means of testing whether enforcement of security matches the policies. In the broader context, though, an audit is a means to avoid a breach by learning the lesson in a "friendly" exercise rather than in the real world. If the audit is a stress-test of your environment that helps you find the weaknesses before a real attack, you should be failing an audit every now and then. After all, if you're not failing any audits there are two possible explanations:
1) You have perfect security.
2) You're not trying hard enough.
25. Your turn
Questions ???
Rob Kloots CISA CISM CRISC, Owner, TrustingtheCloud
E rob.kloots@trustingthecloud.eu
M +32.499-374713
26. ISO27001 14. BCM
27. ISO27001 11. AC
28. ISO27001 11. Network
29. ISO27001 6. EP
30. ISO27001 8. HR
31. ISO27001 8. HR
32. ISO27001 9. PhySec
33. ISO27001 10. 3rd pty
34. ISO27001 10. Mon
35. ISO27001 13. IncMgt