CCISO Notes 3

The document outlines key aspects of information security controls and audit management, emphasizing the importance of security frameworks like ISO/IEC and NIST, control lifecycle management, and the necessity of regular audits to ensure compliance and effectiveness. It also discusses the roles of a CISO in managing security programs, including budgeting strategies and personnel management techniques. Overall, it highlights the structured approach to establishing and maintaining robust information security practices within an organization.

Uploaded by Ronit Yadav

DOMAIN 2: INFORMATION SECURITY CONTROLS & AUDIT MANAGEMENT

2.1 Security framework

o ISO/IEC 27001/27002
o NIST
These are the most widely used and preferred security frameworks among CISOs. Some of the widely known frameworks derived from them are:
o HITRUST
o ISF
o ITIL

2.1.1 Security controls


2.1.2 Control lifecycle
Controls are assets and need to be managed according to their lifecycle.

Fig: Control lifecycle management (cycle: Select → Validate → Catalog → Implement → Monitor)

o SELECT – select the control, then
o VALIDATE – make sure it is adequate
o CATALOG – maintain an inventory of controls (NIST 800-53)
o IMPLEMENT – implement the controls, and then
o MONITOR – make sure they are effective. As the system/threat landscape within the organisation changes, we modify the controls by adopting a new control or retiring ineffective controls.

Control catalogue:
 Control catalogs are used to identify the family or category of controls and the objectives of each control.
 Catalogs provide guidance or recommendations for implementing controls.
 The two most widely referenced catalogs are:
o ISO 27002
o NIST 800-53
2.1.3 Control Classification

Control classification allows CISOs to select a control for a specific purpose.

Controls serve to protect information & assets or to support security tenets:
o CIA triad
o COSO PDC
o Defence-in-depth
o NIST Security Control Classes
o NIST Minimum Security Controls – the baseline of security controls; the minimum set of controls that needs to be in place.

In 2001, NIST 800-26 (Guide for Information Security Program Assessment and System Reporting Form) described the classes of controls:
o Management
o Operational
o Technical

Fig: NIST classes of controls

Laws are regulatory requirements mandated by government entities; they are legally binding and enforceable, often with penalties for non-compliance:
 HIPAA
 FISMA
 GDPR

Standards are voluntary guidelines or frameworks established by industry organisations:
 ISO 2700X family
 PCI DSS
 SOC2
 NIST

Fig: ISO family of standards; PCI-DSS; NIST publications

2.2 Audit Management

Audits are designed to:

 Confirm that information technology is adequately safeguarded to prevent compromise or interruption affecting an organisation’s finances and reputation.
 Highlight violations of legal and regulatory requirements.

The most frequently used and referenced IS audit practices are:

 ISO/IEC
 NIST
 COBIT

There are two types of audits:

 Internal audit – focuses on financial controls. It will have one or several employees who have experience in information technology and information security controls.
 External audit – focuses on verifying financial statements and risk to the organisation, and is typically performed by third parties or regulatory agencies.

Fig: Internal vs External Audit function comparison chart

2.2.1 Audit process

 Planning
o Review previous audits.
o Research the area of the planned audit.
o Schedule the audit.
o Request documentation.
o Hold a pre-audit meeting.
 Fieldwork
o Interview staff.
o Review proof of design.
o Test design effectiveness.
o Analyse controls compared to standards and practices.
o Identify strengths & weaknesses.
 Reporting
o Compile evidence & results.
o Discuss results with the auditee.
o Request remediation action plans.
o Create reports for senior management & the audit committee.
 Follow-up
o Monitor remediation action plan progress.
o Validate remediation actions.

Audit approaches:
 Compliance-based Audit (CBA) – determines whether an organisation complies with policies, regulations, standards & legal statutes.
 Risk-based Audit (RBA) – focuses on the identification & analysis of risk, compared against how the organisation manages and mitigates that risk.

Domain 2: Summary

 CISOs should use an IS control catalog when creating their controls list.
 Regular audits are necessary to assure that security controls are performing their intended purpose.
 Audits exist to evaluate control compliance & effectiveness.
 Auditing can measure the level of conformity to a requirement.
DOMAIN 3: SECURITY PROGRAM MANAGEMENT AND OPERATION

As the CISO of a portfolio or a program you will need to:

 Identify the program requirements to ensure continuously supported security services and operations.
 Identify key stakeholders and influencers to help establish program support.
 Specify the objectives you wish to accomplish and when they will be completed.
 Define a program charter to set the focus and goals of the organisation.

SECURITY PROGRAM CHARTER

 Resources – the personnel who will support, staff, and lead the IS program.
 Guidance – influences that guide the design of the IS program.
 Objectives – planning documents that will shape the foundation of the IS program.
 Constraints – factors that could inhibit program progress and delivery of services.

SECURITY PROGRAM REQUIREMENTS

 Identify assets requiring protection.
 Inventory legal, regulatory, & compliance requirements.
 Define the attack surface.
 Determine the profiles.
 Complete a Business Impact Analysis (BIA).

3 BASIC APPROACHES TO DEVELOPING A STRATEGIC PLAN:

 Critical assets: the traditional approach, based on protecting the most critical assets (crown jewels) of the organisation.
 Playbook: this sports-like approach is usually preferred by organisations with substantial resources and funding. It executes the information security program according to a published playbook.
 Attack surface: this approach focuses on identifying and defending against threats that could successfully breach the organisation.

An information security program generally has two types of activities:

 Streams of work, also known as subprograms, which are long-term or ongoing activities.
 Security projects, which have a defined end state that, when achieved, signals the end of the activity.

BUDGETING
 Looking at comparative organizations can be a good data point, but it should not be the primary method of determining an information security budget.
 In almost every case the information security budget is based on the organization’s historical spending, as in, “What did we spend last year?” In fact, that isn’t a bad place to start the budget process.
 Budgeting is all about predicting the future, and the more data the CISO has about the past, the better informed the CISO will be about what might happen down the road.

Some of the methods and factors that go into establishing the information security budget:

Start with a baseline: Use the prior year’s data as a starting point. The CISO should consider not just the past year’s spending but also the past year’s budget.

Build a Work Breakdown Structure: A WBS is a method of estimating the work required on a large effort by breaking the work down into smaller units that are easier to estimate and control.

Look at the risk assessment report: If the spending for firewall administration was X but testing indicates the firewalls are frequently misconfigured, maybe the future spending for firewall administration should be more than X.

Estimate the cost of addressing gaps: The CISO uses the results of assessments and audits to determine where spending should occur.

Address life cycle cost: The costs of technology refresh and maintenance agreements are included in the budget.

Conduct value engineering: A good CISO is always considering whether there is a less costly way to do something.

Determine what’s new: The CISO should estimate the costs of addressing new initiatives, making improvements, incorporating new technologies, or addressing new regulations. Organizations change as well.

Consider what could possibly go wrong: Bad things can and will happen. The CISO should establish budgets for unexpected items such as significant security incidents, pandemics, disasters, labour strikes, or things that may pop up that can’t be specifically predicted.

Establish a management reserve: Few organizations allow the CISO to create a budget for undefined spending; it is simply an extra amount added to the estimate “just in case.”

Do a rolling forecast: The CISO needs to look ahead and plan beyond the next year.

Determine what’s in the budget: This includes hardware, software, employees, consultants, outsourced services, vendors, managed services, and any other items within the scope of the security program for which the CISO has been designated responsibility.

Establish not just what to spend but when: The CISO should establish how much can be spent on each WBS element and when that spending will occur.

Managing the people of the Security program

The following ideas can help a CISO manage people effectively:

 Find what motivates each employee.
 Apply positive corrective feedback to employees who make mistakes.
 Challenge employees to surpass their core skills.
 Give employees a voice in IS program evaluation.
 Growth plan: training, certification goals, career path advisement.
