Welcome to: Unit 5 - Audit and Monitoring, Intelligence, Compliance, Management and Governance
• Definition
– An information security audit is a process in which the organization’s technology team conducts an organizational review to ensure that the correct and most up-to-date processes and infrastructure are being applied.
© Copyright IBM Corporation 2015
• Explanation
– Auditing is an evaluation of a person, organization, system, process, enterprise, project or product, performed to determine the validity and reliability of information and also to provide an assessment of the system’s internal controls.
Audit
• Internal Audit
– Internal audit, sometimes called 1st party audit, is a systematic,
independent and documented process usually conducted by
organizations themselves
– Internal auditing is an independent, consulting and assuring
activity designed to improve an organization's operations.
• External Audit
– These audits are conducted by other organizations to verify and validate the status of information security
• There are generally 2 types of external audits:
– 2nd party audit
– 3rd party audit
• There are many audit standards for security which specify certain techniques that must be followed to make sure that IT resources are protected appropriately
• Types of Auditing Standards
– Management Standard
– Accounting Standard
– Regulatory Standards
• Telecom
– The Draft National Telecom Policy – 2011 (NTP-2011), released on 10
October, 2011 directionally sets the groundwork for the next round of
transformation in the Indian telecommunications sector
• Banking
– The Reserve Bank of India (RBI) released detailed guidelines on
information technology (IT) governance, information security, and cyber
fraud for the Indian banking industry.
• Insurance
– The Insurance Regulatory and Development Authority (IRDA) has released draft guidelines on participation in its Electronic Transaction Administration and Settlement System (ETASS)
• Healthcare
– Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services promulgates rules and regulations governing the privacy and security of medical information
Benefits IBM ICE (Innovation Centre for Education)
• Antimalware Software
• Intrusion prevention and detection systems
• Web Proxies
• Authentication Servers
• Routers
• Firewalls
• Network Quarantine Servers
• The analysis, storage and disposal of log data are typically performed by several functions of the log management infrastructure. The original logs are not altered by these functions.
• The most common types of log management infrastructure functions are as follows:
– General Log Management
– Log Storage
• Log parsing
– Extracting data from a log so that the values can be used as input to another logging process is called log parsing
• Event filtering
– Log entries are suppressed from reporting, long-term analysis or simple analysis; this process is known as event filtering
• Event aggregation
– Many similar entries are consolidated into a single entry. This process is known as event aggregation
• Rotation of log
– The process of closing an existing log file and opening a new one is called log rotation
• Archival of log
– Important logs are sometimes retained for an extended time period; this process is known as log archival
• Compression of log
– The process of storing a log file in such a way that its size is reduced without altering the meaning of its content
• Reduction of log
– The process of creating a new log by removing entries from a log which are not needed
• Conversion of log
– This process parses a log in one format and stores its entries in a second format
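The log management functions listed above, as an added example that is not part of the course slides: a small Python pipeline that parses constructed sample entries, filters, aggregates and reduces them, converts them to JSON lines and compresses the result. The `<ts> <host> <level> <msg>` layout and the sample lines are assumptions made for illustration.

```python
# Added example (not from the course slides): the log management functions
# above, applied to constructed sample entries in an assumed text layout.
import gzip
import json
import re
from collections import Counter

# Constructed sample lines in an assumed "<ts> <host> <level> <msg>" layout.
SAMPLE_LOG = """\
2015-03-01T10:00:01Z fw1 INFO connection allowed src=10.0.0.5 dst=10.0.1.9
2015-03-01T10:00:02Z fw1 WARN connection denied src=10.0.0.7 dst=10.0.1.9
2015-03-01T10:00:02Z fw1 WARN connection denied src=10.0.0.7 dst=10.0.1.9
2015-03-01T10:00:03Z fw1 DEBUG heartbeat ok
2015-03-01T10:00:04Z ids1 ALERT signature matched src=10.0.0.7
2015-03-01T10:00:05Z fw1 WARN connection denied src=10.0.0.7 dst=10.0.1.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<level>\w+)\s+(?P<msg>.*)$")

def parse(text):
    """Log parsing: extract fields from raw lines so later functions can use them."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def filter_events(events, drop_levels=("DEBUG",)):
    """Event filtering: suppress entries (here DEBUG noise) from further analysis."""
    return [e for e in events if e["level"] not in drop_levels]

def aggregate(events):
    """Event aggregation: consolidate identical host/level/msg entries into one,
    keeping the first timestamp and adding a count."""
    counts = Counter((e["host"], e["level"], e["msg"]) for e in events)
    seen, out = set(), []
    for e in events:
        key = (e["host"], e["level"], e["msg"])
        if key not in seen:
            seen.add(key)
            out.append({**e, "count": counts[key]})
    return out

def reduce_log(events, keep=("ts", "host", "level", "count")):
    """Log reduction: drop fields not needed for long-term analysis."""
    return [{k: e[k] for k in keep if k in e} for e in events]

def convert_to_json(events):
    """Log conversion: store entries parsed from text in a second format (JSON lines)."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)

def compress(text):
    """Log compression: shrink the stored file without changing its content."""
    return gzip.compress(text.encode())
```

Rotation and archival act on the file itself (closing the live file and retaining the old one) and are not shown; `compress` returns the gzip bytes that such an archive would hold.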
Monitoring and control
• Definition
– GRC is an integrated approach for improving governance through more effective compliance and a better understanding of the impact of risk on business performance. It is used by corporations to act in accordance with the guidelines set for each risk category.
• Explanation
– GRC is the integration of all governance, risk assessment and mitigation, and compliance and control activities to operate in synergy and balance.
– Governance, Risk Management and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives
– A GRC strategy can help create business value by reducing costs, identifying operational inefficiencies, rationalizing controls, and enabling identification and management
GRC Pillars
• Governance
– Good governance is about steering the company in the right
direction as well as evolving policies and procedures and improving
process efficiency to achieve better alignment with corporate goals
• Risk Management
– Effective risk management enables companies to protect the
value built within an organization and can also create new value
by identifying opportunities to build growth, increase competitive
advantage and drive efficiencies throughout the organization
• Compliance
– Compliance is achieved through various controls that are defined
and established to help organizations prevent or detect policy
violations and to improve business processes throughout the
organization
• Accelus GRC
– Solution built to handle the diverse requirements of internal audit,
internal controls management, risk management, policy
management, legal and compliance professionals
• Key benefits:
– Provides visibility, transparency and oversight over GRC processes
– Monitor and track regulatory rule changes
– Mitigate risk hiding in client relationships and related human networks
– Identify and mitigate legal, regulatory and business risk
– Maintain effective policies and demonstrate supervision
– Streamline audit, risk management and internal control processes
– Efficiently address required regulatory disclosure deadlines
1. Which of the following processes is responsible for inspection and verification of procedures?
– Business continuity plan
– Group privilege management
– Audit
– Security review
2. When was ISO 27001 updated?
– 2005
– 2013
– 2012
– Never updated
3. What does GRC stand for?
– Governance, Regulation & Compliance
– Governance, Risk & Controls
– Government, Regulation & Compliance
– None of the above
4. Which is the updated version of SAS 70?
– ISO 27001
– SAS 71
– SAS 70: 2012
– SSAE 16
5. Who conducts Internal Audit?
– Security Administrator
– Consultant
– Internal Auditor
– External Auditor
6. Who conducts an External Audit?
– Security Administrator
– Consultant
– Internal Auditor
– External Auditor
7. Which of the following is the regulatory standard for
Healthcare?
– SOX
– GLBA
– HIPAA
– None of the above
8. Which of the following is a GRC tool?
– RSA Archer
– RSA GRC
– Arcsight
– All of the above
9. What does PDCA stand for?
– Plan Do Complete Act
– Process Device Compliance Actions
– Plan Do Check Act
– Plan Do Complete Act
10. What is a Log?
– Information that records every activity related to any device or application
– A process to store data
– A procedure to collect event information
– A file that stores information of any problem