
IBM ICE (Innovation Centre for Education)

Welcome to:
Unit 5 - Audit and Monitoring, Intelligence, Compliance, Management and Governance

© Copyright IBM Corporation 2015 9.1


Unit objectives

After completing this unit, you should be able to:

• Understand the process of Information Security Audit
• Recognize the Auditing & Regulatory Standards used in India
• Enumerate various concepts of Governance, Risk & Compliance


Background

• The process of verifying the security implementation and comparing it with a standard is known as an audit or security audit
• These audits are carried out based on certain frameworks or best practices, which are also known as standards
• The security posture of an organization can be improved if a risk-based audit program is carried out in the organization


Introduction to Information Security Audit

• Definition
– An information security audit is a process in which the organization's technology team conducts an organizational review to ensure that the correct and most up-to-date processes and infrastructure are being applied.
• Explanation
– Auditing is an evaluation of a person, organization, system, process, enterprise, project or product performed to determine the validity and reliability of information and also to provide an assessment of the system's internal controls


Audit Drivers

• Drivers are responsible for initiating and implementing any project. The following drivers are responsible for an audit:
– Policies
  • An organization's policies generally cover various aspects of the audits that must be conducted to verify the proper functioning of its processes
– Regulations
  • Regulations impose requirements that are important for governing various domains.
– Customer requirements
  • Audits also depend on the requirements of customers who want to improve certain processes of an outsourced organization; the customer wants to ensure that the outsourcing partner employs the same degree of due diligence in its operations as the customer does


Types of Audit

• Internal Audit
– Internal audit, sometimes called a 1st party audit, is a systematic, independent and documented process usually conducted by organizations themselves
– Internal auditing is an independent consulting and assurance activity designed to improve an organization's operations.
• External Audit
– These audits are conducted by other organizations to verify and validate the status of information security
• There are generally 2 types of external audits:
– 2nd party audit
– 3rd party audit


Audit Process

• The main objectives of a security audit are:
– Verify the existing security policy, guidelines, procedures and standards
– Determine the insufficiencies and verify the effectiveness of the existing policy, guidelines, procedures and standards
– Identify and determine the existing vulnerabilities and risks
– Analyze in-place security controls on administrative, managerial and operational issues, together with ensuring compliance with the minimum security standards
– Offer recommendations on corrective actions for improvements


Approach for Information Security Audit
[Diagram slide; figure not reproduced in the extracted text]

Information Security Audit Process
[Diagram slide; figure not reproduced in the extracted text]


Information Security Auditing Standards

• There are many security audit standards, which specify certain techniques that must be followed to make sure that IT resources are protected appropriately
• Types of Auditing Standards
– Management Standard
– Accounting Standard
– Regulatory Standards


Management Standard

• There are certain standards on which the information security audit is based. These standards provide the criteria against which an organization's security process is judged
• Types of management standards:
– ISO 27001
– SAS 70
– SSAE 16
– COBIT
– COSO
– HITRUST CSF


Accounting Standard

• Apart from the ISO standards, there are other standards that can provide guidelines for an information security audit, such as:
• The Sarbanes-Oxley Act of 2002
– The legislation came into force in 2002 and introduced major changes to the regulation of financial practice and corporate governance


Regulatory Standards

• Telecom
– The Draft National Telecom Policy – 2011 (NTP-2011), released on 10 October 2011, directionally sets the groundwork for the next round of transformation in the Indian telecommunications sector
• Banking
– The Reserve Bank of India (RBI) released detailed guidelines on information technology (IT) governance, information security, and cyber fraud for the Indian banking industry.
• Insurance
– The Insurance Regulatory and Development Authority (IRDA) has released draft guidelines on participation in its Electronic Transaction Administration and Settlement System (ETASS)
• Healthcare
– Under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services promulgates rules and regulations to regulate the privacy and security of medical information

Benefits

• The ability to systematically and proactively protect the company from the dangers and potential costs of computer misuse and cybercrime
• The ability to make informed, practical decisions about security technologies and solutions, thus increasing the return on information security investments
• The management and control of costs related to information security
• Greater organizational credibility with staff, customers, and partner organizations
• Better compliance with regulatory requirements for security and privacy


Data Sampling and Collection

• To collect accurate and appropriate data, proper filtering mechanisms must be employed so that relevant data can be extracted from chunks of raw data. Once the relevant data is identified, it is collected and stored for further processing


Log Management

• The process of transmitting, analyzing, storing and disposing of computer security log data is known as computer security log management.
• The events occurring inside an organization's networks and systems are recorded. These records are known as logs
• Logs were originally used for troubleshooting problems, but now a log serves many more functions as well in most organizations
• Types of functions performed by logs:
– To optimize the performance of networks and systems
– To record employees' actions
– In case of malicious activity, to provide useful data


• The volume, number and variety of logs related to computer security have increased for two main reasons:
– Deployment of workstations, networked servers and computing devices has been widespread
– The threats against systems and networks have increased as well
• Types of log sources
– Security Software logs
– Operating System logs
– Application logs

Security Software Logs

• A major source of computer security log data is security software
• Most organizations use several types of host-based and network-based security software to perform the following actions
• Example
– Detection of malicious activities
– Protection of data and systems
– Supporting incident response efforts


Security software generating logs

• Antimalware Software
• Intrusion prevention and detection systems
• Web Proxies
• Authentication Servers
• Routers
• Firewalls
• Network Quarantine Servers


Operating System Logs

• A variety of information is usually logged by operating systems. The common types of security-related operating system logs are as follows:
– System Events
  • Operating systems usually permit administrators to specify which event types will be logged.
– Audit Records
  • An audit record contains a list of security events, such as:
    – Failed and successful authentication attempts
    – Changes in the security policy
    – Changes in account details
    – Attempts to access a file


Application Logs

• Operating systems and security software provide the foundation and protection for applications, which are used to store, access, and manipulate the data used for the organization's business processes
• Types of log information gathered:
– Account information
  • Account changes and failed and successful authentication attempts all fall into this category
– Usage information
  • The number of transactions that have taken place in a period of time
  • The size of each transaction


Application Log Indicators

• An increase in e-mail activity indicates the rise of a new e-mail-borne malware
• A large e-mail that has been sent indicates an inappropriate information release
• Significant operational actions
– This category covers many operational actions. They are:
  • Shutting down and starting up the application
  • Failures in the application
  • Changes in the configuration of a major application. This can be used to identify security compromises and operational failures


Data aggregation and reduction

• The analysis, storage and disposal of log data is typically performed by several functions of the log management infrastructure. The original logs are not altered by these functions.
• The most common types of log management infrastructure functions are as follows:
– General Log Management
– Log Storage


General Log Management

• Log parsing
– Extracting data from a log so that it can be used as input to another logging process is called log parsing
• Event filtering
– Suppressing log entries from reporting, long-term analysis or simple analysis is known as event filtering
• Event aggregation
– Consolidating many similar entries into a single entry is known as event aggregation
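The three functions above carried out in order on a small constructed syslog sample, as an added example that is not part of the original slides; the log lines, the regular expressions and the choice of CRON as "noise" are assumptions made for the illustration.

```python
import re

# Constructed sample log lines (not from the original slides): sshd and cron
# messages as one host's syslog would record them.
SAMPLE_LOG = """\
Mar 03 10:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 50110 ssh2
Mar 03 10:00:03 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 50112 ssh2
Mar 03 10:00:04 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 50114 ssh2
Mar 03 10:00:09 host1 sshd[2205]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 03 10:00:10 host1 CRON[2210]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 03 10:00:11 host1 CRON[2210]: pam_unix(cron:session): session closed for user root
Mar 03 10:00:15 host1 sshd[2207]: Failed password for bob from 198.51.100.9 port 40100 ssh2
"""

# Log parsing: turn one free-text syslog line into named fields so that a
# downstream process (a SIEM, a correlation rule) can consume it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)

def parse_line(line):
    """Parse one syslog line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    a = AUTH_RE.match(entry["msg"])
    if a:
        entry.update(a.groupdict())   # enrich sshd auth messages with result/user/src
    return entry

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

# Event filtering: suppress entries that carry no security meaning for this
# analysis (here: routine cron session open/close noise).
NOISE_PROGRAMS = {"CRON"}

def filter_events(entries):
    return [e for e in entries if e["prog"] not in NOISE_PROGRAMS]

# Event aggregation: consolidate many similar entries (same result, user and
# source) into a single entry carrying a count and the first/last timestamp.
def aggregate_events(entries):
    groups = {}
    for e in entries:
        if "result" not in e:
            continue                  # only authentication events are aggregated here
        key = (e["result"], e["user"], e["src"])
        g = groups.setdefault(key, {"result": e["result"], "user": e["user"],
                                    "src": e["src"], "count": 0,
                                    "first": e["ts"], "last": e["ts"]})
        g["count"] += 1
        g["last"] = e["ts"]
    return list(groups.values())

def run_pipeline(text=SAMPLE_LOG):
    """Parse, then filter, then aggregate; returns all three stages for inspection."""
    parsed = parse_log(text)
    kept = filter_events(parsed)
    return parsed, kept, aggregate_events(kept)

if __name__ == "__main__":
    parsed, kept, agg = run_pipeline()
    print(f"parsed={len(parsed)} after_filter={len(kept)} aggregated={len(agg)}")
    for g in agg:
        print(g)
```

The three failed logins for "admin" from one source collapse into a single aggregated entry with count 3, which is the form a reviewer or a SIEM rule would rather see than three raw lines.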


Log Storage

• Log rotation
– The process of closing an existing log file and opening a new one is called log rotation
• Log archival
– Important logs are sometimes retained for an extended time period; this process is known as log archival
• Log compression
– The process of storing a log file in such a way that the size of the file is reduced without altering the meaning of its content
• Log reduction
– The process of creating a new log by removing entries that are not needed from an existing log
• Log conversion
– This process parses a log in one format and stores its entries in a second format

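Rotation, compression, reduction and conversion applied to a constructed web-server access log, as an added example that is not part of the original slides; the access-log lines, the "not needed" entry rules (health checks and static assets) and the JSON target format are assumptions for the illustration.

```python
import gzip
import json
import os
import re
import tempfile

# Constructed sample entries (not from the slides): an Apache-style access log.
SAMPLE_LINES = [
    '198.51.100.7 - - [03/Mar/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '198.51.100.7 - - [03/Mar/2015:10:00:02 +0000] "GET /static/logo.png HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Mar/2015:10:00:05 +0000] "GET /admin/login HTTP/1.1" 401 212',
    '203.0.113.5 - - [03/Mar/2015:10:00:06 +0000] "POST /admin/login HTTP/1.1" 401 212',
    '198.51.100.9 - - [03/Mar/2015:10:00:09 +0000] "GET /healthz HTTP/1.1" 200 2',
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+)$'
)

def rotate(log_path):
    """Log rotation: close the active file by renaming it and start a fresh one."""
    n = 1
    while os.path.exists(f"{log_path}.{n}"):
        n += 1
    rotated = f"{log_path}.{n}"
    os.rename(log_path, rotated)
    open(log_path, "w").close()
    return rotated

def compress(path):
    """Log compression: gzip the rotated file; content is unchanged, size shrinks."""
    gz_path = path + ".gz"
    with open(path, "rb") as src, gzip.open(gz_path, "wb") as dst:
        dst.write(src.read())
    os.remove(path)
    return gz_path

def reduce_log(lines, drop_paths=("/healthz",), drop_static=True):
    """Log reduction: build a new log without entries that are not needed
    (health checks and static-asset hits carry no security value here)."""
    kept = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            kept.append(line)         # never silently drop what we cannot parse
            continue
        p = m.group("path")
        if p in drop_paths or (drop_static and p.startswith("/static/")):
            continue
        kept.append(line)
    return kept

def convert(lines):
    """Log conversion: parse the access-log format and emit one JSON object per entry."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            d["bytes"] = int(d["bytes"])
            out.append(json.dumps(d, sort_keys=True))
    return out

def demo(workdir=None):
    """Write the sample log, rotate and compress it, read it back, then reduce and convert."""
    workdir = workdir or tempfile.mkdtemp()
    log_path = os.path.join(workdir, "access.log")
    with open(log_path, "w") as f:
        f.write("\n".join(SAMPLE_LINES) + "\n")
    gz_path = compress(rotate(log_path))
    with gzip.open(gz_path, "rt") as f:
        archived = f.read().splitlines()
    reduced = reduce_log(archived)
    return {"gz_path": gz_path, "active_size": os.path.getsize(log_path),
            "archived": archived, "reduced": reduced, "json": convert(reduced)}

if __name__ == "__main__":
    r = demo()
    print(r["gz_path"], "active log bytes:", r["active_size"])
    for j in r["json"]:
        print(j)
```
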
Monitoring and control

• These events can be studied mainly by analyzing network behavior or by reviewing computer security event logs.
• In order to avoid or minimize the losses from an incident, the events need to be analyzed as close to real time as possible
• Log monitoring is done by the third tier of the log architecture, which contains consoles that may be used to monitor and review log data and the results of automated analysis
• Log monitoring consoles can also be used to generate reports


Importance of logs

• Logs can be very helpful in determining what happened when there was a security breach
• Logs are used basically to make records of data
• Other uses of logs
– Logs can be helpful in detecting inappropriate use of data, attacks on systems and other frauds
– Logs can act as the preliminary source of information about an attack, as they record the malicious activities and commands being issued to a server
– Logs can also help in correlating recorded events captured by primary-level log types
– A firewall log can be helpful, as it will store the unauthorized connection attempts that were tried from the same source IP address


Needs for management of logs

• Log management helps in the following ways:
– Logs make sure that computer security records are stored for a suitable time period and in sufficient detail
– Log analysis and reviews are helpful for identifying policy violations, security incidents, fraudulent activity and operational problems in a very short period of time. The logs can also provide data useful for solving these problems
– Logs can support internal investigations, identifying operational trends, establishing baselines and carrying out forensic and audit analysis


• Besides the benefits of log management, a number of regulations and laws make it compulsory for an organization to review and store certain logs
• Regulatory compliance requirements are as follows:
– Federal Information Security Management Act of 2002 (FISMA)
– Gramm-Leach-Bliley Act (GLBA)
– Health Insurance Portability and Accountability Act of 1996 (HIPAA)
– Sarbanes-Oxley Act (SOX) of 2002
– PCI DSS

Considerations for effective log management

• The issues which should be kept in mind while developing the log management process are as follows:
– Balancing a limited amount of log management resources effectively
– There is an ever-increasing supply of log data, which causes more confusion
– The initial log generations have raised several potential problems because of their prevalence and variety
– The integrity, availability and confidentiality of the logs being generated could be compromised intentionally or inadvertently
– The personnel responsible for performing log analysis are not well supported or prepared


Challenges affecting log management

• Logs present challenges of their own when it comes to monitoring, controlling and segregating them properly. The challenges that an organization faces during the management of logs can have a catastrophic effect
• Types of challenges are as follows:
– Challenges of Log Generation & Storage
– Challenge of Log Protection
– Challenges of Log Analysis


Challenges of Log Generation and Storage

• Log sources are too many
– Multiple logs are generated by a single log source
• Example
– Network activity and authentication attempts are stored by a single application in two different logs
• Log content is inconsistent
– Each log source records certain pieces of information in its log entries
• Example
– Host IP addresses and usernames


• Timestamps are inconsistent
– The timestamp in a log will be inaccurate if the host's clock is inaccurate. When logs from multiple hosts are being analyzed, this makes log analysis more difficult
• Example
– Two events that actually occurred 2 minutes apart can be indicated by a false timestamp as having occurred 45 seconds apart

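The inconsistent-timestamp problem above and the firewall use case from "Importance of logs" (unauthorized connection attempts from the same source IP) handled together, as an added example that is not part of the original slides. It assumes two constructed firewall logs, a measured clock skew for one firewall and a local-time zone for the other; events are normalized to UTC before the denied attempts are counted per source address.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed firewall log lines from two firewalls (not from the slides).
# fw-a's clock is known (e.g. from an NTP offset report) to run 75 s fast;
# fw-b stamps entries in local time UTC+05:30 instead of UTC.
FW_A_LINES = [
    "2015-03-03T10:02:15 fw-a DENY TCP 203.0.113.5:51000 -> 10.0.0.4:22",
    "2015-03-03T10:02:17 fw-a DENY TCP 203.0.113.5:51001 -> 10.0.0.4:23",
    "2015-03-03T10:02:19 fw-a DENY TCP 203.0.113.5:51002 -> 10.0.0.4:3389",
    "2015-03-03T10:02:20 fw-a ALLOW TCP 198.51.100.7:40022 -> 10.0.0.4:22",
]
FW_B_LINES = [
    "2015-03-03T15:31:03 fw-b DENY TCP 203.0.113.5:51003 -> 10.0.0.9:445",
    "2015-03-03T15:31:04 fw-b DENY TCP 203.0.113.5:51004 -> 10.0.0.9:135",
    "2015-03-03T15:31:40 fw-b DENY TCP 192.0.2.8:60000 -> 10.0.0.9:22",
]
# Per-host clock correction: (zone the host stamps in, measured skew to subtract).
CLOCK_INFO = {
    "fw-a": (timezone.utc, timedelta(seconds=75)),
    "fw-b": (timezone(timedelta(hours=5, minutes=30)), timedelta(0)),
}

def parse_fw_line(line):
    ts, host, action, proto, src, _, dst = line.split()
    tz, skew = CLOCK_INFO[host]
    # Timestamp normalization: attach the host's zone, subtract its skew and
    # convert to UTC so events from different hosts become comparable.
    local = datetime.fromisoformat(ts).replace(tzinfo=tz)
    utc = (local - skew).astimezone(timezone.utc)
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": utc, "host": host, "action": action, "proto": proto,
            "src_ip": src_ip, "dst_ip": dst_ip, "dst_port": int(dst_port)}

def normalize(*line_sets):
    """Parse every line from every firewall and return one UTC-ordered event list."""
    events = [parse_fw_line(l) for lines in line_sets for l in lines]
    return sorted(events, key=lambda e: e["ts"])

def denied_by_source(events, window=timedelta(seconds=60), threshold=3):
    """Flag source IPs whose DENY count inside any sliding window reaches threshold."""
    per_src = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            per_src[e["src_ip"]].append(e)
    findings = {}
    for src, evs in per_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit = evs[start:end + 1]
                findings[src] = {"count": len(hit),
                                 "hosts": sorted({e["host"] for e in hit}),
                                 "ports": sorted({e["dst_port"] for e in hit})}
    return findings

if __name__ == "__main__":
    evs = normalize(FW_A_LINES, FW_B_LINES)
    for e in evs:
        print(e["ts"].isoformat(), e["host"], e["action"], e["src_ip"], e["dst_port"])
    print(denied_by_source(evs))
```

Read as written, the two logs appear to describe activity hours apart; after correction the five denied attempts from 203.0.113.5 fall inside four seconds across both firewalls, which is the pattern the firewall-log bullet describes.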
Challenges of log protection

• Unintentional or intentional destruction and alteration can happen to logs that are not secured properly in transit or in storage
• Logs need to be protected from breaches of confidentiality and integrity because they contain network and system security records
• Example
– Users' passwords and e-mail contents can be inadvertently or intentionally captured in logs
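One way to address both protection concerns above, as an added example that is not part of the original slides: secret-bearing fields are redacted before storage (confidentiality), and each stored entry is chained to its predecessor with an HMAC so that alteration, deletion or reordering is detected (integrity). The log lines, the list of sensitive field names and the key are assumptions for the illustration.

```python
import hashlib
import hmac
import re

# Constructed application log lines (not from the slides) in which a careless
# debug statement has captured a password and part of an e-mail body.
RAW_LINES = [
    "2015-03-03T10:00:01Z app INFO login user=alice src=198.51.100.7 result=ok",
    "2015-03-03T10:00:02Z app DEBUG login attempt user=bob password=Tr0ub4dor&3 result=fail",
    '2015-03-03T10:00:05Z app INFO mail queued from=alice@example.com to=bob@example.com body="Q3 numbers attached"',
]

# Confidentiality: redact secret-bearing fields before the line reaches storage,
# keeping a short hash of the value so repeated values can still be correlated.
SENSITIVE_RE = re.compile(r'\b(password|passwd|pwd|token|body)=("[^"]*"|\S+)', re.IGNORECASE)

def redact(line):
    def _sub(m):
        digest = hashlib.sha256(m.group(2).encode()).hexdigest()[:8]
        return f"{m.group(1)}=[REDACTED:{digest}]"
    return SENSITIVE_RE.sub(_sub, line)

# Integrity: each stored entry carries an HMAC over (previous tag || entry), so
# altering, deleting or reordering any line breaks every tag from that point on.
def seal(lines, key):
    prev = b"\x00" * 32
    sealed = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed

def verify(sealed, key):
    """Return the index of the first entry whose chain tag does not verify, else -1."""
    prev = b"\x00" * 32
    for i, (line, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1

def protect(lines, key):
    """Redact first, then seal: the secret never reaches the stored, signed record."""
    return seal([redact(l) for l in lines], key)

if __name__ == "__main__":
    key = b"placeholder-key-real-keys-belong-in-a-kms-or-hsm"  # assumption for the demo
    sealed = protect(RAW_LINES, key)
    for line, tag in sealed:
        print(tag[:16], line)
    tampered = list(sealed)
    tampered[1] = (tampered[1][0].replace("result=fail", "result=ok"), tampered[1][1])
    print("intact:", verify(sealed, key), "tampered at:", verify(tampered, key))
```
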


Challenges of Log Analysis

• Administrators treat log analysis as a low-priority task because of other responsibilities, such as mitigating security vulnerabilities and fixing operational problems, together with management requiring quick responses
• The administrators who mostly perform log analysis do not have any training in prioritizing tasks, which would increase its effectiveness and efficiency
• Administrators generally do not have effective tools for automating the process of analyzing logs using scripts and security software tools
• Example
– Host-based intrusion detection products
– Security information and event management software
• Most of these tools are specifically designed to find patterns that are difficult for humans to track
– Correlating multiple logs to track an event that may be invalid
• Most administrators are not inclined towards analyzing logs, which takes a lot of time for little benefit
– After identifying a problem through other means, log analysis is done to get to the root cause
• Log analysis is mostly used as a reactive countermeasure rather than a proactive one
– Monitoring logs to identify upcoming problems through various issues

Introduction to Governance, Risk & Compliance

• Definition
– GRC is an integrated approach for improving governance through more effective compliance and a better understanding of the impact of risk on business performance. It is used by corporations to act in accordance with the guidelines set for each risk category.
• Explanation
– GRC is the integration of all governance, risk assessment and mitigation, and compliance and control activities to operate in synergy and balance.
– Governance, Risk Management and Compliance (GRC) are three pillars that work together for the purpose of assuring that an organization meets its objectives
– A GRC strategy can help create business value by reducing costs, identifying operational inefficiencies, rationalizing controls, and enabling identification and management

GRC Pillars

• Governance
– Good governance is about steering the company in the right direction as well as evolving policies and procedures and improving process efficiency to achieve better alignment with corporate goals
• Risk Management
– Effective risk management enables companies to protect the value built within an organization and can also create new value by identifying opportunities to build growth, increase competitive advantage and drive efficiencies throughout the organization
• Compliance
– Compliance is achieved through various controls that are defined and established to help organizations prevent or detect policy violations and to improve business processes throughout the organization


The value of GRC to business

• GRC promotes the unification of criteria, the coordination of effort and collaboration between the different actors involved in the direction of the organization
• Business values are as follows
– The integration of governance, administration and risk management, internal control and compliance
– Assignment of roles and responsibilities to key personnel
– Formalization of communication channels
– Applying a risk-based approach
– The implementation of a compliance program


Benefits

• Reduced time and cost for audits
• Easy validation of compliance standards
• Reduced risks and increased confidence in financial reporting
• Improved decision-making process through real-time diagnostics
• Generation of internal control guidelines in organizational culture


Tools for GRC

• Accelus GRC
– A solution built to handle the diverse requirements of internal audit, internal controls management, risk management, policy management, legal and compliance professionals
• Key benefits:
– Provides visibility, transparency and oversight over GRC processes
– Monitor and track regulatory rule changes
– Mitigate risk hiding in client relationships and related human networks
– Identify and mitigate legal, regulatory and business risk
– Maintain effective policies and demonstrate supervision
– Streamline audit, risk management and internal control processes
– Efficiently address required regulatory disclosure deadlines


• OpenPages
– An integrated governance, risk and compliance platform that enables companies to manage risk and regulatory challenges across the enterprise
• Key benefits:
– Internal Audit
  • Definition, planning, execution and reporting of audits for all business lines
  • Automated workflows and configurable reports
– IT Risk
  • IT risk evaluation
  • Identification of critical risks, controls and gaps
– Operational Risk
  • Identify, manage and monitor high-level reports
• RSA Archer eGRC
– RSA Archer eGRC solutions allow an organization to build an efficient, collaborative enterprise governance, risk and compliance (eGRC) program across IT, finance, operations and legal domains
• Key benefits:
– Flexibility: The platform offers a point-and-click interface for building and managing business applications.
– Unified: Provides a common platform to manage policies, controls, risks, assessments and deficiencies across lines of business
– Collaborative: The platform enables cross-functional collaboration and alignment

Implementation in real world

• A large financial institution wanted to implement a GRC solution to provide reporting and automated scheduling and to facilitate cross-departmental reporting requirements for approximately 1,000 vendors of various sizes and capacities located around the globe. One key factor driving the need for a GRC solution was the organization's desire to reduce the significant overhead being generated by time-consuming data entry on spreadsheets, regular initiation of manual vendor reviews, and vendor interactions that produced incomplete questionnaires or missed deadlines for submission of information

• GRC is also important for regulatory compliance in hospitals. Besides this, they also need to have an adequate governance and risk approach embedded in their organization. The frequency with which new regulations are introduced requires an approach with a strategic and integrated perspective. Therefore, it is of great necessity that hospitals develop an integrated and risk-based GRC policy. Moreover, it must also be ensured that this crucial business concept is incorporated in a timely and consistent manner and enables hospitals to be future-proof. As many hospitals struggle to organize their GRC processes, an instrument can be very helpful to enhance the way in which they deal with GRC-related issues

Checkpoint (1 of 5)

1. Which of the following processes is responsible for inspection and verification of procedures?
– Business continuity plan
– Group privilege management
– Audit
– Security review
2. When was ISO 27001 updated?
– 2005
– 2013
– 2012
– Never updated




Checkpoint (2 of 5)

3. What does GRC stand for?
– Governance, Regulation & Compliance
– Governance, Risk & Controls
– Government, Regulation & Compliance
– None of the above
4. Which is the updated version of SAS 70?
– ISO 27001
– SAS 71
– SAS 70: 2012
– SSAE 16




Checkpoint (3 of 5)

5. Who conducts an Internal Audit?
– Security Administrator
– Consultant
– Internal Auditor
– External Auditor
6. Who conducts an External Audit?
– Security Administrator
– Consultant
– Internal Auditor
– External Auditor




Checkpoint (4 of 5)

7. Which of the following is the regulatory standard for Healthcare?
– SOX
– GLBA
– HIPAA
– None of the above
8. Which of the following is a GRC tool?
– RSA Archer
– RSA GRC
– Arcsight
– All of the above




Checkpoint (5 of 5)

9. What does PDCA stand for?
– Plan Do Complete Act
– Process Device Compliance Actions
– Plan Do Check Act
– Plan Do Complete Act
10. What is a Log?
– Information that records every activity related to any device or application
– A process to store data
– A procedure to collect event information
– A file that stores information about any problem




Unit summary

Having completed this unit, you should be able to:

• Understand the process of Information Security Audit
• Recognize the Auditing & Regulatory Standards used in India
• Enumerate various concepts of Governance, Risk & Compliance