A Comprehensive Guide to Information Security Management and Audit
By Rajkumar Banoth, Narsimha Gugulothu, Aruna Kranthi Godishala
- Publisher: CRC Press
- Year: 2022
- Language: English
- Pages: 194
- Category: Library
Synopsis
The text is written to provide readers with a comprehensive study of information security management systems, audit planning and preparation, audit techniques and evidence collection, the international information security standard ISO/IEC 27001, and asset management. It further discusses important topics such as security mechanisms, security standards, audit principles, audit competence and evaluation methods, and the principles of asset management. It will serve as an ideal reference text for senior undergraduate and graduate students and researchers in fields including electrical engineering, electronics and communications engineering, computer engineering, and information technology.
The book explores information security concepts and applications from an organizational perspective and explains the process of audit planning and preparation. It further demonstrates audit techniques and evidence collection used to produce the documentation required by the ISO 27001 standard.
The book:
Elaborates on the application of confidentiality, integrity, and availability (CIA) to audit planning and preparation.
Covers topics such as managing business assets, agreements on how to handle business assets, and media handling.
Demonstrates audit techniques and evidence collection for producing the documentation required by the ISO 27001 standard.
Explains how an organization's assets are managed through asset management and access control policies.
Presents seven case studies.
Table of Contents
Cover
Half Title
Title Page
Copyright Page
Dedication
Table of Contents
Author Bios
Preface
Acknowledgments
Acronyms/Abbreviations
Chapter 1 Information Security and Management System
Information Security Overview
1.1 The OSI Security Architecture
1.2 Information Security
Security attacks
Passive attack
Active attack
1.3 Security Services
Confidentiality
Authentication
Integrity
Non-repudiation
Access control
Availability
1.4 Security Mechanisms
Specific security mechanisms
Pervasive security mechanisms
Model for network security
Some basic terminologies
Cryptography
Cryptanalysis
Introduction and importance of Information Security and Management System (ISMS)
Why security management?
1.5 The CIA and DAD Triads
The CIA triad
The DAD triad
How are the CIA and DAD triads mutually exclusive?
How can you relate the CIA triad in your everyday life?
1.6 ISMS Purpose and Objectives
Introduction to information security policies
Elements of information security policy
Scope (objective)
Security policies
Security policy development
Phased approach
Security policy contributors
Security policy audience
Policy categories
1.7 Frameworks
Policy categories
Additional regulations and frameworks
Security management policies
1.8 Security Standards
Security standard example
1.9 Standard
Services
Initial password and login settings
Send mail
1.10 Security procedures
Security procedure example
Apache web server security procedure
1.11 Security Guidelines
Security guideline example
Password selection guidelines
Do
Don't
Suggestions
1.12 Compliance vs. Conformance
Compliance
Conformance
Special applications
Conclusion on compliance and conformance
Bibliography
Chapter 2 Audit Planning and Preparation
Introduction
2.1 Reasons for Auditing
2.2 Audit Principles
2.2.1 Planning
2.2.2 Honesty
2.2.3 Secrecy
2.2.4 Audit evidence
2.2.5 Internal control system
2.2.6 Skill and competence
2.2.7 Work done by others
2.2.8 Working papers
2.2.9 Legal framework
2.2.10 Audit report
2.3 Process of Audit Program Management
2.3.1 Preparing for an audit
2.3.2 Audit process
2.4 Audit competence and evaluation methods
2.4.1 Audit of individuals
2.4.2 Audit of sole trader's books of accounts
2.4.3 Audit of partnership firm
Important provision of Partnership Act
2.4.4 Government audit
Important features of the government audit
Objectives
2.4.5 Statutory audit
2.4.6 Audit of companies
2.4.7 Audit of trust
2.4.8 Audit of cooperative societies
2.4.9 Audit of other institutions
Cost audit
Objectives of cost audit
2.4.10 Tax audit
2.4.11 Balance sheet audit
Continuous audit
Annual audit
2.4.12 Partial audit
2.4.13 Internal audit
2.4.14 Management audit
Objectives of management audit
2.4.15 Post & Vouch Audit
2.4.16 Audit in depth
2.4.17 Interim audit
2.5 Audit Responsibilities
2.5.1 Reporting on the financial statements
2.5.2 Unmodified opinions
2.5.3 Modified opinions
2.5.4 Emphasizing certain matters without modifying the opinion
2.5.5 Communicating "other matters"
2.5.6 Other information included in the annual report
2.5.7 Other legal and regulatory requirements
2.5.8 Reporting on the financial statements
2.6 Audit Time and Process Flow
2.6.1 What is a process?
2.6.2 Process description
2.6.3 Control of processes
2.6.4 Advanced process and system modeling
2.7 ISMS audit checklist
2.7.1 Why ISO 27001 Checklist is required? What is the importance of ISO 27001 Checklists?
2.7.2 Who all can use ISO 27001 Audit Checklist?
2.7.3 How many ISO 27001 Checklists are available?
2.7.4 How to find out which ISO 27001 Checklists are suitable for me?
2.7.4.1 For an organization aiming for ISO 27001 Certification
2.7.4.2 For a head of the department?
2.7.4.3 For a CISO (Chief Information Security Officer)
2.7.4.4 For a CTO (Chief Technology Officer) and CIO
2.7.4.5 For IT department professionals
2.7.4.6 For preparing for a job interview
2.7.5 Important information on ISO 27001 Checklist file
2.7.6 Who has prepared and who has validated ISO 27001 Checklists?
2.7.7 What is the basis of the ISO 27001 Checklist?
2.7.8 How to use ISO 27001 Checklist?
Bibliography
Chapter 3 Audit Techniques and Collecting Evidence
3.1 Auditor Quality and Selection
How to prepare for an auditor selection process
Four steps to select an auditor
3.2 Audit Script
Customizing audit scripts
Customize standard audit scripts
To customize an audit script
Using standard audit scripts
Create new audit scripts
Enable audit scripts
Install audit scripts
Print audit scripts
Remove audit script
Set audit scripts
Update audit scripts
Using product-specific audit scripts
3.3 Audit Stages
Levels of audit engagement
3.4 Audit Techniques
Inspection
Observation
Inquiry and confirmation
Computation
Analytical procedures
3.5 Collecting Evidence through Questions
Inquiry
Sufficient appropriate audit evidence
Ways of collecting audit evidence
Inspection
Observation
External confirmation
Documentation
Recalculation
Re-performance
Analytical procedures
Inquiry
3.6 Observation
3.7 Reporting to Audit Finding
Different types of audit findings
Respond to audit findings
3.8 Audit Team Meeting
Importance of opening meetings
Opening meeting
Introduction
Confirm the scope and objectives of the assessment
Confirm communications, resources, and escorts
Current number of employees
Confirm auditor confidentiality
Explain the audit program and the reporting process for deficiencies
Confirm time and place for closing meeting
Appeals process
Audit team safety induction
3.9 Nonconformities and Observation
Example of a well-written nonconformity
Auditors are held to a higher standard
3.10 Corrective and Preventive Actions
An in-depth look at corrective and preventive action
Corrective action
What's the scope of corrective action?
Benefits of corrective action
Issues of corrective action
Corrective Action Request (CAR)
Preventive action
What's the scope of preventive action?
How does corrective action differ from preventive action?
How is corrective action similar to preventive action?
Corrective action and preventive action in practice
Implementing corrective and preventive action
Using the corrective and preventive action subsystem
Bibliography
Chapter 4 ISO 27001
4.1 Overview of an Information Security and Management System
ISO publishes two standards that focus on an organization's ISMS:
4.2 Purchase a Copy of the ISO/IEC Standards
4.3 Determine the Scope of the ISMS
4.4 Identify Applicable Legislation
Scope and purpose
4.5 Define a Method of Risk Assessment
4.6 Create an Inventory of Information Assets to Protect
4.7 Identify Risks
4.8 Assess the Risks
4.9 Identify Applicable Objectives and Controls
4.10 Set Up Policy, Procedures, and Documented Information to Control Risks
4.11 Allocate Resources and Train the Staff
4.12 Monitor the Implementation of the ISMS
4.13 Prepare for the Certification Audit
Bibliography
Chapter 5 Asset Management
5.1. What Are Assets According to ISO 27001?
5.2. Why Are Assets Important for Information Security Management?
5.3. How to Build an Asset Inventory?
5.4. Who Should be the Asset Owner?
5.5. ISO 27001/ISO 27005 Risk Assessment & Treatment: Six Basic Steps
5.6. The Basic Steps Will Shed Light on What One Has to Do
5.6.1 ISO 27001 risk assessment methodology
5.6.2 Risk assessment implementation
5.6.3 Risk treatment implementation
5.6.4 ISMS risk assessment report
5.6.5 Statement of applicability
5.6.6 Risk treatment plan
5.7. ISO 27001 Controls from Annex A
5.7.1 How many domains are there in ISO 27001?
5.7.2 What are the 14 domains of ISO 27001?
5.8. The Importance of Statement of Applicability for ISO 27001
5.8.1 Why it is needed?
5.9. ISO 27001: A.8 Asset Management
5.9.1 Introduction
5.9.2 Level of assets
5.9.3 Asset management
5.9.4 The principles of asset management
5.9.5 Asset life cycle
How to go about it?
5.9.6 Seven steps to implement asset management
5.10. Responsibility for Assets
A.8.1 Responsibility for assets
A.8.1.1 Inventory of assets
A.8.1.2 Ownership of assets
A.8.1.3. Acceptable use of assets
A.8.1.4. Return of asset
A.8.1.5. Responsibility for assets
5.11. Information Classification
A.8.2 Information classification
A.8.2.1 Classification of information
A.8.2.2 Labeling of information control
A.8.2.3 Handling of assets
5.12. Media Handling
A.8.3 Media handling
A.8.3.1 Management of removable media
A.8.3.2 Disposal of media
A.8.3.3 Physical media transfer
5.13. BYOD
5.13.1 What are the types of BYOD?
5.13.2 Why is BYOD important?
5.13.3 Benefits of BYOD
Improve productivity
Boost employee satisfaction
Cut enterprise costs
Attract new hires
5.13.4 Risks of BYOD
5.13.5 Keys to effective BYOD
5.13.6 Guidelines to help plan and implement effective BYOD
Bibliography
Index
Similar volumes
This groundbreaking book helps you master the management of information security, concentrating on the proactive recognition and resolution of the practical issues of developing and implementing IT security for the enterprise. Drawing upon the authors' wealth of valuable experience in high-risk comm
Spectacular security failures continue to dominate the headlines despite huge increases in security budgets and ever-more draconian regulations. The 20/20 hindsight of audits is no longer an effective solution to security weaknesses, and the necessity for real-time strategic metrics has never been m
Unveiling the Core Principles of Effective Auditing for Business Excellence Are you ready to unlock the secrets of effective auditing that drive organizational success? "Auditing Essentials" is your indispensable guide to understanding and harnessing the power of audits for business excellence. W
Create appropriate, security-focused business propositions that consider the balance between cost, risk, and usability, while starting your journey to become an information security manager. Covering a wealth of information that explains exactly how the industry works today, this book focuses on how