CCISO Notes 2

The document outlines the importance of information security controls and audit management, detailing frameworks like ISO/IEC 27001/27002 and NIST, as well as the control lifecycle management process. It emphasizes the necessity of regular audits to ensure the effectiveness of security controls and compliance with legal and regulatory requirements. Additionally, it discusses the role of a CISO in managing security programs, including identifying requirements, stakeholders, and strategic planning approaches.

Uploaded by Ronit Yadav

DOMAIN 2: INFORMATION SECURITY CONTROLS & AUDIT MANAGEMENT

2.1 Security framework

o ISO/IEC 27001/27002
o NIST
These are the security frameworks most widely used and preferred by CISOs. Some of the widely known frameworks derived from them are:
o HITRUST
o ISF
o ITIL

2.1.1 Security controls


2.1.2 Control lifecycle
Controls are assets and need to be managed based on their lifecycle.

Fig: Control lifecycle management (cycle: Select, Validate, Catalog, Implement, Monitor)

o SELECT – select the control, and
o VALIDATE – make sure it is adequate.
o CATALOG – maintain an inventory of controls (NIST 800-53).
o IMPLEMENT – implement the controls, and then
o MONITOR – make sure they are effective. As the system/threat landscape changes within the organisation, we modify the controls by adopting a new control or getting rid of ineffective controls.

Control catalogue:
 Control catalogs are used to identify the family or category of controls and the objectives of each control.
 Catalogs provide guidance or recommendations for implementing controls.
 The two most widely referenced catalogs are:
o ISO 27002
o NIST 800-53
2.1.3 Control Classification

Control classification allows CISOs to select a control for a specific purpose.

Controls serve to protect information & assets or support security tenets:
 CIA triad
 COSO
 PDC
 Defence-in-depth
 NIST Security Control Classes
 NIST Minimum Security Controls
The NIST control classes and minimum security controls are the baseline of security control: the minimum controls need to be there.

In 2001, NIST 800-26, Guide for Information Security Program Assessment and System Reporting Form, described the classes of controls:
o Management
o Operational
o Technical

Fig: NIST classes of controls

Laws are regulatory requirements mandated by government entities; they are legally binding and enforceable, often with penalties for non-compliance:
 HIPAA
 FISMA
 GDPR

Standards are voluntary guidelines or frameworks established by industry organisations:
 ISO 2700X family
 PCI DSS
 SOC 2
 NIST

Fig: ISO family of standards, PCI-DSS, NIST publications

2.2 Audit Management

Audits are designed to:
 Confirm that information technology is adequately safeguarded to prevent compromise or interruption affecting an organisation's finances and reputation.
 Highlight violations of legal and regulatory requirements.

The most frequently used and referenced IS audit practices are:
 ISO/IEC
 NIST
 COBIT

There are two types of audits:
 Internal audit – focuses on financial controls; it will have one or several employees who have experience in information technology and information security controls.
 External audit – focuses on verifying financial statements and risk to the organisation, and is typically performed by third parties or regulatory agencies.

Fig: Internal vs External Audit function comparison chart

2.2.1 Audit process

 Planning
o Review previous audits.
o Research the area of the planned audit.
o Schedule the audit.
o Request documentation.
o Hold a pre-audit meeting.
 Fieldwork
o Interview staff.
o Review proof of design.
o Test design effectiveness.
o Analyse controls compared to standards and practices.
o Identify strengths & weaknesses.
 Reporting
o Compile evidence & results.
o Discuss results with the auditee.
o Request remediation action plans.
o Create reports for senior management & the audit committee.
 Follow-up
o Monitor remediation action plan progress.
o Validate remediation actions.

Audit approaches:
 Compliance-based Audit (CBA) – checks whether an organisation complies with policies, regulations, standards & legal statutes.
 Risk-based Audit (RBA) – focuses on the identification & analysis of risk in comparison to how an organisation manages and mitigates that risk.

Domain 2: Summary

 CISOs should use an IS control catalog when creating their controls list.
 Regular audits are necessary to assure that security controls are performing their intended purpose.
 Audits exist to evaluate control compliance & effectiveness.
 Auditing can measure the level of conformity to a requirement.
DOMAIN 3: SECURITY PROGRAM MANAGEMENT AND OPERATION

As the CISO of a portfolio or a program you will need to:

 Identify the program requirements to ensure continuously supported security services and operations.
 Identify key stakeholders and influencers to help establish program support.
 Specify the objectives you wish to accomplish and when they will be completed.
 Define a program charter to set the focus and goals of the organisation.

SECURITY PROGRAM CHARTER

 Resources – the personnel who will support, staff, and lead the IS program.
 Guidance – influences that guide the design of the IS program.
 Objectives – planning documents that will shape the foundation of the IS program.
 Constraints – factors that could inhibit program progress and delivery of services.

SECURITY PROGRAM REQUIREMENTS

 Identify assets requiring protection.
 Inventory legal, regulatory, & compliance requirements.
 Define the attack surface.
 Determine the profiles.
 Complete a Business Impact Analysis (BIA).

3 BASIC APPROACHES TO DEVELOPING A STRATEGIC PLAN:

Critical assets: this traditional approach is based on protecting the organisation's most critical assets (crown jewels).
Playbook: this sports-like approach is usually preferred by organisations with substantial resources and funding. It executes an information security program based on a published playbook.
Attack surface: this approach focuses on identifying and defending against threats that could successfully breach the organisation.
