Role of compliance in security audits
1. Role of Compliance in Security Audits
Agenda:
Information Security Compliance
Memory Techniques for quick revision / recall
2. Information Security Compliance
The Road Ahead:
Need for Compliance
The Five R’s for IS Compliance
ISO 27001 : An Introduction
Steps for ISMS Implementation
Common Myths on ISO 27001
4. The Five R's of IS Compliance
Reputation
• Protecting the business from the impact of a security breach
Regulation
• Complying with multiple regulations
• Developing a common security and audit framework
Revenue
• Protecting the corporate intellectual property / trade secrets
Resilience
• Ensuring continuity of critical business processes during a disaster
Recession Proofing
• Reduces the spend needed to counter economic pressures, e.g. GRC tools
5. ISO 27001 : Overview
• ISO 27001 defines best practices for information security management
• A management system should balance physical, technical, procedural, and personnel security
• Without a formal Information Security Management System, there is a greater risk of your security being breached
• Information security is a management process, NOT a technological process
6. ISO 27001 : Family of Standards
• ISO 27000 – Principles and vocabulary
• ISO 27001 – ISMS requirements
• ISO 27002 – formerly ISO/IEC 17799:2005 (renumbered from 2007 onwards)
• ISO 27003 – ISMS Implementation guidelines
• ISO 27004 – ISMS Metrics and measurement
• ISO 27005 – ISMS Risk Management
• ISO 27006 – 27010 – allocated for future use
8. Steps for ISMS Implementation
1. Obtain management support
2. Treat as a project
3. Define the scope
4. Write an ISMS Policy
5. Define the Risk Assessment methodology
6. Perform the risk assessment & risk treatment
7. Write the Statement of Applicability
8. Write the Risk Treatment Plan
9. Define how to measure the effectiveness of controls
10. Implement the controls & mandatory procedures
11. Implement training and awareness programs
12. Operate the ISMS
13. Monitor the ISMS
14. Internal audit
15. Management review
16. Corrective and preventive actions
9. Common Myths about ISO 27001
"The standard requires..."
"We'll let the IT department handle it"
"We'll implement it in a few months"
"This standard is all about documentation"
"The only benefit of the standard is for marketing purposes"
11. Memory Techniques
The Road Ahead:
Mnemonics
Sentence Aid
Workflow Diagrams
Colour Coding differentiation
12. Mnemonics
Abbreviated character strings used as an easy memory aid.
How to operate?
Take the first letter of each word or point and arrange them in a "useful" order.
Best Practices:
For a long mnemonic string, group it into chunks of 2 or 3 for quick recall.
If the mnemonic comes to resemble a DISTINCT entity or person, assign that entity to the mnemonic for lasting impact.
13. Mnemonics
Examples:
Process Workflow (Plan – Do – Check – Act)
Mnemonic: PDCA
Memory Aid: Imagine the “Pen Drive” of a CA (CA = Certifying Authority)
14. Mnemonics (contd.)
Examples:
COBIT Domains:
a) Plan and Organize
b) Acquire and Implement
c) Deliver and Support
d) Monitor and Evaluate
Mnemonic: PADM
Memory Aid: Imagine the PADM Shri Award
15. Sentence Aid
A memory recall technique to easily recall long mnemonic strings “in order”.
Advantage:
Used especially when the mnemonic string is quite long (5 or more points).
Helpful for easy recall.
Example:
Mnemonic for OWASP Top 10 is: ICBI CS IF I U
16. Sentence Aid
Prerequisites:
A Sentence Aid MUST be an expression making a visual impact on your memory.
Always design a Sentence Aid which is:
a) Mnemonic workflow oriented (to maintain serial order)
b) Bound to a strong event in your memory
c) A natural progression
d) Written with capital letters indicating the actual point of the mnemonic
17. EXAMPLE:
Sentence Aid for the OWASP Top 10 Mnemonic : ICBI CS IF I U
• Injection
• Cross Site Scripting (XSS)
• Broken Authentication and Session Mgmt
• Insecure Direct Object References
• Cross Site Request Forgery (CSRF)
• Security Misconfiguration
• Insecure Cryptographic Storage
• Failure to Restrict URL Access
• Insufficient Transport Layer Protection
• Unvalidated Redirects and Forwards
Sentence Aid: ICBI Counter Strike If Fails, Informs U.
18. Sentence Aid
Example:
OSI Layer Model
Layer 1: Physical layer
Layer 2: Data link layer
Layer 3: Network layer
Layer 4: Transport layer
Layer 5: Session layer
Layer 6: Presentation layer
Layer 7: Application layer
Sentence Aid:
Please Do Not Take Sales Person’s Advice
19. Workflow Diagrams
These figures/diagrams show the directional flow of a process.
Their advantage is that they can summarize vast information in an appealing view.
We can readily grasp the “gist” of the process workflow.
Workflow types are:
• Flowcharts
• Hierarchy Diagrams (Pyramids, Topology figures)
• Data Flow Diagrams (DFDs)
• Cyclic Processes
23. Color Coding Differentiation
This technique takes advantage of the fact that we remember figures better when they are filled with different background colors.
Using the same color for related fields helps us to distinguish entities of the same genre.
25. Quotes:
Imagination is more important than knowledge. For knowledge is limited, whereas imagination embraces the entire world, stimulating progress, giving birth to evolution. It is, strictly speaking, a real factor in scientific research.
-- Albert Einstein
But in reality, without knowledge, imagination cannot be developed.
-- Wikipedia (on Imagination), after the Einstein quote.
26. Precautions
Study the subject matter thoroughly before venturing into memorizing techniques.
Know WHAT YOUR ABBREVIATION stands for rather than keeping only the mnemonic in mind.
Memory techniques are only an AID. They are NOT a SUBSTITUTE for comprehensive study.
They are best utilized AFTER comprehensive study, for REVISION.