Overview of Maze & Associates ISR process for financial audits, 2003.
Information Systems Security Review (ISR): A Brief Overview
Maze & Associates
Instructor: Donald E. Hester, CISSP, MCSE, Security+, CTT+
Everyone has a job in Security
There is a misconception that security is a job for the Experts or the security professionals.
– Everyone plays an important role in security
– Security should be a part of everyone’s job description
– History comes from accountants and military
– Auditors
– Network Admins
– Business Managers
Part 1: Objectives of IS Security
– The Confidentiality of Data
– The Integrity of Data
– The Availability of Data
C.I.A.: Basic Security Triad
As more and more information becomes available electronically, IS security will become more and more important.
Business Need for Security
Each business model requires emphasis on different security objectives.
– A national defense system will place the greatest emphasis on confidentiality.
– A bank has a greater need for integrity.
– An emergency medical system will emphasize availability.
Part 2: Areas of Security
Part 3: ISR Sources
– Legal and Regulatory Sources
– NIST - National Institute of Standards and Technology
– ISO - International Standards Organization
– RFCs – Request for Comments
– Industry Standards
– Yellow Book
– SAS 94
Part 4: ISR Scope
Limited Scope
– Not a full risk assessment
– Review, not an Audit
– Based on information provided by client
Benefits include
– Gaining better understanding of FS environment
– Raise awareness about controls
– Highlight management’s responsibilities
– Uncover major risks to Financial data
– Raise awareness about regulatory requirements
– Helped clients improve security
– Dispel client myth that everything is public knowledge
Part 5: Parts of ISR
– Sec 1: Statistics
– Sec 2: Disaster Plans
– Sec 3A: Security Management
– Sec 3B: Physical Security
– Sec 3C: Personnel Security
– Sec 3D: Application Security
– Sec 3E: Network Security
– Sec 4: Open Questions
Review ISR
– Review Sections of ISR
– Review Internal Memo
Questions