Authors: Rajkumar Banoth, Narsimha Gugulothu, Aruna Kranthi Godishala
ISBN: 2022016803, 9781032344478
Publisher: CRC Press
Year of publication: 2022
Pages: 193 [194]
Language: English
File format: PDF (converted to PDF, EPUB or AZW3 on request)
File size: 8 Mb
Title: A Comprehensive Guide to Information Security Management and Audit
The text is written to provide readers with a comprehensive study of information security and management systems, audit planning and preparation, audit techniques and collecting evidence, the international information security (ISO) standard 27001, and asset management. It further discusses important topics such as security mechanisms, security standards, audit principles, audit competence and evaluation methods, and the principles of asset management. It will serve as an ideal reference text for senior undergraduate and graduate students and researchers in fields including electrical engineering, electronics and communications engineering, computer engineering, and information technology. The book explores information security concepts and applications from an organizational information perspective and explains the process of audit planning and preparation. It further demonstrates audit techniques and collecting evidence to write important documentation by following the ISO 27001 standards.

The book:
- Elaborates on the application of confidentiality, integrity, and availability (CIA) in the area of audit planning and preparation.
- Covers topics such as managing business assets, agreements on how to deal with business assets, and media handling.
- Demonstrates audit techniques and collects evidence to write the important documentation by following the ISO 27001 standards.
- Explains how the organization’s assets are managed by asset management and access control policies.
- Presents seven case studies.
Table of Contents

Cover
Half Title
Title Page
Copyright Page
Dedication
Table of Contents
Author Bios
Preface
Acknowledgments
Acronyms/Abbreviations

Chapter 1 Information Security and Management System
Information Security Overview
1.1 The OSI Security Architecture
1.2 Information Security
    Security attacks
        Passive attack
        Active attack
1.3 Security Services
    Confidentiality
    Authentication
    Integrity
    Non-repudiation
    Access control
    Availability
1.4 Security Mechanisms
    Specific security mechanisms
    Pervasive security mechanisms
    Model for network security
    Some basic terminologies
        Cryptography
        Cryptanalysis
    Introduction and importance of Information Security and Management System (ISMS)
    Why security management?
1.5 The CIA and DAD Triads
    The CIA triad
    The DAD triad
    How are the CIA and DAD triads mutually exclusive?
    How can you relate the CIA triad in your everyday life?
1.6 ISMS Purpose and Objectives
    Introduction to information security policies
    Elements of information security policy
        Scope (objective)
    Security policies
    Security policy development
        Phased approach
        Security policy contributors
        Security policy audience
    Policy categories
1.7 Frameworks
    Policy categories
    Additional regulations and frameworks
    Security management policies
1.8 Security Standards
    Security standard example
1.9 Standard Services
    Initial password and login settings
    Send mail
1.10 Security Procedures
    Security procedure example
        Apache web server security procedure
1.11 Security Guidelines
    Security guideline example
        Password selection guidelines
            Do
            Don’t
            Suggestions
1.12 Compliance vs. Conformance
    Compliance
    Conformance
    Special applications
    Conclusion on compliance and conformance
Bibliography

Chapter 2 Audit Planning and Preparation
Introduction
2.1 Reasons for Auditing
2.2 Audit Principles
    2.2.1 Planning
    2.2.2 Honesty
    2.2.3 Secrecy
    2.2.4 Audit evidence
    2.2.5 Internal control system
    2.2.6 Skill and competence
    2.2.7 Work done by others
    2.2.8 Working papers
    2.2.9 Legal framework
    2.2.10 Audit report
2.3 Process of Audit Program Management
    2.3.1 Preparing for an audit
    2.3.2 Audit process
2.4 Audit Competence and Evaluation Methods
    2.4.1 Audit of individuals
    2.4.2 Audit of sole trader’s books of accounts
    2.4.3 Audit of partnership firm
        Important provision of Partnership Act
    2.4.4 Government audit
        Important features of the government audit
        Objectives
    2.4.5 Statutory audit
    2.4.6 Audit of companies
    2.4.7 Audit of trust
    2.4.8 Audit of cooperative societies
    2.4.9 Audit of other institutions
        Cost audit
        Objectives of cost audit
    2.4.10 Tax audit
    2.4.11 Balance sheet audit
        Continuous audit
        Annual audit
    2.4.12 Partial audit
    2.4.13 Internal audit
    2.4.14 Management audit
        Objectives of management audit
    2.4.15 Post & Vouch Audit
    2.4.16 Audit in depth
    2.4.17 Interim audit
2.5 Audit Responsibilities
    2.5.1 Reporting on the financial statements
    2.5.2 Unmodified opinions
    2.5.3 Modified opinions
    2.5.4 Emphasizing certain matters without modifying the opinion
    2.5.5 Communicating “other matters”
    2.5.6 Other information included in the annual report
    2.5.7 Other legal and regulatory requirements
    2.5.8 Reporting on the financial statements
2.6 Audit Time and Process Flow
    2.6.1 What is a process?
    2.6.2 Process description
    2.6.3 Control of processes
    2.6.4 Advanced process and system modeling
2.7 ISMS Audit Checklist
    2.7.1 Why is an ISO 27001 Checklist required?
        What is the importance of ISO 27001 Checklists?
    2.7.2 Who can use the ISO 27001 Audit Checklist?
    2.7.3 How many ISO 27001 Checklists are available?
    2.7.4 How to find out which ISO 27001 Checklists are suitable for me?
        2.7.4.1 For an organization aiming for ISO 27001 Certification
        2.7.4.2 For a head of department
        2.7.4.3 For a CISO (Chief Information Security Officer)
        2.7.4.4 For a CTO (Chief Technology Officer) and CIO
        2.7.4.5 For IT department professionals
        2.7.4.6 For preparing for a job interview
    2.7.5 Important information on the ISO 27001 Checklist file
    2.7.6 Who has prepared and who has validated the ISO 27001 Checklists?
    2.7.7 What is the basis of the ISO 27001 Checklist?
    2.7.8 How to use the ISO 27001 Checklist?
Bibliography

Chapter 3 Audit Techniques and Collecting Evidence
3.1 Auditor Quality and Selection
    How to prepare for an auditor selection process
    Four steps to select an auditor
3.2 Audit Script
    Customizing audit scripts
        Customize standard audit scripts
        To customize an audit script
    Using standard audit scripts
        Create new audit scripts
        Enable audit scripts
        Install audit scripts
        Print audit scripts
        Remove audit script
        Set audit scripts
        Update audit scripts
    Using product-specific audit scripts
3.3 Audit Stages
    Levels of audit engagement
3.4 Audit Techniques
    Inspection
    Observation
    Inquiry and confirmation
    Computation
    Analytical procedures
3.5 Collecting Evidence through Questions
    Inquiry
    Sufficient appropriate audit evidence
    Ways of collecting audit evidence
        Inspection
        Observation
        External confirmation
        Documentation
        Recalculation
        Re-performance
        Analytical procedures
        Inquiry
3.6 Observation
3.7 Reporting to Audit Finding
    Different types of audit findings
    Respond to audit findings
3.8 Audit Team Meeting
    Importance of opening meetings
    Opening meeting
        Introduction
        Confirm the scope and objectives of the assessment
        Confirm communications, resources, and escorts
        Current number of employees
        Confirm auditor confidentiality
        Explain the audit program and the reporting process for deficiencies
        Confirm time and place for closing meeting
        Appeals process
        Audit team safety induction
3.9 Nonconformities and Observation
    Example of a well-written nonconformity
    Auditors are held to a higher standard
3.10 Corrective and Preventive Actions
    An in-depth look at corrective and preventive action
    Corrective action
        What’s the scope of corrective action?
        Benefits of corrective action
        Issues of corrective action
        Corrective Action Request (CAR)
    Preventive action
        What’s the scope of preventive action?
    How does corrective action differ from preventive action?
    How is corrective action similar to preventive action?
    Corrective action and preventive action in practice
    Implementing corrective and preventive action
    Using the corrective and preventive action subsystem
Bibliography

Chapter 4 ISO 27001
4.1 Overview of an Information Security and Management System
    ISO publishes two standards that focus on an organization’s ISMS
4.2 Purchase a Copy of the ISO/IEC Standards
4.3 Determine the Scope of the ISMS
4.4 Identify Applicable Legislation
    Scope and purpose
4.5 Define a Method of Risk Assessment
4.6 Create an Inventory of Information Assets to Protect
4.7 Identify Risks
4.8 Assess the Risks
4.9 Identify Applicable Objectives and Controls
4.10 Set Up Policy, Procedures, and Documented Information to Control Risks
4.11 Allocate Resources and Train the Staff
4.12 Monitor the Implementation of the ISMS
4.13 Prepare for the Certification Audit
Bibliography

Chapter 5 Asset Management
5.1 What Are Assets According to ISO 27001?
5.2 Why Are Assets Important for Information Security Management?
5.3 How to Build an Asset Inventory?
5.4 Who Should Be the Asset Owner?
5.5 ISO 27001/ISO 27005 Risk Assessment & Treatment – Six Basic Steps
5.6 The Basic Steps Will Shed Light on What One Has to Do
    5.6.1 ISO 27001 risk assessment methodology
    5.6.2 Risk assessment implementation
    5.6.3 Risk treatment implementation
    5.6.4 ISMS risk assessment report
    5.6.5 Statement of applicability
    5.6.6 Risk treatment plan
5.7 ISO 27001 Controls from Annex A
    5.7.1 How many domains are there in ISO 27001?
    5.7.2 What are the 14 domains of ISO 27001?
5.8 The Importance of the Statement of Applicability for ISO 27001
    5.8.1 Why is it needed?
5.9 ISO 27001: A.8 Asset Management
    5.9.1 Introduction
    5.9.2 Level of assets
    5.9.3 Asset management
    5.9.4 The principles of asset management
    5.9.5 Asset life cycle
        How to go about it?
    5.9.6 Seven steps to implement asset management
5.10 Responsibility for Assets
    A.8.1 Responsibility for assets
        A.8.1.1 Inventory of assets
        A.8.1.2 Ownership of assets
        A.8.1.3 Acceptable use of assets
        A.8.1.4 Return of asset
        A.8.1.5 Responsibility for assets
5.11 Information Classification
    A.8.2 Information classification
        A.8.2.1 Classification of information
        A.8.2.2 Labeling of information control
        A.8.2.3 Handling of assets
5.12 Media Handling
    A.8.3 Media handling
        A.8.3.1 Management of removable media
        A.8.3.2 Disposal of media
        A.8.3.3 Physical media transfer
5.13 BYOD
    5.13.1 What are the types of BYOD?
    5.13.2 Why is BYOD important?
    5.13.3 Benefits of BYOD
        Improve productivity
        Boost employee satisfaction
        Cut enterprise costs
        Attract new hires
    5.13.4 Risks of BYOD
    5.13.5 Keys to effective BYOD
    5.13.6 Guidelines to help plan and implement effective BYOD
Bibliography

Index