Information Security Management Principles Part II
Information Security Audit
An information security audit is an audit of the level of information security in an organization.
More generally, an audit is an evaluation of a person, organization, system, process, enterprise, project or product (Wikipedia).
The relationship between ISEC Audit and ISEC Management
- ISEC audits are mainly based on ISEC management standards and frameworks such as ISO/IEC 17799 (since renumbered ISO/IEC 27002), ISO/IEC 27001, COSO, COBIT, ITIL and the NIST SP 800 series.
- These standards define control mechanisms that, when implemented, keep information security risks within acceptable bounds; the audit checks that those controls exist and operate as intended, which is how the purpose of an information security audit is achieved.
Information Security Management Tools
Two important tools are metrics and service agreements.
Metrics are a management tool that facilitates decision-making and accountability through practical and relevant data collection, data analysis, and performance data reporting.
A service agreement is the agreement between the service provider and the organization requesting the service, typically written as a service level agreement (SLA) whose targets are what the metrics are measured against.
ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an information security management system (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full name is ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements (the standard has since been revised, in 2013 and again in 2022). ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. Being a formal specification means that it mandates specific requirements. Organizations that claim to have adopted ISO/IEC 27001 can therefore be formally audited and certified compliant with the standard.
ISO/IEC 27002:2005 developed from BS 7799, published in the mid-1990s. The British Standard was adopted by ISO/IEC as ISO/IEC 17799:2000, revised in 2005, and renumbered (but otherwise unchanged) in 2007 to align with the other ISO/IEC 27000-series standards. ISO/IEC 27002 provides best-practice recommendations on information security controls for use by those responsible for initiating, implementing or maintaining an ISMS. Unlike ISO/IEC 27001 it is a guidance document, not a specification: organizations are certified against 27001, and use 27002 as the catalogue of controls to implement.
ISO/IEC 27004:2009, part of a growing family of ISO/IEC ISMS standards, the ‘ISO/IEC 27000 series’, is an information security standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The purpose of ISO/IEC 27004 is to help organizations measure, report and hence systematically improve the effectiveness of their Information Security Management System (ISMS); it is the standard behind the metrics mentioned above.
ISO/IEC 27005, part of a growing family of ISO/IEC ISMS standards, the ‘ISO/IEC 27000 series’, is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its full title is ISO/IEC 27005:2008 Information technology — Security techniques — Information security risk management (since revised, most recently in 2022). The purpose of ISO/IEC 27005 is to provide guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. It does not specify, recommend or even name any specific risk analysis method, although it does specify a structured, systematic and rigorous process from analyzing risks to creating the risk treatment plan.
Threat – a potential for violation of security: a circumstance, capability, action or event that could breach security and cause harm
Vulnerability – a weakness in a system's design, implementation or operation that a threat could exploit to cause loss
Attack – an assault on system security that derives from an intelligent threat: a deliberate attempt to evade security services and violate the security policy of a system
Passive attacks (eavesdropping, traffic analysis) – focus on Prevention
- Easy to prevent (e.g. by encrypting the traffic)
- Hard to detect (the attacker alters nothing observable)
Active attacks (modification, replay, masquerade, denial of service) – focus on Detection and Recovery
- Hard to prevent (every path the attacker could use would have to be closed)
- Easy to detect (integrity checks reveal the tampering, after which the system can recover)
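The four bullets describe a trade-off that is easier to see when both attack types are run against the same message. The following is an added example, not code from the original notes: it sends a constructed sample message over a channel the attacker controls, once unprotected and once encrypted and sealed with an HMAC, and reports what the attacker learned, whether the receiver noticed anything, and whether the intended message arrived. The channel, the message and the two attacker functions are constructed for the illustration; a one-time pad stands in for a real cipher only because it needs no third-party library.

```python
"""Passive vs active attacks on one message channel.

Added example, not from the original notes. The channel, the sample
message and both attacker functions are constructed for illustration.
A one-time pad stands in for a real cipher only because it needs no
third-party library; use an AEAD such as AES-GCM in real systems.
"""
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes, length of an HMAC-SHA256 tag


def otp_encrypt(key, plaintext):
    """One-time pad: XOR with a random key at least as long as the message."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must cover the whole message")
    return bytes(k ^ p for k, p in zip(key, plaintext))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def seal(mac_key, ciphertext):
    """Append an HMAC-SHA256 tag so the receiver can detect tampering."""
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def open_sealed(mac_key, sealed):
    """Verify the tag in constant time. Returns (authentic, ciphertext)."""
    ciphertext, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), ciphertext


def passive_attack(on_wire):
    """Eavesdropper: keeps a copy and forwards the bytes untouched."""
    return on_wire, on_wire  # (what the attacker learned, what is delivered)


def active_attack(on_wire):
    """Tamperer: keeps a copy and flips one bit of the first byte in transit."""
    tampered = bytes([on_wire[0] ^ 0x01]) + on_wire[1:]
    return on_wire, tampered


def run_scenario(message, protect, attacker):
    """Send `message` over a channel the attacker controls.

    With protect=True the sender encrypts (confidentiality) and seals the
    ciphertext with an HMAC (integrity); the receiver discards anything
    whose tag fails to verify. Returns three booleans describing the outcome.
    """
    enc_key = secrets.token_bytes(len(message))
    mac_key = secrets.token_bytes(32)
    on_wire = seal(mac_key, otp_encrypt(enc_key, message)) if protect else message

    learned, delivered = attacker(on_wire)

    if protect:
        authentic, ciphertext = open_sealed(mac_key, delivered)
        detected = not authentic
        received = otp_decrypt(enc_key, ciphertext) if authentic else None
    else:
        detected = False  # nothing on the wire lets the receiver check anything
        received = delivered

    return {
        "attacker_read_plaintext": learned == message,
        "detected": detected,
        "received_intact": received == message,
    }


if __name__ == "__main__":
    sample = b"transfer 100 to account 42"  # constructed sample message
    for name, attacker in (("passive", passive_attack), ("active", active_attack)):
        for protect in (False, True):
            label = "protected" if protect else "unprotected"
            print(f"{name:7} {label:11} {run_scenario(sample, protect, attacker)}")
```

Reading the four result rows against the bullets: the passive attacker is never detected in either row (nothing on the wire changes), but encryption stops it from reading the plaintext, so prevention is the only lever. The active attacker's bit flip reaches the receiver in both rows (it is not prevented), but once an HMAC is present the receiver detects it and can recover, for example by requesting retransmission, instead of silently acting on a corrupted message.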