Patil Pratishthan’s Institute for Advanced Computing & Software Development (IACSD)
Compliance Audit
INDEX
1. What is compliance audit
4. Principles of Audit
6. Components of framework
What Is a Compliance Audit?
A compliance audit is an independent evaluation to ensure that an
organization is following external laws, rules, and regulations or internal
guidelines, such as corporate bylaws, controls, and policies and procedures.
Compliance audits may also determine if an organization is conforming to an
agreement, such as when an entity accepts government or other funding.
Depending on the circumstances, the audit may be conducted by an employee,
such as an internal auditor, a certified public accountant, a third-party auditor, or
a government auditor. In many circumstances, auditors may seek the expert
advice of outside specialists, such as lawyers.
Essentially, a compliance audit asks if you are doing what you said you
would do.
just limited to securing the information in IT industry but also to various other
fields like cyber space etc.
Even the latest technologies, such as cloud computing, mobile computing,
e-commerce and net banking, also need a high level of security. Since these
technologies hold important information about a person, their security has
become a necessity. Enhancing cyber security and protecting critical
information infrastructures are essential to each nation’s security and economic
wellbeing. Making the Internet safer (and protecting Internet users) has become
integral to the development of new services as well as governmental policy. The
fight against cybercrime needs a comprehensive and safer approach. Given that
technical measures alone cannot prevent any crime, it is critical that law
enforcement agencies are able to investigate and prosecute cybercrime
effectively. Today many nations and governments are imposing strict laws on
cyber security in order to prevent the loss of important information. Every
individual must also be trained in cyber security and protect themselves from
these increasing cyber crimes.
CYBER CRIME
Cybercrime is a term for any illegal activity that uses a computer as its
primary means of commission and theft. The U.S. Department of Justice expands
the definition of cybercrime to include any illegal activity that uses a computer
for the storage of evidence. The growing list of cybercrimes includes crimes that
have been made possible by computers, such as network intrusions and the
dissemination of computer viruses, as well as computer-based variations of
existing crimes, such as identity theft, stalking, bullying and terrorism, which have
become a major problem for people and nations. In common language,
cybercrime may be defined as crime committed using a computer and the
internet to steal a person’s identity, sell contraband, stalk victims or disrupt
operations with malevolent programs. As technology plays an ever greater role
in a person’s day-to-day life, cybercrimes will also increase along with
technological advances.
Compliance Basics
Compliance is the state of being in accordance with established guidelines
or specifications, or the process of becoming so. Software, for example, may be
developed in compliance with specifications created by a standards body, and
then deployed by user organizations in compliance with a vendor's licensing
agreement. The definition of compliance can also encompass efforts to ensure
that organizations are abiding by both industry regulations and government
legislation.
1. Risk Assessment:
2. Vulnerability Assessment:
Just as the risk assessment helps businesses identify possible risks, the purpose
of the vulnerability assessment is to show the areas of the business’s security
that are vulnerable and can be exploited to harm the business. During the
vulnerability audit, the security audit company indicates the aspects of the
business that are weak and thus could be used to cause it significant harm.
The business’s vulnerabilities keep changing as the business grows and flourishes.
Therefore, vulnerability assessment is a type of security audit that should be
repeated on a regular basis, so that business owners stay aware of the weak
links in their businesses and can plan proper strategies to address these
weaknesses before they are exploited.
3. Penetration Testing:
One of the major cyber security issues that businesses always have to face is
hacking attempts. This is where penetration testing comes in. Penetration testing
is a form of data security audit in which one of the auditors acts as a hacker and
attempts to bypass the company’s security system. The tester may use different
hacking methodologies and attempt different techniques to highlight the areas of
the business that require a security upgrade. This helps businesses gather data
which can then be used to strengthen the business’s security system and ensure
that the business can withstand unauthorized attacks.
Penetration testing can be further divided into internal penetration testing and
external penetration testing. In the case of internal penetration testing, the
business’s internal security is put to the test, whereas external penetration
testing checks the business’s overall security protocols. Neither of these
penetration tests can be labelled as better than the other, and businesses should
opt for a hybrid approach in which the auditors perform both internal and
external penetration testing, so that a comprehensive analysis of the company’s
security infrastructure and its reliability can be drawn.
4. Compliance Audit:
Almost all businesses have to abide by a certain set of rules and regulations. This
compliance is necessary for the business’s legal status. The set of the compliance
rules is quite extensive and it also keeps changing and updating depending on the
overall circumstances of the economy and the business community.
be extensive and tedious. But when the experts handle this matter, the results are
reliable and the businesses can be assured and have a peace of mind that they are
headed in the right direction.
Lay out the goals that the auditing team aims to achieve by conducting the IT
security audit. Make sure to clarify the business value of each objective so that
specific goals of the audit align with the larger goals of your company.
Use this list of questions as a starting point for brainstorming and refining your
own list of objectives for the audit.
2. Plan the Audit
You’ll want to define the roles and responsibilities of the management team and
the IT system administrators assigned to perform the auditing tasks, as well as the
schedule and methodology for the process. Identify any monitoring, reporting and
data classification tools that the team will use and any logistical issues they may
face, like taking equipment offline for evaluation.
Once you’ve decided on all the details, document and circulate the plan to ensure
that all staff members have a common understanding of the process before the
audit begins.
The auditing team should conduct the audit according to the plan and
methodologies agreed upon during the planning phase. This will typically include
running scans on IT resources like file-sharing services, database servers and
SaaS applications like Office 365 to assess network security, data access
levels, user access rights and other system configurations. It’s also a good idea to
physically inspect the data centre for resilience to fires, floods and power surges
as part of a disaster recovery evaluation.
During this process, interview employees outside the IT team to assess their
knowledge of security concerns and adherence to company security policy, so
any holes in your company’s security procedures can be addressed moving
forward. Be sure to document all findings uncovered during the audit.
Compile all your audit-related documentation into a formal report that can be
given to management stakeholders or the regulatory agency. The report should
include a list of any security risks and vulnerabilities detected in your systems, as
well as actions that IT staff recommend taking to mitigate them.
5. Take Necessary Action
Finally, follow through with the recommendations outlined in your audit report.
Examples of security-enhancement actions can include:
Principles of Audit
The basic principles of auditing are confidentiality, integrity, objectivity
and independence, skills and competence, work performed by others,
documentation, planning, audit evidence, accounting system and internal control,
and audit reporting.
Security evaluation
The examination of a system to determine its degree of compliance with a
stated security model, security standard, or specification. The evaluation may be
conducted
(a) by analysing the detailed design, especially of the software, often
using verification and validation;
(b) by observing the functional behaviour of the system; or
(c) by attempting to penetrate the system using techniques available to an
“attacker”.
the Hollings Manufacturing Extension Partnership, a nationwide network
of local centres offering technical and business assistance to smaller
manufacturers to help them create and retain jobs, increase profits, and save
time and money; and
the Baldrige Performance Excellence Program, which promotes
performance excellence among U.S. manufacturers, service companies,
educational institutions, health care providers, and non-profit
organizations; conducts outreach programs; and manages the annual
Malcolm Baldrige National Quality Award, which recognizes performance
excellence and quality achievement.
Components of framework
The NIST Cybersecurity Framework consists of three parts. These parts must work
together to help organizations build a comprehensive cybersecurity strategy.
1. Framework core
The first component of the NIST Cybersecurity Framework is the
framework core. The framework core mostly contains guidance information and
cybersecurity activities. In other words, it presents industry standards in a way
that helps organizations tackle cyber risks.
2. Implementation tiers
3. Profiles
General Data Protection Regulation (GDPR) Overview
GDPR can be considered the world's strongest set of data protection rules,
which enhance how people can access information about them and place limits
on what organisations can do with personal data. The full text of GDPR is an
unwieldy beast, which contains 99 individual articles.
The regulation exists as a framework for laws across the continent and replaced
the previous 1995 data protection directive. The GDPR's final form came about
after more than four years of discussion and negotiations – it was adopted by
both the European Parliament and European Council in April 2016. The
underpinning regulation and directive were published at the end of that month.
GDPR came into force on May 25, 2018. Countries within Europe were given
the ability to make their own small changes to suit their own needs. Within the
UK this flexibility led to the creation of the Data Protection Act (2018), which
superseded the previous 1998 Data Protection Act.
execution of a contract to which the Data Subject is a party; or
processing is necessary for the performance of a task carried out
in the public interest or in the exercise of official authority etc.
b. Personal Data should be collected for specified legitimate and
explicit purposes and not further processed if incompatible with
those purposes (except where specifically permitted under
GDPR), and it should be adequate, accurate, relevant and limited
to what is necessary in relation to the purposes for which they are
processed.
Information to be provided to Data Subject: The controller, at the time
of obtaining the personal data, has to provide the Data Subject with all
the required information, such as its contact details and identity, contact
details of the data protection officer (only required in some cases),
purposes and legal basis of processing, existence of the data subject's
rights such as the right to access, recipients or categories of recipients of
the personal data, period of storage of personal data, rectification or
erasure of personal data, right to withdraw consent, the right to lodge a
complaint with a supervisory authority, right to data portability etc.
Information on similar lines is also to be provided to the data subject
(where personal data has not been obtained from the data subject) under
Article 14 of GDPR, except in certain prescribed circumstances. The
following are among the rights of data subjects:
Right to get their data removed: Right to obtain from the controller
erasure of personal data; the controller is required to remove
personal data where one of the grounds applies, such as: (a) the personal
data is no longer necessary in relation to the purposes for which it was
collected; (b) the Data Subject withdraws the consent on which the
processing was based; (c) the Data Subject objects to the processing and
there are no legitimate grounds for the processing, etc.
A scheme has been introduced by various certification bodies for conversion from
BS 7799 certification to ISO 27001 certification.
and other organizations with whom they interact for operational or
commercial reasons;
implementation of business-enabling information security;
use by organizations to provide relevant information about information
security to customers.
SOx Reports
The Sarbanes-Oxley Act of 2002, often simply called SOX or Sarbox, is a U.S. law
meant to protect investors from fraudulent accounting activities by corporations.
Sarbanes-Oxley was enacted after several major accounting scandals in the early
2000s perpetrated by companies such as Enron, Tyco, and WorldCom. So what
is SOX? The law mandates strict reforms to improve financial disclosures from
corporations and prevent accounting fraud. It also covers issues such as auditor
independence, corporate governance, internal control assessment, and enhanced
financial disclosure.
The law is named for the two congressmen who drafted it, Paul Sarbanes and
Michael Oxley. The U.S. Securities and Exchange Commission (SEC)
administers the act.
Though Sarbanes-Oxley does not call out any specific IT requirements, the law
does have a great impact on information systems – and in particular the security
of those systems – owing to the fact that the financial information covered under
the law is processed and stored by IT systems. Section 404 in particular has had
very costly implications for publicly-traded companies, as it is expensive to
establish, maintain, and validate the required internal controls.
To understand SOX lingo, there are a few key terms you will want to be familiar
with:
To this end, while SOX measures seek to govern the financial operations and
disclosures of corporate entities and any of their contracted financial service
providers, the regulations pertain to a breadth of departments, and a few to IT.
SOX reporting specifically involves IT departments because adequate SOX
internal controls require complete file safety and full visibility into financial
record history—conditions which require each IT employee to understand his or
her role in demonstrating SOX compliance.
COBIT framework
COBIT (Control Objectives for Information and Related Technologies) is a
framework created by ISACA for information technology (IT)
management and IT governance.
The COBIT business orientation includes linking business goals with its IT
infrastructure by providing various maturity models and metrics that measure the
achievement while identifying associated business responsibilities of IT
processes. The main focus of COBIT 4.1 was illustrated with a process-based
model subdivided into four specific domains, including:
All of this is further understood under 34 processes as per the specific line of
responsibilities. COBIT has a high position among business frameworks and has been
recognized under various international standards, including ITIL,
CMMI, COSO, PRINCE2, TOGAF, PMBOK, and ISO 27000. COBIT
acts as a guideline integrator—merging all solutions under one umbrella.
The latest COBIT version 5 came out in April 2012 and consolidated the
principles of COBIT 4.1, Risk IT Frameworks, and Val IT 2.0. This version
draws reference from IT Assurance Framework (ITAF) from ISACA and the
revered BMIS (Business Model for Information Security).
The Various COBIT Components
Framework
Process Descriptions
It is a reference model and also acts as a common language for every individual
in the organization. The process descriptions include planning, building,
running, and monitoring of all IT processes.
Control Objectives
This provides a complete list of requirements that have been considered by the
management for effective IT business control.
Maturity Models
Assess the maturity and the capability of every process while addressing the
gaps.
Management Guidelines
Difference between COBIT and ITIL

Definition
COBIT: A set of guidelines for any organization to develop, implement, monitor, and improve technology governance.
ITIL: A framework for best practices, planning, and selection, geared to improving IT services to better meet the company’s needs.

Scope
COBIT: Focuses on ITSM, but has a broader scope than ITIL, since it studies the entire organization.
ITIL: Focuses on ITSM, and not on the whole company. It remains within the domain of IT.

Goals and Objectives
COBIT: 1. Effectively manage the IT department to the company’s advantage and set it in the right direction. 2. Align IT goals and business goals. 3. Bring IT values to the business. 4. Manage resources, risks, and IT efficiency.
ITIL: 1. Organize all the IT services within the company and make them run smoothly. 2. Create opportunities for constant operational perfection. 3. Reduce the company’s IT costs without sacrificing effectiveness. 4. Improve the decision-making within the company.

The Big Question
COBIT: “How do I best leverage my IT department’s resources for the benefit of the company?”
ITIL: “How do I organize my IT teams and their workload in the most efficient way?”
Health Insurance Portability and Accountability Act
(HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a
federal law that required the creation of national standards to protect sensitive
patient health information from being disclosed without the patient’s consent or
knowledge. The US Department of Health and Human Services (HHS) issued the
HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA
Security Rule protects a subset of information covered by the Privacy Rule.
Covered Entities
The following types of individuals and organizations are subject to the Privacy
Rule and considered covered entities:
maintenance organizations (HMOs); Medicare, Medicaid,
Medicare+Choice, and Medicare supplement insurers; and long-term care
insurers (excluding nursing home fixed-indemnity policies). Health plans
also include employer-sponsored group health plans, government- and
church-sponsored health plans, and multi-employer health plans.
Public interest and benefit activities—The Privacy Rule permits use and
disclosure of protected health information, without an individual’s
authorization or permission, for 12 national priority purposes:
To comply with the HIPAA Security Rule, all covered entities must do the
following:
Covered entities should rely on professional ethics and best judgment when
considering requests for these permissive uses and disclosures. The HHS Office
for Civil Rights enforces HIPAA rules, and all complaints should be reported to
that office. HIPAA violations may result in civil monetary or criminal penalties.
History of PCI-DSS
Five different programs have been started by card companies:
of PCI DSS. Independent/private organizations can participate in PCI
development after proper registration. Each participating organization joins a
particular SIG (Special Interest Group) and contributes to the activities which are
mandated by the SIG. The following versions of the PCI DSS have been made
available:
CIS Compliance
The Center for Internet Security (CIS) benchmarks are a set of best-practice
cybersecurity standards for a range of IT systems and products. CIS Benchmarks
provide the baseline configurations to ensure compliance with industry-agreed
cybersecurity standards. The benchmarks are developed by CIS alongside
communities of cybersecurity experts within industry and research institutes.
CIS Benchmarks are free to use and are easily downloaded. They’re useful to any
stakeholders dealing with an organization’s IT governance, cybersecurity policies
and systems. The Center for Internet Security also offers a membership option
which enhances cybersecurity compliance monitoring and resources. CIS
Benchmarks are also important to IT system vendors, who can gain certification
to show that a product reaches CIS compliance.
CIS Benchmarks
CIS Benchmarks are frameworks for calibrating a range of IT services and
products to ensure the highest standards of cybersecurity. They’re developed
through a collaborative process with input from experts within the cybersecurity
community. There are more than 100 different benchmarks covering a range of
well-known vendors and systems. CIS Benchmarks provide guidance for all areas
of an IT network, including operating systems, server systems, office software
and network devices.
CIS Benchmarks are free to download and use. The documents cover everything
from initial setup to configuration of all parts of the IT system. The guidance is
regularly updated and renewed to reflect new iterations of the IT service or
product. CIS Benchmarks represent the baseline settings to ensure an IT system
or product is secure. The aim is to enhance international cybersecurity standards
in all types of organizations. CIS Benchmarks are used by organizations,
governments and institutes across the world.
CIS Benchmarks are compatible with existing IT risk management policies and
procedures. They can slot into well-known frameworks for IT governance such as
the NIST Cybersecurity Framework.
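The audit procedure described earlier (run scans over IT resources, compare system configurations and access rights against policy, then compile the findings into a report for management or the regulator) and the idea of a CIS-style baseline come together in a configuration compliance check. The following is an added example, not part of the IACSD handout and not code from CIS: it evaluates constructed host configuration snapshots against a small constructed baseline and produces the per-host findings and summary figures an audit report needs. The rule ids (BL-1.1 etc.), the setting names and the host snapshots are all hypothetical; a real audit would load the vendor's actual benchmark for the platform being assessed and collect the snapshots with a scanning tool.

```python
"""Baseline compliance check over constructed host configuration snapshots.

Added example for the compliance-audit handout. The baseline rules below are
constructed for illustration and are NOT quoted from any real CIS Benchmark;
the rule ids, setting names and host snapshots are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# A snapshot is a flat mapping of setting name -> observed value, in the shape
# an audit scan tool might return for one host.
Snapshot = Dict[str, object]


@dataclass
class Rule:
    rule_id: str          # hypothetical id, not a real benchmark number
    title: str
    setting: str          # key looked up in the host snapshot
    check: Callable[[object], bool]
    expected: str         # human-readable expected value for the report
    severity: str


@dataclass
class Finding:
    host: str
    rule_id: str
    title: str
    severity: str
    expected: str
    observed: str


# Constructed baseline (hypothetical rules, not CIS recommendations).
BASELINE: List[Rule] = [
    Rule("BL-1.1", "Password minimum length", "password_min_length",
         lambda v: isinstance(v, int) and v >= 14, ">= 14", "medium"),
    Rule("BL-1.2", "Account lockout threshold", "lockout_threshold",
         lambda v: isinstance(v, int) and 1 <= v <= 5, "1..5", "medium"),
    Rule("BL-2.1", "SSH root login disabled", "ssh_permit_root_login",
         lambda v: v == "no", "no", "high"),
    Rule("BL-3.1", "Audit logging enabled", "audit_logging",
         lambda v: v is True, "true", "high"),
    Rule("BL-3.2", "Telnet service disabled", "telnet_enabled",
         lambda v: v is False, "false", "high"),
]


def evaluate_host(host: str, snapshot: Snapshot,
                  baseline: List[Rule] = BASELINE) -> List[Finding]:
    """Return one Finding per baseline rule the host fails or cannot evidence."""
    findings: List[Finding] = []
    for rule in baseline:
        if rule.setting not in snapshot:
            # A setting the scan did not collect is a finding too: the auditor
            # cannot claim compliance on evidence that was never gathered.
            findings.append(Finding(host, rule.rule_id, rule.title,
                                    rule.severity, rule.expected, "<not collected>"))
            continue
        observed = snapshot[rule.setting]
        if not rule.check(observed):
            findings.append(Finding(host, rule.rule_id, rule.title,
                                    rule.severity, rule.expected, repr(observed)))
    return findings


def build_report(results: Dict[str, Snapshot]) -> dict:
    """Aggregate per-host findings into the summary figures an audit report needs."""
    findings: List[Finding] = []
    for host, snapshot in results.items():
        findings.extend(evaluate_host(host, snapshot))
    total = len(results) * len(BASELINE)
    passed = total - len(findings)
    by_severity: Dict[str, int] = {}
    for f in findings:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    return {"hosts": len(results), "checks": total, "passed": passed,
            "findings": findings, "by_severity": by_severity,
            "compliance_pct": round(100 * passed / total, 1) if total else 100.0}


def format_report(report: dict) -> str:
    """Render the report as plain text for the management / regulator hand-off."""
    lines = [f"Hosts: {report['hosts']}  Checks: {report['checks']}  "
             f"Passed: {report['passed']}  Compliance: {report['compliance_pct']}%",
             f"Findings by severity: {report['by_severity']}"]
    for f in report["findings"]:
        lines.append(f"[{f.severity.upper():6}] {f.host}: {f.rule_id} {f.title} "
                     f"(expected {f.expected}, observed {f.observed})")
    return "\n".join(lines)


# Constructed sample snapshots, as if gathered by the audit scan.
SAMPLE_SNAPSHOTS: Dict[str, Snapshot] = {
    "fileserver-01": {"password_min_length": 14, "lockout_threshold": 5,
                      "ssh_permit_root_login": "no", "audit_logging": True,
                      "telnet_enabled": False},
    "db-01": {"password_min_length": 8, "lockout_threshold": 0,
              "ssh_permit_root_login": "yes", "audit_logging": True,
              "telnet_enabled": False},
    # lockout_threshold deliberately absent: the scan could not read it.
    "legacy-app": {"password_min_length": 12, "ssh_permit_root_login": "no",
                   "audit_logging": False, "telnet_enabled": True},
}

if __name__ == "__main__":
    print(format_report(build_report(SAMPLE_SNAPSHOTS)))
```

The missing-setting case is the one worth noticing: a setting the scanner could not read is reported as a finding with observed value `<not collected>` rather than silently counted as a pass, which matches the handout's point that an audit rests on documented evidence. The compliance percentage in the summary is per-check, so one host with many gaps pulls the figure down in proportion to the number of controls it fails.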
SSE-CMM Project
An alternative approach to evaluating assurance is built on the capability maturity
model (CMM) paradigm, which is a five-level model of increasingly mature
processes and continuous improvement. The CMM originated in the Carnegie
Mellon Software Engineering Institute (SEI) under the auspices of the U.S.
Department of Defense (DoD).
Operations security
Information security
Network security
Physical security
Personnel security
Administrative security
Communications security
Emanations security ...