Sandeep,
Thanks for the informative answer to my question.
Actually I am asking about how we can audit/check the technical-related
controls as per the SOA constructed at the time of the GAP Analysis
process.
If you take an example from ISO/IEC 27001:2005, the domains A.10 & A.11
mainly talk about the technical aspects like access control, control
against malicious code, domain controls, cryptographic controls, etc.
So I am asking what type of approach we have to follow.
Regards,
Rajesh.
On Sun, Jul 4, 2010 at 2:16 AM, Sandeep Thakur <[email protected]> wrote:
> Rajesh,
>
> I understand you are looking for various technical aspects to be
> considered during the audit of your corporation. The first thing to
> understand is... whether you are auditing in terms of IT security,
> baselining the appropriate international standards, as you said ISO/IEC
> 27001:2005, or any other...
>
> You shall first prepare the statement of applicability (SOA) and find/
> list out all the applicable controls with respect to all the domains
> involved in the company (say: telecom, finance, banking, healthcare, etc.),
> but not based on the type of company (KPO, BPO, ITES, etc.).
>
> Categorize all these into Administrative, Operational and Technical
> controls...
>
> Now, during auditing you shall have many questionnaires and reviews
> based on discussions with the auditee for Administrative and Operational
> controls... But Technical controls are one part which you shall test
> for effectiveness with some kind of technical skills.. Most
> auditors do not have this as a skill set and more often fail to do
> their work correctly, or cannot manage the audit program due to hurdles
> from management in discussing these... Good that you have brought up
> this question.
>
> The regular technical controls involve studying / testing the effectiveness
> of user access to Environment / System / Data. Each of these
> (environment, system or data) can again be subject to additional
> controls with respect to law, legal regulations or corporate policy.
> Further, I would like to tell you that all control areas which you
> were referring to (vulnerability assessment, patch management, or any
> process) can usually be associated with Environment (audit area).
> Similarly, application security / code review / penetration testing is
> associated with System (audit area), and data privacy / data security
> with Data (audit area).
>
> One opinion based on my experience I would like to share with you is:
> it will be a myth if you assume that you are secure because you are
> following international standards. You shall in fact take baseline
> controls from these international standards and establish your own
> custom policies and procedures. The SOA and respective standard
> operating procedures (SOPs) should be prepared covering all types of
> controls (say: security, finance, healthcare, legal regulations,
> country laws, etc.).
>
> Let me try and come up with various regular technical controls or a
> checklist you shall follow and check during the audit... Meanwhile, others
> who have any inputs can continue this discussion...
>
>
> Regards
> Sandeep Thakur
>
>
> On Jun 29, 2:04 am, rajesh kumar <[email protected]> wrote:
> > Hi Team,
> >
> > I am new to this group; it's very nice to see discussions on
> > different aspects.
> >
> > Can anyone of you let me know what type of technical aspects are to be
> > considered at the time of auditing in different industries like software,
> > BPO, KPO, etc.
> >
> > In my view some examples are like... vulnerability assessment,
> > patch management, access privileges, group management... so many as
> > per the standard ISO 27001:2005.
> >
> > Thanks & Regards,
> > Rajesh.
>
> --
> You received this message because you are subscribed to the Google Groups
> "nforceit" group.
> To post to this group, send an email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/nforceit?hl=en-GB.
>
>