Audit Directive Implementation - PowerPoint PPT Presentation


SLIDE 1

Audit Directive Implementation

Sebastian Strobl, Pierre Kwaku, Christoph Gruber
CC: Oliver van Assche, Oliver Eckel
29.09.2010

SLIDE 2

Document Hierarchy of Information Security Audit

  • Policy: General regulation for conducting audits
  • Audit Standard (“Audit Charter”): When, how and where audits are performed
  • General Directive(s) / Specific Directive(s): How to audit things, organisations, etc.; things audit needs

SLIDE 3

Principles for Audit Directives

  • Derived from Audit Standard or a more abstract Directive
  • Dedicated to a special task, region or audience
  • Only needed if Standard is not adequate or specific enough
SLIDE 4

Requirements for Audit Documents

  • Internal “Code of Conduct for Audit Department”
      • How the things are done
      • Quality Assurance
  • Requirements for Others
      • What data has to be provided
      • Quality of data (integrity, …)
  • Cooperation with external auditors
      • Corporate Audit has to be single point of contact to external auditors

SLIDE 5

Code Of Conduct

  • Information systems audit controls
  • Protection of information systems audit tools
  • Other internal regulations, beside IT
SLIDE 6

Directive to Others

  • Starts with ISS ch. 6 (Security Coordinators), one contact in each department
  • Implementation of audit rights into contracts with internal and external staff
  • ISS 9.1.2 physical entry controls
  • ISS 10.1.1 documented operating procedures
  • ISS 10.1.2 change management
  • ISS 10.2.2 monitoring and review of third party services
  • ISS 10.6.2 security of network services
  • ISS 10.7 media management
  • ISS 10.10 audit logging
  • ISS 11.7.2 teleworking
  • ISS 12.3.2 key management
  • ISS 12.4.2 protection of system test data
  • ISS 12.4.3 access control to program source code
  • ISS 12.5.1 change control procedures
  • ISS 12.5.5 outsourced software development
  • ISS 13.2 management of information security incidents and improvements
  • ISS 15.1 compliance with legal requirements
  • ISS 15.2 compliance with security policies and standards, and technical compliance

SLIDE 7

Cooperation with external Auditors

  • Corporate Audit Department has to be the single point of contact for external auditors
  • Exceptions?
      • Tax audit?
      • Law enforcement
SLIDE 8

Thank You