IT Audit and Compliance

Our Approach

Some organizations have more mature information security programs and control environments, or have recently completed an audit or assessment of their general IT controls. Others have specific regulatory requirements or have identified areas requiring review or improvement. In these situations we are able to provide more focused, detailed audits or assessments to identify opportunities for further improvement or to fulfill those requirements. Incendio provides these services for all areas of IT security; some of the more common ones are detailed below.

General IT Security Controls

We have been performing assessments, audits, and policy development based on ISO 27002 and the SANS 20 Critical Controls for almost 7 years. The ISO 27002:2013 standard is internationally recognized and broadly covers aspects of information security that extend into areas such as compliance and human resources. It takes the position that information security is not an IT responsibility but an organizational one. Using this standard provides assurance that controls affecting information security are addressed, even those that reside outside the traditional information technology and information security functions. It is, however, a high-level standard and does not provide specific recommendations regarding technical controls. The SANS 20 CC aligns well with ISO 27002 and fills many of those gaps by recommending technical controls geared toward defending against, and limiting the damage from, an Advanced Persistent Threat. These controls can generally be automated, and they have been broken down into sub-controls to allow prioritization based on ROI in terms of both cost and effort required. Incendio often recommends using the ISO standard as the overall framework against which client controls are audited, inserting the SANS 20 Critical Controls where appropriate to provide a more detailed, technical review.

Validation of our approach has come in many forms. Reviews by various regulatory agencies of audits and assessments performed with this approach have garnered positive feedback on multiple occasions. In addition, recent cyber-security questionnaires sent to regulated companies by the SEC and the New York Department of Financial Services (formerly the New York State Banking Department) have shown the need for the more detailed approach of the SANS 20 CC, most of which address the concerns the agencies raised in those questionnaires.

Cloud Computing

One of the biggest technology changes faced by business today is the rise of cloud computing. While a variety of definitions exist for cloud computing, Accenture concisely defines it as “the dynamic provisioning of IT capabilities (hardware, software, or services) from third parties over a network.” From an IT security standpoint, the primary concern is that the user of cloud computing services relinquishes physical control of its data by transmitting and/or storing it on infrastructure owned and controlled by an outside party or parties. This presents additional risks that require consideration and, possibly, additional controls. While some organizations simply shun cloud computing as a result, the reality is that its use can be difficult to avoid, can offer significant business advantages, and is sometimes more secure than locally hosted systems, which are often not secured or managed properly.

To assist our clients in enhancing the controls surrounding their use of cloud computing services, Incendio can perform an assessment or audit of those controls while also developing a detailed risk assessment to be used for both initial and ongoing assessments of cloud computing vendors. The controls used to create the risk assessment and audit steps are derived from a combination of sources, including ISACA, the FBI’s Recommendations for Implementation of Cloud Computing Solutions, Gartner, and the Cloud Security Alliance. Incendio separates the high-level controls related to the management of cloud computing services as a whole from the more specific controls related to individual cloud computing vendors, providing a comprehensive cloud computing control environment. The high-level controls address the following areas:

  • Governance Model
  • Identification of Risk
  • Monitoring of Vendor Compliance with SLAs and Contractual Requirements
  • BCP/DR Plans for Loss of Provider Services
  • Incident Response Related to Cloud Computing Services
  • Formal Compliance Review Related to Cloud Computing Services
  • Customer Control Over Identity Provisioning for Cloud Computing Services

The more detailed, vendor-specific controls are customized for each client and used to develop a risk assessment template that the client can apply to current and future assessments of cloud computing services.

IT Risk Assessments

Every journey, no matter how long, begins with a single step. In our world, that first step is a risk assessment. Ideally, those charged with securing organizational information will already have the support of management when beginning a risk assessment. For those who do not have this support, a risk assessment can be a good tool for clearly presenting to management, in business terms, the risk that a lack of security poses to the organization, thus making the business case for implementing or improving an information security program. Although this can be an intensive process, it is not without tangential benefits, including closer integration between the business and IT and better visibility into business continuity management through the identification of critical information assets and related processes.

Business Continuity Management and Disaster Recovery

Although this topic gets little attention these days, having peaked during Y2K and 9/11, Business Continuity Management and Disaster Recovery is still a key component of an overall information security program. We use our business process and IT security backgrounds to review your plans and the corresponding testing to ensure you are able to operate securely and recover in the event of a disaster.

Compliance

We have expertise in multiple compliance areas to help you meet your requirements. We can provide audit, assessment, and compliance services in the following areas:

  • PCI Readiness Assessments and Reports on Compliance (ROC)
  • HIPAA Risk Analysis
  • Financial Services (FFIEC, NCUA, NYDFS, etc.)
  • Other Compliance Reviews and Readiness Assessments
      • ISO 27002
      • NIST Guidelines
      • SEC requirements

Think you are at risk?

Send us an email with any questions you may have. We’d be happy to assist and look forward to working with you.