

Hardening by Auditing: A Handbook for Measurably and Immediately Improving the Security Management of Any Organization
Ebook, 258 pages, 2 hours


About this ebook

Developing an internal auditing capability within an organization is as important to the continued success of that organization as any other initiative or process.
An “audit” is a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. “Internal audits” are audits conducted by, or on behalf of, the organization itself for internal purposes, and can form the basis of the organization’s self-declaration of conformity or compliance.
A well-planned, effective, internal auditing program should consider the relative importance of the processes and areas to be audited. Don’t waste time on the unimportant.
The success of an organization is the sum of the effectiveness of Management authority, responsibility, and accountability. They are, in turn, the sum of the manner in which Management deals with the findings of the internal audits.


The premise of this book and my reason for creating it is simple:
1. Our organizations (large and small – public and private) and, in fact, our lives are in danger from both physical and cyber-attacks, because we remain incredibly uneducated, unstructured, and vulnerable when it comes to threats to our security.
2. Organizational Security can be upgraded profoundly through a well-developed program of internal and outside audits. This book stresses internal audits – those that you do by yourselves and within your walls.
3. Organizations can combine resources synergistically. That is, the whole of the effort will be greater than the sum of its parts.
I have kept this work as compact as possible, so as to minimize reading time and maximize productivity. I write for no-nonsense CEOs, acquisition, security, and program managers in both the public and private sectors, with big responsibilities and limited resources. I refer often to four excellent ISO International Standards. They offer guidance for structuring effective management programs rapidly, regardless of whether or not organizations desire certification by accreditation bodies.
I invite you to use my approach to Risk Management. You will find it an effective and uncomplicated method for developing and monitoring your strategic plans.
Checklists and “quick-looks” can bring you up to speed fast. Using the checklists provided and taking prompt, positive, action on your findings will improve your security posture almost immediately, as well as boost your confidence to take on greater challenges.
Language: English
Publisher: AuthorHouse
Release date: Jul 10, 2022
ISBN: 9781665562614
Author

Eugene A. Razzetti

Eugene A. (Gene) Razzetti retired from the U.S. Navy as a Captain in 1992, a Vietnam veteran who had held two at-sea and two major shore commands. Since then, he has been an independent management consultant, project manager, and ISO auditor. He became an adjunct military analyst with the Center for Naval Analyses after September 11, 2001. He has authored six management books, co-authored MVO 8000, a Corporate Responsibility Management Standard, and numerous journal articles related to management systems and the Department of Defense. He has served on boards and committees dealing with ethics and professionalism in the practice of management consulting. He is a senior member of the American Society for Quality (ASQ) and assisted the Government of Guatemala with markedly heightening the security posture of its two principal commercial port facilities.


    Book preview

    Hardening by Auditing - Eugene A. Razzetti

    © 2022 Eugene A. Razzetti. All rights reserved.

    No part of this book may be reproduced, stored in a retrieval system, or transmitted by any means without the written permission of the author.

    Published by AuthorHouse 06/29/2022

    ISBN: 978-1-6655-6260-7 (sc)
    ISBN: 978-1-6655-6261-4 (e)

    Any people depicted in stock imagery provided by Getty Images are models, and such images are being used for illustrative purposes only.

    Certain stock imagery © Getty Images.

    Because of the dynamic nature of the Internet, any web addresses or links contained in this book may have changed since publication and may no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect the views of the publisher, and the publisher hereby disclaims any responsibility for them.

    CONTENTS

    Dedication

    Foreword

    SECTION I

    INTERNAL AUDITING IN GENERAL

    Chapter 1     What We Mean by Hardening by Auditing

    Chapter 2     Benchmarking, Dashboards, Metrics, and Measures of Effectiveness

    Chapter 3     Defense Contracting

    Chapter 4     Risk Management

    Chapter 5     Synergy vs. Innovation

    Chapter 6     System Integration - Enabling Capability Through Connectivity

    Chapter 7     Some Additional Thoughts about Internal Auditing Before We Discuss Security

    Section Two

    Organizational Security Management

    Chapter 8     Auditing Organizational Security at Your Command

    Chapter 9     Compliance, Continuity, and COVID

    Chapter 10   Contingency Planning

    Chapter 11   Business Impact Analysis

    Chapter 12   Business Continuity Management

    Chapter 13   Recovery and Restoration

    Chapter 14   Auditing Computer-Based Information Security – Gain Control and Keep it

    APPENDIX

    Appendix I       Business Continuity Management

    Appendix II      Information Security Management

    Appendix III     Supply Chain Security Management

    Appendix IV     Glossary

    About The Author

    DEDICATION

    FOREWORD

    SECTION I

    INTERNAL AUDITING IN GENERAL

    CHAPTER ONE

    What We Mean by Hardening by Auditing

    Ten areas in which executives and auditors can quantifiably improve the security posture of any organization.

    Overview

    Industrial espionage, hacker/cyber-attacks, natural disasters, disgruntled former employees, HAZMAT spills, and (let’s face it) terrorist attacks can close an organization indefinitely, not to mention exacting a concurrent, incidental toll in personnel or equipment. Organizations, especially those that contribute to the defense of the United States, have an ethical as well as an economic imperative to assess and harden their security structures. These days, Management can and should assess the security posture of their organizations as part of the organization’s overall auditing strategy – no less vital than Quality, Finance, Marketing, or Human Resource Management.

    The International Standard ISO 28000: Supply Chain Security Management can help to ensure the security of any organization. It was developed in response to the transportation and logistics industries’ need for a commonly applicable security management system specific to the supply chain.

    The main elements of the ISO 28000 Standard are:

    ✓ Security Management Policy

    ✓ Security Planning (risk assessment, regulatory requirements, objectives, and targets)

    ✓ Implementation and Operation (responsibilities and competence, communication, documentation, operational control, and emergency preparedness)

    ✓ Internal auditing, corrective and preventive action

    ✓ Management review and continual improvement.

    Organizations already certified to ISO 9000 (Quality Management) or ISO 14000 (Environmental Management) are well on their way to ISO 28000 certification and to a hardened security posture. These three International Standards mutually support each other, as shown in the following table, and security-minded auditors and consultants will work with an organization’s existing strategic planning, process management, and documentation to synergistically increase security while also addressing the more traditional challenges, such as efficiency, safety, profitability, and regulatory compliance. See Table 1-1.

    Table 1-1 Relationship of ISO Standards (table image not reproduced in this preview)

    Ten areas in which executives and auditors can quantifiably harden the security of their organizations

    The ten areas that follow contain segments of a checklist that I use when I audit or consult in ISO 28000. Appendix III contains my complete Supply Chain Security checklist.

    1. Organizing the Security Management System

    Organizing for security means that the organization must establish, document, maintain, and continually improve an effective security management system for identifying security threats, assessing risks, and controlling/mitigating their consequences. The organization must look at all of the functions it performs and assess them according to the amount of vulnerability and the amount of protection required, as shown in the notional matrix below. Figure 1-1 describes a quick and logical vulnerability assessment. As the arrows suggest, you want to minimize vulnerability and maximize protection. Try this with your own organization and/or area of responsibility.

    Figure 1-1 Vulnerability Assessment (example) (figure image not reproduced in this preview)

    2. Defining the Scope of the Security Management System

    Having completed an initial vulnerability assessment, the organization must next define the scope of its Security Management System, including control of outsourced processes that affect the conformity of product or service. That accomplished, the organization must establish (and maintain) an organizational structure, including roles, responsibilities, and authorities, consistent with the achievement of the security management policy, objectives, targets, and programs; and these must be defined, documented, and communicated to all responsible individuals.

    Management must provide quantifiable and documented evidence of its commitment to development of a security management system and to improving its effectiveness. Specifically, by:

    • Appointing a member of senior management who, irrespective of other responsibilities, is responsible for the design, maintenance, documentation, and improvement of the security management system

    • Appointing members of management with the necessary authority to ensure that the objectives and targets are implemented

    • Identifying and monitoring the expectations of the organization’s stakeholders and taking appropriate action to manage these expectations¹

    • Ensuring the availability of adequate resources

    • Communicating to the organization the importance of meeting its security management requirements in order to comply with its established policies

    • Ensuring any security programs generated from other parts of the organization complement the security management system

    • Communicating to the organization the importance of meeting its security management requirements in order to comply with its policy

    • Establishing meaningful security metrics and measures of effectiveness, and ensuring that security-related threats, criticalities, and vulnerabilities are evaluated and included in organizational risk assessments as appropriate (see below)

    3. Security Policies – taking a security approach to mission accomplishment

    Top management also must develop, as applicable to the mission of the organization, written security policies that are:

    • Consistent with the other policies of the organization

    • Providing a framework within which specific security objectives, targets, and programs can be produced

    • Consistent with the organization’s overall security threat and risk management strategy

    • Appropriate to the threats to the organization and the nature and scale of its operations

    • Clear in their statement of overall/broad security management objectives

    • Compliant with current applicable legislation, regulatory and statutory requirements and with other requirements to which the organization subscribes

    • Visibly endorsed by top management

    • Documented, implemented, and maintained

    • Communicated to all relevant employees and third parties including contractors and visitors with the intent that these persons are made aware of their individual security-related obligations

    • Available to stakeholders where appropriate

    • Provided for review in case of acquisition or merger, or other change to the business scope, which may affect the relevance of the security management system.

    4. Security Training and Qualification

    The security-minded organization appoints (and entrusts) personnel to operate the Security Management System. As with any other responsible position in the organization, the people who design, operate, and manage the security equipment and processes must be suitably qualified in terms of education, training, certification, and/or experience. Further, these personnel must be fully aware and supportive of:

    5. Operational Control

    A.    General

    Effective operational control of the Security Management System means that the organization has identified all operations necessary for achieving its stated security management policies, control of all activities, and mitigation of threats identified as posing significant risks. Control also means compliance with legal, statutory, and other regulatory security requirements, the security management objectives, delivery of its security management programs, and the required level of supply chain security (as appropriate).

    ISO 28000 Certification requires organizations to ensure that operational control is maintained by:

    • Establishing, implementing, and maintaining documented procedures to control situations where their absence could lead to failure to maintain operations

    • Establishing and maintaining the requirements for goods or services which impact on security and communicating these to suppliers and contractors.

    Where existing designs, installations, operations, etc., are
