The easiest way to get into an ITGC / ISO 27001 / GRC job is to start doing the smallest-scale activities for which there are plenty of jobs. These activities are 1) control testing, 2) checklist-based information security audit and 3) risk assessment. These three are very valuable skills, and anyone who can demonstrate knowledge, skill or experience in them is sure to land a job. The best part is that there are plenty of online resources available to practice them. The following are ways you can start doing these activities:
Understand the meaning of the following terms: information security, cyber security, confidentiality, integrity, availability, control, control objective, risk, level of risk, residual risk, risk acceptance, risk assessment, risk treatment, vulnerability, threat, impact, likelihood, audit, audit scope, access control, first party, second party, third party, conformity, nonconformity, documented information, information security incident, outsource, policy, process. The ISO 27000 standard may be referred to, or simple internet research can help you understand these.
Draft a few controls on information security / cyber security to understand the meaning of "control". Make a document and start writing controls to get a feel for what it takes to write an appropriate control. Make sure the language is such that it reads like a control. You may refer to the standards ISO 27001, NIST 800-53 or NIST CSF to identify some controls.
Understand what a checklist is and the importance of a checklist in control testing / information security audit / cyber security audit / risk assessment.
Prepare an Excel / Google Sheets based checklist of controls, including columns for how to test, what evidence to look for against each control, a column to mark conformity or nonconformity, and a column for comments. Controls may be taken from various international information security / cyber security standards such as ISO 27001, NIST 800-53 or NIST CSF.
Prepare an Excel / Google Sheets based checklist of all controls from ISO 27001 and NIST CSF, including columns for how to test, what evidence to look for against each control, a column to mark conformity or nonconformity, and a column for comments. Pay attention to the controls, their meaning and their objective.
Read and understand the standards such as ISO 27001 and NIST CSF to the best extent you can.
Read some information security policies available online. Draft an information security policy for your college, since you know about the information in your college and would be in a position to draft an appropriate policy. Pay particular attention to the use of the terms "shall", "should", "must" etc., and understand what a policy is meant to achieve for an organization / institution.
Read some information security procedures / processes online. Draft one information security procedure for your college covering one information security aspect. Pay attention to the use of the terms "should", "must", "shall" etc.
Use the checklist you have created and try to conduct a sample audit, making assumptions about your college even if you do not know the details. Make sure you record against each checkpoint what you checked, what evidence you observed, whether it is a conformity or nonconformity, and some comments giving details.
Write a few risk statements (risk assessment) in Google Sheets / Excel to understand how to draft risks and how to identify vulnerability, likelihood, impact, risk level, existing controls and residual risk. Try to give ratings to likelihood, impact, risk level and residual risk. Research sample risk assessments on the internet.
Understand the possible risk treatment options, such as mitigate, avoid, transfer and accept, and apply these risk treatment options in your risk statements to reduce the risk.
Write as many risks and policies as possible and conduct as much control testing as possible.
Sample Controls:
The access rights of all employees and external party users to information and information processing facilities shall be removed upon termination of their employment, contract or agreement, or adjusted upon change.
Backup copies of information, software and system images shall be taken and tested regularly in accordance with an agreed backup policy.
Sample checklist:
# | Checklist item | Conformity / Non conformity | Evidence | Comments |
1 | Is access removed within 24 hrs for all employees who exited the organization in the last 6 months? | | | |
2 | Is there a backup schedule available? | | | |
3 | Is backup taken on a periodic basis? What is the periodicity of backup and what type of backup is taken (incremental, differential, full)? | | | |
4 | Is backup tested on a periodic basis for recovery? What type of testing is conducted? | | | |
Sample audit:
# | Checklist item | Conformity / Non conformity | Evidence | Comments |
1 | Is access removed within 24 hrs for all employees who exited the organization in the last 6 months? | Non conformity | ID 412111: last working day was 24-April-22; however, access has not been removed from AD / Oracle application. | Out of 7 samples of employees who left, the process was not followed for 1. |
2 | Is there a backup schedule available? | Conformity | Backup schedule v5.0 dated 22-March-21 has been checked. | Backup schedule is available and defines daily, weekly and monthly backups. |
3 | Is backup taken on a periodic basis? What is the periodicity of backup and what type of backup is taken (incremental, differential, full)? | Conformity | Backup logs from the week ending 28-May and the week ending 26-Mar have been validated; daily and weekly backups were found for the critical Oracle database. | Critical systems for backup are identified. These include the Oracle database for HR, finance, configurations on AD, network devices etc. Daily incremental and weekly full backups are taken as per policy. |
4 | Is backup tested on a periodic basis for recovery? What type of testing is conducted? | Non conformity | The auditee (Mr. Rajinder) was unable to produce any evidence to demonstrate backup testing. | Backup recovery testing is not conducted. |
Sample risk assessment for secure teleworking:
Domain | Teleworking |
Vulnerability & Risk | Lack of two-factor authentication for accessing the VPN (vulnerability) may lead to compromise of access to the organization's network in a work-from-home scenario. |
Likelihood | 5 (on a scale of 1 to 5, 5 being the highest) |
Impact | 4 (on a scale of 1 to 5, 5 being the highest) |
Risk level (Likelihood * Impact) | 5*4 = 20 |
Existing control | A strong password policy is already enforced on VPN connectivity. Access to the network does not automatically provide access to resources in the company such as applications; separate access is required for each resource such as the file server and applications. However, two-factor authentication needs to be implemented to fully secure the company network. |
Revised likelihood | 5 |
Revised Impact | 4 |
Residual risk | 20 |
Risk treatment | Mitigate (options available are mitigate, transfer, avoid, accept) |
Recommended control | Implement two-factor authentication on the VPN. The second factor may be a soft token implemented on a mobile or laptop. VPN access should only be granted after the correct password and the correct token number have been submitted. |
Sample risk treatment:
Domain | Teleworking |
Vulnerability & Risk | Lack of two-factor authentication for accessing the VPN (vulnerability) may lead to compromise of access to the organization's network in a work-from-home scenario. |
Risk level | 20 |
Risk treatment | Mitigate (options available are mitigate, transfer, avoid, accept) |
Recommended control | Implement two-factor authentication on the VPN. The second factor may be a soft token implemented on a mobile or laptop. VPN access should only be granted after the correct password and the correct token number have been submitted. |
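The sample risk assessment and risk treatment above follow a fixed structure: ratings on a 1 to 5 scale, risk level = likelihood * impact, revised ratings once existing controls are considered, and one of four treatment options. The following added example (not from the original post) captures that structure as a risk statement with the checks a reviewer would apply; the rating bands and the risk appetite threshold of 8 are assumptions the page does not state.

```python
from dataclasses import dataclass

TREATMENT_OPTIONS = ("mitigate", "transfer", "avoid", "accept")
RISK_APPETITE = 8  # assumed threshold (not from the page): residual risk above it cannot simply be accepted


def risk_rating(score):
    """Map a 1-25 score to a band; the bands are an assumption, the page gives none."""
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


@dataclass
class RiskStatement:
    domain: str
    vulnerability_and_risk: str
    likelihood: int          # 1 to 5, 5 being the highest
    impact: int
    existing_control: str
    revised_likelihood: int  # ratings after taking existing controls into account
    revised_impact: int
    treatment: str

    def __post_init__(self):
        for name in ("likelihood", "impact", "revised_likelihood", "revised_impact"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be on a 1 to 5 scale")
        # Existing controls can only lower a rating, never raise it.
        if self.revised_likelihood > self.likelihood or self.revised_impact > self.impact:
            raise ValueError("revised ratings cannot exceed the original ratings")
        if self.treatment not in TREATMENT_OPTIONS:
            raise ValueError(f"treatment must be one of {TREATMENT_OPTIONS}")
        if self.treatment == "accept" and self.residual_risk() > RISK_APPETITE:
            raise ValueError("residual risk above appetite cannot be accepted")

    def risk_level(self):
        return self.likelihood * self.impact

    def residual_risk(self):
        return self.revised_likelihood * self.revised_impact


# The teleworking risk from the sample risk assessment above, entered as data.
TELEWORKING = RiskStatement(
    domain="Teleworking",
    vulnerability_and_risk="Lack of two-factor authentication for accessing the VPN may lead to compromise of access to the organization's network",
    likelihood=5, impact=4,
    existing_control="Strong password policy on VPN; separate access required per resource",
    revised_likelihood=5, revised_impact=4,  # the password policy does not address the missing second factor
    treatment="mitigate",
)
```

Entering the same risk with treatment "accept" is rejected, because a residual risk of 20 is above the assumed appetite; that is the check that keeps "accept" from becoming the default treatment in a register.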
Helpful resources:
Standards - ISO 27000 (https://www.iso.org/standard/73906.html), ISO 27001:2013 (https://www.iso.org/isoiec-27001-information-security.html), NIST CSF (link below)
OWASP risk rating methodology - https://owasp.org/www-community/OWASP_Risk_Rating_Methodology
NIST CSF - https://www.nist.gov/cyberframework