3rd September CISA Class Batch Notes


ITGC

How to build that

Airline

ITGovernance.co.uk

Audit Categories: Technical (T), Non-Technical (NT), Physical (P)

Risk Management

1. Risk Assessment Report

2. Documented Risk Register

3. Risk Management Policy / Risk Assessment Policy

Training and Awareness

Cyber Security Awareness Training: frequency once a year, for both existing and new employees.

Privacy Awareness Training: Do your employees understand what a data breach is?

Do they have a data classification policy to identify sensitive data and apply controls there?

Carrying out privacy checks: checking for privacy-related leaks in your code.

Secure Code Review (SCR) is done, but SCR does not include carrying out privacy checks in the code.

https://docs.privado.ai/getting-started-with-privado/understanding-the-results

Cloud: Middle East - AWS had a data centre in Bahrain. The UAE has a strong data protection law.

Policies and Procedures.

Cyber Security Policy


Asset Management Policy ( Do you have an asset inventory)
Access Control Policy
IAM Policy
Data Security Policy
Encryption Policy
Data Lifecycle Management Policy
Data Governance Policy -- (a company could have hundreds of applications; complete visibility of data at the org level)
Data Privacy Policy
System Audit Policy
Privacy Audit Policy
Risk Assessment Policy
Do you have a risk management / risk assessment policy or program for third parties?

Contracts with external parties.

Does the company you are auditing have a third-party security audit clause documented in the contract?

https://frsecure.com/resources/

Incident Response

Incident management policy


Whether users are reporting any security incidents.

BCP

Do they have a BCP, or do they have a DR policy?

Have they carried out any DR / BCP exercise in the last 12 months?

BCP plan

RTO / RPO values?

What kind of DR test have they performed?

Whether they underwent any external BCP audit in the last 12 months.

Third party contract

Ask the company to share their contract and look for any security clause for third parties.

Whether the company is sharing any customer data or their own data with third parties.

Secure Configuration -- Technical

Secure configuration of servers, applications, DevOps processes, databases and firewalls, for the entire infrastructure.

Are they maintaining a configuration change history and audit trail ?

Audit Trail: example of operating system changes

October 2021: transparent_huge_pages = disabled

February 2022: transparent_huge_pages = 4 GB: who enabled this parameter and what was the first changed value? That is what the audit trail has to answer.

June 2022: transparent_huge_pages = 16 GB

August 2022: transparent_huge_pages = 8 GB
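As an added example (not from the class notes), a small script that reads a configuration change audit trail like the transparent_huge_pages history above and answers the auditor's questions: who first enabled the parameter and what the first changed value was, which changes have no change ticket, and where the old/new chain breaks, meaning a change happened outside the trail. The entry layout, user names and ticket ids are constructed.

```javascript
// Constructed configuration change audit trail that follows the
// transparent_huge_pages history in the notes; the users and ticket ids are
// placeholders. Dates are ISO strings, so string order is date order.
const SAMPLE_TRAIL = [
  { date: "2022-08-01", param: "transparent_huge_pages", oldValue: "16 GB", newValue: "8 GB", by: "ops-b", ticket: "CHG-0042" },
  { date: "2021-10-05", param: "transparent_huge_pages", oldValue: "", newValue: "disabled", by: "ops-a", ticket: "CHG-0007" },
  { date: "2022-06-10", param: "transparent_huge_pages", oldValue: "4 GB", newValue: "16 GB", by: "ops-b", ticket: "" },
  { date: "2022-02-14", param: "transparent_huge_pages", oldValue: "disabled", newValue: "4 GB", by: "ops-c", ticket: "CHG-0019" },
];

// History of one parameter in chronological order.
function history(trail, param) {
  return trail.filter((e) => e.param === param).sort((a, b) => a.date.localeCompare(b.date));
}

// The auditor's question from the notes: who first moved the parameter away
// from "disabled", and what was that first changed value? null if never enabled.
function firstEnabled(trail, param) {
  return history(trail, param).find((e) => e.oldValue === "disabled" && e.newValue !== "disabled") || null;
}

// Changes with no change ticket: gaps an auditor flags, since the value
// changed with no record of who approved it.
function unapproved(trail) {
  return trail.filter((e) => !e.ticket);
}

// Each entry's oldValue should equal the previous entry's newValue; a break
// means a change was made outside the recorded trail.
function missingChanges(trail, param) {
  const h = history(trail, param);
  const gaps = [];
  for (let i = 1; i < h.length; i++) {
    if (h[i].oldValue !== h[i - 1].newValue) gaps.push({ before: h[i - 1], after: h[i] });
  }
  return gaps;
}

module.exports = { SAMPLE_TRAIL, history, firstEnabled, unapproved, missingChanges };
```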

Security Updates and Patches

Are patches applied at all infrastructure levels?

If a company is maintaining cloud assets, you could ask them for their cloud inventory and whether they have applied patches across all of their cloud resources. The development environment is not to be overlooked.

Breach Management

Data Breach Response Policy? This is not the same as a cyber security incident response.

Are they maintaining a privacy risk register?

Privacy code check tool: at the code level.

Look at some specific areas:

1. As an auditor: show us your reporting layer, how the data is getting accessed there, and for sensitive data what security controls have been deployed.

2. ETL layer: what security controls are in place to secure sensitive data?

3. Whether they are allowing any users to use their personal devices to access corporate information.

Users having access to Microsoft Teams on their personal devices as well? Look at developers or sales people and do a random audit of their devices.

How do you address risk? Quantitative risk analysis or qualitative risk analysis?

Qualitative Risk Analysis: risk is assessed from human judgement and experience.

Quantitative Risk Analysis: AV = Asset Value; EF = Exposure Factor, in terms of percentage, e.g. 30%; Rate of Occurrence: with one year chosen as the unit, how many times this threat could occur, e.g. 3 times in a year.

Overall Loss Expected = Asset Value * EF * 0.25

Risk Register: a document used to track all ongoing cyber security risks; it serves as the record of remediation status and of new risks.
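An added example, not from the notes, that puts the quantitative formulas into code using the notes' EF (30%) and rate of occurrence (3 per year) and goes one step further than the text: ranking the open rows of a constructed risk register by annualized loss and applying the usual cost-benefit test to a proposed control. Register rows and control costs are constructed sample values.

```javascript
// Quantitative risk analysis as in the notes: SLE = AV * EF is the loss from
// one occurrence, ALE = SLE * ARO is the expected loss per year, where ARO is
// the rate of occurrence with one year as the unit.
function sle(av, ef) {
  return av * ef;
}
function ale(av, ef, aro) {
  return sle(av, ef) * aro;
}

// Cost-benefit test for a proposed control: yearly loss avoided minus the
// control's yearly cost. Negative means the control costs more than the
// risk it removes, which is a reason to accept or transfer the risk instead.
function controlValue(aleBefore, aleAfter, controlCost) {
  return aleBefore - aleAfter - controlCost;
}

// Constructed risk register rows using the EF (30%) and ARO (3 per year)
// from the notes; status is the remediation status the register tracks.
const SAMPLE_REGISTER = [
  { name: "Unpatched cloud VM", av: 100000, ef: 0.3, aro: 3, status: "open" },
  { name: "Lost unencrypted laptop", av: 50000, ef: 1.0, aro: 0.5, status: "in progress" },
  { name: "Legacy app retired", av: 900000, ef: 0.5, aro: 2, status: "closed" },
];

// Open risks ordered by ALE, highest first: the order in which an auditor
// expects remediation effort to be prioritised.
function rankOpen(register) {
  return register
    .filter((r) => r.status !== "closed")
    .map((r) => ({ ...r, ale: ale(r.av, r.ef, r.aro) }))
    .sort((a, b) => b.ale - a.ale);
}

module.exports = { sle, ale, controlValue, SAMPLE_REGISTER, rankOpen };
```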

Mobile devices

Do you have a BYOD policy? Have you defined any controls for the mobile application?

If somebody uses a mobile device, what controls have been put on the mobile device for accessing a corporate asset? Mobile Device Management.

Audit and assess what was accessed by whom.

How is the organization addressing mobile security concerns?

Data Storage ( Encryption)

Data at rest, data in transit and data in use: what security controls are deployed? Evaluate those security controls.

1. Data Encryption

Furthermore, in data storage, if you are encrypting the data, where are you storing the encryption key, and how is the encryption key secured?

The data you encrypt is encrypted using a key known as the DEK (Data Encryption Key), and this DEK is further encrypted with another key known as the MK or MEK (Master Encryption Key).

Whether they have an encryption policy?

These questions will also be covered for data backups.

Data Security

2. Data Masking 3. Data Tokenization 4. Data Anonymization

Data Tokenization

Today is the first day of the September 2022 CISA class.

Replace actual data with some junk data; behind the scenes, when this data is used by the application, the tokenization server replaces the junk data with the actual data. Some character mapping is done from the actual data to the junk data.

bdfskfsndkdfsnfdsndfsndfsjndsfjjdjnkdsfnksdfnksdfnkdsf -- generating a token for your data.

Data Anonymization -- removing PII from actual data.

Development

Are they performing a secure code review or not?

Most organizations fail in compliance here.

A change ticket is raised for a code fix. Approval is generally given for fixing the functionality, but is the code fix assessed from a security perspective before moving to production? This is 70% of non-compliances.

Secure SDLC?

Secure Monitoring

Firewalls , SIEM , IDS/IPS , DLP

Data Privacy

Does the company deal with GDPR?

Data privacy policy: do you have it?

Past Privacy Impact Assessment reports?

ITGC : Information Technology General Controls

Case Study : Airlines

ITGC : IT Related General Controls

IT General Controls Audit Report

Looking at Workstations and Laptops

Whether password protection is in place

Whether disk encryption is in place

Whether the user has any admin rights

Whether endpoint protection is enabled

Whether the user can bypass corporate security controls and cause data leaks

Whether there is a provision for stopping access to bad websites / blocked sites

Conducting an ITGC audit, which may not include regulations.

If you are auditing a healthcare company, maybe you are not including HIPAA regulations in the ITGC audit.

CIS critical security controls

List of Questionnaires
Akasa Air Data Breach ?

For the aviation sector, purely from an overall security point of view:

Credit card details -- passenger details

Infrastructure

Data Governance Policy: in a business, what are the areas that generate data?

Critical infrastructure sector.

Passenger traffic generates data: bookings and other things; we are storing that data.

Credit card data -- PCI-DSS compliance (the majority of those twelve requirements will come into play).

Infrastructure - servers, web application, mobile application, networks, etc.

Is the aircraft crucial for cyber security? Asset Value -- Physical Security.

A single aircraft on a single route generates a tremendous amount of data.

Cockpit - avionics software -- altimeter: current height at which the aircraft is flying, and what is the current speed?

CAN network: Controller Area Network: all the in-flight apparatus in the cockpit.

Anybody who has physical access to this can cause damage. With a lot of new features including wireless and Bluetooth, there are chances of remote access.

CAN bus software can have software vulnerabilities.

Passenger infotainment system -- third-party vendors.

ACARS - Aircraft Communications Addressing and Reporting System -- this entire communication is left unencrypted.

AMS - encrypted communication

LAPP --

FLS - Field Loadable Software - security assessment -- TCAS -

UMS = User Modifiable Software: undergoes no certification

ADS-B - Automatic Dependent Surveillance-Broadcast

EFB: touchpad / iPads

inflight data backup

baways.com

Middle East -- public terminals

End to end encryption

Software glitch-- Boeing 737 Max issues with

Stuxnet

10 to 11 pm IST

Saturday : 5 hrs

