Information Security Management and Auditing

11.

Specialized Security Auditing Areas

11.1.

Cloud Security Auditing

11.1.1.

Cloud Service Models

11.1.1.1.

Infrastructure as a Service (IaaS)

11.1.1.2.

Platform as a Service (PaaS)

11.1.1.3.

Software as a Service (SaaS)

11.1.2.

Cloud Deployment Models

11.1.2.1.

11.1.2.2.

11.1.2.3.

11.1.2.4.

11.1.3.

Shared Responsibility Model

11.1.3.1.

Provider Responsibilities

11.1.3.2.

Customer Responsibilities

11.1.3.3.

Shared Controls

11.1.4.

Cloud Audit Challenges

11.1.4.1.

Visibility Limitations

11.1.4.2.

Data Location and Sovereignty

11.1.4.3.

Vendor Lock-in Risks

11.1.5.

Cloud Security Alliance (CSA) Framework

11.1.5.1.

Cloud Controls Matrix (CCM)

11.1.5.2.

Consensus Assessments Initiative Questionnaire (CAIQ)

11.1.5.3.

Security Trust Assurance and Risk (STAR)

11.2.

Application Security Auditing

11.2.1.

Secure Development Lifecycle Auditing

11.2.1.1.

Requirements Phase Security

11.2.1.2.

Design Phase Security

11.2.1.3.

Implementation Phase Security

11.2.1.4.

Testing Phase Security

11.2.1.5.

Deployment Phase Security

11.2.1.6.

Maintenance Phase Security

11.2.2.

Code Review and Analysis

11.2.2.1.

Static Application Security Testing (SAST)

11.2.2.2.

Dynamic Application Security Testing (DAST)

11.2.2.3.

Interactive Application Security Testing (IAST)

11.2.2.4.

Manual Code Review

11.2.3.

Web Application Security

11.2.3.1.

OWASP Top 10 Vulnerabilities

11.2.3.2.

Web Application Firewalls

11.2.3.3.

11.2.4.

Mobile Application Security

11.2.4.1.

Mobile Platform Security

11.2.4.2.

Application Store Security

11.2.4.3.

Mobile Device Management

11.3.

Identity and Access Management (IAM) Auditing

11.3.1.

Identity Governance

11.3.1.1.

Identity Lifecycle Management

11.3.1.2.

Role Management

11.3.1.3.

Segregation of Duties

11.3.2.

Access Management

11.3.2.1.

Authentication Systems

11.3.2.2.

Authorization Mechanisms

11.3.2.3.

Single Sign-On (SSO)

11.3.3.

Privileged Access Management

11.3.3.1.

Privileged Account Discovery

11.3.3.2.

Session Management

11.3.3.3.

Activity Monitoring

11.3.4.

Access Certification

11.3.4.1.

Periodic Access Reviews

11.3.4.2.

Automated Certification

11.3.4.3.

Exception Management

11.4.

Third-Party Risk Auditing

11.4.1.

Vendor Risk Assessment

11.4.1.1.

Due Diligence Processes

11.4.1.2.

Risk Rating Methodologies

11.4.1.3.

Contract Security Requirements

11.4.2.

Supply Chain Security

11.4.2.1.

Supplier Security Standards

11.4.2.2.

Supply Chain Risk Management

11.4.2.3.

Vendor Monitoring Programs

11.4.3.

Outsourcing Security

11.4.3.1.

Service Level Agreements

11.4.3.2.

Right to Audit Clauses

11.4.3.3.

Performance Monitoring

11.5.

Privacy and Data Protection Auditing

11.5.1.

Privacy Program Assessment

11.5.1.1.

Privacy Governance

11.5.1.2.

Privacy Policies and Procedures

11.5.1.3.

Privacy Training and Awareness

11.5.2.

Data Protection Impact Assessment (DPIA)

11.5.2.1.

DPIA Process Steps

11.5.2.2.

Risk Identification and Mitigation

11.5.2.3.

Stakeholder Consultation

11.5.3.

Data Handling Audits

11.5.3.1.

Data Collection Practices

11.5.3.2.

Data Processing Activities

11.5.3.3.

Data Retention and Disposal

11.5.3.4.

Cross-Border Data Transfers

Previous

10. Security Frameworks and Standards

Go to top

Next

12. Emerging Technologies and Future Considerations