Back to Course

Governance & Compliance

0% Complete
0/33 Steps
  1. Data Privacy
    Authority
  2. Why data privacy matters?
  3. Where you are most likely to encounter Personal Data?
  4. How to collect and use Personal Data appropriately?
  5. How to share, store, and protect Personal Data?
  6. When retained Personal Data is no longer needed?
  7. How to manage data privacy queries?
  8. Information Protection
    How to manage data privacy incidents?
  9. Data Classification
  10. Audit & Security Testing
  11. Continuous Improvement
  12. Darkline
  13. Data Handling and Privacy Process
  14. Document Management Process
  15. Backup & Recovery Process
  16. Change Management Process
  17. Communication Process
  18. Escalation Process
  19. Identity & Access Management Process
  20. Incident Management Process
  21. Human Resources
    Career Management Process
  22. Resource On-boarding Process
  23. Resource Off-boarding Process
  24. Service Desk Management Process
  25. Test Management Process
  26. Detection Optimization Process
  27. Service Oriented Model
    Service Management
  28. Subsidiary Onboarding Process
  29. Non-attribution Process
  30. SOAR Management Process
  31. Security Incident Management Process
  32. Shift Management Process
  33. Triage Process

Participants3

Governance & Compliance Audit & Security Testing
In Progress
Lesson 10 of 33
In Progress

Audit & Security Testing

Secure x Design

1                  Introduction

1.1              Purpose

The purpose of this document is to provide principles that will guide the audit and security testing of processes, services and technology used within the GSOC.

1.2          Scope

The GSOC Audit and Security Testing Policy applies to the following:

  • All processes within the GSOC.
  • Services provided by the GSOC.
  • All hardware and software used to support the GSOC services.

1.3              Audience

All KPMG staff, suppliers and business partners involved with the operations of the GSOC, and representatives from member firms that have opted into the GSOC service shall read and understand this policy document.

A Glossary of the terminology used can be found in the GSOC Information Security Policy [1].

Any exceptions shall be managed and maintained.

2                  Policy Statements

2.1              Scoping

The scope of all audits and security testing activities shall be clearly defined and approved by the GSOC Manager before commencement.

All equipment and infrastructure included in the scope for security testing or audit shall be assessed to determine the impact of such activities on the operation of the GSOC.

All stakeholders that will be impacted by security testing and audit activities as well those that must be present shall be identified in advance and arrangements made to ensure that they are aware, and available when required.

2.2              Scheduling and Timeframes

The GSOC Manager shall identify in writing the allowable dates for any audits and security testing and make necessary arrangements to facilitate such activities. The only exception is where audits / security testing must be conducted with no advanced notice. The Global CISO must be notified in writing of such audit / security tests.

2.3              Approvals

Any audits or security testing with potential impact to the operations must be approved before said audit / test can proceed.

2.4              Audit / Security Testing Approach

An audit / security testing approach shall be defined prior to any audit / security testing.

2.5              Findings Notification

Audit findings shall be made available to the GSOC Manager and Global CISO.

2.6              Third Party Services

Approval shall be sought from Third Parties for audits and security testing performed on third party services or infrastructure used by the GSOC outside of the GSOC.

3                  References