Audit & Security Testing
1 Introduction
1.1 Purpose
The purpose of this document is to provide principles that will guide the audit and security testing of processes, services and technology used within the GSOC.
1.2 Scope
The GSOC Audit and Security Testing Policy applies to the following:
- All processes within the GSOC.
- Services provided by the GSOC.
- All hardware and software used to support the GSOC services.
1.3 Audience
All KPMG staff, suppliers and business partners involved in the operation of the GSOC, and representatives from member firms that have opted into the GSOC service, shall read and understand this policy document.
A glossary of the terminology used can be found in the GSOC Information Security Policy [1].
Any exceptions to this policy shall be managed, and a record of them maintained.
2 Policy Statements
2.1 Scoping
The scope of all audits and security testing activities shall be clearly defined and approved by the GSOC Manager before commencement.
All equipment and infrastructure included in the scope of a security test or audit shall be assessed beforehand to determine the impact of those activities on the operation of the GSOC.
All stakeholders who will be impacted by security testing and audit activities, as well as those who must be present, shall be identified in advance, and arrangements made to ensure that they are aware of the activity and available when required.
2.2 Scheduling and Timeframes
The GSOC Manager shall identify in writing the allowable dates for any audits and security testing and make the necessary arrangements to facilitate such activities. The only exception is where an audit or security test must be conducted with no advance notice; the Global CISO must be notified in writing of any such audit or security test.
2.3 Approvals
Any audit or security test with a potential impact on GSOC operations must be approved before the audit or test proceeds.
2.4 Audit / Security Testing Approach
The approach to be followed for an audit or security test shall be defined before the audit or test begins.
2.5 Findings Notification
Audit findings shall be made available to the GSOC Manager and Global CISO.
2.6 Third Party Services
Approval shall be sought from the third party before any audit or security test is performed on third-party services or infrastructure that the GSOC uses but that sit outside the GSOC.