The main information you need to pr

The main information you need to protect your organization's information is, for example, order details The company's expenditures employee salary information, password information network officer, etc. Where this information is located on the Database Server or other servers in the protection and security of data are related to the security of the computer hosting and networking. In addition to these important data. If hackers did something else that seems important, but rarely have the hackers can apply that information to improve performance in attack/control systems, resulting in more data, it should be to protect them as well. For example, a network diagram, model/brand of each device, data, name/surname date/month/year of birth of the employee and the officers do networking, etc. Control access to sensitive data from a distance would require risk assessment finds vulnerabilities and vulnerability protection, for example, found that the incidence of skipping through a rights monitoring SQL Injection, which can remove the hand in the Database have protected the XSS attacks can steal the Cookie/Session ID of the Webmaster, and then log on to the Web site with the permission of the Webmaster, Webmaster often manage information in the Database via the Web.In addition to protecting corporate information and need to protect customer data, such as customer credit card information in the Database of the website e-commerce. Various2.4 trainingThe training includes both a general and a baepoprom certificate (Certificate) in the section certificate exam with multiple can be divided as follows:The basics, CCSA, CWNA, i-Net +, Security +, CIW, CCSPA CCSE intermediate Security Analyst, CWSP. High level of Solaris 9 Security, CCSP, CCSE Plus, CCMSE, CISSP, SSCP.2.5 verification (Audit)The current auditor IS/IT Auditor or information system is a career that requires. Specialists working party examines party system development and operation. The information that a big problem is a shortage of information systems auditor. The world at the moment, many people still understand that "internal auditors" refers to "information systems auditor" say this isn't wrong, but it does not mean that the information system Auditors are divided into two categories: internal information system Auditor (Internal Auditor IS/IT) and not exposed to information system auditor.Yonok (IS IT/External Auditor), the difference is that the internal information system Auditors, it is the Organization's own staff do not come from people outside the normal internal information system auditor will audit department belongs. Internal information system which reports to Board of director is responsible for monitoring. The overall information system in the organization is free from the control of the party system.Free Information from the control or the CIO of best free system information from external auditor.Information or the control of the external information system auditor best CIO organizations often make hiring an external professional bodies (3rd Party Security Audit Firm) to act as auditor. Information system in the view of the people. The organization is also obvious differences is the professionalism and independence of the External Auditor summarized IT all IT says is IT Internal Auditor and External Auditor all play an important role in monitoring the Organization's information system, but it may be located in Yamaguchi and mommo different pages by Internal Auditor IT focuses. Check periodically in accordance with the annual audit schedule Mong the point to focus on the security of information system in the view of the expert yu tea. The data security model and techniques of investigation is divided into the following stages, level 3.Step 1: Best Practices Checklist or Interview TechniquesThis procedure is basic steps that should be made in the introduction to the first. Sometimes we prefer are called."Gap Analysis" ISO/IEC 27001-based Best Practice or CobiT Framework.Applied as a Checklist Audit to interview (Interview session) Verification at this stage focus on the PP (People and Process) In PPT (People, Process and Technology) said the Concept is to make information systems auditor. Understand the concept and awareness of information security management organization. Administrator. Information systems, as well as general computer user in the interview (Interview Schedule), which normally should not exceed 10 people, each person should not exceed 1 hour interview and make the information systems auditor is seen as Best Practice Information Security have led enterprise or corporate Framework in which financial organizations may not "Comply" in accordance with Best Practice in some topics cause organizations to be aware of their own weaknesses, as auditing guidelines in the next step.Step 2 Vulnerability Assessment TechniquesThis step focuses on monitoring, in view of the T (Technology) in PPT (People, Process and Technology) Concept is a deep technical review. An interview with Best Practices Checklist (in step 1), which will allow the auditor to have insights into the information system vulnerability (Vulnerability) or weakness of information systems that can be verified by using a Vulnerability Scanner such as Nessus (Opensource Scanner) failing to provide information administrators recognize and agree to. The problem caused by the vulnerability of a system that has not yet been resolved by should be presented in the form of a High level of Risk, risk, Medium Risk or a Low Risk, etc. Information technology auditor, it is necessary to have a basic knowledge of Information Security in one level and should have the skills to use the Vulnerability Scanner, which is regarded as a "Tool" or tools to verify that the required sop monitor using translations. Vulnerability Scanner results and present results in a format that is easy to understand the key points of the VA or Vulnerability Assessment, because if it is not interpreted as an anchor in accordance with SANS TOP 20 or OWASP Web Application Security Standard will make it an objective to refer to the international standard, so the translation of results from various standard Vulnerability Scanner should aid in presented in PowerPoint format that executives can easily understand. Visualize a problem that may occur on the system. The information clearly.

The main information you need to protect your organization's information is, for example, order details The company's expenditures employee salary information, password information network officer, etc. Where this information is located on the Database Server or other servers in the protection and security of data are related to the security of the computer hosting and networking. In addition to these important data. If hackers did something else that seems important, but rarely have the hackers can apply that information to improve performance in attack/control systems, resulting in more data, it should be to protect them as well. For example, a network diagram, model/brand of each device, data, name/surname date/month/year of birth of the employee and the officers do networking, etc.
Control access to sensitive data from a distance would require risk assessment finds vulnerabilities and vulnerability protection, for example, found that the incidence of skipping through a rights monitoring SQL Injection, which can remove the hand in the Database have protected the XSS attacks can steal the Cookie/Session ID of the Webmaster, and then log on to the Web site with the permission of the Webmaster, Webmaster often manage information in the Database via the Web.
In addition to protecting corporate information and need to protect customer data, such as customer credit card information in the Database of the website e-commerce. Various

2.4 training
The training includes both a general and a baepoprom certificate (Certificate) in the section certificate exam with multiple can be divided as follows:
The basics, CCSA, CWNA, i-Net +, Security +, CIW, CCSPA CCSE intermediate Security Analyst, CWSP. High level of Solaris 9 Security, CCSP, CCSE Plus, CCMSE, CISSP, SSCP.

2.5 verification (Audit)
The current auditor IS/IT Auditor or information system is a career that requires. Specialists working party examines party system development and operation. The information that a big problem is a shortage of information systems auditor. The world at the moment, many people still understand that "internal auditors" refers to "information systems auditor" say this isn't wrong, but it does not mean that the information system Auditors are divided into two categories: internal information system Auditor (Internal Auditor IS/IT) and not exposed to information system auditor.Yonok (IS IT/External Auditor), the difference is that the internal information system Auditors, it is the Organization's own staff do not come from people outside the normal internal information system auditor will audit department belongs. Internal information system which reports to Board of director is responsible for monitoring. The overall information system in the organization is free from the control of the party system.
Information or free from the control of the CIO best external information system auditor.Information or free from the control of the CIO best external information system auditor องค์กรมักจะทําการจัดจ้างหน่วยงานมืออาชีพภายนอก (3rd Party Security Audit Firm)มาทําหน้าที่เป็นผู้ตรวจสอบ

ระบบสารสนเทศในมุมมองของคน นอกองค์กร ซึ่งความแตกต่างที่เห็นได้ชัดเจน คือ ความเป็นมืออาชีพ และความเป็น อิสระของ IT External Auditor กล่าวโดยสรุปคือ ทั้ง IT Internal Auditor และ IT External Auditor ล้วนมีบทบาทสําคัญในการตรวจสอบระบบสารสนเทศขององค์กร แต่ อาจอยู่ในมมมองุ และ หน้าที่ที่แตกต่างกัน โดย IT Internal Auditor จะเน้นที่การ ตรวจสอบเป็นระยะๆ ตามตารางการตรวจสอบประจําปี
จุดม่งหมายจะเน้นไปที่ความปลอดภัยของระบบสารสนเทศในมุมมองของผู้เชี่ยวชาญุ ด้านความปลอดภัยข้อมูล โดยรูปแบบและเทคนิคของการตรวจสอบแบ่งออกเป็น 3 ระดับขั้นดังนี้

ขั้นตอนที่1Best Practices Checklist or Interview Techniques
ขั้นตอนนี้เป็นขั้นตอนพื้นฐานที่ควรทําในเบื้องต้นก่อน บางครั้งเรานิยมเรียกว่า
“Gap Analysis” โดยใช้ISO/IEC 27001 Best Practice หรือ CobiT Framework

นํามาประยุกต์เป็น Audit Checklist เพื่อนําไปสัมภาษณ์(Interview session) การ ตรวจสอบในขั้นตอนนี้มุ่งเน้นไปที่PP (People and Process) ใน PPT (People, Process and Technology) Concept กล่าวคือ ทําให้ผู้ตรวจสอบระบบสารสนเทศได้ เข้าใจแนวคิดและความตระหนักเรื่องความปลอดภัยข้อมูลของผู้บริหารองค์กร ผู้ดูแล ระบบสารสนเทศ ตลอดจน ผู้ใช้งานคอมพิวเตอร์ทั่วไปที่อยู่ในตารางการสัมภาษณ์ (Interview Schedule) ซึ่งปกติไม่ควรเกิน 10 คน ซึ่งแต่ละคนไม่ควรสัมภาษณ์เกิน 1 ชั่วโมง และทําให้ผู้ตรวจสอบระบบสารสนเทศได้เห็นว่า องค์กรได้นํา Information Security Best Practice หรือ Framework มาประยุกต์ใช้ในองค์กรหรือไม่ซึ่งทาง องค์กรอาจจะยังไม่“Comply” ตาม Best Practice ดังกล่าวในบางหัวข้อ ทําให้องค์กร ได้รับทราบจุดอ่อนของตนเอง เพื่อเป็นแนวทางในการตรวจสอบในขั้นตอนต่อไป
ขั้นตอนที่2Vulnerability Assessment Techniques

ขั้นตอนนี้มุ่งเน้นการตรวจสอบในมุมมองของ T (Technology) ใน PPT (People, Process and Technology) Concept เป็นการตรวจสอบทางเทคนิคที่ลึกกว่า การสัมภาษณ์โดยใช้Best Practices Checklist (ในขั้นตอนที่1) ซึ่งจะช่วยให้ผู้ ตรวจสอบระบบสารสนเทศได้เจาะลึกถึงช่องโหว่(Vulnerability) หรือ จุดอ่อนของ ระบบสารสนเทศที่สามารถตรวจสอบโดยใช้Vulnerability Scanner เช่น Nessus (Opensource Scanner) เพื่อให้ผู้ดูแลระบบสารสนเทศเกิดความตระหนักและเห็นถึง ปัญหาที่เกิดจากช่องโหว่ของระบบที่ยังไม่ได้รับการแก้ไข โดยควรนําเสนอในรูปแบบของ ระดับความเสี่ยงเช่น High Risk, Medium Risk หรือ Low Risk เป็นต้น ผู้ตรวจสอบสารสนเทศจึงจําเป็นต้องมีความรู้พื้นฐานด้าน Information Security ในระดับหนึ่ง และควรมีทักษะในการใช้Vulnerability Scanner ซึ่งถือเป็น “Tool” หรือเครื่องมือในการตรวจสอบ ที่ผู้ตรวจสอบฯ จําเป็นต้องมีไว้ใช้งาน การแปล ผลจาก Vulnerability Scanner และนําเสนอผลในรูปแบบที่เข้าใจง่ายเป็นจุดสําคัญของ การทํา VA หรือ Vulnerability Assessment เพราะหากแปลผลผิด เช่น ไม่ยึดตาม มาตรฐาน SANS TOP 20 หรือ OWASP Web Application Security Standard ก็จะ ทําให้ผิดวัตถุประสงค์ในการอ้างอิงกับมาตรฐานสากล ดังนั้นการแปลผลจาก Vulnerability Scanner ควรนํามาตรฐานต่างๆ มาช่วยในการนําเสนอในรูปแบบ PowerPoint ที่ผู้บริหารสามารถเข้าใจได้ง่าย เห็นภาพปัญหาที่อาจเกิดขึ้นกับระบบ สารสนเทศได้อย่างชัดเจน

The main information you need to protect your organization 's information is for example, order details, The company s expenditures.' Employee, salary information password information network, officer etc. Where this information is located on the Database. Server or other servers in the protection and security of data are related to the security of the computer hosting and networking.In addition to these important data. If hackers did something else that seems important but rarely, have the hackers can. Apply that information to improve performance in attack / control systems resulting in, more data it should, be to protect. Them as well. For example a, network, diagram model / brand of each device data,,Name / surname date / month / year of birth of the employee and the officers, do networking etc.
Control access to sensitive. Data from a distance would require risk assessment finds vulnerabilities and vulnerability protection for example found,,, That the incidence of skipping through a rights monitoring, SQL InjectionWhich can remove the hand in the Database have protected the XSS attacks can steal the Cookie / Session ID of, the Webmaster. And then log on to the Web site with the permission of the Webmaster Webmaster often, manage information in the Database. Via the Web.
In addition to protecting corporate information and need to protect, customer dataSuch as customer credit card information in the Database of the website e-commerce. Various


2.4 training The training. Includes both a general and a baepoprom Certificate (Certificate) in the section certificate exam with multiple can be divided. As follows:
The basics CCSA CWNA,,,,,, i-Net Security CIW CCSPA CCSE intermediate, Security Analyst CWSP. High level. Of Solaris 9 Security CCSP,,,,, CCSE Plus CCMSE CISSP SSCP.

2.5 verification (Audit)
The current auditor IS / IT Auditor or information system is a. Career that requires. Specialists working party examines party system development and operation. The information that a. Big problem is a shortage of Information Systems Auditor. The world at, the momentMany people still understand that "internal auditors" refers to "Information Systems Auditor" say this isn ', t wrong but. It does not mean that the information system Auditors are divided into two categories: internal information system Auditor. (Internal Auditor IS / IT) and not exposed to information system auditor.Yonok (IS IT / External Auditor),The difference is that the internal information, system Auditors it is the Organization 's own staff do not come from people. Outside the normal internal information system auditor will audit department belongs. Internal information system which. Reports to Board of director is responsible for monitoring.The overall information system in the organization is free from the control of the party system.
Information or free from. The control of the CIO best external information system auditor.Information or free from the control of the CIO best external information system auditor organizations often make procurement agency professional outside. (3rd Party Security Audit Firm) to serve as the inspector

.Information system in view of people outside the enterprise, which the difference obviously is the professionalism and the freedom of IT External. Auditor conclusion is both IT Internal Auditor IT External and Auditor.But may be in ~ two radio and functions that vary by IT Internal Auditor will focus on monitoring periodically scheduled annual inspection
.Aim to focus on the security of information system in the view of experts, the security information. The styles and techniques of inspection is divided into 3 level as follows:

step 1Best Practices Checklist or Interview Techniques
.This procedure is a basic step should be done in the introduction. Sometimes we often called
"Gap Analysis" by ISO / IEC 27001 Best Practice or CobiT Framework

.Be applied as Audit Checklist to interview (Interview session). Check at this stage focus on PP (People. And Process), PPT (PeopleProcess and Technology) Concept namely, make information system auditor. Understand the concept and awareness of safety of executive supervisor information system as well.(Interview Schedule) which normally should not exceed 10 people. Each person should not exceed 1 interview hours. And make the information system auditor that the organization has brought Information Security Best Practice or Framework applied in the enterprise? Which way.According to Best Practice such in a certain topic, make the enterprise get to know their weaknesses. As the guideline to check the next step!The second step Vulnerability Assessment Techniques

this stage focus on monitoring, in view of the T (Technology), PPT (PeopleProcess and Technology) Concept examines technical deeper interview by Best Practices Checklist (in step 1). Which will help people. Check the information system data vulnerability (Vulnerability) or weakness.Scanner such as Nessus (Opensource Scanner) to the administrator information increase awareness and see. Problems arising from the risk that has not been resolved by should be presented in the form of higher risks such as High, RiskMedium Risk or Low Risk etc. the information is required to have basic knowledge Information Security at level one. And should have the skills to use Vulnerability Scanner which is considered as the "Tool" or a tool to check the inspectors test.Translation results from Vulnerability Scanner and present results in a form easy to understand is the key point of making VA or Vulnerability Assessment. Because if translated wrong results, such as not based on standard SANS TOP 20 or OWASP Web Application Security Standard will.So the interpretation of Vulnerability Scanner should take various standards to help in the presentations in the form PowerPoint that managers can understand easily. See the problems that may occur with information system clearly
.