Audit – Proof Information System Security Controls, Wednesday, August 18, 2010, John R. Robles

Date post: 25-Dec-2015

Transcript
Page 1: Audit – Proof Information System Security Controls, Wednesday, August 18, 2010, John R. Robles, Email: jrobles@coqui.net, Tel: 787-647-3961.

Audit – Proof Information System Security Controls

Wednesday, August 18, 2010

John R. Robles
Email: jrobles@coqui.net
Tel: 787-647-3961

Puerto Rico Chapter

Page 2


For those of you who took the CISSP exam, an audit of your institution’s IS security controls is a real-life CISSP exam.

If you pass the CISSP exam, you can get certified.

If you pass the audit examination, you get to keep your job.

Audit-Proof IS Security Controls

Page 3


So how can I pass an IS audit? And keep my job.

• 1st, Reduce your stress levels.
• 2nd, Prepare for your audit
  Have documentation of everything related to IS security controls.
  Be prepared to answer questions and provide information.
• 3rd, Argue with the auditor only if you know you are right and he/she is wrong. (Both conditions)
  (If you are certified (CISA, CISM, CISSP), and he/she is not, you might argue)

Page 4


Reduce your stress levels

Most likely, it’s not your first audit experience
• If you are the CISO, then you have already been through an audit.
• Your audit results should get better with time.
• If there were recommendations on your last audit, make sure you have remedied the exceptions
• Try to improve your evaluation score

If it’s your 1st audit,
• And you are CISA, CISM, and/or CISSP, you know the theory. Review that theory, again.
• 1st timers, get an audit work program (FDIC, etc.)

Page 5


Review and provide documentation of everything related to IS security controls

Institution’s organization chart
Security dept. organization chart
• Job descriptions
• Security training schedules
Security dept. long- and short-range plans
Policies and procedures
List of all hardware and location
List of all software and location


Page 6


Documentation (Cont.)

List of vendors (hardware, software, security management services)
Network diagrams
List of authorized persons per application and system (Local and Remote)
• Identify root and admin users
IS Security configurations on PCs, servers, and networks
Business Continuity Plan


Page 7


Lack of adequate documentation can impact the evaluation of your audit.
It could cause auditors to look in more detail at your security controls and find more exceptions

Audit-proof security controls implies that all security controls are documented.

Audit-proof IS security controls are those that the auditor expects to review, analyze, and report on.


Page 8


Try to visualize security controls as the auditor would, that is, as
Preventive Security Controls
Detective Security Controls
Corrective Security Controls

Those controls should address the CIA (Confidentiality, Integrity, Availability) of the institution’s information

Page 9


Be prepared to answer questions and provide information regarding how you maintain the Confidentiality of information

Review what is confidential information?
• Show the categorization of information
  If you know what is confidential and sensitive information, then you know what is not confidential and sensitive
• Show Information System Risk Assessment and Risk Management program


Page 10


How do you protect the confidentiality?
• Show / discuss policies related to Confidentiality and ACLs
• Show / discuss Access Control Lists (ACLs) by application
• Show / discuss Internet and remote access filtering via routers and firewalls
• Show / discuss procedures to provide, change, and delete from the ACLs


Page 11


Confidentiality (Cont.)

Show / discuss security controls to detect the violation of confidentiality
• Wrong passwords limit and reset
• Password structure and duration
• Discuss logging of all access to all confidential information
• Discuss physical access restrictions and logs
• Discuss your router and firewall configurations
• Discuss the setup of the DMZ
• Discuss the security configuration of servers, PCs, routers, and firewalls

Page 12


Detect Violation of Confidentiality (Cont.)
• Show / discuss how access controls are tested to ensure violations are prevented, detected / notified, and corrected
• Incident Response program - Review this key security control when violations are discovered and notified
  Discuss how major violations were detected or NOT
  Discuss how violations notifications were handled or NOT
  Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence

Page 13

Be prepared to answer questions and provide information regarding how you maintain the Integrity of information.

• Show / discuss the key security control of Change Management to hardware, software, network, and security parameters
• Discuss Approval, Implementation, and Testing of changes
• Discuss actual changes to:
  ACLs
  Hardware, Application Software, and Operating Systems
  Network hardware and software,
  Security settings on HW, SW, and Network

Page 14


Discuss how Changes to HW, Application SW, Operating Systems, and Network are tested.
Discuss approved requisitions,
Discuss Approved Tests of changes by User, IT personnel, and Security personnel
Discuss tests of approved updated security configurations
Update related documentation
• List of approved HW, SW, Network components
• Network diagram


Page 15


Detect Violations of Integrity
• Show / discuss how Change Management controls are tested to ensure integrity violations are prevented, detected / notified, and corrected
  Discuss IP mapping software to detect unauthorized HW.
  Discuss prevention, detection, and removal of non-approved hardware (wired, wireless, PC-based, Server-based)
  Discuss Virus, Malware, and Spam prevention, detection, & removal
  Discuss the maintenance of Server, PC, and Network configuration documentation
  Discuss IPS (Intrusion Prevention) and IDS (Intrusion Detection) elements

Page 16


• Look at previous security controls as
  Preventive
  Detective
  Corrective
• Use documented base-line inventories of HW, SW, Network, and Security parameters (SW patches)
• Perform HW, SW, Network scans to determine actual inventory of HW, SW, Network components, and security parameters.
• Compare documented base-line approved components against scanned components.
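The base-line-versus-scan comparison this slide describes, as an added example (not code from the presentation): it checks a constructed approved inventory against a constructed scan result and reports the exception types the next slide asks you to discuss (unauthorized hardware, unauthorized software, unauthorized changes to security parameters). The inventory fields, MAC addresses, host names and versions are assumptions made for the sample.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample data: the documented base-line of approved assets keyed by
# MAC address, and a host/network scan result in the same shape.
BASELINE = {
    "00:11:22:33:44:01": {"host": "fileserver1", "ip": "10.0.1.10",
                          "software": {"openssh": "5.5", "samba": "3.5"},
                          "params": {"firewall": "on", "patch_level": "2010-08"}},
    "00:11:22:33:44:02": {"host": "dmzweb1", "ip": "10.0.2.20",
                          "software": {"apache": "2.2"},
                          "params": {"firewall": "on", "patch_level": "2010-08"}},
    "00:11:22:33:44:03": {"host": "backupsrv", "ip": "10.0.1.30",
                          "software": {"bacula": "5.0"},
                          "params": {"firewall": "on", "patch_level": "2010-07"}},
}
SCAN = {
    "00:11:22:33:44:01": {"host": "fileserver1", "ip": "10.0.1.10",
                          "software": {"openssh": "5.5", "samba": "3.5", "bittorrent": "1.0"},
                          "params": {"firewall": "on", "patch_level": "2010-08"}},
    "00:11:22:33:44:02": {"host": "dmzweb1", "ip": "10.0.2.20",
                          "software": {"apache": "2.0"},
                          "params": {"firewall": "off", "patch_level": "2010-08"}},
    "00:11:22:33:44:99": {"host": "unknown-ap", "ip": "10.0.1.77",
                          "software": {}, "params": {}},
}


@dataclass(frozen=True)
class Finding:
    category: str   # the exception type the auditor will ask about
    asset: str      # host name from the base-line, or as seen by the scan
    detail: str


def compare(baseline, scan):
    """Return every exception between the approved base-line and the scan."""
    findings = []
    for mac, seen in scan.items():
        approved = baseline.get(mac)
        if approved is None:
            # Hardware on the network that was never approved.
            findings.append(Finding("unauthorized_hardware", seen["host"],
                                    f"{mac} at {seen['ip']} is not in the approved inventory"))
            continue
        host = approved["host"]
        for pkg, ver in seen["software"].items():
            if pkg not in approved["software"]:
                findings.append(Finding("unauthorized_software", host, f"{pkg} {ver} is not approved"))
            elif ver != approved["software"][pkg]:
                findings.append(Finding("software_version_drift", host,
                                        f"{pkg}: approved {approved['software'][pkg]}, found {ver}"))
        for key, expected in approved["params"].items():
            actual = seen["params"].get(key)
            if actual != expected:
                # An unapproved change to a security parameter (e.g. firewall, patch level).
                findings.append(Finding("parameter_drift", host,
                                        f"{key}: approved {expected}, found {actual}"))
    for mac, approved in baseline.items():
        if mac not in scan:
            # Approved asset that did not answer the scan: removed, moved, or down.
            findings.append(Finding("missing_hardware", approved["host"],
                                    f"{mac} ({approved['ip']}) was not seen by the scan"))
    return findings


def summarize(findings):
    """Count exceptions per category: the numbers you report to the auditor."""
    return dict(Counter(f.category for f in findings))
```

Run `compare(BASELINE, SCAN)` after each scan and keep the output with the base-line documentation; a scan that produces no findings is the evidence that the documented inventory matches reality.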


Page 17


• Review Incident Response program when integrity violations are discovered
  Discuss how major violations were detected or NOT
  • Unauthorized hardware
  • Unauthorized software applications / Lack of appropriate SW licenses
  • Unauthorized? Viruses, Malware, and Spam?
  • Unauthorized changes to security parameters and hardware configurations
  Discuss how violations notifications were handled or NOT

Page 18

Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence, e.g.
Computer Forensics – Activate / secure all audit logs
More frequent scanning to maintain updated documented base-line inventories of HW, SW, Network, and Security parameters (SW patches)
More frequent and aggressive independent patrolling (prevention and detection) of the perimeter (DMZ) and inside networks
A better-equipped and knowledgeable IS Security Dept.
Improved security training of institution personnel

Page 19


How do you Provide for the Availability of Hardware, Applications Software, System Software, and Network HW and SW

• Show / Discuss Business Impact Analysis
• Show / Discuss Critical IT Resources
  Functions,
  Personnel,
  HW, SW, Network,
  Space,
  Vendors

Page 20


Security Controls to Prevent the Unavailability

HW
• HW redundancy
• Off site recovery site with required and minimal HW
SW
• Backup of required software and data
Alternate routes to the outside
• Dual telecom providers for voice and data

Page 21


The famous Business Continuity Plan (BCP)

Have it!
• If you don’t have one, give me a call!
Test it! (at least annually)
Update it! (based on test results)

It should cover all critical functions of the institution


Page 22

Summary of Audit-Proof IS Security Controls

Provide a lot of documentation – the more, the better
Fix all previous audit issues
Review Confidentiality security controls
Review Integrity security controls
Review Availability security controls
Define CIA security controls as:
• Preventive controls
• Detective controls
• Corrective controls


Page 23


Thank You!

John R. Robles
Email: jrobles@coqui.net
Tel: 787-647-396
www.johnrrobles.com
