Date posted: 25-Dec-2015
Audit-Proof Information System Security Controls
Wednesday, August 18, 2010
John R. Robles
Email: [email protected]
Tel: 787-647-3961
Puerto Rico Chapter
For those of you who took the CISSP exam, an audit of your institution’s IS security controls is a real-life CISSP exam.
If you pass the CISSP exam, you can get certified.
If you pass the audit examination, you get to keep your job.
Audit-Proof IS Security Controls
So how can I pass an IS audit? And keep my job.
• 1st, Reduce your stress levels.
• 2nd, Prepare for your audit
  Have documentation of everything related to IS security controls.
  Be prepared to answer questions and provide information.
• 3rd, Argue with the auditor only if you know you are right and he/she is wrong. (Both conditions)
  (If you are certified (CISA, CISM, CISSP), and he/she is not, you might argue)
Reduce your stress levels
Most likely, it’s not your first audit experience
• If you are the CISO, then you have already been through an audit.
• Your audit results should get better with time.
• If there were recommendations on your last audit, make sure you have remedied the exceptions
• Try to improve your evaluation score
If it’s your 1st audit,
• And you are CISA, CISM, and/or CISSP, you know the theory. Review that theory, again.
• 1st timers, get an audit work program (FDIC, etc.)
Review and provide documentation of everything related to IS security controls
Institution’s organization chart
Security dept. organization chart
• Job descriptions
• Security training schedules
Security dept. long- and short-range plans
Policies and procedures
List of all hardware and location
List of all software and location
Documentation (Cont.)
List of vendors (hardware, software, security management services)
Network diagrams
List of authorized persons per application and system (Local and Remote)
• Identify root and admin users
IS Security configurations on PCs, servers, and networks
Business Continuity Plan
Lack of adequate documentation can impact the evaluation of your audit.
• It could cause auditors to look in more detail at your security controls and find more exceptions
Audit-proof security controls imply that all security controls are documented.
Audit-proof IS security controls are those that the auditor expects to review, analyze, and report on.
Try to visualize security controls as the auditor would, that is, as
• Preventive Security Controls
• Detective Security Controls
• Corrective Security Controls
Those controls should address the CIA (Confidentiality, Integrity, Availability) of the institution’s information
Be prepared to answer questions and provide information regarding how you maintain the Confidentiality of information
Review what confidential information is
• Show the categorization of information
  If you know what is confidential and sensitive information, then you know what is not confidential and sensitive
• Show Information System Risk Assessment and Risk Management program
How do you protect the confidentiality?
• Show / discuss policies related to Confidentiality and ACLs
• Show / discuss Access Control Lists (ACLs) by application
• Show / discuss Internet and remote access filtering via routers and firewalls
• Show / discuss procedures to provide, change, and delete from the ACLs
Confidentiality (Cont.)
Show / discuss security controls to detect the violation of confidentiality
• Wrong passwords limit and reset
• Password structure and duration
• Discuss logging of all access to all confidential information
• Discuss physical access restrictions and logs
• Discuss your router and firewall configurations
• Discuss the setup of the DMZ
• Discuss the security configuration of servers, PCs, routers, and firewalls
Detect Violation of Confidentiality (Cont.)
• Show / discuss how access controls are tested to ensure violations are prevented, detected / notified, and corrected
• Incident Response program - Review this key security control when violations are discovered and notified
  Discuss how major violations were detected or NOT
  Discuss how violation notifications were handled or NOT
  Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence
Be prepared to answer questions and provide information regarding how you maintain the Integrity of information.
• Show / discuss the key security control of Change Management to hardware, software, network, and security parameters
• Discuss Approval, Implementation, and Testing of changes
• Discuss actual changes to:
  ACLs
  Hardware, Application Software, and Operating Systems
  Network hardware and software
  Security settings on HW, SW, and Network
Discuss how Changes to HW, Application SW, Operating Systems, and Network are tested.
Discuss approved requisitions
Discuss Approved Tests of changes by User, IT personnel, and Security personnel
Discuss tests of approved updated security configurations
Update related documentation
• List of approved HW, SW, Network components
• Network diagram
Detect Violations of Integrity
• Show / discuss how Change Management controls are tested to ensure integrity violations are prevented, detected / notified, and corrected
  Discuss IP mapping software to detect unauthorized HW.
  Discuss prevention, detection, and removal of non-approved hardware (wired, wireless, PC-based, Server-based)
  Discuss Virus, Malware, and Spam prevention, detection, & removal
  Discuss the maintenance of Server, PC, and Network configuration documentation
  Discuss IPS (Intrusion Prevention) and IDS (Intrusion Detection) elements
• Look at previous security controls as Preventive, Detective, Corrective
• Use documented base-line inventories of HW, SW, Network, and Security parameters (SW patches)
• Perform HW, SW, Network scans to determine actual inventory of HW, SW, Network components, and security parameters.
• Compare documented base-line approved components against scanned components.
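The base-line comparison described in the steps above, and the detection of non-approved hardware on the previous slide, as an added example that is not part of the presentation: it assumes scan output has already been reduced to one record per host keyed by MAC address (a hypothetical shape), and all base-line and scan data below are constructed samples.

```python
# Added example (not from the presentation): diff a documented base-line of
# approved HW, SW, patches and security parameters against a scan result and
# report each deviation. Hosts are keyed by MAC; all records are constructed.
from dataclasses import dataclass


@dataclass
class Host:
    hostname: str
    software: frozenset   # installed packages / applications
    patches: frozenset    # applied patch identifiers
    security: dict        # security parameters, e.g. firewall state


# Constructed base-line: the approved, documented state of each host.
BASELINE = {
    "00:11:22:33:44:01": Host("fs01", frozenset({"samba", "sshd"}), frozenset({"KB-1", "KB-2"}),
                              {"ssh_root_login": "no", "firewall": "on"}),
    "00:11:22:33:44:02": Host("web01", frozenset({"httpd", "sshd"}), frozenset({"KB-1", "KB-2", "KB-3"}),
                              {"ssh_root_login": "no", "firewall": "on"}),
    "00:11:22:33:44:03": Host("db01", frozenset({"postgres"}), frozenset({"KB-1"}), {"firewall": "on"}),
}

# Constructed scan: fs01 has drifted, web01 matches, db01 did not answer,
# and an unknown wireless device has appeared on the network.
SCAN = {
    "00:11:22:33:44:01": Host("fs01", frozenset({"samba", "sshd", "torrentclient"}), frozenset({"KB-1"}),
                              {"ssh_root_login": "yes", "firewall": "on"}),
    "00:11:22:33:44:02": BASELINE["00:11:22:33:44:02"],
    "00:11:22:33:44:99": Host("unknown-ap", frozenset({"hostapd"}), frozenset(), {}),
}


def compare(baseline, scan):
    """Return sorted (category, mac, detail) findings for the auditor's report."""
    findings = []
    for mac, seen in scan.items():
        approved = baseline.get(mac)
        if approved is None:                       # hardware not in the base-line
            findings.append(("unauthorized_hardware", mac, seen.hostname))
            continue
        for sw in seen.software - approved.software:
            findings.append(("unauthorized_software", mac, sw))
        for patch in approved.patches - seen.patches:
            findings.append(("missing_patch", mac, patch))
        for key, expected in approved.security.items():
            actual = seen.security.get(key)
            if actual != expected:                 # security parameter drift
                findings.append(("security_drift", mac, f"{key}: expected {expected}, found {actual}"))
    for mac in baseline.keys() - scan.keys():      # approved host did not answer the scan
        findings.append(("missing_hardware", mac, baseline[mac].hostname))
    return sorted(findings)
```

Each finding maps to one audit exception category (unauthorized hardware or software, missing patch, security parameter drift, missing approved host), so the same report can be reused to show the auditor that exceptions were tracked to closure.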
• Review Incident Response program when integrity violations are discovered
  Discuss how major violations were detected or NOT
  • Unauthorized hardware
  • Unauthorized software applications / Lack of appropriate SW licenses
  • Unauthorized? Viruses, Malware, and Spam?
  • Unauthorized changes to security parameters and hardware configurations
  Discuss how violation notifications were handled or NOT
Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence, e.g.
• Computer Forensics – Activate / secure all audit logs
• More frequent scanning to maintain updated documented base-line inventories of HW, SW, Network, and Security parameters (SW patches)
• More frequent and aggressive independent patrolling (prevention and detection) of the perimeter (DMZ) and inside networks
• A better-equipped and knowledgeable IS Security Dept.
• Improved security training of institution personnel
How do you Provide for the Availability of Hardware, Applications Software, System Software, and Network HW and SW
• Show / Discuss Business Impact Analysis
• Show / Discuss Critical IT Resources
  Functions, Personnel, HW, SW, Network, Space, Vendors
Security Controls to Prevent the Unavailability
HW
• HW redundancy
• Off-site recovery site with required and minimal HW
SW
• Backup of required software and data
Alternate routes to the outside
• Dual telecom providers for voice and data
The famous Business Continuity Plan (BCP)
Have it!
• If you don’t have one, give me a call!
Test it! (at least annually)
Update it! (based on test results)
It should cover all critical functions of the institution
Summary of Audit-Proof IS Security Controls
Provide a lot of documentation – the more, the better
Fix all previous audit issues
Review Confidentiality security controls
Review Integrity security controls
Review Availability security controls
Define CIA security controls as:
• Preventive controls
• Detective controls
• Corrective controls
Thank You!
John R. Robles
Email: [email protected]
Tel: 787-647-396
www.johnrrobles.com