Puerto Rico Chapter
Audit-Proof Information System Security Controls
Wednesday, August 18, 2010
John R. Robles
Email: [email protected]
Tel: 787-647-3961

Audit-Proof IS Security Controls
For those of you who took the CISSP exam, an audit of your institution's IS security controls is a real-life CISSP exam. If you pass the CISSP exam, you can get certified. If you pass the audit examination, you get to keep your job.

So how can I pass an IS audit (and keep my job)?
• 1st, reduce your stress levels.
• 2nd, prepare for your audit:
  • Have documentation of everything related to IS security controls.
  • Be prepared to answer questions and provide information.
• 3rd, argue with the auditor only if you know you are right and he/she is wrong (both conditions). If you are certified (CISA, CISM, CISSP) and he/she is not, you might argue.

Reduce your stress levels
Most likely, it's not your first audit experience:
• If you are the CISO, then you have already been through an audit.
• Your audit results should get better with time.
• If there were recommendations on your last audit, make sure you have remedied the exceptions.
• Try to improve your evaluation score.
If it's your 1st audit:
• And you are CISA, CISM, and/or CISSP, you know the theory. Review that theory, again.
• 1st timers, get an audit work program (FDIC, etc.).

Review and provide documentation of everything related to IS security controls
• Institution's organization chart
• Security dept. organization chart
  • Job descriptions
  • Security training schedules
• Security dept. long- and short-range plans
• Policies and procedures
• List of all hardware and location
• List of all software and location

Documentation (Cont.)
• List of vendors (hardware, software, security management services)
• Network diagrams
• List of authorized persons per application and system (local and remote)
  • Identify root and admin users
• IS security configurations on PCs, servers, and networks
• Business Continuity Plan

Lack of adequate documentation can impact the evaluation of your audit. It could cause auditors to look in more detail at your security controls and find more exceptions.
Audit-proof security controls implies that all security controls are documented. Audit-proof IS security controls are those that the auditor expects to review, analyze, and report on.

Try to visualize security controls as the auditor would, that is, as:
• Preventive security controls
• Detective security controls
• Corrective security controls
Those controls should address the CIA (Confidentiality, Integrity, Availability) of the institution's information.

Confidentiality
Be prepared to answer questions and provide information regarding how you maintain the confidentiality of information.
• Review what is confidential information.
  • Show the categorization of information. If you know what is confidential and sensitive information, then you know what is not confidential and sensitive.
  • Show the Information System Risk Assessment and Risk Management program.
• How do you protect confidentiality?
  • Show / discuss policies related to confidentiality and ACLs
  • Show / discuss Access Control Lists (ACLs) by application
  • Show / discuss Internet and remote access filtering via routers and firewalls
  • Show / discuss procedures to add to, change, and delete from the ACLs

Confidentiality (Cont.)
Show / discuss the security controls that detect violations of confidentiality:
• Limit on wrong password attempts, and password reset
• Password structure and duration
• Logging of all access to all confidential information
• Physical access restrictions and logs
• Your router and firewall configurations
• The setup of the DMZ
• The security configuration of servers, PCs, routers, and firewalls

Detect Violation of Confidentiality (Cont.)
• Show / discuss how access controls are tested to ensure violations are prevented, detected / notified, and corrected.
• Incident Response program: review this key security control when violations are discovered and notified.
  • Discuss how major violations were detected, or NOT.
  • Discuss how violation notifications were handled, or NOT.
  • Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence.

Integrity
Be prepared to answer questions and provide information regarding how you maintain the integrity of information.
• Show / discuss the key security control of Change Management for hardware, software, network, and security parameters.
• Discuss approval, implementation, and testing of changes.
• Discuss actual changes to:
  • ACLs
  • Hardware, application software, and operating systems
  • Network hardware and software
  • Security settings on HW, SW, and network

Discuss how changes to HW, application SW, operating systems, and network are tested:
• Discuss approved requisitions
• Discuss approved tests of changes by user, IT personnel, and security personnel
• Discuss tests of approved updated security configurations
• Update related documentation:
  • List of approved HW, SW, and network components
  • Network diagram

Detect Violations of Integrity
• Show / discuss how Change Management controls are tested to ensure integrity violations are prevented, detected / notified, and corrected.
  • Discuss IP mapping software to detect unauthorized HW.
  • Discuss prevention, detection, and removal of non-approved hardware (wired, wireless, PC-based, server-based).
  • Discuss virus, malware, and spam prevention, detection, and removal.
  • Discuss the maintenance of server, PC, and network configuration documentation.
  • Discuss IPS (Intrusion Prevention) and IDS (Intrusion Detection) elements.
• Look at the previous security controls as preventive, detective, and corrective.
• Use documented baseline inventories of HW, SW, network, and security parameters (SW patches).
• Perform HW, SW, and network scans to determine the actual inventory of HW, SW, network components, and security parameters.
• Compare the documented baseline of approved components against the scanned components.
• Review the Incident Response program when integrity violations are discovered.
  • Discuss how major violations were detected, or NOT:
    • Unauthorized hardware
    • Unauthorized software applications / lack of appropriate SW licenses
    • Unauthorized? Viruses, malware, and spam?
    • Unauthorized changes to security parameters and hardware configurations
  • Discuss how violation notifications were handled, or NOT.
  • Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence, e.g.:
    • Computer forensics – activate / secure all audit logs
    • More frequent scanning to maintain updated documented baseline inventories of HW, SW, network, and security parameters (SW patches)
    • More frequent and aggressive independent patrolling (prevention and detection) of the perimeter (DMZ) and inside networks
    • A better-equipped and more knowledgeable IS Security Dept.
    • Improved security training of institution personnel

Availability
How do you provide for the availability of hardware, application software, system software, and network HW and SW?
• Show / discuss the Business Impact Analysis
• Show / discuss critical IT resources: functions, personnel, HW, SW, network, space, vendors

Security controls to prevent unavailability
• HW
  • HW redundancy
  • Off-site recovery site with the required, minimal HW
• SW
  • Backup of required software and data
• Alternate routes to the outside
  • Dual telecom providers for voice and data

The famous Business Continuity Plan (BCP)
• Have it! (If you don't have one, give me a call!)
• Test it! (at least annually)
• Update it! (based on test results)
• It should cover all critical functions of the institution.

Summary of Audit-Proof IS Security Controls
• Provide a lot of documentation – the more, the better
• Fix all previous audit issues
• Review confidentiality security controls
• Review integrity security controls
• Review availability security controls
• Define CIA security controls as:
  • Preventive controls
  • Detective controls
  • Corrective controls

Thank You!
www.johnrrobles.com
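The baseline-versus-scan comparison described under Detect Violations of Integrity, as an added example that is not part of the presentation: BASELINE and SCAN are constructed sample data standing in for the institution's approved inventory and the output of an IP-mapping / software scan, and the finding categories are the ones the slides list.

```python
# Added example, not from the presentation: compare a documented baseline
# inventory against a scan of what is actually on the network. BASELINE and
# SCAN are constructed sample data standing in for the institution's approved
# component list and the output of an IP-mapping / software scan.

BASELINE = {  # approved hosts: MAC, approved software, approved security parameters
    "10.0.1.10": {"mac": "00:11:22:33:44:10", "software": {"sshd", "postgres"},
                  "params": {"patch_level": "2010-07", "firewall": "on"}},
    "10.0.1.11": {"mac": "00:11:22:33:44:11", "software": {"httpd"},
                  "params": {"patch_level": "2010-07", "firewall": "on"}},
}

SCAN = {  # what the scan found, same shape as the baseline
    "10.0.1.10": {"mac": "00:11:22:33:44:10", "software": {"sshd", "postgres"},
                  "params": {"patch_level": "2010-07", "firewall": "on"}},
    "10.0.1.11": {"mac": "00:11:22:33:44:11", "software": {"httpd", "telnetd"},
                  "params": {"patch_level": "2010-05", "firewall": "off"}},
    "10.0.1.99": {"mac": "de:ad:be:ef:00:99", "software": {"sshd"},
                  "params": {"patch_level": "unknown", "firewall": "off"}},
}


def compare_inventory(baseline, scan):
    """Return (category, host, detail) findings for the integrity violations
    the slide lists: unauthorized hardware, unauthorized software, changed
    security parameters, plus approved hosts that did not answer the scan."""
    findings = []
    for ip, seen in scan.items():
        approved = baseline.get(ip)
        if approved is None or approved["mac"] != seen["mac"]:
            # unknown address, or a known address answered by a different device
            findings.append(("unauthorized_hardware", ip, seen["mac"]))
            continue  # nothing else reported by this host is trusted
        for pkg in sorted(seen["software"] - approved["software"]):
            findings.append(("unauthorized_software", ip, pkg))
        for key, value in sorted(seen["params"].items()):
            if approved["params"].get(key) != value:
                findings.append(("changed_parameter", ip, f"{key}={value}"))
    for ip in sorted(set(baseline) - set(scan)):
        findings.append(("missing_approved_host", ip, baseline[ip]["mac"]))
    return findings


if __name__ == "__main__":
    for category, host, detail in compare_inventory(BASELINE, SCAN):
        print(f"{category:24} {host:12} {detail}")
```

Each finding maps to an evidence item the auditor will ask about: the unauthorized host and software go to the incident response record, the changed parameters to the change management approvals they should have had.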