Communication Infrastructure Convergence & The need of IS Audit Compliance. Ninad M. Desai

Transcription

1 Communication Infrastructure Convergence & The need of IS Audit Compliance. Ninad M. Desai RCDD CISA CFOT Consulting Specialist Communication Cabling. Auditor Information Systems & Technology.

2 Convergence and compliance the way ahead. In today s interconnected and global operating environment, it seems nearly impossible to follow developments in technology or business without encountering the word Convergence. Enterprises around the world are moving decisively to converged networks. Nearly half of senior executives in a global survey say that convergence has been implemented in all or most of their business, nearly double the number recorded in the same 2005 survey. Companies however face tough challenges along the migration path, as network security issues emerge as the top convergence challenge

3 IT Strategic Objectives & Convergence, Where do we stand today. Source : Economist Intelligence Unit The vast majority of survey respondents 84% view convergence as critical or important to achieving their strategic IT and business goals, compared with 45% in the 2005 survey.

4 Convergence in cabling infrastructure Example 1. Convergence has led to a unified cabling infrastructure for data & voice thereby increasing the flexibility and in turn the security constraints.

5 Convergence in cabling infrastructure Example 2. Similarly due to the introduction of baluns and adapters its now possible to converge traditional CATV & CCTV systems on to the data communication infrastructure.

6 Infrastructure Convergence and IS audit compliance the road blocks. This convergence design approach brings together the various communication infrastructures to work closely on a unified and sometimes shared cabling platform possibly resulting in a security breach involving the IT systems, the conventional systems or both. Increasingly, as a means of reducing costs, increasing efficiencies or making better use of technology investments, organizations are integrating physical security devices for access control, monitoring and process control into the IT infrastructure. The differences in design, functionality, implementation, maintenance and management can present administration and security conflicts. Security conflicts arise from the integration of standalone systems in the organisations IT infrastructure without taking into account the changed implementaion scenario and context. Specific applications using the TCP/IP technology converged on to the network can pose a major threat to every organization s information assets without the proper monitoring tools in place.

7 Convergent Infrastructure and compliance The Questions asked. Network controls Whether the network is adequately managed and controlled, to protect from threats, and to maintain security for the systems and applications using the network, including the information in transit. Whether controls were implemented to ensure the security of the information in networks, and the protection of the connected services from threats, such as unauthorized access.

8 Convergent Infrastructure and compliance The Questions asked. Security of network services Whether security features, service levels and management requirements, of all network services, are identified and included in any network services agreement. Whether the ability of the network service provider, to manage agreed services in a secure way, is determined and regularly monitored, and the right to audit is agreed upon. Policy on use of network services Whether users are provided with access only to the services that they have been specifically authorized to use. Whether there exists a policy that does address concerns relating to networks and network services.

9 Convergent Infrastructure and compliance The Questions asked. Segregation in networks Whether groups of information services, users and information systems are segregated on networks. Whether the network (where business partner s and/ or third parties need access to information system) is segregated using perimeter security mechanisms such as firewalls. Whether consideration is made to segregation of wireless networks from internal and private networks. Network connection control Whether there exists an access control policy which states network connection control for shared networks, especially for those which extend across organization s boundaries.

10 Convergence Infrastructure & compliance Or Did I mean Non Compliance? Example 1 : An organisation having conventional CCTV network intended to convert the existing cameras to IP-based cameras, add cameras for better coverage and add an image server/database infrastructure. The intent was for this system to be added to the existing general service network, using the existing CAT-5 wiring. The department extended cabling to camera locations and placed client-side software on desktop systems so the cameras could be viewed from designated guard stations and certain desktop systems. Security Compliance Issues: The concerns that arose were related to the security of the image and information system. The image data transferred from the camera and stored on a video capture server were flowing over the general service network. Although the data were proprietary to the vendor, the system vendor s software was freely available from the web site of the software vendor that created it. The security methodology used to protect the server and data was weak.

11 Convergence Infrastructure & compliance Or Did I mean Non Compliance? Example 2 : The system was initially a digital CCTV monitoring systems in a financial institution. The concept is that connection across the company network would be infrequent and based on short periods of use. The office undergoes a maintenance cycle, which takes the local alarm systems offline. Management asked the central monitoring station to actively use the CCTV to remotely protect the site until the local alarms could be reconnected. As such, the throughput generated by constant surveillance of the office generated network impacts. The network staff, responding to what appears to be a negative impact to other customers of the network, shut down the connection to mitigate impacts to other users, thereby shutting down the surveillance. Compliance Issues: The site was unprotected for the duration of troubleshooting to determine the cause of the shutdown and what to do about it. The throughput of continuous connections was beyond the capacity of the available network bandwidth.

12 Specific areas to which security issues need to be addressed. Electronic access control devices. Closed circuit television (CCTV). Environmental system controls.

13 Access Control security issues. Access can be gained through the panel switch. From there, data can be downloaded or modified, granting unauthorized access to protected areas. Ideally each panel needs to be identified as a specific device to the system and authorized for certain activities. Operators can open doors, leaving no record of who entered, because they may not have to swipe a card and may not have to sign in. Access devices can store 4,000 entries that may not be encrypted are security concerns. The problem of enrollment on first read persists.

14 Closed circuit television (CCTV) security issues. Sophisticated video storage and archiving systems that create pressure on IT for storage and hence security of data. Vendors of control room equipment have no idea what ports on their systems are open or the implications for the potential of being attacked and compromised. Systems may not even provide an opportunity to close open ports that are not needed. Video DVR records what data have been accessed but not viewed one can see all information on the hard drive; there is no limitation on access. Access controls and audit information for physical access may not be established for video systems.

15 Environmental control security issues. Control systems in which individuals can control the temperature for their area potentially pose many risks. For example, can someone who is not authorized gain control and change environmental settings? These issues can have implications for areas in which environmental requirements are important.

16 Conclusions. Security risks to systems and devices designed to provide physical security and process control are growing because systems are increasingly being connected to organizations networks. Systems and devices are increasingly being deployed in a manner that exposes them to external and access from the Internet, some of which may be business-critical. Systems and devices on the network are becoming more sophisticated and diverse, making security increasingly difficult to control. Systems and devices are frequently deployed on the common network infrastructure but managed outside of the influence of information systems and security professionals.

17 Recommendations. Establish a governance framework for managing security-related risks convergent cabling network systems. in Understand the technology better & Analyze and understand security-related cost-benefit trade-offs. Critical systems converged on the organizations network need to be treated as critical and included in the business continuity plans. Expand the audit function to cover network integrated systems and devices.

18 Any Audit Remarks? Ninad M. Desai RCDD CISA CFOT