Auditing in the New Millennium:


Information Technology Controls and Network Vulnerability Assessments
Ernie Barany, CPA, CPT, CEH, Principal Auditor
Dan Altobelli, CPA, CISA, CEH, Principal Auditor

When you think of IT auditing, is this what you think of?

Why you have to know some IT:
- Most controls are handled by the application
- Everyone has a web application now
- Why steal, when you can get the computer to do it for you?
- Information is one of the most valuable assets
- Those pesky auditing standards

Overview
1. The OSA IT Controls Framework
2. What the heck is a network vulnerability assessment (NVA)?
3. The purpose of information security
4. Scope and objectives of an NVA
5. Criteria/benchmarks
6. Audit procedures and testing
7. Reporting the results
8. Audit findings

OSA IT Controls Framework
- Network Security Controls
  - Perimeter Security
  - Internal Network Operations
- General Controls
  - Logical Access: Authentication (if pass-through)
  - Security Management
  - Change Management
  - Contingency Planning
  - Physical Security
- Application Controls
  - Logical Access: Authorization and Authentication (if authentication is application specific)
  - Business Process Controls (Manual and/or Automated)

Integrated Audit Approach (notes on the framework diagram)
- Documenting of the business processes and controls the organization uses.
- Used to help in determining risk areas.
- Testing of controls focused only on the business processes in the audit scope.
- Includes manual and automated controls and their interaction.
- General controls audit work is limited by the scope of the audit:
  - Agency vs OIT
  - Third-party vendors
- Authorization is limited to controls that appear in the business process being audited.
- No OS or network.

Application Audit (notes on the framework diagram)
- ALL business processes are in the scope of the audit.
- Testing of system controls will include point-in-time as well as past transactions.
- Often will utilize a test environment.
- Focuses on the automated controls: is the application operating as intended?
- All general controls are covered, unless previously audited.
- Does not matter who is responsible for the control.
- Authorization is a complete review of all users and their access.
- May touch on server configuration and some network as they relate to the application and its data.

Network Vulnerability Assessment (notes on the framework diagram)
- Focus is on network security controls.
- General controls are selected based on preliminary work for impact on the network; not all general controls are included.
- Logical access = network logon, and falls in the Internal Operations area.

What is a Vulnerability Assessment?
The process of identifying and quantifying vulnerabilities in a system. The system being studied could be a physical facility like a nuclear power plant, a computer system, or a larger system (for example, the communications infrastructure or water infrastructure of a region). Our focus is on computer networks, though infrastructure and facilities do come into play.

Vulnerability Assessment vs. Penetration Test: list-oriented (NVA) vs. goal-oriented (PT)
- A Network Vulnerability Assessment is designed to yield a prioritized list of vulnerabilities
  - For an organization that is not sure where it stands
  - Verify results and report; may not exploit
  - Prioritize vulnerabilities by risk and provide remediation
- A Penetration Test has the goal of breaching security
  - For an organization comfortable with its security posture
  - Report every instance where security was breached
  - May not identify and exploit all weaknesses

The Purpose of Information Security
It's all about loss: reputation, financial assets, citizen goodwill, operations uptime, computing resources, personnel productivity, intellectual property, liability protection.
- Loss of Personally Identifiable Information (PII) of citizens would open the state to liability for lawsuits and expose it to excessive costs.
- Loss of Confidential Information (CI) of state operations could expose any number of risks.
Public entities are charged with protecting their information assets from unauthorized disclosure, modification, or loss. To this end, state entities spend taxpayer dollars on information technology security infrastructure, personnel, training, etc. Our reviews assess the effectiveness and efficiency of that infrastructure in achieving its goals.

NVA Scope: possible scope items
- All entity information technology resources and other resources that the entity has stewardship over, both on the perimeter and internal.
- IT strategic planning and other aspects of Security Management, like policies and procedures.
- The change control process of the entity, focused on network configuration changes.
- Business Continuity/Disaster Recovery plans in place in the event of processing disruptions.
- Physical security in place to protect the entity's IT infrastructure.

Audit Objectives
Overall: to determine the adequacy of security controls over the entity's computer network by:
1. Evaluating the security planning and management process of the entity.
2. Determining the risk of unauthorized logical access to devices on the network.
3. Evaluating the adequacy of the entity's business continuity plan to ensure continued operations.
4. Verifying that changes to the network and its devices are properly implemented and documented.
5. Evaluating the adequacy of physical security controls that protect network devices.

Criteria and Benchmarks
- There is no one agreed-upon standard for performing NVAs; this makes criteria the hardest part of the evaluation.
- We have developed a standard which is a combination of OSSTMM, PTES, FISCAM, COBIT, Yellow Book standards, etc. (ABCDEFGHIJKLM..)
- Private companies performing these services do not have the audit documentation requirements that we do.

Criteria and Benchmarks: OSA process to determine criteria for an NVA
- Does the entity follow a standard?
  - Y: Is it a credible/adequate standard?
    - Y: Measure performance vs their standard; report deficiencies in performance.
    - N: Report deficiencies in standard.
  - N: Document policies and practices in place. Do their policies and practices satisfy industry standards?
    - Y: Measure performance vs industry standards; report deficiencies in performance.
    - N: Report deficiencies in policies.

Audit Procedures and Testing
1. Preliminary Work
2. Survey Work
3. Risk Assessment
4. Audit Testing and Discussion with IT Management
5. Conclusion
6. Finding Development

Audit Procedures: Approach
- We're from the government, and we're here to help.
- Have continued communication with the auditee during testing.
- High-level issues are brought to management's attention immediately for remediation.
- Review with the auditee prior to finalizing the work to see the status of remediation efforts.

Reporting the Results
Public Report
- Summarizes sensitive findings in less detail than will be reported in the Management Letter.
- Detailed findings in non-sensitive areas.
- Auditee response in the sensitive areas is also generalized (detailed remediation is provided separately).
Management Letter
- Not a public document due to the sensitive nature of the contents (vulnerability detail).
- Used internally by IT management.
- Because the management letter items are included in summary in the report, they are included in follow-up compliance.

Audit Findings: Most Common Audit Findings
- Unnecessary ports and services
- Unpatched or obsolete software or hardware
- Improperly configured devices
- Insecure coding
- Secure Socket Layer (SSL) issues
- Information disclosure
- Insecure wireless networks
- Network ID maintenance issues
- Outdated, untested, or missing disaster recovery documentation
- Inadequate policies and procedures
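As an added example (not from the presentation or the OSA), the following Python script shows how the NVA output described on the Vulnerability Assessment vs. Penetration Test slide, a prioritized list of vulnerabilities with remediation, can be produced from scan results for four of the common finding categories above: unnecessary ports and services, unpatched or obsolete software, SSL issues, and information disclosure. The host inventory, approved-port baseline, minimum versions, severity weights and reference date are all constructed sample data, and the doubled risk weight for perimeter hosts is an assumption reflecting the framework's perimeter/internal split, not a rule stated on the slides.

```python
"""Prioritise network-vulnerability-assessment findings by risk.

Added example, not part of the original presentation. It takes a constructed
inventory of hosts in the style an NVA scan would produce and emits the
prioritised list of findings, with remediation, that the slides describe.
All host names, ports, versions and thresholds below are constructed sample
data, not values from the presentation.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Constructed baseline: services agreed with the auditee as necessary per host role.
APPROVED_PORTS = {"web": {80, 443}, "mail": {25, 587, 993}, "workstation": set()}

# Constructed minimum acceptable versions (stand-ins for a real patch baseline).
MIN_VERSION = {"httpd": (2, 4, 50), "openssh": (8, 0, 0)}

LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
TODAY = date(2016, 1, 1)  # constructed reference date for certificate checks


@dataclass
class Service:
    port: int
    name: str
    version: tuple = ()            # () when the scan could not determine it
    banner: str = ""
    tls_version: str = ""          # e.g. "TLSv1.0"; "" for plaintext services
    cert_expires: Optional[date] = None
    cert_self_signed: bool = False


@dataclass
class Host:
    name: str
    role: str
    perimeter: bool                # exposed on the perimeter or internal only
    services: list = field(default_factory=list)


@dataclass
class Finding:
    host: str
    category: str
    severity: str
    detail: str
    remediation: str

    def risk_score(self, perimeter: bool) -> int:
        # Assumption: perimeter exposure doubles the weight, mirroring the
        # framework's split between perimeter and internal network controls.
        return SEVERITY[self.severity] * (2 if perimeter else 1)


def assess_host(host: Host) -> list:
    """Apply the common-finding checks from the slides to one host."""
    findings = []
    approved = APPROVED_PORTS.get(host.role, set())
    for svc in host.services:
        if svc.port not in approved:
            findings.append(Finding(host.name, "Unnecessary ports and services", "medium",
                f"port {svc.port}/{svc.name} is not in the approved baseline for role '{host.role}'",
                "Disable the service or restrict it with host/network firewall rules"))
        minimum = MIN_VERSION.get(svc.name)
        if minimum and svc.version and svc.version < minimum:
            findings.append(Finding(host.name, "Unpatched or obsolete software", "high",
                f"{svc.name} {'.'.join(map(str, svc.version))} is below minimum {'.'.join(map(str, minimum))}",
                "Apply vendor patches or upgrade to a supported release"))
        if svc.tls_version in LEGACY_TLS:
            findings.append(Finding(host.name, "SSL issues", "high",
                f"port {svc.port} negotiates {svc.tls_version}",
                "Disable legacy protocol versions; require TLS 1.2 or later"))
        if svc.cert_expires and svc.cert_expires < TODAY:
            findings.append(Finding(host.name, "SSL issues", "medium",
                f"certificate on port {svc.port} expired {svc.cert_expires.isoformat()}",
                "Renew the certificate and track expiry in the change process"))
        if svc.cert_self_signed:
            findings.append(Finding(host.name, "SSL issues", "low",
                f"self-signed certificate on port {svc.port}",
                "Issue the certificate from an internal or public CA"))
        if svc.banner and svc.version and ".".join(map(str, svc.version)) in svc.banner:
            findings.append(Finding(host.name, "Information disclosure", "low",
                f"banner on port {svc.port} reveals the version: {svc.banner!r}",
                "Suppress version strings in service banners"))
    return findings


def prioritised_findings(hosts: list) -> list:
    """Return (risk score, finding) pairs, highest risk first."""
    scored = [(f.risk_score(h.perimeter), f) for h in hosts for f in assess_host(h)]
    scored.sort(key=lambda pair: (-pair[0], pair[1].host, pair[1].category))
    return scored


# Constructed sample inventory, as an NVA scan might report it.
SAMPLE_HOSTS = [
    Host("www-1", "web", perimeter=True, services=[
        Service(443, "httpd", (2, 4, 12), banner="Apache/2.4.12",
                tls_version="TLSv1.0", cert_expires=date(2015, 6, 30)),
        Service(22, "openssh", (7, 9, 0)),
    ]),
    Host("ws-42", "workstation", perimeter=False, services=[Service(445, "smb")]),
]

if __name__ == "__main__":
    for score, f in prioritised_findings(SAMPLE_HOSTS):
        print(f"[{score}] {f.host}: {f.category}: {f.detail}")
        print(f"      remediation: {f.remediation}")
```

Run as a script, it prints the seven findings for the two sample hosts from highest to lowest risk; the perimeter web server's legacy TLS and out-of-date software come first, and the internal workstation's unnecessary SMB listener lands near the bottom. The checks are deliberately simple threshold comparisons so that an auditor can swap in the entity's own baseline and the criteria chosen through the process on the Criteria and Benchmarks slide.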

Questions