CUSTOMER Information Security Audit Report




CUSTOMER Information Security Audit Report
Version 1.0
Date: Wednesday, 18 January 2006

SafeComs
Internet: www.safecoms.com
Email: mailto:info@safecoms.com
2001 Chartered Square Building, 20th Fl, 152 North Sathorn Rd, Bangrak, Bangkok 10500, Thailand
Telephone: +66(02) 634 5465
Fax: +66(02) 634 5467

Acknowledgments

Authors / Reviewers / Publisher:
Yannick Thevenot, CTO, SafeComs
Jared Dandridge, COO, SafeComs
Bernard Collin, CEO, SafeComs
SafeComs, 2001 Chartered Square Building, Bangkok

Copyright 2006 SafeComs. All rights reserved.

This document is produced for the exclusive usage of the customer and should not be disclosed to unauthorised viewers. The distribution of this document is limited to the Management of the Customer, the staff involved in evaluating the recommendations and the staff implementing them. Distribution outside of this group is not authorised.

Page 2 of 12

Table of Contents

EXECUTIVE SUMMARY 4
CUSTOMER'S CORE ASSETS AND RISKS 4
MANAGEMENT ATTITUDE, KNOWLEDGE AND AWARENESS 4
SUMMARY OF PRIMARY SECURITY THREATS 4
COMPILED RECOMMENDATIONS 8
SCOPE 10
METHODOLOGY 10
RISK SCORE CALCULATIONS 10
NOTE ON SAFECOMS APPROACH 11
CURRENT STATE 12
FINDINGS, RISKS, AND RECOMMENDATIONS 12
1. SECURITY POLICY 13
2. ORGANIZATION OF INFORMATION SECURITY 14
3. ASSET MANAGEMENT 16
4. HUMAN RESOURCES SECURITY 18
5. PHYSICAL AND ENVIRONMENTAL SECURITY 23
6. COMMUNICATIONS AND OPERATIONS MANAGEMENT 26
7. ACCESS CONTROL 36
8. INFORMATION SYSTEMS ACQUISITION, DEVELOPMENT AND MAINTENANCE 45
9. INFORMATION SECURITY INCIDENT MANAGEMENT 47
10. BUSINESS CONTINUITY MANAGEMENT 49
11. COMPLIANCE 51

Executive Summary

CUSTOMER's Core Assets and Risks

CUSTOMER's business depends heavily on reputation and credibility in the industry. Products from clients are valuable, and must be handled appropriately. Risks include:
<Risk 1>
<Risk 2>

The core production application system is the nervous system of the entire CUSTOMER operations. Core activities include <omitted>. Risks include:
<Risk 1>
<Risk 2>
<Risk 3>

People, the processes they perform, and the expertise they acquire are critical to CUSTOMER (communication, project controls, delivery, etc.). Risks include:
<Risk 1>
<Risk 2>

Management Attitude, Knowledge and Awareness

COMPANY Directors have expressed firm commitment to implementing security in the organization. There are solid intentions to secure the business and its operations, and this commitment has served the company well. <omitted>

During the business and operations analysis, there was a complacent feeling from some management and staff that we interviewed about the security risks and liabilities at CUSTOMER. There is a mixed understanding of security and of security policies and procedures amongst the staff and management at CUSTOMER. The organization would certainly benefit from a session or workshop on security awareness. Managers need to review security risks in relation to their division and responsibilities.

Summary of primary security threats

A summary of the primary security threats, along with their risk scores (1 low to 45 high*), is outlined in the chart on the following page.
(*) The calculations used to rate these threats are explained in Risk Score Calculations.

Score / Risk Level / Issue

18 - Medium - Prior to Employment
Employees are not formally notified of their role in information security, nor are they made aware of the potential penalties for not conforming to company standards. This becomes a liability to the company if any security incidents occur.

18 - Medium - Operational Procedures and Responsibilities
Without a list of standard software for PCs and servers, both staff and IT personnel do not have a clear understanding of what are considered acceptable applications, and confusion and misunderstanding will follow. Because of the weak control on patching and change management, security vulnerabilities and unexpected results from applications could occur without the control or knowledge of IT.

18 - Medium - Backup
Inconsistent procedures for backups could lead to corrupted data, lost tapes, or the inability to restore lost data. It is not known whether email can be restored, as it has never been tested. For other files, only test files are restored, and no trial of production data is attempted.

18 - Medium - Business Requirements for Access Control
The lack of an access control policy leaves room for error by both users and IT staff. As there are no guidelines, changes to staffing or systems could result in a security breach. This is already apparent in how too many file servers are being established. This issue also compounds other factors such as server licenses (cost), patching issues (server management), and configuration and access issues (user management).

<omitted>

36 - High - Information Security Policy & Awareness Program
As many staff are unaware of the wide range of potential security issues, various breaches in security could occur, and go unnoticed or unreported. The potential level of damage to the company could be severe (e.g. loss of revenue, customers, or reputation).

36 - High - Internal Organization of Information Security
A false sense of security with no direction or substance will continue until a major security event occurs, or active steps are taken to implement security awareness in the organization. The security coordinator has not had any formal security training, and currently she has only limited knowledge of all the areas that her position is responsible for.

45 - High - Reporting Information Security Events and Weaknesses
If employees are not properly trained, security incidents could go unreported and/or unnoticed, causing increased risk for the company. For example, passwords written on paper next to a monitor, confidential documents left in a copier, or other blatant security breaches are items that should be reported to the security coordinator.

Compiled Recommendations

A. Protect Core Systems and Critical Data from Potential Hackers
Objective: Prevent unauthorized access and defend against possible data manipulation or loss. Due to mis-configuration of the firewall, gateway antivirus, and missing patches, there is a logical path for intruders to access core systems and critical data. We believe this requires utmost attention.
Action:
- Review all policies and appropriately reconfigure the firewall
- Reconfigure the virus gateway scanner
- Reconfigure the spam filter
- Ensure all servers have all appropriate patches applied
- Remove any unnecessary / unused shares
Requirement: Immediate

<omitted>

D. Gain Control of Data & Defend Against Possible Disasters
Objective: Guarantee that any incident could be recovered from, including virus, fire, and accidents on manipulation of server, disks or data, programs, or HD crash. Ensure that information is appropriately controlled, handled, and secured, by classifying and organizing information in a structured manner.
Action:
- Implement a business continuity plan (Step A, Step B, Step C)
- Development of a policy for information classification (Step A, Step B, Step C)
- Control of effective backup and restore operations (Step A, Step B, Step C)
- Encryption should be applied to the backup of sensitive data
- Use of a vault for temporary storage before transfer off site
- Install an appropriate computer room fire suppression system
Requirement: Immediate

Scope

CUSTOMER required that SafeComs perform an audit of their IT infrastructure. The audit must cover all aspects of the IT function at CUSTOMER, including:
- IT policy and procedure
- Business continuity of the IT function
- Physical security around IT assets
- Host-based security on IT assets
Results of the audit should provide CUSTOMER with an understanding of their information security positioning, as well as providing recommendations on how to improve areas that have been identified as being high security risks to CUSTOMER.

Methodology

SafeComs conducted its audit in conformity with ISO-17799, Information Technology: Code of practice for information security management. The basis for this is that the ISO-17799 standard provides a common basis for developing organizational security standards and effective security management practice, as well as providing confidence in inter-organizational dealings. The audit consisted of an interview of the Management Team and some key staff. We also observed the IT practice and reviewed appropriate documentation when available. Selected workstations and servers were analyzed, and system software and anti-virus signatures were checked. A full vulnerability scan was conducted on all servers (both public and private) in use at CUSTOMER. Reports are attached. Various recommendations in policies and procedures, including hardening recommendations, will be issued to improve the overall security at CUSTOMER.

Risk Score Calculations:

In this document, you will see ratings indicating the risk level of our findings. There are two variables used to determine risk, which are Business Impact and Level of Control.

Business Impact: How bad could it be?
The first box of rankings is an indication of benchmarks, industry standards, and the level of importance placed on this item, as identified during interviews with your staff. To calculate the Business Impact of a given risk, the two scores for the Potential Impact and the Probability of Occurrence are multiplied together:

Potential Impact (the level of impact to the business of a security breach):
3 High
2 Medium
1 Low

Probability of Occurrence (the likelihood that a security breach might occur):
3 High
2 Medium
1 Low

Business Impact (the overall assessment of how impacting this item could be):
By multiplying the above items, we get the result of the Business Impact (Potential Impact x Probability of Occurrence = Business Impact):
7 ~ 9 High
3 ~ 6 Medium
1 ~ 2 Low

Level of Control: How much are you doing to prevent it?
Based on the findings from the audit, a score is assigned to identify what the business is doing to address and prevent security breaches from this item. The amount of controls or measures in place to mitigate the security breach is ranked as:
5 Nothing Being Done
4 No Controls
3 Weak Controls
2 Not Consistent
1 High Control

Risk Score (*): What is your overall rating for this item?
By combining the potential business impact with the company's level of control for that item, we can identify the risk for that item. Therefore: Business Impact x Level of Control = Risk Score. The Risk Score is divided into three possible categories, as follows:
31 ~ 45 High Risk
16 ~ 30 Medium Risk
1 ~ 15 Low Risk

For each finding above, the following table is used to represent the Risk Score of that item:

Indicator          Score                 Low Risk ............... High Risk
Business Impact    PI x PO = BI (Level)  1  2  3  4  5  6  7  8  9
Level of Control   LC (Level)            1  2  3  4  5
Risk Score         RS (Level)            1~15   16~30   31~45

(*) To be issued a certificate of compliance, the company must rate only in the Low Risk category.

Note on SafeComs approach:
IT security is not an absolute; that is to say that no organisation can be completely secure. Further measures can always be taken to improve the security of an organisation, and to minimise the risk to that organisation of an IT security breach. However, not all security measures represent a good investment of IT resources. IT security is therefore a risk management process, which aims to reach a delicate balance between required functionality, security and cost. The SafeComs approach to conducting IT security audits is based on this philosophy.
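A worked implementation of the scoring scheme above, added here as an example and not part of the SafeComs report: it encodes the three scales and the two band tables exactly as stated, recomputes the scorecards of the three findings reproduced later in this report (36 High, 18 Medium, 36 High), applies the certificate rule, and adds an inverse lookup that lists which rating combinations can produce a given summary score. The inverse lookup and the `Finding` class are my own additions for illustration, not tooling the report describes.

```python
"""Risk scoring per the report's "Risk Score Calculations" section.

Formulas as stated in the report:
  Business Impact = Potential Impact x Probability of Occurrence
  Risk Score      = Business Impact x Level of Control
Added example code; not SafeComs' own tooling.
"""
from dataclasses import dataclass

# Scales exactly as defined in the report.
POTENTIAL_IMPACT = {"High": 3, "Medium": 2, "Low": 1}
PROBABILITY = {"High": 3, "Medium": 2, "Low": 1}
LEVEL_OF_CONTROL = {
    "Nothing Being Done": 5,
    "No Controls": 4,
    "Weak Controls": 3,
    "Not Consistent": 2,
    "High Control": 1,
}

# Bands as (lower, upper, label). Business Impact can only take the values
# 1, 2, 3, 4, 6 and 9, so the 7~9 band in practice means 9.
BUSINESS_IMPACT_BANDS = [(7, 9, "High"), (3, 6, "Medium"), (1, 2, "Low")]
RISK_SCORE_BANDS = [(31, 45, "High"), (16, 30, "Medium"), (1, 15, "Low")]


def band(value: int, bands) -> str:
    """Map a numeric score onto the report's band label."""
    for lo, hi, label in bands:
        if lo <= value <= hi:
            return label
    raise ValueError(f"{value} is outside every band")


@dataclass
class Finding:
    """One audited item with its three ratings (class is an added helper)."""
    item: str
    potential_impact: str
    probability: str
    level_of_control: str

    def business_impact(self) -> int:
        return POTENTIAL_IMPACT[self.potential_impact] * PROBABILITY[self.probability]

    def risk_score(self) -> int:
        return self.business_impact() * LEVEL_OF_CONTROL[self.level_of_control]

    def risk_level(self) -> str:
        return band(self.risk_score(), RISK_SCORE_BANDS)

    def scorecard(self) -> str:
        """Render the per-finding Indicator / Score card used in the report."""
        bi, rs = self.business_impact(), self.risk_score()
        return "\n".join([
            self.item,
            f"  Potential Impact           {self.potential_impact} ({POTENTIAL_IMPACT[self.potential_impact]})",
            f"  Probability of Occurrence  {self.probability} ({PROBABILITY[self.probability]})",
            f"  Business Impact            {band(bi, BUSINESS_IMPACT_BANDS)} ({bi})",
            f"  Level of Control           {self.level_of_control} ({LEVEL_OF_CONTROL[self.level_of_control]})",
            f"  Risk Score                 {rs} - {self.risk_level()}",
        ])


def eligible_for_certificate(findings) -> bool:
    """The report's rule: every item must rate Low Risk."""
    return all(f.risk_level() == "Low" for f in findings)


def combinations_for(score: int):
    """Inverse lookup (added): all (PI, PO, LC) rating triples yielding this
    Risk Score. Useful when a summary table gives only the score, e.g. 18 or 45."""
    return [
        (pi, po, lc)
        for pi in POTENTIAL_IMPACT
        for po in PROBABILITY
        for lc in LEVEL_OF_CONTROL
        if Finding("", pi, po, lc).risk_score() == score
    ]


# The three findings reproduced in the report, with the ratings it shows.
REPORT_FINDINGS = [
    Finding("1. Security Policy / Information Security Policy", "High", "High", "No Controls"),
    Finding("5. Physical and Environmental Security / Secure Areas", "High", "Medium", "Weak Controls"),
    Finding("7. Access Control / Network Access Control", "High", "High", "No Controls"),
]

if __name__ == "__main__":
    for f in REPORT_FINDINGS:
        print(f.scorecard(), end="\n\n")
    print("Certificate of compliance possible:", eligible_for_certificate(REPORT_FINDINGS))
    print("Ratings that give a score of 45:", combinations_for(45))
```

Running it reproduces the 36 / 18 / 36 scores shown in the findings sections, and the inverse lookup shows that the 45 scored against "Reporting Information Security Events and Weaknesses" in the summary table can only arise from High impact, High probability and "Nothing Being Done", while 18 can come from three different rating combinations; the score alone therefore does not tell a reader which of impact or control is driving it.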

Current State

CUSTOMER has many services such as <omitted> that are handled by a computerized control system. In addition, service time is offered 24 hours a day and 365 days a year to support the customer needs. CUSTOMER's goal is to be one of the best service providers in Asia with advanced technology and well-maintained facilities such as <omitted> on the World Wide Web, in order to ensure that customers will be able to access them directly to receive real-time information. Currently, there are a number of significant applications on the computer systems such as <omitted> that are running on UNIX and Windows Server 2003, respectively. Recognizing the criticality of the role of the computer systems in the operation of the company, CUSTOMER management is concerned with the adequacy of controls to ensure accuracy, integrity and reliability of the computer systems.

Findings, Risks, and Recommendations

In compliance with ISO-17799, the audit results at CUSTOMER are organized into the eleven security control clauses of the ISO standard. Within each of the ISO-17799 clauses, the identified items are represented with their associated findings, risks, and recommendations. The 11 security control clauses are as follows:
1. Security Policy
2. Organization of Information Security
3. Asset Management
4. Human Resources Security
5. Physical and Environmental Security
6. Communications and Operations Management
7. Access Control
8. Information Systems Acquisition, Development and Maintenance
9. Information Security Incident Management
10. Business Continuity Management
11. Compliance
Note: The order of the clauses does not imply their importance. Depending on the circumstances, all clauses could be important; therefore SafeComs will identify applicable clauses, how important these are and their application to individual business processes.

1. Security Policy

Information Security Policy

Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. Management should set a clear policy direction in line with business objectives and demonstrate support for, and commitment to, information security through the issue and maintenance of an information security policy across the organization.

Business Impact (Indicator / Score / Low Risk to High Risk)
  Potential Impact: High (1 2 3)
  Probability of Occurrence: High (1 2 3)
  Business Impact: High (1 2 3 4 5 6 7 8 9)

Control
Information security policy document: An information security policy document should be approved by management, and published and communicated to all employees and relevant external parties.
<omitted>

Finding
There is no formal, documented security policy in existence at CUSTOMER. During interviews, some staff assumed a policy was in place, due to their understanding that security was only about passwords. In the procedure manuals, we found that <omitted>

CUSTOMER's Level of Control: No Controls (1 2 3 4 5)

Risk
As many staff are unaware of the wide range of potential security issues, various breaches in security could occur, and go unnoticed or unreported. The potential level of damage to the company could be severe (e.g. loss of revenue, customers, or reputation).

Risk Score: 36 - High (1~15 Low, 16~30 Medium, 31~45 High)

Recommendation
Immediate action should be taken to develop and implement a comprehensive information security policy that will define and communicate management's commitment to information security to the entire organization.

5. Physical and Environmental Security

Secure Areas

Objective: To prevent unauthorized physical access, damage, and interference to the organization's premises and information. Critical or sensitive information processing facilities should be housed in secure areas, protected by defined security perimeters, with appropriate security barriers and entry controls. They should be physically protected from unauthorized access, damage, and interference. The protection provided should be commensurate with the identified risks.

Business Impact (Indicator / Score / Low Risk to High Risk)
  Potential Impact: High (1 2 3)
  Probability of Occurrence: Medium (1 2 3)
  Business Impact: Medium (1 2 3 4 5 6 7 8 9)

Control
Physical security perimeter: Security perimeters (barriers such as walls, card-controlled entry gates or manned reception desks) should be used to protect areas that contain information and information processing facilities.
<omitted>
Protecting against external and environmental threats: Physical protection against damage from fire, flood, earthquake, explosion, civil unrest, and other forms of natural or man-made disaster should be designed and applied.

Finding
<omitted>
A primary concern is the fact that there is no fire suppression system in the computer room.

CUSTOMER's Level of Control: Weak (1 2 3 4 5)

Risk
A fire in the computer room could destroy all current support activities, as well as destroy the servers of the other company hosted in the CUSTOMER computer room. CUSTOMER could be liable for damages incurred by both companies, including lost assets and time to recover from the loss.

Risk Score: 18 - Medium (1~15 Low, 16~30 Medium, 31~45 High)

Recommendation
Continue regular maintenance on the perimeter, entry controls, and facilities. An appropriate computer room fire suppression system should be installed as soon as possible to prevent a fire disaster.
<omitted>

7. Access Control

Network Access Control

Objective: To prevent unauthorized access to networked services. Access to both internal and external networked services should be controlled. User access to networks and network services should not compromise the security of the network services, by ensuring:
a) appropriate interfaces are in place between the organization's network and networks owned by other organizations, and public networks;
b) appropriate authentication mechanisms are applied for users and equipment;
c) control of user access to information services is enforced.

Business Impact (Indicator / Score / Low Risk to High Risk)
  Potential Impact: High (1 2 3)
  Probability of Occurrence: High (1 2 3)
  Business Impact: High (1 2 3 4 5 6 7 8 9)

Control
Policy on use of network services: Users should only be provided with access to the services that they have been specifically authorized to use.
<omitted>
Network routing control: Routing controls should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

Finding
Customers and suppliers are able to access CUSTOMER data/applications. There is no control or log monitoring of what they do remotely. PC Anywhere was still open on a server during the audit, although the supplier had requested access only during a previous timeframe.
<omitted>

Security breach possible
During an external scan, we found that the virus scanning interface is open and available without the need for a username or password. We have access to control this service. In addition, we believe that with a small amount of effort, we could penetrate this machine and thereby gain access to the CORE system via a hole identified in the firewall.

CUSTOMER's Level of Control: No Controls (1 2 3 4 5)

Risk
Production systems are vulnerable to attack and security breaches from multiple channels (Internet and Wireless), and there is no true control or knowledge of what is passing through the network on a daily basis.

Risk Score: 36 - High (1~15 Low, 16~30 Medium, 31~45 High)

Recommendation
<omitted>