Communication Infrastructure Convergence & The Need for IS Audit Compliance. Ninad M. Desai RCDD CISA CFOT, Consulting Specialist, Communication Cabling; Auditor, Information Systems & Technology.
Convergence and compliance: the way ahead. In today's interconnected and global operating environment, it seems nearly impossible to follow developments in technology or business without encountering the word Convergence. Enterprises around the world are moving decisively to converged networks. Nearly half of the senior executives in a global survey say that convergence has been implemented in all or most of their business, nearly double the share recorded in the same survey in 2005. Companies, however, face tough challenges along the migration path, and network security has emerged as the top convergence challenge.
IT Strategic Objectives & Convergence: where do we stand today? Source: Economist Intelligence Unit. The vast majority of survey respondents (84%) view convergence as critical or important to achieving their strategic IT and business goals, compared with 45% in the 2005 survey.
Convergence in cabling infrastructure, Example 1. Convergence has led to a unified cabling infrastructure for data and voice. This increases flexibility, but because both services now share one physical plant it also tightens the security constraints that apply to that plant.
Convergence in cabling infrastructure, Example 2. Similarly, with the introduction of baluns and adapters it is now possible to converge traditional CATV and CCTV systems onto the data communication infrastructure.
Infrastructure Convergence and IS audit compliance: the road blocks. This convergence design approach brings the various communication infrastructures together on a unified, and sometimes shared, cabling platform, which can result in a security breach involving the IT systems, the conventional systems, or both. Increasingly, as a means of reducing costs, increasing efficiency or making better use of technology investments, organizations are integrating physical security devices for access control, monitoring and process control into the IT infrastructure. The differences in design, functionality, implementation, maintenance and management can present administration and security conflicts. Security conflicts arise when standalone systems are integrated into the organization's IT infrastructure without taking into account the changed implementation scenario and context. Applications converged onto the network over TCP/IP can pose a major threat to every organization's information assets if the proper monitoring tools are not in place.
Convergent Infrastructure and compliance: the questions asked. Network controls: Whether the network is adequately managed and controlled to protect it from threats and to maintain security for the systems and applications using the network, including the information in transit. Whether controls have been implemented to ensure the security of information in networks and the protection of the connected services from threats such as unauthorized access.
Convergent Infrastructure and compliance: the questions asked. Security of network services: Whether the security features, service levels and management requirements of all network services are identified and included in any network services agreement. Whether the ability of the network service provider to manage the agreed services in a secure way is determined and regularly monitored, and whether the right to audit is agreed upon. Policy on use of network services: Whether users are provided with access only to the services that they have been specifically authorized to use. Whether a policy exists that addresses concerns relating to networks and network services.
Convergent Infrastructure and compliance: the questions asked. Segregation in networks: Whether groups of information services, users and information systems are segregated on networks. Whether the network is segregated using perimeter security mechanisms such as firewalls where business partners and/or third parties need access to information systems. Whether consideration has been given to segregating wireless networks from internal and private networks. Network connection control: Whether there exists an access control policy which states the network connection control requirements for shared networks, especially those which extend across the organization's boundaries.
Convergence Infrastructure & compliance, or did I mean non-compliance? Example 1: An organisation with a conventional CCTV network intended to convert the existing cameras to IP-based cameras, add cameras for better coverage, and add an image server/database infrastructure. The intent was for this system to be added to the existing general service network, using the existing Cat 5 wiring. The department extended cabling to the camera locations and placed client-side software on desktop systems so the cameras could be viewed from designated guard stations and certain desktops. Security compliance issues: The concerns that arose related to the security of the image and information system. The image data transferred from the cameras and stored on a video capture server flowed over the general service network. Although the data format was proprietary to the vendor, the client software that reads it was freely available from the web site of the software vendor that created it, so the proprietary format offered no real protection. The security methodology used to protect the server and data was weak.
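The segregation questions above become concrete when a design like Example 1 is written down as the flows it permits. The following is an added illustration, not code from the original presentation or from any camera vendor: it models placing cameras, the video capture server, guard stations and ordinary desktops on one general service network (every host reaches every other host) and compares that with a design that permits only the flows the CCTV function needs. The zone names and port numbers are assumptions for the illustration.

```python
"""Segregation check for the converged CCTV design in Example 1.

Added illustration, not code from the original presentation or from any
camera vendor.  It turns the audit question "are groups of information
services, users and information systems segregated?" into a check of the
flows a design allows against the flows the CCTV function actually needs.
Zone names and port numbers are assumptions.
"""
from itertools import permutations

ANY = "any"  # marker for an unrestricted flow: every port reachable (flat network)

# Zones assumed for the illustration.
ZONES = ("cameras", "video_server", "guard_stations", "desktops")

# Flows the CCTV function needs (assumed).  Cameras stream to the capture
# server, the server manages the cameras, and only guard stations view video.
# These are also the only flows a segregated design should permit.
REQUIRED = {
    ("cameras", "video_server", 554),         # camera stream, assumed RTSP port
    ("video_server", "cameras", 443),         # camera management, assumed port
    ("guard_stations", "video_server", 8443), # viewer client, assumed port
}

def flat_network(zones):
    """Flows implied by putting every zone on one general service network:
    every host can reach every other host on every port."""
    return {(src, dst, ANY) for src, dst in permutations(zones, 2)}

def segregation_violations(flows, allowed=REQUIRED):
    """Flows a design permits that are not on the allow-list.

    An unrestricted flow (port ANY) is always a violation: it exposes the
    camera and server services to every host in the source zone, which is
    exactly what happened when the desktops shared the network in Example 1.
    """
    bad = []
    for src, dst, port in sorted(flows, key=str):
        if port == ANY:
            bad.append(f"{src} -> {dst}: unrestricted")
        elif (src, dst, port) not in allowed:
            bad.append(f"{src} -> {dst}:{port} not permitted")
    return bad

def missing_required(flows, required=REQUIRED):
    """Required flows the design fails to permit.  Segregation that breaks
    the CCTV function is a different kind of non-compliance."""
    def permits(src, dst, port):
        return (src, dst, port) in flows or (src, dst, ANY) in flows
    return sorted(r for r in required if not permits(*r))

def audit(flows):
    """Combine both checks into one verdict for a design."""
    violations = segregation_violations(flows)
    missing = missing_required(flows)
    return {"compliant": not violations and not missing,
            "violations": violations, "missing": missing}

if __name__ == "__main__":
    print("Flat design (Example 1):", audit(flat_network(ZONES)))
    print("Segregated design:", audit(set(REQUIRED)))
```

The flat design produces a violation for every zone pair, including desktops reaching cameras directly, while the segregated design is compliant and still carries every flow the CCTV function needs. Adding one extra flow, such as letting desktops reach the viewer port, shows up as a single named violation, which is the form an audit finding should take.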
Convergence Infrastructure & compliance, or did I mean non-compliance? Example 2: The system was initially a digital CCTV monitoring system in a financial institution. The design assumed that connections across the company network would be infrequent and would last only for short periods. The office then underwent a maintenance cycle which took the local alarm systems offline, and management asked the central monitoring station to use the CCTV actively to protect the site remotely until the local alarms could be reconnected. The throughput generated by constant surveillance of the office affected the rest of the network. The network staff, responding to what appeared to be a negative impact on other users of the network, shut down the connection to mitigate the impact, thereby shutting down the surveillance. Compliance issues: The site was unprotected for the duration of the troubleshooting needed to determine the cause of the shutdown and what to do about it. The throughput of continuous connections was beyond the capacity of the available network bandwidth.
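Example 2 failed because a design sized for occasional short viewing was switched to continuous surveillance without anyone checking whether the link could carry it. The following is an added illustration, not code from the original presentation or from any CCTV vendor: it sizes the continuous case before it is turned on, reserving a share of the shared link for the other users and choosing which cameras can run at full quality and which must fall back to a reduced stream. The camera bit-rates, the 10 Mbit/s link and the 50% reserve are constructed figures for the illustration.

```python
"""Bandwidth budget for continuous remote CCTV monitoring (Example 2).

Added illustration, not from the original presentation or from any vendor.
The monitoring station in Example 2 went from occasional viewing to
continuous surveillance and saturated the shared link.  These functions
answer, before the change, whether continuous streaming fits and what to
do when it does not.  All bit-rates and link figures are assumptions.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Camera:
    name: str
    main_kbps: int  # full-quality stream bit-rate, assumed
    sub_kbps: int   # reduced-quality stream bit-rate, assumed

# Constructed site: six cameras of the same type.
SAMPLE_CAMERAS = [Camera(f"cam{i}", main_kbps=2000, sub_kbps=500) for i in range(1, 7)]

def peak_kbps(cameras):
    """Aggregate rate if every camera streams at full quality at once.
    This is the figure the 'infrequent, short' assumption hid in Example 2."""
    return sum(c.main_kbps for c in cameras)

def budget_kbps(link_kbps, reserved_fraction):
    """Bandwidth available to CCTV after reserving a share of the link
    for the other users of the shared network."""
    if not 0 <= reserved_fraction < 1:
        raise ValueError("reserved_fraction must be in [0, 1)")
    return link_kbps * (1 - reserved_fraction)

def plan_continuous(cameras, link_kbps, reserved_fraction=0.5):
    """Decide which cameras can stream at full quality continuously.

    Every camera first gets its sub-stream so that no view goes dark;
    cameras are then upgraded to the main stream in the order given while
    the budget allows.  Returns None when even the sub-streams do not fit,
    which must trigger a design change (more bandwidth, local recording,
    or a separate link), not an unannounced shutdown by network staff.
    """
    budget = budget_kbps(link_kbps, reserved_fraction)
    total = sum(c.sub_kbps for c in cameras)
    if total > budget:
        return None
    streams = {c.name: "sub" for c in cameras}
    for c in cameras:
        extra = c.main_kbps - c.sub_kbps
        if total + extra <= budget:
            total += extra
            streams[c.name] = "main"
    return {"streams": streams, "used_kbps": total, "budget_kbps": budget,
            "link_utilisation": round(total / link_kbps, 2)}

if __name__ == "__main__":
    link = 10_000  # 10 Mbit/s shared link, assumed
    print("Peak if all cameras stream at full quality:", peak_kbps(SAMPLE_CAMERAS), "kbps")
    print("Link capacity:", link, "kbps")
    print(plan_continuous(SAMPLE_CAMERAS, link_kbps=link, reserved_fraction=0.5))
```

With the constructed figures the naive plan (all six cameras at full quality) needs 12 Mbit/s on a 10 Mbit/s link, which is the Example 2 situation even before anyone else uses the network. Reserving half the link leaves 5 Mbit/s for CCTV: one camera can run at full quality and the other five on sub-streams, and the site stays monitored while the other users keep working. On a 2 Mbit/s link the plan returns None, the signal to change the design rather than to pull the connection.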
Specific areas in which security issues need to be addressed: electronic access control devices; closed circuit television (CCTV); environmental system controls.
Access control security issues. Access can be gained through the panel switch; from there, data can be downloaded or modified, granting unauthorized access to protected areas. Ideally each panel needs to be identified to the system as a specific device and authorized only for certain activities. Operators can open doors leaving no record of who entered, because the person entering may not have to swipe a card and may not have to sign in. Access devices can store around 4,000 entries which may not be encrypted, and this is a security concern. The problem of enrollment on first read persists.
Closed circuit television (CCTV) security issues. Sophisticated video storage and archiving systems put pressure on IT for storage, and hence for the security of the stored data. Vendors of control room equipment often do not know which ports on their systems are open, or the implications for the potential of being attacked and compromised. Systems may not even provide a way to close open ports that are not needed. A video DVR may record what data have been accessed but not what was viewed; once in, one can see all the information on the hard drive, with no limitation on access. Access controls and audit information for physical access may not be established for video systems.
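When the vendor cannot say which ports are open, the auditor has to find out and compare the answer with a documented baseline. The following is an added illustration, not code from the original presentation or from any DVR vendor: it parses the listening sockets of a hypothetical DVR (in the format of Linux `ss -tulnp` output, constructed here) and reports every socket that is not in the baseline, plus any baseline service bound wider than the baseline permits. The sample output, the process names and the baseline itself are constructed for the illustration.

```python
"""Open-port baseline check for a CCTV DVR or control-room server.

Added illustration, not code from the original presentation or from any
vendor.  An auditor records the listening sockets (here from constructed
`ss -tulnp` style output) and compares them with a documented baseline of
what the device is supposed to expose.  Sample output and baseline are
constructed for the illustration.
"""
import re

# Constructed sample of `ss -tulnp` output on a hypothetical DVR.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*     users:(("avahi-daemon",pid=512,fd=12))
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=701,fd=3))
tcp   LISTEN 0      128          0.0.0.0:554        0.0.0.0:*     users:(("rtspd",pid=820,fd=5))
tcp   LISTEN 0      128          0.0.0.0:8443       0.0.0.0:*     users:(("dvrweb",pid=821,fd=7))
tcp   LISTEN 0      50           0.0.0.0:23         0.0.0.0:*     users:(("telnetd",pid=633,fd=3))
tcp   LISTEN 0      128        127.0.0.1:3306       0.0.0.0:*     users:(("mysqld",pid=900,fd=21))
tcp   LISTEN 0      128             [::]:8443          [::]:*     users:(("dvrweb",pid=821,fd=8))
"""

# Documented baseline (assumed): (proto, port) -> permitted bind scope.
BASELINE = {
    ("tcp", 22): "any",        # admin SSH, restricted to the management network by firewall
    ("tcp", 554): "any",       # video stream to viewers
    ("tcp", 8443): "any",      # viewer web interface
    ("tcp", 3306): "loopback", # recording database: never reachable off-box
}

# One `ss` line: proto, state, queues, local addr:port, peer addr:port, optional process.
LINE_RE = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

def parse_listeners(ss_output):
    """Parse `ss -tulnp` lines into (proto, addr, port, process) tuples.
    The header line and anything unparseable are skipped."""
    found = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return found

def is_loopback(addr):
    return addr == "[::1]" or addr.startswith("127.")

def audit_listeners(listeners, baseline=BASELINE):
    """Findings: sockets not in the baseline at all, and baseline services
    bound to all interfaces when the baseline requires loopback only."""
    findings = []
    for proto, addr, port, proc in listeners:
        scope = baseline.get((proto, port))
        if scope is None:
            findings.append(f"undocumented {proto}/{port} ({proc}) bound to {addr}")
        elif scope == "loopback" and not is_loopback(addr):
            findings.append(f"{proto}/{port} ({proc}) must be loopback-only, bound to {addr}")
    return findings

if __name__ == "__main__":
    for finding in audit_listeners(parse_listeners(SAMPLE_SS_OUTPUT)):
        print("FINDING:", finding)
```

On the constructed output the check flags the telnet daemon on tcp/23 and the mDNS responder on udp/5353, neither of which the DVR needs, and accepts the database because it is bound to 127.0.0.1. The same baseline, kept with the system documentation, is what the next audit compares against.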
Environmental control security issues. Control systems in which individuals can control the temperature for their own area potentially pose many risks: for example, can someone who is not authorized gain control and change the environmental settings? These issues have implications for areas in which environmental requirements are important.
Conclusions. Security risks to systems and devices designed to provide physical security and process control are growing because these systems are increasingly being connected to organizations' networks. Systems and devices are increasingly being deployed in a manner that exposes them to external access, including access from the Internet, and some of these systems are business-critical. Systems and devices on the network are becoming more sophisticated and diverse, making security increasingly difficult to control. Systems and devices are frequently deployed on the common network infrastructure but managed outside the influence of information systems and security professionals.
Recommendations. Establish a governance framework for managing security-related risks in convergent cabling network systems. Understand the technology better, and analyze and understand the security-related cost-benefit trade-offs. Critical systems converged onto the organization's network need to be treated as critical and included in the business continuity plans. Expand the audit function to cover network-integrated systems and devices.
Any Audit Remarks? Ninad M. Desai RCDD CISA CFOT optinextindia@yahoo.co.in