Often referred to as penetration testing or probe-and-response verification, this activity is a critical part of ensuring that all of the plans and procedures that should be in place actually are in place. Usually performed by an independent consulting or security organization to avoid undue political and management influence, system security verification often occurs upon a milestone event such as a major software deployment or operating system upgrade. In the case of highly trusted information systems (DoD Orange Book categories B1, B2 and A), verifications occur on a random but continuous basis to verify the currency of software patches, the closure of unneeded firewall ports, and password obsolescence, among other details.
Internal IT security organizations should plan routine audits as well, to ensure that system operational activities have not inadvertently created access exposures or opportunities for attack. Hackers and crackers base many of their attacks on assumptions made by security professionals that software patches have been installed, unused modems have been removed, and terminated employees' passwords have been deleted.
Findings from verification audits are grouped into high, medium and low categories based on the criticality of their resolution. High findings are responded to and resolved immediately, medium findings as soon as practical, and low findings as part of ongoing security development or deployment activities.
IT executives and senior managers should become familiar with the findings from verification audits and ask for the details of what was done to respond to every security finding. Scheduling and chairing monthly security briefings is an excellent way to understand what is happening (or not happening) and why. There is an obvious investment of money and management time in holding these meetings, which should result in high-value security activities being completed or planned. Given the continuous nature of security attacks and of the ways to respond to and repel them, it would be rare not to have several active items to discuss at both the technical and management levels of the organization.
Best Practice | Criticality | Frequency | Participants | Activity Results |
---|---|---|---|---|
Verify all systems have current software security patches installed and activated | High | As needed | Security, system admins | Updated software patches on all systems as soon as practical |
Assess and verify that operating system and application security settings on all production systems can only be changed by system administrators | High | Monthly | Security, system admins | Access for changes restricted to admins only |
Locate and confirm data obsolescence policy and verify it is being followed | High | Quarterly | Management, security | Data are being retired with adequate safeguards |
Test all data backup and recovery systems and verify operational practices are working to restore data | High | Monthly | Security, system admins | Confirmed ability to save and recover data |
Locate and confirm receipt of all software licenses to ensure accurate license fees are being paid | Medium | Quarterly | Management, finance, system admins | Compliance with software license terms and conditions |
Locate and verify that processes to provide system access are reasonable and that undue security exposure has been avoided | Medium | Quarterly | Management, finance, system admins | Confidence that access is being provided to the correct people per policy |
Verify that wireless access points have at least 64-bit encryption and have been located away from insecure areas | High | When installed; check quarterly | Security, system admins | Reduced exposure to wireless attack and unauthorized access |
Disable Broadcast SSID features on wireless access points | High | When installed; check quarterly | Security, system admins | Reduced exposure to wireless attack and unauthorized access |
Determine if implementing a biometric or SmartCard access method is appropriate, based on the value of information and number of users/customers that could be impacted | Medium | Quarterly | Management, finance, system admins | Determine if security methods should be upgraded due to changing business conditions |