Security Audits

Auditing goals must be tightly coupled with IT governance so that they align with the organization's business goals; an audit that does not serve those goals is not effective. Governance considers the organizational relationships and processes that affect the entire enterprise. Before expensive resources are allocated to a task, the landscape, including industry best practices, is considered. Once the goal of the audit has been clearly identified, the controls required to meet that goal can be planned. The term commonly used for such a goal is the control objective.

Test Day Tip 

The material covered in this chapter prepares candidates for the SSCP exam presented by ISC2. Many of the audit concepts are also addressed in the Certified Information Systems Auditor (CISA) certification presented by the Information Systems Audit and Control Association (ISACA). Control Objectives for Information and related Technology (COBIT) is an ISACA framework for IT audit built from relevant standards, guidelines, and control practices. Understanding this framework is a good way to deepen your understanding of the auditing process, but it is not required to pass the ISC2 SSCP exam. COBIT breaks IT governance down into four major domains:

  • Planning and Organization (PO)

  • Acquisition and Implementation (AI)

  • Delivery and Support (DS)

  • Monitoring (M)

Within the Delivery and Support domain, control objective DS5 is "ensure systems security." Its first detailed control objective, "manage security measures," explains that IT security should be managed so that security measures are in line with business requirements. This includes translating the risk assessment into the IT security plan, implementing that plan, and updating it to reflect changes in the IT configuration.

How is this control objective applied in practice? Consider a risk assessment of the threat of viruses and the countermeasures to be deployed. The key to this detailed control objective is that security measures stay aligned with business requirements. Should the security department recommend that every incoming e-mail attachment be quarantined whenever a virus is suspected? That may be a good idea from a security perspective, but what if one of those attachments is a critical business document that must be received and reviewed that day to make an important financial decision affecting the organization's overall value? The consequences of a security control preventing an authorized user from performing a legitimate job function must be weighed carefully when internal audit processes and technical audit controls are designed. Is there a process that checks the same file against another vendor's antivirus signatures to see whether a false positive is likely? Has anyone asked the antivirus vendor whether certain attachment types are more prone to false positives and would be quarantined unnecessarily? Is there an operational procedure for vetting files that were quarantined by mistake? A review of the antivirus logs that compares the rate of false positives with the rate of confirmed incidents gives the risk assessment the numbers it needs, so that appropriate countermeasures can be written into the IT security plan.
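The log review just described can be scripted. The following is an added example, not code from the study guide or any antivirus product: it reads a constructed quarantine log, joins each event with an independent second engine's verdict and with the analyst's disposition from the vetting procedure, and reports the false-positive rate overall and per signature, the files that should be released, and the files still waiting on a decision. The log line layout, the verdict names, the second-opinion results and the dispositions are all assumptions made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample quarantine log for this example; the line layout is an
# assumption, not the format of any real antivirus product. One line is
# deliberately malformed to show the parser skipping it.
QUARANTINE_LOG = """\
2003-03-01T08:12:01 id=1001 file=q1_forecast.xls verdict=W97M.Generic
2003-03-01T08:15:44 id=1002 file=invoice.exe verdict=Trojan.Downloader
2003-03-01T09:02:10 id=1003 file=board_deck.ppt verdict=Heuristic.Suspicious
2003-03-01T09:40:33 id=1004 file=setup.scr verdict=W32.Generic
2003-03-01T10:11:07 id=1005 file=contract.doc verdict=W97M.Generic
this line is not a quarantine event
2003-03-01T11:30:52 id=1006 file=report.pdf verdict=Heuristic.Suspicious
"""

# Constructed second-opinion verdicts from an independent engine:
# True = also flagged malicious, False = clean, None = not yet rescanned.
SECOND_OPINION: Dict[int, Optional[bool]] = {
    1001: False, 1002: True, 1003: False, 1004: True, 1005: False, 1006: None,
}

# Constructed analyst dispositions from the vetting procedure; absent = not reviewed yet.
DISPOSITION: Dict[int, str] = {
    1001: "clean", 1002: "malicious", 1004: "malicious", 1005: "clean",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) id=(?P<id>\d+) file=(?P<file>\S+) verdict=(?P<verdict>\S+)$"
)


@dataclass
class Event:
    event_id: int
    file: str
    verdict: str
    second_opinion: Optional[bool]
    disposition: Optional[str]


def parse_log(text: str) -> List[Event]:
    """Parse quarantine lines and join each with its second opinion and disposition."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole review
        eid = int(m["id"])
        events.append(Event(eid, m["file"], m["verdict"],
                            SECOND_OPINION.get(eid), DISPOSITION.get(eid)))
    return events


def classify(ev: Event) -> str:
    """The analyst disposition is authoritative; the second engine only sets vetting priority."""
    if ev.disposition == "malicious":
        return "confirmed"
    if ev.disposition == "clean":
        return "false_positive"
    return "vet_first" if ev.second_opinion is False else "pending"


def review(text: str) -> dict:
    """Summarise quarantine outcomes: overall and per-signature false-positive counts,
    files to release, and files still waiting for a decision."""
    events = parse_log(text)
    buckets: Dict[str, List[Event]] = {}
    for ev in events:
        buckets.setdefault(classify(ev), []).append(ev)
    confirmed = buckets.get("confirmed", [])
    fps = buckets.get("false_positive", [])
    decided = len(confirmed) + len(fps)

    # Per-signature (false positives, decided) shows which detections are prone to false alarms
    by_signature: Dict[str, Tuple[int, int]] = {}
    for ev in events:
        fp, dec = by_signature.get(ev.verdict, (0, 0))
        cls = classify(ev)
        by_signature[ev.verdict] = (fp + (cls == "false_positive"),
                                    dec + (cls in ("confirmed", "false_positive")))
    return {
        "quarantined": len(events),
        "confirmed": len(confirmed),
        "false_positives": len(fps),
        "fp_rate": len(fps) / decided if decided else 0.0,
        "release": sorted(ev.file for ev in fps),
        "vet_first": sorted(ev.file for ev in buckets.get("vet_first", [])),
        "pending": sorted(ev.file for ev in buckets.get("pending", [])),
        "by_signature": by_signature,
    }


if __name__ == "__main__":
    for key, value in review(QUARANTINE_LOG).items():
        print(f"{key}: {value}")
```

Two design points matter for the audit. The false-positive rate is computed only over events that an analyst has actually decided, so undecided quarantines do not flatter or inflate it, and the per-signature counts are what you would take back to the vendor when asking whether a particular detection is prone to false alarms on legitimate business documents.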

The business units may not be aware of how significant the threat of polymorphic viruses is, or of the security measures and money required to protect against them. A Business Impact Analysis (BIA) can be conducted to determine how much money would be lost if a virus shut the organization down for a few hours versus a few days. Could it put the company out of business? What are the tangible effects realized immediately (loss of access to the assets needed for operations) versus the intangible long-term effects (loss of reputation due to exposure)? Conversely, what would happen if the security measures deployed exceeded the risk? Security should be designed to provide access to authorized users and to prevent unauthorized access, and that balance should not prevent or hinder authorized users from performing their job functions. Another example is the deployment of Single Sign-On (SSO) technology to reduce the likelihood of authorized users being denied legitimate access to data because they could not remember a dozen userid and password combinations. Once each of these assessments is complete, it is imperative to update the security plan to reflect the changes and to notify end users of them to maximize understanding and compliance.

Senior management must endorse auditing efforts to ensure their success. If auditing goals are approached from the top down, there is a greater chance they will address enterprise business objectives and comply with industry regulations. This reinforces the governance concepts, since senior management is expected to be familiar with organizational business goals and is held responsible for delivering them. Senior management is also expected to understand the industry in which the organization operates, and many organizations have legal and regulatory constraints that determine auditing goals. An example in the healthcare industry is the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (August 21), Public Law 104-191, also known as the Kennedy-Kassebaum Act, which among other things amends the Internal Revenue Code of 1986. HIPAA calls for standardization of electronic patient health, administrative, and financial data, and is also designed to protect the confidentiality and integrity of individually identifiable health information. Healthcare organizations such as physician offices, insurers, clearinghouses, billing agencies, universities, and so on must comply with the HIPAA regulations or face severe penalties. Most organizations have up to 24 months from the date of the "final rule" to comply with each regulation. For example, the privacy regulations take effect April 14, 2003, and carry audit considerations such as the following:

  • Incidental Use and Disclosure   Are there reasonable safeguards, policies, and procedures in place to protect patient privacy?

  • Notice of Privacy Practice   Have patients been informed of the policies and procedures designed to safeguard their Protected Health Information (PHI)? Is the notice consistent with the guidance published by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) to assist with HIPAA interpretation?

  • Business Associates   Is there a person or entity outside the organization that performs functions on its behalf involving the use or disclosure of PHI, and is that use governed by a written agreement?

These questions and many more are currently being asked at healthcare organizations throughout the United States in preparation for the 2003 privacy rule deadlines. The auditor must be familiar with the regulations in order to perform the audit, and must be able to determine the materiality, or importance, of each finding and present it in a format relevant to senior management. In this particular case, a computer-assisted audit technique (CAAT) could take the form of a large database of interview questions used at many healthcare organizations to gather information, assess current privacy-rule readiness and compliance, and determine how to close any gaps that exist.

The goals of auditing in this environment must address compliance with internal security policy, and that policy must align with industry-specific regulations, including applicable laws governing financial, statutory, and tax reporting and related matters. Employees are expected to exercise care and diligence to ensure that assets are secure; that transactions are recorded completely, accurately, and on a timely basis; and that internal and external reports and communications are accurate and reported as prescribed by law, policy, or generally accepted principles. The security policy becomes an instrument to educate users and change their behavior to achieve compliance. Auditing is the process that validates that the security policy's requirements are being met.

Test Day Tip 

Do not forget the hierarchical order of security controls: policies, standards, and guidelines. Best practices are essentially guidelines and are not mandatory. Standards are mandatory and are derived from the security policy. So, the top-down order is:

  • Policies   The security policy is a living document consisting of rules, laws, and practices that adjusts to changes in the risk profile of the organization. It determines how an organization will implement, manage, and protect resources to meet organizational security objectives. The security policy may, and often does, consist of a number of specific subpolicies to address specific points like "workstation acceptable use policy." The security policy should define the range of threats to your organization and what procedures exist to manage these threats when they are encountered.

  • Standards   Standards are mandatory, procedure-specific requirements. Everyone must follow them, and they typically contain very specific instructions on use and configuration, for example the installation procedure required to build a hardened operating system from which unnecessary services have been removed.

  • Guidelines   Guidelines are synonymous with best practices and are meant to be suggestions that are not mandatory. For example, the concept of a layered approach to security where security controls are complementary and redundant is a good suggestion, but not mandatory.

Internal versus External Auditors

Internal auditors are employed by the organization in which the audit in question takes place. They examine the existing internal control structure for compliance to policies and help management accomplish objectives through a disciplined approach to governance, control, and risk mitigation.

External or independent auditors are not employed by the company they audit, and are often hired as external contractors to address specific regulatory requirements. Independent auditors must gain a sufficient understanding of internal controls and policy requirements in order to determine the scope of the testing that will be performed to substantiate the effectiveness of the controls in place.

Note 

Many personnel with the title of auditor come from a background other than IT, and cannot be expected to have an in-depth understanding of each type of information system on which an audit will be performed. Information systems personnel, such as those with the SSCP certification, will be expected to help information systems auditors to both gather the requisite information to fill out their audit criteria lists, as well as to understand the importance of and relation between relevant systems.

When dealing with external auditors, the organization must exercise due care in deciding who will perform the required auditing functions. The persons involved in an information systems audit or penetration test will be given information about, and possibly access to, the crown jewels of the organization, so proper controls must be in place to ensure that these persons can be trusted with that information. Signing a non-disclosure agreement is often the first step in protecting it. In very sensitive situations, a background check from the Federal Bureau of Investigation (FBI) in the United States, the Royal Canadian Mounted Police (RCMP) in Canada, or a private investigator (PI) should be considered a minimum, to mitigate the risk of hiring a person who has inappropriately disclosed sensitive information in the past. A background check is itself a preventive control: it deters illicit motivations such as deliberately discrediting an organization for political reasons, gaining notoriety for subverting preventive controls, or profiting financially from disclosure.

Organizations should check the credentials of anyone being considered to conduct an audit or penetration test, ask for references, and have the contract reviewed by legal counsel when a third party is hired to perform the test. Knowingly hiring an external party to perform vulnerability assessments in order to improve the organization's security posture is considered ethical hacking. Performing vulnerability tests on a regular schedule is considered a best practice for discovering and correcting weaknesses that might otherwise go undetected. Without going into an extensive discussion of the differences between white/black/gray hat hackers, crackers, script kiddies, and so forth, it is safe to say that some people consider ethical hacking a public service of sorts. If a software vendor releases code without thorough quality control and an ethical hacker discreetly contacts the vendor about the issue, the vendor should correct the problem within a reasonable timeframe that depends on the materiality, or importance, of the finding. If the problem has not been fixed after an extended period, some hackers take it public to the Internet community to force the company into fixing the bug. The hacker may argue that this is a form of social Darwinism: a capitalist society rewards the strongest companies, those with the best products, which are able to react, adapt, and improve their products under hacker scrutiny. Ethical hacking can improve the quality of products used every day if companies reap the benefit of a world of debuggers providing responsible feedback. Hacking is generally considered unethical when the motivation is personal gain only, especially financial gain, with no attempt to get the flaw corrected. If the software vendor remains unaware of the problem and the resulting unauthorized access continues indefinitely, only the individual benefits.
If a hacking incident has good intentions but yields unexpected bad results, is it unethical? An early example of a well-known hack is the Morris worm, released by Robert Morris in 1988, which brought down a significant portion of the Internet. Did he make today's Internet stronger by demonstrating a weakness that anyone could have exploited? The debate continues…

Internal or external auditors may be asked to perform an ethical hack known as a penetration test to see whether security controls are effectively protecting valuable resources. It is imperative that senior management fully understands the benefits and risks of a penetration test before any test is conducted. In addition, the party conducting the penetration test needs to understand which processes are critical to the success of the organization and cannot be interrupted without financial impact. Where possible, penetration tests should be scheduled during off-hours or on the days of the month when business functions would be least affected. Adequate segregation of application development environments is also important to limit possible negative side effects.

The challenge for companies with relatively mature System Development Life Cycle (SDLC) processes is to provide testing in a well-controlled environment that does not interfere with normal business operations and certainly does not have a negative impact on revenue. So, what is the best environment in which to perform these tests? If penetration testing is done in a development environment, it may not truly resemble production, since the code would not typically match production code, and the results or assumptions drawn from them would be flawed. If tests are run against production, there is the risk of interfering with applications that cannot afford to be down. Ideally, a preproduction staging environment should be used. The code deployed in staging should be the same as production or one release ahead of it (assuming each code release is tested in staging before being promoted to production). This is an ideal environment provided that the production servers and staging servers are hosted in the same environment. An administrator would not perform penetration testing against servers hosted inside the company, then ship those servers to a hosting service provider (HSP) and expect the results to hold. That type of testing can improve the security of the host in question, but it does not represent end-to-end security. If an HSP is used, it is better to make the proper legal and operational arrangements to perform penetration testing on a regular basis against the staging servers at the HSP location. Each organization must still consider the factors unique to its environment to get the most out of penetration testing.

Auditing Process

The auditing process provides a well-defined set of procedures and protocols to measure compliance with, or deviation from, applicable standards. When most people outside the IT field think of an audit, they think of a financial audit. However, audits can also be used to verify compliance with applicable laws and regulations, the efficiency of organizational operations, and effectiveness in achieving desired organizational goals. The auditing process should consist of regularly planned activities that maximize participation and consider resource allocation. For instance, it may not make sense to perform an audit during the end-of-year holidays, when it is difficult to meet with and collect information from key personnel.

The Department of Defense (DoD) provides the following detailed steps that are more particular to an IT audit:

  1. Plan the audit:

    • Understand the business context of the security audit

    • Obtain required approvals from senior management and legal representatives

    • Obtain historical information on previous audits, if possible

    • Research the applicable regulatory statutes

    • Assess the risk conditions inherent to the environment

  2. Determine the existing controls in place and the associated risk profile:

    • Evaluate the current security posture using risk-based approach

    • Evaluate the effectiveness of existing security controls

    • Perform detection risk assessment

    • Perform control risk assessment

    • Determine the total resulting risk profile

  3. Conduct compliance testing:

    • Determine the effectiveness of policies and procedures

    • Determine the effectiveness of segregation of duties

  4. Conduct substantive testing:

    • Verify that the security controls behave as expected

    • Test controls in practice

  5. Determine the materiality of weaknesses found:

    • If the security exploits found were to be executed, what would be the tangible impact to the business (in dollars) and the intangible impact (loss of reputation)

    • Determine if the security exploits found increase the organizational risk profile

  6. Present findings:

    • Prepare the audit report and the audit opinion

    • Create recommendations

The auditing process provides a means to ensure compliance with organizational security policy. Audit trail reports can be used to demonstrate compliance over a period of time. Audit trails should make it possible to reconstruct events, identify and resolve problems, and assign individual accountability. An "owner" must be assigned to each information asset, owners must know they are accountable for neglecting to protect it, and the audit trail itself must be protected from unauthorized modification. Accountability is significant but limited, since it is a detective (reactive) control: it does not prevent activities from happening, but reports them once an event has occurred.
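One way to give an audit trail the three properties just listed (event reconstruction, individual accountability, and protection from unauthorized modification) is to record who did what to which asset in each entry and to chain the entries with a keyed MAC. The following is an added example, not code from the study guide: it appends records whose HMAC covers their own fields and the previous record's MAC, then shows which tampering each check detects. The key value, the record fields, the actors and the asset names are assumptions made up for the example; in practice the key would be held by the audit function, not on the audited host.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Assumption for this example: the key is held by the audit function, separate from the
# administrators whose actions are logged, so they cannot recompute valid MACs.
AUDIT_KEY = b"audit-key-placeholder-do-not-reuse"  # constructed placeholder, not a real key
GENESIS = "0" * 64  # the "previous MAC" of the very first record


def _canonical(record: dict) -> bytes:
    """Stable serialisation so the same record always MACs the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append(trail: List[dict], actor: str, action: str, obj: str,
           key: bytes = AUDIT_KEY) -> dict:
    """Append a record whose MAC covers its own fields and the previous record's MAC."""
    body = {
        "seq": len(trail),
        "actor": actor,    # who: individual accountability
        "action": action,  # what
        "object": obj,     # on which asset
        "prev": trail[-1]["mac"] if trail else GENESIS,
    }
    body["mac"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    trail.append(body)
    return body


def verify(trail: List[dict], expected_head: Optional[str] = None,
           key: bytes = AUDIT_KEY) -> Optional[str]:
    """Return None if the trail is intact, otherwise a description of the first defect.

    expected_head is the MAC of the last record, kept out of band (for example on a
    write-once medium or with the auditor); without it, silently dropping the newest
    records cannot be detected, because the remaining chain still verifies."""
    prev = GENESIS
    for i, rec in enumerate(trail):
        if rec.get("seq") != i:
            return f"sequence gap at {i}: record claims seq {rec.get('seq')}"
        if rec.get("prev") != prev:
            return f"chain break at seq {i}"
        body = {k: v for k, v in rec.items() if k != "mac"}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(rec.get("mac", ""))):
            return f"record {i} modified"
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return "trail truncated: last MAC does not match the recorded head"
    return None


def reconstruct(trail: List[dict], obj: str) -> List[tuple]:
    """Reconstruct who did what to an asset, in order; call verify() first."""
    return [(r["actor"], r["action"]) for r in trail if r["object"] == obj]


def demo() -> dict:
    """Build a small trail, then show which tampering each check catches."""
    trail: List[dict] = []
    append(trail, "alice", "read", "patient/42")
    append(trail, "bob", "update", "patient/42")
    append(trail, "alice", "export", "patient/42")
    head = trail[-1]["mac"]  # would be stored out of band in a real deployment

    modified = [dict(r) for r in trail]
    modified[1]["actor"] = "alice"   # bob edits the record to shift blame
    deleted = [trail[0], trail[2]]   # record 1 removed from the middle
    truncated = trail[:2]            # newest record dropped

    return {
        "intact": verify(trail, head),
        "history": reconstruct(trail, "patient/42"),
        "modified": verify(modified, head),
        "deleted": verify(deleted, head),
        "truncated_without_head": verify(truncated),
        "truncated_with_head": verify(truncated, head),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "truncated_without_head" case is the caveat worth remembering: a chain by itself only proves that nothing was altered or removed in the middle. Detecting deletion of the most recent records requires anchoring the current head somewhere the administrators of the audited system cannot rewrite, and the HMAC key must live there too, or a privileged insider can simply recompute the whole chain.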

After the policy has been created, maintenance activities monitor its effectiveness and compliance with it. Monitoring can take the form of checking for the latest security vulnerabilities and applying patches as needed. However, applying patches as vulnerability announcements are made is not enough. Regularly scheduled penetration tests are needed to discover weaknesses that may have resulted from a recent change in the operating environment. A risk-based approach to protecting information assets should consider the importance of the assets to be protected and the frequency of review required to mitigate the risk to them.



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
