01 information security controls 08-17-10

Upload: rumesh-wickramasinghe

Post on 06-Apr-2018


TRANSCRIPT

  • 8/3/2019 01 Information Security Controls 08-17-10

    1/23

    Audit Proof Information System Security Controls

    Wednesday, August 18, 2010

    John R. Robles
    Email: [email protected]
    Tel: 787-647-3961

    Puerto Rico Chapter
  • 2/23

    Audit-Proof IS Security Controls

    For those of you who took the CISSP exam, an audit of your institution's IS security controls is a real-life CISSP exam.

    If you pass the CISSP exam, you can get certified.

    If you pass the audit examination, you get to keep your job.

  • 3/23

    Audit-Proof IS Security Controls

    So how can I pass an IS audit, and keep my job?

    1st, Reduce your stress levels.

    2nd, Prepare for your audit:
      Have documentation of everything related to IS security controls.
      Be prepared to answer questions and provide information.

    3rd, Argue with the auditor only if you know you are right and he/she is wrong. (Both conditions.)
      (If you are certified (CISA, CISM, CISSP) and he/she is not, you might argue.)

  • 4/23

    Audit-Proof IS Security Controls

    Reduce your stress levels

    Most likely, it's not your first audit experience.
      If you are the CISO, then you have already been through an audit.
      Your audit results should get better with time.
      If there were recommendations on your last audit, make sure you have remedied the exceptions.
      Try to improve your evaluation score.

    If it's your 1st audit,
      And you are CISA, CISM, and/or CISSP, you know the theory. Review that theory, again.
      1st timers, get an audit work program (FDIC, etc.).

  • 5/23

    Audit-Proof IS Security Controls

    Review and provide documentation of everything related to IS security controls
      Institution's organization chart
      Security dept. organization chart
      Job descriptions
      Security training schedules
      Security dept. long- and short-range plans
      Policies and procedures
      List of all hardware and location
      List of all software and location

  • 6/23

    Audit-Proof IS Security Controls

    Documentation (Cont.)
      List of vendors (hardware, software, security management services)
      Network diagrams
      List of authorized persons per application and system (local and remote)
      Identify root and admin users
      IS security configurations on PCs, servers, and networks
      Business Continuity Plan

  • 7/23

    Audit-Proof IS Security Controls

    Lack of adequate documentation can impact the evaluation of your audit.
      It could cause auditors to look in more detail at your security controls and find more exceptions.

    Audit-proof security controls implies that all security controls are documented.

    Audit-proof IS security controls are those that the auditor expects to review, analyze, and report on.

  • 8/23

    Audit-Proof IS Security Controls

    Try to visualize security controls as the auditor would, that is, as
      Preventive security controls
      Detective security controls
      Corrective security controls

    Those controls should address the CIA (Confidentiality, Integrity, Availability) of the institution's information.

  • 9/23

    Audit-Proof IS Security Controls

    Be prepared to answer questions and provide information regarding how you maintain the Confidentiality of information
      Review: what is confidential information?
      Show the categorization of information.
      If you know what is confidential and sensitive information, then you know what is not confidential and sensitive.
      Show the Information System Risk Assessment and Risk Management program.

  • 10/23

    Audit-Proof IS Security Controls

    How do you protect confidentiality?
      Show / discuss policies related to Confidentiality and ACLs
      Show / discuss Access Control Lists (ACLs) by application
      Show / discuss Internet and remote access filtering via routers and firewalls
      Show / discuss procedures to provide, change, and delete from the ACLs
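    The test an auditor actually runs on "ACLs by application" is a reconciliation: the authorized-persons list from slide 6 against what the application's ACL really contains, with the root/admin users called out separately. The script below is an added example, not code from the original slides; the user names, roles, the 90-day dormancy limit and the set of privileged roles are constructed assumptions. Each exception category maps to one of the provide / change / delete procedures the auditor will ask about.

```python
# Added example (not from the original slides): reconcile an application's
# actual ACL against the authorized-persons list, the way an auditor tests
# "ACLs by application" and the provide/change/delete procedures. All names,
# roles and thresholds below are constructed for illustration.
from collections import namedtuple

AclEntry = namedtuple("AclEntry", "user role last_login_days")

# Constructed: the application owner's authorized list (user -> approved role).
AUTHORIZED = {
    "jdoe": "teller",
    "asmith": "branch_manager",
    "rlopez": "teller",
    "itadmin": "admin",
    "kwong": "teller",          # approved but never provisioned
}

# Constructed: what the application's ACL actually contains.
ACL = [
    AclEntry("jdoe", "teller", 2),
    AclEntry("asmith", "branch_manager", 5),
    AclEntry("rlopez", "admin", 1),          # role exceeds what was approved
    AclEntry("itadmin", "admin", 0),
    AclEntry("mgarcia", "teller", 120),      # not on the authorized list, dormant
    AclEntry("svc_report", "admin", 400),    # privileged, unauthorized, dormant
]

PRIVILEGED_ROLES = {"admin", "root"}   # assumption: roles the auditor treats as root/admin
DORMANT_DAYS = 90                      # assumption: inactivity limit in the access policy


def review_access(authorized, acl, dormant_days=DORMANT_DAYS):
    """Return the audit exceptions as a dict of sorted user-name lists.

    unauthorized   - in the ACL but not on the authorized list (delete procedure failed)
    role_mismatch  - on the list, but the ACL grants a different role (change procedure failed)
    missing        - authorized but absent from the ACL (provide procedure failed)
    privileged     - every root/admin account, for the auditor's privileged-user list
    dormant        - no login within dormant_days, candidates for removal
    """
    actual = {entry.user: entry for entry in acl}
    return {
        "unauthorized": sorted(u for u in actual if u not in authorized),
        "role_mismatch": sorted(u for u, e in actual.items()
                                if u in authorized and authorized[u] != e.role),
        "missing": sorted(u for u in authorized if u not in actual),
        "privileged": sorted(u for u, e in actual.items() if e.role in PRIVILEGED_ROLES),
        "dormant": sorted(u for u, e in actual.items() if e.last_login_days > dormant_days),
    }


if __name__ == "__main__":
    for kind, users in review_access(AUTHORIZED, ACL).items():
        print(f"{kind:14s} {', '.join(users) or '-'}")
```

    Run against a real application, the "unauthorized" and "dormant" lists are the evidence for the delete procedure, "role_mismatch" for the change procedure, and "missing" shows that the authorized list itself is not being kept in step with provisioning. The "privileged" list is what the auditor compares with the root/admin inventory from slide 6.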

  • 11/23

    Audit-Proof IS Security Controls

    Confidentiality (Cont.)

    Show / discuss security controls to detect the violation of confidentiality
      Wrong-password limit and reset
      Password structure and duration
      Discuss logging of all access to all confidential information
      Discuss physical access restrictions and logs
      Discuss your router and firewall configurations
      Discuss the setup of the DMZ
      Discuss the security configuration of servers, PCs, routers, and firewalls

  • 12/23

    Audit-Proof IS Security Controls

    Detect Violation of Confidentiality (Cont.)

    Show / discuss how access controls are tested to ensure violations are prevented, detected / notified, and corrected.

    Incident Response program: review this key security control when violations are discovered and notified.
      Discuss how major violations were detected, or NOT.
      Discuss how violation notifications were handled, or NOT.
      Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence.
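    The "wrong-password limit" on slide 11 is a detective control, and the auditor will want to see that it fires on the access logs and that a success right after a burst of failures is treated as a potential violation rather than a resolved one. The script below is an added example, not code from the original slides: it runs that check over a few constructed sshd-style log lines (the line format, the 5-failures-in-5-minutes threshold and the hosts are assumptions) and returns both the lockout events and the logins that followed a lockout-level burst.

```python
# Added example (not from the original slides): detect failed-login bursts
# over constructed, sshd-style log lines and flag a success that follows a
# burst. Format, thresholds and hosts are assumptions for illustration.
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines; the format is an assumption.
LOG = """\
2010-08-17 09:00:01 sshd[101]: Failed password for jdoe from 10.1.1.5
2010-08-17 09:00:03 sshd[101]: Failed password for jdoe from 10.1.1.5
2010-08-17 09:00:04 sshd[101]: Failed password for jdoe from 10.1.1.5
2010-08-17 09:00:06 sshd[101]: Failed password for jdoe from 10.1.1.5
2010-08-17 09:00:07 sshd[101]: Failed password for jdoe from 10.1.1.5
2010-08-17 09:00:09 sshd[101]: Accepted password for jdoe from 10.1.1.5
2010-08-17 09:05:00 sshd[102]: Failed password for asmith from 10.1.1.9
2010-08-17 09:25:00 sshd[103]: Failed password for asmith from 10.1.1.9
2010-08-17 09:45:00 sshd[104]: Failed password for asmith from 10.1.1.9
2010-08-17 09:45:10 sshd[104]: Accepted password for asmith from 10.1.1.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text):
    """Yield (timestamp, failed, user, ip) for each line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"] == "Failed", m["user"], m["ip"])


def detect(log_text, max_failures=5, window_seconds=300):
    """Return (lockouts, suspicious_successes).

    lockouts: (user, timestamp) when the failure count inside the sliding
    window reaches max_failures; this is the point the lockout should trigger.
    suspicious_successes: (user, ip) for a successful login that arrives while
    the account is in a lockout-level burst, i.e. a possible guessed password.
    """
    recent = defaultdict(deque)   # user -> failure timestamps inside the window
    locked = {}                   # user -> timestamp the threshold was reached
    lockouts, suspicious = [], []
    for ts, failed, user, ip in parse(log_text):
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if failed:
            q.append(ts)
            if len(q) >= max_failures and user not in locked:
                locked[user] = ts
                lockouts.append((user, ts))
        else:
            if user in locked:
                suspicious.append((user, ip))
            q.clear()             # a success ends the burst
            locked.pop(user, None)
    return lockouts, suspicious


if __name__ == "__main__":
    lock, susp = detect(LOG)
    for user, ts in lock:
        print(f"lockout    {user} at {ts}")
    for user, ip in susp:
        print(f"suspicious {user} logged in from {ip} after a lockout-level burst")
```

    With the default 5-in-300-seconds rule, jdoe trips the lockout and the success two seconds later is flagged for the incident response program; asmith's one-failure-every-twenty-minutes pattern never trips it. That second pattern is the question an auditor asks next: a single short window is the preventive control, and a longer window (or a per-source count across accounts) is the detective one that catches the slow guess.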

  • 13/23

    Audit-Proof IS Security Controls

    Be prepared to answer questions and provide information regarding how you maintain the Integrity of information.

    Show / discuss the key security control of Change Management for hardware, software, network, and security parameters.
      Discuss approval, implementation, and testing of changes.
      Discuss actual changes to:
        ACLs
        Hardware, application software, and operating systems
        Network hardware and software
        Security settings on HW, SW, and network

  • 14/23

    Audit-Proof IS Security Controls

    Discuss how changes to HW, application SW, operating systems, and network are tested.
      Discuss approved requisitions.
      Discuss approved tests of changes by user, IT personnel, and security personnel.
      Discuss tests of approved updated security configurations.
      Update related documentation:
        List of approved HW, SW, network components
        Network diagram

  • 15/23

    Audit-Proof IS Security Controls

    Detect Violations of Integrity

    Show / discuss how Change Management controls are tested to ensure integrity violations are prevented, detected / notified, and corrected.
      Discuss IP mapping software to detect unauthorized HW.
      Discuss prevention, detection, and removal of non-approved hardware (wired, wireless, PC-based, server-based).
      Discuss virus, malware, and spam prevention, detection, and removal.
      Discuss the maintenance of server, PC, and network configuration documentation.
      Discuss IPS (Intrusion Prevention) and IDS (Intrusion Detection) elements.

  • 16/23

    Audit-Proof IS Security Controls

    Look at the previous security controls as
      Preventive
      Detective
      Corrective

    Use documented baseline inventories of HW, SW, network, and security parameters (SW patches).

    Perform HW, SW, and network scans to determine the actual inventory of HW, SW, network components, and security parameters.

    Compare the documented, approved baseline components against the scanned components.
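    The baseline-versus-scan comparison on this slide is also the test of the change-management control on slides 13 to 15: every difference is either new hardware nobody approved, an asset that has gone missing, a change with an approved ticket (so the documentation on slide 14 needs updating), or a change with no ticket (an integrity exception). The script below is an added example, not code from the original slides; the inventory record layout, the hosts, and the change-ticket identifier format are constructed assumptions.

```python
# Added example (not from the original slides): compare a documented,
# approved baseline inventory with scan results and classify every
# difference against the change-management records. All hosts, fields and
# ticket numbers are constructed for illustration.
import copy

# Constructed baseline: the documented, approved inventory.
BASELINE = {
    "fw-01":  {"ip": "10.0.0.1",   "os": "IOS 12.4",  "patch": "12.4(24)", "services": {22, 443}},
    "web-01": {"ip": "10.0.1.10",  "os": "RHEL 5.5",  "patch": "2010-07",  "services": {80, 443}},
    "db-01":  {"ip": "10.0.2.20",  "os": "W2K8 SP2",  "patch": "2010-07",  "services": {1433}},
    "pc-101": {"ip": "10.0.3.101", "os": "WinXP SP3", "patch": "2010-07",  "services": set()},
}

# Constructed scan: what the HW/SW/network scan actually found.
SCAN = {
    "fw-01":    {"ip": "10.0.0.1",   "os": "IOS 12.4", "patch": "12.4(24)", "services": {22, 443}},
    "web-01":   {"ip": "10.0.1.10",  "os": "RHEL 5.5", "patch": "2010-08",  "services": {80, 443}},
    "db-01":    {"ip": "10.0.2.20",  "os": "W2K8 SP2", "patch": "2010-07",  "services": {1433, 3389}},
    "ap-rogue": {"ip": "10.0.3.250", "os": "unknown",  "patch": "",         "services": {80}},
}

# Constructed change-management records: (host, field) -> approved ticket.
APPROVED_CHANGES = {("web-01", "patch"): "CHG-2010-0812"}

FIELDS = ("ip", "os", "patch", "services")


def compare(baseline, scan, approved):
    """Classify baseline/scan differences.

    unauthorized_hw     - found by the scan, not in the approved baseline
    missing             - in the baseline, not found by the scan
    approved_change     - field differs and a change ticket covers it
    unauthorized_change - field differs and no ticket covers it
    """
    findings = {
        "unauthorized_hw": sorted(set(scan) - set(baseline)),
        "missing": sorted(set(baseline) - set(scan)),
        "approved_change": [],
        "unauthorized_change": [],
    }
    for host in sorted(set(baseline) & set(scan)):
        for field in FIELDS:
            before, after = baseline[host][field], scan[host][field]
            if before == after:
                continue
            ticket = approved.get((host, field))
            if ticket:
                findings["approved_change"].append((host, field, ticket))
            else:
                findings["unauthorized_change"].append((host, field, before, after))
    return findings


def apply_approved(baseline, scan, findings):
    """Corrective step: fold approved changes into the baseline so the
    documentation matches the approved state. Unauthorized differences are
    left alone; they go to the incident response program, not the baseline."""
    updated = copy.deepcopy(baseline)
    for host, field, _ticket in findings["approved_change"]:
        updated[host][field] = scan[host][field]
    return updated


if __name__ == "__main__":
    result = compare(BASELINE, SCAN, APPROVED_CHANGES)
    for kind, items in result.items():
        print(f"{kind:20s} {items or '-'}")
    print("updated web-01 patch:", apply_approved(BASELINE, SCAN, result)["web-01"]["patch"])
```

    On the constructed data the rogue access point shows up as unauthorized hardware, the PC that did not answer the scan as missing, the web server's patch as an approved change that only needs the baseline updated, and the new port 3389 on the database server as an unauthorized change with no ticket. Those last two categories are exactly the preventive (approval) and detective (scan) halves of the change-management control the auditor is testing.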

  • 17/23

    Audit-Proof IS Security Controls

    Review the Incident Response program when integrity violations are discovered.
      Discuss how major violations were detected, or NOT:
        Unauthorized hardware
        Unauthorized software applications / lack of appropriate SW licenses
        Viruses, malware, and spam
        Unauthorized changes to security parameters and hardware configurations
      Discuss how violation notifications were handled, or NOT.

  • 18/23

    Audit-Proof IS Security Controls

    Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence, e.g.
      Computer forensics
      Activate / secure all audit logs
      More frequent scanning to maintain updated, documented baseline inventories of HW, SW, network, and security parameters (SW patches)
      More frequent and aggressive independent patrolling (prevention and detection) of the perimeter (DMZ) and inside networks
      A better-equipped and knowledgeable IS Security Dept.
      Improved security training of institution personnel

  • 19/23

    Audit-Proof IS Security Controls

    How do you provide for the Availability of hardware, application software, system software, and network HW and SW?
      Show / discuss the Business Impact Analysis
      Show / discuss critical IT resources:
        Functions,
        Personnel,
        HW, SW, Network,
        Space,
        Vendors

  • 20/23

    Audit-Proof IS Security Controls

    Security controls to prevent unavailability
      HW
        HW redundancy
        Off-site recovery site with the required, minimal HW
      SW
        Backup of required software and data
      Alternate routes to the outside
        Dual telecom providers for voice and data

  • 21/23

    Audit-Proof IS Security Controls

    The famous Business Continuity Plan (BCP)
      Have it!
      If you don't have one, give me a call!
      Test it! (at least annually)
      Update it! (based on test results)
      It should cover all critical functions of the institution.

  • 22/23

    Summary of Audit-Proof IS Security Controls
      Provide a lot of documentation; the more, the better.
      Fix all previous audit issues.
      Review Confidentiality security controls.
      Review Integrity security controls.
      Review Availability security controls.
      Define CIA security controls as:
        Preventive controls
        Detective controls
        Corrective controls

  • 23/23

    Audit-Proof IS Security Controls

    Thank You!

    John R. Robles
    Email: [email protected]
    Tel: 787-647-3961
    www.johnrrobles.com