8/3/2019 01 Information Security Controls 08-17-10
Audit Proof Information System Security Controls
Wednesday, August 18, 2010
John R. Robles
Email: [email protected]
Tel: 787-647-3961
Puerto Rico Chapter

Audit-Proof IS Security Controls
For those of you who took the CISSP exam, an audit of your institution's IS security controls is a real-life CISSP exam.
If you pass the CISSP exam, you can get certified.
If you pass the audit examination, you get to keep your job.

So how can I pass an IS audit? And keep my job.
1st, Reduce your stress levels.
2nd, Prepare for your audit:
  Have documentation of everything related to IS security controls.
  Be prepared to answer questions and provide information.
3rd, Argue with the auditor only if you know you are right and he/she is wrong. (Both conditions)
  (If you are certified (CISA, CISM, CISSP), and he/she is not, you might argue.)

Reduce your stress levels
Most likely, it's not your first audit experience.
  If you are the CISO, then you have already been through an audit.
  Your audit results should get better with time.
  If there were recommendations on your last audit, make sure you have remedied the exceptions.
  Try to improve your evaluation score.
If it's your 1st audit, and you are CISA, CISM, and/or CISSP, you know the theory. Review that theory, again.
1st timers, get an audit work program (FDIC, etc.).

Review and provide documentation of everything related to IS security controls
  Institution's organization chart
  Security dept. organization chart
  Job descriptions
  Security training schedules
  Security dept. long- and short-range plans
  Policies and procedures
  List of all hardware and location
  List of all software and location

Documentation (Cont.)
  List of vendors (hardware, software, security management services)
  Network diagrams
  List of authorized persons per application and system (Local and Remote)
  Identify root and admin users
  IS Security configurations on PCs, servers, and networks
  Business Continuity Plan

Lack of adequate documentation can impact the evaluation of your audit.
  It could cause auditors to look in more detail at your security controls and find more exceptions.
Audit-proof security controls implies that all security controls are documented.
Audit-proof IS security controls are those that the auditor expects to review, analyze, and report on.

Try to visualize security controls as the auditor would, that is, as
  Preventive Security Controls
  Detective Security Controls
  Corrective Security Controls
Those controls should address the CIA (Confidentiality, Integrity, Availability) of the institution's information.

Be prepared to answer questions and provide information regarding how you maintain the Confidentiality of information.
  Review: what is confidential information?
  Show the categorization of information.
    If you know what is confidential and sensitive information, then you know what is not confidential and sensitive.
  Show Information System Risk Assessment and Risk Management program.

How do you protect the confidentiality?
  Show / discuss policies related to Confidentiality and ACLs
  Show / discuss Access Control Lists (ACLs) by application
  Show / discuss Internet and remote access filtering via routers and firewalls
  Show / discuss procedures to provide, change, and delete from the ACLs

Confidentiality (Cont.)
Show / discuss security controls to detect the violation of confidentiality
  Wrong-password limit and reset
  Password structure and duration
  Discuss logging of all access to all confidential information
  Discuss physical access restrictions and logs
  Discuss your router and firewall configurations
  Discuss the setup of the DMZ
  Discuss the security configuration of servers, PCs, routers, and firewalls

Detect Violation of Confidentiality (Cont.)
Show / discuss how access controls are tested to ensure violations are prevented, detected / notified, and corrected.
Incident Response program: review this key security control when violations are discovered and notified.
  Discuss how major violations were detected, or NOT.
  Discuss how violation notifications were handled, or NOT.
  Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence.

Be prepared to answer questions and provide information regarding how you maintain the Integrity of information.
Show / discuss the key security control of Change Management to hardware, software, network, and security parameters.
  Discuss Approval, Implementation, and Testing of changes.
  Discuss actual changes to:
    ACLs
    Hardware, Application Software, and Operating Systems
    Network hardware and software
    Security settings on HW, SW, and Network

Discuss how Changes to HW, Application SW, Operating Systems, and Network are tested.
  Discuss approved requisitions.
  Discuss Approved Tests of changes by User, IT personnel, and Security personnel.
  Discuss tests of approved updated security configurations.
  Update related documentation:
    List of approved HW, SW, Network components
    Network diagram

Detect Violations of Integrity
Show / discuss how Change Management controls are tested to ensure integrity violations are prevented, detected / notified, and corrected.
  Discuss IP mapping software to detect unauthorized HW.
  Discuss prevention, detection, and removal of non-approved hardware (wired, wireless, PC-based, Server-based).
  Discuss Virus, Malware, and Spam prevention, detection, & removal.
  Discuss the maintenance of Server, PC, and Network configuration documentation.
  Discuss IPS (Intrusion Prevention) and IDS (Intrusion Detection) elements.

Look at previous security controls as
  Preventive
  Detective
  Corrective
Use documented base-line inventories of HW, SW, Network, and Security parameters (SW patches).
Perform HW, SW, Network scans to determine actual inventory of HW, SW, Network components, and security parameters.
Compare documented base-line approved components against scanned components.
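As an added illustration of the base-line comparison on this slide (and of using IP-mapping results to detect unauthorized HW, from the previous one), not code from the presentation: a Python script that diffs a constructed approved inventory against a constructed scan result and reports unauthorized hardware, unauthorized software, approved components the scan did not find, and patch-level drift. The asset fields, addresses and software names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    """One inventory entry. The MAC is the identity, since IP-mapping tools
    discover hardware by MAC; the other fields are security parameters."""
    ip: str
    mac: str
    kind: str                          # server, pc, network, wireless ...
    software: frozenset = frozenset()  # approved (or observed) software
    patch_level: str = ""              # e.g. monthly patch bundle or firmware


# Constructed sample data (not from the slides): the documented, approved
# base-line maintained by the IS Security dept. ...
BASELINE = [
    Asset("10.0.1.10", "00:11:22:33:44:01", "server",
          frozenset({"core-banking", "av-agent"}), "2010-08"),
    Asset("10.0.1.11", "00:11:22:33:44:02", "server",
          frozenset({"mail", "av-agent"}), "2010-08"),
    Asset("10.0.2.50", "00:11:22:33:44:03", "pc",
          frozenset({"office", "av-agent"}), "2010-08"),
    Asset("10.0.0.1", "00:11:22:33:44:04", "network", frozenset(), "fw-4.2"),
]

# ... and what the HW/SW/network scan actually found (also constructed).
SCAN = [
    Asset("10.0.1.10", "00:11:22:33:44:01", "server",
          frozenset({"core-banking", "av-agent"}), "2010-08"),
    Asset("10.0.1.11", "00:11:22:33:44:02", "server",
          frozenset({"mail", "av-agent"}), "2010-06"),               # behind on patches
    Asset("10.0.2.50", "00:11:22:33:44:03", "pc",
          frozenset({"office", "av-agent", "p2p-client"}), "2010-08"),  # extra SW
    Asset("10.0.2.77", "00:11:22:33:44:99", "wireless"),              # unknown device
]


def compare(baseline, scan):
    """Return (category, ip, detail) findings: scanned components not in the
    approved base-line, approved components not found, and parameter drift."""
    approved_by_mac = {a.mac: a for a in baseline}
    seen = set()
    findings = []
    for found in scan:
        seen.add(found.mac)
        approved = approved_by_mac.get(found.mac)
        if approved is None:
            findings.append(("UNAUTHORIZED_HW", found.ip,
                             f"{found.kind} {found.mac} not in approved inventory"))
            continue
        if found.ip != approved.ip:
            findings.append(("IP_CHANGE", found.ip, f"approved {approved.ip}"))
        extra = found.software - approved.software
        if extra:
            findings.append(("UNAUTHORIZED_SW", found.ip, ",".join(sorted(extra))))
        if found.patch_level != approved.patch_level:
            findings.append(("PATCH_DRIFT", found.ip,
                             f"approved {approved.patch_level}, found {found.patch_level}"))
    for mac, approved in approved_by_mac.items():
        if mac not in seen:
            findings.append(("MISSING_HW", approved.ip,
                             f"{approved.kind} {mac} approved but not found by scan"))
    return findings


if __name__ == "__main__":
    for category, ip, detail in compare(BASELINE, SCAN):
        print(f"{category:16} {ip:12} {detail}")
```

Each finding maps onto the slide's own categories: UNAUTHORIZED_HW and UNAUTHORIZED_SW are detective results that feed the Incident Response program, while MISSING_HW and PATCH_DRIFT usually mean the base-line documentation or the change-management record needs a corrective update.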

Review Incident Response program when integrity violations are discovered.
  Discuss how major violations were detected, or NOT:
    Unauthorized hardware
    Unauthorized software applications / lack of appropriate SW licenses
    Unauthorized? Viruses, Malware, and Spam?
    Unauthorized changes to security parameters and hardware configurations
  Discuss how violation notifications were handled, or NOT.

Discuss how violations were analyzed and how changes were implemented to ensure non-recurrence, e.g.
  Computer Forensics
  Activate / secure all audit logs
  More frequent scanning to maintain updated documented base-line inventories of HW, SW, Network, and Security parameters (SW patches)
  More frequent and aggressive independent patrolling (prevention and detection) of the perimeter (DMZ) and inside networks
  A better-equipped and knowledgeable IS Security Dept.
  Improved security training of institution personnel

How do you provide for the Availability of Hardware, Applications Software, System Software, and Network HW and SW?
  Show / discuss Business Impact Analysis
  Show / discuss Critical IT Resources:
    Functions,
    Personnel,
    HW, SW, Network,
    Space,
    Vendors

Security Controls to Prevent the Unavailability
  HW
    HW redundancy
    Off-site recovery site with required and minimal HW
  SW
    Backup of required software and data
  Alternate routes to the outside
    Dual telecom providers for voice and data

The famous Business Continuity Plan (BCP)
  Have it!
    If you don't have one, give me a call!
  Test it! (at least annually)
  Update it! (based on test results)
  It should cover all critical functions of the institution.

Summary of Audit-Proof IS Security Controls
  Provide a lot of documentation; the more, the better.
  Fix all previous audit issues.
  Review Confidentiality security controls.
  Review Integrity security controls.
  Review Availability security controls.
  Define CIA security controls as:
    Preventive controls
    Detective controls
    Corrective controls

Thank You!
John R. Robles
Email: [email protected]
Tel: 787-647-3961
www.johnrrobles.com