Upload File

rothke patchlink

41
Anatomy of an Information Security Audit and How To Pass It Ben Rothke, CISSP CISM Senior Security Consultant INS

Upload: ben-rothke

Post on 22-Jan-2015

546 views

Category:

Technology


1 download

Report

DESCRIPTION

Anatomy of an Information Security Audit and How To Pass It. PAtchlink 360 conference. Ben Rothke

TRANSCRIPT

  • 1. Anatomy of an Information Security Audit and How To Pass It Ben Rothke, CISSP CISM Senior Security Consultant INS

2. About Me

  • Ben Rothke, CISSP CISM
  • Senior Security Consultant INS (Soon to be BT INS)
  • Previously with AXA Equitable, Baltimore Technologies, Ernst & Young, Citibank.
  • Have worked in the information technology sector since 1988 and information security since 1994
  • Frequent writer and speaker
  • Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)

3. Agenda

  • This session is:
  • High level overview of what an audit is
  • What to know to prepare for & pass a information security audit
  • Based on my consulting experience at a large spectrum of Fortune 500 companies
  • This session is not:
  • Detailed walk-through of a information security audit
  • Review or recommendation of audit software tools
  • A monologue
    • Feel free to ask a question, make a comment, etc.

4. Definition - Audit

  • Systematic examination against defined criteria to determine whether activities and related results conform to planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve the companys policy and objectives.
  • Planned, independent and documented assessment to determine whether agreed upon requirements are being met.
  • Professional examination and verification performed by either an independent party or internal audit function of a company's accounting documents and supporting data.
    • Upon completion of the examination, the auditor will render an opinion as to the fairness, consistency, and conformity of the information.

5. Things to think about the audit process

  • Opportunity for an objective, skilled and impartial review of the program operations which can result in significant suggestions for improvement.
  • Bring out the best in the audit team and the security staff.

6. Audit and regulations

  • Information technology and information security - new on the regulatory scene.Other industries - lived and breathed with regulatory body for many years
    • Pharmaceutical FDA
    • Aviation FAA
    • Manufacturing OSHA
    • Securities SEC
  • Todays IT environments are not the IT shops of old
    • In the past, it was about keeping the hackers out
    • Now its about understanding and managingcontrolsto assign accountability and support audits
    • Penalties - fines up to $5 million and 20 years in jail

7. Security and compliance are not rocket science

  • While the mathematics of cryptography is rocket science, most aspects of information security, compliance and audit are not.
  • Computer security is simply attention to detail and good design, combined with good project management.

8. Frameworks

  • Base your security program on a security framework
  • Use 17799, CoBIT, etc. andnoton regulatory mandates
    • Myriad security and privacy regulations have roughly 85% commonality
    • SoX, GLBA, SEC 17-a and all of the countless new regulations are all dealing with fundamental issues of computer security and privacy.
    • Once the framework and associated controls are established, map them to current and future regulations, making adjustments where necessary.
    • If a security program is based on compliance mandates, it will have to be updated with every new regulation
    • Regulation typically addresses one particular type of risk (i.e. protecting personal information, protecting credit card numbers, etc.), but does not address business risk

9. Security vs. compliance

  • Which is better security or compliance?
    • Most effective method in which to deal with regulations is by creating an effective information security foundation and infrastructure.
    • By creating this security foundation, an organization can easily deal with any new regulation that comes into law.
  • Should security dollars be redirected towards compliance?

10. Management

  • Success or audit failure ultimately depends on how committed management is.
    • If management cares, you will pass the audit
    • If management does not care or is clueless, you will fail the audit.

11. Dont lie for management

  • Management has been known to ask an individual to sign-off or attest to an item that is not compliant.
  • You should never lie for management
    • Many audit issues are due to management incompetence and ineptitude, i.e., it istheirfault.
  • If management asks you to lie, or gives hints that your job may be at risk if they fail the audit, immediately seek legal counsel.
  • Decision time:
    • You cant be legally terminated for telling the truth
    • You can be terminated, decertified, fined, and subjected to prosecution and jail time if you lie to the auditors or falsify data.
    • Ask yourself: Is it worth it to lie?

12. Spafs Law

  • Professor Eugene Spafford, Phd, Purdue University
  • If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong.

13. No surprises

  • If you are surprised by the negative audit results, something is likely wrong.
    • Akin to going to the doctor for a physical; you should have a relatively good understanding and know what to expect.

14. One minute pre-audit

  • Do you have a CISO/GISO/BISO in place?
  • Is there a formal business security program in place designed to protect corporate information assets?
  • Have short-term and long-term strategies toward mitigating risks and exposures relative your security program requirements been developed?
  • Do you focus on information security as a process, not a set ofproducts or regulatory items to be checked-off?
  • Have you identified all regulatory requirements you fall under?
    • Answeredyesto 4 or more Dont worry, you should easily pass the audit
    • Answeredyesto 1 or less Your management team is derelict in their duties

15. Getting serious about security

  • Got a 2 or less on the one-minute pre-audit?
    • Management needs to start getting serious about security.
  • Customers and clients expect management to run the business in a way that manages risk.
  • New security and privacy regulation impact all companies
    • Regulators are active globally and asking tougher questions of privacy, security, data management and control environments.
    • Regulators and law authorities have been aggressively inspecting and pursuing ID theft and privacy breaches and lack or failure of safeguards.

16. The Audit 17. Understanding the audit process - preparation

  • Be prepared
    • Preparation is crucial
      • Dont wait until the last minute to get ready for the audit
      • Think like a wedding planner
    • Know the depth of the audit
      • For a small set of systems and a single application; or much larger
      • Physical sites
      • Comprehensive to the entire global organization
    • Ensure appropriate staff members are available
      • And have adequate security levels to assist

18. Understanding the audit process - preparation

  • Rule #1 of compliance management
    • Know and understand the regulation
    • Understand how you are in compliance with each regulatory point
  • Huge mistake - not reading or interpreting the audit regulations.

19. Phases of an audit

  • Most audits contain the following 3 phases:
  • Planning
  • Examination and testing
  • Reporting

20. Know what to expect

  • Working together
    • Know your role in the audit process
    • Know the auditors role in the audit process
      • Auditors are human, they make mistakes
      • Dont be argumentative
      • If they document what you feel are erroneous comments, you will later have the opportunity to comment on the accuracy and relevancy of the finding.
  • Honesty is the best policy
    • Corollary auditors hate when you lie
    • Transparency

21. Communicating with the auditors

  • Respond honestly and in a timely fashion
  • Dont lie
  • Dont guess
  • Always follow through if unsure
  • Communicate openly and directly
  • Admit deficiencies
  • Discuss how to correct findings
  • Dont point the finger at others
  • Dont send auditors on a wild goose chase

22. Communicating with the auditors

  • Your relationship with the auditors should be based on a formal business focus
    • Keep it amicable and cordial
    • Auditors are not your buddies
    • They have friends, just not you.
  • Ok to share a clean joke, or discuss innocuous events
  • Dont try to be friends with the auditor
    • Overall, talk to the auditor as if you are speaking in a deposition
    • Attempting to use friendship, gifts or the like to influence the audit is imprudent at best, illegal at worst.

23. Communicating with the auditors

  • Dont fall into a subordinate relationship with the audit
    • You are assisting them, but you do not work for them
    • Dont depend on them for guidance
    • Dont depend on them for answers to regulatory questions

24. Things that makes auditors nervous

  • Wireless anything
  • Shared IDs
  • Shared passwords
  • Emailing of sensitive information
  • Personal email accounts (Hotmail, Gmail, etc.)
  • Stale policies, risk management plans
  • Passwords on PostIt notes
  • Passwords saved in cleartext on servers
  • Unsecured laptops
  • Files/backup tapes stored in car
    • This is not whatoff-sitemeans

25. Know what to expect - Policies

  • Auditors want to see your set of information system policies
  • Policies are:
    • codification of control objectives
    • define the way companies control their information use and access
    • written document that specifies how an organization will manage, protect, and distribute information.
    • Know which policies exist, what they do and dont cover
      • Have them easily available in both soft and hard copies

26. Know what to expect Controls

  • Controls
    • Processes, effected by an entitys board of directors and management, designed to provide reasonable assurance regarding the achievement of objectives in the following categories
      • Effectiveness and efficiency of operations
      • Reliability of financial reporting
      • Compliance with applicable laws and regulations
    • Must be documented, tested, and demonstrated to be either manually verified (which is acceptable to auditors) or automatically enforced (which auditors prefer)
    • Knowing how an auditor will evaluate controls is important
    • Controls must be applied in a consistent and sustainable manner

27. Control Objective / Practice Lists Control Objective General Control Practice Logical security tools and techniques are implemented, configured, and administered to enable restriction of access to data and programs. Network Firewalls restrict traffic into the internal network from all external sources to application that requirestrong authentication. Control Objective Application Control Practice Logical security tools and techniques are implemented, configured, and administered to enable restriction of access to data and programs.

  • Client/Server
  • FM-SYS
  • QTAR-8

Strong authentication is provided via Single-Sign-On. 28. Control Practice Description 29. Controls testing

  • Once the auditor has gathered the documentation, the testing phase of the audit will commence.
  • Testing goals
    • confirm compliance
    • validate internal documentation
    • verify effective organizational policy.
  • Testing can cover many systems programs (firewalls, IDS, etc.) and manual processes (adding a user, running a back-up)
    • Testing will invariably identify deficiencies or shortcomings

30. Audit defense

  • Defending your position
    • Auditors are human, not infallible: they make mistakes
      • Assumed that the auditor knows the company and its business activities
    • Requires you to be able to defend your position
    • Must understand the requirements of the audit and associated regulations
      • Read the regulations
      • Read the audit requirements
    • Understand your security infrastructure
      • Know who does what and where they execute it
    • In your reply to erroneous audit findings, stick with the facts
      • No name calling, insulting, etc.
      • Stay rational, not emotional

31. Program Management

  • Formal system of risk management
    • Show that the work has been adequately planned and supervised
    • Demonstrate that internal controls have been appropriately studied and evaluated
    • A few IDS sensors rolled-out over the previous weekend does not display that
    • Nor does security hardware and software systems deployed without proper policies, documentation, etc.
  • Cramming for risk compliance
    • Rather than cramming for compliance like a high-school student at finals, which will not satisfy the auditors, admit non-compliance.
    • Spend the time building a program, rather than developing bogus documentation for a set of risk management controls that dont work or exist.

32. Program Management

  • Risk analysis and assessments
    • Best compliance ROI is built on a comprehensive risk analysis
  • Polices and procedures
  • Adequate staff and budget

33. Documentation

  • Documentation - auditors best friend
    • Proof that you have done your due diligence.
    • Auditors use documentation in part to determine if your information security design and controls are adequate.
    • Auditors view documentation as an essential element of audit quality
  • If an auditor asks for additional information, give it to them in a timely manner.
    • Reluctance to share information can give the impression that you have something to hide.

34. Documentation

  • Network diagrams
    • Accurate network map listing all network elements down to the wiring closet level
    • Servers, switches, hubs, firewalls, routers, etc.
    • All connectivity must be known including type, terminating equipment, locations, etc.
    • A good auditor will not simply trust the diagrams to be the absolute truth: they will verify.
  • Policies
  • Procedures
  • Previous audit reports
  • Risk assessments

35. Documentation

  • Documentation should be written in a style a auditor can easily understand
    • Write your documentation like aFor Dummiesbook
    • Avoid technical jargon
    • Use diagrams and illustrations whenever possible
  • Documentation takes a lot of time
    • Plan ahead
    • Auditors can tell when documentation is rushed
  • The skill of an accountant can always be ascertained by an inspection of his working papers.
  • Robert Montgomery, Montgomerys Auditing, 1912

36. Staffing

  • An audit can be lengthy and can place significant stress on your internal resources.
  • You must assign staff to work with the auditors.
    • Dont insult the auditors by assigning a junior or inexperienced person to this task
  • Person must be able to effectively dialogue with the auditors.
    • Know the business
    • Know the organization
    • Know the security foundation and how it is implemented

37. The audit report

  • Often presented in a scorecard approach, which generally contains:
    • description of the audit scope
    • audit objectives
    • audit methodology
    • statement that the audit was conducted in accordance with accepted auditing standards
    • description of the findings
    • recommendations for corrective action
  • Use the report for the next audit
    • The audits will heavily reference it, and so should you

38. The audit report

  • You will generally be given 7-10 days to review a draft of the final report that includes all audit points.
  • If needed, request revisions.
    • If you dont like the wording or tone, ask the auditor to change it.
  • Negotiate agreement with the auditor on
    • Condition factually describes audit evidence and makes no judgments - just the facts
    • Criteria- objective standard as to why the audit point is valid
    • Cause- root cause is identified rather than some proximate cause
    • Effect- risk that the condition present to the business, not only to the computing environment.

39. Project plans for improvements

  • Failure is an option
    • Deficiencies are inevitable
    • There is no such thing as a perfect network.
  • If needed, let the audit process be a learning experience
  • Butyou must show how you will plans for improvement
  • You must commit to act on the findings and recommendations

40. Conclusion

  • An audit is simply a reflection of the entity being audited.
  • The audit process can be
    • A golden opportunity upon which to build an effective information systems security program
    • An excuse for management to deny responsibility by invoking Spafs law and terminating some information security staff
  • At its best, the audit can showcase the operational excellence of the information security staff, and be used as a guide book in which to navigate the dynamic world of risk management and information security.

41.

  • Q & A
  • Contact information
      • Ben Rothke, CISSP CISM
      • Senior Security Consultant
      • BT GS
      • [email_address]

Question and Answers


Rothke Info Security Canada 2007 Final

Ben Rothke RSA PK 2010

Ben Rothke - Effective Data Destruction Practices

Www.lumension.com © Copyright 2008 - Lumension Security Lumension Security PatchLink Enterprise Reporting™ 6.4 Overview and What’s New

Rothke rsa 2012 building a security operations center (soc)

Rothke secure360 building a security operations center (soc)

Rothke stimulating your career as an information security professional

HEAT PatchLink DataCenter for Microsoft System Center ... · PDF fileHEAT PatchLink DataCenter for Microsoft® System Center- 8 -Contacting HEAT Software Arizona 8660 East Hartford

Verderber Rothke What’s New With PCI

The Cloud is in the details webinar - Rothke

NetRunner Vertical Cable Managers4 RU: NM4 Front only 1 RU: NMF1 2 RU: NMF2 3 RU: NMF3 4 RU: NMF4 PatchLink™ Horizontal Cable Managers Front and rear, 2 RU: WMP1E Front and rear,

Rothke effective data destruction practices

Ben Rothke Getting A Handle On Wireless Security For Pci Dss Compliance

PatchLink Update v5.0 Deployment Guide...5.1 Installation on fresh Windows 2003 Server 33 5.2 Migration to Windows 2003 Server 35 . PatchLink Update 5.0 Deployment Guide Page 3 of

1 Privacy on the Internet HP World 2002 – Session 568 Ben Rothke, CISSP Senior Security Architect QinetiQ Trusted Information Management [email protected]

Ben Rothke - NBA for The Security Professional

Interop 2011 las vegas - session se31 - rothke

Powered by PatchLink Update Agent Installation Guide · Patch Management Server Agent Installation Guide. Agent Installation Guide i 02_017N-6.2.2b Novell, Inc. 1800 South Novell

E5 rothke - deployment strategies for effective encryption

Rothke Computer Forensics Show 2010 Deployment Strategies For Effective Encryption

Rothke rsa 2013 - deployment strategies for effective encryption

Rothke - A Pragmatic Approach To Purchasing Information Security Products

Infotec 2010 Ben Rothke - social networks and information security

Rothke rsa 2013 - the five habits of highly secure organizations

Rothke rsa 2012 what happens in vegas goes on youtube using social networks securely

Rothke computer forensics show 2010

Collecting and Sharing Security Metrics – the End of ... · PDF fileBased on actual data on an ongoing basis ... BMC Remedy Patch WSUS SCCM PatchLink ... common operational area