vpn security audit assurance program icq eng 1012
TRANSCRIPT
-
8/16/2019 VPN Security Audit Assurance Program Icq Eng 1012
1/34
VPN Security Audit/Assurance Program
About ISACA
With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates and expands the practical guidance and product family based on the COBIT® framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created VPN Security Audit/Assurance Program (the "Work") primarily as an educational resource for governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, governance and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.
Reservation of Rights
© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.
ISACA wishes to recognize:
Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive, Inc., USA
Expert Reviewers
Michael Castro, CISA, ResMor Trust Co, Canada
Joanne De Vito De Palma, CMM, The Ardent Group LLC, USA
Russell K. Fairchild, CISA, CRISC, CISSP, PMP, SecureIsle, USA
Alek Geldenberg, CISA, CRISC, CISSP, MSMM, USA
Francis Kaitano, CISA, CISM, CISSP, ITIL, MCAD.Net, MCSD, Contact Energy, New Zealand
Kamal Khan, CISA, CISSP, CITP, Saudi Aramco, Saudi Arabia
Lily M. Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
Babu Srinivas, CISA, CISM, SP AusNet, Australia
David A. Williams, CRISC, PMP, OceanFirst Bank, USA
ISACA Board of Directors
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, 6 Sigma, Quest Software, Spain, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International President
John Ho Chi, CISA, CISM, CRISC, CCP, CFE, Ernst & Young LLP, Singapore, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director
K l d B d
Institute of Management Accountants Inc.
ISACA chapters
ITGI France
ITGI Japan
Norwich University
Socitum Performance Management Group
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASIS International
Hewlett-Packard
IBM
Symantec Corp.
Table of Contents
I. Introduction
II. Using This Document
III. Controls Maturity Analysis
IV. Assurance and Control Framework
V. Executive Summary of Audit/Assurance Focus
VI. Audit/Assurance Program
1. Planning and Scoping the Audit
2. Preparatory Steps
3. Governance
4. Policy
5. Configuration
6. Maintenance and Monitoring
VII. Maturity Assessment
VIII. Maturity Assessment vs. Target Assessment
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise's control framework.
Governance, Risk and Control of IT
Governance, risk and control of IT are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.
Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performed.
II. Using This Document
This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.
Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. The physical
document because it is standard for the audit/assurance function and should be identified elsewhere in the enterprise's standards.
COBIT 4.1 Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT 4.1 control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Subprocesses in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance enterprises include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO issued the Enterprise Risk Management (ERM) Integrated Framework, which includes eight components. The ERM framework has a business decision focus when compared to the 1992 Internal Control—Integrated Framework. Large enterprises are in the process of adopting ERM. The two frameworks are compared in figure 1.
Figure 1: Comparison of COSO Internal Control and ERM Integrated Frameworks
Columns: Internal Control—Integrated Framework | ERM Integrated Framework
Risk Response (ERM Integrated Framework): Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Control Activities (Internal Control—Integrated Framework): Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
Control Activities (ERM Integrated Framework): Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication (Internal Control—Integrated Framework): Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
Information and Communication (ERM Integrated Framework): Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
Monitoring (Internal Control—Integrated Framework): Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
Monitoring (ERM Integrated Framework): The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Information for figure 1 was obtained from the COSO web site www.coso.org/aboutus.htm.
The 1992 Internal Control—Integrated Framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to include them as a reference in this document. When completing the COSO component columns, consider the definitions of the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work performed, issues identified, and conclusions for each line item. The reference/hyperlink is to be used to cross-
th dit9 t t th ! th t t it $h b i t thi d t
is based on a method of evaluating the organization, so it can be rated from a maturity level of non-existent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.
The IT Assurance Guide: Using COBIT, Appendix VII, Maturity Model for Internal Control (figure 2) provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure 2: Maturity Model for Internal Control
Columns: Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls
0 Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organisation's culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.
1 Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganised, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.
2 Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritised or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.
3 Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.
4 Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues,
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough
auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to the management.
At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.
• DS5.
Business Impact and Risk
The impact on the business of transmitting data through public networks and the accompanying risk are significant. Depending on the industry, enterprises may experience outages and intrusion attempts for financial gain, to obtain intellectual property, to create business disruption, to obtain sensitive private information, or to compromise national security. The perpetrators of an intrusion can be external or internal, private or government sponsored. This activity may increase the enterprise's risk of:
• Public relations issues with the customers or the public (reputational risk)
• Inability to comply with regulatory processing requirements (regulatory and financial risk)
• Inability to perform critical business functions (operational and financial risk)
• Inability to maintain payroll and employee privacy (regulatory and reputational risk)
• Loss of physical or informational assets (reputational and financial risk)
• Inability to meet contractual service level agreements (SLAs) with third parties or customers (contractual risk)
VPN technology, if properly configured, will reduce the risk associated with privileged data traversing a public network.
Objective and Scope
Objective: The objective of the audit/assurance review is to provide management with an independent assessment of the VPN implementation and ongoing monitoring/maintenance of the effectiveness of the supporting technology.
Scope: The audit/assurance review will focus on VPN standards, guidelines and procedures as well as the implementation and governance of these activities. The review will rely upon other operational audits of the incident management process, configuration management and security of networks and servers, security management and awareness, business continuity management, information security management, governance and management practices of IT and business units, and relationships with third parties.
VI. Audit/Assurance Program
Columns: Audit/Assurance Program Step; COBIT Cross-reference; COSO (Control Environment, Risk Assessment, Control Activities, Monitoring); Reference Hyper-link; Issue Cross-reference; Comments
1. Planning and Scoping the Audit
1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Perform a high-level walk-through of the network architecture using VPN technology.
1.2.2 Establish initial boundaries of the audit/assurance review.
1.2.2.1 Identify limitations and/or constraints affecting the audit.
1.3 Define assurance.
The review requires two sources of standards. The corporate standards defined in the policy and procedure documentation establish the corporate expectations. At minimum, corporate standards should be implemented. The second source, a good-practice reference, establishes industry standards. Enhancements should be proposed to address gaps between the two.
1.3.1 Determine if COBIT and the appropriate security incident management framework will be used as a good-practice reference.
1.4 Identify and document risk.
The risk assessment is necessary to evaluate where audit resources should be focused. The risk-based approach assures utilization of audit resources in the most effective manner.
1.4.1 Identify the business risk associated with the failure to implement VPN technologies and the failure to implement VPN technologies securely.
1.4.2 Identify the technology risk associated with the failure to implement VPN technologies and the failure to implement VPN technologies securely.
1.4.3 Determine if a VPN architecture threat assessment and modeling process has been established and implemented.
1.4.4 Based on risk assessment, identify changes to the scope.
1.4.5 Discuss the risk with IT, business and operational audit management, and adjust the risk assessment.
1.5 Define the change process.
The initial audit approach is based on the reviewer's understanding of the operating environment and associated risk. As further research and analysis are performed, changes to the scope and approach will result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program, and the authorizations required.
1.6 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.6.1 Identify the drivers for a successful review (this should exist in the audit/assurance function's standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.
1.7 Define audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.
• Network architecture documentation
• Network inventory or schematic of physical network components
• Network problem tracking, resolution and escalation procedures
• VPN-related documentation and vendor contracts
• Copies of signed user security and awareness documents
• New employee training materials relating to security
• Relevant legal and regulatory information related to security and information access
• VPN supplier contracts, SLAs
• Supplier due diligence selection criteria, process
• Business impact analysis (BIA), business continuity plans (BCPs), disaster recovery plans (DRPs) and all continuity of operations plans
• Human resources (HR) onboarding/offboarding procedures and standards
• Information security remote access policies, procedures and standards
• Information security mobile computing policies, procedures and standards
• Information security wireless networking standards
• Information security acceptable use policies, procedures and standards
• Encryption policies, procedures and standards
• Incident response policies, procedures, standards
• Monitoring and audit policies, procedures, standards
4. Interview the senior security officer and the IT security administrator regarding VPN implementation.
5. Interview the technical support team leader or equivalent responsible for VPN architecture, design, implementation, and maintenance processes and procedures.
3. Governance
3.1 Executive Sponsor
Audit/Assurance Objective: The VPN implementation and maintenance is assigned to an executive sponsor, who is responsible for its effective implementation and operations.
6. Executive Responsibility and Accountability of VPN-related Processes
Control: A senior executive within the IT organization is responsible for the VPN implementation, maintenance and oversight.
COBIT cross-reference: PO[illegible], ME1.5, ME2.5, ME4.1
= = = =
3.1.1.1 Identify the senior executive responsible for the VPN program.
3.1.1.2 Obtain the position description of the executive responsible for the VPN program.
3.1.1.3 Determine if the position has cross-reporting to the business units and IT management (security, administration, etc.)
3.1.1.4 Obtain meeting minutes and other documentation to support the responsibilities and accountability of the executive sponsor.
3.2 Senior Management Involvement in VPN Programs
Audit/Assurance Objective: Senior management participates in key decisions related to VPN programs.
4. Policy
4.1 HR Policies Aligned With and Support VPN Policies
Audit/Assurance Objective: VPN policies align with and are integrated into HR policies.
8. HR Policies Include Related VPN Policies
Control: HR policies include VPN disclosures, usage requirements as part of initial "onboarding" process and the annual employee acknowledgement of use policies.
COBIT cross-reference: PO[illegible].3, PO[illegible]
=
4.1.1.1 Obtain a selection of HR policies relating to VPN usage.
4.1.1.2 Determine if VPN usage policies are incorporated in the HR policies.
4.2 VPN Policies in Compliance With Corporate Policies
Audit/Assurance Objective: VPN policies align with corporate compliance policies.
9. VPN Policies Are in Compliance With Corporate Compliance and Related Policies
Control: Corporate compliance (financial reporting, regulatory and statutory) functions review VPN policies prior to implementation to assure adherence to appropriate requirements.
COBIT cross-reference: PO[illegible].8, ME3.1, ME3.3
= = =
4.2.1.1 Obtain the corporate compliance policies relating to data security and privacy.
4.2.1.2 Determine if VPN requirements are a component of the policies.
4.2.1.3 Obtain a selection of VPN policy proposals or modifications.
4.2.1.4 Determine if corporate compliance representatives have reviewed and provided documented approval of VPN policies.
4.3 VPN Policies in Compliance With Legal and Regulatory Policies and Requirements
Audit/Assurance Objective: VPN policies align with legal and regulatory policies and requirements.
10. VPN Policies Are in Compliance With Legal Regulatory Requirements
Control: VPN technologies are defined to satisfy legal and regulatory requirements within the enterprise's industry.
COBIT cross-reference: PO[illegible].8, ME3.1, ME3.2
= = =
4.3.1.1 Obtain a selection of VPN policy proposals or modifications.
4.3.1.2 Determine if the enterprise's legal representatives have reviewed and provided documented approval of VPN policies.
4.4 VPN Policies Align With Information Security
Audit/Assurance Objective: VPN policies are in compliance with information security policies.
11. VPN Policies Are Approved by the Information Security Function
Control: The information security function assures compliance with information security policy by reviewing information security-related VPN policies prior to their adoption and implementation.
COBIT cross-reference: PO[illegible].3, PO[illegible], DS5.1, ME2.5, ME3.4
= =
4.4.1.1 Obtain a selection of VPN policy proposals or modifications.
4.4.1.2 Determine if information security representatives have reviewed and provided documented approval of VPN policies.
4.5 VPN Policy Integrated With Enterprise's Data Classification Policy
Audit/Assurance Objective: Data Classification Policy includes VPN usage and configuration requirements.
12. Data Classification Policy VPN Requirements
Control: The data classification policy identifies VPN requirements and configuration for each data classification.
COBIT cross-reference: PO2.3
=
4.5.1.1 Obtain the data classification policy.
4.5.1.2 Determine if the data classification policy includes VPN configuration and usage requirements.
4.5.1.3 Determine if the VPN configuration and usage policy includes specific applications or data elements requiring VPN usage.
4.5.1.4 Determine if VPN configuration and usage policy identifies functions that must be executed using a VPN, and functions that must be excluded from execution, with or without a VPN.
5. Configuration
5.1 VPN Architecture
Audit/Assurance Objective: Best security practices are implemented for the various VPN architectures.
13. Edge Routers¹
PO2.1
GSD&
DS5.10
=
14. Edge Router Termination
Control: Edge routers terminate at the network firewall and an effective firewall configuration applies appropriate filtering.
5.1.1.1.1 Identify edge routers within the network architecture.
5.1.1.1.2 Determine that the edge router terminates (a) at or in front of the DMZ or (b) at an inline Intrusion Prevention System (IPS) deployed between the edge router and the firewall.
5.1.1.1.3 Select a sample of edge routers.
5.1.1.1.4 Determine if the edge routers selected terminate at the firewall or in the DMZ.
15. Edge Router Encryption
Control: Edge routers use asymmetric keys supported by a Public Key Infrastructure or alternatively, one of the two standard symmetric key technologies, 3DES or AES.²
DS5.8
GSD&
=
5.1.1.1.5 Select a sample of edge routers.
5.1.1.1.6 Identify the encryption configuration in use to protect the data.
5.1.1.1.7 Determine the effectiveness of the control of keys and digital certificates.
¹ These are defined as untrusted site-to-site connected networks.
² Consider performing an audit of the PKI implementation using the ISACA E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Program. Encryption controls, including key storage, key maintenance, security, etc., should be reviewed.
5.1.1.1.8 Determine if an untrusted partner would have the ability to compromise the private key structure.
16. Trusted Routers³
1
GSD&
DS5.10
5.1.1.1.17 Obtain the SSL VPN Configuration Policy.
5.1.1.1.18 Determine if strong user authentication has been implemented. Consider:
• Two-factor authentication
• Password AND hardware tokens
• Digital certificates
• Smart cards
5.1.1.1.19 Determine if user computer identity verification has been implemented:
• User computer validated to be in compliance with enterprise security requirements and policies prior to connection.
• Validation of user computer identity and configuration includes:
  - Personal firewall configuration
  - Antivirus/malware configuration and currency of pattern files
  - Required security patches
  - Limitation of split tunneling⁵
  - Evaluation of registry entries
5.1.1.1.20 Determine if a secure desktop solution or "sandboxing" has been implemented for connections not satisfying or unable to validate computer identity verification.
5.1.1.1.21 Determine if the SSL VPN provides for deletion of all session data from the client's cache, including:
• Browser history
• Internet temporary files
• Cookies
• Documents
• Passwords
⁵ This enables network traffic to traverse separate networks via the same network connection.
5.1.1.1.22 Determine if the SSL VPN provides a keystroke logger detection sweep prior to completing a connection.
5.1.1.1.23 Determine if session time-outs are implemented and what the time-out period is and determine if it complies with security policies, standards and procedures.
5.1.1.1.24 Determine if SSL verification is required prior to connection and denied if the SSL version level is at a lower level than security policy dictates.
5.1.1.1.25 Determine if server certificate support has been implemented and will only permit connection with a valid, authenticated certificate.
5.1.1.1.26 Determine if resource availability, system functionality, and application access are limited based on satisfying the configuration parameters considered above.
5.1.1.1.27 Determine if public computers (e.g., Internet cafés, kiosks, etc.) are permitted to connect to the SSL VPN.
5.1.1.1.28 Determine if client-side certificates are required, and if so, connection is contingent upon client-side certificate verification and authentication.
21. SSL VPN Awareness Program
Control: User education and security awareness is provided on a regular basis and participation by all users of the enterprise's VPN facilities is required.
GS1&GS<
= = =
5.1.1.2 Determine that VPN awareness and security programs are routinely and regularly offered.
5.1.1.3 Determine if the security awareness program addresses VPN use policy.
5.1.1.4 Evaluate how the follow-up process is maintained to assure user participation.
5.1.1.5 Determine if participation is documented in logs or sign-in sheets.
22. VPN Appliances
23. VPN Appliance Configuration and Vendor Support
Control: VPN appliances are maintained with the most current configuration, and support is readily available from the vendor.
GS&6
=
5.1.1.5.1 Verify that the most current configuration of the VPN appliance has been applied.
5.1.1.5.2 Determine that a vendor support contract or vendor support option is available.
24. VPN Appliance Configuration Best Practices
Control: Vendor-suggested and other best practices are applied to VPN appliance configuration.
DS5.7
GSD&
DS5.10
GS&6
=
5.1.1.5.3 Determine if the VPN appliance vendor offers best practice guidance.
5.1.1.5.4 Determine if the VPN appliance configuration is in compliance with vendor guidance.
25. VPN Clients Installed on Specific Computers
26. VPN Clients Are Securely Configured
Control: VPN clients are configured using vendor-suggested and other best practices in compliance with organization security policies.
GSD&
DS5.5
GS&6
DS10
=
5.1.1.5.5 Determine if strong user authentication has been implemented:
• Two-factor authentication
• Password AND hardware tokens, digital certificates or smart cards
5.1.1.5.6 Determine if user computer identity verification has been implemented:
• User computer is in compliance with organization security requirements and policies
• Validation of user computer identity and configuration:
  - Personal firewall configuration
  - Antivirus/malware configuration and currency of pattern files
  - Required security patches
  - Limitation of split tunneling⁵
  - Evaluation of registry entries
5.1.1.5.7 Determine if resource availability, system functionality and application access are limited to authorized individuals, based on satisfying the configuration parameters considered above.
6
5.1.1.5.12 Determine that the VPN deactivation is part of the deprovisioning process.
5.1.1.5.13 Obtain a sample of recent user terminations and determine that the VPN privileges for the terminated users have been deactivated.
30. VPN Installation List Review
Control: The list of installed VPNs is reviewed at least annually.
31. Determine if a list of computers or users with VPNs installed exists.
32. If the list exists, determine if the list is reviewed at least annually to ensure that only authorized users have access to and have an installed VPN.
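The test of terminated users against VPN privileges described above can be run as a reconciliation of two extracts. The following Python is an added example, not part of the ISACA program: the CSV column names, the sample rows (constructed) and the one-day deactivation tolerance `max_lag_days` are assumptions to be replaced with the enterprise's own exports and policy.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample extracts (not real data): HR terminations and a VPN account export.
HR_TERMINATIONS = """username,termination_date
jdoe,2012-03-02
asmith,2012-04-13
bwong,2012-05-11
cnguyen,2012-06-01
"""
VPN_ACCOUNTS = """username,status,disabled_on,last_login
JDOE,disabled,2012-03-02,2012-03-01
asmith,enabled,,2012-04-20
BWong,disabled,2012-05-20,2012-05-10
mlee,enabled,,2012-06-15
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text.strip())))


def _day(value):
    return date.fromisoformat(value) if value else None


def reconcile_terminations(hr_csv, vpn_csv, max_lag_days=1):
    """Return sorted (username, finding) pairs for terminated users' VPN accounts."""
    # Usernames are compared case-insensitively; the two exports may differ in case.
    vpn = {r["username"].lower(): r for r in _rows(vpn_csv)}
    findings = []
    for term in _rows(hr_csv):
        user = term["username"].lower()
        left = _day(term["termination_date"])
        acct = vpn.get(user)
        if acct is None:
            continue  # no VPN account was provisioned: nothing to deactivate
        disabled_on = _day(acct["disabled_on"])
        last_login = _day(acct["last_login"])
        if acct["status"].lower() != "disabled":
            findings.append((user, "STILL_ENABLED"))
        elif disabled_on is None or disabled_on > left + timedelta(days=max_lag_days):
            findings.append((user, "LATE_DEACTIVATION"))  # assumed policy tolerance
        if last_login and last_login > left:
            findings.append((user, "LOGIN_AFTER_TERMINATION"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in reconcile_terminations(HR_TERMINATIONS, VPN_ACCOUNTS):
        print(f"{user}: {finding}")
```

Each finding is an exception to carry into the work papers; a login dated after termination warrants follow-up beyond the deprovisioning control itself.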
5.2 VPN Architecture
Audit/Assurance Objective: The VPN architecture is reviewed on a regular basis to ensure the solution is current and addresses the risk and vulnerability issues identified in risk assessments.
33. VPN Architecture Review
Control: VPN architecture review is conducted on a regular basis.
PO2.1
PO3
5.2.1.1 Determine if the VPN architecture review process is documented.
5.2.1.2 Determine the date of the most recent VPN architecture review.
5.2.1.3 Evaluate the effectiveness of the most recent review.
5.2.1.4 Determine if a vulnerability exists due to out-of-date technology.
6. Maintenance and Monitoring
6.1 Patch Management
Audit/Assurance Objective: VPN technology is included in the routine patch management process.
34. Patch Management Administration
Control: Patch management of VPN technology is included in the configuration change management processes.
AI
AI7
GS&6
6.1.1.1 Scan the change management system for configuration changes affecting the VPN technologies.
6.1.1.2 Determine if the change management process implemented for VPN maintenance is in compliance with the installation change management procedure.
6.2 Integration of VPN Technologies With the Help Desk
Audit/Assurance Objective: VPN support requests are processed routinely through the help desk.
35. VPN Support Is Provided by the Help Desk
Control: VPN support is a help desk task with appropriate controls and procedures.
DS8
DS10
6.2.1.1 Obtain the help desk procedures.
6.2.1.2 Determine if VPN support tasks are included in the help desk procedures.
6.2.1.3 Determine if VPN issues are reported in the incident reporting/issue monitoring system.
6.2.1.4 Select VPN related incidents in the help desk, Incident Reporting, and/or Issue Monitoring System.
6.2.1.5 Determine that the issues were closed on a timely basis in an effective manner.
6.3 VPN Capacity Planning
Audit/Assurance Objective: VPN utilization and resources requirements are integrated into the installation capacity plan.
36. VPN Capacity Planning
Control: The capacity plan incorporated VPN required resources and such resources are actively monitored.
DS3
6.3.1.1 Obtain the installation capacity plan.
6.3.1.2 Determine that VPN technologies are included in the plan.
6.3.1.3 Evaluate capacity reports to determine that VPN resource utilization is monitored and the necessary adjustments are implemented in a timely manner.
6.4 VPN Monitoring
Audit/Assurance Objective: Processes exist to monitor VPN usage and identify unauthorized activities and VPN usage.
;
VII. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance reviews, and the reviewer's observations, assign a maturity level to each of the following COBIT 4.1 control practices. When completing this assessment, focus the evaluation on how the VPN implementation relates to each of the issues identified in the following table.
COBIT
DS5.3 Identity Management
DS5.4 User Account Management
DS5.5 Security Testing, Surveillance and Monitoring
DS5.7 Protection of Security Technology
DS5.8 Cryptographic