Surviving an IT Security Audit from a CISO Standpoint
September 9, 2009
A Presentation by: John R. Robles
www.johnrrobles.com
Puerto Rico Chapter
Agenda
Who and What Will be Audited
The Information Security Process
IS Security Controls Implementation
IT Auditor Responsibilities
CISO/ISO Responsibilities
Joint Responsibilities
Who and What Will Be Audited
The CISO/ISO will be audited to ensure that his/her department maintains the Information System characteristics (the CIA):
• Confidentiality of information: protection of the information from unauthorized access
• Integrity of information: protection from unauthorized changes
• Availability of the information: protection against intentional or accidental attempts to deny legitimate users access to systems and data
• Accountability: trace actions to their source (non-repudiation, intrusion prevention, security monitoring, recovery, legal aspects)
Information Security (IS) Processes
The CISO/ISO ensures CIA via the IS Processes, which consist of the following and which will be audited to ensure effectiveness and efficiency:
• IS Risk Assessment
• IS Strategy
• Security Controls Implementation
• Security Monitoring (Controls Monitoring)
• Security Process Monitoring and Updating (Procedures)
IS Security Controls Implementation
FFIEC (Financial Institutions) IS Security Controls Standards:
• Access Control
• Physical and Environmental Protection
• Encryption
• Malicious Code Prevention
• Systems Development, Acquisition, and Maintenance
• Personnel Security
• Data Security
• Service Provider Oversight
• Business Continuity Considerations
• Insurance
IS Security Controls Implementation
FFIEC (Financial Institutions) IS Security Controls Standards (Cont.):
• Activity Monitoring
• Network Intrusion Detection Systems
• Host Intrusion Detection Systems
• Security Incidents
• Intrusion Response
• Outsourced Systems
IS Security Controls Implementation
ISO/IEC 27002 IS Standards (Best Practices):
• Risk Assessment
• Security Policy
• Organization of IS
• Asset Management
• Human Resources Security
• Physical and Environmental Security
• Communications and Operations Management
• Access Control
• Information Systems Acquisition & Maintenance
• Information Security Incident Management
• Business Continuity
• Compliance
Let’s Start the IS Security Audit!
Review responsibilities:
• Ensure Information Security is functioning effectively and efficiently
• Add value of the IS department, policies, and procedures to the company/agency
• Improve IS processes
• Make information more secure and reliable
The IS Audit Process
The IS Audit Phases are as follows:
• Plan the audit
• Gather data
• Analyze data and test controls
• Conclude
• Prepare and present an audit report
IT Auditor Responsibilities - Planning
During the planning phase, the IT Auditor should obtain audit instructions and meet with the CISO or ISO to discuss the upcoming audit.
Discuss the reasons for the audit. It could be:
Part of the Internal Audit process:
• Instructions from the General Auditor for an Internal Audit
• Instructions from the Audit Committee based on some security concern(s)
Preparation for an external audit:
• Federal (FFIEC, CMS, etc.)
• Oficina del Contralor
• Oficina del Comisionado de Instituciones Financieras
• Oficina del Comisionado de Seguros (possibly Rule 76 audit)
IT Auditor Responsibilities - Planning
The IT Auditor should request from the CISO/ISO the following documentation:
• Organization chart of the organization or agency
• Organization chart of the Information Security (IS) function
• List of applications by user area
• List of servers and security appliances, and the corporate network diagram
• Determination of which, if any, IS areas are outsourced; if outsourcing is used, management and operational contact information at the outsourcing companies
• Previous audit reports: internal, external, government
• IS Committee (or other governance committee) meeting minutes
• Policy Manuals and Operational Procedures Manuals
• Business Continuity Plan
IT Auditor Responsibilities - Planning
The IT auditor should discuss with the CISO/ISO what IS framework, standard, or implementation methodology is used:
• Industry specific – FFIEC Standard
• Industry specific – HIPAA Security Standards
• ISO/IEC 27000 Series (previously ISO 17799)
• NIST SP 800 Series
• Information Security Standards – ISF Standard of Good Practice for Information Security
• COBIT – high-level standard
IT Auditor Responsibilities - Planning
The IT auditor should then proceed to:
• Perform a mini risk analysis of the IS function to determine high-risk areas
• Based on the mini risk analysis, determine the audit scope or areas to address in the audit
• Determine personnel to interview
• Finalize the understanding of the security environment
• Estimate time to audit
• Prepare the Audit Work Program
• Prepare the Audit Questionnaire
• Obtain approval of the audit scope and time to audit from the requestor
• Start the Data Gathering phase
CISO Responsibilities – Planning
During the audit planning period, the CISO should:
• Ensure that he/she has been formally notified in writing by his/her superior that an IS audit will be performed
• Obtain name(s) of IT audit personnel
• Obtain dates of the audit
• Obtain scope of the audit
• Ensure that all IS Policy and Procedures Manuals are available and up-to-date
• Be available for interviews with the IT auditor in a timely manner
• Be prepared to coordinate interviews of the IT auditor with personnel in the IS department
• Ensure that the audit period does not coincide with the vacation periods of key personnel
CISO Responsibilities – Planning
During the audit planning period, the CISO should:
• Be prepared to coordinate meetings of the IT Auditor with outsourcing management; outsourcing management will coordinate interviews with outsourcing operational personnel
• Be prepared to discuss the IS Framework/Standards or Industry Best Practices with the IT Auditor
• Provide desk space for the IT Auditor
• Inform IS department personnel, via an internal memo, that an IT Security Audit will commence shortly and that full cooperation should be given to the auditors
• Ensure that the IT auditor fully understands the security environment and security practices; an IT auditor with insufficient or wrong information could perform an unsatisfactory, incomplete, or erroneous audit
IT Auditor Responsibilities – Gather Data
Data gathering consists of:
Requesting, obtaining, and reading IS department documentation, and
Interviewing: IS management and operational personnel, Governance committee members, and outsourcing management and operational personnel.
IT Auditor Responsibilities – Gather Data
The IT auditor should request, obtain, and read the following material:
• Organization charts
• Job Descriptions
• Policy Manuals
• Operational Procedure Manuals
• List of servers, security appliances, and network diagram
• Management and operational reports
• Outsourcing contracts and Service Level Agreements (SLAs)
• IS Committee or other governance committee minutes
• Business Continuity Plan
The IT auditor should also review the IS Framework, Standard, or Methodology in use by the CISO/ISO.
IT Auditor Responsibilities – Gather Data
The IT auditor should interview the following personnel:
IS management and operational personnel to discuss:
• What IS functions are performed
• Who performs those functions
• When those functions are performed
• How those functions are performed
Outsourcing management and operational personnel to discuss:
• What IS functions are outsourced
• Who performs those functions at the outsourcer
• When those outsourced functions are performed
• How the outsourcer performs those functions
IT Auditor Responsibilities – Gather Data
Governance Committee members to discuss how the Governance Committee performs oversight of the IS function:
• Do they review the Risk Analysis and Risk Management documents?
• Do they approve and review IS project implementations?
• Do they review security incidents?
• Do they review responses to security incidents?
• Do they review and approve IS policies and procedures?
• Do they review IS management and operational reports?
• Do they review outsourcing Service Level Agreements (SLAs)?
User management and operational personnel to discuss:
• Status of IS user controls
• Security training of personnel
CISO Responsibilities – Gather Data
• Meet with the IT auditor and obtain his/her list of documentation and manuals necessary for the audit
• Make all requested manuals and documentation available to the auditor
• Ensure that sensitive information is not provided to auditors unless approved by higher management. For example:
  • Do not provide a list of network IP addresses
  • Restrict access to passwords or security tokens
  • Restrict access to computer equipment, PCs, or security appliances unless approved by higher management
  • Restrict access to applications unless accompanied by user or security personnel
  • Restrict access to restricted areas unless accompanied by user or security personnel
CISO Responsibilities – Gather Data
(Cont.)
• Restrict access to confidential information unless approved by higher management
• If the IT Auditor is external, ensure that the person signs a Confidentiality Agreement/Non-Disclosure Document
• If requested by the IT auditor, discuss the IS Framework/Standards or Industry Specific Best Practices in use
• Ensure that IS management and operational personnel are able to assist the IT auditor in fully understanding the security environment as well as the security practices used. It should be assumed by all parties, however, that the IS department will not teach the IT auditor concepts, theory, or implementation practices of Information Security
• It would help if the IT auditor is certified (CISA, CISM, CISSP, or other valid certification)
IT Auditor Responsibilities – Data Analysis
The specifics of what to analyze will depend on the audit program and the audit questionnaire. Normally, a negative answer on the questionnaire will result in an audit recommendation.
The IT auditor will analyze, based on the documentation received and interview notes, how effective the following are:
• What IS functions are performed or not performed
• Who performs the functions and the controls surrounding the activities
• When the functions are performed or not performed
• How the functions are performed and the controls surrounding the activities
IT Auditor Responsibilities – Data Analysis
The analysis should include the following comparisons:
• A comparison between how IS functions are performed and how the procedures manuals say they should be performed
• A comparison between what IS functions are performed and what should be performed (according to the Procedures Manuals, the IS Framework/Standards or Best Practices, or the opinion of the auditor based on his/her experience)
• A comparison between each policy statement and its implementation description in the procedures manual; each policy statement should be referenced in the procedures manual
• A comparison between the policy manual and the IS Framework/Standards or Industry Best Practices
IT Auditor Responsibilities – Data Analysis
The analysis should address the following:
• Determine how risk areas are determined and how risk management is performed
• Determine how security perimeters or barriers are established
• Access controls:
  • Application
  • OS (Servers, PCs, Appliances)
  • Network
• Determine what internal controls and security features are in place
• Determine what internal controls and security features should be established
IT Auditor Responsibilities – Test Controls
During the controls or functions testing phase, the IT Auditor could perform compliance testing or substantive testing:
• During compliance testing, the IT auditor will ensure that functions are performed but will not necessarily test how effectively or efficiently the functions are performed
• During substantive testing, the IT auditor will determine if the IS functions are performed adequately, effectively, and efficiently
The IT auditor will determine and document in the working papers whether to perform compliance or substantive testing and how extensive those tests will be.
CISO Responsibilities – Test Controls
Assist the IT Auditor in performing his/her tests of controls.
Compliance Testing
• Ensure that the IT auditor can verify, through observation of procedures, that documented controls are in place
Substantive Testing
• Ensure that the IT auditor can test, through selective testing of a universe of elements or parameters, that security features are in place and that they are:
  • Adequate
  • Effective
  • Efficient
• Penetration Testing would fall in this category
IT Auditor Responsibilities – Conclude
During the Conclude phase the IT auditor will determine the adequacy of the following:
• The staffing of the IS Department
• The job descriptions
• The Employee Security Training Program
• The Policy Manuals
• The Operational Procedures Manuals
• The outsourcing contracts and Service Level Agreements
• The IS or other governance committee meetings and its oversight of the IS department
• The implementation of the IS Framework or Standards (controls); this section is the most demanding, technically
• The IS management and operational reports
IT Auditor Responsibilities – Conclude
The IT auditor will also document exceptions found during the testing phase. These exceptions could indicate the following:
• Implemented controls are:
  • Inadequate
  • Ineffective
  • Inefficient
• Controls (or the lack of controls) do not agree with:
  • Procedures
  • Policies
  • IS Framework/Standards or Industry Best Practices
CISO Responsibilities – Conclude
During the Conclude phase, the CISO/ISO should be prepared to:
• Explain or discuss any inconsistencies observed by the IT auditor between operations and the operational procedures manuals
• Explain or discuss any inconsistencies observed by the IT auditor between Procedures Manuals and Policy Manuals
• Explain or discuss any inconsistencies observed by the IT auditor between observed security controls and features and the Security Framework/Standards or Industry Best Practices
• Explain or discuss any inconsistencies observed by the IT auditor that arose during the Compliance Tests and the Substantive Tests
• Try to reduce the number of findings or exceptions to a minimum
The IS Audit Process
Prepare, Discuss, and Present the Audit Report
IT Auditor Responsibilities – Report
During the Audit Report Preparation and Presentation phase, the IT Auditor will first prepare his/her final report as a preliminary report for discussion purposes only. The report will indicate control weaknesses and recommendations to eliminate the weaknesses and improve the controls environment.
The report should present findings and recommendations divided into the following risk areas:
• High risk findings
• Medium risk findings
• Low risk findings
The report is discussed with the CISO/ISO, and he/she will make his/her comments.
IT Auditor Responsibilities – Report
• Differences in opinion could arise based on the expertise of the CISO/ISO and the IT Auditor
• The IT Auditor could modify his/her findings and recommendations based on the comments of the CISO/ISO or the presentation of additional information
• The IT auditor will then prepare the final report, taking into account the comments of the CISO/ISO and any additional information
• The CISO/ISO should accept the final findings and recommendations
CISO Responsibilities – Report
• Discuss the preliminary report with the IT Auditor
• Try to refute or accept all findings and exceptions
• Ask for clarification of any confusing or illogical finding or recommendation
• Provide additional information, if necessary
• If findings or exceptions cannot be refuted, clarified, or shown to be erroneous, then they should be accepted
• Accept the final and formal audit report and prepare an implementation schedule for the recommendations
Surviving the IS Audit
… and both the IT Auditor and the CISO/ISO should…
Joint Responsibilities
It is important that the CISO/ISO and the IT auditor work as a team to ensure that the company or agency receives all the benefits of the security audit.
The IT auditor should not be arrogant, a know-it-all, or act in an "I got you" mode.
The CISO/ISO should not hide information or maliciously challenge the findings or recommendations of the IT auditor.
If the CISO/ISO accepts the findings/recommendations, then the recommendations should be implemented in a timely manner.
Accepting the recommendations and then ignoring the implementation is not right and you could get caught.