Surviving an IT Security Audit from a CISO Standpoint

September 9, 2009

A Presentation by: John R. Robles
787-647-3961
[email protected]
[email protected]
www.johnrrobles.com

Puerto Rico Chapter

Agenda

Who and What Will be Audited

The Information Security Process

IS Security Controls Implementation

IT Auditor Responsibilities

CISO/ISO Responsibilities

Joint Responsibilities


Who and What Will Be Audited

The CISO/ISO will be audited to ensure that his/her department maintains the security characteristics of the information systems (the CIA triad, plus accountability):

Confidentiality of information: protection of the information from unauthorized access
Integrity of information: protection from unauthorized changes
Availability of the information: protection against intentional or accidental attempts to deny legitimate users access to systems and data
Accountability: the ability to trace actions to their source (non-repudiation, intrusion prevention, security monitoring, recovery, legal aspects)


Information Security (IS) Processes

The CISO/ISO ensures CIA via the IS processes, which consist of the following and which will be audited for effectiveness and efficiency:

IS Risk Assessment
IS Strategy
Security Controls Implementation
Security Monitoring (Controls Monitoring)
Security Process Monitoring and Updating (Procedures)


IS Security Controls Implementation

FFIEC (Financial Institutions) IS Security Controls Standards:

Access Control
Physical and Environmental Protection
Encryption
Malicious Code Prevention
Systems Development, Acquisition, and Maintenance
Personnel Security
Data Security
Service Provider Oversight
Business Continuity Considerations
Insurance


IS Security Controls Implementation

FFIEC (Financial Institutions) IS Security Controls Standards (cont.):

Activity Monitoring
Network Intrusion Detection Systems
Host Intrusion Detection Systems
Security Incidents
Intrusion Response
Outsourced Systems


IS Security Controls Implementation

ISO/IEC 27002 IS Standards (Best Practices):

Risk Assessment
Security Policy
Organization of Information Security
Asset Management
Human Resources Security
Physical and Environmental Security
Communications and Operations Management
Access Control
Information Systems Acquisition, Development, and Maintenance
Information Security Incident Management
Business Continuity Management
Compliance


Let’s Start the IS Security Audit!

Review responsibilities: ensure that Information Security is functioning effectively and efficiently

Add value from the IS department, its policies, and its procedures to the company or agency

Improve IS processes; make information more secure and reliable


The IS Audit Process

The IS Audit phases are as follows:

Plan the audit
Gather data
Analyze data and test controls
Conclude
Prepare and present an audit report


Surviving the IS Audit

The IS Audit Planning Phase


IT Auditor Responsibilities - Planning

During the planning phase, the IT auditor should obtain audit instructions and meet with the CISO or ISO to discuss the upcoming audit.

Discuss the reasons for the audit. It could be:

Part of the Internal Audit process:
• Instructions from the General Auditor for an internal audit
• Instructions from the Audit Committee based on some security concern(s)

Preparation for an external audit:
• Federal (FFIEC, CMS, etc.)
• Oficina del Contralor (Office of the Comptroller)
• Oficina del Comisionado de Instituciones Financieras (Office of the Commissioner of Financial Institutions)
• Oficina del Comisionado de Seguros (Office of the Insurance Commissioner; possibly a Rule 76 audit)


IT Auditor Responsibilities - Planning

The IT auditor should request the following documentation from the CISO/ISO:

Organization chart of the organization or agency
Organization chart of the Information Security (IS) function
List of applications by user area
List of servers and security appliances, and the corporate network diagram
Which IS areas, if any, are outsourced
• If outsourcing is used, management and operational contact information at the outsourcing companies
Previous audit reports: internal, external, government
IS Committee (or other governance committee) meeting minutes
Policy manuals and operational procedures manuals
Business Continuity Plan


IT Auditor Responsibilities - Planning

The IT auditor should discuss with the CISO/ISO which IS framework, standard, or implementation methodology is used:

Industry specific: FFIEC Standard
Industry specific: HIPAA Security Standards
ISO/IEC 27000 Series (previously ISO 17799)
NIST SP 800 Series Information Security Standards
ISF Standard of Good Practice for Information Security
COBIT (high-level standard)


IT Auditor Responsibilities - Planning

The IT auditor should then proceed to:

Perform a mini risk analysis of the IS function to determine high-risk areas
Based on the mini risk analysis, determine the audit scope (the areas to address in the audit)
Determine the personnel to interview
Finalize the understanding of the security environment
Estimate the time required for the audit
Prepare the audit work program
Prepare the audit questionnaire
Obtain approval of the audit scope and time from the requestor
Start the data gathering phase


CISO Responsibilities – Planning

During the audit planning period, the CISO should:

Ensure that he/she has been formally notified in writing by his/her superior that an IS audit will be performed
Obtain the name(s) of the IT audit personnel
Obtain the dates of the audit
Obtain the scope of the audit
Ensure that all IS policy and procedures manuals are available and up to date
Be available for interviews with the IT auditor in a timely manner
Be prepared to coordinate the IT auditor's interviews with personnel in the IS department
Ensure that the audit period does not coincide with the vacation periods of key personnel


CISO Responsibilities – Planning

During the audit planning period, the CISO should:

Be prepared to coordinate meetings between the IT auditor and outsourcing management
• Outsourcing management will coordinate interviews with the outsourcer's operational personnel
Be prepared to discuss the IS framework, standards, or industry best practices with the IT auditor
Provide desk space for the IT auditor
Inform IS department personnel, via an internal memo, that an IT security audit will commence shortly and that full cooperation should be given to the auditors
Ensure that the IT auditor fully understands the security environment and security practices
• An IT auditor with insufficient or wrong information could perform an unsatisfactory, incomplete, or erroneous audit


The IS Audit Process

The Data Gathering Phase


IT Auditor Responsibilities – Gather Data

Data gathering consists of:

Requesting, obtaining, and reading IS department documentation, and

Interviewing: IS management and operational personnel, Governance committee members, and outsourcing management and operational personnel.


IT Auditor Responsibilities – Gather Data

The IT auditor should request, obtain, and read the following material:

Organization charts
Job descriptions
Policy manuals
Operational procedure manuals
List of servers, security appliances, and the network diagram
Management and operational reports
Outsourcing contracts and Service Level Agreements (SLAs)
IS Committee or other governance committee minutes
Business Continuity Plan

The IT auditor should also review the IS framework, standard, or methodology in use by the CISO/ISO.


IT Auditor Responsibilities – Gather Data

The IT auditor should interview the following personnel:

IS management and operational personnel, to discuss:
• What IS functions are performed
• Who performs those functions
• When those functions are performed
• How those functions are performed

Outsourcing management and operational personnel, to discuss:
• What IS functions are outsourced
• Who performs those functions at the outsourcer
• When those outsourced functions are performed
• How the outsourcer performs those functions


IT Auditor Responsibilities – Gather Data

Governance Committee members, to discuss how the committee performs oversight of the IS function:
• Do they review the risk analysis and risk management documents?
• Do they approve and review IS project implementations?
• Do they review security incidents?
• Do they review responses to security incidents?
• Do they review and approve IS policies and procedures?
• Do they review IS management and operational reports?
• Do they review outsourcing Service Level Agreements (SLAs)?

User management and operational personnel, to discuss:
• Status of IS user controls
• Security training of personnel


Surviving the IS Audit

…and the CISO/ISO should…


CISO Responsibilities – Gather Data

Meet with the IT auditor and obtain his/her list of the documentation and manuals necessary for the audit

Make all requested manuals and documentation available to the auditor

Ensure that sensitive information is not provided to auditors unless approved by higher management. For example:
• Do not provide a list of network IP addresses
• Restrict access to passwords or security tokens
• Restrict access to computer equipment, PCs, or security appliances unless approved by higher management
• Restrict access to applications unless the auditor is accompanied by user or security personnel
• Restrict access to restricted areas unless the auditor is accompanied by user or security personnel


CISO Responsibilities – Gather Data (cont.)

Restrict access to confidential information unless approved by higher management

If the IT auditor is external, ensure that he/she signs a Confidentiality Agreement / Non-Disclosure Agreement

If requested by the IT auditor, discuss the IS framework, standards, or industry-specific best practices in use

Ensure that IS management and operational personnel are able to assist the IT auditor in fully understanding the security environment as well as the security practices used

It should be assumed by all parties, however, that the IS department will not teach the IT auditor the concepts, theory, or implementation practices of Information Security
• It helps if the IT auditor is certified (CISA, CISM, CISSP, or another valid certification)


The IS Audit Process

Analyze Data and Test Controls


IT Auditor Responsibilities – Data Analysis

The specifics of what to analyze will depend on the audit program and the audit questionnaire. Normally, a negative answer on the questionnaire will result in an audit recommendation.

Based on the documentation received and the interview notes, the IT auditor will analyze how effective the following are:

What IS functions are performed or not performed
Who performs the functions, and the controls surrounding those activities
When the functions are performed or not performed
How the functions are performed, and the controls surrounding those activities


IT Auditor Responsibilities – Data Analysis

The analysis should include the following comparisons:

A comparison between how IS functions are performed and how the procedures manual says they should be performed

A comparison between what IS functions are performed and what should be performed, according to the procedures manuals, the IS framework/standards or best practices, or the opinion of the auditor based on his/her experience

A comparison between each policy statement and its implementation description in the procedures manual
• Each policy statement should be referenced in the procedures manual

A comparison between the policy manual and the IS framework/standards or industry best practices


IT Auditor Responsibilities – Data Analysis

The analysis should address the following:

Determine how risk areas are identified and how risk management is performed

Determine how security perimeters or barriers are established, including access controls at each layer:
• Application
• OS (servers, PCs, appliances)
• Network

Determine what internal controls and security features are in place

Determine what internal controls and security features should be established


IT Auditor Responsibilities – Test Controls

During the controls (or functions) testing phase, the IT auditor could perform compliance testing or substantive testing:

During compliance testing, the IT auditor will verify that the functions are performed, but will not necessarily test how effectively or efficiently they are performed

During substantive testing, the IT auditor will determine whether the IS functions are performed adequately, effectively, and efficiently

The IT auditor will decide, and document in the working papers, whether to perform compliance or substantive testing and how extensive those tests will be


Surviving the IS Audit

…and the CISO/ISO should …


CISO Responsibilities – Test Controls

Assist the IT auditor in performing his/her tests of controls:

Compliance testing
• Ensure that the IT auditor can verify, through observation of procedures, that the documented controls are in place

Substantive testing
• Ensure that the IT auditor can test, through selective testing of a universe of elements or parameters, that the security features are in place and that they are adequate, effective, and efficient
• Penetration testing would fall in this category
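The distinction between the two kinds of tests on these two slides (compliance testing confirms that a procedure is performed; substantive testing samples the universe to see whether the control actually works) is easier to see on data. The following Python script is an added illustration and is not part of the original presentation. It assumes a hypothetical control ("accounts of terminated employees are disabled within 2 calendar days, and IS performs a monthly termination review"), and all termination records and review sign-offs in it are constructed for the example.

```python
"""Compliance test vs. substantive test of one control (added illustration).

Assumed, hypothetical control: "User accounts of terminated employees are
disabled within MAX_LAG_DAYS calendar days of the termination date, and IS
performs a termination review every month."  All data below is constructed
for this example and does not come from any real organization.
"""
import random
from datetime import date

MAX_LAG_DAYS = 2  # assumed control parameter, not from the presentation

# Constructed universe: every termination in the audit period (HR extract)
# (user_id, termination_date, date the account was disabled, or None)
TERMINATIONS = [
    ("u1001", date(2009, 1, 5), date(2009, 1, 5)),
    ("u1002", date(2009, 1, 20), date(2009, 1, 22)),
    ("u1003", date(2009, 2, 3), date(2009, 2, 4)),
    ("u1004", date(2009, 2, 17), date(2009, 3, 2)),    # 13-day lag
    ("u1005", date(2009, 3, 9), date(2009, 3, 9)),
    ("u1006", date(2009, 3, 30), None),                # never disabled
    ("u1007", date(2009, 4, 1), date(2009, 4, 2)),
    ("u1008", date(2009, 4, 14), date(2009, 4, 15)),
    ("u1009", date(2009, 5, 6), date(2009, 5, 20)),    # 14-day lag
    ("u1010", date(2009, 6, 22), date(2009, 6, 23)),
]

# Constructed evidence that the monthly review procedure ran: (year, month)
# pairs with a signed-off review record.
REVIEW_LOG = {(2009, 1), (2009, 2), (2009, 3), (2009, 4), (2009, 5), (2009, 6)}


def compliance_test(review_log, year, months):
    """Compliance test: was the procedure performed each month of the period?
    Returns the months with no review evidence (empty list = compliant).
    Note that this says nothing about whether the reviews caught anything."""
    return [(year, m) for m in months if (year, m) not in review_log]


def lag_exception(terminated, disabled):
    """True when a single record breaches the assumed control."""
    return disabled is None or (disabled - terminated).days > MAX_LAG_DAYS


def substantive_test(universe, sample_size, seed):
    """Substantive test: does the control actually work?  Draws a
    reproducible random sample from the universe (seed recorded in the
    working papers) and returns (sampled_ids, exceptions), where each
    exception is (user_id, lag_in_days or None if never disabled)."""
    rng = random.Random(seed)
    sample = rng.sample(universe, sample_size)
    exceptions = []
    for user_id, terminated, disabled in sample:
        if lag_exception(terminated, disabled):
            lag = None if disabled is None else (disabled - terminated).days
            exceptions.append((user_id, lag))
    return [u for u, _, _ in sample], exceptions


def exception_rate(universe):
    """Full-population check: fraction of terminations breaching the control."""
    bad = sum(1 for _, t, d in universe if lag_exception(t, d))
    return bad / len(universe)


if __name__ == "__main__":
    # The monthly review ran every month, so compliance testing finds nothing...
    print("Months without review evidence:", compliance_test(REVIEW_LOG, 2009, range(1, 7)))
    # ...while substantive testing of the same period surfaces real exceptions.
    ids, exc = substantive_test(TERMINATIONS, sample_size=5, seed=42)
    print("Sampled:", ids)
    print("Exceptions in sample:", exc)
    print("Population exception rate: %.0f%%" % (100 * exception_rate(TERMINATIONS)))
```

The point the auditor documents in the working papers is visible here: the compliance test passes (a review record exists for every month), yet three of ten terminations breach the control, so only the substantive test tells the CISO whether the control is adequate and effective.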


The IS Audit Process

Conclude


IT Auditor Responsibilities – Conclude

During the Conclude phase, the IT auditor will determine the adequacy of the following:

The staffing of the IS department
The job descriptions
The employee security training program
The policy manuals
The operational procedures manuals
The outsourcing contracts and Service Level Agreements
The IS or other governance committee meetings and their oversight of the IS department
The implementation of the IS framework or standards (controls); technically, this is the most demanding part
The IS management and operational reports


IT Auditor Responsibilities – Conclude

The IT auditor will also document the exceptions found during the testing phase. These exceptions could indicate the following:

Implemented controls are inadequate, ineffective, or inefficient

Controls (or the lack of controls) do not agree with the procedures, the policies, or the IS framework/standards or industry best practices


Surviving the IS Audit

… and the CISO/ISO should …


CISO Responsibilities – Conclude

During the Conclude phase, the CISO/ISO should be prepared to explain or discuss any inconsistencies observed by the IT auditor:

Between operations and the operational procedures manuals
Between the procedures manuals and the policy manuals
Between the observed security controls and features and the security framework/standards or industry best practices
Any that arose during the compliance tests and the substantive tests

Try to reduce the number of findings or exceptions to a minimum


The IS Audit Process

Prepare, Discuss, and Present the Audit Report


IT Auditor Responsibilities – Report

During the audit report preparation and presentation phase, the IT auditor first prepares the report as a preliminary report, for discussion purposes only. The report will indicate control weaknesses and recommendations to eliminate the weaknesses and improve the controls environment.

The report should present findings and recommendations divided into the following risk levels:

High-risk findings
Medium-risk findings
Low-risk findings

The preliminary report is discussed with the CISO/ISO, who will make his/her comments.


IT Auditor Responsibilities – Report

Differences of opinion could arise based on the expertise of the CISO/ISO and of the IT auditor.

The IT auditor could modify his/her findings and recommendations based on the comments of the CISO/ISO or on the presentation of additional information.

The IT auditor will then prepare the final report, taking into account the comments of the CISO/ISO and any additional information.

The CISO/ISO should accept the final findings and recommendations.


Surviving the IS Audit

… and the CISO/ISO should…


CISO Responsibilities – Report

Discuss the preliminary report with the IT auditor
Try to refute or accept all findings and exceptions
Ask for clarification of any confusing or illogical finding or recommendation
Provide additional information, if necessary
If findings or exceptions cannot be refuted, clarified, or shown to be erroneous, then they should be accepted
Accept the final and formal audit report and prepare an implementation schedule for the recommendations


Surviving the IS Audit

… and both the IT Auditor and the CISO/ISO should…


Joint Responsibilities

It is important that the CISO/ISO and the IT auditor work as a team to ensure that the company or agency receives all the benefits of the security audit.

The IT auditor should not be arrogant or a know-it-all, or act in an "I got you" mode.

The CISO/ISO should not hide information or maliciously challenge the findings or recommendations of the IT auditor.

If the CISO/ISO accepts the findings and recommendations, then the recommendations should be implemented in a timely manner.

Accepting the recommendations and then ignoring their implementation is not acceptable, and a follow-up audit will catch it.
