Mais conteúdo relacionado
Semelhante a It Security Audit Process (20)
Mais de Ram Srivastava (20)
It Security Audit Process
- 1. What is a Security Audit?
A security audit is a specified process designed to assess the security risks facing a business and the
controls or countermeasures adopted by the business to mitigate those risks. It is typically a human
process, managed by a team of “auditors” with technical and business knowledge of the company’s
information technology assets and business processes. As part of any audit, these teams will
interview key personnel, conduct vulnerability assessments, catalog existing security policies and
controls, and examine IT assets covered by the scope of the audit. In most cases, they rely heavily
on technology tools to perform the audit.
Often, security audits are best understood by focusing on the specific questions they are designed to
answer. For example:
How difficult are passwords to crack?
Do network assets have access control lists?
Do access logs exist that record who accesses what data?
Are personal computers regularly scanned for adware or malware?
Who has access to backed-up media in the organization?
These are just a small sample of the questions that any security audit should attempt to answer.
It is important to understand that a security audit is a continuous process that should deliver
continuous improvement to any business. Some commentators have argued that audits should only
focus on assessing compliance with existing security policies. Insead, an audit should not only
assess compliance, but also assess the very nature and quality of the policies and controls
themselves. In many cases, security policies become rapidly obsolete with the release of new
technologies or process overhauls. Security audits are the most effective tool for determining the
validity of those policies.
The Security Audit Process
While there are certainly planning and consensus building steps that any team would be wise to
take before beginning an audit (for example, making sure that senior management supports the
project), the following steps are essential to the audit itself:
1. Define the physical scope of the audit: The audit team should define the security perimeter
within which the audit will take place. The perimeter may be physically organized around
logical asset groups such as a datacenter specific LAN or around business processes such as
financial reporting. Either way, the physical scope of the audit allows the auditors to focus
on assets, processes, and policies in a manageable fashion.
Copyright © 2007, Tippit, Inc., All Rights Reserved
- 2. 2. Define the process scope of the audit: This is often where the rubber hits the road on
security audits, as overly broad process scoping can stall audits. At the same time, overly
narrow scoping can result in an inconclusive assessment of security risks and controls. This
document describes how to effectively scope the security processes or areas that should be
included in an audit. It is critical that any business, regardless of size, put limits on the
security processes or areas that will be the focus of the audit.
3. Conduct historical due diligence: An oft-forgotten step in security audits is pre-audit due
diligence. This due diligence should focus on historical events such as known
vulnerabilities, damage-causing security incidents, as well as recent changes to IT
infrastructure and business processes. It should include an assessment of past audits.
Furthermore, auditors should compile a complete inventory of the assets located within the
physical scope of the audit and a complete list of specified security controls relevant to
those assets.
4. Develop the audit plan: An effective audit is almost always guided by a detailed audit plan
that provides a specific project plan for conducting the audit. This should include a specific
description of the scope of the audit, critical dates/milestones, participants, and
dependencies.
5. Perform security risk assessment: Once the audit team has an effective plan in place, they
can begin the core of the audit – the risk assessment. The risk assessment should cover the
following steps:
A. Identify and locate the exact assets located within the security perimeter and
prioritize those assets according to value to the business. For example, a cluster of
web servers supporting the order entry application is more important than a web
server supporting the IT department’s internal blog.
B. Identify potential threats against the assets covered by the audit. The definition of a
threat is something that has the potential to exploit a vulnerability in an asset.
C. Catalog vulnerabilities or deficiencies for each asset class or type. Vulnerabilities
exist for specific types of assets and present opportunities for threats to create risk.
D. Identify the security controls currently in place for each asset class. These controls
must exist and be used on a regular basis. Anything short of this should be noted and
not counted towards existing controls. Controls include technologies such as
firewalls, processes such as data backup procedures, and personnel such as the
systems administrator that manages the relevant assets.
E. Determine probabilities of specific risks. Audit teams must make a qualitative
assessment of how likely it is that each threat/vulnerability will occur for a specific
asset class. The probability calculation should account for the ability of existing
controls to mitigate risk. This probability should be articulated on a numerical scale.
F. Determine the potential harm or impact of a threat. Auditors must again make a
qualitative assessment of the likely extent of the harm for a specific asset class.
Again this qualitative assessment should be represented on a numerical scale.
Copyright © 2007, Tippit, Inc., All Rights Reserved
- 3. G. Perform the risk calculation. Auditors should use the multiply the two values above
(probability x harm) to calculate risk (probability x harm = risk). These calculations
should be performed on an asset class by asset class basis and will yield a priority
list for risk mitigation efforts and specific security controls that need to be
implemented.
6. Document the results of the audit: It should go without saying that the results captured
above should be documented in detail and proactively presented to decisionmakers for
review. The document should include an executive summary, audit determinations, required
updates/corrections, and supporting data in the form of exhibits. The team should also turn
the document into a powerpoint presentation.
7. Specify and implement new/updated controls: The ultimate benefit of a security audit is that
it should yield specific recommendations for improving business security. These
recommendations should take the form of controls that the business can adopt, the deadline
for adoption, and the party responsible for adoption. Do not forget to specify deadlines and
specific ownership responsibilities.
Security Process Scoping
Many businesses have an easy time defining the physical security perimeter that encloses the audit.
It is relatively easy for an audit team to limit an audit to a physical location (like a datacenter) or
logical grouping of assets (all production storage devices).
What is more difficult, and frankly more valuable, is scoping the audit around security processes or
areas. To do this effectively, it is imperative that businesses prioritize security processes by the
amount of risk that they pose to the organization. For example, the process of business continuity
may pose a minimal security risk to the business, whereas the process of identity management
poses a severe risk. Under this sample scenario, the identity management process would be
included in the audit, while business continuity would not.
Many industry consultants and analysts have strong opinions on where the majority of security
threats will come from in the coming years. Gartner Group estimates that businesses will be able to
prevent 80% of all damaging security events by adopting effective policies in four key areas:
Network access controls: This process checks the security of a user or system that is
attempting to connect to the network. It is the first security process that any user or system
encounters when trying to connect to any IT asset within the business’ network. Network
access controls should also track the security of users and systems that are already
connected to the network. In some cases, this process will also look to correct or mitigate
risk based on detected threats and user or system profiles or identities.
Intrusion prevention: As a process, intrusion prevention covers much more than traditional
intrusion detection. In fact, it is more closely in line with access control as it is the first
security layer that blocks users and systems from attempting to exploit known
vulnerabilities. This process should also enforce policies and controls to minimize the scope
of an attack across the network. While intrusion detection systems are an obvious, non-
negotiable component of this process so are other technologies such as firewalls.
Copyright © 2007, Tippit, Inc., All Rights Reserved
- 4. Identity and access management: This process controls who can access what when.
Authentication and authorization are the usual pillars of this process, but robust policy
management and storage are also critical components.
Vulnerability management: The vulnerability management process manages baseline
security configurations across the full range of asset classes. It also identifies and mitigates
risks by performing root cause analysis and taking corrective measures against specific
risks.
Case Study: Auditing the Network Access Control Process
Network access controls are often the first line of defense against security risks. Businesses should
focus on the following basic steps when conducting an audit of network access controls:
1. Define and inventory the network, including all devices and protocols used on the network.
The most useful tool for doing this is usually an existing network diagram that displays all
routes and nodes on the network. Networks often change daily so a security based auto
inventory tool can be helpful here. The audit team should also prioritize critical assets or
segments of the network and draw a line of demarcation between internal and external
network assets if applicable. This step should form the “record of truth” of any NAC audit
and should be referred to continuously during the audit process.
2. Identify which systems and users have access to the network, including internal and external
parties. Audit teams should also specify where constituent groups access the network from
(e.g. the office only, home, remote location). This is an extension of defining the network
from an asset perspective and really represents the objects that interact with and use the
network.
3. Identify and catalog specific threats that could pose a risk to the network, as well as
deficiencies on the network itself. A virus or intrusion is an example of a threat, while a
configuration error on a router is a deficiency.
4. Develop specific controls and policies to mitigate the risks identified in step number three.
There are a range of security controls that are directly applicable to the network access
control process, including but certainly not limited to: authentication mechanisms for all
users and systems; access controls that limit access by specific systems or users; and
enforced network routing that ensures only specified network routes are used.
While most businesses would do well to focus their security audits on these four specific process
areas exclusively, some businesses, particularly large enterprises, may choose to make a more
extensive investment in their security audit. A good framework for a more extensive audit is the
standard encapsulated in ISO 17799. In a nutshell, ISO 17799 focuses on the following security
areas:
Security Policy: In a relatively thin portion of the standard, ISO 17799 requires businesses
to maintain a written security policy, as well as a process and forum for ongoing review and
revision.
Organizational Security: This section focuses on the infrastructure supporting information
Copyright © 2007, Tippit, Inc., All Rights Reserved
- 5. security; security issues concerning access by third parties; and security issues created by
outsourcing of certain tasks.
Asset Classification and Control: Asset classification and control helps businesses classify
assets into different classes or types that have appropriate security controls associated with
them.
Personnel Security: This portion of the standard addresses human security issues such as
training, how personnel respond to specific security incidents, and treating security
requirements as a priority in hiring considerations.
Physical and Environmental Security: This section covers the security of physical locations
such as datacenters and specifies controls for secure areas, as well as securing equipment.
Communications and Operations Management: One of the more useful sections of ISO
17799, this section specifies a range of processes and controls in areas such as system
planning/acceptance; malware protection; data backups; network management; and media
management.
Access Control: The access control portion of the standard includes information on controls
for user access and responsibilities, network access control, application access control, and
mobile computing control.
System Development and Maintenance: This section provides particulars regarding specific
security controls that can be used in the following areas: systems; applications;
cryptography; file systems; and development/support processes.
Business Continuity Management: This portion of the standard specifies specific measures
to prevent the disruption of core business processes due to failures or disasters.
Compliance: The compliance portion of ISO 17799 is somewhat lacking in specificity, but
does offer guidance on how organizations can adopt security policies that comply with
legal, regulatory, and business requirements.
Regardless of the approach, a security audit will yield significant benefits to most businesses by
lowering security risks, increasing operational predictability, and reducing classic IT firefighting.
Copyright © 2007, Tippit, Inc., All Rights Reserved