1. Anatomy of an Information Security Audit and How To Pass It
- Ben Rothke, CISSP, CISM, Senior Security Consultant, INS
2. About Me
- Senior Security Consultant, INS (soon to be BT INS)
- Previously with AXA Equitable, Baltimore Technologies, Ernst & Young, Citibank
- Have worked in the information technology sector since 1988 and in information security since 1994
- Frequent writer and speaker
- Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)
3. Agenda
- High-level overview of what an audit is
- What to know to prepare for and pass an information security audit
- Based on my consulting experience at a large spectrum of Fortune 500 companies
- Detailed walk-through of an information security audit
- Review and recommendation of audit software tools
- Feel free to ask a question, make a comment, etc.
4. Definition - Audit
- Systematic examination against defined criteria to determine whether activities and related results conform to planned arrangements, and whether these arrangements are implemented effectively and are suitable to achieve the company's policy and objectives.
- Planned, independent and documented assessment to determine whether agreed-upon requirements are being met.
- Professional examination and verification, performed by either an independent party or a company's internal audit function, of the company's accounting documents and supporting data.
- Upon completion of the examination, the auditor will render an opinion as to the fairness, consistency, and conformity of the information.
5. Things to think about in the audit process
- An opportunity for an objective, skilled and impartial review of the program's operations, which can result in significant suggestions for improvement.
- Bring out the best in the audit team and the security staff.
6. Audit and regulations
- Information technology and information security are new on the regulatory scene. Other industries have lived and breathed with regulatory bodies for many years.
- Today's IT environments are not the IT shops of old
- In the past, it was about keeping the hackers out
- Now it's about understanding and managing controls to assign accountability and support audits
- Penalties - fines up to $5 million and 20 years in jail
7. Security and compliance are not rocket science
- While the mathematics of cryptography is rocket science, most
aspects of information security, compliance and audit are not.
- Computer security is simply attention to detail and good
design, combined with good project management.
8. Frameworks
- Base your security program on a security framework
- Use 17799, CoBIT, etc., and not regulatory mandates
- The myriad security and privacy regulations have roughly 85% commonality
- SoX, GLBA, SEC 17-a and all of the countless new regulations all deal with the fundamental issues of computer security and privacy.
- Once the framework and associated controls are established, map them to current and future regulations, making adjustments where necessary.
- If a security program is based on compliance mandates, it will have to be updated with every new regulation
- A regulation typically addresses one particular type of risk (e.g., protecting personal information, protecting credit card numbers), but does not address business risk
9. Security vs. compliance
- Which is better: security or compliance?
- The most effective method of dealing with regulations is to create an effective information security foundation and infrastructure.
- By creating this security foundation, an organization can easily deal with any new regulation that comes into law.
- Should security dollars be redirected towards compliance?
10. Management
- Success or failure of the audit ultimately depends on how committed management is.
- If management cares, you will pass the audit
- If management does not care or is clueless, you will fail the audit.
11. Don't lie for management
- Management has been known to ask an individual to sign off on or attest to an item that is not compliant.
- You should never lie for management
- Many audit issues are due to management incompetence and ineptitude, i.e., it is their fault.
- If management asks you to lie, or hints that your job may be at risk if they fail the audit, immediately seek legal counsel.
- You can't be legally terminated for telling the truth
- You can be terminated, decertified, fined, and subjected to prosecution and jail time if you lie to the auditors or falsify data.
- Ask yourself: is it worth it to lie?
12. Spaf's Law
- Professor Eugene Spafford, PhD, Purdue University
- If you have responsibility for security but have no authority
to set rules or punish violators, your own role in the organization
is to take the blame when something big goes wrong.
13. No surprises
- If you are surprised by negative audit results, something is likely wrong.
- Akin to going to the doctor for a physical: you should have a relatively good understanding and know what to expect.
14. One-minute pre-audit
- Do you have a CISO/GISO/BISO in place?
- Is there a formal business security program in place designed to protect corporate information assets?
- Have short-term and long-term strategies toward mitigating risks and exposures relative to your security program requirements been developed?
- Do you focus on information security as a process, not a set of products or regulatory items to be checked off?
- Have you identified all regulatory requirements you fall under?
- Answered yes to 4 or more: don't worry, you should easily pass the audit
- Answered yes to 1 or less: your management team is derelict in their duties
15. Getting serious about security
- Got a 2 or less on the one-minute pre-audit?
- Management needs to start getting serious about security.
- Customers and clients expect management to run the business in a way that manages risk.
- New security and privacy regulations impact all companies
- Regulators are active globally and are asking tougher questions about privacy, security, data management and control environments.
- Regulators and law authorities have been aggressively inspecting and pursuing ID theft, privacy breaches, and the lack or failure of safeguards.
16. The Audit
17. Understanding the audit process - preparation
- Don't wait until the last minute to get ready for the audit
- Think like a wedding planner
- Know the depth of the audit
- It may cover a small set of systems and a single application, or much more
- Up to a comprehensive audit of the entire global organization
- Ensure appropriate staff members are available
- And that they have adequate security levels to assist
18. Understanding the audit process - preparation
- Rule #1 of compliance management
- Know and understand the regulation
- Understand how you are in compliance with each regulatory point
- Huge mistake - not reading or interpreting the audit regulations.
19. Phases of an audit
- Most audits contain the following 3 phases:
20. Know what to expect
- Know your role in the audit process
- Know the auditor's role in the audit process
- Auditors are human; they make mistakes
- If they document what you feel are erroneous comments, you will later have the opportunity to comment on the accuracy and relevancy of the finding.
- Honesty is the best policy
- Corollary: auditors hate it when you lie
21. Communicating with the auditors
- Respond honestly and in a timely fashion
- Always follow through if unsure
- Communicate openly and directly
- Discuss how to correct findings
- Don't point the finger at others
- Don't send auditors on a wild goose chase
22. Communicating with the auditors
- Your relationship with the auditors should be based on a formal business focus
- Keep it amicable and cordial
- Auditors are not your buddies
- They have friends, just not you.
- It is OK to share a clean joke or discuss innocuous events
- Don't try to be friends with the auditor
- Overall, talk to the auditor as if you were speaking in a deposition
- Attempting to use friendship, gifts or the like to influence the audit is imprudent at best, illegal at worst.
23. Communicating with the auditors
- Don't fall into a subordinate relationship with the auditors
- You are assisting them, but you do not work for them
- Don't depend on them for guidance
- Don't depend on them for answers to regulatory questions
24. Things that make auditors nervous
- Emailing of sensitive information
- Personal email accounts (Hotmail, Gmail, etc.)
- Stale policies and risk management plans
- Passwords on Post-It notes
- Passwords saved in cleartext on servers
- Files/backup tapes stored in a car
- This is not what off-site means
25. Know what to expect - Policies
- Auditors want to see your set of information system policies
- A codification of control objectives
- They define the way companies control their information use and access
- A written document that specifies how an organization will manage, protect, and distribute information.
- Know which policies exist, and what they do and don't cover
- Have them easily available in both soft and hard copies
26. Know what to expect - Controls
- Processes, effected by an entity's board of directors and management, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
- Effectiveness and efficiency of operations
- Reliability of financial reporting
- Compliance with applicable laws and regulations
- Controls must be documented, tested, and demonstrated to be either manually verified (which is acceptable to auditors) or automatically enforced (which auditors prefer)
- Knowing how an auditor will evaluate controls is important
- Controls must be applied in a consistent and sustainable manner
27. Control Objective / Practice Lists
- Control Objective: General. Control Practice: Logical security tools and techniques are implemented, configured, and administered to enable restriction of access to data and programs.
- Control Objective: Network. Control Practice: Firewalls restrict traffic into the internal network from all external sources to applications that require strong authentication.
- Control Objective: Application. Control Practice: Logical security tools and techniques are implemented, configured, and administered to enable restriction of access to data and programs. Strong authentication is provided via Single Sign-On.
28. Control Practice Description
29. Controls testing
- Once the auditor has gathered the documentation, the testing phase of the audit will commence.
- Validate internal documentation
- Verify effective organizational policy
- Testing can cover many system programs (firewalls, IDS, etc.) and manual processes (adding a user, running a backup)
- Testing will invariably identify deficiencies or shortcomings
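As an added example that is not part of the original deck: an automated test of the slide 27 network control practice (traffic from external sources may only reach applications that require strong authentication), run over a constructed firewall ruleset and application inventory, and reporting each failure in the condition/criteria form that slide 38 says an audit point must state. The internal address ranges, the inventory and the rules are all assumed sample data, not from any real environment.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: internal address space of a hypothetical company.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Constructed application inventory: "ip:port" -> requires strong authentication?
APP_INVENTORY = {
    "10.1.2.10:443": True,    # SSO portal (slide 27: strong auth via Single Sign-On)
    "10.1.3.50:8080": False,  # legacy application, password only
}
# The control practice under test, quoted from slide 27.
CRITERIA = ("Firewalls restrict traffic into the internal network from all external "
            "sources to applications that require strong authentication.")
@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # source CIDR
    dst: str     # destination host IP
    port: int
def is_external(src_cidr: str) -> bool:
    """True when the source network is not contained in any internal range."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    return not any(net.subnet_of(internal) for internal in INTERNAL_NETS)
def evaluate_control(rules):
    """One finding per allow rule admitting external traffic to a target that is
    uninventoried or lacks strong auth; each finding states condition and criteria."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or not is_external(rule.src):
            continue
        target = f"{rule.dst}:{rule.port}"
        strong = APP_INVENTORY.get(target)
        if strong is None:
            why = "is not in the application inventory"
        elif not strong:
            why = "does not require strong authentication"
        else:
            continue  # external traffic to a strong-auth application: compliant
        findings.append({"rule": rule, "criteria": CRITERIA,
                         "condition": f"{rule.src} may reach {target}, which {why}"})
    return findings

SAMPLE_RULES = [  # constructed ruleset, in evaluation order
    Rule("allow", "0.0.0.0/0", "10.1.2.10", 443),        # Internet -> SSO portal: compliant
    Rule("allow", "203.0.113.0/24", "10.1.3.50", 8080),  # partner -> legacy app: finding
    Rule("allow", "10.0.0.0/8", "10.1.3.50", 8080),      # internal -> internal: out of scope
    Rule("allow", "198.51.100.7/32", "10.1.4.4", 3389),  # Internet -> uninventoried host: finding
    Rule("deny", "0.0.0.0/0", "10.0.0.0", 0),            # default deny
]
```

Against SAMPLE_RULES the check returns two findings, the partner rule into the password-only application and the uninventoried host; a deny rule or an internal-to-internal rule never produces one, so the output is evidence for exactly the control being tested and nothing else.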
30. Audit defense
- Auditors are human, not infallible: they make mistakes
- It is assumed that the auditor knows the company and its business activities
- Requires you to be able to defend your position
- You must understand the requirements of the audit and the associated regulations
- Read the audit requirements
- Understand your security infrastructure
- Know who does what and where they execute it
- In your reply to erroneous audit findings, stick with the facts
- No name calling, insulting, etc.
- Stay rational, not emotional
31. Program Management
- Formal system of risk management
- Show that the work has been adequately planned and supervised
- Demonstrate that internal controls have been appropriately studied and evaluated
- A few IDS sensors rolled out over the previous weekend does not demonstrate that
- Nor do security hardware and software systems deployed without proper policies, documentation, etc.
- Cramming for risk compliance
- Rather than cramming for compliance like a high-school student at finals, which will not satisfy the auditors, admit non-compliance.
- Spend the time building a program, rather than developing bogus documentation for a set of risk management controls that don't work or don't exist.
32. Program Management
- Risk analysis and assessments
- The best compliance ROI is built on a comprehensive risk analysis
- Adequate staff and budget
33. Documentation
- Documentation - the auditor's best friend
- Proof that you have done your due diligence.
- Auditors use documentation in part to determine if your information security design and controls are adequate.
- Auditors view documentation as an essential element of audit quality
- If an auditor asks for additional information, give it to them in a timely manner.
- Reluctance to share information can give the impression that you have something to hide.
34. Documentation
- Accurate network map listing all network elements down to the wiring closet level
- Servers, switches, hubs, firewalls, routers, etc.
- All connectivity must be known, including type, terminating equipment, locations, etc.
- A good auditor will not simply trust the diagrams to be the absolute truth: they will verify.
35. Documentation
- Documentation should be written in a style an auditor can easily understand
- Write your documentation like a For Dummies book
- Use diagrams and illustrations whenever possible
- Documentation takes a lot of time
- Auditors can tell when documentation is rushed
- The skill of an accountant can always be ascertained by an inspection of his working papers.
- Robert Montgomery, Montgomery's Auditing, 1912
36. Staffing
- An audit can be lengthy and can place significant stress on your internal resources.
- You must assign staff to work with the auditors.
- Don't insult the auditors by assigning a junior or inexperienced person to this task
- The person must be able to dialogue effectively with the auditors.
- They must know the security foundation and how it is implemented
37. The audit report
- Often presented in a scorecard approach, which generally contains:
- A description of the audit scope
- A statement that the audit was conducted in accordance with accepted auditing standards
- A description of the findings
- Recommendations for corrective action
- Use the report for the next audit
- The audits will heavily reference it, and so should you
38. The audit report
- You will generally be given 7-10 days to review a draft of the final report that includes all audit points.
- If needed, request revisions.
- If you don't like the wording or tone, ask the auditor to change it.
- Negotiate agreement with the auditor on:
- Condition - factually describes the audit evidence and makes no judgments; just the facts
- Criteria - the objective standard as to why the audit point is valid
- Cause - the root cause is identified, rather than some proximate cause
- Effect - the risk that the condition presents to the business, not only to the computing environment.
39. Project plans for improvements
- Deficiencies are inevitable
- There is no such thing as a perfect network.
- If needed, let the audit process be a learning experience
- But you must show how you plan to make improvements
- You must commit to act on the findings and recommendations
40. Conclusion
- An audit is simply a reflection of the entity being audited. It can be either:
- A golden opportunity on which to build an effective information systems security program, or
- An excuse for management to deny responsibility by invoking Spaf's law and terminating some information security staff
- At its best, the audit can showcase the operational excellence of the information security staff, and be used as a guide book with which to navigate the dynamic world of risk management and information security.
41. Questions and Answers
- Ben Rothke, Senior Security Consultant