VPN Security Audit Assurance Program Icq Eng 1012

VPN Security Audit/Assurance Program

VPN Security Audit/Assurance Program Audit/Assurance Program About ISACA With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org (www.isaca.org ) is a leading global provider o !no"ledge, certiications, certiications, communit#, advocac# and education on inormation s#stems (IS) assurance and securit#, securit#, enterprise governance and management o I$, and I$%relat I$%related ed ris! and compliance& 'ounded in 1, the nonproit, independent ISACA hosts international conerences, publishes the ISACA the ISACA® Journal , and develops international IS auditing and control standards, "hich help its constituents ensure trust in, and value rom, inormation s#stems& It also advances and attests I$ s!ills and !no"ledge through the globall# respected Certiied Inormation S#stems Auditor ® (CISA®), Certiied Inormation Securit# *anager ® (CIS*®), Certiied in the +overnance o nterprise I$ ® (C+I$ ®) and Certiied in -is! and Inormation S#stems Control. (C-ISC.) designations&

ISACA continuall# continuall# updates and e/pands the practical guidance and product amil# based on the CI$® rame"or!& CI$ helps I$ proessionals and enterprise leaders ulill their I$ governance and management responsibilities, particularl# in in the areas o assurance, assurance, securit#, securit#, ris! and control, control, and deliver deliver value to the business& business& Disclaimer ISACA has designed and created VPN Security Audit/Assurance Program (the 2Wor!3) primaril# primaril# as an educational resource or governance and assurance proessionals& ISACA ma!es ma!es no claim that use o an# o the Wor! "ill assure a successul outcome& $he Wor! Wor! should not be considered inclusive o all proper inormation, procedures and tests or e/clusive o other inormation, procedures and tests that are reasonabl# directed to obtaining the same results& In determining the propriet# o an# speciic inormation, procedure or test, governance and assurance proessionals should appl# their o"n proessional 4udgment to the speciic circumstances circumstances presented presented b# the particular particular s#stems or inormation technolog# technolog# environment& environment& Reservation of Rights 5 6016 ISACA& All rights reserved& 7o part o this publication ma# be used, copied, reproduced, modiied, distributed, displa#ed, stored in a retrieval s#stem or transmitted in an# orm b # an# means (electronic, mechanical, photocop#ing, recording or other"ise) "ithout the prior "ritten authoriation o ISACA& -eproduction -eproduction and use o all or portions o this publication are permitted solel# solel# or academic, academic, internal and noncommercial noncommercial use use and or consulting9advisor# consulting9advisor# engagements, engagements, and must include ull attribution o the material:s source& 7o other right or permission is granted "ith respect to this "or!& ISACA ;<01 Algon=uin -oad, Suite 1010 -olling *eado"s, I> 0008 ?SA @hone B1&8<&6D;&1DD

VPN Security Audit/Assurance Program Audit/Assurance Program ISACA wishes to recognize: Author Norm Kelson, CISA, CGEIT, CPA, C@ Interactive, Inc&, ?SA Expert Reiewers Michael Castro, CISA, ResMor Trust Co, Canada Joanne De Vito Vito De Palma, Palma, CMM, CMM, The Ardent Ardent Grou! Grou! ""C, #SA Russell K$ %airchild, CISA, CRISC, CISSP, PMP, SecureIsle, #SA Ale& Gelden'er(, Gelden'er(, CISA, CRISC, CISSP, MSMM, #SA %rancis Kaitano, CISA, CISM, CISSP, ITI", MCAD$Net, MCSD, Contact Ener(), Ne* +ealand Kamal Khan, CISA, CISSP, CITP, Saudi Aramco, Saudi Ara'ia "il) M$ Shue, CISA, CISM, CGEIT, CRISC, "MS Associates ""C, #SA a'u Srinias, CISA, CISM, SP AusNet, Australia Daid A$ -illiams, CRISC, PMP, .cean%irst an&, #SA ISACA Board of Directors

Gre(or) T$ Grochols&i, CISA, The Do* Chemical Co$, #SA, International President Allan oardman, CISA, CISM, CGEIT, CRISC, ACA, CA /SA0, CISSP, Mor(an Stanle), #K, Vice President Juan "uis Carselle, Carselle, CISA, CGEIT, CRISC, -al1Mart, -al1Mart, Me2ico, Me2ico, Vice Vice President President Christos K$ Dimitriadis, Ph$D$, CISA, CISM, CRISC, INTRA".T S$A$, Greece, Vice President Ramses Galle(o, CISM, CGEIT, CCSK, CISSP, SCPM, 3 Si(ma, 4uest So5t*are, S!ain, Vice President Ton) Ton) 6a)es, CGEIT, A%C6SE, A%C6SE, C6E, %ACS, %ACS, %CPA, %CPA, %IIA, 4ueensland Goernment, Goernment, Australia, Australia, Vice President Je7 S!ie), CRISC, CPP, PSP, Securit) Securit) Ris& Mana(ement Mana(ement Inc$, Inc$, #SA, Vice Vice President President Marc Vael, Ph$D$, CISA, CISM, CGEIT, CISSP, Valuendo, el(ium, Vice President Kenneth "$ Vander -al, CISA, CPA, Ernst 8 9oun( ""P /retired0, #SA, Past International President Emil D:An(elo, CISA, CISM, an& o5 To&)o1Mitsu'ishi #%J "td$ /retired0, #SA, Past International President John 6o Chi, CISA, CISA, CISM, CRISC, CRISC, CCP, CCP, C%E, Ernst Ernst 8 9oun( 9oun( ""P, Sin(a!ore, Sin(a!ore, Director Director Kr)sten McCa'e, CISA, The 6ome De!ot, #SA, Director Jo Ste*art1Rattra), Ste*art1Rattra), CISA, CISM, CGEIT, CGEIT, CRISC, CSEPS, CSEPS, RM 6oldich, 6oldich, Australia, Australia, Dir

VPN Security Audit/Assurance Program Institute o5 Mana(ement Accountants Inc$ ISACA cha!ters ITGI %rance ITGI Ja!an Nor*ich #niersit) Socitum Per5ormance Mana(ement Grou! Sola) russels School o5 Economics and Mana(ement Strate(ic Technolo() Mana(ement Institute /STMI0 o5 the National #niersit) o5 Sin(a!ore #niersit) o5 Ant*er! Mana(ement School ASIS International 6e*lett1Pac&ard IM S)mantec Cor!$


able of Contents I& Introduction&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&D II& ?sing $his Gocument&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&  III& Controls *aturit# Anal#sis&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&8 IH& Assurance and Control 'rame"or!&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 10 H& /ecutive Summar# o Audit9Assurance 'ocus&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &&&&&&&&&&&&&&&&&11 HI& Audit9Assurance @rogram&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 1; 1& @lanning and Scoping the Audit&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&1; 6& @reparator# Steps&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& &&1D ;& +overnance&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 1 & @olic#&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&& 1< D& Coniguration&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&1 & *aintenance and *onitoring&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&6 HII& *aturit# Assessment&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&68 HIII& *aturit# Assessment vs& $arget Assessment&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&;;

I% Introduction

!eriew ISACA has developed the I' Assurance (ramework $* (I$A'$*) as a comprehensive and good practice%setting model& I$A' provides standards that are designed to be mandator#, and are the guiding principles under "hich the I$ audit and assurance proession operates& $he guidelines provide inormation and direction or the practice o I$ audit and assurance& $he tools and techni=ues provide methodologies, tools and templates to provide direction in the application o I$ audit and assurance processes&

VPN Security Audit/Assurance Program audit and assurance rame"or!& Since CS is "idel# used, it has been selected or inclusion in this audit9assurance program& $he revie"er ma# delete or rename these columns to align "ith the enterprise:s control rame"or!&

%oernance& Ris$ and Contro" o' I( +overnance, ris! and control o I$ are critical in the perormance o an# assurance management process& +overnance o the process under revie" "ill be evaluated as part o the policies and management oversight controls& -is! pla#s an important role in evaluating "hat to audit and ho" management approaches and manages ris!& oth issues "ill be evaluated as steps in the audit9assurance program& Controls are the primar# evaluation point in the process& $he audit9assurance program "ill identi# the control ob4ectives and the steps to determine control design and eectiveness&

Responsi)i"ities o' I( Audit and Assurance Pro'essiona"s I$ audit and assurance proessionals are e/pected to customie this document to the environment in "hich the# are perorming an assurance process& $his document is to be used as a revie" tool and starting point& It ma# be modiied b# the I$ audit and assurance proessionalJ it is not intended to be a chec!list or =uestionnaire& It is assumed that the I$ audit and assurance proessional has the necessar# sub4ect matter e/pertise re=uired to conduct the "or! and is supervised b# a proessional "ith the CISA designation and9or necessar# sub4ect matter e/pertise to ade=uatel# revie" the "or! perormed&

II% &sing his Document $his audit9assurance program "as developed to assist the audit and assurance proessional in designing and e/ecuting a revie"& Getails regarding the ormat and use o the document ollo"&

*or$ Program Steps

VPN Security Audit/Assurance Program document because it is standard or the audit9assurance unction and should be identiied else"here in the enterprise:s standards&

C!+I( ,-. Crossre'erence $he CI$ cross%reerence provides the audit and assurance proessional "ith the abilit# to reer to the speciic CI$ &1 control ob4ective that supports the audit9assurance step& $he CI$ control ob4ective should be identiied or each audit9assurance step in the section& *ultiple cross%reerences are not uncommon& Subprocesses in the "or! program are too granular to be cross%reerenced to CI$& $he audit9assurance program is organied in a manner to acilitate an evaluation through a structure parallel to the development process& CI$ provides in%depth control ob4ectives and suggested control practices at each level& As proessionals revie" each control, the# should reer to CI$ &1 or the I' Assurance )uide" *sing C#+I' or good%practice control guidance&

C!S! Components As noted in the introduction, CS and similar rame"or!s have become increasingl# popular among audit and assurance proessionals& $his ties the assurance "or! to the enterprise:s control rame"or!& While the I$ audit9assurance unction has CI$ as a rame"or!, operational audit and assurance proessionals use the rame"or! established b# the enterprise& Since CS is the most prevalent internal control rame"or!, it has been included in this document and is a bridge to align I$ audit9assurance "ith the rest o the audit9assurance unction& *an# audit9assurance enterprises include the CS control components "ithin their report and summarie assurance activities to the audit committee o the board o directors& 'or each control, the audit and assurance proessional should indicate the CS component(s) addressed& It is possible but generall# not necessar#, to e/tend this anal#sis to the speciic audit step level& $he original CS internal control rame"or! contained ive components& In 600, CS issued the ,nter!rise isk anagement ,0 Integrated (ramework1 "hich includes eight components& $he -* rame"or! has a business decision ocus "hen compared to the 2334 Internal Control5Integrated (ramework &

VPN Security Audit/Assurance Program (igure ')Com$arison of C*S* Internal Control and +R, Integrated (rameworks Internal Control—Integrated Framework ERM Integrated Framework

Control Activities Control activities are the policies and procedures that help ensure management directives are carried out& $he# help ensure that necessar# actions are ta!en to address ris!s to achievement o the entit#Ks ob4ectives& Control activities occur throughout the organiation, at all levels and in all unctions& $he# include a range o activities as diverse as approvals, authoriations, veriications, reconciliations, revie"s o operating perormance, securit# o assets and segregation o duties& Information and Communication  Inormation s#stems pla# a !e# role in internal control s#stems as the# produce reports, including operational, inancial and compliance%related inormation that ma!e it possible to run and control the business& In a broader sense, eective communication must ensure inormation lo"s do"n, across and up the organiation& ective communication should also be ensured "ith e/ternal parties, such as customers, suppliers, regulators and shareholders& ,onitoring Internal control s#stems need to be monitoreda process that assesses the =ualit# o the s#stem:s perormance over time& $his is acc omplished through ongoing monitoring activities or separate evaluations& Internal control deiciencies detected through these monitoring activities should be reported upstream and corrective actions should be ta!en to ensure continuous improvement o the s#stem&

Risk Res$onse- *anagement selects ris! responsesavoiding, accepting, reducing, or sharing ris!developing a set o actions to align ris!s "ith the entit#:s ris! tolerances and ris! appetite& Control Activities- @olicies and procedures are established and implemented to help ensure the ris! responses are eectivel# carried out&

Information and Communication- -elevant inormation is identiied, captured, and communicated in a orm and timerame that enable people to carr# out their responsibilities& ective communication also occurs in a broader sense, lo"ing do"n, across, and up the entit#&

,onitoring- $he entiret# o enterprise ris! management is monitored and modiications made as necessar#& *onitoring is accomplished through ongoing management activities, separate evaluations, or b oth&

Inormation or figure ' "as obtained rom the CS "eb site www.coso.org/a$outus.tm .

$he 16 Internal Control5Integrated (ramework addresses the needs o the I$ audit and assurance proessional control environment, ris! assessment, control activities, inormation and communication, and monitoring& As such, ISACA has elected to include them as a reerence in this document& When completing the CS component columns, consider the deinitions o the components as described in figure '&

Re'erence/0yper"in$ +ood practices re=uire the audit and assurance proessional to create a "or! paper that describes the "or!

VPN Security Audit/Assurance Program is based on a method o evaluating the organiation, so it can be rated rom a maturit# level o non%e/istent (0) to optimied (D)& $his approach is derived rom the maturit# model that the Sot"are ngineering Institute (SI) o Carnegie *ellon ?niversit# deined or the maturit# o sot"are development& $he I' Assurance )uide *sing C#+I' , Appendi/ HII*aturit# *odel or Internal Control ( figure 0) provides a generic maturit# model sho"ing the status o the internal control environment and the establishment o internal controls in an enterprise& It sho"s ho" the management o internal control, and an a"areness o the need to establish better internal controls, t#picall# develops rom an ad oc to an optimied level& $he model provides a high%level guide to help CI$ users appreciate "hat is re=uired or eective internal controls in I$ and to help position their enterprise on the maturit# scale&

,aturit/ 1evel 0 7on%e/istent

1 Initial9ad oc

6 -epeatable but Intuitive

; Geined

 *anaged and *easurable

(igure 0),aturit/ ,odel for Internal Control Status of the Internal Control +nvironment +stablishment of Internal Controls $here is no recognition o the need or internal control& Control is not part o the organisation:s culture or mission& $here is a high ris! o control deiciencies and incidents& $here is some recognition o the need or internal control& $he approach to ris! and control re=uirements is ad oc and disorganised, "ithout communication or monitoring& Geiciencies are not identiied& mplo#ees are not a"are o their responsibilities& Controls are in place but a re not documented& $heir operation is dependent on the !no"ledge and motivation o individuals& ectiveness is not ade=uatel# evaluated& *an# control "ea!nesses e/ist and are not ade=uatel# addressedJ the impact can be severe& *anagement actions to resolve control issues are not prioritised or consistent& mplo#ees ma# not be a"are o their responsibilities& Controls are in place and ade=uatel# documented& perating eectiveness is evaluated on a periodic basis and there is an average number o issues& Lo"ever, the evaluation process is not documented& While management is able to deal predictabl# "ith most control issues, some control "ea!nesses persist and impacts could still be severe& mplo#ees are a"are o their re sponsibilities or control& $here is an eective internal control and ris! management environment& A ormal, documented evaluation o controls

$here is no intent to assess the need or internal control& Incidents are dealt "ith as the# arise& $here is no a"areness o the need or assessment o "hat is needed in terms o I$ c ontrols& When perormed, it is onl# on an ad oc basis, at a high level and in reaction to signiicant incidents& Assessment addresses onl# the actual incident& Assessment o control needs occurs onl# "hen needed or selected I$ processes to determine the current level o control maturit#, the target level that should be reached and the gaps that e/ist& An inormal "or!shop approach, involving I$ managers and the team involved in the process, is used to deine an ade=uate approach to controls or the process and to motivate an a greed%upon action plan& Critical I$ processes are identiied based on value and ris! drivers& A detailed anal#sis is perormed to identi# control re=uirements and the root cause o gaps and to develop improvement opportunities& In addition to acilitated "or!shops, tools are used and intervie"s are perormed to support the anal#sis and ensure that an I$ process o"ner o"ns and drives the assessment and improvement process& I$ process criticalit# is regularl# deined "ith ull support and agreement rom the relevant business process o"ners&

VPN Security Audit/Assurance Program auditor& $hereore, an auditor should obtain the concerned sta!eholder:s concurrence beore submitting the inal report to the management& At the conclusion o the revie", once all indings and recommendations are completed, the proessional assesses the current state o the CI$ control rame"or! and assigns it a maturit# level using the si/%level scale& Some practitioners utilie decimals (/&6D, /&D, /&
I2% Assurance and Control (ramework

ISACA I( Assurance #ramewor$ and Standards $he ollo"ing sections in I$A' are relevant to virtual private net"or! (H@7) Securit# • • • • •

;D0I$ @rocesses ;0I$ Support o -egulator# Compliance ;;0&Inormation S#stems perations ;;0&<Inormation Securit# *anagement ;;0&117et"or! *anagement and Controls

VPN Security Audit/Assurance Program •

•

•

•

•

GSD&< Protection of security tecnology *a!e securit#%related technolog# resistant to tampering, and do not disclose securit# documentation unnecessaril#& GSD&8 Cry!togra!ic key management Getermine that policies and procedures are in place to organise the generation, change, revocation, destruction, distribution, certiication, storage, entr#, use and archiving o cr#ptographic !e#s to ensure the protection o !e#s against modiication and unauthorised disclosure& GSD& alicious software !re6ention1 detection and correction @ut preventive, detective and corrective measures in place (especiall# up%to%date securit# patches and virus control) across the organisation to protect inormation s#stems and technolog# rom mal"are (e&g&, viruses, "orms, sp#"are, spam)& GSD&10 Network security ?se securit# techni=ues and related management procedures (e&g&, ire"alls, securit# appliances, net"or! segmentation, intrusion detection) to authorise access and control inormation lo"s rom and to net"or!s& GS&6 Identification and maintenance of configuration items stablish coniguration procedures to support management and logging o all changes to the coniguration repositor#& Integrate these procedures "ith change management, incident management and problem management procedures&

-eer to the I$ +overnance Institute:s C#+I' Control Practices" )uidance to Acie6e Control #$7ecti6es for Successful I' )o6ernance1 2 nd ,dition, published in 600<, or the related control practice value and ris! drivers&

2% +3ecutive Summar/ of Audit4Assurance (ocus A virtual private net"or! (H@7) is a technolog# to protect data as the# travel through public net"or!s& $he Internet has modiied the manner in "hich enterprises interconnect their inormation net"or!s& Access can be over the Internet (public access) or over an e/tranet (trusted parties, e&g&, suppliers, customers, partners)& @reviousl#, an enterprise "ould lease dedicated communications lines bet"een sites or trusted business partners& $he Internet permits ubi=uitous connectivit#J ho"ever, an# data traversing a public net"or! can be captured b# unintended parties, thereb# potentiall# disclosing data& A H@7 provides a means to encr#pt data bet"een communicating parties&


+usiness Impact and Ris$ $he impact on the business transmitting data through public net"or!s and the accompan#ing ris! are signiicant& Gepending on the industr#, enterprises ma# e/perience outages and intrusion attempts or inancial gain, to obtain intellectual propert#, to create business disruption, to obtain sensitive private inormation, or to compromise national securit#& $he perpetrators o an intrusion can be e/ternal or internal, private government sponsored& $his activit# ma# increase the enterprise:s ris! o @ublic relations issues "ith the customers or the public (reputational ris!) • Inabilit# to compl# "ith regulator# processing re=uirements (regulator# and inancial ris!) • Inabilit# to perorm critical business unctions (operational and inancial ris!) • Inabilit# to maintain pa#roll and e mplo#ee privac# (regulator# and reputational ris!) • >oss o ph#sical or inormational assets (reputational and inancial ris!) • Inabilit# to meet contractual service level agreements (S>As) "ith third parties or customers (contractual • ris!) H@7 technolog#, i properl# conigured, "ill reduce the ris! associated "ith privileged data traversing a public net"or!&

!)1ectie and Scope *b.ective) $he ob4ective o the audit9assurance revie" is to provide management "ith an independent assessment o the H@7 implementation and ongoing monitoring9maintenance o the eectiveness o the supporting technolog#& Sco$e) $he audit9assurance revie" "ill ocus on H@7 standards, guidelines and procedures as "ell as the implementation and governance o these activities& $he revie" "ill rel# upon other operational audits o the incident management process, coniguration management and securit# o net"or!s and servers, securit# management and a"areness, business continuit# management, inormation securit# management, governance


2I% Audit4Assurance Program C*S*

C*BI Cross5 reference

Audit4Assurance Program Ste$

.- P"anning and Scoping the Audit 1&1 Define audit4assurance ob.ectives% $he audit9assurance ob4ectives are high level and describe the overall audit goals& 1&1&1 -evie" the audit9assurance ob4ectives in the introduction to this audit9assurance program& 1&1&6 *odi# the audit9assurance ob4ectives to align "ith the audit9assurance universe, annual plan and charter& 1&6 Define boundaries of review% $he revie" must have a deined scope& $he revie"er must understand the operating environment and prepare a proposed scope, sub4ect to a later ris! assessment& 1&6&1 @erorm a high%level "al!%through o the net"or! architecture using H@7%technolog#& 1&6&6 stablish initial boundaries o the audit9assurance revie"& 1&6&6&1 Identi# limitations and9or constraints aecting the audit& 1&; Define assurance% $he revie" re=uires t"o sources o standards& $he corporate standards deined in the polic# and procedure documentation establish the corporate e/pectations& At minimum, corporate standards should be implemented& $he second source, a good%practice reerence, establishes industr# standards& nhancements should be proposed to address gaps bet"een the t"o& 1&;&1 Getermine i CI$ and the appropriate securit# incident management rame"or! "ill be used as a good%practice reerence&

5 6016 ISACA& All rights reserved& @age 1;

t n e m n o r i v n , l o r t n o C

t n e m s s e s s A ! s i -

s e i t i v i t c A l o r t n o C

Reference Issue 6/$er5 Cross5 Comments link reference g n i r o t i n o *

VPN Security Audit/Assurance Program C*S*



1& Identif/ and document risk% $he ris! assessment is necessar # to evaluate "here audit resources should be ocused& $he ris!%based approach assures utiliation o audit resources in the most eective manner& 1&&1 Identi# the business ris! associated "ith the ailure to implement H@7 technologies and the ailure to implement H@7 technologies securel#& 1&&6 Identi# the technolog# ris! associated "ith the ailure to implement H@7 technologies and the ailure to implement H@7 technologies securel#& 1&&; Getermine i a H@7 architecture threat assessment and modeling processing process has been established and implemented& 1&& ased on ris! assessment, identi# changes to the scope& 1&&D Giscuss the ris! "ith I$, business and operational audit management, and ad4ust the ris! assessment& 1&D Define the change $rocess% $he initial audit approach is based on the revie"er:s understanding o the operating environment and associated ris!& As urther research and anal#sis are perormed, changes to the scope and approach "ill result& 1&D&1 Identi# the senior I$ audit9assurance resource responsible or the revie"& 1&D&6 stablish the process or suggesting and implementing changes to the audit9assurance program, and the authoriations re=uired& 1& Define assignment success% $he success actors need to be identiied& Communication among the I$ audit9assurance team, other assurance teams and the enterprise is essential& 1&&1 Identi# the drivers or a successul revie" (this should e/ist in the audit9assurance unction:s standards and procedures)& 1&&6 Communicate success attributes to the process o"ner or sta!eholder, and obtain agreement& 5 6016 ISACA& All rights reserved& @age 1








1&< Define audit4assurance resources re7uired% $he resources re=uired are deined in the introduction to this audit9assurance program& 1&<&1 Getermine the audit9assurance s!ills necessar# or the revie"& 1&<&6 Getermine the estimated total resources (hours) and time rame (start and end dates) re=uired or the revie"& 1&8 Define deliverables% Geliverables are not limited to the inal report& Communication bet"een the audit9assurance teams and the process o"ner is essential to assignment success& 1&8&1 Getermine the interim deliverables, including initial indings, status reports, drat reports, due dates or responses and the inal r eport& 1& Communicate% $he audit9assurance process is clearl# communicated to the customer9client& 1&&1 Conduct an opening conerence to discuss the revie" ob4ectives "ith the e/ecutive responsible or operating s#stems and inrastructure&

3- Preparatory Steps 6&1 *btain and review the current organi8ation chart for the s/stem and network administration areas& 1& Identi# the !e# net"or! administration sta, the securit# manager and the !e# net"or! user sta!eholders& 6& btain a cop# o the latest net"or! securit# ris! anal #sis, including an# inormation on s#stem, data and service classiications& ;& btain and revie" a cop# o the enterprise:s • • •

Securit# polic# Securit# strateg# or strategies Securit# procedures and standards 5 6016 ISACA& All rights reserved& @age 1D








• • • • • •

7et"or! architecture documentation 7et"or! inventor# or schematic o ph#sical net"or! components 7et"or! problem trac!ing, resolution and escalation procedures H@7%related documentation and vendor contracts Copies o signed user securit# and a"areness documents 7e" emplo#ee training materials relating to securit# -

•

elevant legal and regulator# inormation related to securit# and inormation access H@7 supplier contracts, S>As • Supplier due diligence selection criteria, process • usiness impact anal#sis (IA), business continuit# plans • (C@s),disaster recover# plans (G-@s) and all continuit# o operations plans Luman resources (L-) onboarding9oboarding procedures and standards • Inormation securit# remote access policies, procedures and standards • Inormation securit# mobile computing policies, procedures and • standards Inormation securit# "ireless net"or!ing standards • Inormation securit# acceptable use policies, procedures and standards • ncr#ption policies, procedures and standards • Incident response policies, procedures, standards • *onitoring and audit policies, procedures, standards • & Intervie" the senior securit# oicer and the I$ securit# administrator regarding H@7 implementation& D& Intervie" the technical support team leader or e=uivalent responsible or H@7 architecture, design, implementation, and maintenance processes and procedures&

4- %oernance ;&1 +3ecutive S$onsor Audit9Assurance b4ective $he H@7 implementation and maintenance is assigned to an 5 6016 ISACA& All rights reserved& @age 1












e/ecutive sponsor, "ho is responsible or its eective implementation and operations& & /ecutive -esponsibilit# and Accountabilit# o H@7%related @rocesses Control A senior e/ecutive "ithin the I$ organiation is responsible or the H@7 implementation, maintenance and oversight&

@& *1&D *6&D *&1

=

= = =

=

= = =

;&1&1&1 Identi# the senior e/ecutive responsible or the H@7 program& ;&1&1&6 btain the position description o the e/ecutive responsible or the H@7 program& ;&1&1&; Getermine i the position has cross%reporting to the business units and I$ management (securit#, administration, etc&) ;&1&1& btain meeting minutes and other documentation to support the responsibilities and accountabilit# o the e/ecutive sponsor& ;&6 Senior ,anagement Involvement in 2P9 Programs Audit9Assurance b4ective Senior management participates in !e# decisions related to H@7 programs& <& Senior *anagement versight o H@7 @rograms Control Senior management provides oversight o the H@7 programs, including revie" and approval o policies aecting their respective operations&

*1&D

;&6&1&1 Getermine i business units aected b# H@7 implementation participate in the revie" o policies aecting their business units& ;&6&1&6 Getermine i support unctions (e&g&, L-, corporate communications, compliance, inormation securit#) aected b# H@7 implementation participate in the revie" o H@7 policies&

5 6016 ISACA& All rights reserved& @age 1<








,- Po"icy &1 6R Policies Aligned :ith and Su$$ort 2P9 Policies Audit9Assurance b4ective H@7 policies align "ith and are integrated into L- policies& 8& L- @olicies Include -elated H@7 @olicies Control L- policies include H@7 disclosures, usage re=uirements as part o initial PonboardingP process and the annual emplo#ee ac!no"ledgement o use policies&

@&; @&

=

@&8 *;&1 *;&;

= = =

&1&1&1 btain a selection o L- policies relating to H@7 usage& &1&1&6 Getermine i H@7 usage policies are incorporated in the L- policies& &6 2P9 Policies in Com$liance :ith Cor$orate Policies Audit9Assurance b4ective H@7 policies align "ith corporate compliance policies& & H@7 @olicies Are in Compliance With Corporate Compliance and -elated @olicies Control Corporate compliance (inancial reporting, regulator# and statutor#) unctions revie" H@7 policies prior to implementation to assure adherence to appropriate re=uirements& &6&1&1 btain the corporate compliance policies relating to data securit# and privac#& &6&1&6 Getermine i H@7 re=uirements are a component o the policies& &6&1&; btain a selection o H@7 polic# proposals or modiications& &6&1& Getermine i corporate compliance representatives have revie"ed and provided documented approval o H@7 policies& &; 2P9 Policies in Com$liance :ith 1egal and Reg ulator/ Policies and Re7uirements Audit9Assurance b4ective H@7 policies align "ith legal and regulator# policies and re=uirements& 10& H@7 @olicies Are in Compliance With >egal -egulator# -e=uirements Control H@7 technologies are deined to satis# legal and regulator# re=uirements "ithin the enterpriseKs industr#&

@&8 *;&1 *;&6

&;&1&1 btain a selection o H@7 polic# proposals or modiications& &;&1&6 Getermine i the enterprise:s legal representatives have revie"ed and provided 5 6016 ISACA& All rights reserved& @age 18

= = =








documented approval o H@7 policies& & 2P9 Policies Align :ith Information Securit/ Audit9Assurance b4ective H@7 policies are in compliance "ith inormation securit# policies 11& H@7 @olicies Are Approved b# the Inormation Securit# 'unction Control $he inormation securit# unction assures compliance "ith inormation securit# polic# b# revie"ing inormation securit#%related H@7 policies prior to their adoption and implementation&

@&; @& GSD&1 *6&D *;&

=

@6&;

=

&&1&1 btain a selection o H@7 polic# proposals or modiications& &&1&6 Getermine i inormation securit# representatives have revie"ed and provided documented approval o H@7 policies& &D 2P9 Polic/ Integrated :ith +nter$rise;s Data Classification Polic/ Audit9Assurance b4ective Gata Classiication @olic# includes H@7 usage and coniguration re=uirements& 16& Gata Classiication @olic# H@7 -e=uirements Control $he data classiication polic# identiies H@7 re=uirements and coniguration or each data classiication& &D&1&1 btain the data classiication polic#& &D&1&6 Getermine i the data classiication polic# includes H@7 coniguration and usage re=uirements& &D&1&; Getermine i the H@7 coniguration and usage polic# includes speciic applications or data elements re=uiring H@7 usage& &D&1& Getermine i H@7 coniguration and usage polic# identiies unctions that must be e/ecuted using a H@7, and unctions that must be e/cluded rom e/ecution, "ith or "ithout a H@7&

5 6016 ISACA& All rights reserved& @age 1

=








5- Con6guration D&1 2P9 Architecture Audit9Assurance b4ective est securit# practices are implemented or the various H@7 architectures& @6&1 GSD& GSD&10

1;& dge -outers 1

=

1& dge -outer $ermination Control dge routers terminate at the net"or! ire"all and an eective ire"all coniguration applies appropriate iltering& D&1&1&1&1 Identi# edge routers "ithin the net"or! architecture& D&1&1&1&6 Getermine that the edge router terminates (a) at or in ront o the G*Q or (b) at an inline Intrusion @revention S#stem (I@S) deplo#ed bet"een the edge router and the ire"all& D&1&1&1&; Select a sample o edge routers& D&1&1&1& Getermine i the edge routers selected terminate at the ire"all or in the G*Q& 1D& dge -outer ncr#ption Control dge routers use as#mmetric !e#s supported b# a @ublic Ee# Inrastructure or alternativel#, one o the t"o standard s#mmetric !e# technologies, ;GS or AS 6 D&1&1&1&D Select a sample o edge routers&

= GSD&8 GSD&

D&1&1&1& Identi# the encr#ption coniguration in use to protect the data& D&1&1&1&< Getermine the eectiveness o the control o !e#s and digital certiicates&

1 $hese are deined as untrusted site%to%site connected net"or!s& 6 Consider perorming an audit o the @EI implementation using the ISACA ,-commerce and Pu$lic 8ey Infrastructure P8I0 Audit/Assurance Program & ncr#ption controls, including !e# storage, !e# maintenance, securit#, etc&, should be revie"ed& 5 6016 ISACA& All rights reserved& @age 60







D&1&1&1&8 Getermine i an untrusted partner "ould have the abilit# to compromise the private !e# structure& 1& $rusted -outers ; 1<& $rusted -outer $ermination Control $rusted routers terminate in a trusted G*Q or "ithin the net"or!, sub4ect to appropriate ire"all iltering & D&1&1&1& Identi# trusted router terminations "ithin the net"or! architecture&

GSD& GSD&10 GS&6

=

GSD&< GSD&8

=

@D& @&6 GSD&;

=

D&1&1&1&10 Getermine that the trusted router terminates in a designated G*Q designed "ith ire"all iltering appropriate to the data classiication o the data traversing the net"or! segment& D&1&1&1&11 Getermine that the designated G*Q is designed "ith ire"all iltering appropriate to the data classiication o the data traversing the net"or! segment& 18& $rusted -outer ncr#ption Control $rusted routers use s#mmetric !e#s supported b# appropriate !e# length, securit# o !e# storage and, "here appropriate, contracts9agreements  D&1&1&1&16 Select a sample o trusted router net"or!s& D&1&1&1&1; Identi# the encr#ption coniguration in use to protect the data& D&1&1&1&1 Getermine the eectiveness o the control o !e#s& D&1&1&1&1D Getermine i appropriate S>As, contracts and other legal remedies have been e/ecuted bet"een nonrelated parties& D&1&1&1&1 Getermine i a trusted partner "ould have the abilit# to compromise the !e# structure& 1& SS> H@7 60& Secure SS> H@7 Coniguration Control SS> H@7 is installed "ith a secure coniguration "hich mitigates its inherent "ea!nesses&

; $hese are deined as site%to%site net"or!s integrated into a "ide%area local area net"or! (>A7)&  $his generall# applies to e/tranets and non%o"ned net"or!s& 5 6016 ISACA& All rights reserved& @age 61





GSD& GSD&10 &1&1&1< btain the SS> H@7 Coniguration @olic#& D&1&1&1&18 Getermine i strong user authentication has been implemented& Consider $"o%actor authentication • @ass"ord A7G hard"are to!ens • Gigital certiicates • Smart cards • D&1&1&1&1 Getermine i user computer identit# veriication has been implemented ?ser computer validated to be in compliance "ith enterprise • securit# re=uirements and policies prior to connection& Halidation o user computer identit# and c oniguration includes • @ersonal ire"all coniguration Antivirus9mal"are coniguration and currenc# o pattern iles -e=uired securit# patches >imitation o split tunneling D valuation o registr# entries D&1&1&1&60 Getermine i a secure des!top solution or 2sandbo/ing3 has been implemented or connections not satis#ing or unable to validate computer identit# veriication& D&1&1&1&61 Getermine i the SS> H@7 provides or deletion o all session data rom the client:s cache, including ro"ser histor# • Internet temporar# iles • Coo!ies • Gocuments •

D $his enables net"or! traic to traverse separate net"or!s via the same net"or! connection& 5 6016 ISACA& All rights reserved& @age 66








@ass"ords • D&1&1&1&66 Getermine i the SS> H@7 provides a !e#stro!e logger detection s"eep prior to completing a connection& D&1&1&1&6; Getermine i session time%outs are implemented and "hat the time%out period is and determine i it complies "ith securit# policies, standards and procedures& D&1&1&1&6 Getermine i SS> veriication is re=uired prior to connection and denied i the SS> version level is at a lo"er level that securit# polic# dictates& D&1&1&1&6D Getermine i server certiicate support has been implemented and "ill onl# permit connection "ith a valid, authenticated certiicate& D&1&1&1&6 Getermine i resource availabilit#, s#stem unctionalit#, and application access are limited based on satis#ing the coniguration parameters considered above& D&1&1&1&6< Getermine i public computers (e&g&, Internet caRs, !ios!s, etc&) are permitted to connect to the SS> H@7& D&1&1&1&68 Getermine i client%side certiicates are re=uired, and i so, connection is contingent upon client%side certiicate veriication and authentication& 61& SS> H@7 A"areness @rogram Control ?ser education and securit# a"areness is provided on a regular basis and participation b# all users o the enterpriseKs H@7 acilities is re=uired&

GS1& GS<




D&1&1& valuate ho" the ollo"%up process is maintained to assure user participation& D&1&1&D Getermine i participation is documented in logs or sign%in sheets& 66& H@7 Appliances GS&6

5 6016 ISACA& All rights reserved& @age 6;

g n i r o t i n o *

= = =

D&1&1&6 Getermine that H@7 a"areness and securit# programs are routinel# and regularl# oered& D&1&1&; Getermine i the securit# a"areness program addresses H@7 use polic#&

6;& H@7 Appliance Coniguration and Hendor Support Control H@7 appliances are maintained "ith the most current coniguration,

Reference Issue 6/$er5 Cross5 Comments link reference

=







and support is readil# available rom the vendor& D&1&1&D&1 Heri# that the most current coniguration o the H@7 appliance has been applied& D&1&1&D&6 Getermine that a vendor support contract or vendor support option is available& 6& H@7 Appliance Coniguration est @ractices Control Hendor%suggested and other best practices are applied to H@7 appliance coniguration&

GSD&< GSD& GSD&10 GS&6

=

GSD& GSD&D GS&6 GS10

=

D&1&1&D&; Getermine i the H@7 appliance vendor oers best practice guidance& D&1&1&D& Getermine i the H@7 appliance coniguration is in compliance "ith vendor guidance& 6D& H@7 Clients Installed on Speciic Computers 6& H@7 Clients Are Securel# Conigured Control H@7 clients are conigured using vendor%suggested and other best practices in compliance "ith organiation securit# policies & D&1&1&D&D Getermine i strong user authentication has been implemented $"o%actor authentication • @ass"ord A7G hard"are to!ens, digital certiicates or smart • cards D&1&1&D& Getermine i user computer identit# veriication has been implemented ?ser computer is in compliance "ith organiation securit# • re=uirements and policies Halidation o user computer identit# and coniguration • @ersonal ire"all coniguration Antivirus9mal"are coniguration and currenc# o pattern iles -e=uired securit# patches 5 6016 ISACA& All rights reserved& @age 6





>imitation o split tunnelingD valuation o registr# entries D&1&1&D&< Getermine i resource availabilit#, s#stem unctionalit# and application access are limited to authoried individuals, based on satis#ing the coniguration parameters considered above& 6<& H@7 Clients Are Installed ased on Fob 'unctional 7eed Control H@7 clients are installed on user computers based on data classiication polic# o applications installed on computer or on another re=uest& D&1&1&D&8 Getermine i the data classiication polic# re=uires a H@7 be installed as a condition o accessing speciic sensitive data& D&1&1&D& Select a sample o computers "ith the H@7 installed and determine i the data classiication polic#9H@7 polic# is practiced& 68& H@7s Installed on 2 ring Oour "n Gevice3 Adhere to Inormation Securit# @olic# Control H@7s installed on non%enterprise o"ned e=uipment subscribe to minimum securit# standards& D&1&1&D&10 Getermine i user computer identit# veriication has been implemented ?ser computer in compliance "ith enterprise securit# • re=uirements and policies Halidation o user computer identit# and coniguration • @ersonal ire"all coniguration Antivirus9mal"are coniguration and currenc# o pattern iles -e=uired securit# patches >imitation o split tunnelingD valuation o -egistr# entries 6& H@7 Access Is -emoved ?pon $ermination or $ranser Control H@7 access is terminated or removed as part o the user deprovisioning process& D&1&1&D&11 btain the deprovisioning procedure&




@6&; GS&6

=

GSD& GSD&10 GS&6

=

GSD& GSD&10

=

5 6016 ISACA& All rights reserved& @age 6D








D&1&1&D&16 Getermine that the H@7 deactivation is part o the deprovisioning process& D&1&1&D&1; btain a sample o recent user terminations and determine that the H@7 privileges or the terminated users have been deactivated& ;0& H@7 Installation >ist -evie" Control $he list o installed H@7s is revie"ed at least annuall#& ;1& Getermine i a list o computers or users "ith H@7s installed e/ists& ;6& I the list e/ists, determine i the list is revie"ed at least annuall# to ensure that onl# authoried users have access to and have an installed H@7& D&6 2P9 Architecture Audit9Assurance b4ective $he H@7 architecture is revie"ed on a regular basis to ensure the solution is current and addresses the ris! and vulnerabilit# issues identiied in ris! assessments& ;;& H@7 Architecture -evie" Control H@7 architecture revie" is conducted on a regular basis& D&6&1&1 Getermine i the H@7 architecture revie" process is documented&

@6&1 @;

D&6&1&6 Getermine the date o the most re cent H@7 architecture revie"& D&6&1&; valuate the eectiveness o the most recent revie"& D&6&1& Getermine i a vulnerabilit# e/ists due to out%o%date technolog#&

7- 2aintenance and 2onitoring &1 Patch ,anagement Audit9Assurance b4ective H@7 technolog# is included in the routine patch management process& ;& @atch *anagement Administration Control @atch management o H@7 technolog# is included in the coniguration change management processes&

AI AI< GS&6

&1&1&1 Scan the change management s#stem or coniguration changes aecting the H@7 technologies& 5 6016 ISACA& All rights reserved& @age 6










&1&1&6 Getermine i the change management process implemented or H@7 maintenance is in compliance "ith the installation change management procedure& &6 Integration of 2P9 echnologies :ith the 6el$ Desk Audit9Assurance b4ective H@7 support re=uests are processed routinel# through the help des!& ;D& H@7 Support Is @rovided b# the Lelp Ges! Control H@7 support is a help des! tas! "ith appropriate controls and procedures&

GS8 GS10



GS;



&6&1&1 btain the help des! procedures& &6&1&6 Getermine i H@7 support tas!s are included in the help des! @rocedures& &6&1&; Getermine i H@7 issues are reported in the incident reporting9issue monitoring s#stem& &6&1& Select H@7 related incidents in the help des!, Incident -eporting, and9or Issue *onitoring S#stem& &6&1&D Getermine that the issues "ere closed on a timel# basis in an eective manner& &; 2P9 Ca$acit/ Planning Audit9Assurance b4ective H@7 utiliation and resources re=uirements are integrated into the installation capacit# plan& ;& H@7 Capacit# @lanning Control $he capacit# plan incorporated H@7 re=uired resources and such resources are activel# monitored& &;&1&1 btain the installation capacit# plan& &;&1&6 Getermine that H@7 technologies are included in the plan& &;&1&; valuate capacit# reports to determine that H@7 resource utiliation is monitored and the necessar# ad4ustments are implemented in a timel# manner&

5 6016 ISACA& All rights reserved& @age 6<









& 2P9 ,onitoring Audit9Assurance b4ective @rocesses e/ist to monitor H@7 usage and identi# unauthoried activities and H@7 usage& ;<& H@7 *onitoring Control H@7 usage is monitored or unauthoried use&

GSD&D

&&1&1 Getermine the process or revie"ing H@7 usage&  &&1&6 Select a sample o H@7 usage violations& Getermine ho" the violations "ere investigated and the actions ta!en&

 Gue to high volume, logging should be automated and unusual activities should be deined in an automated e/tract process& 5 6016 ISACA& All rights reserved& @age 68


2II% ,aturit/ Assessment $he maturit# assessment is an opportunit# or the revie"er to assess the maturit# o the processes revie"ed& ased on the results o audit9assurance revie"s, and the revie"er:s observations, assign a maturit# level to each o the ollo"ing CI$ &1 control practices& When completing this assessment, ocus the evaluation on ho" the H@7 implementation relates to each o the issues identiied in the ollo"ing table&

C*BI <%' Control Practice

Assessed ,aturit/

DS5.3 Identity Management 1& stablish and communicate policies and procedures to uni=uel# identi#, authenticate and authorise access mechanisms and access rights or all users on a need%to%!no"9need%to%have basis, based on predetermined and preapproved roles& Clearl# state accountabilit# o an# user or an# action on an# o the s#stems and9or applications involved& 6& nsure that roles and access authorisation criteria or assigning user access rights ta!e into account Sensitivit# o inormation and applications involved (data classiication) @olicies or inormation protection and dissemination (legal, regulator#, internal policies and contractual re=uirements) -oles and responsibilities as deined "ithin the enterprise $he need%to%have access rights associated "ith the unction Standard but individual user access proiles or common 4ob roles in the organisation -e=uirements to guarantee appropriate segregation o duties ;& stablish a m ethod or authenticating and authorising users to establish responsibilit# and enorce access rights in line "ith sensitivit# o inormation and unctional application re=uirements and inrastructure components, and in compliance "ith applicable la"s, regulations, internal policies and contractual agreements& & Geine and implement a procedure or identi#ing ne" users and recording, approving and maintaining access rights& $his needs to be re=uested b# user management, approved b# the s#stem o"ner and implemented b# the responsible securit# person& D& nsure that a timel# inormation lo" is in place that reports changes in 4obs (i&e&, people in, people out, people change)& +rant, revo!e and adapt user access rights in co%ordination "ith human resources and user departments or users "ho are ne", "ho have let the organisation, or "ho have changed roles or 4obs& • •

• • • •

5 6016 ISACA All rights reserved& @age 6

arget ,aturit/

Reference 6/$er5 link

Comments



Assessed ,aturit/

DS5.4 User Ao!nt Management 1& nsure that access control procedures include but are not limited to ?sing uni=ue user IGs to enable users to be lin!ed to and held accountable or their actions A"areness that the use o group IGs results in the loss o individual accountabilit# and are permitted onl# "hen 4ustiied or business or operational reasons and compensated b# mitigating controls& +roup IGs must be approved and documented Chec!ing that the user has authorisation rom the s#stem o"ner or the use o the inormation s#stem or service, and the level o access granted is appropriate to the business purpose and consistent "ith the organisational securit# polic# A procedure to re=uire users to understand and ac!no"ledge their access rights and the conditions o such access nsuring that internal and e/ternal service providers do not provide access until authorisation procedures have been completed *aintaining a ormal record, including access levels, o all persons registered to use the service A timel# and regular revie" o user IGs and access rights 6& nsure that management revie"s or reallocates user access rights at regular intervals using a ormal process& ?ser access rights should be revie"ed or reallocated ater an# 4ob changes, such as transer, promotion, demotion or termination o emplo#ment& Authorisations or special privileged access rights should be revie"ed independentl# at more re=uent intervals& • •

•

•

•

•

•

DS5.5 Se!rity "esting# S!r$eillane and Monitoring 1& Implement monitoring, testing, revie"s and other controls to @romptl# prevent9detect errors in the results o processing @romptl# identi# attempted, successul and unsuccessul securit# breaches and incidents Getect securit# events and thereb# prevent securit# incidents b# using detection and prevention technologies Getermine "hether the actions ta!en to resolve a breach o securit# are eective 6& Conduct eective and eicient securit# testing procedures at regular intervals to Heri# that identit# management procedures are eective Heri# that user a ccount management is eective Halidate that securit#%relevant s#stem parameter settings are deined correctl# and are in compliance "ith the inormation securit# baseline Halidate that net"or! securit# controls9settings are conigured properl# and are in compliance "ith the inormation securit# baseline Halidate that securit# monitoring procedures are "or!ing properl# Consider, "here necessar#, obtaining e/pert revie"s o the securit# perimeter • • •

•

• • •

•

• •

5 6016 ISACA All rights reserved& @age ;0

arget ,aturit/


Comments



Assessed ,aturit/

DS5.% &rotetion o' Se!rity "e(nology 1& nsure that all hard"are, sot"are and  acilities related to the securit# unction and controls, e&g&, securit# to!ens and encr#ptors, are tamperproo& 6& Secure securit# documentation and speciications to prevent unauthorised access& Lo"ever, do not ma!e securit# o s#stems reliant solel# on sec rec# o securit# speciications& ;& *a!e the securit# design o dedicated securit# technolog# (e&g&, encr#ption algorithms) strong enough to resist e/posure, even i the securit# design is made available to unauthorised individuals& & valuate the protection mechanisms on a regular basis (at least annuall#) and perorm updates to the protection o the securit# technolog#, i necessar#& DS5.) Cry*togra*(i +ey Management 1& nsure that there are appropriate procedures and practices in place or the generation, storage and rene"al o the root !e#, including dual custod# and observation b# "itnesses& 6& *a!e sure that procedures are in place to determine "hen a root !e# rene"al is re=uired (e&g&, the root !e# is compromised or e/pired)& ;& Create and maintain a "ritten certiication practice statement that describes the practices that have been implemented in the certiication authorit#, registration authorit# and director# "hen using a public%!e#%based encr#ption s#stem& & Create cr #ptographic !e#s in a secure manner& When possible, enable onl# individuals not involved "ith the operational use o the !e#s to create the !e #s& Heri# the credentials o !e# re=uestors (e&g&, registration authorit#)& D& nsure that cr#ptographic !e#s are distributed in a secure manner (e& g&, oline mechanisms) and stored securel#, that is In an encr#pted orm regardless o the storage media used (e&g&, "rite%once dis! "ith encr#ption) With ade=uate ph#sical protection (e&g&, sealed, dual custod# vault) i stored on paper & Create a process that identiies and revo!es compromised !e#s& 7oti# all sta!eholders as soon as possible o the compromised !e#& <& Heri# the authenticit# o the counterpart# beore establishing a trusted path& •

•


arget ,aturit/


Comments



Assessed ,aturit/

DS5., Maliio!s So'tware &re$ention# Detetion and Corretion 1& stablish, document, communicate and enorce a malicious sot"are prevention polic# in the organisation& nsure that people in the organisation are a"are o the need or protection against malicious sot"are, and their responsibilities relative to same& 6& Install and activate malicious sot"are protection tools on all processing acilities, "ith malicious sot"are deinition iles that are updated as re=uired (automaticall# or semi% automaticall#)& ;& Gistribute all protection sot"are centrall# (version and patch%level) using centralised coniguration and change management& & -egularl# revie" and evaluate inormation on ne" potential threats& D& 'ilter incoming traic, such as email and do"nloads, to protect against unsolicited inormation (e&g&, sp#"are, phishing emails)& DS5.- /etwork Se!rity 1& stablish, maintain, communicate and enorce a net"or! securit# polic# (e&g&, provided services, allo"ed traic, t#pes o connections permitted) that is revie"ed and updated on a regular basis (at least annuall#)& 6& stablish and regularl# update the standards and procedures or administering all net"or!ing components (e&g&, core routers, G*Q, H@7 s"itches, "ireles s)& ;& @roperl# secure net"or! devices "ith special mechanisms and tools (e&g&, authentication or device management, secure communications, strong authentication mechanisms)& Implement active monitoring and pattern recognition to protect devices rom attac!& & Conigure operating s#stems "ith minimal eatures enabled (e&g&, eatures that are necessar# or unctionalit# and are hardened or securit# applications)& -emove all unnecessar# services, unctionalities and interaces (e&g&, graphical user interace M+?IN)& Appl# all relevant securit# patches and ma4or updates to the s #stem in a timel# manner& D& @lan the net"or! securit# architecture (e&g&, G*Q arc hitectures, internal and e/ternal net"or!, IGS placement and "ireless) to address processing and securit# re=uirements& nsure that documentation contains inormation on ho" traic is e/changed through s#stems and ho" the structure o the organisation:s internal net"or! is hidden rom the outside "orld& & Sub4ect devices to revie"s b# e/perts "ho are independent o the implementation or maintenance o the devices&


arget ,aturit/


Comments



Assessed ,aturit/

arget ,aturit/

DS,.0 Identi'iation and Maintenane o' Con'ig!ration Items 1& Geine and implement a polic# re=uiring all coniguration items and their attributes and versions to be identiied and maintained& 6& $ag ph#sical assets according to a deined polic#& Consider using an automated mechanism, such as barcodes& ;& Geine a polic# that integrates incident, change and problem management procedures "ith the maintenance o the coniguration repositor#& & Geine a process to record ne", modiied and deleted coniguration items and their relative attributes and versions& Identi# and m aintain the relationships bet"een coniguration items in the coniguration repositor#& D& stablish a process to maintain an audit trail or all changes to coniguration items& & Geine a process to identi# critical coniguration items in relationship to business unctions (component ailure impact anal#sis)& <& -ecord all assetsincluding ne" hard"are and sot"are, procured or internall# developed "ithin the coniguration management data repositor#& 8& Geine and implement a process to ensure that valid licences are in place to prevent the inclusion o unauthorised sot"are&

2III% ,aturit/ Assessment vs% arget Assessment $his spider graph is an e/ample o the assessment results and maturit# target or a H@7 securit# assessment&

5 6016 ISACA All rights reserved& @age ;;


Comments

VPN Security Audit Assurance Program Icq Eng 1012

Recommend Documents