264
A Practical Guide to Security Assessments
to mitigate those risks. Existence of an IT audit function means that there
is probably some focus on information security. The audit group’s reports,
if available, are worth reviewing because they typically identify control
and security issues discovered during audits.
Client Response:
13. Is information security a separate item on the budget?
Guidance:
Whether security is budgeted for separately or whether it is included in a general IT or other budget line item may indicate the client's commitment to security. If it is a separate line item, it is more likely that money will be spent on security. If security initiatives are part of another more general budget line item, it will be prioritized against other initiatives. The risk is that in times (like currently) where budgets are being slashed, security might not be a top priority. When compared to other IT initiatives that directly enhance business processes or enable revenue, it can be difficult to justify spending on security.
Client Response:
GENERAL INFORMATION TECHNOLOGY
14. Describe your current environment.
• Number of:
  • Servers by location
  • Desktops by location
  • Other systems by location
• What operating systems (and versions) are you running?
• What network operating system (and versions) are you running?
• Critical applications
Guidance:
The answers to the question above provide some demographic information on what the IT environment looks like and an indication of where the significant IT operations might be. This information will demonstrate how up to date the client is on technology, which is an important aspect in assessing risk. If the client is running old systems with known vulnerabilities, this should be a red flag. A related question when drilling down into the details is whether the client has kept up with security patch levels, which is particularly important considering recent virus outbreaks. This information will also help in determining the specific tasks of the assessment and how to prioritize the work.
AU1706_book.fm Page 264 Wednesday, July 28, 2004 11:06 AM
Client Response:
15. Do you have a process for ensuring that security patches are applied to
systems on a timely basis?
Guidance:
Many security vulnerabilities that are exploited today are a result of patches not being kept up to date. This is something that you will probably end up verifying by doing scans during the Technology Review phase.
Client Response:
16. Do you have standards for hardware and software? Are there standard
builds that are used for computers?
Guidance:
Systems will have a better chance of being secure with strong hardware and software standards in which security is part of the standard. Also, with similar systems, it is easier to implement security recommendations.
Client Response:
17. Is there an asset management process in place?
Guidance:
All IT assets should have assigned owners to ensure that they are accounted for and protected. IT assets should be tied into the personnel hire and termination process to help ensure assets are properly accounted for and returned when an employee is terminated. A good asset management process also facilitates obtaining an accurate inventory of IT assets.
Client Response:
18. Describe your remote access environment.
• How many remote access users do you have? What percentage are home users and how many travel?
• How are the users obtaining remote access — e.g., virtual private network (VPN), dial-up
• What resources are users accessing remotely?
• Do third parties remotely access your systems?
• What technology is being used for remote access?
• Are there any planned changes for remote access?
Guidance:
The workforce is becoming more mobile than ever. Telecommuting is becoming very common, as employees work from home, allowing companies to save money and have some flexibility in their hiring practices. Employees are traveling and remotely accessing internal network resources to do their jobs. Understanding the nature of these other connections and what they are accessing remotely can help scope some of the technical parts of the security assessment. Some security concerns related to remote access include:
• Availability — Availability is a major issue because some employees, such as telecommuters, might be totally dependent on remote access to do their jobs.
• Access Control — Similar to access control in a regular network environment, users' access should be limited to what they need to do their jobs.
At this stage, you may not receive answers to all of the remote access questions, as some of them are a little detailed.
Client Response:
19. Do you have any business-to-business (B2B) partner arrangements?
Guidance:
B2B arrangements pose a whole new set of security risks because other companies are accessing the company's systems. Ensuring that business partners can only access what they need access to is a challenge that requires cooperation between both the client and the business partner. The technology and processes must be in place to ensure the confidentiality and integrity of information and the availability of the B2B connection. If the client is engaged in B2B activities, a separate, more detailed evaluation should be done that reviews the nature of the relationship, supporting IT infrastructure, applications, and any other aspects of the IT environment. There is a separate questionnaire for B2B activities later in Appendix K.
Client Response:
20. Do you engage in any electronic commerce activities and offer products
and services over the Internet? Do you conduct any financial transactions
over the Internet?
Guidance:
E-commerce activities where financial transactions are taking place are a prime target for hackers and the like. Companies engaged in e-commerce are very concerned with guarding consumers' personal information and the availability of the companies' Web sites. Some of the potential risks they face are damage to their reputation and consumers not being able to access their site — both of which can lead to a loss of revenue and a permanent loss of customers. Similar to B2B, if the client is engaged in e-commerce activities, a more detailed evaluation should be done of the supporting IT infrastructure, applications, and other aspects of the IT environment. There is a separate questionnaire later in the Appendices devoted to e-commerce activities.
Client Response:
21. Do you outsource any of your business functions?
Guidance:
Many companies outsource various business functions such as payroll, certain accounting functions, and information technology for a number of reasons, including cost and the desire to concentrate on core competencies. Outsourcing potentially introduces significant security concerns because the function is mostly out of the client's control. The risk will vary based on what is outsourced and the related internal control and security environment. Companies that outsource IT and security need to be very vigilant in ensuring that their information receives an adequate level of security. Regardless of what is outsourced, the company is still ultimately accountable. If the company is outsourcing security functions, you can drill down further using the Managed Security questionnaire in Appendix D.
Client Response:
SECURITY
22. Do you have any security policies in place and are they readily accessible
by employees?
Guidance:
Security policies are the foundation of any information security program. Policies provide the basis for everything that is done to secure the enterprise. Some companies will have a full set of security policies, but others will have the basic acceptable use or Internet usage policy and nothing else. A lack of security policies has the following effects:
• It makes it difficult to enforce security; there are no documented security policies to enforce.
• Security-related roles and responsibilities are not clear; employees do not know what is expected of them in terms of security.
• There is a risk that security is a set of point solutions that do not necessarily address the risks the company is facing.
If a client does not have a set of policies, it should be flagged as a finding.
Client Response:
23. Do you have security policies for the following at a minimum?
• Acceptable use
• Data classification
• Data retention
• User ID administration
  • Obtaining initial access
  • Termination of access
  • Periodic review of user access lists
• Backup and recovery
• Incident handling
• Business continuity and disaster recovery
• Change management
• Physical security
Guidance:
The policies listed above are a basic set of policies that most companies should probably have because they address common security processes. If these policies do not exist, it is possible that the client is not performing these processes in a consistently secure manner. As stated in the earlier question, security policies are the foundation of an information security program. It is important to note that clients should be able to show documented policies — not a policy that is verbally known to people. Policies or processes in people's heads do not do any good—they must be documented.