Overseeing Compliance of Security Operations ◾ 229
© 2011 by Taylor & Francis Group, LLC
a copy and the original certicate remains within the browser software. ere are
export options that provide the ability to make either a fully functioning copy or
a limited copy. When exporting a digital key, good business practice is to use the
high security setting to provide maximum protection for the private key. Make at
least one copy of your digital certicate(s) and store them on removable media in a
secure place. e ability to recover a corrupt private key is critical to ensure that you
can get to any encrypted messages or data using that private key.
Auditing
An audit is an evaluation of people, process, technology, and environment against a
prescribed baseline to ascertain the degree of adherence to that baseline. A nancial
audit may evaluate the level of adherence to generally accepted accounting prin-
ciples. A security audit may evaluate internal adherence to the enterprise security
standard (ESS). A legislative compliance audit may evaluate compliance with legis-
lation (e.g., a Sarbanes-Oxley compliance audit).
Security Audit Process
An audit ensures appropriate security preparation and practice. e audit process
generally consists of planning, discovery, analysis, reporting, and follow-up. Plan-
ning obtains management permission and identies the scope of the audit, the
focus of the audit, whether the audit will be an internal audit or an external audit,
and the standard of comparison for the audit. Audit planning also identies or
develops audit interview questions, and audit guide, checklist, and report templates
to ensure consistency among team members and completeness upon producing the
nal report. Audits take time and money and are intrusive to both enterprise data
and enterprise personnel; management approval is important to justify the audit
and to obtain cooperation from personnel during the audit process.
e scope of the audit describes the standard you are auditing against and the
part of the enterprise on which you are focusing. A security audit may focus on
the entire ESS or industry standard, or focus on just a part. e focus depends
entirely on the audit objectives. e audit may focus on all or parts of the enterprise,
including information technology, the physical environment, operations, a specic
software application, or administrative practices managing information and infor-
mation technology. One reason for a partial audit is cost management, e.g., a tech-
nical audit this scal year and a physical audit next year.
Another reason for a partial audit may be recent litigation that made the news.
For example, if a company is found to be liable for disclosing customer data because
of a weak password policy and practice, it may make sense to perform an audit on
password policy and practices to ensure that your organization adheres to the mini-
mal standards as expressed by the litigation ndings. is is a bit reactionary, but
the establishment of a litigation precedent is a good reason for a partial audit.
230 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
An internal audit is performed on the enterprise by the enterprise. An internal
audit may be preliminary to an external audit to discern and x obvious problems
prior to the external audit. An objective third party performs an external audit.
ese external auditors will attest to the depth and breadth of the audit, and the
accuracy of the results. For both internal and external audits, dene the scope and
stay within that scope.
Discovery is all the eld work that determines the physical location of people,
technology, and data (e.g., log les) and includes interviews, hands-on verication,
visual review for verication, and obtaining all relevant documentation. Log les
may be a very good source of data to view congurations, access, transactions, and
other activities; however, the volume of data in log les can be overwhelmingly
large and well beyond the capacity of manual analysis. ere are many commer-
cially available log analyzers to help consolidate and analyze log data.
Analysis evaluates all the data gathered during the discovery phase and com-
pares it to the security standard. e results of the analysis may be a subjective report
expressing an opinion or an objective report including statistics and graphs. e latter
is a bit more dicult to prepare for because there must be metrics assigned to the stan-
dard and to the discovery data. e report will include all ndings, highlight the most
important ndings in the opinion of the auditor, and express priorities in addressing
any gaps found between actual practice and practices expressed in the standard.
e follow-up activities result in changes to the enterprise’s people, process,
technology, and environment to bring current practices closer to adherence with
the standard. Follow-up activities may take years to accomplish depending on the
size of the gap, available resources for gap closure, and budget cycles to pay for labor
and materials necessary to close the gaps.
All audits should be subject to good project management practices that include
building a qualied team and establishing dates, work breakdown structure, depen-
dencies, milestones, and deliverables. Qualied team members should have the
appropriate certications (e.g., Certied Information System Security Professional
(CISSP), Information System Security Management Professional (ISSMP)), educa-
tion, experience, and personality. Knowledge of the organization provides insight
into processes and the overall big picture of organizational vision, mission, and
activities that fulll the mission.
Organizational knowledge includes the organizational hierarchy of depart-
ments, the expected products and services (both internally consumed [e.g., human
resources] and externally consumed [e.g., products sold to customers]), the func-
tions that produce these products and services, the people who perform the func-
tions, and the technology they use. Diagramming the organization will help the
auditor understand operations. One diagramming method is a Suppliers-Inputs-
Process-Outputs-Customers (SPIOC) diagram.
e auditor should have intimate knowledge of the security standard that is the
basis for the audit. If the standard is vague in any respect, clarify the standard by
writing an interpretation guide specic to the organization receiving the audit. is
Overseeing Compliance of Security Operations ◾ 231
© 2011 by Taylor & Francis Group, LLC
is especially important if multiple auditors or multiple auditing teams will work
independently and then attempt to consolidate their results into a single analysis
and ndings report.
Audits do fail, however, and they fail for some common reasons:
◾ e scope is ill dened.
◾ e scope is too large for the time allotted or available resources (e.g., auditors).
◾ Poor planning.
− No audit guide or checklist; inadequate audit guide or checklist.
◾ Poor execution.
− Failure to follow the guide and checklist; the auditors improvise instead
of executing the plan.
◾ Poor schedule management.
Security Audit Results
A Preliminary Audit Report Comment (PARC) communicates audit ndings to
the organization receiving the audit. Developing a PARC template during the plan-
ning phase will help guide the audit and expedite PARC generation. e PARC will
include ndings on noncompliance with policies, standards, procedures, and prac-
tice; include weaknesses in internal controls or missing internal controls; highlight
key ndings that may pose the highest risk; include ramications of noncompliance
like nes, jail time, loss of market share or goodwill, loss of assets, and other business
risks; highlight recommended priorities for addressing noncompliance; and gener-
ally include recommendations on correcting or improving the current situation.
Both a written report and a live presentation of results are likely. If you are
the auditor, prepare for hard questions during the presentation and to justify your
ndings. If you are on the receiving end of the audit report, then ask for the report
prior to the presentation and prepare hard questions and have the auditors justify
their ndings.
e most important part of the audit process is audit follow-up, i.e., those activ-
ities that occur subsequent to the audit that improve or correct noncompliance.
If there is noncompliance with legislative mandates, there may be a time limit to
take corrective action. ese should rank high on the priority list. Improvements
and corrective action take time and money; coordinating with management is nec-
essary to allocate appropriate budget and personnel for corrective action in balance
with maintaining acceptable operation levels.
Technology
In a given environment, people perform processes using technology to produce results.
Security operations technology that is subject to compliance or is supportive of
compliance management includes the following:
232 ◾ Official (ISC)
2
® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
◾ Inventory management
◾ Access control
◾ Anti-malware
◾ Operating systems
Inventory Management
Inventory management, or inventory control, is the set of policies, standards, and
procedures to maintain optimum inventory levels, track the location of enterprise
assets, and schedule inventory replacement. From a technology perspective, inven-
tory management includes hardware, software, and congurations and all those
aspects necessary to provide eective and ecient business operations. From a secu-
rity perspective, the purpose of inventory management is to prevent the loss of
equipment (e.g., misplacement), facilitates the recovery of equipment in the event
of disaster or failed equipment, prevents the violation of software licensing agree-
ments, and prevents the unauthorized installation of hardware and software, and
unauthorized modications to conguration settings.
Eective inventory management addresses legislative compliance requirements,
e.g., the ability to track the location of systems with healthcare information or track
systems with corporate nancial data. Moreover, inventory management is addressed
in most industry security standards like ISO 27002 and NIST SP 800-53. Inventory
management addresses the possession and availability of core security principles.
Also, eective inventory management is critical for patch management. Upon
receiving notice of a newly discovered vulnerability and an accompanying patch
to x that vulnerability, inventory management shows you how many systems are
aected and their location. Such knowledge translates into resource planning,
scheduling, and cost for patch installation.
Hardware
e enterprise invests a lot of money in hardware, and the ability to track the loca-
tion and status of this investment is good business practice. More importantly, the
loss of the asset may not be nearly as costly as the loss of the business function that
the asset provides. Hardware tracking includes servers, PCs, and components like
network cards and video cards, networking equipment like routers and switches,
information technology security devices like rewalls and intrusion detection sys-
tems, and so on.
Inventory control may apply to all enterprise assets and not just information technol-
ogy. Useful details to track in an inventory management system include the following:
◾ Computer name
◾ Computer model
◾ Serial number
Overseeing Compliance of Security Operations ◾ 233
© 2011 by Taylor & Francis Group, LLC
◾ Supplier, so you know who to go to for questions, service, updates
◾ Date acquired, to track mean time between failure (MTBF)
◾ Warranty dates, to manage enterprise expense in the event of failure
◾ Location, to know where to go for problem response
◾ Function, including technical function and business function
◾ Assigned user
◾ Owner or accountability, to know who to call with questions or requests
◾ MAC address for automated inventory check
e Simple Network Management Protocol (SNMP) and Cisco Discovery
Protocol (CDP) are two examples of software that may retrieve MAC addresses and
validate against the inventory database. Missing MAC addresses prompt further
investigation to determine if the equipment is faulty, turned o, or missing. Having
an individual contact name and e-mail accountable for the hardware enables an
automated e-mail message with a copy to the Help Desk.
Software
Software inventory management enables tracking of how many of application X
are installed on enterprise systems, what this number is compared to the number of
licenses purchased, the location of original software installation media and license
keys, what versions are installed, whether these versions need patching to mitigate
the latest vulnerability notice, whether it is time to upgrade, etc.
Tracking software helps with adherence to licensing agreements and digital
rights management (DRM). An unauthorized copy of copyrighted software or
media in soft form opens the enterprise to liability issues. Knowing the con-
tents of PCs, servers, and portable media helps avoid potential litigation against
the enterprise.
Policies inform employees of the organization’s right to inventory software and
media contents for review. Additional policies should provide potential disciplinary
action for nding unauthorized software or media. Such unauthorized software
may introduce malware to the enterprise network as well as put the enterprise at
risk for hosting illegal material like illegal music or video les.
Many endpoint security solutions (those running on individual PCs) are bun-
dling anti-malware, personal rewall, and intrusion detection software. An addi-
tional feature includes the implementation and enforcement of whitelist, blacklist,
and greylist software applications. A whitelist is an enumeration of all permissible
applications; a blacklist enumerates all impermissible applications; and a greylist
enumerates applications that may be run under certain conditions. Maintaining a
blacklist could be quite an eort … a list of all those software programs not per-
mitted to execute on that platform. An easier approach is to list all those software
programs that may be run and exclude anything not on the list; this is the classic
anything not explicitly permitted is denied. Software inventory will check for the
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.