Information Systems Audit Report


Audit Report – Group 1
Date: November 15, 2007
Audit Number: 001
Period Reviewed: October 25 – November 15, 2007
Scope of Audit: Network Topology Evaluation; Basic Audit Report
Audit Team Members: Amy Steed & Pete Klabe
Name of Audit: Case Study 1

EXECUTIVE SUMMARY:

Audit Team 1 was commissioned on October 25, 2007 to investigate concerns regarding the network topology of Mandem Incorporated. Our report findings will address some critical, as well as unsatisfactory, issues regarding the internal Mandem network infrastructure. There are additional concerns regarding unmet regulatory requirements as well as various call center concerns, both in contract (SLA) and physical access, that require immediate attention. These red flags will be reviewed in the following audit report.

The initial investigation request needed to be slightly broadened in order to avoid an oversight of a parochial nature, in which only issues of network security would be addressed. The team found several unanswered questions regarding information protection, privacy governance, and information integrity that needed to be asked.

The following taxonomy categorizes the findings into four areas impacting criticality, materiality and regulatory requirements: Critical (regulatory compliance issue/high risk to business materiality); Unsatisfactory (not as severe as critical, but needing to be addressed within the next 6 months); Dissatisfactory (not meeting IT governance benchmark processes and policies); and Satisfactory (meeting required thresholds).

Critical:
- No Business Continuity Plan/Disaster Recovery Plan.
- Asset protection to address minimum levels required by law and contract (PII information protection, confidentiality, integrity and assurance).
- Segregation of duties: access to critical areas by personnel conflicts with regulatory requirements for PII.
- Physical controls and logical controls need to be verified and tested for compliance.

Unsatisfactory:
- The Service Level Agreement (SLA) for the call centers needs to be evaluated against business goals and regulatory requirements.
- The proxy server at the call center maintained by Mandem needs to be evaluated for the security of PII.
- IT governance issues need to be addressed regarding IT policies, procedures and processes for in-house servers, firewalls, access controls and the database.
- IDS should be proactive; the possible use of IPS and HIDS on critical systems needs to be addressed.
- Passwords on the DB2 server are not being used, authentication is not encrypted, and access on the DB server needs to be validated and tested.
- Backup cycle of the system and offsite backup of server information.

Dissatisfactory:
- A need to clearly identify and inventory the Information Systems for IT audit.
- Direct access to the Mandem internal network once authenticated with the call center server does not address the four-layer security benchmarks (network, platform, database and application).

Satisfactory:
- Patch management cycle needs to be verified (OS and application rollouts).
- IT policy regarding removal of access for terminated employees from both the call center and Mandem.
- IT policies and procedures are adhered to by personnel.

THE AUDIT PROCESS:

One of the most important assets of an enterprise is its information. The integrity and reliability of that information and the systems that generate it are crucial to an enterprise's success. The first step in determining the integrity and reliability of Mandem's most valuable assets is to identify those assets, determine their value, risk and vulnerabilities, and then isolate those that are critical to Mandem's business model.

The following highlights the areas that need to be addressed in order to provide an effective IT Governance Policy and for an effective Audit Charter to be created:
1. Processes for evaluating and approving projects to ensure that projects commence only if there is sufficient business benefit.
2. Mechanisms for project oversight that ensure the implementation of appropriate control processes, the management of risks to the realization of project outcomes and to the business, and the successful achievement of business benefits.
3. Sound project management practices on a day-to-day basis to ensure that the project achieves its objectives.
4. Appropriate feedback mechanisms to the executive and the board on progress in meeting business goals.
Corporate business objectives need to be identified and clearly defined in order to provide a direction for IT governance. Effective IT governance helps ensure that IT supports business goals, optimizes business investment in IT, and appropriately manages IT-related risks and opportunities. IT governance is the responsibility of executives and the board of directors, and consists of the leadership, organizational structures and processes that ensure that the enterprise's IT sustains and extends the organization's strategies and objectives.

Questions that should be asked are: How does the enterprise get IT under control such that it delivers the information the enterprise needs? How does it manage the risks and secure the IT resources on which it is so dependent? How does the enterprise ensure that IT achieves its objectives and supports the business?

*Note: Information presented in this summary is taken from the ISACA site and an article on that site.

GENERAL AUDIT SCOPE:

First, management needs control objectives that define the ultimate goal of implementing policies, plans and procedures, and organizational structures designed to provide reasonable assurance that a) business objectives are achieved and b) undesired events are prevented or detected and corrected. Thus, IT governance provides a framework to ensure:
• IT is aligned with the business
• IT enables the business and maximizes benefits
• IT resources are used responsibly
• IT risks are managed appropriately

The audit and IT governance link directly to business requirements. Before any audit can be implemented, a thorough understanding of the business processes and needs must be realized. According to COSO, the three primary objectives of an internal control system are to ensure (1) efficient and effective operations, (2) accurate financial reporting, and (3) compliance with laws and regulations.

The report also outlines five essential components of an effective internal control system:
° THE CONTROL ENVIRONMENT, which establishes the foundation for the internal control system by providing fundamental discipline and structure.
° RISK ASSESSMENT, which involves the identification and analysis by management (not the internal auditor) of relevant risks to achieving predetermined objectives.
° CONTROL ACTIVITIES, or the policies, procedures, and practices that ensure management objectives are achieved and risk mitigation strategies are carried out.
° INFORMATION AND COMMUNICATION, which support all other control components by communicating control responsibilities to employees and by providing information in a form and time frame that allows people to carry out their duties.
° MONITORING, which covers the external oversight of internal controls by management or other parties outside the process, or the application of independent methodologies, like customized procedures or standard checklists, by employees within a process.
GENERAL AUDIT OBJECTIVES:

Strategic alignment focuses on ensuring the linkage of business and IT plans; defining, maintaining and validating the IT value proposition; and aligning IT operations with enterprise operations.

Value delivery is about executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs and proving the intrinsic value of IT.

Risk management requires risk awareness by senior corporate officers, a clear understanding of the enterprise's appetite for risk, understanding of compliance requirements, transparency about the significant risks to the enterprise and embedding of risk management responsibilities into the organization.

Resource management is about the optimal investment in, and the proper management of, critical IT resources: applications, information, infrastructure and people. Key issues relate to the optimization of knowledge and infrastructure.

Performance measurement tracks and monitors strategy implementation, project completion, resource usage, process performance and service delivery, using, for example, balanced scorecards that translate strategy into action to achieve goals measurable beyond conventional accounting.

AUDIT WORK PROGRAM:

For IT to be successful in delivering against business requirements, management should put an internal control system or framework in place. The control framework we will follow will first need to quantify and clarify the business mission, objectives, processes and the information processing requirements impacting availability, integrity and confidentiality of data. This means that all information architectural requirements must be reviewed for their controls on critical data.

These considerations must include:
• Making a link to the business requirements
• Organizing IT activities into a generally accepted process model
• Identifying the major IT resources to be leveraged
• Defining the management control objectives to be considered

The major elements of IS audit can be broadly classified as follows, and all of these elements need to be addressed to present to management a clear assessment of the system:
1. Physical and environmental review. This includes physical security, power supply, air conditioning, humidity control and other environmental factors.
2. System administration review. This includes security review of the operating systems, database management systems, all system administration procedures and compliance.
3. Application software review. The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed.
4. Network security review. Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage.
5. Business continuity review. This includes existence and maintenance of fault tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan.
6. Data integrity review. The purpose of this is scrutiny of live data to verify the adequacy of controls and the impact of weaknesses noticed in any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., CAAT).
RISK ASSESSMENT APPROACH:

Mandem uses a number of information systems and applications at various geographical locations. Because of the vast number of systems, the auditor must address the questions of what to audit, largely determined by materiality, and when and how frequently to audit. In order to address Mandem's most critical assets and infrastructure, we have decided to adopt a risk-based approach to delineate which systems and applications are most vital to the corporate goals and strategies. While our focus is on information security and assurance, assessing the effectiveness of the combination of controls is paramount in quantifying vulnerability and risk. Testing done will be based upon management's goals, and the results provided will be based upon competent, objective evidence.

While there are risks inherent to information systems, these risks impact different systems in different ways. For example, due to contractual obligations, Mandem runs the risk of non-availability of customer data, which would create a serious business compliance issue. An audit needs to address risk assessments in regard to processes, the organization, and the technology implemented and used. It also needs to address the people involved in the business processes. Vulnerabilities to personally identifiable information require the immediate attention of business executives as well as the audit and IT teams. The technical environments on which the systems run may also affect the risk associated with the systems.

The following steps are to be followed for a risk-based approach in making an audit plan:
- Inventory the information systems in use in the organization and categorize them.
- Determine which of the systems impact critical functions or assets, such as money, materials, customers, decision making, and how close to real time they operate.
- Assess what risks affect these systems and the severity of impact on the business.
- Rank the systems based on the above assessment and decide the audit priority, resources, schedule and frequency.

ASSIGNMENT OF A RISK RATING:

In order to approach the assignment of value to an asset, we would have to understand the business value and the industry probability of certain vulnerabilities. For example, the leading cause of information loss is employee access to, and exploitation of, PII. The Risk Rating would be calculated by identifying and multiplying:

Value X Vulnerability X Threat = RISK METRIC

Value assessment: Determine the weighted criticality to the organization.
Vulnerability assessment: Determine the existing 'weaknesses' in the asset.
Threat assessment: Determine the potential/probability that someone will exploit the vulnerability.

The answers to these three questions would have to be part of the business value analysis, which is beyond the scope of this project since we would not have information as to what the soft asset values are. Hardware assets can be merely calculated at replacement cost. However, soft assets, such as the value of information aggregated, the value of application software and
configuration, or the value of data warehoused and categorized, cannot be quickly quantified by a team of auditors. They must be identified and quantified by the business model and management. Questions that need to be addressed in evaluating risk are: how much is this business worth should the entire organization collapse, what are the fines for non-compliance in various areas of threat mitigation, what is the business reputation worth (i.e., how would the stock price of the corporation be affected by a disclosed compromise of PII data), and what are the contractual obligations monetarily if uptime percentages are not met? All these questions equate to dollar amounts that are not easy to establish. Therefore, in lieu of proper figures, the team has decided that a range should be used to try to formulate what values could be possible given the parameters and metrics of each of the risks.

The following is the risk management process, step by step, that we will follow:
1. Identify physical inventory
2. Naming conventions and data – named assets and data assignments, classification
3. Value assessment – how critical it is to the organization
4. Vulnerability assessment – what the identified weaknesses are
5. Threat assessment – probability (%) that the assets will be targeted for exploit

These steps are necessary to determine a risk metric rating for use in Business Impact Analysis and BCP (business continuity planning) should disaster recovery or failover be needed to maintain business processes and data access.

Step 1: Physical Inventory

Mandem DMZ for Call Centers:
- 2 Cisco 2600 Routers (2 x $1,400 - $4,000 ea)
- 2 Cisco Catalyst 2900 Switches (2 x $2,000 - $24,000 ea)
- 1 PIX 520 Firewall ($100-9,000)
- Web Servers [see Note 3] ($5,000-6,000 ea)
- FTP Servers [see Note 3] ($1,000-$3,000 ea)

Mandem DMZ for Internet and remote users:
- 2 PIX Firewalls [internet facing and intranet facing] (2 x $13,000-14,000 ea)
- EWF Web Servers ($5,000-6,000 ea, Enhanced Write Filter software)
- Cisco Content Load Balancer ($4,000)
- SSL Server ($5,000-6,000)
- 1 Cisco 2600 Router ($1,400 - $4,000 ea)

Mandem Internal Network:
- 4 Application Servers (4 x $4,400-5,000 ea)
- 1 Mainframe ($5,000- 20,000)
- 1 RS/6000 DB2 Server ($14,000 - 20,000)
- 4 Web Servers (4 x $5,000-6,000 ea)

Mandem Call Center Equipment:
- 1 Proxy Server ($2,000-$5,000)
Step 2: Naming Conventions and Data

There were four specific categories we felt were a part of the Mandem business model. Those categories were the Mandem Overseas Call Centers (which includes all the supporting infrastructure, costs and contracts associated with the call centers); the Mandem Internal Network (which includes all the hardware and software to support the internal network infrastructure and keep the continuous business processes flowing); the Personal Identifiable Information contained in the Mandem Data Centers (which includes all database information, the controls and the hardware/software to support this data along with contractual obligations for access to this data); and finally the Mandem Internet Business and remote access to end users (which includes all web servers and support to ensure secure delivery of data and services).

Each category is assigned a value based upon the hard and soft assets, the business criticality and materiality of those assets, as well as the subjective assessment of the value of the asset to the business continuity plan. If we base each of these on the value of revenue for the corporation, then a fixed percentage of that value can be assigned to evaluate what the materiality is to the business as well as a subjective criticality assessment.

Step 3: Value Assessment

Mandem Overseas Call Centers: ~840 million
- 2 Cisco 2600 Routers (2 x $1,400 - $4,000 ea)
- 2 Cisco Catalyst 2900 Switches (2 x $2,000 - $24,000 ea)
- 1 PIX 520 Firewall ($100-9,000)
- Web Servers [see Note 3] ($5,000-6,000 ea)
- FTP Servers [see Note 3] ($1,000-$3,000 ea)
- 1 Proxy Server ($2,000-$5,000)
Business criticality (20% of $4.2 Billion) *assumed call centers do most of the volume

Mandem Internal Network: ~1.25 billion
- 4 Application Servers (4 x $4,400-5,000 ea)
- 4 Web Servers (4 x $5,000-6,000 ea)
Business criticality (30% of $4.2 Billion)

Mandem Data Centers: ~1.89 billion (Protection and Business Process Data)
- 1 Mainframe ($5,000- 20,000)
- 1 RS/6000 DB2 Server ($14,000 - 20,000)
Business criticality (45% of $4.2 Billion)

Mandem Internet Business: ~210 million
- 2 PIX Firewalls [internet facing and intranet facing] (2 x $13,000-14,000 ea)
- EWF Web Servers ($5,000-6,000 ea, Enhanced Write Filter software)
- Cisco Content Load Balancer ($4,000)
- SSL Server ($5,000-6,000)
- 1 Cisco 2600 Router ($1,400 - $4,000 ea)
Business criticality (5% of $4.2 Billion)
Step 4: Vulnerability Assessment

The vulnerability of an asset is based upon the evaluation of the existing exploits, known and unknown, that can be surmised from the use of an asset. The largest vulnerability to any organization is the assets it does not have direct control over, yet those assets are liabilities to its existing business goals. Currently, the highest vulnerability is that no Business Continuity Plan/Disaster Recovery Plan exists should a server crash or data/OS become corrupted by a virus. Additionally, there needs to be a strong policy for asset protection to address minimum levels required by law and SLA contracts (PII information protection, confidentiality, integrity and assurance). For example, the proxy server data is a non-compliance issue and is currently housed on an unprotected call center server. Other critical issues regarding compliance are related to the segregation of duties, access to critical areas by personnel and other conflicts with regulatory requirements for PII. To add to this category, the physical controls and logical controls need to be verified and tested for compliance.

Mandem Overseas Call Centers:
- vulnerability of proxy server
- call center personnel collecting and storing PII
- call center turnover still having access to PII

Mandem Internal Network:
- monitoring of employee access, personnel collecting and storing PII
- monitoring of outgoing email and traffic for PII information
- limiting access to vital areas (physically and logically)
- application exploits
- operating system exploits
- access lists not maintained

Mandem Data Centers:
- protection of PII data on servers and mainframe
- use of software to test system controls
- highest business value to the organization

Mandem Internet Business:
- need to maintain uptime requirements
- vulnerable to DDoS attacks
- vulnerable to hacking of internal network resources
Step 5: Threat Assessment

Threat assessment considers the probability, as a percentage, that the vulnerabilities identified in Step 4 will be exploited. This is also subjective in that zero-day exploits can be quickly used to obtain entrance into critical systems; therefore these types of events can only be theorized and not specifically defined. The likelihood (the assignment of probability and impact) of an identified risk (listed below) is a point-in-time process.

The Probability rating is based upon 5 rating levels and is highly subjective, depending on the auditor's experience and knowledge. Listed below are the ratings and the subjective or observed evaluation for those ratings. Since the audit team does not have access to this information, the ability to provide an accurate rating is reduced. However, based upon the understanding and skill set of the audit team, an evaluation is given in order to provide a baseline. Obviously, industry benchmarks for probability ratings would have been considered, had they been available to the team.

Probability Ratings:
1 – Very unlikely to occur
2 – Less likely to occur
3 – 50/50 chance of occurring
4 – More likely to occur than not
5 – Certain, already observed

The Impact rating is based upon 5 rating levels and is equally subjective to the auditor's background and knowledge. Listed below are the ratings for this category; they are additionally subjective and would require management input to determine. Since the audit team does not have access to Mandem management for this case study, we will formulate a rating based upon the information provided on Mandem Incorporated.

Impact Ratings:
0 – No impact
1 – Insignificant changes, re-planning may be required
2 – Small delay, small increased cost, but absorbable
3 – Delay, increased cost in excess of tolerance
4 – Substantial delay, key deliverable not met, increased costs
5 – Inability to deliver, business case/objective not viable

Ratings will be assigned in the following format: (Probability rating * Impact rating = Risk Rating)

Mandem Overseas Call Centers:
- vulnerability of proxy server (5*3=15)
- call center personnel collecting and storing PII (3*3=9)
- call center turnover still having access to PII (2*3=6)
- call center authentication issues (3*3=9)
- call center SLA to be evaluated (3*3=9)
Mandem Internal Network:
- monitoring of employee access, personnel collecting and storing PII (2*3=6)
- monitoring of outgoing email and traffic for PII information (4*4=16)
- limiting access to vital areas (physically and logically) (5*1=5)
- application exploits (3*2=6)
- operating system exploits (3*3=9)
- access lists not maintained (3*4=12)

Mandem Data Centers:
- protection of PII data on servers and mainframe (4*5=20)
- use of software to test system controls (3*2=6)

Mandem Internet Business:
- need to maintain uptime requirements (2*5=10)
- vulnerable to DDoS attacks (2*1=2)
- vulnerable to hacking of internal network resources (3*3=9)

Risk Condition | Risk Rating     | Risk Response Plan Recommendation Guideline
GREEN          | Less than 8     | Causes little disruption; manageable through policy and procedures internally implemented.
YELLOW         | 8-12            | Causes disruption; weigh potential cost of risk against potential impact to determine risk response. Management to address in business case analysis.
RED            | Greater than 12 | Significant potential impact on business; potential disruption of business.
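The scoring scheme above (Probability * Impact, bucketed into GREEN/YELLOW/RED) is small enough to turn into a worksheet that ranks the findings for the audit schedule. The following is an added example, not part of the original report; the item list is transcribed from the report's Step 5 ratings, and the category names and function names are this example's own.

```python
"""Risk rating worksheet for the Mandem case study (added example).

Implements the report's scheme: Risk Rating = Probability (1-5) * Impact (0-5),
bucketed into GREEN (< 8), YELLOW (8-12) and RED (> 12), then ranked so the
audit can decide priority, resources, schedule and frequency.
"""
from dataclasses import dataclass

# Thresholds exactly as stated in the report's risk condition table.
YELLOW_MIN = 8   # "8-12" is YELLOW, so 8 and 12 are both inclusive
RED_MIN = 13     # "greater than 12"


@dataclass(frozen=True)
class RiskItem:
    category: str
    risk: str
    probability: int  # 1 = very unlikely ... 5 = certain, already observed
    impact: int       # 0 = no impact ... 5 = business objective not viable

    def __post_init__(self):
        # Reject values outside the report's scales; the probability scale
        # starts at 1, the impact scale at 0.
        if not 1 <= self.probability <= 5:
            raise ValueError(f"probability out of range: {self.probability}")
        if not 0 <= self.impact <= 5:
            raise ValueError(f"impact out of range: {self.impact}")

    @property
    def rating(self) -> int:
        return self.probability * self.impact

    @property
    def condition(self) -> str:
        return risk_condition(self.rating)


def risk_condition(rating: int) -> str:
    """Map a numeric rating to the report's GREEN/YELLOW/RED condition."""
    if rating >= RED_MIN:
        return "RED"
    if rating >= YELLOW_MIN:
        return "YELLOW"
    return "GREEN"


# Sample input: the ratings the report assigns in Step 5, transcribed as-is.
MANDEM_RISKS = [
    RiskItem("Overseas Call Centers", "vulnerability of proxy server", 5, 3),
    RiskItem("Overseas Call Centers", "call center personnel collecting and storing PII", 3, 3),
    RiskItem("Overseas Call Centers", "call center turnover still having access to PII", 2, 3),
    RiskItem("Overseas Call Centers", "call center authentication issues", 3, 3),
    RiskItem("Overseas Call Centers", "call center SLA to be evaluated", 3, 3),
    RiskItem("Internal Network", "monitoring of employee access, personnel collecting and storing PII", 2, 3),
    RiskItem("Internal Network", "monitoring of outgoing email and traffic for PII information", 4, 4),
    RiskItem("Internal Network", "limiting access to vital areas (physically and logically)", 5, 1),
    RiskItem("Internal Network", "application exploits", 3, 2),
    RiskItem("Internal Network", "operating system exploits", 3, 3),
    RiskItem("Internal Network", "access lists not maintained", 3, 4),
    RiskItem("Data Centers", "protection of PII data on servers and mainframe", 4, 5),
    RiskItem("Data Centers", "use of software to test system controls", 3, 2),
    RiskItem("Internet Business", "need to maintain uptime requirements", 2, 5),
    RiskItem("Internet Business", "vulnerable to DDoS attacks", 2, 1),
    RiskItem("Internet Business", "vulnerable to hacking of internal network resources", 3, 3),
]


def rank_risks(items):
    """Return items sorted highest rating first (ties keep report order)."""
    return sorted(items, key=lambda i: i.rating, reverse=True)


def worst_per_category(items):
    """Highest-rated item in each category, used to order the audit schedule."""
    worst = {}
    for item in items:
        if item.category not in worst or item.rating > worst[item.category].rating:
            worst[item.category] = item
    return worst


def worksheet(items) -> str:
    """Render the ranked list as a plain-text worksheet."""
    lines = [f"{'Category':<22} {'Risk':<70} P I Rating Condition"]
    for it in rank_risks(items):
        lines.append(f"{it.category:<22} {it.risk:<70} {it.probability} {it.impact} "
                     f"{it.rating:>6} {it.condition}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(worksheet(MANDEM_RISKS))
```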
REGULATORY COMPLIANCE REQUIREMENTS:

NJ Assembly Bill No. 4001 (A4001 ACS) C.56:8-163 Disclosure of breach of security to customers.
Applicable sections: 1-9, 11, 12a, 13, 15 and 16.

Any business that conducts business in New Jersey, or any public entity that compiles or maintains computerized records that include personal information, shall disclose any breach of security of those computerized records following discovery or notification of the breach to any customer who is a resident of New Jersey whose personal information was, or is reasonably believed to have been, accessed by an unauthorized person.

ASSEMBLY, No. 4001 - The "Identity Theft Prevention Act"
Sections 1-9 deal with the rights of customers, their credit information and their right to security freezes, and the exceptions and rules that govern security freezes.
Section 11: A business that has no business holding records (or that once held records and doesn't need to anymore) has to destroy them.
Section 12: If a business suspects a breach of security or disclosure of information, it must inform the customer of this ASAP... but IF AND ONLY IF THEY ARE A NJ RESIDENT! (Other states have to protect their own residents. Only 34 states have similar laws; more can be seen in that first link in the previous post.) The only exception is if the business or entity establishes that misuse of the information is not possible. I guess this is if a database of my favorite colors is hacked into and everyone finds out I like the color pink. This is the only example I can think of.
Section 13: Business use of SSNs; a business can never print an SSN.

SOX Section 302
Says that a financial entity must establish a set of internal control procedures and maintain them.
CORPORATE RESPONSIBILITY FOR FINANCIAL REPORTS. (a) REGULATIONS REQUIRED.—The Commission shall, by rule, require, for each company filing periodic reports under section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m, 78o(d)), that the principal executive officer or officers and the principal financial officer or officers, or persons performing similar functions, certify in each annual or quarterly report filed or submitted under either such section of such Act that— (6 sections that describe the specifics of the report: the signing officer has reviewed the report; the report does not contain any untrue statement or misleading wording; the financial statements are accurate and current; the signing officer has established and maintained controls, has evaluated them for over 90 days and has presented a report; all shortcomings and problems are reported; and any strange circumstances changing the situation during the time of evaluation are reported.)

SOX Section 404
Financial spreadsheets and reports need to be safeguarded from being falsified or accidentally or deliberately redistributed. Management must report the adequacy of their internal controls under Internal Control over Financial Reporting (ICFR). It also says that external auditors have to enforce this.
MANAGEMENT ASSESSMENT OF INTERNAL CONTROLS. (a) RULES REQUIRED.—The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall: (1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and (2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting. (b) INTERNAL CONTROL EVALUATION AND REPORTING.—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

SOX Section 409
Real-time disclosure of material that impacts a company's finances must be reported within 48 hours.

SOX Section 802
Guarantees that documents and records are not altered.

SOX Section 1102
Corrupting, altering, mutilating, destroying or concealing records are violations. Those found guilty of obstructing an investigation or official proceeding will face 20 years in prison and fines.

GLBA USC (United States Code) 6801
Customer/client confidentiality and security must be guaranteed. Records and information must be protected against any anticipated threats, hazards and unauthorized access.
Gramm-Leach-Bliley Act; 15 USC, Subchapter I, Sec. 6801-6809 Disclosure of Nonpublic Personal Information. Sections 6802-6803 are the important sections.
Sec. 6802: Obligations with respect to disclosures of personal information. (a) Notice requirements: Except as otherwise provided in this subchapter, a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title. (b)-(e) go on more about official details and rules.
Sec. 6803: Disclosure of institution privacy policy. (a) Disclosure required: At the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title.

SEC Rules 17a-3 and 17a-4
All records related to securities transactions must be maintained for not less than 3 years, and be easily accessible during the first two.
  • 14. REGULATORY COMPLIANCE REQUIREMENTS
The Health Insurance Portability and Accountability Act (HIPAA): This Act includes regulations that require all individually identifiable health care information to be protected to ensure privacy and confidentiality when electronically stored, maintained, or transmitted. While network firewalls and conventional security solutions can help secure content stored on the network, protecting that information once it has left the network requires an additional layer of security on the messages themselves. This security needs to be applied not only to communications between health care organizations and the client, but also between health care organizations themselves. In other words, whenever client-identifiable information is sent across the Internet, it needs to be secured in order to avoid the liabilities associated with unprotected and uncontrolled e-mail communication.
ISO/IEC 27002: ISO/IEC 27002 provides best practice recommendations on information security management for use by those who are responsible for initiating, implementing or maintaining Information Security Management Systems (ISMS).
Below are the 12 sections of the ISO standard used for auditing:
1: Risk Assessment
2: Security policy - management direction
3: Organization of information security - governance of information security
4: Asset management - inventory and classification of information assets
5: Human resources security - security aspects for employees joining, moving and leaving an organization
6: Physical and environmental security - protection of the computer facilities
7: Communications and operations management - management of technical security controls in systems and networks
8: Access control - restriction of access rights to networks, systems, applications, functions and data
9: Information systems acquisition, development and maintenance - building security into applications
10: Information security incident management - anticipating and responding appropriately to information security breaches
11: Business continuity management - protecting, maintaining and recovering business-critical processes and systems
12: Compliance - ensuring conformance with information security policies, standards, laws and regulations
ISO/IEC 27002 is part of a growing family of ISO/IEC ISMS standards, the 'ISO/IEC 27000 series'. The others (most of which are in preparation) include:
ISO/IEC 27000 - a standard vocabulary for the ISMS standards (in preparation)
ISO/IEC 27001 - the certification standard against which organizations' ISMS may be certified
ISO/IEC 27003 - a new ISMS implementation guide (in preparation)
ISO/IEC 27004 - a standard for information security measurement and metrics (in preparation)
ISO/IEC 27005 - a standard for risk management, potentially related to the current British Standard BS 7799 part 3
ISO/IEC 27006 - a guide to the certification/registration process (published in March 2007)
  • 15. ISO/IEC 27007 - a guideline for auditing information security management systems (in preparation)
ISO/IEC 27799 - guidance on implementing ISO/IEC 27002 in the healthcare industry
  • 16. AUDIT FINDINGS AND DETERMINATIONS Page 1 of 11
BUSINESS ISSUE:
Description: Inventory the information systems in use in the organization and categorize them. Inadequate identification of assets and data owners needs to be addressed so that the audit group can identify the areas and processes to audit.
Dependency Issue: Identification, collection, and communication of key metrics for evaluating performance of the area being audited depend upon identification of assets and their categorization according to the materiality of the business processes.
Action Plan: An Asset Inventory List and a Classification List need to be developed; the areas to be addressed are:
Inventory:
•Determine who owns the data
•Verify asset locations
•Create a naming convention for simple, unique identification of assets
•Assign each asset to a security group based on its role in the organization
•Determine the value and risk classification of each asset
Classification:
•Who chooses the access levels and permissions granted to each user/group?
•What types of approvals are needed to add, modify or delete access rights/levels?
•Which individuals/groups will be authorized to access each asset (least privilege)?
•What level of access will be granted to each individual/group?
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
BUSINESS ISSUE:
Description: The Service License Agreement (SLA) for Call Centers needs to be evaluated against the business case and controls. Evaluation of the SLA should review the following:
Sub-Issue 1: Users at the call center authenticate with the call center server; they do not need to authenticate with Mandem's system. Examine login security and the SLA's requirements with regulatory agencies.
Sub-Issue 2: Review the SLA to determine whether call centers must adhere to the network security requirements and policies of Mandem Incorporated (i.e., WAP, rolling passwords, the process for removal of terminated employees from the system).
Sub-Issue 3: Review the SLA to determine whether call centers are subject to independent auditing by Mandem staff or a designated third-party audit agency.
Sub-Issue 4: The proxy server contains cached values of PII and may be in violation of regulatory requirements. The proxy should only cache non-identifiable content such as graphics. Regulations and the configuration of the proxy server need to be addressed, as does the SLA's coverage of the proxy server's use and configuration.
  • 17. Sub-Issue 5: The PIX 520 Firewall may be outdated for protecting traffic coming from the call center into Mandem.
AUDIT FINDINGS AND DETERMINATIONS Page 2 of 11
Action Plan: The SLA needs to be reviewed for inconsistencies with corporate security goals, and may need to be modified to address network and information security vulnerabilities.
Timing of Implementation: Intermediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
BUSINESS ISSUE:
Description: The proxy server may contain PII in a cached state on the server. SOX, HIPAA, SEC and GLBA regulatory requirements may be violated. IT must address the risk of a PII breach and compliance with regulatory requirements to ensure data security, confidentiality, integrity and assurance.
Action Plan: Immediate reconfiguration of the proxy server is required.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: High
BUSINESS ISSUE:
Description: Direct access into the Mandem intranet is possible for anyone using the call center network. Vulnerabilities in the Mandem intranet may be exploitable through this access point. How are violations prevented proactively to protect Mandem's intranet infrastructure?
Action Plan: Evaluate the IDS's method of determining, monitoring and identifying these connections and events.
Timing of Implementation: Intermediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
BUSINESS ISSUE:
Description: The semi-private DMZ contains more than web content. An investigation needs to be conducted to determine whether this violates corporate IT policies and whether authorization has been provided for this content. Vulnerabilities cannot be assessed until it is known what data or applications are on these systems. Additional concerns are who has access to these applications, what their level of access to the network is, and why this information is placed in a non-secure zone.
  • 18. AUDIT FINDINGS AND DETERMINATIONS Page 3 of 11
Action Plan: Assess corporate IT policy on this issue; determine whether these servers are tested on a regular basis for application vulnerabilities and exploits. Determine whether there is an authoritative chain of approval for placing applications in this environment.
Timing of Implementation: Low Level Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Low
BUSINESS ISSUE:
Description: IT policy needs to determine and delineate who has the access and authority to open ports in the company firewalls and how the ACL is maintained. Mandem's computer programmer is making modifications to the firewall, which is a segregation-of-duties issue under IT policies. How traffic (HTTP) from areas outside Mandem's intranet is redirected to web servers becomes critical when vulnerabilities in those servers can be exploited. How this traffic is monitored, by whom, how it is logged and who authorizes changes to the firewall must be addressed. The firewall allows a range of IP addresses that is controlled by various entities; who authorizes these ranges?
Action Plan: Evaluate IT policy and procedures. Identify areas where authorization is not conducted.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
BUSINESS ISSUE:
Description: Services running on the FTP server need to be addressed, as well as monitoring and maintenance of files on the system. Failure to monitor for malicious system applications can expose those accessing the FTP server to vulnerabilities. The server needs to be monitored for problem usage (i.e., bot-herders using it as an IRC command center, spambots, etc.).
Action Plan: Evaluate IT policies and procedures.
Timing of Implementation: Low Level Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Low
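The proxy findings above (Sub-Issue 4 and the High-rated proxy issue on page 2) say the proxy should cache only non-identifiable content such as graphics. As an added example, not code from the audit report or from Mandem, here is a Python policy function that a shared proxy would apply before storing a response. It follows the storage rules of RFC 7234: responses marked no-store or private, responses that set a cookie, and responses to requests that carried an Authorization header are refused; static assets (images, fonts, stylesheets) and responses explicitly marked public with a freshness lifetime are allowed. The request/response pairs are constructed sample data, not captures from any real system.

```python
from dataclasses import dataclass, field


@dataclass
class Exchange:
    """One request/response pair as seen by the proxy (constructed sample data)."""
    method: str
    path: str
    status: int = 200
    req_headers: dict = field(default_factory=dict)
    resp_headers: dict = field(default_factory=dict)


STATIC_TYPES = {"text/css", "application/javascript", "image/svg+xml"}


def directives(value):
    """Split a Cache-Control header into a set of lowercase directive names."""
    return {part.strip().split("=", 1)[0].lower() for part in value.split(",") if part.strip()}


def may_store(x):
    """Decide whether a shared cache may store this response; returns (allowed, reason)."""
    resp = {k.lower(): v for k, v in x.resp_headers.items()}
    req = {k.lower(): v for k, v in x.req_headers.items()}
    cc = directives(resp.get("cache-control", ""))
    if x.method.upper() != "GET":
        return False, "only GET responses are stored"
    if "no-store" in cc or "private" in cc:
        return False, "Cache-Control forbids storage in a shared cache"
    if "set-cookie" in resp:
        return False, "response establishes a session; treat as per-user"
    # RFC 7234 section 3.2: a shared cache must not reuse a response to a request
    # that carried Authorization unless the response explicitly allows it.
    if "authorization" in req and not cc & {"public", "must-revalidate", "s-maxage"}:
        return False, "authenticated request without explicit shared-cache permission"
    if x.status not in (200, 203, 204, 301, 404, 410):
        return False, "status code is not cacheable by default"
    ctype = resp.get("content-type", "").split(";")[0].strip().lower()
    if ctype.startswith(("image/", "font/")) or ctype in STATIC_TYPES:
        return True, "static, non-identifiable asset"
    if "public" in cc and ({"max-age", "s-maxage"} & cc or "expires" in resp):
        return True, "explicitly public with a freshness lifetime"
    return False, "dynamic content with no explicit public caching policy"


SAMPLE = [  # constructed exchanges for illustration
    Exchange("GET", "/static/logo.png",
             resp_headers={"Content-Type": "image/png", "Cache-Control": "public, max-age=86400"}),
    Exchange("GET", "/account/summary",
             resp_headers={"Content-Type": "text/html", "Set-Cookie": "sid=abc; HttpOnly"}),
    Exchange("GET", "/api/customer/42", req_headers={"Authorization": "Bearer x"},
             resp_headers={"Content-Type": "application/json", "Cache-Control": "max-age=60"}),
    Exchange("POST", "/login", resp_headers={"Content-Type": "text/html"}),
    Exchange("GET", "/css/site.css", resp_headers={"Content-Type": "text/css"}),
]


def storable_paths(exchanges):
    """Return the paths the policy would let the proxy keep in its cache."""
    return [x.path for x in exchanges if may_store(x)[0]]


if __name__ == "__main__":
    for x in SAMPLE:
        ok, why = may_store(x)
        print(f"{'STORE ' if ok else 'BYPASS'} {x.method} {x.path}: {why}")
```

The policy is deliberately conservative: anything that is not provably safe to share is bypassed, so a customer page that forgot its Cache-Control header never reaches the cache. The same rules can be expressed in a proxy's own configuration; the function is a way to test the intended policy against captured headers before rolling it out.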
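The firewall finding on page 3 asks who authorizes changes to the firewall and notes that a programmer is modifying it, a segregation-of-duties problem. The following Python script is an added example of the audit test a team would run for that finding; it is not tooling from the report or from Mandem. It diffs two constructed rule-base snapshots and requires every added or removed rule to match an approved change record whose approver is not the requester. Rule syntax, ticket ids and addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule in a constructed five-field syntax."""
    action: str   # permit | deny
    proto: str
    src: str
    dst: str
    port: str


def parse_rules(text):
    """Parse one rule per line: '<action> <proto> <src> <dst> <port>'."""
    rules = set()
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed rule line: {line!r}")
        rules.add(Rule(*fields))
    return rules


def reconcile(before, after, changes):
    """Classify every difference between two snapshots as authorized or not.

    changes: list of dicts with keys ticket, op ('add'|'remove'), rule,
    requester, approver. Returns (authorized, unauthorized), each a list of
    dicts describing one rule change.
    """
    expected = {(c["op"], c["rule"]): c for c in changes}
    diffs = [("add", r) for r in sorted(after - before, key=str)]
    diffs += [("remove", r) for r in sorted(before - after, key=str)]
    authorized, unauthorized = [], []
    for op, rule in diffs:
        rec = expected.get((op, rule))
        if rec is None:
            unauthorized.append({"op": op, "rule": rule, "reason": "no approved change record"})
        elif rec["requester"] == rec["approver"]:
            unauthorized.append({"op": op, "rule": rule, "ticket": rec["ticket"],
                                 "reason": "requester approved own change (segregation of duties)"})
        else:
            authorized.append({"op": op, "rule": rule, "ticket": rec["ticket"]})
    return authorized, unauthorized


# Constructed snapshots: one rule was removed and two were added between them.
BEFORE = """
permit tcp 203.0.113.0/24 10.0.0.10 80
permit tcp 203.0.113.0/24 10.0.0.10 443
deny   ip  0.0.0.0/0      10.0.0.0/8 any
"""
AFTER = """
permit tcp 203.0.113.0/24 10.0.0.10 443
permit tcp 198.51.100.7   10.0.0.20 21
permit tcp 0.0.0.0/0      10.0.0.30 3389
deny   ip  0.0.0.0/0      10.0.0.0/8 any
"""
CHANGES = [  # constructed change-control records
    {"ticket": "CHG-1001", "op": "add", "requester": "netadmin", "approver": "secmgr",
     "rule": Rule("permit", "tcp", "198.51.100.7", "10.0.0.20", "21")},
    {"ticket": "CHG-1002", "op": "add", "requester": "programmer", "approver": "programmer",
     "rule": Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.30", "3389")},
]


def run_sample():
    """Reconcile the constructed snapshots; returns (authorized, unauthorized)."""
    return reconcile(parse_rules(BEFORE), parse_rules(AFTER), CHANGES)


if __name__ == "__main__":
    ok, bad = run_sample()
    for item in bad:
        print("UNAUTHORIZED", item["op"], item["rule"], "-", item["reason"])
    print(f"{len(ok)} authorized, {len(bad)} unauthorized changes")
```

In the sample the FTP rule is matched by a properly approved ticket, the wide-open RDP rule was approved by the person who requested it, and the removal of the port 80 rule has no record at all; the last two are what the audit team would take back to management.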
  • 19. AUDIT FINDINGS AND DETERMINATIONS Page 4 of 11
BUSINESS ISSUE:
Description: Client access via the Internet and Mandem's firewall is unsecured. This is a regulatory compliance violation. SSL must be used when providing clients with secured PII.
Action Plan: Implement SSL-layer communication when a user attempts to authenticate with the system.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: High
BUSINESS ISSUE:
Description: Systems analysts are using application servers for unmonitored programs. Ports may be opened or left open, and application vulnerabilities can be exploited by installing unpatched or untested applications. IT policy issues regarding authorization and use of servers must be addressed to mitigate risk.
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Intermediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
BUSINESS ISSUE:
Description: Intrusion Detection System use must be evaluated to address its application and adherence to corporate needs and the business goal of securing data and information. IDS monitor logs need to be reviewed. Policy, procedure and authorization of the IDS need to be evaluated to determine whether they adequately meet regulatory requirements. Investigate adding an IPS or HIDS to proactively protect critical corporate assets.
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
  • 20. Critical Rating: Medium
AUDIT FINDINGS AND DETERMINATIONS Page 5 of 11
BUSINESS ISSUE:
Description: Passwords on the DB2 server are not being used, and password authentication to DB2 is not encrypted; packet transmissions can be intercepted and forwarded, leading to unauthorized access to the DB2 server and the information on it. The assumed trust relationship with internal network users and the web interface could lead to compromise of the entire server and its data. IT Policy does not address this important security issue. A regulatory compliance violation is possible.
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: High
BUSINESS ISSUE:
Description: DBA accessing data on the server: compromise of PII data, violation of regulatory requirements.
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
BUSINESS ISSUE:
Description: DB access controls need to be identified. Creation, edit, entry, drop, etc. rights need to be clearly delineated and defined. IT policy and procedures need to be reviewed in order to protect data (see the concern about the DBA accessing data for an example of a violation).
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Immediate Concern
  • 21. Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
AUDIT FINDINGS AND DETERMINATIONS Page 6 of 11
BUSINESS ISSUE:
Description: IT policy issues regarding the operating systems deployed and their patch management cycle should be investigated. Application software that is not updated on a regular basis, and use of non-authorized software on the network, can open vulnerabilities in the system.
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Low Level Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Low
BUSINESS ISSUE:
Description: Segregation of duties regarding authorization, monitoring, application access rights, etc. needs to be identified, known and documented. System administrators should be placed into segregated groups: one that authorizes and another for end users/distributors. Access/privileges are based upon the ACL set by the data owner.
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
BUSINESS ISSUE:
Description: Identification of the various areas of controls (application as well as physical and logical) needs to be tested and validated; testing of hard and soft controls needs to be conducted by the audit team. Use of CAATs in testing, acquisition of documentation of controls, and trained personnel need to be addressed.
Action Plan: The audit team needs to work with management to determine which areas need to be addressed as a priority.
  • 22. Timing of Implementation: Primary Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: High
AUDIT FINDINGS AND DETERMINATIONS Page 7 of 11
BUSINESS ISSUE:
Description: Corporate IT internal policies regarding wireless access devices and routers need to be examined. Remote devices accessing the network need to be authorized and validated prior to use.
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Low Level Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Low
BUSINESS ISSUE:
Description: IT policy and procedures for removal of terminated employees, access to vital and critical areas, group policy procedures and authorization. Substantive testing of how often this is done and who monitors/authorizes/tests these changes needs to be evaluated against corporate IT guidelines (inter-department issues should be evaluated, such as the turnaround time for removal of employees once HR has determined removal, and how the department provides managers with access to a terminated employee's data).
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Low Level Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Low
BUSINESS ISSUE:
Description: Physical access to vital and critical areas (server room, backup data, etc.) needs to be addressed to ensure access is limited to authorized personnel only. Vital and critical areas of the infrastructure need to be physically secured.
Action Plan: Physical access needs to be evaluated.
  • 23. Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: High
AUDIT FINDINGS AND DETERMINATIONS Page 8 of 11
BUSINESS ISSUE:
Description: An IT Governance policy should be in place. The areas to address are outlined, as IT Governance needs to be implemented by high-level management executives. If a policy does exist, is it known? Is it followed by employees? How is it implemented in the organization?
Action Plan: Address issues of IT Governance with corporate officers; an IT Audit charter is needed to outline responsibilities and authority.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
BUSINESS ISSUE:
Description: System backup procedures, backup schedule, process and validation. How are backups protected from fire, unauthorized access, theft, etc.? Who has access to these areas, and are they secured?
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Medium
BUSINESS ISSUE:
Description: Disaster recovery plans: is there a hot-swappable site in place to meet contractual obligations? How often is it tested, including backup processes, availability to swap to live data immediately, and validity of data? This addresses business needs and contract obligations, and some regulatory compliance requirements for data availability.
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
  • 24. Critical Rating: Medium
AUDIT FINDINGS AND DETERMINATIONS Page 9 of 11
BUSINESS ISSUE:
Description: Failover servers: servers need to be up 99.5% of the time, therefore in order to fulfill the contract, failover servers need to be used and maintained. Do they exist? How are they updated (dual-written, backup on a schedule, etc.) and is this tested on a compliance basis?
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: High
BUSINESS ISSUE:
Description: Penetration testing should be conducted on a regular basis. How are the findings addressed, and what is the turnaround time for critical findings to be resolved?
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Low Level Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: Low
BUSINESS ISSUE:
Description: Collection, use, disclosure and destruction of PII need to be evaluated and validated to align with government regulations on PII data.
Action Plan: IT policy and procedures must be reviewed to address business needs of information and application security.
Timing of Implementation: Immediate Concern
Responsible Managers: IT Policy and Procedures
Critical Rating: High
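The page 4 finding rates unsecured client access as High and calls for SSL when a user authenticates. As an added example, not code from the report or from Mandem, here is a small Python WSGI middleware that enforces that requirement for an assumed login path: a plain-HTTP GET of the login page is redirected to the https URL, a plain-HTTP POST is refused outright so that a password sent in the clear is never processed, and every TLS response carries a Strict-Transport-Security header so browsers do not return over http later. The application, host name and paths are constructed for illustration.

```python
from urllib.parse import quote

AUTH_PATHS = ("/login", "/auth")          # assumed paths that receive credentials
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_tls(environ):
    # Only the scheme the server itself reports is trusted. A forwarded-proto
    # header should be honoured only when a known front proxy sets and strips it.
    return environ.get("wsgi.url_scheme") == "https"


def require_tls(app):
    """Wrap a WSGI app so credentials are only accepted over TLS."""
    def middleware(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if path.startswith(AUTH_PATHS) and not is_tls(environ):
            if environ.get("REQUEST_METHOD", "GET") == "GET":
                target = "https://" + environ.get("HTTP_HOST", "localhost") + quote(path)
                start_response("301 Moved Permanently",
                               [("Location", target), ("Content-Length", "0")])
                return [b""]
            # A POST already carried the secret in clear text; refuse rather than redirect.
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"credentials must be submitted over TLS\n"]

        def start_with_hsts(status, headers, exc_info=None):
            if is_tls(environ):
                headers = list(headers) + [HSTS]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return middleware


def login_app(environ, start_response):
    """Stand-in application; a real one would verify the submitted credentials."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"login page\n"]


def call(app, method, path, scheme, host="mandem.example"):
    """Invoke a WSGI app without a server; returns (status, headers dict, body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "wsgi.url_scheme": scheme, "HTTP_HOST": host}
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


secured = require_tls(login_app)

if __name__ == "__main__":
    for method, path, scheme in [("GET", "/login", "http"), ("POST", "/login", "http"),
                                 ("POST", "/login", "https"), ("GET", "/help", "http")]:
        status, headers, _ = call(secured, method, path, scheme)
        print(f"{method} {scheme}://mandem.example{path} -> {status} {headers}")
```

Redirecting only the login path is the minimum that addresses the finding; the stronger configuration is to serve the whole client-facing site over TLS, since a session cookie issued after login is just as sensitive as the password. The `call` helper lets the policy be exercised in a unit test without standing up a server.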
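The page 5 DB2 finding says password authentication to DB2 is not encrypted and that a trust relationship with internal clients is assumed. The following Python script is an added example of how an auditor could test that finding from the database manager configuration rather than from a packet capture; it is not code from the report or from Mandem. It parses the `name (PARAM) = value` lines that `db2 get dbm cfg` prints (layout and the parameter names AUTHENTICATION, TRUST_ALLCLNTS and TRUST_CLNTAUTH are from my knowledge of DB2 and should be checked against the installed version) and flags settings under which credentials cross the network in the clear or under which clients are trusted to have authenticated the user themselves. The configuration text below is constructed.

```python
import re

LINE = re.compile(r"\((?P<param>[A-Z_]+)\)\s*=\s*(?P<value>\S*)")
CLEARTEXT = {"SERVER", "CLIENT"}     # user id and password are not encrypted in flight
ENCRYPTED = {"SERVER_ENCRYPT", "DATA_ENCRYPT", "DATA_ENCRYPT_CMP", "KERBEROS",
             "KRB_SERVER_ENCRYPT", "GSSPLUGIN", "GSS_SERVER_ENCRYPT"}


def parse_dbm_cfg(text):
    """Return {PARAM: value} for every '(PARAM) = value' line in dbm cfg output."""
    return {m.group("param"): m.group("value")
            for m in map(LINE.search, text.splitlines()) if m}


def review_authentication(cfg):
    """Return a list of findings (strings); an empty list means this check passed."""
    findings = []
    auth = cfg.get("AUTHENTICATION", "")
    if auth in CLEARTEXT:
        findings.append(f"AUTHENTICATION={auth}: user id and password are sent unencrypted; "
                        "set SERVER_ENCRYPT, or DATA_ENCRYPT to also protect data in transit")
    elif auth not in ENCRYPTED:
        findings.append(f"AUTHENTICATION={auth or '<unset>'}: unrecognised value, review manually")
    if auth == "CLIENT":
        # With CLIENT authentication the server believes the client host; these two
        # parameters decide which hosts are believed and whether they are challenged.
        if cfg.get("TRUST_ALLCLNTS", "YES") != "NO":
            findings.append("TRUST_ALLCLNTS is not NO: every client host is trusted to have "
                            "authenticated the user")
        if cfg.get("TRUST_CLNTAUTH", "CLIENT") != "SERVER":
            findings.append("TRUST_CLNTAUTH=CLIENT: trusted clients are never asked for "
                            "credentials at the server")
    return findings


# Constructed excerpt in the shape of `db2 get dbm cfg` output.
SAMPLE_CFG = """
          Database Manager Configuration

     Node type = Enterprise Server Edition with local and remote clients

 Database manager configuration release level            = 0x0a00
 Database manager authentication        (AUTHENTICATION) = SERVER
 Trust all clients                      (TRUST_ALLCLNTS) = YES
 Trusted client authentication          (TRUST_CLNTAUTH) = CLIENT
"""
HARDENED_CFG = SAMPLE_CFG.replace("= SERVER", "= SERVER_ENCRYPT")
CLIENT_TRUST_CFG = SAMPLE_CFG.replace("= SERVER", "= CLIENT")


def review_text(text):
    """Parse and review a dbm cfg dump in one step."""
    return review_authentication(parse_dbm_cfg(text))


if __name__ == "__main__":
    for label, text in [("as found", SAMPLE_CFG), ("hardened", HARDENED_CFG),
                        ("client trust", CLIENT_TRUST_CFG)]:
        print(label, review_text(text) or ["no findings"])
```

The "as found" configuration reproduces the report's condition: the server authenticates, but the password travels unencrypted, which is what `SERVER_ENCRYPT` fixes. The "client trust" variant shows the worse case the finding hints at, where the server never sees a password at all for trusted hosts.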
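Three findings above describe the same access-review test: page 1 asks who owns each asset and who approves access to it, page 6 asks for segregated authorizer and end-user groups with privileges set by the data owner, and page 7 asks how quickly terminated employees are removed and who checks it. As an added example of the CAAT an audit team would run for those findings (not tooling from the report or from Mandem), the Python below checks constructed inventory, grant, group, HR and directory records for grants not approved by the asset's owner, accounts in both groups, and terminated employees whose accounts are still enabled or were disabled later than an assumed one-day target. All names, assets and dates are constructed sample values.

```python
from datetime import date

ASSETS = {  # asset -> data owner and classification (constructed inventory)
    "db2-customer": {"owner": "jdoe", "classification": "PII"},
    "web-content":  {"owner": "mlee", "classification": "public"},
}
GRANTS = [  # who has what on which asset, and who approved it (constructed)
    {"user": "asmith", "asset": "db2-customer", "level": "read",  "approved_by": "jdoe"},
    {"user": "dba01",  "asset": "db2-customer", "level": "admin", "approved_by": "dba01"},
    {"user": "pkim",   "asset": "web-content",  "level": "write", "approved_by": "mlee"},
]
GROUPS = {"authorizers": {"jdoe", "mlee", "pkim"}, "end_users": {"asmith", "pkim", "dba01"}}
TERMINATIONS = {"asmith": date(2007, 11, 1), "rjones": date(2007, 10, 20)}  # HR feed
ACCOUNTS = {  # directory state on the review date (constructed)
    "asmith": {"enabled": True,  "disabled_on": None},
    "rjones": {"enabled": False, "disabled_on": date(2007, 10, 26)},
    "pkim":   {"enabled": True,  "disabled_on": None},
}
REMOVAL_TARGET_DAYS = 1           # assumed policy target, not a figure from the report
AS_OF = date(2007, 11, 15)        # review date used by run_sample()


def check_owner_approval(assets, grants):
    """Grants whose approver is not the data owner of the asset."""
    return [g for g in grants if g["approved_by"] != assets[g["asset"]]["owner"]]


def check_segregation(groups):
    """Accounts that both authorize access and use it."""
    return sorted(groups["authorizers"] & groups["end_users"])


def check_terminations(terminations, accounts, as_of, target_days=REMOVAL_TARGET_DAYS):
    """Terminated employees still enabled, or disabled later than the target."""
    findings = []
    for user, term_date in terminations.items():
        acct = accounts.get(user)
        if acct is None:
            continue  # no account exists (already deleted or never provisioned)
        if acct["enabled"]:
            findings.append({"user": user, "status": "still enabled",
                             "days_open": (as_of - term_date).days})
        else:
            delay = (acct["disabled_on"] - term_date).days
            if delay > target_days:
                findings.append({"user": user, "status": "late removal", "days_open": delay})
    return findings


def access_review(as_of):
    """Run all three checks and return the findings grouped by check."""
    return {
        "unapproved_grants": check_owner_approval(ASSETS, GRANTS),
        "sod_conflicts": check_segregation(GROUPS),
        "termination_gaps": check_terminations(TERMINATIONS, ACCOUNTS, as_of),
    }


def run_sample():
    return access_review(AS_OF)


if __name__ == "__main__":
    for check, items in run_sample().items():
        print(f"{check}: {items if items else 'none'}")
```

On the sample data the self-approved admin grant on the PII database, the account that is both an authorizer and an end user, and the two termination gaps (one account still open two weeks after termination, one closed six days late) are exactly the kinds of exceptions the findings ask the team to substantiate, with the turnaround figure the page 7 finding wants measured.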
  • 25. AUDIT FINDINGS AND DETERMINATIONS Page 10 of 11
AUDIT CRITICAL ISSUES:
Determine which of the systems impact critical functions or assets, such as money, materials, customers, decision making, and how close to real time they operate.
• Business Continuity Plan/Disaster Recovery Plan
• Business needs to classify assets according to business model and interests
• Asset protection addresses minimum levels required by law
• Tests of controls: physical and logical controls?
• Multiple logins from varying areas add layers of security, even though they also add layers of complexity. Four layers:
-Network
-Platform
-Database
-Application
• Separation of duties, access to data blocked from admins or root, logs of data accesses
Assess what risks affect these systems and the severity of impact on the business.
THREATS
External: Hackers; Call Center Support Personnel; Physical Break-in
Internal: Disgruntled Employees; Corporate Fraud/Espionage; Call Center Support Personnel
Rank the systems based on the above assessment and decide the audit priority, resources, schedule and frequency.
Critical:
- No Business Continuity Plan/Disaster Recovery Plan.
- Asset protection to address minimum levels required by law and contract (PII information protection, confidentiality, integrity and assurance)
- Segregation of duties: access to critical areas by personnel conflicts with regulatory requirements for PII.
- Physical controls and logical controls need to be verified and tested for compliance.
Unsatisfactory:
- Service License Agreement for Call Centers needs to be evaluated against business goals and regulatory requirements.
- Proxy Server at Call Center maintained by Mandem needs to be evaluated for security of PII.
- Need to address IT governance issues regarding IT policies, procedures and processes for in-house servers, firewalls, access controls and database.
- IDS should be proactive; need to address possible use of IPS and HIDS on critical systems.
- Passwords on DB2 server are not being used, authentication is not encrypted; access on the DB server needs to be validated and tested.
- Backup cycle of the system and offsite backup of server information.
  • 26. Dissatisfactory:
- A need to clearly identify and inventory Information Systems for IT audit
- Direct access to the Mandem internal network once authenticated with the Call Center Server does not address the 4-layer security benchmarks (network, platform, database and application).
  • 27. AUDIT FINDINGS AND DETERMINATIONS Page 11 of 11
Asset Evaluation
The team had difficulty determining the price of the assets, hard or soft. This pricing structure is complex and varied for both tangible and non-tangible assets. Since the evaluation of the actual replacement costs cannot be fully established without exact model numbers, ranges are provided to give a basic idea of the variance of cost.
Vulnerability to Assets:
Hard Assets
RS/6000 DB2 server ($14,000 - 20,000)
Mainframe
4 web servers (4 x $5,000-6,000 ea)
4 application servers (4 x $4,400-5,000 ea)
Router*
3 Cisco PIX Firewalls (3 x $13,000-14,000 ea)
EWF (Enhanced Write Filter)*
Load Balancing Server ($4,000)
2 Cisco 2600 Routers (2 x $1,400 - $4,000 ea)
2 Catalyst 2900 Switches (2 x $2,000 - $24,000 ea)
1 PIX 520 Firewall ($100-9,000)
MANDEM Box
Proxy Server ($2,000-$5,000)
*NOTE: nominal cost or no additional cost to server hardware
**NOTE: All other machines/hardware/wires not mentioned. Costs do not include software OS and applications running on hardware.
Soft Assets
$4.2 billion Business Assets
-Customer Information on DBS
-Application Software
-Web Server software and interface
-All other Overhead costs
Software and Applications ($10,000 - $250,000)
Lost wages and overhead costs (highly variable)
Business reputation (highly variable)
Contract fines ($___? per occurrence)
Regulatory fines ($___? per occurrence)
Mailing and compliance costs ($____? per occurrence)
