Forging Partnerships Between Auditors and Security Managers
    1. Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work
       Randy Marchany, VA Tech Computing Center, Blacksburg, VA 24060, [email_address], 540-231-9523. JCSC 2000.
    8. The Auditor’s Goals
       - Ensure assets are protected according to company, local, state and federal regulatory policies.
       - Determine what needs to be done to ensure the protection of those assets.
       - Make life miserable for sysadmins... :-)
         - Not really. They can save a sysadmin if a problem occurs.
    9. The Sysadmin’s Goals
       - Keep the systems up.
       - Keep users happy and out of our hair.
       - Keep auditors at arm’s length.
       - Get more resources to do the job properly.
       - Wear jeans or shorts to work when everyone else has to wear suits...
    10. The Sysadmin’s Audit Strategy
       - Turn a perceived weakness (the audit) into a strength (security checklists).
       - Develop a set of reporting matrices that can be used as audit reports or as justification for security expenditures.
       - The same information can be used to help develop your incident response plan.
    11. The Committee
       - Management and technical personnel from the major areas of IS:
         - University Libraries
         - Educational Technologies
         - University Network Management Group
         - University Computing Center
         - Administrative Information Systems
    12. The Committee’s Scope
       - Information Systems Division only.
       - Identified and prioritized assets, then:
         - the RISKS associated with those ASSETS
         - the CONTROLS that may be applied to the ASSETS to mitigate the RISKS
       - Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to the assets we wish to protect.
    13. The Committee’s Charge
       - From our VP for Information Systems:
       - “Establish whether IS units are taking all reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service”
       - “Investigate and advise the VPIS as to the security of systems throughout the university…. Provide documentation of the security measures in place.”
    14. Identifying the Assets
       - Compiled a list of IS assets (100+ systems).
       - Categorized them as critical, essential or normal:
         - Critical: VT can’t operate without this asset for even a short period of time.
         - Essential: VT could work around the loss of the asset for up to a week. The asset needs to be returned to service as soon as possible.
         - Normal: VT could operate without this asset for a finite period, but entities may need to identify alternatives.
    15. Prioritizing the Assets
       - The network (routers, bridges, cabling, etc.) was treated as a single entity and deemed critical.
       - X assets were classified as critical and then rank ordered using a matrix prioritization technique: each asset was compared with every other asset and members voted on their relative importance. Members could split their vote.
    16. Identifying the Risks
       - A RISK was selected if it could cause an incident that would:
         - be extremely expensive to fix
         - result in the loss of a critical service
         - result in heavy, negative publicity, especially outside the university
         - have a high probability of occurring
       - Risks were prioritized using the same matrix prioritization technique.
    17. Mapping Risks and Assets
       - We built a matrix that maps the ordered list of critical assets against the ordered list of risks, regardless of whether or not:
         - a particular risk actually applies to the asset
         - controls exist and/or are already in place
       - The matrix provides general guidance about the order in which each asset/risk pair is examined. All assets/risks need to be examined eventually.
    18. Identifying Controls
       - Specific controls identified by the committee were put in a matrix.
       - The controls were then mapped against the list of risks; each cell holds the control IDs that can mitigate a particular risk for a particular asset.
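The prioritization and mapping steps on slides 15 through 18 can be carried out mechanically, and doing so makes the resulting matrices reproducible for the auditor. The following Python script is an added example, not code from the presentation or from VA Tech: it ranks assets and risks by pairwise committee votes (split votes allowed), lays out the asset/risk matrix in examination order, and fills each cell of the controls matrix with the control IDs that mitigate that risk for that asset. The asset names, risk names, control IDs and vote counts are constructed sample data, not the committee's actual lists, and the committee-size consistency check is an assumption added here to catch a comparison that was skipped or counted twice.

```python
from itertools import combinations


def pairwise_rank(items, votes, committee_size=None):
    """Rank items with the matrix prioritization technique from the slides.

    Every item is compared with every other item exactly once.  votes maps a
    pair (a, b) to (votes_for_a, votes_for_b); members may split their vote,
    so the numbers may be fractional.  If committee_size is given, each pair's
    votes must sum to it (an added sanity check, not from the slides), which
    catches a comparison that was skipped or double counted.
    Returns (ordered_items, scores); ties are broken by name so the output is
    reproducible from one committee meeting to the next.
    """
    scores = {item: 0.0 for item in items}
    for a, b in combinations(items, 2):
        if (a, b) in votes and (b, a) in votes:
            raise ValueError(f"{a!r} vs {b!r} recorded twice")
        if (a, b) in votes:
            va, vb = votes[(a, b)]
        elif (b, a) in votes:
            vb, va = votes[(b, a)]
        else:
            raise ValueError(f"missing comparison {a!r} vs {b!r}")
        if committee_size is not None and abs(va + vb - committee_size) > 1e-9:
            raise ValueError(f"{a!r} vs {b!r}: votes do not sum to {committee_size}")
        scores[a] += va
        scores[b] += vb
    ordered = sorted(items, key=lambda i: (-scores[i], i))
    return ordered, scores


def examination_order(ordered_assets, ordered_risks):
    """Asset/risk matrix (Exhibit E) read in priority order: highest-ranked
    asset first, each of its risks in ranked order, regardless of whether the
    risk applies to the asset or a control is already in place."""
    return [(a, r) for a in ordered_assets for r in ordered_risks]


def controls_matrix(ordered_assets, ordered_risks, controls):
    """Controls matrix (Exhibit F): for each (asset, risk) cell, the sorted IDs
    of controls that mitigate the risk and apply to the asset.  controls maps
    an ID to {"mitigates": set_of_risks, "applies_to": set_of_assets or None
    (None = applies to every asset)}."""
    matrix = {}
    for asset in ordered_assets:
        for risk in ordered_risks:
            ids = [cid for cid, c in controls.items()
                   if risk in c["mitigates"]
                   and (c["applies_to"] is None or asset in c["applies_to"])]
            matrix[(asset, risk)] = sorted(ids)
    return matrix


# Constructed sample data (hypothetical, not the committee's real lists):
# four critical assets, three risks, a four-member committee, four controls.
ASSETS = ["network", "mail", "dns", "registrar"]
ASSET_VOTES = {
    ("network", "mail"): (4, 0),
    ("network", "dns"): (3.5, 0.5),      # one member split their vote
    ("network", "registrar"): (3, 1),
    ("mail", "dns"): (1, 3),
    ("mail", "registrar"): (0.5, 3.5),
    ("dns", "registrar"): (1.5, 2.5),
}
RISKS = ["intrusion", "disk failure", "power loss"]
RISK_VOTES = {
    ("intrusion", "disk failure"): (3, 1),
    ("intrusion", "power loss"): (2.5, 1.5),
    ("disk failure", "power loss"): (3, 1),
}
CONTROLS = {
    "C1": {"mitigates": {"intrusion"}, "applies_to": None},        # border filtering
    "C2": {"mitigates": {"disk failure"}, "applies_to": None},     # backups
    "C3": {"mitigates": {"power loss"}, "applies_to": None},       # UPS
    "C4": {"mitigates": {"intrusion"},                             # host-based IDS,
           "applies_to": {"mail", "dns", "registrar"}},            # not for the network
}


def build_package():
    """Run the whole process once and return the ranked lists and matrices."""
    assets, asset_scores = pairwise_rank(ASSETS, ASSET_VOTES, committee_size=4)
    risks, risk_scores = pairwise_rank(RISKS, RISK_VOTES, committee_size=4)
    return {
        "assets": assets,
        "asset_scores": asset_scores,
        "risks": risks,
        "risk_scores": risk_scores,
        "order": examination_order(assets, risks),
        "controls": controls_matrix(assets, risks, CONTROLS),
    }


if __name__ == "__main__":
    pkg = build_package()
    print("Asset order:", pkg["assets"])
    print("Risk order: ", pkg["risks"])
    for (asset, risk), ids in pkg["controls"].items():
        print(f"{asset:10} {risk:13} {', '.join(ids) or '-'}")
```

Running the script prints the two ranked lists and the controls matrix in examination order. A cell with no control IDs is an asset/risk pair the committee has identified but not yet covered; those cells are the gaps the cost/benefit review on the Recommendations slide is meant to price.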
    19. Recommendations
       - The process recommends a general order in which IS should apply scarce resources to perform a cost/benefit analysis for the various assets and risks.
       - For each asset, as directed by management, appropriate staff should:
         - review the risks and controls
         - add any further risks/controls not identified
         - assess the potential cost of an incident
         - assess the cost of control purchases and deployment
         - analyze cost vs. benefit for each asset
         - submit results to management, which retains the responsibility to weigh investments and make implementation decisions
    20. References
       - http://security.vt.edu
       - www.sans.org
       - www.nipc.gov
       - www.jmu.edu/info-security
       - www.cornell.edu/CPL
       - www.securityfocus.com
       - www.insecure.org
    21. APPENDIX 1
       - The following matrices are examples of the matrix reports:
         - Exhibit A (ASSET Matrix)
         - Exhibit B (ASSET WEIGHT Matrix)
         - Exhibit C (RISKS Matrix)
         - Exhibit D (RISK WEIGHT Matrix)
         - Exhibit E (ASSET-RISK Matrix)
         - Exhibit F (CONTROLS Matrix)
    22. APPENDIX 2
       - The following spreadsheets are the compliance reports:
         - Overall Compliance Report: lists the general vulnerabilities a system has. This is a quick one-page report for management or the auditors.
         - Asset/Risk Matrix: lists whether a system is affected by a risk. The risks here are more specific.
         - Controls Matrix: lists what controls are in place for a given system.
         - Individual Action Matrix: lists the details of an audit for each node. Did the system comply?
    23. APPENDIX 3
       - The following checklist gives the detailed commands to be performed in the “audit”.
       - The categories are based on the Risk Matrices in Appendix 1.
       - The results of the checklist commands are inserted in the Compliance matrices of Appendix 2.
       - This checklist and the matrices form the overall audit/security checklist package.
    24. APPENDIX 4
       - Your company’s response policy will dictate the degree of audit record keeping you’ll have to maintain.
       - There are two strategies:
         - Protect and Proceed
         - Pursue and Prosecute
    25. Incident Handling: Protect and Proceed?
       - Which strategy should your organization follow to handle an incident? The choice dictates the level of record keeping needed to fulfill the strategy. (RFC 2196)
       - Protect and Proceed emphasizes:
         - the protection and preservation of site facilities
         - return to normal operations as soon as possible
         - actively interfering with intruder attempts
         - beginning immediate damage assessment and recovery
       - Use if:
         - assets are not well protected
         - continued penetration could result in financial risk
         - the possibility or willingness to prosecute is not present
         - the user community is unknown
         - users are unsophisticated and their work is vulnerable
         - the site is vulnerable to lawsuits from users if their resources are undermined
    26. Incident Handling: Pursue and Prosecute?
       - Allow intruders to continue their activity until the site can identify them. This is the approach recommended by law enforcement agencies.
       - Use if:
         - system assets are well protected
         - good backups are available
         - asset risks are outweighed by the risk of future penetrations
         - it’s a concentrated and frequent attack
         - the site has a natural attraction to intruders, e.g. a university or a bank
         - the site is willing to spend the money and accept the risk to catch the intruder
         - intruder access can be controlled
         - well-developed monitoring tools are available
         - you have a technically competent support staff
         - management is willing to prosecute
         - system administrators know in general what evidence will aid in prosecution
         - there is established contact with law enforcement agencies
         - the site has involved its legal staff