Rothke Patchlink


Anatomy of an Information Security Audit and How To Pass It. Patchlink 360 conference. Ben Rothke


  1. Anatomy of an Information Security Audit and How To Pass It
     Ben Rothke, CISSP CISM, Senior Security Consultant, INS
  2. About Me
     - Ben Rothke, CISSP CISM
     - Senior Security Consultant – INS (soon to be BT INS)
     - Previously with AXA Equitable, Baltimore Technologies, Ernst & Young, Citibank.
     - Have worked in the information technology sector since 1988 and in information security since 1994
     - Frequent writer and speaker
     - Author of Computer Security: 20 Things Every Employee Should Know (McGraw-Hill 2006)
  3. Agenda
     - This session is:
       - A high-level overview of what an audit is
       - What to know to prepare for and pass an information security audit
       - Based on my consulting experience at a large spectrum of Fortune 500 companies
     - This session is not:
       - A detailed walk-through of an information security audit
       - A review or recommendation of audit software tools
       - A monologue
         - Feel free to ask a question, make a comment, etc.
  4. Definition - Audit
     - Systematic examination against defined criteria to determine whether activities and related results conform to planned arrangements and whether these arrangements are implemented effectively and are suitable to achieve the company's policy and objectives.
     - Planned, independent and documented assessment to determine whether agreed-upon requirements are being met.
     - Professional examination and verification, performed by either an independent party or a company's internal audit function, of the company's accounting documents and supporting data.
       - Upon completion of the examination, the auditor will render an opinion as to the fairness, consistency, and conformity of the information.
  5. Things to think about in the audit process
     - An opportunity for an objective, skilled and impartial review of the program's operations, which can result in significant suggestions for improvement.
     - Bring out the best in the audit team and the security staff.
  6. Audit and regulations
     - Information technology and information security are new on the regulatory scene. Other industries have lived and breathed with a regulatory body for many years:
       - Pharmaceutical - FDA
       - Aviation - FAA
       - Manufacturing - OSHA
       - Securities - SEC
     - Today's IT environments are not the IT shops of old
       - In the past, it was about keeping the hackers out
       - Now it's about understanding and managing controls to assign accountability and support audits
       - Penalties - fines up to $5 million and 20 years in jail
  7. Security and compliance are not rocket science
     - While the mathematics of cryptography is rocket science, most aspects of information security, compliance and audit are not.
     - Computer security is simply attention to detail and good design, combined with good project management.
  8. Frameworks
     - Base your security program on a security framework
     - Use ISO 17799, COBIT, etc., and not regulatory mandates
       - The myriad security and privacy regulations have roughly 85% commonality
       - SOX, GLBA, SEC 17-a and all of the countless new regulations deal with the fundamental issues of computer security and privacy.
       - Once the framework and associated controls are established, map them to current and future regulations, making adjustments where necessary.
       - If a security program is based on compliance mandates, it will have to be updated with every new regulation
       - A regulation typically addresses one particular type of risk (e.g., protecting personal information, protecting credit card numbers), but does not address business risk
  9. Security vs. compliance
     - Which is better – security or compliance?
       - The most effective way to deal with regulations is to create an effective information security foundation and infrastructure.
       - With this security foundation in place, an organization can easily deal with any new regulation that comes into law.
     - Should security dollars be redirected towards compliance?
  10. Management
     - Audit success or failure ultimately depends on how committed management is.
       - If management cares, you will pass the audit
       - If management does not care or is clueless, you will fail the audit.
  11. Don't lie for management
     - Management has been known to ask an individual to sign off on or attest to an item that is not compliant.
     - You should never lie for management
       - Many audit issues are due to management incompetence and ineptitude, i.e., it is their fault.
     - If management asks you to lie, or hints that your job may be at risk if they fail the audit, immediately seek legal counsel.
     - Decision time:
       - You can't be legally terminated for telling the truth
       - You can be terminated, decertified, fined, and subjected to prosecution and jail time if you lie to the auditors or falsify data.
       - Ask yourself: is it worth it to lie?
  12. Spaf's Law
     - Professor Eugene Spafford, PhD, Purdue University
     - "If you have responsibility for security but have no authority to set rules or punish violators, your own role in the organization is to take the blame when something big goes wrong."
  13. No surprises
     - If you are surprised by negative audit results, something is likely wrong.
       - Akin to going to the doctor for a physical: you should have a relatively good understanding of your condition and know what to expect.
  14. One-minute pre-audit
     - Do you have a CISO/GISO/BISO in place?
     - Is there a formal business security program in place designed to protect corporate information assets?
     - Have short-term and long-term strategies toward mitigating risks and exposures relative to your security program requirements been developed?
     - Do you focus on information security as a process, not a set of products or regulatory items to be checked off?
     - Have you identified all regulatory requirements you fall under?
       - Answered yes to 4 or more – don't worry, you should easily pass the audit
       - Answered yes to 1 or less – your management team is derelict in its duties
  15. Getting serious about security
     - Scored 2 or less on the one-minute pre-audit?
       - Management needs to start getting serious about security.
     - Customers and clients expect management to run the business in a way that manages risk.
     - New security and privacy regulations impact all companies
       - Regulators are active globally and are asking tougher questions about privacy, security, data management and control environments.
       - Regulators and law enforcement authorities have been aggressively inspecting and pursuing ID theft, privacy breaches and the lack or failure of safeguards.
  16. The Audit
  17. Understanding the audit process - preparation
     - Be prepared
       - Preparation is crucial
         - Don't wait until the last minute to get ready for the audit
         - Think like a wedding planner
       - Know the depth of the audit
         - For a small set of systems and a single application, or much larger
         - Physical sites
         - Comprehensive, covering the entire global organization
       - Ensure appropriate staff members are available
         - And that they have adequate security levels to assist
  18. Understanding the audit process - preparation
     - Rule #1 of compliance management
       - Know and understand the regulation
       - Understand how you are in compliance with each regulatory point
     - Huge mistake: not reading or interpreting the audit regulations.
  19. Phases of an audit
     - Most audits contain the following 3 phases:
       - Planning
       - Examination and testing
       - Reporting
  20. Know what to expect
     - Working together
       - Know your role in the audit process
       - Know the auditor's role in the audit process
         - Auditors are human; they make mistakes
         - Don't be argumentative
         - If they document what you feel are erroneous comments, you will later have the opportunity to comment on the accuracy and relevancy of the finding.
     - Honesty is the best policy
       - Corollary – auditors hate it when you lie
       - Transparency
  21. Communicating with the auditors
     - Respond honestly and in a timely fashion
     - Don't lie
     - Don't guess
     - Always follow through if unsure
     - Communicate openly and directly
     - Admit deficiencies
     - Discuss how to correct findings
     - Don't point the finger at others
     - Don't send auditors on a wild goose chase
  22. Communicating with the auditors
     - Your relationship with the auditors should be based on a formal business focus
       - Keep it amicable and cordial
       - Auditors are not your buddies
       - They have friends, just not you.
     - It is OK to share a clean joke or discuss innocuous events
     - Don't try to be friends with the auditor
       - Overall, talk to the auditor as if you were speaking in a deposition
       - Attempting to use friendship, gifts or the like to influence the audit is imprudent at best, illegal at worst.
  23. Communicating with the auditors
     - Don't fall into a subordinate relationship with the auditors
       - You are assisting them, but you do not work for them
       - Don't depend on them for guidance
       - Don't depend on them for answers to regulatory questions
  24. Things that make auditors nervous
     - Wireless anything
     - Shared IDs
     - Shared passwords
     - Emailing of sensitive information
     - Personal email accounts (Hotmail, Gmail, etc.)
     - Stale policies and risk management plans
     - Passwords on Post-it notes
     - Passwords saved in cleartext on servers
     - Unsecured laptops
     - Files/backup tapes stored in a car
       - This is not what off-site means
  25. Know what to expect - Policies
     - Auditors want to see your set of information system policies
     - Policies are:
       - the codification of control objectives
       - the definition of how companies control their information use and access
       - a written document that specifies how an organization will manage, protect, and distribute information.
     - Know which policies exist, and what they do and don't cover
       - Have them easily available in both soft and hard copies
  26. Know what to expect – Controls
     - Controls
       - Processes, effected by an entity's board of directors and management, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
         - Effectiveness and efficiency of operations
         - Reliability of financial reporting
         - Compliance with applicable laws and regulations
       - Must be documented, tested, and demonstrated to be either manually verified (which is acceptable to auditors) or automatically enforced (which auditors prefer)
       - Knowing how an auditor will evaluate controls is important
       - Controls must be applied in a consistent and sustainable manner
  27. Control Objective / Practice Lists
     - Control Objective: Logical security tools and techniques are implemented, configured, and administered to enable restriction of access to data and programs.
       - General Control Practice: Network firewalls restrict traffic into the internal network from all external sources to applications that require strong authentication.
     - Control Objective: Logical security tools and techniques are implemented, configured, and administered to enable restriction of access to data and programs.
       - Applications: Client/Server, FM-SYS, QTAR-8
       - Application Control Practice: Strong authentication is provided via Single Sign-On.
  28. Control Practice Description
  29. Controls testing
     - Once the auditor has gathered the documentation, the testing phase of the audit will commence.
     - Testing goals
       - confirm compliance
       - validate internal documentation
       - verify effective organizational policy.
     - Testing can cover many system programs (firewalls, IDS, etc.) and manual processes (adding a user, running a backup)
       - Testing will invariably identify deficiencies or shortcomings
  30. Audit defense
     - Defending your position
       - Auditors are human, not infallible: they make mistakes
         - Assuming that the auditor knows the company and its business activities
       - Requires you to be able to defend your position
       - You must understand the requirements of the audit and the associated regulations
         - Read the regulations
         - Read the audit requirements
       - Understand your security infrastructure
         - Know who does what and where they execute it
       - In your reply to erroneous audit findings, stick with the facts
         - No name calling, insulting, etc.
         - Stay rational, not emotional
  31. Program Management
     - Formal system of risk management
       - Show that the work has been adequately planned and supervised
       - Demonstrate that internal controls have been appropriately studied and evaluated
       - A few IDS sensors rolled out over the previous weekend does not demonstrate that
       - Nor do security hardware and software systems deployed without proper policies, documentation, etc.
     - Cramming for risk compliance
       - Rather than cramming for compliance like a high-school student at finals, which will not satisfy the auditors, admit non-compliance.
       - Spend the time building a program, rather than developing bogus documentation for a set of risk management controls that don't work or don't exist.
  32. Program Management
     - Risk analysis and assessments
       - The best compliance ROI is built on a comprehensive risk analysis
     - Policies and procedures
     - Adequate staff and budget
  33. Documentation
     - Documentation is the auditor's best friend
       - Proof that you have done your due diligence.
       - Auditors use documentation in part to determine if your information security design and controls are adequate.
       - Auditors view documentation as an essential element of audit quality
     - If an auditor asks for additional information, give it to them in a timely manner.
       - Reluctance to share information can give the impression that you have something to hide.
  34. Documentation
     - Network diagrams
       - An accurate network map listing all network elements down to the wiring closet level
       - Servers, switches, hubs, firewalls, routers, etc.
       - All connectivity must be known, including type, terminating equipment, locations, etc.
       - A good auditor will not simply trust the diagrams to be the absolute truth: they will verify.
     - Policies
     - Procedures
     - Previous audit reports
     - Risk assessments
  35. Documentation
     - Documentation should be written in a style an auditor can easily understand
       - Write your documentation like a For Dummies book
       - Avoid technical jargon
       - Use diagrams and illustrations whenever possible
     - Documentation takes a lot of time
       - Plan ahead
       - Auditors can tell when documentation is rushed
     - "The skill of an accountant can always be ascertained by an inspection of his working papers."
       - Robert Montgomery, Montgomery's Auditing, 1912
  36. Staffing
     - An audit can be lengthy and can place significant stress on your internal resources.
     - You must assign staff to work with the auditors.
       - Don't insult the auditors by assigning a junior or inexperienced person to this task
     - The person must be able to dialogue effectively with the auditors.
       - Know the business
       - Know the organization
       - Know the security foundation and how it is implemented
  37. The audit report
     - Often presented in a scorecard approach, which generally contains:
       - a description of the audit scope
       - the audit objectives
       - the audit methodology
       - a statement that the audit was conducted in accordance with accepted auditing standards
       - a description of the findings
       - recommendations for corrective action
     - Use the report for the next audit
       - Future audits will heavily reference it, and so should you
  38. The audit report
     - You will generally be given 7-10 days to review a draft of the final report that includes all audit points.
     - If needed, request revisions.
       - If you don't like the wording or tone, ask the auditor to change it.
     - Negotiate agreement with the auditor on:
       - Condition – factually describes the audit evidence and makes no judgments; just the facts
       - Criteria – the objective standard as to why the audit point is valid
       - Cause – the root cause is identified rather than some proximate cause
       - Effect – the risk that the condition presents to the business, not only to the computing environment.
  39. Project plans for improvements
     - Failure is an option
       - Deficiencies are inevitable
       - There is no such thing as a perfect network.
     - If needed, let the audit process be a learning experience
     - But... you must show your plans for improvement
     - You must commit to act on the findings and recommendations
  40. Conclusion
     - An audit is simply a reflection of the entity being audited.
     - The audit process can be:
       - A golden opportunity upon which to build an effective information systems security program
       - An excuse for management to deny responsibility by invoking Spaf's law and terminating some information security staff
     - At its best, the audit can showcase the operational excellence of the information security staff, and be used as a guide book with which to navigate the dynamic world of risk management and information security.
  41. Q & A
     - Contact information
       - Ben Rothke, CISSP CISM
       - Senior Security Consultant
       - BT GS
       - [email_address]