Prioritizing an audit program using the 20 critical controls
1. Prioritizing an Audit Program Using the Consensus Audit Guidelines (CAG)
   James Tarala
   © 2010 James Tarala - Prioritizing an Audit Program

2. Issue Statement #1
   - Traditionally the focus of audit groups has not been to audit for information security
   - Historical progression of audit focuses:
     – Accounting
     – Fraud
     – Compliance
     – Security / Assurance*

3. Issue Statement #2

4. Other Issues to Consider
   - Today there are no "Generally Accepted" practices for IS Audit
   - It is difficult to find agreement on what's important to audit as well as how to perform an audit
   - Risk measurements are mostly subjective in organizations
   - Metrics are not generally used when evaluating IS security
   - We are too reliant on "paperwork reviews" to evaluate information security programs

5. One Reason This is Important
   - Here are some data breaches that were reported in 2009 (most were not)
   - Just a small sample (organization / records breached / date):
     – Heartland Payment Systems (130+ million – 1/2009)
     – Oklahoma Dept of Human Services (1 million – 4/2009)
     – Oklahoma Housing Finance Agency (225,000 – 4/2009)
     – University of California (160,000 – 5/2009)
     – Network Solutions (573,000 – 7/2009)
     – U.S. Military Veterans Administration (76 million – 10/2009)
     – BlueCross BlueShield Assn. (187,000 – 10/2009)

6. Another Reason This is Important
   - The threats are becoming more serious and more difficult to stop

7. How Do the 20 Critical Controls Fit?
   - For auditors:
     – They prioritize critical controls
     – They instruct how to truly audit for information assurance
     – They help set audit strategy
     – They can automate testing
     – They can facilitate meaningful reporting
   - For auditors, they answer the question: what's really important?

8. A Few of the Document Contributors
   - Blue team members inside the Department of Defense
   - Blue team members who provide services for non-DoD government agencies
   - Red & blue teams at the US National Security Agency
   - US-CERT and other non-military incident response teams
   - DoD Cyber Crime Center (DC3)
   - Military investigators who fight cyber crime
   - The FBI and other police organizations
   - US Department of Energy laboratories
   - US Department of State
   - Army Research Laboratory
   - US Department of Homeland Security
   - Plus over 100 other contributors

9. The 20 Critical Controls
   1. Inventory of Authorized and Unauthorized Devices
   2. Inventory of Authorized and Unauthorized Software
   3. Secure Configurations for Hardware and Software on Laptops, Workstations, and Servers
   4. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
   5. Boundary Defense
   6. Maintenance, Monitoring, and Analysis of Audit Logs
   7. Application Software Security
   8. Controlled Use of Administrative Privileges
   9. Controlled Access Based on Need to Know
   10. Continuous Vulnerability Assessment and Remediation
   11. Account Monitoring and Control
   12. Malware Defenses
   13. Limitation and Control of Network Ports, Protocols, and Services
   14. Wireless Device Control
   15. Data Loss Prevention
   16. Secure Network Engineering
   17. Penetration Tests and Red Team Exercises
   18. Incident Response Capability
   19. Data Recovery Capability
   20. Security Skills Assessment and Appropriate Training to Fill Gaps

10. CAG Core Evaluation Steps
   - Defined in the latest version of the 20 Critical Controls (after version 2.1)
   - One or two tests which can be performed to determine if the business goal of the control has been met
   - Mental goal:
     – It's all about meeting a business goal
     – Don't over-think the controls as a technician
   - Each test is technical in nature (no paperwork reviews)

11. Sample Test for Control #1
   - Place ten unauthorized devices on various portions of the organization's network, unannounced, to see how long it takes for them to be detected
     – They should be placed on multiple subnets
     – Two should be in the asset inventory database
     – Devices should be detected within 24 hours
     – Devices should be isolated within 1 hour of detection
     – Details regarding location and department should be recorded

12. Sample Metrics for Control #1

   | ID | Testing / Reporting Metric | Response |
   |----|----------------------------|----------|
   | 1a | How long does it take to detect new devices added to the organization's network? | Time in Minutes |
   | 1b | How long does it take the scanners to alert the organization's administrators that an unauthorized device is on the network? | Time in Minutes |
   | 1c | How long does it take to isolate / remove unauthorized devices from the organization's network? | Time in Minutes |
   | 1d | Are the scanners able to identify the location, department, and other critical details about the unauthorized system that is detected? | Yes/No |
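The following is an added worked example, not part of the slide deck or any tool the deck describes. It scores a run of the Control #1 sample test (slides 11 and 12) against the stated thresholds: ten planted devices across several subnets, two of them already in the asset inventory, detection within 24 hours, isolation within 1 hour of detection, and location/department recorded. The scanner log format (`<timestamp> <ACTION> key=value ...`), the MAC addresses, subnets, and timings are all constructed for illustration, and the rule that a pre-registered device is treated as authorized (so only the other eight are expected to be isolated) is an assumption the slide does not spell out.

```python
"""Score a planted-device test for Critical Control #1 (added example, not from the slides).

Reports metrics 1a-1d per device and flags every threshold the run missed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

DETECT_LIMIT_MIN = 24 * 60  # 1a: detected within 24 hours of placement
ISOLATE_LIMIT_MIN = 60      # 1c: isolated within 1 hour of detection


@dataclass
class Planted:
    mac: str
    subnet: str
    placed_at: datetime
    in_inventory: bool  # two of the ten are deliberately pre-registered


# Constructed test plan: ten devices, two per subnet, devices 4 and 7 in the inventory.
T0 = datetime(2010, 3, 1, 9, 0)
PLANTED = [Planted(f"00:1a:aa:00:00:{i:02d}", f"10.{(i + 1) // 2}.0.0/24", T0, i in (4, 7))
           for i in range(1, 11)]

# Constructed scanner / NAC log in a hypothetical "<ISO time> <ACTION> k=v ..." format.
# Device 06 never appears; device 08 is detected without location/department.
SCANNER_LOG = """\
2010-03-01T09:12:00 DETECT mac=00:1a:aa:00:00:01 subnet=10.1.0.0/24 location=HQ-2F dept=Finance
2010-03-01T09:14:00 ALERT mac=00:1a:aa:00:00:01
2010-03-01T09:40:00 ISOLATE mac=00:1a:aa:00:00:01
2010-03-01T09:20:00 DETECT mac=00:1a:aa:00:00:04 subnet=10.2.0.0/24 location=HQ-3F dept=HR
2010-03-01T09:25:00 DETECT mac=00:1a:aa:00:00:07 subnet=10.4.0.0/24 location=DC-1 dept=IT
2010-03-01T09:30:00 DETECT mac=00:1a:aa:00:00:02 subnet=10.1.0.0/24 location=HQ-2F dept=Finance
2010-03-01T09:31:00 ALERT mac=00:1a:aa:00:00:02
2010-03-01T10:45:00 ISOLATE mac=00:1a:aa:00:00:02
2010-03-01T09:45:00 DETECT mac=00:1a:aa:00:00:05 subnet=10.3.0.0/24 location=Lab-B dept=R&D
2010-03-01T09:46:00 ALERT mac=00:1a:aa:00:00:05
2010-03-01T10:10:00 ISOLATE mac=00:1a:aa:00:00:05
2010-03-01T10:05:00 DETECT mac=00:1a:aa:00:00:03 subnet=10.2.0.0/24 location=HQ-3F dept=HR
2010-03-01T10:06:00 ALERT mac=00:1a:aa:00:00:03
2010-03-01T10:20:00 ISOLATE mac=00:1a:aa:00:00:03
2010-03-01T11:00:00 DETECT mac=00:1a:aa:00:00:08 subnet=10.4.0.0/24
2010-03-01T11:03:00 ALERT mac=00:1a:aa:00:00:08
2010-03-01T11:30:00 ISOLATE mac=00:1a:aa:00:00:08
2010-03-02T08:00:00 DETECT mac=00:1a:aa:00:00:09 subnet=10.5.0.0/24 location=Branch-7 dept=Sales
2010-03-02T08:01:00 ALERT mac=00:1a:aa:00:00:09
2010-03-02T08:30:00 ISOLATE mac=00:1a:aa:00:00:09
2010-03-02T10:30:00 DETECT mac=00:1a:aa:00:00:10 subnet=10.5.0.0/24 location=Branch-7 dept=Sales
2010-03-02T10:32:00 ALERT mac=00:1a:aa:00:00:10
2010-03-02T10:50:00 ISOLATE mac=00:1a:aa:00:00:10
""".splitlines()


def parse_log(lines: List[str]) -> List[dict]:
    """Parse the constructed log into events: {'ts', 'action', plus any key=value fields}."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        ev = {"ts": datetime.fromisoformat(parts[0]), "action": parts[1]}
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def _minutes(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    return None if start is None or end is None else (end - start).total_seconds() / 60


def score_device(dev: Planted, events: List[dict]) -> Dict[str, object]:
    """Metrics 1a-1d for one planted device; elapsed minutes are None if the step never happened."""
    mine = sorted((e for e in events if e.get("mac") == dev.mac), key=lambda e: e["ts"])

    def first(action: str) -> Optional[dict]:
        return next((e for e in mine if e["action"] == action), None)

    detect, alert, isolate = first("DETECT"), first("ALERT"), first("ISOLATE")
    detect_ts = detect["ts"] if detect else None
    return {
        "mac": dev.mac,
        "in_inventory": dev.in_inventory,
        "1a_detect_min": _minutes(dev.placed_at, detect_ts),
        "1b_alert_min": _minutes(detect_ts, alert["ts"] if alert else None),
        "1c_isolate_min": _minutes(detect_ts, isolate["ts"] if isolate else None),
        "1d_details": bool(detect and detect.get("location") and detect.get("dept")),
    }


def score_run(planted: List[Planted], log_lines: List[str]) -> Dict[str, object]:
    """Score the whole run against the slide's thresholds and list every failed check."""
    rows = [score_device(d, parse_log(log_lines)) for d in planted]
    failures = []
    for r in rows:
        detected = r["1a_detect_min"] is not None
        if not detected or r["1a_detect_min"] > DETECT_LIMIT_MIN:
            failures.append((r["mac"], "1a: not detected within 24 h"))
        # Assumption: an inventoried device counts as authorized, so isolation is not expected.
        late = r["1c_isolate_min"] is None or r["1c_isolate_min"] > ISOLATE_LIMIT_MIN
        if detected and not r["in_inventory"] and late:
            failures.append((r["mac"], "1c: not isolated within 1 h of detection"))
        if detected and not r["1d_details"]:
            failures.append((r["mac"], "1d: location/department not recorded"))
    subnets = {d.subnet for d in planted}
    return {"devices": rows, "subnets_covered": len(subnets), "failures": failures,
            "passed": len(subnets) > 1 and not failures}


if __name__ == "__main__":
    result = score_run(PLANTED, SCANNER_LOG)
    for row in result["devices"]:
        print(row)
    print("subnets:", result["subnets_covered"], "passed:", result["passed"], "failures:", result["failures"])
```

The constructed log deliberately exercises each failure mode the slide's thresholds can catch: one device is never seen (1a), one is isolated 75 minutes after detection (1c), one is detected after 25.5 hours (1a), and one is detected with no location or department (1d). Swapping the real scanner's export into `parse_log()` is the only change needed to score an actual run.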
13. Case Study: Large Retirement Fund
   - We have already started using the controls as the foundation of an assurance audit program
   - Large financial services company

14. Where to Learn More:
   - Center for Strategic & International Studies (http://csis.org/program/commission-cybersecurity-44th-presidency)
   - The SANS Institute (http://www.sans.org/critical-security-controls/)
   - James Tarala
     – E-mail: james.tarala@enclavesecurity.com
     – Twitter: @isaudit & @jamestarala
     – Blog: http://enclavesecurity.com/blogs/