Chapter 7: Auditing, Testing, and Monitoring


Personal Information Protection and Electronic Documents Act (PIPEDA)

A Canadian law that governs how organizations collect, use, or disclose personal information in e-commerce transactions

Examples of Non-real-time monitoring

Application logging- all applications that access or modify sensitive data should have logs that record who used or changed the data and when
System logging- provides records of who accessed the system and what actions they performed on the system
Activities you need to log: host-based activity; network and network devices

Audit checks whether controls are

Appropriate- Is the level of security control suitable for the risk it addresses?
Installed correctly- Is the security control in the right place and working well?
Addressing their purpose- Is the security control effective in addressing the risk it was designed to address?

Security Monitoring tools and techniques

Baselines: understanding what normal looks like so you can compare it to what is happening (e.g., 40 percent disk usage that suddenly doubles overnight)
Alarms, alerts, and trends: responses to security events that notify personnel of a possible security incident (alert = door chime when you open the door / alarm = sound when the alarm is set and the door is opened)
Closed-circuit TV: monitoring and recording what the TV cameras see
Systems that spot irregular behavior: IDSs and honeypots- traps set to capture information about improper activity on a network

Audits generally contain at least 3 broad sections

Findings
Recommendations: timelines for implementation, level of risk, management response
Follow up

SOC 1

Internal controls over financial reporting (ICFR). Users and auditors. This is commonly implemented for organizations that must comply with Sarbanes-Oxley (SOX) or the Gramm-Leach-Bliley Act (GLBA)

Real-Time monitoring examples

Intrusion detection system
Host IDS- a host intrusion detection system (HIDS) notices activity in a computer as the activity is happening
System integrity monitoring- enables you to watch computer systems for unauthorized changes and report them to administrators in near real time
Data loss prevention (DLP)- uses business rules to classify information to prevent unauthorized end users from sharing it

Security Review elements

Monitor- Review and measure all controls to capture actions and changes on the system
Audit- Review the logs and overall environment to provide independent analysis of how well the security policy and controls work
Improve- Include proposals to improve the security program and controls in the audit results. This step applies to the recommended changes as accepted by management
Secure- Ensure that new, and existing, controls work together to protect the intended level of security

Most common permission levels

Promiscuous- Everything is allowed. Used by many home users but makes it easier for attackers to succeed
Permissive- Anything not specifically prohibited is OK. Suitable for most public internet sites, some schools and libraries, and many training centers
Prudent- A reasonable list of things is permitted; all others are prohibited and carefully monitored. Suitable for most businesses
Paranoid- Very few things are permitted; all others are prohibited and carefully monitored. Suitable for secure facilities

Real-time monitoring

Provides information on what is happening as it happens

Audit Data collection methods

Questionnaires- both managers and users
Interviews- gathering insight into operations from all parties; often prove to be valuable sources of information and recommendations
Observation- input used to differentiate between paper procedures and the way the job is really done
Checklists- help ensure that the information gathering process covers all areas
Reviewing documentation- assess currency, adherence, and completeness
Reviewing configurations- assessing change control procedures and the appropriateness of controls, rules, and layout
Reviewing policy- assessing policy relevance, currency, and completeness
Performing security testing- along with vulnerability testing and penetration testing, involves gathering technical information to determine whether vulnerabilities exist in the security components, networks, or applications

Federal laws or vendor standards that require internal and external audits

Sarbanes-Oxley Act (SOX)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI DSS)

SOC 2

Security (confidentiality, integrity, availability) and privacy controls. Management, regulators, stakeholders. This is commonly implemented for service providers, hosted data centers, and managed cloud computing providers.

SOC 3

Security (confidentiality, integrity, availability) and privacy controls. Public. This is commonly required for the customers of SOC 2 service providers to verify and validate that the organization is satisfying customers' private data and compliance law requirements (such as HIPAA and GLBA)

Auditor planning and execution phases

Survey the site(s)- understanding the environment and connections between systems
Review documentation- system documentation and configuration during planning and as part of the audit
Review the risk analysis output- understand system criticality ratings
Review server and application logs- examine logs to look for changes in programs, permissions, or configurations
Review incident logs- review security incident logs to get a feel for problem trends
Review results of penetration tests- helps prepare a list of weaknesses that were found. The auditor reviews this report to address all items

NIST Cybersecurity Framework (CSF)

A response to a US presidential executive order calling for increased cybersecurity (2014). Focuses on critical infrastructure components but is applicable to many general systems. A road map for securing systems that can help auditors align business drivers and security requirements

COBIT (Control Objectives for Information and related Technology)

a set of best practices for IT management. Gives managers, auditors, and IT users a set of generally accepted measures, indicators, processes, and best practices.

ISO 27002

best-practices document that gives good guidelines for information security management. Organizations must perform an audit to verify that all provisions are satisfied in order to claim compliance

Service Organization Control (SOC)

defines the scope and contents of three levels of audit reports (SOC 1, SOC 2, SOC 3)

Statement on Standards for Attestation Engagements Number 16 (SSAE 16)

expanded the scope of SAS 70 and is the predominant auditing and reporting standard for service organizations

Particular industries that require internal and external audits

financial services organizations and any organization that handles personal medical records

Covert acts

hidden and secret

Network and network devices

include access, traffic type and patterns, malware, and performance

Host-based activity

includes changes to systems, access requests, performance, and startups and shutdowns

Non-real-time monitoring

keeps historical records of activity. Can be used when it's not as critical to detect and respond to incidents immediately

Overt acts

obvious and intentional

Audit

provides management with an independent assessment of whether the best controls are in place and how well they work. Helps management understand and address the risks

ITIL (information technology infrastructure library)

set of concepts and policies for managing IT infrastructure, development, and operations. Gives a detailed description of a number of important IT practices

Auditing Standards Number 70 (SAS 70)

the first standard of its kind; provided audit guidance for many service organizations (type 1 and type 2). Retired in June 2011
Type 1: encompasses the service auditor's assessment of the service organization's description and implementation of controls to achieve the environmental control objectives
Type 2: Type 1 as well as the service auditor's assessment of whether or not the identified controls were implemented and operating effectively

benchmark

the standard to which your system is compared to determine whether it is securely configured

COSO (Committee of Sponsoring Organizations)

Volunteer-run organization that gives guidance to executive management and governance entities on critical aspects of organization governance, business ethics, internal control, enterprise risk management, fraud, and financial reporting. Established a common internal control model

