Security Audits Standards Inspections CSH 6 Chapter 54

  • Slides: 52
Security Audits, Standards, & Inspections
CSH 6 Chapter 54 “Security Audits, Standards and Inspections”
Donald Glass, Chris Davis, John Mason, David Gursky, James Thomas, Wendy Carr, and Diane Levine
Copyright © 2020 M. E. Kabay. All rights reserved.

Topics
Ø Introduction
Ø Auditing Standards
Ø SAS 70 Audits
Ø Sarbanes-Oxley
Ø Addressing Multiple Regulations
Ø Technical Frameworks for IT Audits

Introduction (1)
Ø Non-IT auditors
  q. Financial: accuracy/integrity of accounting
  q. External: material, macro-level issues (e.g., governance, reporting, legal compliance)
  q. Internal: transaction-level controls, protecting assets, validating systems
Ø Recent legal/regulatory changes affect auditing
  q. Especially regulatory compliance
  q. Validating protection of mission-critical systems
  q. Ensuring that weaknesses in IT infrastructure/security do not affect other parties (who can sue for damages)

Introduction (2)
Ø Management attitudes range from
  q. We have to do this – part of cost of doing business
  q. Nice to have (but don’t spend much)
Ø These attitudes ignore added value from audits
  q. QUESTION FOR CLASS: WHAT ARE SOME BENEFITS OF AUDITS BEYOND ASSURANCE OF COMPLIANCE?
  q. Auditing increasingly included in IA training programs & certifications

Auditing Standards
Ø Introduction to ISO
Ø ISO/IEC 27001
Ø Gramm-Leach-Bliley Act
Ø Auditing Standards Conclusions

Introduction to ISO
Ø International Organization for Standardization
  q. Nongovernmental cooperative
  q. Creates, identifies, publishes industry standards
  q. Business & technology (not just IT)
Ø Member committees work on specific standards
  q. Represent best practices
  q. E.g., ISO 9000 standards have become world-recognized for quality
  q. ISO 27000 increasingly accepted as international standard for information security management
Ø See also CSH 6 Chapters
  q. 44 “Security Policy Guidelines”
  q. 65 “Role of the CISO”

History of ISO Standards (1)
Ø British Standard (BS) 7799 published Feb 1995
  q. Part 1: Best Practices for Information Security Management
  q. Part 2: Specifications for Information Security Management Systems
  q. Part 3: Guidelines for Information Security Risk Management

History of ISO Standards (2)
Ø BS 7799 Part 1 became ISO 17799 (Dec 2000) with 10 domains:
  1. Business continuity planning
  2. Systems access control
  3. System development & maintenance
  4. Physical & environmental security
  5. Compliance
  6. Personnel security
  7. Security organization
  8. Computer & operations management
  9. Asset classification & control
  10. Security policy

History of ISO Standards (3)
Ø Later converted ISO 17799 to ISO/IEC 17799:2005
  q. IEC = International Electrotechnical Commission (Geneva)
  q. Information Technology – Security Techniques – Code of Practice for Information Security Management
Ø Added objectives, controls
Ø Updated previous editions to include new technology
  q. E.g., wireless networks
Ø ISO/IEC 27000 goes beyond ISO/IEC 17799 (see next slides)

ISO/IEC 27001 (1)
Ø ISO/IEC 27000: Fundamentals & Vocabulary
Ø ISO/IEC 27001:2005. ISMS – Requirements
Ø ISO/IEC 27002:2005. Code of Practice for Information Security Management
Ø ISO/IEC 27003:2010. ISMS Implementation Guidance
Ø ISO/IEC 27004*. Information Security Management Measurement
Ø ISO/IEC 27005*. Information Security Risk Management
Ø ISO/IEC 27006:2007. Requirements for Bodies Providing Audit and Certification of Information Security Management Systems
Notes: ISMS = information security management system
* Under development as of March 2010

ISO/IEC 27001 (2)
Ø ISO/IEC 27001
  q. Similar to OECD guidance on security of IS & NW
  q. Includes PDCA cycle
    ü Plan-Do-Check-Act
    ü Invented by W. Edwards Deming (1950s)
Ø Certification
  q. Indicates formal compliance with standards
  q. Business benefits (public visibility to stakeholders)
  q. Operational benefits (fewer errors, better response, greater resilience)

Gramm-Leach-Bliley Act
Financial Services Modernization Act of 1999 = GLBA*
Ø Main proposers were Phil Gramm, Jim Leach, and Thomas Bliley, Jr.
Ø Regulates security of consumers’
  q. Personal financial information
  q. Nonpublic personal information (NPI)
Ø Also governs
  q. Privacy requirements for information
  q. Disclosures to third parties
  q. Prevention of pretexts for information-gathering
*See also CSH 6 Chapter 64: US Legal & Regulatory Issues

Auditing Standards Conclusions
Ø May combine compliance, auditing, risk management into cooperative function
Ø Growing managerial acceptance of need for risk management
Ø Benefits of regular audits include
  q. Threat identification
  q. Reduced costs through optimization of resource allocation & operations
  q. Support for internal information assurance
  q. Protection against lawsuits through certification & compliance with industry standards
  q. Supporting due diligence claims

SAS* 70 Audits
Ø Introduction to SAS 70
Ø Costs and Benefits of SAS 70 Audits
Ø SAS 70 Audits Conclusion
*Statement of Auditing Standards

Introduction to SAS 70 (1)
Ø SAS 70 = Statement on Auditing Standards 70
  q. American Institute of Certified Public Accountants (AICPA)
  q. Reports on the Processing of Transactions Used by Service Organizations
  q. Full text available online: http://umiss.lib.olemiss.edu:82/record=b1038093
Ø Terminology
  q. Service organization (provides outsourcing)
  q. Service auditor (works for outsourcer)
  q. User organization (client)
  q. Users’ auditors (work for client)

Introduction to SAS 70 (2)
Ø SAS 70 audits are the primary method of evaluating a possible outsourcing supplier
Ø Outsourcing growing
  q. Reduce costs
  q. Focus on mission-critical functions internally
  q. Outsourced functions include
    ü Customer service, help desk
    ü Back-office data processing
    ü Human resources management, benefits
    ü Web site hosting
    ü Claims processing
    ü Finance & accounting

Introduction to SAS 70 (3)
Ø Type II audits include mandatory tests
Ø Type I may not test controls
Ø Therefore Type II more expensive but preferable for organizations desiring continuous process improvement

Introduction to SAS 70 (4)
Ø Process
  q. Initial assessment
  q. Evaluation of processing / transaction systems & controls
  q. Develop statement of work (SOW)
  q. Present SOW with estimated
    ü Completion date
    ü Details
    ü Costs
  q. Interviews with management, technical administrators

Introduction to SAS 70 (5)
Ø Management of audit team
  q. Usually CPA in charge of team
  q. Technical audit lead
    ü Evaluation / testing of systems & networks
  q. Application lead
    ü Evaluation / testing of application software
    ü E.g., databases, administrative software
Ø Auditors evaluate compliance with internal & external standards
Ø Report on deviations from expectation

Costs and Benefits of SAS 70 Audits
Ø Initial SAS 70 audit costs between $25K and $1M
Ø Small organization may not find it cost-effective
Ø Larger organizations use SAS 70 to comply with GLBA and SOX (Sarbanes-Oxley Act)
Ø SAS 70 uses COSO** standard
  q. Process for reviewing internal controls
  q. SOX § 404 uses COSO – see next section of these slides & § 54.4 of text
Ø See pros/cons of SAS 70 (Exhibit 54.2 in CSH 6)
  q. Reformulated on following page
** Committee of Sponsoring Organizations of the Treadway Commission

Costs & Benefits of SAS 70 Audits (reformulated)

Feature                                                                  For User Org   For Service Org
Independent assessment of controls                                       +              +
Lower cost for evaluation of controls                                    +              -
No additional review of controls required                                +              -
SAS 70 audits are forward looking (can refer to predictions)             -              -
SAS 70 audits must be continuously reviewed & updated                    +              -
SAS 70 audits increase value of services                                 +              +
Disruption to service organization reduced by eliminating need for
  user organization auditors to audit service organization               +              +
SAS 70 audit can be used to build strong working relationship
  between service & user organizations                                   +              +

SAS 70 Audits Conclusion
Ø SAS 70 audit is not a 100% guarantee of perfect security
Ø But viewed as high-level assurance for confidence
Ø Particularly useful in ensuring compliance with SOX § 404 reporting
  q. See next section of slides

Sarbanes-Oxley (SOX)
Ø Introduction to SOX
Ø Section 404
Ø Achieving Compliance
Ø Audit and Certification
Ø SOX Conclusion

Introduction to SOX (1)
Ø Financial reporting act enacted July 2002
  q. Guided by Paul S. Sarbanes & Michael G. Oxley
Ø Response to scandals (Enron, WorldCom)
  q. Enron
    ü Oct 2001 – executives hid $B in debt
    ü Share prices crashed from $90 to $1
    ü $11B losses by shareholders
    ü Execs went to prison for fraud
    ü Auditors went bankrupt
  q. WorldCom
    ü Fraudulent accounting started 1999
    ü 2002: auditors proved $3.8B fraud (ultimately found $11B fraud)

Introduction to SOX (2)
Ø Executive officers must
  q. Certify effective internal controls
  q. Accept personal responsibility/liability for failures
Ø SOX provides for severe penalties
  q. Civil, criminal
  q. May include imprisonment of officials
Ø Organizations must plan for repeatable demonstrations of compliance

SOX § 404
Ø Directly addresses IT in financial reporting
Ø Requires attention to internal controls
  q. Adequacy
  q. Effectiveness
Ø Widespread industry acceptance of need for constant, honest compliance

Achieving Compliance
Ø Intro to SOX Compliance
Ø Control Framework
Ø COSO
Ø CobiT
Ø Testing

Intro to SOX Compliance
Ø Identify key processes in organization
Ø Determine how processes are implemented & controlled
Ø Determine methods for reporting success / failure
Ø Provide coverage across entire system life cycle
Ø Include projects, design, architecture, development, delivery, operations
Ø Auditor will examine core processes, adequacy of controls, execution of controls

Control Framework
Ø Securities & Exchange Commission (SEC) mandates COSO framework
Ø Public Company Accounting & Oversight Board (PCAOB)
  q. Also supports COSO
  q. In Auditing Standard No. 2,
    ü An Audit of Internal Control over Financial Reporting Performed in Conjunction with an Audit of Financial Statements

COSO* Framework
Ø See http://www.coso.org
Ø Core elements of internal control:
  q. Control environment
  q. Risk assessment
  q. Control activities
  q. Information & communication
  q. Monitoring
* Committee of Sponsoring Organizations of the Treadway Commission

CobiT (1)
Ø ISACA* defined Control Objectives in Information Technology framework
Ø 4 domains, 34 IT processes, 215 control objectives
Ø Recommends 12 specific processes for SOX compliance (see CSH 6 § 54.4.3.3). Areas are:
  1. Application software
  2. Technology infrastructure
  3. Operations
  4. Solutions & changes
  (cont’d next slide)
*Originally the Information Systems Audit and Control Association

CobiT (2)
Ø Areas in CobiT for attention in SOX compliance (cont’d)
  5. Changes
  6. Service levels
  7. 3rd party services
  8. System security
  9. Configuration
  10. Problems & incidents
  11. Data
  12. Physical environment & operations

Testing
Ø Issues
  q. Planning and scheduling tests
  q. Determining sample sizes
Ø Must balance resources & need for compliance
  q. Smaller samples cost less
  q. But reliability decreases
Ø SOX compliance includes more than technical infrastructure
  q. Also include processes in meetings
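The sample-size trade-off on this slide can be made concrete. The following is an added example, not part of the slides or of CSH 6: it treats each execution of a control as a pass/fail record, assumes failures are independent, and computes how likely a random sample is to surface at least one exception, and how large the sample must be for a chosen confidence. The population of transaction records and the `TXN-` identifiers are constructed for the example.

```python
"""Audit sampling: cost (sample size) versus reliability (chance of
surfacing an exception). Added illustration; all data below is constructed."""
import math
import random
from dataclasses import dataclass


def detection_probability(sample_size: int, exception_rate: float) -> float:
    """Probability that a sample of `sample_size` records contains at least
    one exception when the population's true exception rate is
    `exception_rate` (independent draws, i.e. with-replacement model)."""
    if not 0.0 <= exception_rate <= 1.0:
        raise ValueError("exception_rate must be in [0, 1]")
    if sample_size < 0:
        raise ValueError("sample_size must be non-negative")
    return 1.0 - (1.0 - exception_rate) ** sample_size


def min_sample_size(exception_rate: float, confidence: float) -> int:
    """Smallest sample whose detection probability is >= `confidence`,
    if the true exception rate is `exception_rate`. This is the number an
    auditor must test to be `confidence` sure of seeing a failing control."""
    if not 0.0 < exception_rate < 1.0 or not 0.0 < confidence < 1.0:
        raise ValueError("rates must be strictly between 0 and 1")
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - exception_rate))


@dataclass(frozen=True)
class ControlRecord:
    record_id: str
    passed: bool


def build_population(size: int, failing: int):
    """Constructed population of `size` control executions, the first
    `failing` of which are exceptions. Not real audit evidence."""
    return [ControlRecord(f"TXN-{i:04d}", passed=(i >= failing)) for i in range(size)]


def exceptions_in_sample(population, sample_size: int, seed: int = 0):
    """Draw `sample_size` records without replacement (seeded so the draw is
    reproducible for the workpapers) and return the ids of any exceptions."""
    rng = random.Random(seed)
    chosen = rng.sample(population, sample_size)
    return [r.record_id for r in chosen if not r.passed]


def cost_reliability_table(exception_rate: float, sizes):
    """(sample size, detection probability) pairs for a planning discussion:
    each row is cheaper than the next but less likely to catch a failure."""
    return [(n, round(detection_probability(n, exception_rate), 3)) for n in sizes]


if __name__ == "__main__":
    for n, p in cost_reliability_table(0.05, [10, 25, 59]):
        print(f"sample {n:3d}: P(at least one exception) = {p}")
    print("sample needed for 95% confidence at 5% exception rate:",
          min_sample_size(0.05, 0.95))
    pop = build_population(200, 10)
    print("exceptions found in a sample of 25:", exceptions_in_sample(pop, 25))
```

At a 5% exception rate, a sample of 10 surfaces a failing control only about 40% of the time, while 59 records are needed for 95% confidence; that is the reliability the slide says is lost when samples shrink to save cost.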

Audit and Certification
Ø Internal audit
  q. Culmination of SOX testing
  q. Final quality assurance checkpoint
  q. Verifies compliance
  q. Mandates correction of errors before external audit begins
Ø External audit
  q. Usually end of financial year
  q. Should have no gaps or failings – all will be reported as noncompliance in final report
Ø Scheduling
  q. Some organizations certify quarterly or monthly

SOX Conclusion
Ø SOX compliance integrated into wider risk-management program
Ø Move to integration in control culture
  q. Embedded
  q. Proactive
  q. Risk-aware
  q. Genuine
    ü Don’t allow attitude that mere compliance is acceptable
    ü Must aim at exceeding current regulations
    ü Adapt to changes (internal & regulatory)

Addressing Multiple Regulations
Ø History of US Govt Security Standards
Ø Comprehensive Frameworks
Ø Legislative Requirements in USA
Ø NIST SP 800-53
Ø Federal Information Systems Management Act (FISMA)
Ø Risk Framework
Ø Multiple Regulations and IS Audits Conclusion

History of US Government Security Standards
Ø DoD Computer Security Center Rainbow Series
  q. Began 1980s
  q. Covers different colors
Ø Best practices developed
  q. Standards
  q. Experiences
  q. Lessons learned
Ø Many sources today
  q. ISACA
  q. DISA-STIG* Security Technical Implementation Guides
  q. NSA
  q. NIST
*Defense Information Systems Agency

Comprehensive Frameworks
Ø CobiT – Control Objectives for Information and related Technology
  q. http://www.isaca.org/KnowledgeCenter/COBIT/Pages/Overview.aspx or http://tinyurl.com/46ul39f
Ø ITIL – Information Technology Infrastructure Library
  q. http://www.itil-officialsite.com/
Ø National Institute of Standards & Technology
  q. NIST SP 800-60: Guide for Mapping Types of Information and Information Systems to Security Categories
  q. http://csrc.nist.gov/publications/PubsSPs.html

Legislative Requirements in USA
Ø FISMA: Federal Information Security Management Act of 2002
Ø SOX: Sarbanes-Oxley Act of 2002
Ø HIPAA: Health Insurance Portability & Accountability Act of 1996

NIST SP 800-53 Rev 4
Ø Recommended Security Controls for Federal Information Systems
  q. Guidelines for selecting & specifying controls
  q. Revised 2012-02-28
  q. http://csrc.nist.gov/publications/drafts/800-53-rev4/sp800-53-rev4-ipd.pdf
Ø Benefits
  q. Consistent, comparable, repeatable approach to selecting security controls for IT systems
  q. Minimum security controls consistent with FIPS* 199, Standards for Security Categorization of Federal Information and Information Systems
  q. Stable/flexible catalog of controls
  q. Foundation for assessment methods
*Federal Information Processing Standard

NIST SP 800-53 Rev 1 (cont’d)
Ø Applicable to all US federal information systems except designated national security systems
Ø Guidance for implementation of FIPS* 200, Minimum Security Requirements for Federal Information and Information Systems
  q. Also used by state, local, tribal governments
  q. Private-sector organizations in critical infrastructure
Ø Extensive framework consistent with wide range of requirements (see p. 54.16)
*Federal Information Processing Standard

Federal Information Systems Management Act (FISMA)
Ø Passed into law as part of E-Government Act of 2002
Ø Requires every federal agency to
  q. Develop agency-wide IA program
  q. Document controls over information & systems
  q. Implement
Ø Includes framework of minimum requirements
  q. See p. 54.17

OMB Circular A-130, Appendix III
Ø Security of Federal Automated Information Resources
Ø Supports FISMA requirements
Ø Mandates
  q. Planning for security
  q. Ensuring appropriate officials are assigned security responsibility
  q. Periodic reviews of security controls
  q. Authorizing system processing before operations begin
  q. Periodic review of operations security

Risk Framework*
1. Categorize systems & needs
2. Initial security controls
3. Supplement for local conditions
4. Document plan
5. Implement controls
6. Assess controls
7. Authorize operations
8. Monitor & assess continuously
* § 54.5.3

Multiple Regulations and IS Audits Conclusion
Ø NIST Computer Security Resource Center (CSRC) excellent start for resources
  q. http://csrc.nist.gov/publications/PubsSPs.html
Ø FISMA consistent with COSO
Ø Excellent basis for adapting to local needs
  q. Even if more stringent than legal requirements for specific organization
  q. May forestall radical overhaul if regulations change

Technical Frameworks for IT Audits
Ø Framework 1: People, Processes, Tools & Measures
Ø Framework 2: STRIDE
Ø Framework 3: PDIO
Ø General Best Practices
Ø Technical Frameworks Conclusion

Framework 1: People, Processes, Tools & Measures
Ø PPTM good starting point for analysis
  1. People central to security
  2. Processes must be validated
  3. Tools (including physical controls)
  4. Measures – metrics (how do we know we are OK?)

Framework 2: STRIDE
1. Spoofing
2. Tampering
3. Repudiation
4. Information disclosure
5. Denial of service
6. Elevation of privilege

Framework 3: PDIO
1. Plan
2. Design
3. Implement
4. Operations

General Best Practices
1. Defense in depth
2. Positive security model (deny by default)
3. Fail safely
4. Run with least privilege
5. Avoid security by obscurity
6. Keep security simple
7. Detect intrusion & keep logs
8. Never trust infrastructure & services without checking
9. Establish secure defaults
10. Use open standards, not proprietary methods
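Three of these practices (positive security model, fail safely, keep logs) are easiest to audit when they are visible in the code. The following is an added example, not from the slides or from CSH 6: a request authorization check written first in the denylist shape the positive model replaces, then as a deny-by-default check that fails closed when the policy store cannot be consulted and records every decision. The roles, resource names, `Request` type and policy tables are constructed for the illustration.

```python
"""Deny-by-default authorization with fail-closed policy lookup and an
audit trail. Added illustration; roles, resources and policies are constructed."""
import logging
from dataclasses import dataclass

log = logging.getLogger("authz")


@dataclass(frozen=True)
class Request:
    principal: str   # who is asking
    role: str        # role asserted for the principal
    action: str      # e.g. "read", "write", "delete"
    resource: str    # path-like resource name


# Constructed policy for the positive model: role -> explicitly granted
# (action, resource-prefix) pairs. Anything not listed is denied.
ALLOW_POLICY = {
    "auditor": {("read", "ledger/"), ("read", "logs/")},
    "clerk": {("read", "ledger/"), ("write", "ledger/draft/")},
}

# Constructed denylist for the weak variant: anything not listed is permitted.
DENY_LIST = {("write", "ledger/final/")}


def weak_decide(req: Request) -> bool:
    """Negative model: permit unless an explicit deny matches. A new action
    such as "delete", or a resource nobody thought of, is silently allowed,
    which is exactly what "deny by default" is meant to prevent."""
    for action, prefix in DENY_LIST:
        if req.action == action and req.resource.startswith(prefix):
            return False
    return True


def lookup_grants(role: str, policy=ALLOW_POLICY):
    """Return the grants for a role; an unknown role has none (hence deny)."""
    return policy.get(role, set())


def broken_lookup(role: str):
    """Constructed failure: simulates an unreachable policy store."""
    raise RuntimeError("policy store unreachable")


def decide(req: Request, lookup=lookup_grants, audit=None) -> bool:
    """Positive model: deny unless an explicit grant matches the request.
    Any error while consulting policy is treated as deny (fail safely), and
    every decision, allowed or not, is appended to the audit trail so the
    control's execution can later be tested."""
    trail = audit if audit is not None else []
    try:
        allowed = any(req.action == action and req.resource.startswith(prefix)
                      for action, prefix in lookup(req.role))
    except Exception as exc:  # fail closed: a broken policy never grants access
        allowed = False
        log.error("policy lookup failed for %s: %s", req.principal, exc)
    trail.append((req.principal, req.role, req.action, req.resource,
                  "ALLOW" if allowed else "DENY"))
    return allowed


if __name__ == "__main__":
    trail = []
    samples = [
        Request("ann", "auditor", "read", "ledger/2024/q1"),
        Request("bob", "clerk", "write", "ledger/final/2024"),
        Request("bob", "clerk", "delete", "ledger/draft/7"),
        Request("eve", "intern", "read", "ledger/2024/q1"),
    ]
    for req in samples:
        print(f"{req.principal:4} {req.action:6} {req.resource:18} "
              f"weak={weak_decide(req)!s:5} strict={decide(req, audit=trail)}")
    print("with policy store down:",
          decide(samples[0], lookup=broken_lookup, audit=trail))
    for entry in trail:
        print("audit:", entry)
```

The "delete" request shows the difference between the two models: the denylist never mentions deletion, so `weak_decide` permits it, while `decide` denies it because no grant matches. The last call shows fail-safe behaviour, where a policy outage produces a logged deny rather than an open door.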

Optional Homework
Ø Research any of the laws and frameworks discussed in the chapter using Kreitzberg Library and Web searches
Ø Upload URL of interesting article(s) to NUoodle
  q. Discuss interesting aspects relevant to audits and standards
  q. Support for points made in chapter
  q. Different perspectives on or contradiction of specific points
  q. Additional insights of interest to class

Now go and study