Planning Phase: Audit Subject, Objective, and Scope
The first and most important phase of auditing is in determining the overall strategy of the audit. What is the purpose of the audit? If the audit is in response to regulatory compliance requirements, the auditor must compare processes and procedures with those mandated by law. Alternatively, an audit of a newly installed firewall would have a different objective and be specific to one particular control. To figure out the degree and depth of the audit, there is a bit of work that needs to be done before sending the first test packet or stepping foot on site:
Step 1. Identify the subject of the audit. Is the audit focused on people, process, or technology?
Step 2. Determine the objective. What is the purpose of the audit?
Step 3. Determine the scope. What systems, processes, or organizations are to be audited?
Step 4. Determine the timeframe of the audit.
Research Phase: Planning, Audit Procedures, and Evaluation Criteria
Once you determine what the goal of the audit is, the next step is to formulate a plan for accomplishing the objectives of the audit. This phase will include:
- Identify the resources needed: skills and technologies.
- Identify the organizational structure, process, and data flow.
- Determine who in the organization under audit should be interviewed or involved.
- Identify logistics information, such as which facilities or locations need to be reviewed.
- Identify the procedures used to test controls, including what types of tools will be used.
- Select measurement and evaluation criteria (for example, COBIT, ISO27001, or PCI Technology Standards).
- Review corporate policies and procedures.
- Build auditing checklists.
Data Gathering Phase: Checklists, Tools, and Evidence
Data gathering is the phase in which the auditor conducts the audit itself. The checklist that was created in the research phase is used to measure compliance with the standards and practices that were selected as benchmarks. The checklist acts as a guide that directs the auditor on where to look and what to expect. Many tools might be used to test the various controls to determine functionality and to generate the evidence that is used later in the analysis phase. The auditor looks for “proof,” or evidence, of compliance with policy and standards. The auditor does the following:
- Examine system documentation.
- Conduct surveys on the effectiveness of policies and procedures.
- Conduct interviews of key personnel.
- Observe systems and processes in action.
- Review previous audits to look for trends.
- Review logs and reports.
- Inspect technical control configuration.
- Perform statistical sampling of data transactions.
- Run security analysis tools to verify technical control effectiveness.
Data Analysis Phase: Analyze, Map, and Recommend
After the auditor has gathered all of the evidence, the next phase involves analyzing what is discovered. This analysis requires an auditor’s experience and professional knowledge to determine how to prioritize any deficiencies identified. If the audit is done in response to regulatory compliance requirements or industry standards, then the auditor should also map the observed controls to the applicable standard or law to identify if anything is missing or incomplete. Finally, most audits also have an opinion component where the auditor must state his professional opinion regarding the effectiveness of the organization’s controls, and recommend solutions about how to improve the quality of the control to reduce risk. The actions in this phase are:
- Categorize and identify evidence gathered during the audit.
- Analyze policies and procedures for effectiveness.
- Prioritize risks and rank according to severity.
- Map identified controls to industry standards or regulatory compliance requirements.
- If required, make recommendations on policy, procedure, and technology improvements.
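As an added illustration of the mapping and prioritization steps above (this is not code from the book; the control IDs, wording, findings, and severities are constructed for the example), a small Python gap analysis maps gathered evidence to the evaluation criteria, flags controls that are missing or only partially effective, and ranks the deficiencies by severity for the report:

```python
from collections import Counter
from dataclasses import dataclass

# Constructed evaluation criteria: a handful of framework requirements the
# audit used as its benchmark. IDs and wording are illustrative, not quoted
# from any real standard.
REQUIRED_CONTROLS = {
    "AC-1": "Access to systems is granted on a least-privilege basis",
    "AC-2": "Accounts are reviewed and dormant accounts disabled",
    "LG-1": "Security-relevant events are logged and retained",
    "LG-2": "Logs are reviewed on a defined schedule",
    "NW-1": "Firewall rule base is documented and reviewed",
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass
class Finding:
    control_id: str   # framework control the evidence was mapped to
    status: str       # "effective", "partial", or "missing"
    severity: str     # auditor's professional judgement of the risk
    evidence: str     # what was examined: document, log, interview, scan

# Constructed evidence from the data-gathering phase.
FINDINGS = [
    Finding("AC-1", "effective", "low", "Reviewed role definitions in IAM export"),
    Finding("AC-2", "partial", "high", "12 dormant accounts in directory sample vs. HR roster"),
    Finding("LG-1", "effective", "low", "Syslog retention config inspected on 3 hosts"),
    Finding("NW-1", "partial", "medium", "Rule base documented; last review over 12 months ago"),
]

def map_controls(findings, required):
    """Map evidence to required controls. A control with no evidence at all is
    reported as 'missing' (treated as high severity until the auditor rates it);
    a control with evidence that is not 'effective' is reported as incomplete."""
    observed = {f.control_id: f for f in findings}
    gaps = []
    for cid in required:
        if cid not in observed:
            gaps.append(Finding(cid, "missing", "high", "No evidence gathered"))
        elif observed[cid].status != "effective":
            gaps.append(observed[cid])
    return gaps

def prioritize(gaps):
    """Rank deficiencies: severity first, then missing before partial, then by ID."""
    return sorted(gaps, key=lambda f: (SEVERITY_RANK[f.severity], f.status != "missing", f.control_id))

def summarize(gaps):
    """Count deficiencies per severity for the executive summary."""
    return dict(Counter(f.severity for f in gaps))
```

The ranked list is the input to the recommendations step; each entry already carries the evidence the auditor examined, which is what the report must cite rather than bare scanner output.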
Audit Report Phase: Write, Present, and File the Audit Report
Authoring the audit report and presenting it to management is one of the most critical phases of the audit. Articulating the deficiencies found and recommendations about how to reduce risk are the primary reasons why the auditor is engaged in the first place. The report should include an executive summary and detailed findings about how the deficiencies discovered apply to the business. The report should not just be the output from a Nessus scan, but actually clarify why a particular vulnerability is determined to be critical or low risk. Recommendations about how to address each audit exception should also be included. The auditor shouldn’t just drop off a stack of papers but also present the findings in a meeting between management, the auditor, and key stakeholders. This gives the auditor a chance to clarify findings and answer questions that might arise as the organization digests the audit report. After the report has been presented, the final work papers should be filed as proof of the audit. Auditing is not just about showing that you understand what needs to be done; it’s also about proving it! This phase includes:
- Create a clear and concise report detailing risk.
- Write an executive summary that highlights critical items.
- Present the audit findings to management and key stakeholders.
- Develop solutions to address audit exceptions.
- Provide all documentation and evidence to be filed by the organization.
Follow-Up Phase: Follow-up, Follow-up, Follow-up!
After the report is filed, that’s it, right? Not quite. It is important to understand that an audit is a snapshot in time. The deficiencies found need to be addressed and should be remedied as soon as possible after the audit occurs. An auditor might be called back after the organization has had a chance to remediate the deficiencies so that the auditor can re-examine the new controls or process. This gives the auditor a chance to get feedback on the solutions chosen. To prevent a conflict of interest, auditors are not generally involved in fixing the deficiencies. This helps to keep the auditor neutral to the situation so that he can be objective and unbiased.
Summary
This chapter covered some of the fundamental aspects of auditing. Providing a risk-based auditing approach that leverages industry standards and best practices is an integral part of a company’s IT Governance strategy. You can’t protect what you don’t know about. Auditing gives an organization the opportunity to test assumptions about how secure its assets and data are. In summary:
- The five pillars of security—assessment, prevention, detection, reaction, and recovery—define the process of security.
- The building blocks of a security strategy are policy, procedures, and standards. Policy is where security strategy is set, while procedures and standards provide guidance about how to accomplish the policies’ objectives.
- Security controls are how an organization prevents, detects, corrects, and recovers from an incident. Many types of controls work together to build a defensive strategy. Building a control table can identify weaknesses in security posture.
- Risk management isn’t just a recommended practice; SOX, HIPAA, and GLBA require it. Assessing risk provides the justification and prioritization necessary to invest time, money, and resources for the areas of security that are critical to the success of the business.
- Auditing is a process and has different degrees and depth. The scope of an audit defines whether or not you conduct a review, assessment, or full audit. The role of the auditor is to report on control deficiencies and risk.
© Copyright Pearson Education. All rights reserved.