Posted on July 9, 2015 by lexi
Herbert McMorris, Information Security Analyst
The availability of critical systems and the confidentiality and integrity of customer data are paramount to the survival of organizations today. According to a Forrester Research, Inc. report “Maximize Business Performance With A World-Class GRC Program” published May 16, 2014, “Unexpected events are at best distracting and at worst catastrophic for organizations. A critical element of any good GRC program is the ability to identify and understand risks that may damage the organization, then take proper precautions to prevent them from happening and to reduce the impact of the consequences should precautions fail.” To avoid damaging events, build customer trust, and meet compliance requirements, it is important for organizations to ensure they have the right processes and controls in place.
The following provides an overview of the most common unimplemented controls identified during a review of the 2014 IT risk-based audits performed by cprlorca information security analysts. These results are not only considered industry best practices but are also seen in guidance outlined by the FFIEC, specifically the FFIEC Information Security IT Examination Handbook and Business Continuity Planning IT Examination Handbook.
Establish and maintain a system hardening standard and system hardening procedures
System hardening is the systematic process of securing devices before placing them in production. With a well-defined hardening process, your organization can lower the risk of attack due to default accounts, unpatched systems and flawed malware protection, among other things.
Install a generator sized to support the facility
Ideally, a generator will provide power to the entire office. Alternatively, power should be available to the data center, including all critical servers, switches, routers, firewalls, security systems, video surveillance and proximity readers.
Test the system continuity plan regularly
Continuity plan testing is performed to ensure the process will work and your organization can continue to operate after a business interruption. Your organization should consider the availability of critical staff, the equipment needed to resume operations, the methods needed to restore data, and the time it takes to restore services. The test should be performed annually. Both the business continuity and disaster recovery plan should be updated to reflect lessons learned from the testing event.
Establish and maintain a documented list of protocols, ports, applications and services for essential operations
Firewalls are composed of many access lists that allow traffic to flow in and out of the network. The required list should simply document the ports and services allowed to communicate through the firewall, which devices are allowed to communicate, and the business reason for the ports in use. If vendors have Virtual Private Network (VPN) access, the list should indicate the systems they are approved to communicate with and the allowed IP addresses of the vendor.
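One way to keep such a list honest is to compare it mechanically against the rules actually loaded on the firewall. The script below is an added example, not part of the original article; the CSV column layout for the documented list and the rule export is an assumption, and both data sets are constructed.

```python
"""Compare a firewall rule export with the documented list of approved
ports, services, peers and business reasons.  Added example; the CSV
layouts and all addresses below are constructed for illustration."""
import csv
import io

# Constructed: the documented register.  The 3389 entry is a vendor VPN
# source approved to reach one internal system; the FTP entry has no reason.
APPROVED_REGISTER = """port,proto,source,destination,service,reason
443,tcp,any,10.0.5.10,HTTPS,Online banking portal
25,tcp,10.0.5.20,any,SMTP,Outbound mail relay
3389,tcp,203.0.113.40,10.0.5.30,RDP,Core vendor remote support over VPN
21,tcp,any,10.0.5.40,FTP,
22,tcp,10.0.5.60,10.0.5.30,SSH,Admin jump host
"""

# Constructed: rules as exported from the firewall today.
FIREWALL_RULES = """port,proto,source,destination
443,tcp,any,10.0.5.10
25,tcp,10.0.5.20,any
3389,tcp,203.0.113.40,10.0.5.30
3389,tcp,203.0.113.41,10.0.5.30
21,tcp,any,10.0.5.40
8080,tcp,any,10.0.5.50
"""

def _key(row):
    """Identity of a rule: (port, protocol, source, destination)."""
    return (row["port"], row["proto"].lower(), row["source"], row["destination"])

def review_rules(register_csv, rules_csv):
    """Return [(rule_key, finding)] in the order an auditor would report them."""
    register = {_key(r): r for r in csv.DictReader(io.StringIO(register_csv))}
    live = [_key(r) for r in csv.DictReader(io.StringIO(rules_csv))]
    findings = []
    for k in live:  # every live rule must be documented and justified
        if k not in register:
            findings.append((k, "undocumented rule: no entry in the approved list"))
        elif not register[k]["reason"].strip():
            findings.append((k, "documented but no business reason recorded"))
    for k in register:  # documented entries with no live rule are stale
        if k not in live:
            findings.append((k, "documented entry has no live rule; retire or reinstate"))
    return findings
```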
Use strong data encryption to transmit restricted data or restricted information over public networks
Most organizations assume that transmitting data over a public telephone line is safe. Encryption of all data leaving the physical safety of your office is the best defense against exposure due to misconfiguration or unscrupulous individuals.
Scan for rogue and other network devices and deny access until approval has been received
A rogue device is any piece of equipment connected to your network that has not been authorized by your organization. A rogue device can be a wireless access point, an employee’s personal laptop or a data switch. There are many risks associated with rogue devices. Rogue protection should block access to your network until the device has been checked by IT staff and specifically allowed to connect.
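The check behind that control is a comparison of what is actually on the network against the authorized inventory. The script below is an added example rather than the article's own material; it assumes DHCP lease lines loosely modelled on the ISC dhcpd leases format, and the inventory and lease data are constructed. Anything it reports is a candidate for quarantine until IT staff approve it.

```python
"""List devices holding DHCP leases whose MAC address is not in the
authorized inventory.  Added example; lease format is assumed to resemble
ISC dhcpd's leases file and all addresses are constructed."""
import re

# Constructed inventory: MAC -> (asset tag, description).  Spreadsheets
# often mix separators, so both sides are normalized before comparison.
AUTHORIZED = {
    "00:1A:2B:3C:4D:5E": ("WS-0042", "Accounting workstation"),
    "00-1A-2B-3C-4D-5F": ("SW-0007", "Core data switch"),
    "f8:0f:41:aa:bb:cc": ("AP-0003", "Lobby access point (corporate)"),
}

# Constructed lease records: two personal/unknown devices are present.
DHCP_LEASES = """\
lease 10.0.20.15 { hardware ethernet 00:1a:2b:3c:4d:5e; client-hostname "ACCT-WS42"; }
lease 10.0.20.16 { hardware ethernet f8:0f:41:aa:bb:cc; client-hostname "LOBBY-AP"; }
lease 10.0.20.17 { hardware ethernet 3c:22:fb:11:22:33; client-hostname "johns-macbook"; }
lease 10.0.20.18 { hardware ethernet 00:1a:2b:3c:4d:5f; }
lease 10.0.20.19 { hardware ethernet 10:fe:ed:44:55:66; client-hostname "NETGEAR-AP"; }
"""

_LEASE = re.compile(r'lease (\S+) \{ hardware ethernet ([0-9a-fA-F:\-]{17});'
                    r'(?: client-hostname "([^"]*)";)?')

def normalize_mac(mac):
    """Accept aa:bb:.. or aa-bb-.. and return the upper-case colon form."""
    return mac.replace("-", ":").upper()

def find_rogue_devices(leases_text, authorized):
    """Return [(ip, mac, hostname)] for leases whose MAC is not authorized."""
    allowed = {normalize_mac(m) for m in authorized}
    rogue = []
    for m in _LEASE.finditer(leases_text):
        ip, mac, host = m.group(1), normalize_mac(m.group(2)), m.group(3) or "(no hostname)"
        if mac not in allowed:
            rogue.append((ip, mac, host))  # candidate for quarantine pending approval
    return rogue
```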
Communicate security awareness and the internal control framework to all constituents
A common organizational process is to communicate security awareness issues to new employees as part of their orientation, but organizations often fail to repeat this process after the initial hiring period. The protection of information assets is the responsibility of everyone in your organization and requires continuing education. Ongoing training efforts should address new threats, as well as include reminders of common threats. A formal security awareness program should, at a minimum, include annual training.
Establish and maintain a configuration management policy
A policy dictating the configurations of systems offers protection by indicating the types of systems to be purchased, what can and cannot be installed on systems, and how the security of the system should be configured. In addition, the policy protects your IT department by providing standardization and defining recourse if unauthorized software is installed or services are disabled.
Establish and maintain a process to control patch management
Patch management is simply the installation of software updates to mitigate known vulnerabilities in operating systems and software. To ensure all computers remain up to date and are not left vulnerable, your organization’s patch management process should be monitored on an ongoing basis, especially if individual workstations are allowed to download updates. Networking equipment should also be updated periodically as new operating system versions are released by the manufacturer.
Perform penetration testing and vulnerability scanning on a regular basis
Penetration testing and vulnerability scanning involve a three-part security testing process: internal penetration testing, external penetration testing and automated vulnerability scans. In the audit context, all three portions should be implemented.
Establish access rights based on least privilege
Access to data should be limited based on job function. However, many organizations establish users as local administrators on their workstations. As a result, users have access to all data. This is a critical issue. Access should be granted in a granular fashion and is most easily managed through group memberships.
There is nothing more potentially damaging to an organization than an ineffective business continuity plan or security breach. Failing to implement controls that help safeguard assets can disable operations, result in regulatory violations and destroy an organization’s brand. However, many organizations continue to fall short when it comes to effectively managing their risk exposure.
Reviewing controls currently in place and identifying potential areas of vulnerability will enable your organization to manage risk proactively and reduce exposure. While there is no such thing as absolute protection, proper review and implementation of security controls, including those highlighted above in addition to others, will ensure your organization’s ability to protect itself against significant risks.
For more information and an in-depth review of the most common unimplemented risk controls, see cprlorca’s white paper “2014 IT Risk-based Audit Findings.”
Posted in IT Audit Management