All too often there is a lack of documented operating procedures in the organisations that the Auditor visits, or the procedures that do exist are out of date. What would happen to an organisation if the critical procedures for dealing with a given process existed only in someone's head and that person left the organisation?
Documents often have no document control in place or carry handwritten changes. These are tell-tale signs to the Auditor that perhaps documented procedures are not what they should be. Rest assured, the Auditor will check a sample set of documents looking for failings such as these.
Change control is always an area with a great deal of scope for getting it wrong. The rule of thumb is that any change to an operational system or issued document must go through change control, and that the change control board must have sufficient representation from all relevant areas of the business. In many organisations this process is either ignored, has lip service paid to it or is not implemented properly. The Auditor will review a number of change requests and check that they have been properly managed from raising to closing. A number of visible changes (e.g. the installation of a server on the production network) will be checked to determine that they were subject to change control. The current network setup will be checked against the current network diagrams, and if they differ (or the current network diagram does not exist or is patently out of date) the Auditor will draw certain conclusions about the management of change within the organisation.
In smaller organisations segregation of duties can be a problem, but in larger organisations no one person should be able to influence the whole of a transaction or process, so that collusion would be required to perpetrate a misuse or fraud (remember Barings?). The Auditor will check to see where possibilities for collusion exist.
Segregation of operational and development environments may be difficult in smaller organisations but should not be a problem in a larger organisation. Many organisations allow the developer or 'expert' just to fix that bug in the system with no control over what is being done. This can be a recipe for disaster. Developers will always claim that they need top-level access privileges for all systems that you have, but are they really needed? The Auditor will check that the operational and development environments are properly segregated, that access rights are properly monitored and managed and that there is an appropriate promotion process from development to production.
If external facilities management or third-party supplied services are in place, the Auditor will check to see that there are appropriate controls in place and that these are appropriately monitored and managed. Typically, service level agreements will be checked against actual performance.
Capacity planning is often not carried out properly, and it is a common occurrence for systems to be impacted by insufficient capacity. The Auditor will examine the capacity planning reports and evaluate the trend analysis reports for appropriateness.
Often there is no formal acceptance of a new system supported by evidence of sufficient testing. Systems often seem to be driven to their implementation date by some arbitrary decision or agreement from higher management. Once an immovable deadline is set, the usual first casualties are full and proper testing and appropriate security controls. The Auditor will examine a number of projects to determine whether there has been an appropriate process of system acceptance.
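The trend analysis that the Auditor evaluates in a capacity planning report amounts to fitting observed usage over time and projecting when capacity runs out. The following is an added example, not part of the original text: it fits a least-squares trend to constructed monthly storage readings on an assumed 2 TB volume and reports whether exhaustion falls within an assumed 180-day planning horizon.

```python
"""Capacity trend analysis: least-squares fit on storage usage samples and a
projection of the date at which the volume is exhausted. Added example; the
volume size, monthly readings and planning horizon are constructed values."""
from datetime import date, timedelta

CAPACITY_GB = 2000  # constructed 2 TB volume
# Constructed monthly readings: (observation date, GB in use)
SAMPLES = [
    (date(2024, 1, 1), 1200), (date(2024, 2, 1), 1260), (date(2024, 3, 1), 1330),
    (date(2024, 4, 1), 1390), (date(2024, 5, 1), 1460), (date(2024, 6, 1), 1520),
]


def fit_trend(samples):
    """Ordinary least squares: returns (slope in GB/day, fitted usage on the
    first sample's date) so the trend can be extrapolated forward."""
    origin = samples[0][0]
    xs = [(d - origin).days for d, _ in samples]
    ys = [used for _, used in samples]
    n = len(samples)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x


def projected_exhaustion(samples, capacity_gb):
    """Date at which the fitted trend reaches capacity, or None if usage is
    flat or falling (no exhaustion projected)."""
    slope, intercept = fit_trend(samples)
    if slope <= 0:
        return None
    days = (capacity_gb - intercept) / slope
    return samples[0][0] + timedelta(days=days)


def capacity_finding(samples, capacity_gb, horizon_days=180):
    """Audit-style verdict: is exhaustion projected within the planning horizon?"""
    when = projected_exhaustion(samples, capacity_gb)
    if when is None:
        return "no exhaustion projected"
    remaining = (when - samples[-1][0]).days
    verdict = "WITHIN horizon" if remaining <= horizon_days else "beyond horizon"
    return f"exhaustion projected {when.isoformat()} ({remaining} days after last sample): {verdict}"


if __name__ == "__main__":
    print(capacity_finding(SAMPLES, CAPACITY_GB))
```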
Every day there is a report of a new virus somewhere in the world. There are always high profile casualties of such attacks that cause external communications systems to be closed down (remember 'Melissa' and 'the Love Bug'?). In many organisations the updating of virus signatures is performed infrequently, laptops are never updated unless they connect to the network, and stand-alone machines are ignored. The Auditor is looking for evidence that the organisation has effectively managed its exposure to such attacks.
If there are found to be failings in this control or an inordinate number of attacks inside the organisation, the Auditor is going to ask why.
It has often been said that 'backups are easy - it is the restores that cause the problems'. This is still, sadly, true in a number of organisations. Whilst it has often been said that 'we recover files on a regular basis for people who need them recovered' this is no proof that all of the critical information that an organisation requires is actually recoverable. The Auditor will look for evidence of recoverability - typically linked with the proof from the Business Continuity Management process (Section 7.11). So your backups work - can you recover fully to keep your business going?
Almost all organisations these days have some sort of network or another. The Auditor will ensure that there are appropriate controls, based on the risk assessment, in place for network management and monitoring. A range of controls should be implemented and the Auditor will check that they are all working properly and together.
With the miniaturisation of storage and the ability to store massive amounts of data on small devices, it is essential that any organisation manages and controls removable storage devices appropriately. The Auditor will review how removable media is managed within the organisation.
When media is to be disposed of the Auditor must ensure that the process is appropriate and that there is no chance that media can be accessed by unauthorised people (internal or external).
The handling of information is always a problem, especially if there are no well publicised rules governing the handling of information of a given classification. The Auditor will investigate how information is managed in relation to its classification.
Where information is exchanged between two (or more) organisations the 'giving' organisation must ensure that there is appropriate security in place. Terms of trading must be agreed and be seen to be agreed before trading takes place. The Auditor will determine the degree of conformance with these requirements.
Electronic commerce means a lot of different things to different people, and definitions are often 'grey' around the edges or have their meanings interchanged with other terms. The difference between traditional trading and electronic commerce is that the channel of trading must itself be adequately secure: the local supermarket does not close down if there is a denial of service attack, because it can still open the doors, sell products and take money for them. Electronic commerce is more vulnerable to electronic attacks. In addition to this there are possibilities of fraudulent transactions taking place. Most of the threats are the same as always, but there is the ability to be anonymous on the Internet and systems are more vulnerable to disruption than their 'bricks and mortar' counterparts. Even electronic commerce systems are held in physical locations somewhere and are managed by some human staff, so much of the ISO 27002 standard is applicable to them anyway - not just firewalls and other technical measures. The Auditor will examine any electronic commerce systems to ensure that there are appropriate security controls in place, that they are monitored, and that they are acted upon in a timely manner if they show any indication of an incident. The types of checks that the Auditor will do will vary from organisation to organisation and depend on the exact type of electronic commerce system in use.
Email is probably the most important application in many businesses and it has achieved the number one spot almost by stealth. Email has replaced much of the traditional forms of communications and by its very nature there are inherent security risks, and typically these differ from those relating to more traditional forms of communications. The Auditor will ensure that there is an organisational policy in place regarding the use of electronic mail. There are going to be times when email is inappropriate (such as very sensitive documents) and the Auditor will check to see that information is handled correctly in email.
Email needs to comply with the requirements of the Companies Act, which is something many organisations forget - even though their faxes and letterheaded paper do comply.
There has been much written about email abuse and a number of high profile cases in the press. Any organisation must ensure that they are protected adequately against the risks of email abuse (remember Norwich Union vs. Western Provident, Bradley Chait etc). The Auditor will check that there are appropriate controls in place that are properly monitored and managed.
The Auditor will investigate all other forms of information exchange to ensure that they also have appropriate controls in place and that they are properly monitored and managed.
Publicly available systems are often the first contact that an organisation has with the public. There are a number of legislative requirements for web sites, as well as the problems of information leakage from web sites. There are numerous stories in the press of credit card or other personal details being acquired from web sites due to incorrect security being applied. Online payment systems must be secure, and the Auditor will check that appropriate controls are in place and are effectively managed and monitored.
The Auditor will review the relevant logs and, if a number of attacks are found, will investigate the reasons for them. A typical audit will examine a number of portables and stand-alone PCs to determine the currency of their protection measures.
Where there are operations teams working in shifts the Auditor will look at the handover procedures to ensure that there are no issues from one shift to another that have been ignored. If there is no shift handover, all work should be recorded in the Help Desk and the Auditor will check this.
System use, and the actions of administrators specifically, should be logged and monitored. The Auditor will check that this is in place and is appropriately managed and monitored.
Fault logging through a nominated help desk or service desk is essential so that the organisation can monitor and manage the faults that occur within the organisation. A properly set up and run help desk is essential to managing these issues. The Auditor will typically check a number of faults at the desk to ensure that they have been resolved within the agreed time or escalated according to the defined escalation process.
Many organisations do not monitor log files until they have an event that makes them want to, i.e. they are only ever reactive after an event alerts them to a possible issue or incident. Many organisations do not have the appropriate software to monitor event logs or any other areas necessary for showing appropriate management of the information processing facilities. A number of organisations have the tools but do not check reports as this is seen as time consuming or the reports contain too much information to easily make sense of. The Auditor will check for evidence of active monitoring of the information processing systems and to ensure that there is appropriate action taken when an incident is detected.
Synchronising time across an information processing environment is now quite easy with access to the Internet, but many organisations still cannot perform this task for some reason. It is essential to ensure the accuracy of audit logs that may be required as evidence, as well as for a number of operational tasks such as replication and synchronisation. Typically, an Auditor will check the time on a variety of different computers to ensure that a consistent known time has been propagated to all computers within the organisation - this will also include laptops and other portable devices.
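The check described above, and the reason it matters for audit logs, can be carried out on time samples collected from each host. The following is an added example, not part of the original text: the host names, clock offsets, 5-second tolerance and log events are all constructed. It flags hosts whose clocks exceed the tolerance and shows how, without correcting for the skew, events from different hosts' logs sort into the wrong order.

```python
"""Clock-consistency check of the kind an auditor performs: compare the time
reported by several hosts against a reference clock, flag skew beyond a
tolerance, and show how uncorrected skew mis-orders events across logs.
Added example; hosts, offsets, tolerance and events are constructed."""
from datetime import datetime, timedelta, timezone

TOLERANCE_SECONDS = 5  # assumed acceptable skew; not a value from the text

# Constructed: what each host's clock read when the reference read REFERENCE.
REFERENCE = datetime(2024, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
HOST_CLOCKS = {
    "DC01": REFERENCE + timedelta(seconds=0.4),
    "WEB01": REFERENCE - timedelta(seconds=1.2),
    "LAP-07": REFERENCE - timedelta(minutes=14),   # laptop never synchronised
    "FW-EDGE": REFERENCE + timedelta(seconds=42),  # firewall drifting ahead
}

# Constructed log entries: (host, timestamp as written in that host's log, id)
EVENTS = [
    ("LAP-07", REFERENCE - timedelta(minutes=13), "laptop-logon"),
    ("FW-EDGE", REFERENCE + timedelta(minutes=1, seconds=40), "fw-block"),
    ("DC01", REFERENCE + timedelta(seconds=50), "dc-auth"),
]


def clock_offsets(host_clocks, reference):
    """Signed offset of each host from the reference in seconds (+ = ahead)."""
    return {h: (t - reference).total_seconds() for h, t in host_clocks.items()}


def skewed_hosts(host_clocks, reference, tolerance=TOLERANCE_SECONDS):
    """Hosts whose skew exceeds the tolerance: the audit finding."""
    offsets = clock_offsets(host_clocks, reference)
    return sorted(h for h, off in offsets.items() if abs(off) > tolerance)


def to_reference_time(host, local_ts, host_clocks, reference):
    """Re-base a timestamp from a host's log onto the reference clock."""
    return local_ts - timedelta(seconds=clock_offsets(host_clocks, reference)[host])


def order_events(events, host_clocks, reference, corrected=True):
    """Event ids in time order; corrected=False sorts on the raw log times,
    which is what an analyst without skew data would see."""
    def key(ev):
        host, ts, _ = ev
        return to_reference_time(host, ts, host_clocks, reference) if corrected else ts
    return [ev_id for _, _, ev_id in sorted(events, key=key)]


if __name__ == "__main__":
    print("skewed hosts:   ", skewed_hosts(HOST_CLOCKS, REFERENCE))
    print("raw order:      ", order_events(EVENTS, HOST_CLOCKS, REFERENCE, corrected=False))
    print("corrected order:", order_events(EVENTS, HOST_CLOCKS, REFERENCE))
```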
The Security Practitioner
An Introduction to Information Security