It’s that time of year again: either we are being audited, or we are receiving the results of the audit reviews conducted for 2011. If you are preparing to be audited, this means that an outside firm will conduct a formal written examination of key components of the organization. If audit results have already been provided, it is a good time to reassess, design and implement remediation plans.
One of the most common examinations conducted is the Information Security Audit, which verifies that the confidentiality, availability and integrity of an organization’s information are assured. Conducting an Information Security Audit is one of the best ways to evaluate the effectiveness of the controls in place over the organization’s information and to verify that the following critical components are adequately covered:
Confidentiality: ensuring that only the people who are authorized to have access to information are able to do so. It's about keeping valuable information only in the hands of those people who are intended to see it.
Availability: ensuring that information and information systems are available and operational when they are needed.
Integrity: maintaining the value and the state of information, ensuring that it is protected from unauthorized modification.
A common definition of an Information Security Audit is a systematic and measurable technical assessment of a system or application. Information Security Auditors work with a full understanding and knowledge of the organization (which on many occasions includes confidential and sensitive data) in order to understand the resources and assets that will be audited.
This type of audit does not take place in a vacuum; it is a crucial part of the on-going process of defining and maintaining effective security controls, and it involves everyone who uses computer resources and assets throughout the organization. Below is a list of common sensitive assets to consider:
- Computers, laptops, tablets and smart phones
- Routers and networking equipment
- Printers
- Cameras, digital or analog, with company-sensitive photographs
- Data - sales, customer information, employee information
- VoIP phones, VoIP or regular phone call recordings and records
- Email
- Log of employees’ daily schedules and activities
- Web pages, especially those that ask for customer details and those that are backed by web scripts that query a database
- Web server computer
- Security cameras
- Employee access cards
- Access points (i.e., any scanners that control room entry)
Information Security Auditors perform their work through interviews, vulnerability scans, examination of operating system access controls, analysis of historical data, physical access to the systems and automated assessments, among other methods. Some common questions that an Information Security Audit will strive to answer:
- Are passwords difficult to crack?
- Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
- Is there adequate segregation of duties implemented to support the information integrity objectives of the organization?
- Are there audit logs that record who has access to specific data? Are they reviewed?
- Are the security settings for operating systems in accordance with accepted industry security practices or regulatory required parameters?
- Have all unnecessary applications and computer services been eliminated for each system?
- Are these operating systems and applications patched to current levels?
- How is backup media stored? Who has access to it? Is it up-to-date?
- Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
- Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
- Have custom-built applications been written with security in mind?
- How have these custom applications been tested for security flaws?
- How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?
- Are physical access controls to computer facilities and data appropriately restricted?
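Several of the questions above (who has access to specific data, whether audit logs are reviewed, whether ACLs restrict shared data) can only be answered with evidence, and the usual evidence is a documented review of the access log against an authorization matrix. The script below is an added illustration of such a review, not part of the original article or of MM Consulting Services’ methodology. The log lines, the record format (`timestamp user action resource result`), the `AUTHORIZED` matrix and the business-hours window are all constructed assumptions; a real review would read the organization’s own logs and its approved access list.

```python
"""Access-log review: evidence for "who has access to specific data, and is it reviewed?"

Added example with constructed data. Assumed record format per line:
    <ISO-8601 timestamp> <user> <READ|WRITE|DELETE> <resource> <SUCCESS|DENIED>
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample audit-log lines (not taken from any real system).
SAMPLE_LOG = """\
2011-12-01T08:02:11 jsmith READ /data/customers.db SUCCESS
2011-12-01T08:05:43 mlee READ /data/payroll.xlsx SUCCESS
2011-12-01T09:17:02 guest READ /data/customers.db SUCCESS
2011-12-01T10:30:55 jsmith WRITE /data/customers.db SUCCESS
2011-12-01T11:00:09 tnguyen READ /data/payroll.xlsx DENIED
2011-12-01T23:45:00 jsmith READ /data/customers.db SUCCESS
"""

# Assumed authorization matrix: the accounts permitted to access each sensitive asset.
# Resources not listed here are treated as non-sensitive and are only counted.
AUTHORIZED = {
    "/data/customers.db": {"jsmith"},
    "/data/payroll.xlsx": {"mlee"},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (READ|WRITE|DELETE) (\S+) (SUCCESS|DENIED)$")


def parse_line(line):
    """Return one event as a dict, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, action, resource, result = m.groups()
    try:
        timestamp = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"timestamp": timestamp, "user": user, "action": action,
            "resource": resource, "result": result}


def review(log_text, authorized, business_hours=(8, 18)):
    """Review an access log against an authorization matrix.

    Returns a dict of findings an auditor would ask for evidence of:
      unauthorized  - successful access by an account not in the matrix for that asset
      denied        - rejected attempts (expected when ACLs work, still worth a look)
      after_hours   - successful access to a sensitive asset outside business hours
      access_counts - successful (user, resource) pairs, to spot over-broad access
      unparsed      - lines the parser could not read (a logging-integrity issue)
    """
    start, end = business_hours
    findings = {"unauthorized": [], "denied": [], "after_hours": [],
                "access_counts": Counter(), "unparsed": 0}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        if event is None:
            findings["unparsed"] += 1
            continue
        if event["result"] == "DENIED":
            findings["denied"].append(event)
            continue
        findings["access_counts"][(event["user"], event["resource"])] += 1
        allowed = authorized.get(event["resource"])
        if allowed is None:
            continue  # not a tracked sensitive asset
        if event["user"] not in allowed:
            findings["unauthorized"].append(event)
        hour = event["timestamp"].hour
        if hour < start or hour >= end:
            findings["after_hours"].append(event)
    return findings


def format_report(findings):
    """Render the findings as plain-text lines for an audit working paper."""
    lines = []
    for key in ("unauthorized", "denied", "after_hours"):
        lines.append(f"{key}: {len(findings[key])}")
        for e in findings[key]:
            lines.append(f"  {e['timestamp'].isoformat()} {e['user']} {e['action']} {e['resource']}")
    lines.append("successful accesses per (user, resource):")
    for (user, resource), n in sorted(findings["access_counts"].items()):
        lines.append(f"  {user} {resource}: {n}")
    lines.append(f"unparsed lines: {findings['unparsed']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review(SAMPLE_LOG, AUTHORIZED)))
```

On the constructed data the review flags one unauthorized read (the `guest` account on the customer database), one denied attempt, and one authorized but after-hours access; each of those is a line an auditor will expect to see either explained or remediated, and the unparsed-line counter gives a quick sanity check that the log itself is intact.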
Because technology is a moving target, you must bear in mind that Information Security Audits are not a one-time task but an on-going effort to improve data protection. This implies continuous monitoring and measurement of established controls and identified risks.
MM Consulting Services is your solution for helping you get through your Information Security Pre-Audit Homework. If you have already been audited, we can assist you in refining your controls and correcting deficiencies discovered through the audit process.
Written by:
Migxenia Maldonado, CISA, CRISC, CSSGB, ITILf
MM Consulting Services
Business Manager