voice over internet protocol voip audit assurance program icq eng 0112


8/9/2019 Voice Over Internet Protocol VoIP Audit Assurance Program Icq Eng 0112

1/44

Voice-over Internet Protocol (VoIP)

Audit/Assurance Program


ISACA®

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfil their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer

ISACA has designed and created Voice-over Internet Protocol (VoIP) Audit/Assurance Program (the "Work") primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or IT environment.

Reservation of Rights

© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and consulting/advisory engagements and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

ISACA


ISACA wishes to recognize:

Author
Jeff Kalwerisky, CISA, CA (SA), HISP, CPE Interactive Inc., USA

Expert Reviewers
Diane E. ili, USCI, Canada
Yves M. Dorleans, CISA, Charles River Laboratories, USA
K. K. Mookhey, CISA, CISM, CRISC, CISSP, Network Intelligence India Pvt. Ltd., India
John G. Tannahill, CISM, CGEIT, CRISC, CA, J. Tannahill & Associates, Canada

ISACA Board of Directors
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Niraj Kapasi, CISA, Kapasi Bangad Tech Consulting Pvt. Ltd., India, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management, Inc., USA, Vice President
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, RSM Bird Cameron, Australia, Vice President
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International President
Lynn C. Lawton, CISA, CRISC, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Allan Neville Boardman, CISA, CISM, CGEIT, CRISC, CA (SA), CISSP, Morgan Stanley, UK, Director
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Director

Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Chairman
Michael A. Berardi Jr., CISA, CGEIT, Bank of America, USA
John Ho Chi, CISA, CISM, CRISC, CFE, CBCP, Ernst & Young LLP, Singapore
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, Stachtchenko & Associates SAS, France

Guidance and Practices Committee
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman


Norwich University
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

Table of Contents

I. Introduction 4
II. Using This Document 5
III. Assurance and Control Framework 8
IV. Executive Summary of Audit/Assurance Focus 8
V. Audit/Assurance Program 12
  1. Planning and Scoping the Audit 12
  2. Preparatory Steps 14
  3. Governance 16
  4. Server Configuration 24
  5. Network 32
  6. Contingency Planning 33
VI. Maturity Assessment 35
Appendix 1. VoIP Threat Taxonomy 40
Appendix 2. Separation of Data and VoIP VLANs (Schematic) 41
Appendix 3. References 42

I. Introduction

Overview


Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise's control framework.

IT Governance, Risk and Control

IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps


The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.

The audit/assurance plan wrap-up (those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing, and report clearing) has been excluded from this document since it is standard for the audit/assurance function and should be identified elsewhere in the enterprise's standards.

COBIT Cross-reference

The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components

As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised as the COSO Enterprise Risk Management (ERM) Integrated Framework.


Figure 1: Comparison of COSO Internal Control and ERM Integrated Frameworks

(Left column: Internal Control Framework. Right column: ERM Integrated Framework.)

Risk Assessment (Internal Control): Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Risk Assessment (ERM): Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response (ERM): Management selects risk responses (avoiding, accepting, reducing or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Control Activities (Internal Control): Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control Activities (ERM): Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication (Internal Control): Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Information and Communication (ERM): Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Monitoring (Internal Control): Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

Monitoring (ERM): The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the


III. Assurance and Control Framework

ISACA IT Assurance Framework and Standards

The ITAF sections relevant to VoIP server are 3630 General Controls and 3650 Auditing Applications.

ISACA Controls Framework

COBIT is a framework for the governance of IT and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.

As described in the following Executive Summary, VoIP server is an architecture that supports and drives business processes.

The primary COBIT processes associated with an implementation of VoIP server are as follows:

• PO2 Define the Information Architecture: Defined data classification scheme used to establish content security requirements
• PO6 Communicate Management Aims and Direction: Once governance and policies are established, communicating same to the users
• AI1 Identify Automated Solutions: Business requirements necessary to define and implement business processes
• AI3 Acquire and Maintain Technology Infrastructure: Technology architecture required to support the VoIP server environment and ensure alignment with the enterprise architecture
• DS5 Ensure Systems Security: Security configuration and processes required to secure the VoIP server contents
• DS9 Manage the Configuration: Configuration settings of the various servers which support the infrastructure of VoIP server
• DS11 Manage Data: Data management classification, storage, and retention
• ME2 Monitor and Evaluate Internal Control: The decentralized nature of VoIP server installations requires the monitoring of internal control as a part of the management structure
• ME3 Ensure Compliance With External Requirements: Compliance with regulatory and legal entities


Common terms related to VoIP are Internet Telephony, IP Telephony, Broadband Telephony and Voice-over Broadband. These terms each refer to how VoIP is being used and should be considered as referring to VoIP technologies, rather than being synonymous with VoIP.

Traditional analog circuit-based telephony, the public switched telephone network (PSTN), is owned and operated by the traditional local and international carriers, referred to as "telecoms." The legacy PSTN is based on circuit-switched Time Division Multiplexed (TDM) connections, also known as Plain Old Telephone Service (POTS).

VoIP provides an effective channel for voice and multimedia communications at lower cost and with greater flexibility.

VoIP has become an important component of modern corporate communications, and many enterprises depend entirely on it for voice and multimedia. As with most new technologies, there are both security opportunities and risk with VoIP. The risk includes improper or inadequate installation, commingling of voice and data on the same circuits, quality of service (QoS) and the likelihood of hacking attacks on VoIP networks. The opportunities include leveraging existing information security infrastructures to protect VoIP packet streams (e.g., firewalls) and the use of encryption to protect the confidentiality of voice and multimedia communications.

VoIP systems include traditional phone handsets, conferencing units and mobile devices, as well as other components such as call processors, gateways, routers, firewalls and various VoIP protocols. Due to the high-performance demands of VoIP (especially voice and video), standard network hardware and software are typically supplemented with special VoIP components.

A major advantage of wireless VoIP is that IP phones that work on Wi-Fi networks can be used in place of cell phones, in many cases. Public 802.11 hotspots are often free or available at a low daily cost to the end user. When connecting to a Wi-Fi network for web and email access, there is no additional cost to make VoIP calls other than the cost of the users' VoIP service. VoIP service usually costs far less than cell phone service and may offer free unlimited international calling, something end users do not get with most cellular plans. Public hotspots are also networks the enterprise does not control, so the confidentiality of calls placed over them rests entirely on the encryption of signaling and media mentioned above.


and video. Failure to deliver consistent QoS requirements (dropped calls, indistinct or garbled video, etc.) has an obvious negative impact on daily operations across the enterprise, from offices to the shop floor to executive suites.

Since VoIP runs over IP, it is exposed to the usual attacks by hackers, malware, etc. In addition, failure to enforce adequate separation between voice and data circuits implies that if either one were to be compromised, the enterprise would be exposed to the partial or complete loss of both critical functions.

Unlike the PSTN, which uses 100 percent of allocated bandwidth (usually 64 Kbits/sec per channel), VoIP connections are routed by the underlying IP network using the best means possible at that particular moment. It is possible, therefore, to experience lower QoS due to VoIP network congestion. Thus, the quality of the call will be a function of the quality of the underlying network. For example, VoIP calls made over a low-bandwidth, consumer grade, "Best Efforts" Internet connection will be of poorer quality than those made over an enterprise's high-speed (e.g., T1 class or above) local area network (LAN) or wide area network (WAN).

The dependence on VoIP communications implies a direct or indirect impact on:

• Communications, both within the enterprise and with the external world
• Ongoing business operations
• Customer relations
• Help desk and technical support
• Contractual issues
• Legal and compliance issues (e.g., risk of transmitting sensitive personally identifiable information (PII) in VoIP SMS messages or chat sessions, in breach of the US Health Insurance Portability and Accountability Act (HIPAA) or Payment Card Industry (PCI) requirements)

Voice and multimedia communications typically contain or relate to business-critical information, including, but not limited to:

• Intellectual property (e.g., patents, copyrighted material)
• Sensitive corporate material, including data relating to financials, marketing and strategic planning, sensitive personnel information, sales and marketing, and daily business operations


• Security breaches due to malware carried by instant messaging
• Loss of sales due to inability of customers to reach sales personnel
• Brand damage and loss of competitive advantage
• Lawsuits by aggrieved third parties if hackers succeed in using compromised VoIP servers to attack other sites
• Inability to comply with legal discovery demands
• Inability to restore voice or multimedia communication within a reasonable time frame
• Officer liability

Objective and Scope

A typical VoIP network comprises a complex series of cooperating protocols, networks (wireless and wired), servers, security architectures, special services (such as E-911), backup and recovery systems, and interfaces to the PSTN.

During the audit planning process, the auditor must determine the scope of the audit. Depending on the specific implementation, this may include:

• Evaluation of governance, policies and oversight relating to VoIP
• Data classification policies and management
• The appropriate VoIP business case, actual deployment or upgrade processes, strategy and implementation controls
• Technical architecture(s), including security systems, multiple platforms (different vendors which supply and/or support VoIP), interfaces with data networks, backup and recovery, data retention and destruction policy, and technology
• Assessments of IT infrastructure and personnel to support the VoIP architecture(s)
• Baseline configurations of deployed hardware and software
• Issues related to decentralized VoIP servers, such as differing security standards
• Issues related to failover clustering, where appropriate

Security considerations for the PSTN or dial-up are outside the scope of this document.


V. Audit/Assurance Program

Column headings used throughout the program table: Audit/Assurance Program Step | COBIT Cross-reference | COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Reference/Hyperlink | Issue Cross-reference | Comments

1. PLANNING AND SCOPING THE AUDIT

1.1 Define the audit/assurance objectives. The audit/assurance objectives are high-level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.

1.2 Define audit assignment success. The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.2.1 Identify the drivers for a successful review. (This should exist in the assurance function's standards and procedures.)
1.2.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.

1.3 Define the boundaries of the review. The review must have a defined scope. Understand the functions and application requirements for the VoIP servers within the scope.
1.3.1 Obtain a list of VoIP servers and, for each, the relevant manufacturer, supplier and software versions.
1.3.2 Identify the criteria for selecting VoIP servers for inclusion or exclusion in the current audit/review.

© 2012 ISACA. All rights reserved. Page 12


1.4 Identify and document audit risk. The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures utilization of audit resources in the most effective manner.
1.4.1 Identify the business risk associated with the use of VoIP under consideration for audit/review.
1.4.2 Based on the risk assessment, evaluate the overall audit risk factor for performing the audit/review.
1.4.3 Based on the risk assessment, identify changes to the scope.
1.4.4 Discuss the risk with IT management and adjust the risk assessment.
1.4.5 Based on the risk assessment, revise the scope.

1.5 Define the audit change process. The initial audit approach is based on the reviewer's understanding of the operating environment and associated risk. As further research and analysis are performed, changes to the scope and approach may result.
1.5.1 Identify the senior IT assurance and business resources responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program and the authorizations required.

1.6 Define the audit/assurance resources required. The resources required are defined in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end dates) required for the review.



1.7 Define deliverables. The deliverables are not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.

1.8 Communicate the audit/assurance process clearly to the customer/client.
1.8.1 Conduct an opening conference to discuss:
• Objectives with the stakeholders
• Relevant documents (e.g., policies, processes, management communications, minutes of meetings, deployment documentation) required to perform the audit/review
• Scope, scope limitations (audit boundaries), budgets, due dates, time lines, milestones and deliverables
• Available information security resources required to assist with the audit/review

2. PREPARATORY STEPS

2.1 Obtain and review the current organizational charts relating to VoIP communications.
2.1.1 Obtain the organizational chart for senior management overseeing VoIP communications.
2.1.2 Obtain the organizational chart for the IT infrastructure supporting and interfacing with VoIP.
2.1.3 Obtain the organizational chart for VoIP configuration and user maintenance.

2.2 Obtain the job descriptions of personnel responsible for the VoIP infrastructure, configuration and user administration.

2.3 Determine if previous VoIP infrastructure audits/reviews have been performed.
2.3.1 If prior audits/reviews have been performed, obtain the relevant work papers.



2.3.1.1 Review the current security configuration documentation, as well as relevant functional and administrative controls, to determine if previously identified issues have been addressed.
2.3.1.2 Determine if the specific VoIP servers or networks under consideration for inclusion in the scope of this audit/review were included in the prior audit/review.
2.3.1.3 Review any penetration testing and vulnerability assessment that was performed.

2.4 Select the VoIP servers or networks to be included in the audit/review.
2.4.1 Obtain a list of VoIP networks and servers. VoIP media servers may include any of the following:
• Media gateway, for protocol translation, typically PSTN to/from local protocols
• H.323 gatekeeper, which provides address translation (alias to IP address)
• Firewalls and application-layer gateways for address filtering and security
• Interactive voice response (IVR) server
• Signaling media server (media gateway controller) to handle call control
• Automated call distribution (ACD) for receiving and distributing calls in a contact center
• Conferencing media server for voice and video conferencing
• Text-to-speech (TTS) server (converts text email to speech)
• Automated voice-to-email response system
• Voice or video applications server
• Streaming content server
• Fax-on-demand server
• Potentially running VoiceXML or MRCP


2.4.2 Determine the business units associated with each VoIP network or server. Select the networks for inclusion in a sample of the population. Include in the sample high-profile networks/servers and processes requiring intensive resources (such as those dedicated to video conferencing or IVR).

2.5 Obtain Server Documents

For the servers to be included in scope, obtain the following documents for each server:

• Server documents: configuration, software versions, hardware, VoIP protocols deployed, etc.
• Security documents and policy documents
• List of administrators with access
• VoIP network diagram

3. GOVERNANCE

3.1 Business Case

Audit/Assurance Objective: The initial VoIP server infrastructure and VoIP applications are supported by a documented business case describing the return on investment and other direct and indirect benefits.

VoIP Business Case Requirements

Control: A business case to support the deployment of VoIP is fully documented and describes the benefits to be realized.

[COBIT: PO1.2, PO2.1, AI1.3, AI3.1, DS11.1; COSO: X X X]

3.1.1.1 Obtain a copy of the business case document supporting the deployment of VoIP in the enterprise to replace earlier (analog) technology.

3.1.1.2 Determine that the business case document adequately describes the benefits to be realized from deploying VoIP in place of analog technology and is appropriately authorized.

3.1.1.3 Determine that, subsequent to deployment, the projected benefits were achieved or exceeded.


3.1.1.4 Determine whether the conversion to VoIP was included in any short-term or long-term strategic IT plan.

3.2 VoIP Policies

Guiding Principles

Audit/Assurance Objective: VoIP deployment adheres to enterprise objectives or guiding principles.

VoIP Guiding Principles Document

Control: A guiding principles document has been established and addresses key issues of VoIP design, deployment and operations.

[COBIT: PO1.4, PO6, AI1.1, AI1.4, ME4; COSO: X X]

3.2.1.1 Determine whether a guiding principles or similarly named document exists that outlines the specific design objectives for a VoIP architecture or infrastructure.

3.2.1.2 Obtain a copy of the guiding principles document.

3.2.1.3 Determine whether the guiding principles address general enterprise policies relating to confidentiality and privacy, data integrity and availability, as well as copyright, records retention and overall security.

3.2.1.4 By reference to formal documentation (minutes of meetings, progress reports, etc.), determine whether the guiding principles were enforced during the acquisition and deployment of VoIP technology.

3.2.1.5 Site Design: Verify that the guiding principles require that VoIP architects:

• Use a consistent design
• Approve changes based on demonstrated need
• Have a designated owner for each network

3.2.1.6 Architecture Documentation: Verify that documentation is:

• Stored in a location and format that prevents unauthorized changes
• Updated regularly as changes occur
• Accessible to authorized personnel

Policies and Standards

Audit/Assurance Objective: Policies and standards adhere to enterprise policies and standards.

VoIP Policies and Standards

Control: VoIP policies are defined, documented and distributed to VoIP administrators, architects and relevant users.

[COBIT: PO6.4, PO6.5; COSO: X]

3.2.1.7 Determine whether a VoIP policies and standards document exists.

3.2.1.8 Obtain the VoIP policies and standards document, and review it as noted in the following steps.

3.2.1.9 Determine that VoIP policies and standards are reviewed at least annually and updated as required.

3.2.1.10 Review the VoIP policies and standards document against the points noted in the following steps.

3.2.1.11 Architecture standards include the points indicated in the following steps.

3.2.1.12 All VoIP phones must be on a virtual LAN (VLAN) separate from any data VLAN and must use RFC 1918 private (not Internet-routable) addresses.³ Private addressing by itself does not isolate the phones; isolation depends on the VLAN separation and the inter-VLAN filtering required in 3.2.1.13 and 3.2.1.14.

3.2.1.13 Voice LANs and VLANs must be firewalled off from any data VLANs/LANs.

³ Most VoIP phones have a built-in switch that supports the 802.1p/q VLAN standard, making it possible to establish VLANs between the desktop and the nearest wiring closet. Because a PC daisy-chained behind the phone shares that cable, verify that the access switch does not accept frames tagged with the voice VLAN from the PC side. See the schematic diagram in the appendix.


3.2.1.14 Appropriate mechanisms, such as access control lists (ACLs), are required to prevent any communication across VLANs (in practice, anything beyond the specific flows the VoIP design requires, such as phones to the call manager on defined ports).

3.2.1.15 Review the ACLs to ensure they provide the appropriate isolation between the VoIP VLAN and data/other VLANs. ACLs are evaluated first-match, so check rule order as well as the individual permits: a broad permit placed before the inter-VLAN deny silently defeats the isolation.

3.2.1.16 Connections from VoIP components to the Internet are expressly forbidden.

3.2.1.17 In the case of any exceptions to the above policy, determine that the risk has been documented and appropriate countermeasures implemented (e.g., additional VoIP-aware firewalls or a session border controller).

3.2.1.18 If telecommuters are permitted to access the VoIP PBX over the Internet, they must enter via an encrypted VPN tunnel with strong user authentication.

3.2.1.19 An intrusion detection system (IDS) or intrusion prevention system (IPS) is deployed to detect, and where possible block, external Denial of Service (DoS) attacks. An IDS alone only alerts; mitigation requires an IPS, rate limiting or upstream filtering.

3.2.1.20 VoIP-enabled phones must authenticate when connecting to the PBX by a challenge-response process (e.g., SIP digest authentication or certificate-based authentication).

3.2.1.21 In a high-security environment, VoIP signaling and media must be encrypted to deter internal attacks (e.g., where a "rogue" PC is connected to a VoIP network to intercept voice packets).⁴

⁴ In a situation in which encryption is not being used, the VoIP VLAN should prevent sniffing of the VoIP traffic by preventing a laptop from being connected to the VoIP network. Thus, in general, unauthorized devices such as laptops with softphones or other VoIP phones (from some other manufacturer) should be prevented from successfully connecting to the VoIP VLAN.


3.2.1.22 If encryption is deployed, it must be enforced to/from all phones and on any IP trunk between the gateway and the carrier/PSTN. A TDM trunk cannot carry VoIP encryption, so the gateway's PSTN side is the trust boundary.

3.2.1.23 If encryption is deployed, an industry-standard encryption algorithm such as AES is required (3DES is deprecated by NIST and should not be selected for new deployments). No proprietary algorithms, vendor-supplied or otherwise, should ever be used, due to their unknown effectiveness. In practice this means SRTP for media and TLS for SIP signaling.

3.2.1.24 If wireless connectivity is deployed (e.g., Wi-Fi handsets or softphones on mobile devices), a strong encryption protocol, such as WPA2 or WPA3, is used, not WEP, the original WPA/TKIP or other weak encryption.

3.2.1.25 In a regulated environment, consumer services such as Skype are not permitted, because user identity assurance, encryption and call records are outside the enterprise's control.

3.2.1.26 Where feasible, MAC-binding should be implemented to ensure no unauthorized devices connect to the VoIP VLAN. Note that MAC addresses are trivially spoofed, so MAC-binding is a deterrent only; 802.1X port authentication with phone certificates gives stronger assurance.
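The VLAN and ACL requirements in 3.2.1.12 through 3.2.1.15 can be checked mechanically rather than by reading rules by eye. The following is an added example, not part of the ISACA program, that parses a small Cisco-style extended ACL, evaluates it with the first-match semantics real ACLs use, and reports the data-VLAN-to-voice-VLAN flows that are still permitted; it also flags voice subnets outside the RFC 1918 ranges. The ACL text, the subnet ranges and the probe port list are constructed for illustration and are assumptions to be replaced with the reviewed configuration.

```python
"""Added example: probe an inter-VLAN ACL for voice/data isolation (3.2.1.12 to 3.2.1.15).

Assumptions (not from the audit program): Cisco-style extended ACL lines of the form
'permit|deny <proto> <src> <dst> [eq <port>]', where an address is 'any',
'host A.B.C.D' or 'A.B.C.D WILDCARD'; first-match evaluation with an implicit
deny at the end. The ACL, subnets and probe list below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample ACL, applied inbound on the data VLAN interface. The second
# rule is a "management" permit that is far too broad and sits before the deny.
SAMPLE_ACL = """
permit udp 10.20.0.0 0.0.255.255 host 10.10.1.5 eq 5060
permit tcp 10.0.0.0 0.255.255.255 any eq 80
deny   ip  10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
permit ip  any any
"""

DATA_VLANS = ["10.20.0.0/16"]     # constructed
VOICE_VLANS = ["10.10.0.0/16"]    # constructed

# Flows a workstation should never be able to open into the voice VLAN.
PROBES = [("udp", 5060), ("tcp", 5060), ("udp", 16384), ("tcp", 22), ("tcp", 80), ("tcp", 443)]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one address spec; a Cisco wildcard mask is the bitwise inverse of a netmask."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    # A ValueError here means a non-contiguous wildcard, which needs a manual look.
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append(Rule(action, proto, src, dst, port))
    return rules


def first_match(rules: List[Rule], proto: str, src, dst, port: int) -> str:
    """Action of the first rule matching the flow; implicit deny if none matches."""
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.port is not None and r.port != port:
            continue
        return r.action
    return "deny"


def flow_allowed(rules: List[Rule], proto: str, src_ip: str, dst_ip: str, port: int) -> bool:
    return first_match(rules, proto, ipaddress.ip_address(src_ip),
                       ipaddress.ip_address(dst_ip), port) == "permit"


def find_leaks(rules: List[Rule], data_vlans: Iterable[str], voice_vlans: Iterable[str]):
    """Probe flows from a data-VLAN host into each voice subnet; return those still permitted."""
    leaks = []
    for d in map(ipaddress.ip_network, data_vlans):
        for v in map(ipaddress.ip_network, voice_vlans):
            src, dst = d.network_address + 10, v.network_address + 10   # arbitrary hosts
            for proto, port in PROBES:
                if first_match(rules, proto, src, dst, port) == "permit":
                    leaks.append((str(src), str(dst), proto, port))
    return leaks


def non_rfc1918(subnets: Iterable[str]) -> List[str]:
    """Subnets that violate the RFC 1918 addressing requirement of 3.2.1.12."""
    return [s for s in subnets
            if not any(ipaddress.ip_network(s).subnet_of(p) for p in RFC1918)]


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for leak in find_leaks(rules, DATA_VLANS, VOICE_VLANS):
        print("ISOLATION GAP:", leak)
    print("non-RFC 1918 voice subnets:", non_rfc1918(VOICE_VLANS))
```

On the constructed ACL the script reports a single gap, TCP/80 from the data VLAN into the voice VLAN, caused by the over-broad second rule; the intended SIP path from the data VLAN to the call manager at 10.10.1.5 remains permitted, and every other probe is stopped by the explicit deny. Probing a fixed set of flows is deliberate: it answers the auditor's question ("can a workstation reach a phone?") without attempting a full rule-overlap analysis.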

3.2.1.27 Operations

3.2.1.28 Verify that all VoIP-related administrative passwords (and encryption/decryption keys, where appropriate) have been changed from the manufacturer's default values.

3.2.1.29 Verify that administrative passwords and encryption/decryption keys are known only to a restricted list of trusted personnel.

3.2.1.30 Determine that emergency copies of all administrative passwords and encryption/decryption keys are kept in a secure location with restricted access.


3.2.1.31 Determine that VoIP policies and standards are reviewed at least annually and updated as required.

3.2.1.32 VoIP Content

3.2.1.33 Instant message (IM) and chat content are subject to review according to enterprise data classification and acceptable use policies.

3.2.1.34 IM and chat data are retained according to enterprise retention policies, with provisions for a more stringent policy based on data classification, data content or user group (e.g., C-suite executives).

3.2.1.35 Deployment Policies

3.2.1.36 VoIP deployments follow a prescribed project framework, e.g., the IT Infrastructure Library (ITIL).

3.2.1.37 If this is a new deployment of VoIP or a recent upgrade from an earlier version of VoIP, documented industry-standard good practices were followed.

3.2.1.38 The deployment process includes formal security and control requirements, including secure architecture, network security, patching, incident and incident-trigger definition, compliance, e-discovery and encryption.⁵

3.2.1.39 Security requirements are defined according to enterprise security policies, separation of duties, approval policies, compliance, disaster recovery, incident management, etc.

⁵ Note that in the United States the Communications Assistance for Law Enforcement Act (CALEA), 1994, as extended by the FCC in 2005, requires providers of interconnected VoIP service to be capable of lawful intercept.


3.2.1.40 The deployment process includes appropriate expected performance metrics to quantify the hardware needed, at present and in the future.

3.2.1.41 VoIP operations staff conducts appropriate and regular capacity planning to determine the anticipated future processing capacity needed to meet expected business needs.

3.2.1.42 Specific Organizational Unit Policies

3.2.1.43 Specific organizational units may alter policies to require more stringent security and design guidelines. More relaxed policies not in compliance with data classification standards and guidelines must be approved by information security management and the business data owner.

3.2.1.44 Gain documentary evidence of any such recent approval(s).

3.2.1.45 Audit Policies

3.2.1.46 Audit policies are aligned with enterprise audit policies based on data classification.

3.2.1.47 Audit policies include monitoring of access to VoIP servers by administrators and other privileged users.

Roles and Responsibilities

Audit/Assurance Objective: Policies and standards address the roles and responsibilities for implementing and maintaining VoIP server installations, including the underlying technology stack that supports the VoIP server.

Roles and Responsibilities Description

Control: A VoIP server policies and roles document describes the specific responsibilities of key job functions.

[COBIT: PO4.6, PO7; COSO: X X]

3.2.1.48 Determine whether a VoIP server roles and responsibilities document exists.

3.2.1.49 If a VoIP server roles and responsibilities document exists, evaluate the appropriateness of the descriptions for the following roles:

• Executive sponsor (applications)
• Governance board or steering committee (applications)
• Technology administrator
• Technology support team
• VoIP administrator
• Network architect
• Organizational unit administrator

3.2.1.50 Review the roles against the following responsibilities to assure that these responsibilities are assigned to a job function and to specific individuals:

• Management of the technical infrastructure, including servers, networks, database management, voice mailbox management, etc.
• Management of the VoIP server infrastructure
• Applications management
• Access controls, i.e., user provisioning
• Performance evaluation
• Business continuity and disaster recovery


3.3 Monitoring

Monitoring

Audit/Assurance Objective: VoIP server implementations and applications are subject to regular monitoring and reporting, based on the criticality and sensitivity of data, and adherence to management oversight requirements.

Management Oversight of VoIP Server Deployments and Operations

Control: VoIP server implementations follow the enterprise project management system and, where practical, the project management and systems development life cycle.

[COBIT: PO10, ME1; COSO: X X]

3.3.1.1 Prepare a sample of recent VoIP server deployments (upgrades or new deployments).

3.3.1.2 Select high-risk or high-profile VoIP server implementations.

3.3.1.3 Obtain project documentation.

3.3.1.4 Determine whether the monitoring of the VoIP server project was/is in alignment with enterprise standards.

3.3.1.5 Determine whether VoIP server operations are monitored in a manner consistent with other operational processes.

Issue Monitoring

Control: VoIP server implementation and operations are subject to issue monitoring and escalation to appropriate managers in the IT and business units.

[COBIT: PO10, DS8, ME1, ME2, ME4; COSO: X X X X]

3.3.1.6 Obtain issue monitoring reports.

3.3.1.7 Evaluate the issue monitoring function for effectiveness, completeness, and appropriate and timely escalations.


4. SERVER CONFIGURATION

4.1 Virtualization

Audit/Assurance Objective: VoIP servers running in a virtualized environment are fully segregated from other servers running on the same physical hardware.

Virtualization Segregation

Control: VoIP servers are segregated from other servers in the virtualization pool.

[COBIT: PO2.1, DS5.1, DS9; COSO: X]

Obtain the server virtualization specifications and architecture documentation.

Determine that controls within the virtualization configuration assure complete segregation of VoIP server processes and access rights from other environments (separate virtual switches or VLANs for the voice interfaces, no shared management credentials, and dedicated resource reservations so that a noisy neighbor cannot degrade call quality).

If a virtualization audit has been performed, review the findings and issue monitoring for identified control concerns and remediation plans.

If no recent virtualization audit has been performed and the VoIP servers operate in a virtualized environment, consider postponing the VoIP server audit until a virtualization audit can be performed. Refer to the ISACA VMware Server Virtualization Audit/Assurance Program, as needed.

4.2 Operating System Hardening

Audit/Assurance Objective: Operating systems of the host servers are hardened according to best practices.

Operating Systems Are Configured for Security

Control: Operating systems are configured for maximum security.

[COBIT: DS9; COSO: X]

4.2.1.1 Establish whether a recent operating system audit/review was completed for the relevant operating system.

• If so, obtain a copy of the report and ensure all issues were appropriately remediated.
• If not, consider conducting an audit/review of the underlying operating system security and controls. Refer to the appropriate ISACA Operating System Audit/Assurance Program, as needed.

4.2.1.2 Review whether the organization has an operating system configuration baseline for VoIP servers.

4.2.1.3 Verify that VoIP servers, virtual and physical, are dedicated to VoIP processes only.

4.2.1.4 Verify that nonessential services or daemons are not operating on the servers.

4.2.1.5 Verify that only the ports necessary for VoIP are open in the server firewall (e.g., SIP on 5060/5061 or H.323 on 1720, the configured RTP/SRTP port range, and management ports restricted to the management network).

4.2.1.6 Verify that firewalls protecting VoIP VLANs and servers are configured to deter the most common VoIP attack scenarios. The following is a nonexhaustive list of such attacks:

• DoS and Distributed Denial of Service (DDoS) attacks
• QoS modification attack
• VoIP packet injection
• DoS against supplementary services (e.g., dynamic host configuration protocol [DHCP] or domain name system [DNS])
• Wireless DoS
• "Packet of Death" DoS, essentially a flood of random transmission control protocol (TCP), UDP or Internet control message protocol (ICMP) packets designed to crash VoIP servers
• IP phone flood DoS, in which a large volume of call data is sent to a single VoIP endpoint in an attempt to exhaust its central processing unit (CPU), bandwidth, TCP sessions, etc.
• DNS poisoning
• Toll fraud, the use of VoIP servers to place unauthorized toll calls over the PSTN

Note that a firewall alone does not address every item on this list: QoS modification is countered by trusting DSCP markings only from phone ports, DNS poisoning by hardened or authenticated resolvers, and toll fraud by dial-plan restrictions, class-of-restriction settings and call-pattern monitoring on the PBX. Verify those controls separately.


4.3 VoIP Specific Policies

Security Settings Are Established Using Policies

Audit/Assurance Objective: Security settings for users are established and enforced through policies assigned to the organizational units and directory root.

Security Policy Settings Are Established Using Policy Documents

Control: Security policy is established for users using the policy document and is assigned to the organizational unit and, where necessary, to an individual.

[COBIT: PO2.3, DS5.3, DS5.4, DS9; COSO: X]

4.3.1.1 Obtain the policies document for each server in scope.

4.3.1.2 Determine whether policies have been established within the directory hierarchy.

4.3.1.3 Determine whether explicitly assigned policies create an exposure for unauthorized access.

Password Policies

Audit/Assurance Objective: Password policies adequately protect the users and the privacy of voice mail and applications.

4.3.1.4 Password Policies Protect the Identity and Access to Voice Mail

Control: VoIP password/personal identification number (PIN) policies are in alignment with enterprise identity management policies and practices.

[COBIT: DS5.3, DS5.4, DS9; COSO: X]

4.3.1.5 Determine that all users are required to set up a private password to access their voice mail.

4.3.1.6 For a sample of VoIP phones, determine that voice mail cannot be accessed without a password/PIN and that default passwords/PINs (e.g., 0000, 1234) have been changed. Also confirm that the voice mail system locks out or throttles after a small number of failed PIN attempts; a 4-digit PIN has only 10,000 possible values and is otherwise guessable by an automated dialer.

4.3.1.7 Verify that firewall rule bases block any access by regular (data) users to the VoIP VLAN from their workstations.

Password/PIN Policies Protect the VoIP Phone's Configuration

Control: A PIN is required to access configuration information on each individual VoIP handset/phone.

[COBIT: DS5.3, DS5.4, DS9; COSO: X]

4.3.1.8 Determine that a 4-digit or longer PIN is assigned to each VoIP handset/phone to access the device's configuration menu, and that the phone's web interface, if enabled, requires its own non-default administrative credentials.
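Steps 4.3.1.6 and 4.3.1.8 can be applied to more than the two default values they mention. The following is an added example, not part of the ISACA program, of a PIN policy check that flags vendor defaults, repeated or sequential digits, PINs shorter than four digits and PINs that equal the extension; the extension/PIN table and the default list are constructed assumptions. Well-run voice mail platforms store PIN hashes rather than clear PINs, so in practice this logic belongs in the PIN-change path, or runs against a one-off export the platform administrator provides under controlled conditions.

```python
"""Added example: voice mail and handset PIN weakness check (4.3.1.6 and 4.3.1.8).

The extension-to-PIN table below is constructed for illustration. The checks
encode the policy stated in the text (minimum four digits, defaults changed)
plus the patterns an automated guesser tries first.
"""
from typing import Dict, Iterable, List, Tuple

MIN_PIN_LENGTH = 4
# Common vendor defaults and keypad patterns (assumed list); extend with the platform's documented defaults.
DEFAULT_PINS = {"0000", "1234", "1111", "2580", "4321", "12345", "123456", "000000"}

SAMPLE_PINS: List[Tuple[str, str]] = [   # (extension, PIN), constructed
    ("2001", "0000"), ("2002", "2002"), ("2003", "4821"), ("2004", "1234"),
    ("2005", "86"),   ("2006", "7777"), ("2007", "9876"), ("2008", "5309"),
]


def is_sequential(pin: str) -> bool:
    """True for runs such as 1234 or 9876 (every step +1, or every step -1)."""
    if len(pin) < 2 or not pin.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps == {1} or steps == {-1}


def pin_weaknesses(extension: str, pin: str) -> List[str]:
    """Policy failures for one PIN, in check order; an empty list means it passes."""
    reasons = []
    if not pin.isdigit():
        reasons.append("non-numeric")
    if len(pin) < MIN_PIN_LENGTH:
        reasons.append("too short")
    if pin in DEFAULT_PINS:
        reasons.append("vendor default")
    if len(set(pin)) == 1:
        reasons.append("repeated digit")
    if is_sequential(pin):
        reasons.append("sequential")
    # The extension, or its trailing digits, is the first guess an attacker makes.
    if pin == extension or extension.endswith(pin):
        reasons.append("matches extension")
    return reasons


def audit_pins(records: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each failing extension to its reasons; passing extensions are omitted."""
    findings = {}
    for extension, pin in records:
        reasons = pin_weaknesses(extension, pin)
        if reasons:
            findings[extension] = reasons
    return findings


if __name__ == "__main__":
    for ext, why in audit_pins(SAMPLE_PINS).items():
        print(f"extension {ext}: {', '.join(why)}")
```

On the constructed table, six of the eight extensions fail: the two defaults the text names, a PIN equal to the extension, a two-digit PIN, an all-sevens PIN and a descending run. Only 4821 and 5309 pass, which is the kind of result that turns a sampling step into a population-wide finding.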

Application Access Controls

Audit/Assurance Objective: Applications (e.g., call center, customer self-service) utilizing the VoIP infrastructure have appropriate access security in alignment with data classification and user account policies.

4.3.1.9 Access Control Maintenance

Control: Access controls are maintained for provisioning, deprovisioning and transfer procedures.

[COBIT: DS5.3, DS5.4; COSO: X]

4.3.1.10 Obtain the provisioning, transfer and termination procedures.

4.3.1.11 Evaluate the procedures for design effectiveness.

4.3.1.12 Select a sample of new users, terminated users and transferees. Verify that access control for the sample set of users is in compliance with the access control maintenance procedures.

Physical Security Controls

Audit/Assurance Objective: VoIP PBX servers have adequate physical protection against unauthorized tampering.

Physical Access to VLAN Hardware Is Restricted

Control: Access to sensitive devices, such as VLAN switches, is restricted to a small number of trusted individuals on a strict "need to know" basis.

4.3.1.13 Select a sample of VLAN switches and other hardware and determine that they are all in locked cabinets or rooms to which access is limited to a small number of trusted engineers.

4.3.1.14 Determine that appropriate electronic access controls, such as magnetic badge readers, smart card readers and biometric scanners (fingerprint, hand geometry, iris, facial geometry, etc.), are in place to restrict such access.


Details of the Deployed VoIP System Are Restricted

Audit/Assurance Objective: Information about which VoIP hardware and software are deployed is restricted for internal use only.

Limitations on VoIP Deployment

Control: Specific details about the deployed VoIP hardware and software (such as manufacturer, supplier, model, version number, etc.) are restricted to internal employees on a "need to know" basis.

4.3.1.15 Determine that the above sensitive information (which could be used by intruders to plan attacks on the VoIP networks) is NOT displayed on open external or internal web sites.

4.3.1.16 Determine that access to technical documentation relevant to the deployed VoIP network(s) is restricted to a small group of trusted individuals, on a "need to know" basis.

4.3.1.17 Determine that any and all such information is classified as "Confidential, Internal Use Only" or similar. Note that SIP User-Agent and Server headers, phone web interfaces and login banners commonly disclose vendor and firmware version to anyone who can reach the device; include these in the check and have them suppressed where the platform allows.

4.4 VoIP Server Configuration

Administrators Access

Audit/Assurance Objective: Administrators are limited in their ability to access and modify server configurations.

4.4.1.1 Administrator Access Is Defined

Control: VoIP administrators are defined and documented by access level.

[COBIT: DS5.3; COSO: X]

4.4.1.2 Obtain the administrator access assignments.

4.4.1.3 Determine that the administrator access rights have been created in a granular manner consistent with the enterprise security policies.

4.4.1.4 Determine that the access assignments define the following VoIP administrator access rights:

• Full access administrators
• Administrators (specific server)
• Database administrators
• Remote PBX administrators
• View-only administrators
• System administrator

Unauthorized Users Cannot Assume Administrator Privileges

Control: Only administrators have access to the privileged administrator functions.
(COBIT cross-reference: DS9; COSO: X)

4.4.1.5 Obtain access and identity profiles, and verify that only authorized administrators have access to VoIP server and administration functions.

4.4.1.6 Determine that, if groups are used, the members of the VoIP administrative groups are appropriate based on job title.

4.4.1.7 Determine if users or members of groups associated with the administrator functions should no longer have access due to termination, job transfer or job redefinition.
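Steps 4.4.1.5 to 4.4.1.7 amount to a reconciliation of the server's administrative group membership against the identity profiles and HR status of each member. The script below is an added example of that reconciliation and is not part of the ISACA program: the group export, the HR roster and the mapping of job titles to administrative roles are constructed sample data, and the mapping in particular is an assumption the auditor would agree with the enterprise before fieldwork.

```python
"""Reconcile VoIP administrator group membership with the HR roster.

Added example for steps 4.4.1.5 to 4.4.1.7 (not part of the ISACA program).
ADMIN_GROUPS, HR_ROSTER and ALLOWED_TITLES are constructed sample data; the
role-to-job-title mapping is an assumption agreed with the enterprise.
"""
from collections import namedtuple

# Constructed export of the VoIP server's administrative groups
# (group name -> member account names), as an admin console might dump it.
ADMIN_GROUPS = {
    "voip-full-admins": ["asmith", "bjones", "svc-backup"],
    "voip-db-admins": ["cwhite"],
    "voip-view-only": ["dgreen", "efox"],
}

# Constructed HR roster: account -> (job title, employment status).
HR_ROSTER = {
    "asmith": ("VoIP Platform Engineer", "active"),
    "bjones": ("Service Desk Analyst", "active"),
    "cwhite": ("Database Administrator", "terminated"),
    "dgreen": ("Security Analyst", "active"),
    "efox": ("Security Analyst", "transferred"),
}

# Assumed mapping: which job titles justify membership of each admin group
# (mirrors the access-right categories listed under step 4.4.1.4).
ALLOWED_TITLES = {
    "voip-full-admins": {"VoIP Platform Engineer"},
    "voip-db-admins": {"Database Administrator"},
    "voip-view-only": {"Security Analyst", "Service Desk Analyst"},
}

Finding = namedtuple("Finding", "group account issue")


def review_admin_access(groups, roster, allowed_titles):
    """Return one Finding per membership that fails 4.4.1.5, 4.4.1.6 or 4.4.1.7."""
    findings = []
    for group, members in groups.items():
        for account in members:
            if account not in roster:
                # 4.4.1.5: no identity profile owns this account (shared or
                # service account with admin rights), so it is not an
                # authorized administrator.
                findings.append(Finding(group, account,
                                        "no identity profile behind the account"))
                continue
            title, status = roster[account]
            if status != "active":
                # 4.4.1.7: leaver or transfer still holding administrator access.
                findings.append(Finding(
                    group, account,
                    f"employment status is '{status}'; access should have been removed"))
            elif title not in allowed_titles.get(group, set()):
                # 4.4.1.6: membership is not justified by the job title.
                findings.append(Finding(
                    group, account, f"job title '{title}' is not approved for {group}"))
    return findings


if __name__ == "__main__":
    for f in review_admin_access(ADMIN_GROUPS, HR_ROSTER, ALLOWED_TITLES):
        print(f"{f.group:18} {f.account:12} {f.issue}")
```

On the sample data the review produces four findings: a service desk analyst and an unowned service account in the full-access group, a terminated database administrator, and a transferred analyst who kept view-only rights. An account that is active and whose title matches its group, like dgreen, produces nothing.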

Digital Certificate Management

Audit/Assurance Objective: X.509 digital certificates used to drive server authentication with SSL/TLS are adequately managed, and the corresponding private keys are protected.

4.4.1.8 SSL/TLS Digital Certificates Are Adequately Tracked and Managed

Control: An electronic or digital log of all deployed X.509 digital certificates (digital identities) is maintained and updated.
(COBIT cross-reference: DS5.7, DS5.8; COSO: X)

4.4.1.9 Determine that a suitable tracking log or index is maintained of all deployed digital certificates, showing at least the following information:

• Certificate ID, supplier
• Expiration date
• Date revoked (if applicable)
• Private key (a long string of hexadecimal digits)
• Relevant server ID
• Password to unlock the certificate in the operating system certificate store

4.4.1.10 Determine that access to the above log or index is restricted to a small list of trusted, senior personnel.
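A tracking log is only useful if somebody reads it against a date, so the review in 4.4.1.9 and 4.4.1.10 is usually scripted. The example below is added here and is not part of the ISACA program: it holds a constructed inventory in which each record carries the text that `openssl x509 -noout -serial -enddate -fingerprint -sha256` prints at deployment time, parses it, and raises the findings an auditor would (expired, expiring within 30 days, revoked but still deployed). It also flags any record that carries raw private key material or a password. The program's field list includes those two items; a practitioner normally keeps the key's fingerprint in the log instead, so that the inventory whose access 4.4.1.10 restricts does not itself become a secrets store. The review date is fixed so the results are reproducible.

```python
"""Review a digital certificate inventory log (steps 4.4.1.8 to 4.4.1.10).

Added example, not part of the ISACA program. INVENTORY is a constructed
sample log; each record's `openssl` field holds text in the layout that
`openssl x509 -noout -serial -enddate -fingerprint -sha256` prints. The
fingerprints are shortened constructed values, and REVIEW_DATE fixes the
"as of" date so the results are reproducible.
"""
import re
from datetime import datetime, timezone

REVIEW_DATE = datetime(2030, 12, 15, tzinfo=timezone.utc)

# Constructed inventory records.
INVENTORY = [
    {"server_id": "sip-proxy-01", "supplier": "Example CA", "revoked": None,
     "openssl": "serial=1A2B3C\nnotAfter=Mar  1 00:00:00 2031 GMT\n"
                "sha256 Fingerprint=0A:1B:2C:3D:4E:5F:60:71"},
    {"server_id": "sip-proxy-02", "supplier": "Example CA", "revoked": None,
     "openssl": "serial=1A2B3D\nnotAfter=Jan  5 00:00:00 2031 GMT\n"
                "sha256 Fingerprint=72:83:94:A5:B6:C7:D8:E9"},
    {"server_id": "voicemail-01", "supplier": "Example CA", "revoked": "2030-10-01",
     "openssl": "serial=1A2B3E\nnotAfter=Dec 31 00:00:00 2031 GMT\n"
                "sha256 Fingerprint=FA:0B:1C:2D:3E:4F:50:61"},
    {"server_id": "pbx-admin-01", "supplier": "Example CA", "revoked": None,
     "openssl": "serial=1A2B3F\nnotAfter=Nov 30 00:00:00 2030 GMT\n"
                "sha256 Fingerprint=11:22:33:44:55:66:77:88",
     # A record that wrongly carries key material; only the PEM header is shown.
     "notes": "-----BEGIN RSA PRIVATE KEY-----\n(constructed, truncated)"},
]

SERIAL_RE = re.compile(r"^serial=([0-9A-Fa-f]+)$", re.M)
NOT_AFTER_RE = re.compile(r"^notAfter=(.+)$", re.M)
FINGERPRINT_RE = re.compile(r"^sha256 Fingerprint=([0-9A-Fa-f:]+)$", re.M | re.I)
# Anything that looks like raw private key material or a stored password.
SECRET_RE = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----|password\s*[:=]", re.I)


def parse_openssl_fields(text):
    """Extract serial, notAfter (UTC) and SHA-256 fingerprint from openssl output."""
    serial = SERIAL_RE.search(text).group(1).upper()
    # openssl prints e.g. 'Mar  1 00:00:00 2031 GMT' (day padded with a space).
    not_after = datetime.strptime(NOT_AFTER_RE.search(text).group(1),
                                  "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    fingerprint = FINGERPRINT_RE.search(text).group(1).upper()
    return {"serial": serial, "not_after": not_after, "fingerprint": fingerprint}


def days_until_expiry(record, as_of=REVIEW_DATE):
    """Negative when the certificate has already expired."""
    return (parse_openssl_fields(record["openssl"])["not_after"] - as_of).days


def review_inventory(records, as_of=REVIEW_DATE, warn_days=30):
    """Return (server_id, issue) pairs an auditor would raise against the log."""
    findings = []
    for rec in records:
        days_left = days_until_expiry(rec, as_of)
        if days_left < 0:
            findings.append((rec["server_id"], f"expired {-days_left} days ago"))
        elif days_left <= warn_days:
            findings.append((rec["server_id"], f"expires in {days_left} days"))
        if rec.get("revoked"):
            findings.append((rec["server_id"],
                             f"revoked on {rec['revoked']} but still recorded as deployed"))
        if any(SECRET_RE.search(str(v)) for v in rec.values()):
            findings.append((rec["server_id"],
                             "record holds private key or password material; store only the fingerprint"))
    return findings


if __name__ == "__main__":
    for server, issue in review_inventory(INVENTORY):
        print(f"{server:14} {issue}")
```

Run against the sample inventory on the fixed review date, sip-proxy-02 is reported as expiring in 21 days, voicemail-01 as revoked but still deployed, and pbx-admin-01 twice: expired 15 days ago, and holding key material in the log.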

Server Access

Audit/Assurance Objective: Server access is limited as required to perform job function.

Server Access Restrictions

Control: Access to VoIP servers is defined by job function.
(COBIT cross-reference: DS5.4; COSO: X)

4.4.1.11 Determine if VoIP server access is defined by job function.

4.4.1.12 For the sample set of VoIP servers, determine who can access the servers by reviewing relevant documentation.

4.4.1.13 Evaluate if these access settings are appropriate and consistent with enterprise security policy.

Limit Port Access to VoIP Servers

Audit/Assurance Objective: Network configuration is set to provide maximum security.

VoIP Is Configured for Secure External Access

Control: Access to VoIP requires an encrypted VPN tunnel.
(COBIT cross-reference: DS5.7, DS5.8; COSO: X)

4.4.1.14 Using the sample of VoIP server documents, determine the following:

• Either an encrypted VPN tunnel or SSL/TLS is required to gain access to any VoIP server in use
• Only industry-standard encryption is allowed (AES or 3DES)
• Strong authentication is required for all external users

4.5 VoIP Messaging Configuration

Internet Access Is Highly Restricted

Audit/Assurance Objective: Access to and from the Internet is restricted to administrators.

Access to the Internet From Any VoIP Device Is Forbidden

Control: No Internet-enabled workstations are permitted to connect to any voice VLAN.
(COBIT cross-reference: DS9; COSO: X)

4.5.1.1 Review VoIP architecture documentation to determine whether any workstations (PCs, laptops, notepads, netbooks or tablets) can access the data network.

4.5.1.2 From an internal workstation, attempt to connect to the IP address of one or more VoIP servers. (This should be unsuccessful in all cases.)

4.5.1.3 Determine if antivirus and other antimalware protection software is required to protect VoIP servers.

4.5.1.4 For each server, determine that the required software packages, by vendor and version/revision level, are installed, updated and monitored.

4.6 Messaging Compliance

Audit/Assurance Objective: VoIP is appropriately configured to comply with relevant regulatory, legal, industry and enterprise internal requirements.

Message Retention Is Appropriate for the Needs of the Enterprise

Control: Text messages (IM and chat) are retained for the appropriate time span to comply with the most restrictive requirement.
(COBIT cross-reference: DS11.2; COSO: X)

4.6.1.1 Verify that written enterprise policy specifically and clearly defines the retention period for all electronic messaging and that this time period equals or exceeds that for the most restrictive relevant compliance requirement.

4.6.1.2 Verify that VoIP server operations management is fully aware of the message retention and electronic discovery policies.

4.6.1.3 Consider legal advice as to whether the retention policies also apply to video content.

Policies Are in Place to Effect a Legal Hold

Control: A legal hold policy is documented, up to date, and conveyed to VoIP server operations management.
(COBIT cross-reference: DS5, DS11, ME1; COSO: X X)

4.6.1.4 Obtain a copy of the legal hold policy and determine whether it has been communicated to, and understood by, VoIP server operations management.

4.6.1.5 By query and observation, determine whether VoIP server operations management has the necessary tools and expertise to perform e-discovery searches across multiple text mailboxes.
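The two controls in 4.6 interact: the retention period decides when a message becomes eligible for deletion, and a legal hold suspends that deletion for the custodians it names. The following is an added example of that decision logic, not part of the ISACA program. The requirement set, the hold register and the message export are constructed; in a real engagement they come from counsel and the records-management policy. The example generalizes the text slightly by treating the "most restrictive" requirement as the longest retention period among all that apply.

```python
"""Retention and legal-hold purge decision for IM/chat records (steps 4.6.1.1
to 4.6.1.5).

Added example, not part of the ISACA program. REQUIREMENTS, HOLDS and
MESSAGES are constructed sample data; the two requirements marked
"(assumed)" stand in for whatever regulation applies to the enterprise.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention requirements in days; the most restrictive one (the
# longest) governs, which is what 4.6.1.1 asks the written policy to meet.
REQUIREMENTS = {
    "enterprise records policy": 365,
    "sector regulation (assumed)": 730,
    "tax authority rule (assumed)": 2555,
}


@dataclass(frozen=True)
class LegalHold:
    custodian: str
    start: date
    end: Optional[date] = None   # None means the hold is still open


# Constructed hold register, as conveyed to VoIP server operations (4.6.1.4).
HOLDS = [LegalHold("bjones", date(2024, 3, 1))]

# Constructed export of (message_id, date sent, custodian) records.
MESSAGES = [
    ("msg-001", date(2015, 1, 10), "bjones"),   # old enough, but bjones is on hold
    ("msg-002", date(2015, 1, 10), "asmith"),   # old enough, no hold: purge
    ("msg-003", date(2020, 5, 5), "asmith"),    # still inside the retention period
]

PURGE_RUN_DATE = date(2024, 6, 1)   # the day the purge job is evaluated


def required_retention_days(requirements):
    return max(requirements.values())


def policy_meets_requirements(policy_days, requirements):
    """4.6.1.1: the written policy must equal or exceed the most restrictive requirement."""
    return policy_days >= required_retention_days(requirements)


def hold_active(custodian, as_of, holds):
    """True if any hold names the custodian and covers the date as_of."""
    return any(h.custodian == custodian and h.start <= as_of
               and (h.end is None or as_of <= h.end) for h in holds)


def purge_eligible(sent, custodian, as_of, policy_days, holds):
    """A message may be purged only after its retention period has elapsed and
    only if no legal hold covers its custodian on the day of the purge run."""
    if as_of < sent + timedelta(days=policy_days):
        return False
    return not hold_active(custodian, as_of, holds)


def purge_candidates(messages, as_of, policy_days, holds):
    return [mid for mid, sent, custodian in messages
            if purge_eligible(sent, custodian, as_of, policy_days, holds)]


if __name__ == "__main__":
    policy_days = required_retention_days(REQUIREMENTS)
    print("365-day policy sufficient:", policy_meets_requirements(365, REQUIREMENTS))
    print("purge candidates:", purge_candidates(MESSAGES, PURGE_RUN_DATE, policy_days, HOLDS))
```

With a 2555-day policy and the hold on bjones, only msg-002 is eligible on the run date; msg-001 is equally old but protected by the hold, and msg-003 is still within retention. Remove the hold and msg-001 becomes eligible too, which is the behaviour 4.6.1.5 asks operations management to be able to demonstrate.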

4.7 Auditing and Logging

Audit/Assurance Objective: VoIP server is configured to log access to critical process functions.

Auditing Is Enabled

Control: The VoIP server logging is maintained and reviewed: either operating system logs, VoIP server logs or both.
(COBIT cross-reference: DS9; COSO: X)
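"Maintained and reviewed" is the part of this control that auditors most often find missing: logs exist but nobody looks at them. The script below is an added example of a review an operations team could run over VoIP server logs; it is not part of the ISACA program. The log lines are constructed in the style of an Asterisk chan_sip log (the product is an assumption; another SIP server's registration events can be handled by adjusting the two regular expressions), and the phone VLAN address range is also assumed. It raises two kinds of alert: a burst of failed registrations from one source inside a sliding window, and a successful registration from an address outside the phone VLAN, which the segmentation controls in 4.5 say should not occur.

```python
"""Review VoIP server logs for registration abuse (section 4.7 control:
logging is maintained and reviewed).

Added example, not part of the ISACA program. SAMPLE_LOG is constructed in
Asterisk chan_sip style (an assumed product); 10.10.30.0/24 is the assumed
phone VLAN and 198.51.100.7 is an Internet host from the RFC 5737
documentation range.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
[2024-05-02 09:15:01] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@10.10.20.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-05-02 09:15:05] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@10.10.20.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-05-02 09:15:09] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@10.10.20.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-05-02 09:15:14] NOTICE[1234] chan_sip.c: Registration from '"1003" <sip:1003@10.10.20.10>' failed for '198.51.100.7:5060' - No matching peer found
[2024-05-02 09:15:20] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@10.10.20.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-05-02 09:15:26] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@10.10.20.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-05-02 09:15:30] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@10.10.20.10>' failed for '10.10.30.22:5060' - Wrong password
[2024-05-02 09:15:35] VERBOSE[1234] chan_sip.c:   -- Registered SIP '1002' at 10.10.30.22:5060
[2024-05-02 09:16:02] VERBOSE[1234] chan_sip.c:   -- Registered SIP '1001' at 198.51.100.7:5060
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] (?P<level>\w+)\[\d+\] "
    r"chan_sip\.c:\s*(?P<msg>.*)$")
FAIL_RE = re.compile(
    r"Registration from '(?P<ident>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)")
OK_RE = re.compile(r"Registered SIP '(?P<ext>\w+)' at (?P<ip>[\d.]+):\d+")


def parse_line(line):
    """Return (timestamp, message) for a chan_sip line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["msg"]


def review_sip_log(text, window_s=60, threshold=5, phone_net="10.10.30.0/24"):
    """Alert once per source that fails `threshold` registrations within
    `window_s` seconds, and on every registration from outside the phone VLAN."""
    phones = ipaddress.ip_network(phone_net)
    recent = defaultdict(deque)   # source ip -> timestamps of its recent failures
    already_alerted = set()
    alerts = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        fail = FAIL_RE.search(msg)
        if fail:
            q = recent[fail["ip"]]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # slide the window
                q.popleft()
            if len(q) >= threshold and fail["ip"] not in already_alerted:
                already_alerted.add(fail["ip"])
                alerts.append({"type": "registration_bruteforce", "ip": fail["ip"],
                               "failures": len(q), "at": ts.isoformat()})
            continue
        ok = OK_RE.search(msg)
        if ok and ipaddress.ip_address(ok["ip"]) not in phones:
            alerts.append({"type": "registration_outside_phone_vlan",
                           "extension": ok["ext"], "ip": ok["ip"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in review_sip_log(SAMPLE_LOG):
        print(alert)
```

On the sample excerpt the fifth failure from 198.51.100.7 at 09:15:20 trips the burst alert (the sixth does not alert again), the single failure from the handset at 10.10.30.22 stays below threshold, and the later successful registration of extension 1001 from the Internet host is reported as a registration from outside the phone VLAN.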

4.

AN.
(COBIT cross-reference: DS5.1; COSO: X)

5.1.1.1 Obtain a network schematic for the VoIP servers within the audit scope.

5.1.1.2 Determine if the VoIP server network segments are adequately secured, i.e., not directly accessible from the Internet, behind the appropriate firewall(s), and within the scope of deployed IDSs/IPSs.

5.1.1.3 Determine that firewalls in front of VoIP VLANs are VoIP-aware (i.e., they "understand" the deployed VoIP protocols, SIP or H.323) and that the appropriate ports are open in the firewall, depending on the specific VoIP hardware.
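Steps 5.1.1.2 and 5.1.1.3, together with 4.5.1.1 and 4.5.1.2, reduce to a set of reachability questions against the firewall rule set in front of the voice VLAN: the Internet must not reach the servers, user workstations must not reach their administrative ports, and the handsets must still reach SIP and RTP. The following is an added example of evaluating those expectations against an exported rule set and is not part of the ISACA program. The address plan, the rules and the expected outcomes are constructed, and the firewall is assumed to evaluate rules top-down, first match wins, with an implicit final deny.

```python
"""Check VoIP network segmentation against a firewall rule set (steps 4.5.1.1,
4.5.1.2, 5.1.1.2 and 5.1.1.3).

Added example, not part of the ISACA program. The address plan, RULES and
EXPECTATIONS are constructed; first-match evaluation with an implicit final
deny is an assumption about the firewall.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str          # source network (CIDR)
    dst: str          # destination network (CIDR)
    proto: str        # "tcp", "udp" or "any"
    ports: tuple      # inclusive (low, high) destination port range, or None for any
    action: str       # "permit" or "deny"
    note: str = ""


VOICE_VLAN = "10.10.20.0/24"   # VoIP servers (constructed address plan)
PHONE_VLAN = "10.10.30.0/24"   # handsets
DATA_VLAN = "10.10.40.0/24"    # user workstations
JUMP_HOST = "10.10.40.250/32"  # the one administrative host allowed in

# Constructed rule set as exported from the firewall in front of the voice VLAN.
RULES = [
    Rule(PHONE_VLAN, VOICE_VLAN, "any", (5060, 5061), "permit", "SIP signalling"),
    Rule(PHONE_VLAN, VOICE_VLAN, "udp", (10000, 20000), "permit", "RTP media"),
    Rule(JUMP_HOST, VOICE_VLAN, "tcp", (22, 22), "permit", "admin SSH from jump host"),
    Rule(DATA_VLAN, VOICE_VLAN, "tcp", (443, 443), "permit", "web admin"),  # too broad
    Rule("0.0.0.0/0", VOICE_VLAN, "any", None, "deny", "default deny into voice VLAN"),
]

# What the audit program expects: (source, destination, proto, port, expected action).
EXPECTATIONS = [
    ("198.51.100.7", "10.10.20.10", "udp", 5060, "deny"),    # 5.1.1.2: Internet -> SIP
    ("198.51.100.7", "10.10.20.10", "tcp", 443, "deny"),     # 5.1.1.2: Internet -> admin UI
    ("10.10.30.15", "10.10.20.10", "udp", 5060, "permit"),   # 5.1.1.3: phones need SIP
    ("10.10.30.15", "10.10.20.10", "udp", 16000, "permit"),  # 5.1.1.3: phones need RTP
    ("10.10.40.33", "10.10.20.10", "tcp", 22, "deny"),       # 4.5.1.2: workstation -> SSH
    ("10.10.40.33", "10.10.20.10", "tcp", 443, "deny"),      # 4.5.1.2: workstation -> admin UI
    ("10.10.40.250", "10.10.20.10", "tcp", 22, "permit"),    # jump host may administer
]


def rule_matches(rule, src_ip, dst_ip, proto, port):
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.ports is not None and not (rule.ports[0] <= port <= rule.ports[1]):
        return False
    return True


def decision(rules, src_ip, dst_ip, proto, port):
    """First matching rule decides; nothing matching is denied (assumed implicit deny)."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, proto, port):
            return rule.action
    return "deny"


def audit_segmentation(rules, expectations):
    """Return every expectation the rule set violates, naming the rule responsible."""
    failures = []
    for src, dst, proto, port, expected in expectations:
        actual = decision(rules, src, dst, proto, port)
        if actual != expected:
            culprit = next((r for r in rules if rule_matches(r, src, dst, proto, port)), None)
            failures.append({"src": src, "dst": dst, "proto": proto, "port": port,
                             "expected": expected, "actual": actual,
                             "rule": culprit.note if culprit else "implicit deny"})
    return failures


if __name__ == "__main__":
    for f in audit_segmentation(RULES, EXPECTATIONS):
        print(f"{f['src']} -> {f['dst']} {f['proto']}/{f['port']}: expected {f['expected']}, "
              f"got {f['actual']} (rule: {f['rule']})")
```

The constructed rule set passes every expectation except one: the "web admin" rule permits the whole data VLAN, not just the jump host, to reach the servers' HTTPS administration port, which is exactly the condition 4.5.1.2 tells the auditor to probe from a workstation. Writing the expectations down as data, as here, also gives the auditor a regression check to re-run after the rule is tightened.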

5.2 Network Protection

Audit/Assurance Objective: The VoIP networks and VLANs are included in security monitoring and vulnerability assessment.

Inclusion in Network Assessments and Penetration Tests

Control: VoIP and IP PBX servers are included in all network security assessments and penetration tests.
(COBIT cross-reference: DS5.9; COSO: X X)

5.2.1.1 Review documentation relating to recent vulnerability assessments and penetration tests (by internal or external testers) and determine that all VoIP servers and VLANs were included in the scope of such tests.

5.2.1.2 Determine whether all vulnerabilities relating to VoIP networks and VLANs were appropriately remediated in a timely fashion.


6. CONTINGENCY PLANNING


namely all of the following:

• Service level agreements (SLAs), which define how long VoIP can be down before service has to be restored (likely very short)
• Recovery point objectives (RPOs), which determine how much data can be lost, measured in minutes
• Recovery time objectives (RTOs), which determine the maximum time allowed for recovering each service, measured in minutes

6.2.1.2 Obtain and review a copy of the last recovery test and determine whether all of the above were tested and whether all deficiencies in the tested recovery process have been fully remediated.

6.2.1.3 Determine whether backup copies of the VoIP server databases and software are:

• Maintained in a secure offsite facility
• Backup tapes or disks are encrypted before leaving the premises
• Access to offsite backup copies is restricted to a small number of trusted employees
• Backup copies are carried to the offsite storage by a third party in a secure fashion (e.g., armored vehicles, armed guards)
• Maintained at a vault utility service

VI. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer's observations, assign a maturity level to each of the following COBIT control objectives.

COBIT Control Objective | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments

PO1 Define a Strategic IT Plan

• PO1.1 IT Value Management: Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases.
• PO1.2 Business-IT Alignment: Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration.

PO2 Define the Information Architecture

• PO2.1 Enterprise Information Architecture Model: Establish and maintain an enterprise information model to enable applications development and decision-supporting activities, consistent with IT plans as described in PO1.
• PO2.3 Data Classification Scheme: Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; and a brief description of data retention and destruction requirements, criticality and sensitivity. It should be used as the basis for applying controls such as access controls, archiving or encryption.

PO4 Define the IT Processes, Organisation and Relationships

• PO4.6 Establishment of Roles and Responsibilities: Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs.
• PO4.8 Responsibility for Risk, Security and Compliance: Embed ownership and responsibility for IT-related risks within the business at an appropriate senior level. Define and assign roles critical for managing IT risks, including the specific responsibility for information security, physical security and compliance.
• PO4.9 Data and System Ownership: Provide the business with procedures and tools, enabling it to address its responsibilities for ownership of data and information systems. Owners should make decisions about classifying information and systems and protecting them in line with this classification.


AI1 Identify Automated Solutions

• AI1.1 Definition and Maintenance of Business Functional and Technical Requirements: Identify, prioritise, specify and agree on business functional and technical requirements covering the full scope of all initiatives required to achieve the expected outcomes of the IT-enabled investment programme.
• AI1.3 Feasibility Study and Formulation of Alternative Courses of Action: Develop a feasibility study that examines the possibility of implementing the requirements. Business management, supported by the IT function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor.

AI3 Acquire and Maintain Technology Infrastructure

• AI3.1 Technological Infrastructure Acquisition Plan: Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business, functional and technical requirements and is in accord with the organisation's technology direction.

AI7 Install and Accredit Solutions and Changes

• AI


• DS5.3 Identity Management: Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
• DS5.4 User Account Management: Address requesting, establi