
VPN Security Audit/Assurance Program

About ISACA

With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates and expands the practical guidance and product family based on the COBIT® framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.

Disclaimer

ISACA has designed and created VPN Security Audit/Assurance Program (the "Work") primarily as an educational resource for governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, governance and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights

© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.

ISACA


ISACA wishes to recognize:

Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive, Inc., USA

Expert Reviewers
Michael Castro, CISA, ResMor Trust Co, Canada
Joanne De Vito De Palma, CMM, The Ardent Group LLC, USA
Russell K. Fairchild, CISA, CRISC, CISSP, PMP, SecureIsle, USA
Alex Geldenberg, CISA, CRISC, CISSP, MSMM, USA
Francis Kaitano, CISA, CISM, CISSP, ITIL, MCAD.Net, MCSD, Contact Energy, New Zealand
Kamal Khan, CISA, CISSP, CITP, Saudi Aramco, Saudi Arabia
Lily M. Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
Babu Srinivas, CISA, CISM, SP AusNet, Australia
David A. Williams, CRISC, PMP, OceanFirst Bank, USA

ISACA Board of Directors
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, 6 Sigma, Quest Software, Spain, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International President
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Knowledge Board


Institute of Management Accountants Inc.
ISACA chapters
ITGI France
ITGI Japan
Norwich University
Socitum Performance Management Group
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School

ASIS International
Hewlett-Packard
IBM
Symantec Corp.


Table of Contents

I. Introduction ..... 5
II. Using This Document ..... 6
III. Controls Maturity Analysis ..... 8
IV. Assurance and Control Framework ..... 10
V. Executive Summary of Audit/Assurance Focus ..... 11
VI. Audit/Assurance Program ..... 13
  1. Planning and Scoping the Audit ..... 13
  2. Preparatory Steps ..... 15
  3. Governance ..... 16
  4. Policy ..... 17
  5. Configuration ..... 19
  6. Maintenance and Monitoring
VII. Maturity Assessment ..... 28
VIII. Maturity Assessment vs. Target Assessment ..... 33

I. Introduction

Overview

ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose


audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise's control framework.

Governance, Risk and Control of IT

Governance, risk and control of IT are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter expertise to adequately review the work performed.

II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps

The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. The physical


document because it is standard for the audit/assurance function and should be identified elsewhere in the enterprise's standards.

COBIT 4.1 Cross-reference

The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT 4.1 control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Subprocesses in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.

COSO Components

As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance enterprises include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO issued the Enterprise Risk Management—Integrated Framework, which includes eight components. The ERM framework has a business decision focus when compared to the 1992 Internal Control—Integrated Framework. Large enterprises are in the process of adopting ERM. The two frameworks are compared in figure 1.


Figure 1: Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control—Integrated Framework | ERM Integrated Framework

Risk Response (ERM): Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Control Activities (Internal Control): Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Control Activities (ERM): Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication (Internal Control): Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Information and Communication (ERM): Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

Monitoring (Internal Control): Internal control systems need to be monitored, a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

Monitoring (ERM): The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure 1 was obtained from the COSO web site www.coso.org/aboutus.htm.

The 1992 Internal Control—Integrated Framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to include them as a reference in this document. When completing the COSO component columns, consider the definitions of the components as described in figure 1.

Reference/Hyperlink

Good practices require the audit and assurance professional to create a work paper that describes the work performed, issues identified, and conclusions for each line item. The reference/hyperlink is to be used to cross-reference


is based on a method of evaluating the organization, so it can be rated from a maturity level of non-existent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.

The IT Assurance Guide: Using COBIT, Appendix VII, Maturity Model for Internal Control (figure 2) provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2: Maturity Model for Internal Control

Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls

0 Non-existent
Status: There is no recognition of the need for internal control. Control is not part of the organisation's culture or mission. There is a high risk of control deficiencies and incidents.
Establishment: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

1 Initial/ad hoc
Status: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganised, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

2 Repeatable but Intuitive
Status: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritised or consistent. Employees may not be aware of their responsibilities.
Establishment: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

3 Defined
Status: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

4 Managed and Measurable
Status: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues,
Establishment: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough


auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to the management.

At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.


• DS5.


Business Impact and Risk

The impact on the business transmitting data through public networks and the accompanying risk are significant. Depending on the industry, enterprises may experience outages and intrusion attempts for financial gain, to obtain intellectual property, to create business disruption, to obtain sensitive private information, or to compromise national security. The perpetrators of an intrusion can be external or internal, private or government sponsored. This activity may increase the enterprise's risk of:

• Public relations issues with the customers or the public (reputational risk)
• Inability to comply with regulatory processing requirements (regulatory and financial risk)
• Inability to perform critical business functions (operational and financial risk)
• Inability to maintain payroll and employee privacy (regulatory and reputational risk)
• Loss of physical or informational assets (reputational and financial risk)
• Inability to meet contractual service level agreements (SLAs) with third parties or customers (contractual risk)

VPN technology, if properly configured, will reduce the risk associated with privileged data traversing a public network.

Objective and Scope

Objective: The objective of the audit/assurance review is to provide management with an independent assessment of the VPN implementation and ongoing monitoring/maintenance of the effectiveness of the supporting technology.

Scope: The audit/assurance review will focus on VPN standards, guidelines and procedures as well as the implementation and governance of these activities. The review will rely upon other operational audits of the incident management process, configuration management and security of networks and servers, security management and awareness, business continuity management, information security management, governance and management practices of IT and business units, and relationships with third parties.


VI. Audit/Assurance Program

Columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO Reference (Control Environment, Risk Assessment, Control Activities, Monitoring) | Hyperlink | Issue Cross-reference | Comments

1. Planning and Scoping the Audit

1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.

1.2 Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Perform a high-level walk-through of the network architecture using VPN technology.
1.2.2 Establish initial boundaries of the audit/assurance review.
1.2.2.1 Identify limitations and/or constraints affecting the audit.

1.3 Define assurance.
The review requires two sources of standards. The corporate standards defined in the policy and procedure documentation establish the corporate expectations. At minimum, corporate standards should be implemented. The second source, a good-practice reference, establishes industry standards. Enhancements should be proposed to address gaps between the two.
1.3.1 Determine if COBIT and the appropriate security incident management framework will be used as a good-practice reference.

© 2012 ISACA. All rights reserved. Page 13

1.4 Identify and document risk.
The risk assessment is necessary to evaluate where audit resources should be focused. The risk-based approach assures utilization of audit resources in the most effective manner.
1.4.1 Identify the business risk associated with the failure to implement VPN technologies and the failure to implement VPN technologies securely.
1.4.2 Identify the technology risk associated with the failure to implement VPN technologies and the failure to implement VPN technologies securely.
1.4.3 Determine if a VPN architecture threat assessment and modeling process has been established and implemented.
1.4.4 Based on the risk assessment, identify changes to the scope.
1.4.5 Discuss the risk with IT, business and operational audit management, and adjust the risk assessment.

1.5 Define the change process.
The initial audit approach is based on the reviewer's understanding of the operating environment and associated risk. As further research and analysis are performed, changes to the scope and approach will result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program, and the authorizations required.

1.6 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.6.1 Identify the drivers for a successful review (this should exist in the audit/assurance function's standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.

1.7 Define audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.


• Network architecture documentation
• Network inventory or schematic of physical network components
• Network problem tracking, resolution and escalation procedures
• VPN-related documentation and vendor contracts
• Copies of signed user security and awareness documents
• New employee training materials relating to security
• Relevant legal and regulatory information related to security and information access
• VPN supplier contracts, SLAs
• Supplier due diligence selection criteria, process
• Business impact analysis (BIA), business continuity plans (BCPs), disaster recovery plans (DRPs) and all continuity of operations plans
• Human resources (HR) onboarding/offboarding procedures and standards
• Information security remote access policies, procedures and standards
• Information security mobile computing policies, procedures and standards
• Information security wireless networking standards
• Information security acceptable use policies, procedures and standards
• Encryption policies, procedures and standards
• Incident response policies, procedures, standards
• Monitoring and audit policies, procedures, standards

4. Interview the senior security officer and the IT security administrator regarding VPN implementation.
5. Interview the technical support team leader or equivalent responsible for VPN architecture, design, implementation, and maintenance processes and procedures.

3. Governance

3.1 Executive Sponsor
Audit/Assurance Objective: The VPN implementation and maintenance is assigned to an executive sponsor, who is responsible for its effective implementation and operations.

6. Executive Responsibility and Accountability of VPN-related Processes
Control: A senior executive within the IT organization is responsible for the VPN implementation, maintenance and oversight.
COBIT cross-reference: PO4.6, ME1.5, ME2.5, ME4.1
COSO: ✓ ✓ ✓ ✓
3.1.1.1 Identify the senior executive responsible for the VPN program.
3.1.1.2 Obtain the position description of the executive responsible for the VPN program.
3.1.1.3 Determine if the position has cross-reporting to the business units and IT management (security, administration, etc.).
3.1.1.4 Obtain meeting minutes and other documentation to support the responsibilities and accountability of the executive sponsor.

3.2 Senior Management Involvement in VPN Programs
Audit/Assurance Objective: Senior management participates in key decisions related to VPN programs.


5. Policy

5.1 HR Policies Aligned With and Support VPN Policies

Audit/Assurance Objective: VPN policies align with and are integrated into HR policies.

8. HR Policies Include Related VPN Policies

Control: HR policies include VPN disclosures and usage requirements as part of the initial "onboarding" process and the annual employee acknowledgement of use policies.

COBIT cross-reference: PO6.3, PO6.4; COSO: X

5.1.1.1 Obtain a selection of HR policies relating to VPN usage.

5.1.1.2 Determine if VPN usage policies are incorporated in the HR policies.

5.2 VPN Policies in Compliance With Corporate Policies

Audit/Assurance Objective: VPN policies align with corporate compliance policies.

9. VPN Policies Are in Compliance With Corporate Compliance and Related Policies

Control: Corporate compliance (financial reporting, regulatory and statutory) functions review VPN policies prior to implementation to assure adherence to appropriate requirements.

COBIT cross-reference: PO4.8, ME3.1, ME3.3; COSO: X X X

5.2.1.1 Obtain the corporate compliance policies relating to data security and privacy.

5.2.1.2 Determine if VPN requirements are a component of the policies.

5.2.1.3 Obtain a selection of VPN policy proposals or modifications.

5.2.1.4 Determine if corporate compliance representatives have reviewed and provided documented approval of VPN policies.

5.3 VPN Policies in Compliance With Legal and Regulatory Policies and Requirements

Audit/Assurance Objective: VPN policies align with legal and regulatory policies and requirements.

10. VPN Policies Are in Compliance With Legal and Regulatory Requirements

Control: VPN technologies are defined to satisfy legal and regulatory requirements within the enterprise's industry.

COBIT cross-reference: PO4.8, ME3.1, ME3.2; COSO: X X X

5.3.1.1 Obtain a selection of VPN policy proposals or modifications.

5.3.1.2 Determine if the enterprise's legal representatives have reviewed and provided documented approval of VPN policies.

5.4 VPN Policies Align With Information Security

Audit/Assurance Objective: VPN policies are in compliance with information security policies.

11. VPN Policies Are Approved by the Information Security Function

Control: The information security function assures compliance with information security policy by reviewing information security-related VPN policies prior to their adoption and implementation.

COBIT cross-reference: PO6.3, PO6.4, DS5.1, ME2.5, ME3.4; COSO: X X

5.4.1.1 Obtain a selection of VPN policy proposals or modifications.

5.4.1.2 Determine if information security representatives have reviewed and provided documented approval of VPN policies.

5.5 VPN Policy Integrated With Enterprise's Data Classification Policy

Audit/Assurance Objective: The data classification policy includes VPN usage and configuration requirements.

12. Data Classification Policy VPN Requirements

Control: The data classification policy identifies VPN requirements and configuration for each data classification.

COBIT cross-reference: PO2.3; COSO: X

5.5.1.1 Obtain the data classification policy.

5.5.1.2 Determine if the data classification policy includes VPN configuration and usage requirements.

5.5.1.3 Determine if the VPN configuration and usage policy includes specific applications or data elements requiring VPN usage.

5.5.1.4 Determine if the VPN configuration and usage policy identifies functions that must be executed using a VPN, and functions that must be excluded from execution, with or without a VPN.


6. Configuration

6.1 VPN Architecture

Audit/Assurance Objective: Best security practices are implemented for the various VPN architectures.

13. Edge Routers¹

COBIT cross-reference: PO2.1, DS5, DS5.10; COSO: X

14. Edge Router Termination

Control: Edge routers terminate at the network firewall and an effective firewall configuration applies appropriate filtering.

6.1.1.1.1 Identify edge routers within the network architecture.

6.1.1.1.2 Determine that the edge router terminates (a) at or in front of the DMZ or (b) at an inline Intrusion Prevention System (IPS) deployed between the edge router and the firewall.

6.1.1.1.3 Select a sample of edge routers.

6.1.1.1.4 Determine if the edge routers selected terminate at the firewall or in the DMZ.

15. Edge Router Encryption

Control: Edge routers use asymmetric keys supported by a Public Key Infrastructure or, alternatively, one of the two standard symmetric key technologies, 3DES or AES.²

COBIT cross-reference: DS5.8, DS5; COSO: X

6.1.1.1.5 Select a sample of edge routers.

6.1.1.1.6 Identify the encryption configuration in use to protect the data.

6.1.1.1.7 Determine the effectiveness of the control of keys and digital certificates.

¹ These are defined as untrusted site-to-site connected networks.

² Consider performing an audit of the PKI implementation using the ISACA E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Program. Encryption controls, including key storage, key maintenance, security, etc., should be reviewed. Note that in an IPsec tunnel the asymmetric and symmetric mechanisms are complementary rather than alternatives: certificates (or pre-shared keys) authenticate the IKE peers and establish the session keys, while AES or 3DES encrypts the tunnel traffic, so both halves of the configuration need review. 3DES has since been deprecated (NIST SP 800-131A Rev. 2 disallows it for encryption after 2023, and its 64-bit block size is exposed to the Sweet32 birthday attack), so its presence in an IKE or IPsec proposal should be reported as a finding unless a documented, time-bound exception exists.


6.1.1.1.8 Determine if an untrusted partner would have the ability to compromise the private key structure.

16. Trusted Routers³

COBIT cross-reference: DS5, DS5.10

6.1.1.1.17 Obtain the SSL VPN Configuration Policy.

6.1.1.1.18 Determine if strong user authentication has been implemented. Consider:
• Two-factor authentication
• Password AND hardware tokens
• Digital certificates
• Smart cards

6.1.1.1.19 Determine if user computer identity verification has been implemented:
• User computer validated to be in compliance with enterprise security requirements and policies prior to connection.
• Validation of user computer identity and configuration includes:
  Personal firewall configuration
  Antivirus/malware configuration and currency of pattern files
  Required security patches
  Limitation of split tunneling⁵
  Evaluation of registry entries

6.1.1.1.20 Determine if a secure desktop solution or "sandboxing" has been implemented for connections not satisfying or unable to validate computer identity verification.

6.1.1.1.21 Determine if the SSL VPN provides for deletion of all session data from the client's cache, including:
• Browser history
• Internet temporary files
• Cookies
• Documents
• Passwords

⁵ Split tunneling enables network traffic to traverse separate networks (the VPN tunnel and the client's direct Internet link) via the same network connection, so a compromised client can act as a bridge between the untrusted network and the enterprise network.

6.1.1.1.22 Determine if the SSL VPN performs a keystroke logger detection sweep prior to completing a connection.

6.1.1.1.23 Determine if session time-outs are implemented, what the time-out period is, and whether it complies with security policies, standards and procedures.

6.1.1.1.24 Determine if SSL/TLS version verification is required prior to connection and the connection is denied if the version is lower than security policy dictates. (SSL 2.0, SSL 3.0 and TLS 1.0/1.1 have been deprecated by RFC 6176, RFC 7568 and RFC 8996 respectively, and RC4 is prohibited in TLS by RFC 7465; a current policy should require TLS 1.2 or later and exclude legacy cipher suites such as those based on 3DES or RC4.)

6.1.1.1.25 Determine if server certificate support has been implemented and the gateway will only permit connection with a valid, authenticated certificate.

6.1.1.1.26 Determine if resource availability, system functionality and application access are limited based on satisfying the configuration parameters considered above.

6.1.1.1.27 Determine if public computers (e.g., Internet cafés, kiosks, etc.) are permitted to connect to the SSL VPN.

6.1.1.1.28 Determine if client-side certificates are required and, if so, whether connection is contingent upon client-side certificate verification and authentication.
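The posture, session and transport checks in steps 6.1.1.1.18 through 6.1.1.1.28 can be tested against a gateway's exported settings rather than only by interview. The following is an added example written for this edition; it is not part of the ISACA program or any vendor's tooling. It assumes the settings have been exported into a flat dictionary with the field names shown (hypothetical and vendor-neutral), and the policy thresholds (TLS 1.2 minimum, 30-minute idle timeout, the weak-cipher list, the required posture checks) are assumptions to be replaced with the enterprise's own standards. Both the deliberately weak and the hardened configurations are constructed.

```python
"""Check an SSL VPN gateway's exported settings against audit policy.

Added example for this edition; not part of the ISACA program or any
vendor's tooling. The flat dict of setting names is a hypothetical export
format, and the POLICY thresholds are assumptions to be replaced with the
enterprise's own standards.
"""
from datetime import date

# Assumed policy thresholds.
POLICY = {
    "min_tls_version": (1, 2),             # TLS 1.2 or later (RFC 8996 deprecates 1.0/1.1)
    "max_idle_timeout_min": 30,
    "weak_ciphers": ("3DES", "DES", "RC4", "NULL", "EXPORT", "MD5"),
    "required_posture": ("personal_firewall", "antivirus", "patch_level"),
}
STRONG_FACTORS = {"hardware_token", "certificate", "smart_card", "otp"}

# Constructed export of a hypothetical, deliberately weak gateway.
WEAK_GATEWAY = {
    "auth_methods": ["password"],
    "client_cert_required": False,
    "posture_checks": ["antivirus"],
    "quarantine_on_posture_failure": False,
    "split_tunneling": True,
    "cache_cleanup_on_logout": False,
    "keylogger_scan": False,
    "idle_timeout_min": 480,
    "min_tls_version": (1, 0),
    "cipher_suites": ["ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA", "RC4-SHA"],
    "server_cert_not_after": date(2019, 1, 1),
    "allow_public_computers": True,
}

# The same gateway after remediation (also constructed).
HARDENED_GATEWAY = {
    "auth_methods": ["password", "hardware_token"],
    "client_cert_required": True,
    "posture_checks": ["personal_firewall", "antivirus", "patch_level", "registry"],
    "quarantine_on_posture_failure": True,
    "split_tunneling": False,
    "cache_cleanup_on_logout": True,
    "keylogger_scan": True,
    "idle_timeout_min": 15,
    "min_tls_version": (1, 2),
    "cipher_suites": ["ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256"],
    "server_cert_not_after": date(2099, 12, 31),
    "allow_public_computers": False,
}


def evaluate_ssl_vpn(cfg, policy=POLICY, today=None):
    """Return a list of (audit step, finding); an empty list means compliant.

    Step numbers are those of audit steps 6.1.1.1.18 to 6.1.1.1.28.
    """
    today = today or date.today()
    findings = []
    if not STRONG_FACTORS & set(cfg["auth_methods"]):
        findings.append(("6.1.1.1.18", "no second authentication factor configured"))
    missing = [p for p in policy["required_posture"] if p not in cfg["posture_checks"]]
    if missing:
        findings.append(("6.1.1.1.19", "posture checks missing: " + ", ".join(missing)))
    if cfg["split_tunneling"]:
        findings.append(("6.1.1.1.19", "split tunneling enabled"))
    if not cfg["quarantine_on_posture_failure"]:
        findings.append(("6.1.1.1.20", "no sandbox/quarantine for clients that fail posture"))
    if not cfg["cache_cleanup_on_logout"]:
        findings.append(("6.1.1.1.21", "session data not purged from the client cache"))
    if not cfg["keylogger_scan"]:
        findings.append(("6.1.1.1.22", "no keystroke-logger sweep before connection"))
    if cfg["idle_timeout_min"] > policy["max_idle_timeout_min"]:
        findings.append(("6.1.1.1.23", f"idle timeout {cfg['idle_timeout_min']} min exceeds policy"))
    if tuple(cfg["min_tls_version"]) < policy["min_tls_version"]:
        findings.append(("6.1.1.1.24", "minimum TLS version below policy"))
    # Gateways export suite names as strings; a substring match is enough to spot legacy ones.
    weak = [c for c in cfg["cipher_suites"] if any(w in c.upper() for w in policy["weak_ciphers"])]
    if weak:
        findings.append(("6.1.1.1.24", "weak cipher suites enabled: " + ", ".join(weak)))
    if cfg["server_cert_not_after"] < today:
        findings.append(("6.1.1.1.25", "server certificate expired"))
    if cfg["allow_public_computers"] and not cfg["quarantine_on_posture_failure"]:
        findings.append(("6.1.1.1.27", "public computers allowed without a restricted session"))
    if not cfg["client_cert_required"]:
        findings.append(("6.1.1.1.28", "client-side certificate not required"))
    return findings


if __name__ == "__main__":
    for step, finding in evaluate_ssl_vpn(WEAK_GATEWAY):
        print(f"{step}: {finding}")
```

Each finding carries the audit step it supports, so the output maps directly onto the work paper. Public computers are tolerated only when the gateway can drop them into a restricted session, which is the combination step 6.1.1.1.27 is really asking about; and DES-CBC3 (3DES) is treated as weak in line with NIST SP 800-131A Rev. 2.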

21. SSL VPN Awareness Program

Control: User education and security awareness is provided on a regular basis and participation by all users of the enterprise's VPN facilities is required.

COBIT cross-reference: DS1, DS7; COSO: X X X

6.1.1.2 Determine that VPN awareness and security programs are routinely and regularly offered.

6.1.1.3 Determine if the security awareness program addresses VPN use policy.

6.1.1.4 Evaluate how the follow-up process is maintained to assure user participation.

6.1.1.5 Determine if participation is documented in logs or sign-in sheets.

22. VPN Appliances

23. VPN Appliance Configuration and Vendor Support

Control: VPN appliances are maintained with the most current configuration, and support is readily available from the vendor.

COBIT cross-reference: DS9.2; COSO: X

6.1.1.5.1 Verify that the most current configuration of the VPN appliance has been applied.

6.1.1.5.2 Determine that a vendor support contract or vendor support option is available.

24. VPN Appliance Configuration Best Practices

Control: Vendor-suggested and other best practices are applied to VPN appliance configuration.

COBIT cross-reference: DS5.7, DS5, DS5.10, DS9.2; COSO: X

6.1.1.5.3 Determine if the VPN appliance vendor offers best practice guidance.

6.1.1.5.4 Determine if the VPN appliance configuration is in compliance with vendor guidance.

25. VPN Clients Installed on Specific Computers

26. VPN Clients Are Securely Configured

Control: VPN clients are configured using vendor-suggested and other best practices in compliance with organization security policies.

COBIT cross-reference: DS5, DS5.5, DS9.2, DS10; COSO: X

6.1.1.5.5 Determine if strong user authentication has been implemented:
• Two-factor authentication
• Password AND hardware tokens, digital certificates or smart cards

6.1.1.5.6 Determine if user computer identity verification has been implemented:
• User computer is in compliance with organization security requirements and policies
• Validation of user computer identity and configuration:
  Personal firewall configuration
  Antivirus/malware configuration and currency of pattern files
  Required security patches
  Limitation of split tunneling⁵
  Evaluation of registry entries

6.1.1.5.7 Determine if resource availability, system functionality and application access are limited to authorized individuals, based on satisfying the configuration parameters considered above.

6.1.1.5.12 Determine that VPN deactivation is part of the deprovisioning process.

6.1.1.5.13 Obtain a sample of recent user terminations and determine that the VPN privileges for the terminated users have been deactivated.

30. VPN Installation List Review

Control: The list of installed VPNs is reviewed at least annually.

31. Determine if a list of computers or users with VPNs installed exists.

32. If the list exists, determine if the list is reviewed at least annually to ensure that only authorized users have access to and have an installed VPN.
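Step 6.1.1.5.13 and steps 31 and 32 are reconciliations, and they are more reliable when performed by matching exports than by reading lists side by side. The following is an added example written for this edition, not part of the ISACA program: it reconciles a constructed HR termination list and a constructed VPN client inventory against a constructed VPN account export, and checks the age of the last inventory review. The CSV layouts, column names, hostnames and user IDs are assumptions; real exports will need their own column mapping.

```python
"""Reconcile HR terminations and the VPN installation inventory against
the VPN account store (audit steps 6.1.1.5.13 and 31-32).

Added example for this edition; not part of the ISACA program. The CSV
layouts, column names, hostnames and user IDs are constructed assumptions;
real exports need their own column mapping.
"""
import csv
import io
from datetime import date

# Constructed HR export: who left and when.
HR_TERMINATIONS = """\
user,termination_date
jdoe,2023-11-15
asmith,2023-12-01
bwong,2024-01-10
"""

# Constructed VPN account export from the gateway or directory.
VPN_ACCOUNTS = """\
user,enabled,last_login
jdoe,true,2023-11-20
asmith,false,2023-11-28
bwong,true,2023-12-22
ckhan,true,2023-12-30
"""

# Constructed inventory of machines with a VPN client installed (step 31).
VPN_INSTALLS = """\
hostname,owner
LT-0101,ckhan
LT-0102,jdoe
LT-0103,mruiz
"""

# Users authorized for VPN access per the access-request records (assumed).
AUTHORIZED_VPN_USERS = {"ckhan", "bwong"}


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def _day(iso):
    return date.fromisoformat(iso)


def terminated_users_still_enabled(terminations_csv, accounts_csv, as_of):
    """Step 6.1.1.5.13: terminated users whose VPN account is still enabled.

    Returns (user, finding) pairs. A login after the termination date is
    called out separately because it is evidence of use, not just of a
    missed deprovisioning step. Future-dated terminations are skipped.
    """
    cutoff = _day(as_of)
    accounts = {row["user"]: row for row in _rows(accounts_csv)}
    findings = []
    for term in _rows(terminations_csv):
        left_on = _day(term["termination_date"])
        account = accounts.get(term["user"])
        if left_on > cutoff or account is None:
            continue
        if account["enabled"].strip().lower() == "true":
            finding = "VPN account enabled after termination"
            if _day(account["last_login"]) > left_on:
                finding += ", logged in after termination"
            findings.append((term["user"], finding))
    return findings


def unauthorized_installs(installs_csv, authorized_users):
    """Step 32: installed VPN clients whose owner is not an authorized user."""
    return [(row["hostname"], row["owner"])
            for row in _rows(installs_csv)
            if row["owner"] not in authorized_users]


def list_review_overdue(last_review, as_of, max_days=365):
    """Step 32: True if the installation list has not been reviewed within a year."""
    return (_day(as_of) - _day(last_review)).days > max_days


if __name__ == "__main__":
    for user, finding in terminated_users_still_enabled(HR_TERMINATIONS, VPN_ACCOUNTS, "2024-01-01"):
        print(user, finding)
    for host, owner in unauthorized_installs(VPN_INSTALLS, AUTHORIZED_VPN_USERS):
        print(host, "owned by unauthorized user", owner)
    print("list review overdue:", list_review_overdue("2022-11-01", "2024-01-01"))
```

On the constructed data the reconciliation reports one terminated user who is still enabled and who logged in after leaving, and two installed clients whose owners are not on the authorized list (one of them the same terminated user, which is how the two tests corroborate each other). The `as_of` date is passed in rather than taken from the clock so the work paper records the date the population was cut.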

6.2 VPN Architecture

Audit/Assurance Objective: The VPN architecture is reviewed on a regular basis to ensure the solution is current and addresses the risk and vulnerability issues identified in risk assessments.

33. VPN Architecture Review

Control: VPN architecture review is conducted on a regular basis.

COBIT cross-reference: PO2.1, PO3

6.2.1.1 Determine if the VPN architecture review process is documented.

6.2.1.2 Determine the date of the most recent VPN architecture review.

6.2.1.3 Evaluate the effectiveness of the most recent review.

6.2.1.4 Determine if a vulnerability exists due to out-of-date technology.

7. Maintenance and Monitoring

7.1 Patch Management

Audit/Assurance Objective: VPN technology is included in the routine patch management process.

34. Patch Management Administration

Control: Patch management of VPN technology is included in the configuration change management processes.

COBIT cross-reference: AI6, AI7, DS9.2

7.1.1.1 Scan the change management system for configuration changes affecting the VPN technologies.


7.1.1.2 Determine if the change management process implemented for VPN maintenance is in compliance with the installation change management procedure.

7.2 Integration of VPN Technologies With the Help Desk

Audit/Assurance Objective: VPN support requests are processed routinely through the help desk.

35. VPN Support Is Provided by the Help Desk

Control: VPN support is a help desk task with appropriate controls and procedures.

COBIT cross-reference: DS8, DS10

7.2.1.1 Obtain the help desk procedures.

7.2.1.2 Determine if VPN support tasks are included in the help desk procedures.

7.2.1.3 Determine if VPN issues are reported in the incident reporting/issue monitoring system.

7.2.1.4 Select VPN-related incidents in the help desk, incident reporting and/or issue monitoring system.

7.2.1.5 Determine that the issues were closed on a timely basis in an effective manner.

7.3 VPN Capacity Planning

Audit/Assurance Objective: VPN utilization and resource requirements are integrated into the installation capacity plan.

36. VPN Capacity Planning

Control: The capacity plan incorporates VPN-required resources, and such resources are actively monitored.

COBIT cross-reference: DS3

7.3.1.1 Obtain the installation capacity plan.

7.3.1.2 Determine that VPN technologies are included in the plan.

7.3.1.3 Evaluate capacity reports to determine that VPN resource utilization is monitored and the necessary adjustments are implemented in a timely manner.


7.4 VPN Monitoring

Audit/Assurance Objective: Processes exist to monitor VPN usage and identify unauthorized activities and unauthorized VPN usage.
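For objective 7.4 the monitoring process only matters if it actually surfaces unauthorized use, so the reviewer should see the detections run, not just the procedure that describes them. The following is an added example written for this edition, not part of the ISACA program: it runs three simple detections over a constructed, syslog-style VPN authentication log: a burst of failed logins for one account, a successful login outside business hours, and a user whose consecutive successful logins come from different countries within an hour. The log line format, field names, hostnames, IP addresses (taken from the RFC 5737 documentation ranges) and thresholds are all assumptions; a real gateway's format will need its own regular expression.

```python
"""Detections over VPN authentication logs (audit objective 7.4).

Added example for this edition; not part of the ISACA program. The log
format is a constructed, syslog-like sample; real gateways differ, so the
LOG_RE pattern and the thresholds below are assumptions to adapt.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw\d+ auth: user=(?P<user>\S+) src=(?P<src>\S+) "
    r"geo=(?P<geo>[A-Z]{2}) result=(?P<result>SUCCESS|FAIL)$"
)

# Constructed sample; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-01-08T08:55:10 vpn-gw1 auth: user=ckhan src=198.51.100.7 geo=US result=SUCCESS
2024-01-08T09:30:02 vpn-gw1 auth: user=ckhan src=203.0.113.9 geo=RU result=SUCCESS
2024-01-08T02:14:33 vpn-gw2 auth: user=mruiz src=192.0.2.44 geo=US result=SUCCESS
2024-01-08T11:00:01 vpn-gw1 auth: user=admin src=203.0.113.55 geo=CN result=FAIL
2024-01-08T11:00:04 vpn-gw1 auth: user=admin src=203.0.113.55 geo=CN result=FAIL
2024-01-08T11:00:09 vpn-gw1 auth: user=admin src=203.0.113.55 geo=CN result=FAIL
2024-01-08T11:00:15 vpn-gw1 auth: user=admin src=203.0.113.55 geo=CN result=FAIL
2024-01-08T11:00:21 vpn-gw1 auth: user=admin src=203.0.113.55 geo=CN result=FAIL
2024-01-08T14:20:00 vpn-gw2 auth: user=bwong src=198.51.100.12 geo=US result=SUCCESS
"""

# Assumed thresholds; take the real ones from the monitoring standard.
BUSINESS_HOURS = (6, 22)                       # successes outside 06:00-22:00 are flagged
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
TRAVEL_WINDOW = timedelta(hours=1)


def parse(log_text):
    """Parse matching lines into dicts sorted by timestamp; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            event = m.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (alert type, user, timestamp) triples for the three detections."""
    alerts = []
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)
    for user, evs in by_user.items():
        # 1. FAIL_THRESHOLD failures inside FAIL_WINDOW: password guessing or a stale credential.
        fails = [e["ts"] for e in evs if e["result"] == "FAIL"]
        for i in range(len(fails) - FAIL_THRESHOLD + 1):
            if fails[i + FAIL_THRESHOLD - 1] - fails[i] <= FAIL_WINDOW:
                alerts.append(("auth_failure_burst", user, fails[i]))
                break
        successes = [e for e in evs if e["result"] == "SUCCESS"]
        # 2. Successful login outside business hours.
        for e in successes:
            if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
                alerts.append(("off_hours_login", user, e["ts"]))
        # 3. Consecutive successes from different countries inside TRAVEL_WINDOW.
        for earlier, later in zip(successes, successes[1:]):
            if earlier["geo"] != later["geo"] and later["ts"] - earlier["ts"] <= TRAVEL_WINDOW:
                alerts.append(("geo_change_within_window", user, later["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect(parse(SAMPLE_LOG)):
        print(f"{ts.isoformat()} {kind} user={user}")
```

On the sample the three detections fire once each: the failure burst against `admin`, the 02:14 login by `mruiz`, and `ckhan` appearing in two countries 35 minutes apart. When reviewing a live process, compare the alerts produced this way with the tickets actually raised in the period; the gap between the two is the finding.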

    ;

  • 8/16/2019 VPN Security Audit Assurance Program Icq Eng 1012

    29/34

     VPN Security Audit/Assurance Program

VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance reviews and the reviewer's observations, assign a maturity level to each of the following COBIT 4.1 control practices. When completing this assessment, focus the evaluation on how the VPN implementation relates to each of the issues identified in the following table.

COBIT 4.1 Control Practice

DS5.3 Identity Management

DS5.4 User Account Management

DS5.5 Security Testing, Surveillance and Monitoring

DS5.7 Protection of Security Technology

DS5.8 Cryptographic