Spring 2020 - Slide Deck 3
Information Systems Audit
Auditing and Information Security Policies

What is “Auditing”
• A methodical examination and review that measures something against a standard and reports on risks.
• Answers the questions: What works? What should work? How do you know?
• Examples of audits
  – Conformance audit
  – Security audit
  – Financial audit

Differences Between Auditing and Assessing
• Auditing
  – Measurement against a standard
  – Answers “How do you know?”
  – Usually INCLUDES assessing
• Assessing
  – Subjective measurement
  – Examples
    ■ Identify security issues within the client infrastructure
    ■ Determine how good or bad your computer infrastructure is
    ■ What needs to be done to improve the state of security
  – Quite often, assessments lead to policies, which can then be audited

Auditing in Info Technology and Assurance
• At three levels
  – Policy level
    ■ Is it effective?
    ■ How is it followed?
  – Procedure level
    ■ Do administrators/users follow the procedure?
  – System/application level
    ■ The place where we apply the policies and procedures

What is a Policy?
• Policy
  – A plan or course of action that influences decisions
  – Administrative control
• For policies to be effective, they must be:
  – Disseminated
  – Read
  – Understood
  – Agreed-to
  – Uniformly enforced
• Unenforced policies can face hurdles and pose further risk to the organization
• Policies require constant modification and maintenance

Where Policies Sit

Security Control Functions

Security Control Type | Deterrent | Directive | Preventive | Detective | Corrective | Compensating | Recovery
Technical             |           |           |            |           |            |              |
Administrative        |     X     |     X     |     X      |     X     |     X      |      X       |    X
Physical              |           |           |            |           |            |              |

(Policies are administrative controls, so only the Administrative row is marked, across all seven control functions.)

ROCHESTER INSTITUTE OF TECHNOLOGY

Policy and Procedure
• Policy
  – Answers WHAT and maybe WHY users can (or can’t) do (or have)
  – Usually based on some standard
  – Outside standards (PCI) should be reflected or referenced in policy
• Procedure
  – Describes the WHO/WHAT/WHEN/HOW of policy implementation
  – WHO does WHAT, WHEN and HOW
  – The WHO can be in either place

Examples of Policy
• Password Policy
• E-Mail Policy
• Sensitive Information Handling Policy
• Anti-Virus Software Policy

An Example of Policy
• All user-level passwords (e.g., e-mail, web, desktop computer, etc.) MUST be changed at least every six months.
• All passwords must conform to the guidelines described [somewhere else].
• Guidelines
  – Over 7 characters in length
  – Letters, numbers, symbols
  – Max of 3 repeating characters

An Example of Procedure
• The system administrator will ensure that passwords are changed by blocking users who violate the policy after {n} time expires
• The system administrator will enforce strong passwords by…
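As an added illustration (not from the slides), the script below checks candidate passwords against the guideline clauses of the example policy and performs the audit step the procedure implies: which accounts have exceeded the six-month change interval, and which have also exhausted the grace period {n}. Assumptions: six months is approximated as 182 days, {n} is 14 days, "3 repeating characters" is read as a run of identical consecutive characters, and the account data and audit date are constructed.

```python
import re
from datetime import date, timedelta

# Thresholds taken from the slide's password policy and guidelines.
MIN_LENGTH = 8                  # "over 7 characters in length"
MAX_RUN = 3                     # "max of 3 repeating characters", read as consecutive (assumption)
MAX_AGE = timedelta(days=182)   # "at least every six months", approximated (assumption)
GRACE_DAYS = 14                 # the procedure's {n}; the value is an assumption
AUDIT_DATE = date(2020, 4, 1)   # constructed date on which the audit is run

def password_violations(pw):
    """Return the guideline clauses a candidate password fails (empty list = compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("length")
    if not re.search(r"[A-Za-z]", pw):
        problems.append("letters")
    if not re.search(r"[0-9]", pw):
        problems.append("numbers")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("symbols")
    if re.search(r"(.)\1{%d,}" % MAX_RUN, pw):   # a run of MAX_RUN + 1 identical characters
        problems.append("repeats")
    return problems

def audit_password_age(accounts, today, grace_days=GRACE_DAYS):
    """Audit step ("how do you know?"): classify each account by password age as
    "ok" (within six months), "expired" (must change; inside the grace period) or
    "block" (grace period exhausted, so the procedure blocks the user)."""
    verdicts = {}
    for user, last_change in accounts.items():
        age = today - last_change
        if age <= MAX_AGE:
            verdicts[user] = "ok"
        elif age <= MAX_AGE + timedelta(days=grace_days):
            verdicts[user] = "expired"
        else:
            verdicts[user] = "block"
    return verdicts

# Constructed sample data: user -> date the password was last changed.
SAMPLE_ACCOUNTS = {
    "alice": date(2020, 3, 1),    # changed recently
    "bob":   date(2019, 8, 1),    # well past six months and past the grace period
    "carol": date(2019, 10, 1),   # just over six months, still inside the grace period
}

if __name__ == "__main__":
    print(password_violations("aaaa1234"))            # ['symbols', 'repeats']
    print(audit_password_age(SAMPLE_ACCOUNTS, AUDIT_DATE))
```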

Policies, Standards, and Practices
• Types of information security policy
  – Enterprise information security (program) policies
  – Issue-specific information security policies
  – System-specific security policies
• Standards
  – A more detailed statement of what must be done to comply
• Practices
  – Specific procedures and guidelines that explain how to comply

Enterprise Information Security Policy
• Sets strategic direction, scope, and tone for the organization’s security efforts
• Assigns responsibilities for areas of security
• Guides development, implementation, and management of the security program
• Typically owned by C-levels/board
• Not typically in the auditor’s realm

EISP Elements
• EISP should include:
  – An overview of corporate philosophy on security
  – Information about the security organization and security roles
  – Responsibilities for security that are shared by all roles
  – Responsibilities for security that are unique to each role within the organization

Example EISP Components

Issue-Specific Security Policy (ISSP)
• Provides detailed, targeted guidance
• Protects the organization from inefficiency and ambiguity

Issue-Specific Security Policy (cont’d.)

ISSP Cont
• Sample ISSP topics
  – Email and internet use
  – Minimum system requirements
  – Prohibitions against hacking
  – Home use and BYOD
• Note that none of these apply to specific systems, but to company tech as a whole.

Components of the ISSP
• Statement of Purpose
• Authorized Access and Usage of Equipment
• Prohibited Usage of Equipment
• Systems Management
• Violations of Policy
• Policy Review and Modification
• Limitations of Liability

Implementing the ISSP
• Common approaches
  – Several independent ISSP documents
  – A single comprehensive ISSP document
  – A modular ISSP document that unifies policy creation and administration
• The recommended approach is the modular policy
  – Provides a balance between issue orientation and policy management

System-Specific Security Policy (SSP)
• These often look different from other policies
• Each equipment type may have its own policies
• General methods of implementation apply

System-Specific Security Policy (cont’d.)
• Access control lists
  – User access lists, matrices, and capability tables govern the rights and privileges
  – A capability table is similar; it specifies the subjects and objects a user or group may access
  – Frequently complex matrices, not simple lists or tables
  – Enable administrators to restrict access according to user, computer, time, duration, or even a particular file

System-Specific Security Policy (cont’d.)
• Access control lists regulate
  – Who can use the system
  – What authorized users can access
    ■ User privileges: read, write, create, modify, delete, compare, copy
  – When authorized users can access the system
  – Where authorized users can access the system from
  – How authorized users can access the system
  – Restricting what users can access, e.g. printers, files, communications
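As an added example (not from the slides), the code below evaluates a small capability table that enforces all five dimensions just listed (who, what, when, where from, how) with default deny, and then performs the audit pass an auditor would run over such a table: listing rights that exceed a stated standard. The subjects, objects, privileges, hours, networks and channels are constructed, hypothetical values.

```python
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed capability table (not from the slides): subject -> object -> privileges,
# using the privilege vocabulary the slide lists.
CAPABILITIES = {
    "auditor": {"/var/log/auth.log": {"read", "copy"}},
    "admin":   {"/var/log/auth.log": {"read", "write", "delete"},
                "printer-3": {"read", "write"}},
}

# Constructed WHEN / WHERE / HOW constraints per subject (hypothetical values).
CONSTRAINTS = {
    "auditor": {"hours": (time(8, 0), time(18, 0)),
                "from": ip_network("10.0.5.0/24"), "via": {"ssh"}},
    "admin":   {"hours": (time(0, 0), time(23, 59, 59)),
                "from": ip_network("10.0.0.0/16"), "via": {"ssh", "console"}},
}

def access_allowed(subject, obj, privilege, at, src_ip, via):
    """Default deny: WHO may do WHAT, and the WHEN, WHERE-from and HOW clauses, must all hold.

    `at` is a wall-clock time "HH:MM", `src_ip` a dotted-quad string, `via` a channel name.
    """
    if privilege not in CAPABILITIES.get(subject, {}).get(obj, set()):
        return False                                  # WHO may do WHAT on this object
    rule = CONSTRAINTS.get(subject)
    if rule is None:
        return False                                  # no constraints recorded: deny
    start, end = rule["hours"]
    if not start <= time.fromisoformat(at) <= end:
        return False                                  # WHEN
    if ip_address(src_ip) not in rule["from"]:
        return False                                  # WHERE from
    if via not in rule["via"]:
        return False                                  # HOW
    return True

def excess_rights(capabilities, standard):
    """Audit step: (subject, object, privilege) triples the standard does not permit.

    `standard` maps subject -> privileges it may hold on any object (a hypothetical baseline).
    """
    findings = []
    for subject, objects in capabilities.items():
        allowed = standard.get(subject, set())
        for obj, privs in objects.items():
            for priv in sorted(privs - allowed):
                findings.append((subject, obj, priv))
    return findings
```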

System-Specific Security Policy (cont’d.)
• Configuration rules
  – Specific configuration codes entered into security systems
    ■ Guide the execution of the system when information is passing through it
• Rule policies are more specific to system operation than ACLs
  – May or may not deal with users directly
• Many security systems require specific configuration scripts telling the systems what actions to perform on each set of information they process

SSSPs cont
• Where do these reside on systems?
  – File systems
  – SELinux policies
  – Windows Group Policy
  – App-level ACLs
  – Firewall rules

System-Specific Security Policy (ex.)

Guidelines for Effective Policy

Developing Information Security Policy
• View policy development in two parts
  – First, design and develop
  – Second, establish the management process

Developing Information Security Policy (cont)
• Phases
  – Organization
  – Investigation
  – Analysis
  – Implementation
  – Communication
  – Maintenance

NIST SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems
• Reinforces a business process-centered approach to policy management
• Policies must be properly disseminated (distributed), read, understood and agreed to, and managed
• Policies should be living documents

NIST SP 800-18 Rev.1: Guide for Developing Security Plans for Federal Information Systems (cont)
• Good management practices make for a more resilient organization
• Policy requirements?

A Final Note on Policy
• Unless you believe that the only reason to have policies is to comply with regulation and avoid litigation, it is important to emphasize the preventative nature of policy
  – Policies should exist to inform employees of what is and is not acceptable behavior in the organization
  – Policies should seek to improve employee productivity and reduce risk