Professional Documents
Culture Documents
Standards define mandatory requirements for IS auditing and reporting. They inform:
− IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code
of Professional Ethics for IS auditors
− Management and other interested parties of the profession’s expectations concerning the work of practitioners
®
− Holders of the Certified Information Systems Auditor (CISA ) designation of requirements. Failure to comply with these standards may
result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately,
in disciplinary action.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve
implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of
the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide
information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing
Procedures is to provide further information on how to comply with the IS Auditing Standards.
COBIT resources should be used as a source of best practice guidance. Each of the following is organised by IT management process, as
defined in the COBIT Framework. COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage
enables the understanding of business objectives, and communication of best practices and recommendations, to be made around a
commonly understood and well-respected standard reference. COBIT includes:
− Control Objectives—High-level and detailed generic statements of minimum good control
− Control Practices—Practical rationales and guidance on how to implement the control objectives
− Audit Guidelines—Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance, and
substantiate the risk of controls not being met
− Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical
success factors
Glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used interchangeably.
Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional
responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a
successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures
and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the
controls professional should apply his/her own professional judgment to the specific control circumstances presented by the particular
systems or information technology environment.
The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures.
Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards
Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The
Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to
identify emerging issues requiring new standards. Any suggestions should be e-mailed (standards@isaca.org), faxed (+1.847. 253.1443) or
mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research standards and
academic relations.
2.1 Definition
2.1.1 Virtual Private Networking—New Issues for Network Security , published by the IT Governance Institute, defines VPN as a:
“…network of virtual circuits that carries private traffic through public or shared networks such as the Internet or those provided by
network service providers (NSPs).” For the purpose of this guideline, this definition of VPN is used.
2.1.2 In the context of VPN, the terms “tunnel” and “tunneling” are often used. The process of encapsulating one type of packet in
another packet type so the data can be transferred across paths that otherwise would not transmit the data is called tunneling. The
paths the encapsulated packets follow in an Internet VPN are called tunnels.
2.2.2 In the pure provider model, most of the VPN functionality is built into the service provider infrastructure and not in the network of
the organisation. This model is often deployed over one service provider’s network. There is a clear line of distinction between the
organisation’s network and the service provider’s network. Remote access to the organisation’s network is typically provided by a
dedicated circuit (such as, T1, T3), ATM connections or dedicated frame relay connections. The customer owns and operates the
remote access VPN-related equipment and software in the network, while equipment and software inside the service provider’s
network, from the physical circuit out, is owned and operated by the service provider. The service provider initiates VPN tunnels
from edge-to-edge of the network and relies on the private circuits on either end for security. In this model, the provider has a high
level of control over the network and is responsible for capacity planning, design, configuration, diagnostics and troubleshooting.
2.3.2 The site-to-site connectivity provides separate intranets to connect securely, effectively creating one large intranet. Site-to-site
VPNs are often used by geographically distributed organisations to create a single logical network.
2.3.3 The remote access connectivity permits mobile employees to access the organisation’s intranet, via the Internet, using a secure
network communications. This is used in combination with global dial-up, wireless and broadband ISPs. Many organisations use
remote access VPNs to provide low-cost network accessibility to their employees.
2.3.4 Extended enterprise extranet connectivity provides connections to networks outside the enterprise. Business, research or
marketing partners often use these to speed communications through secured connections. Generally, extranets have stronger
controls in place to allow, manage and monitor network-to-network traffic, and the internal network may be protected from the
extranet via firewalls.
2.4.2 The firewall-based VPNs are the most common form of implementation. Since most organisations already use a firewall to
connect to the Internet, they need to add encryption software and some kind of authorisation software.
2.4.3 There are two types of router-based VPNs. In one, software is added to the router to allow encryption to occur. With the second
type, a third-party vendor-supplied external card must be inserted into the same chassis as the router to off-load the encryption
process from the router’s CPU to the card.
2.4.4 With remote access-based VPNs, someone from a remote location can create an encrypted packet stream or tunnel to a network
device in the organisation.
2.4.5 With hardware (black box)-based VPNs, the vendor offers a black box, or a device with encryption software, to create a VPN
tunnel. The black box VPN device is ordinarily behind the firewall or on the side of the firewall to secure the data, but in fact the
VPN system may be wholly independent of the firewall.
2.4.6 In software-based VPNs, the software handles the tunneling to another client or encryption of packets. Software is loaded on the
client and the server. Traffic starts from a specific client within the organisation and makes a connection to a server located at the
remote site. Traffic leaving the client is encrypted or encapsulated, and routed to its destination. The same applies for someone
trying to connect to the internal network.
2.5.2 Firewall-to-client is the most commonly used topology, and it applies to remote users who dial into an internal network.
2.5.3 LAN-to-LAN is the second most commonly used topology. It extends the firewall-to-client topology to different remote offices and
among offices, business partners and suppliers when a VPN tunnel has been created between two sites.
2.5.4 In firewall-to-intranet/extranet topology, intranets are used by employees and extranets are used externally by customers,
business partners and suppliers. When remote users try to access servers on the extranet or intranet, a decision must be made as
to which server they may access.
4. CHARTER
4.1 Mandate
4.1.1 Before commencing a review of a VPN, the IS auditor should provide reasonable assurance of the requisite mandate by virtue of
the IS auditor’s position or the required written mandate provided by the organisation, to carry out the envisaged review. In case
the review is initiated by the organisation, the IS auditor also should obtain reasonable assurance that the organisation has the
appropriate authority to commission the review.
5. INDEPENDENCE
6. COMPETENCE
7. PLANNING
7.3 Approach
7.3.1 The IS auditor should formulate the approach in such a way that the scope and objectives of the review could be fulfilled in an
objective and professional manner. The approach followed should depend on whether the review is pre-implementation, at the
implementation stage or post-implementation. The approach should be appropriately documented. When and where external
8.1 General
8.1.1 This section addresses the wide spectrum of aspects to be addressed during the execution of a VPN review. For a specific VPN
review, aspects relevant to the review should be identified from this wide spectrum of aspects depending on the envisaged scope
and objectives of the review.
8.1.2 The VPN review should be carried out per the defined approach (with refinements as appropriate), so the envisaged objectives of
the review are fulfilled.
8.1.3 In general, study of available documentation (such as, business case, system documentation, contracts, service level agreements
and logs), discussions with the stakeholders and service providers, and observation should be used appropriately in gathering,
analysing and interpreting the data. Where appropriate, the IS auditor should test the significant processes/functions in the VPN
environment to verify that the processes/functions are performing as intended.
8.1.4 Where necessary and agreed upon with the organisation, external expert inputs could be used suitably in the collection, analysis
and interpretation of the data.
8.1.5 The inferences and recommendations should be based on an objective analysis and interpretation of the data.
8.1.6 Appropriate audit trails should be maintained for the data gathered, analysis made, inferences arrived at and corrective actions
recommended.
9. REPORTING
9.1.2 The observations and recommendations should be validated with the stakeholders and organisation, as appropriate, before
finalising the report.
10. FOLLOW-UP
APPENDIX
COBIT Reference
Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT
processes and consideration of COBIT information criteria.
References
Virtual Private Networking—New Issues for Network Security, IT Governance Institute, USA, 2001
Control Objectives for Netcentric Technology (CONCT), IT Governance Institute, USA, 1999
Copyright 2004
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: standards@isaca.org
Web site: www.isaca.org