
Security Monitoring

Audit perspectives on Security Monitoring:
Increased Audit Requirements for users with high privileges

Consul Breakfast Seminar

Tuesday May 10th 2006

Mr. Marc Vael
Managing Director
Valuendo

© 2006 Valuendo. All rights reserved.
INFORMATION CLASSIFICATION = PUBLIC 1

Agenda

• Introduction
• Causes for change
• Scoping
• Pro-active control monitoring
• Selecting control objectives
– Organisational
– Procedural
– Technological
• Conclusions

Marc Vael Consul
Valuendo May 2006
1
Security Monitoring

Introduction
• Marc Vael
• Managing Director Valuendo (“value & do”) since July 2001
• Education
– Master Applied Economics (UAntwerp)
– Master Information Management (UHasselt)
– Master+ Applied Economics & ICT (KUL)
• Services
– IT Governance & IT Compliance Management
– Information Security Management
– Business Continuity / Disaster Recovery / Crisis Management
– Data Privacy & Protection
– IT Audit
• Certifications
– CISA / CISM / CISSP / ITIL Service Manager

Increased Audit Requirements
Causes for change
• Regulatory environment (Code Buysse, Code Lippens, SOX, HIPAA, Basel II)
– Regulatory requirements push every organization to increase
compliance monitoring activities
– Organizations are required to provide a higher level of testing &
validation
– Extensive testing is required to validate the effectiveness of controls
across the entire organization
• Business environment
– Competitive & market drivers push organizations to search for ways to
reduce the ongoing costs of their compliance efforts
– Security compliance monitoring requires significant knowledge and
experience and continuous attention, which are difficult to maintain
• Global environment
– Global standards such as COSO, CobIT, ISO27001 and ITIL help
organizations implement proper governance levels and control
objectives within their own environment.


Increased Audit Requirements
SOX

PCAOB Standard 2
Article 40: ‘the auditor should determine whether management has addressed
the following elements: ... controls, including information technology
general controls, on which other controls are dependent. ...’

Article 50: ‘... information technology general controls over program
development, program changes, computer operations and access to
programs and data help ensure that specific controls over the processing of
transactions are operating effectively. ...’

Can the ICT infrastructure cause a material weakness
that impacts a defined key control and
that cannot be compensated elsewhere and
that also is not timely detected?


Increased Audit Requirements
Scoping for financial & management control audits

[Figure: scoping layers, from financial audit focus down to IT audit focus]
1 Focus of financial audit: Accounts & Disclosures → Entities →
Business Processes → Key Controls (manual controls and automated controls)
2 Focus of IT audit: Key Application Controls → IT Management →
Application-Specific ICT Processes → Generic ICT infrastructure


Increased Audit Requirements
Proactive Control Monitoring = characteristic of a mature organization
Vulnerability trends & “high-business-impact” threats
can be identified & addressed
before they lead to business disruptions or compliance issues

[Figure: CobIT maturity level versus increased monitoring efforts]
Maturity levels, from lowest to highest: Ad-hoc, Repeatable, Defined process,
Managed & Measurable, Optimized


Compliance with control objectives
Approach

[Figure: monitoring cycle]
Activity & Status Data → Collecting → Analysis → Reporting → Archiving
Purpose: testing of operating effectiveness
Reference frameworks: COSO, CobIT, ITIL, ISO 17799


Compliance with control objectives
Selecting control objectives

[Figure: control cycle around Information Assets]
ASSESS → DESIGN → IMPLEMENT → MONITOR → (back to ASSESS)


Compliance with control objectives
Selecting control objectives (examples)

• Organizational controls
– All system administrator activities & responsibilities are formally
documented
– The system administrators taking up system administrator
activities & responsibilities have formally acknowledged their
understanding and responsibility


Compliance with control objectives
Selecting control objectives: organizational


Compliance with control objectives
Selecting control objectives (examples)
• Procedural controls
– A formal document is available to the system administrators describing
the System Administration activities & tasks. The document is formally
communicated to all relevant employees on an annual basis. The
document is at least annually reviewed & updated if required, to reflect
the business requirements and the changing business environment
– Segregation of duties is enforced between system administrators to
ensure that their access is limited to
» a restricted number of functionalities by task
» a restricted number of applications, systems & network devices
– Access to powerful system & application level-ids, which carry broad
access rights (functionalities), is limited to a restricted number of persons.
Further controls can be implemented to detect access to the password,
such as sealing the envelope or using one-time passwords
– Job rotation is used on certain administrator tasks to ensure that tasks
are accurately performed/controlled
– Regular audits on system administrator rights


Compliance with control objectives
Selecting control objectives: procedures: event monitoring

Monitored layers: Application, Database, Operating System, Network, Physical

Event monitoring matrix (response per user type and activity type):

                                   Authorised activity        Unauthorised activity
Administrator (privileged users)   Log event                  Alarm event
End-user (trusted users)           Do nothing or Log event    Log event or Alarm event
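The matrix above expressed as a small rule engine, as an added example that is not part of the original slides: the allowlists, the events and the per-layer choice between the matrix's "or" options (the layers in STRICT_LAYERS take the stricter response for end-users) are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    NOTHING = "do nothing"
    LOG = "log event"
    ALARM = "alarm event"

# Constructed allowlists per role and layer (assumption: authorised = allowlisted).
ALLOWED = {
    "administrator": {"operating system": {"service.restart", "user.create"},
                      "database": {"backup.run"}},
    "end-user": {"application": {"order.view", "order.create"}},
}
# Assumption: the matrix's "do nothing or log" / "log or alarm" options for
# end-users are resolved per layer; the layers listed here get the stricter one.
STRICT_LAYERS = {"database", "operating system", "network", "physical"}

@dataclass(frozen=True)
class Event:
    user: str
    role: str       # "administrator" (privileged) or "end-user" (trusted)
    layer: str      # application / database / operating system / network / physical
    operation: str

def classify(ev: Event) -> Action:
    """Apply the event-monitoring matrix to one event."""
    authorised = ev.operation in ALLOWED.get(ev.role, {}).get(ev.layer, set())
    if ev.role == "administrator":
        # Privileged users: every action is logged; unauthorised ones raise an alarm.
        return Action.LOG if authorised else Action.ALARM
    strict = ev.layer in STRICT_LAYERS
    if authorised:
        return Action.LOG if strict else Action.NOTHING
    return Action.ALARM if strict else Action.LOG

def summarise(events) -> dict:
    """Count events per resulting action, as the reporting step would."""
    return dict(Counter(classify(ev) for ev in events))

# Constructed sample events.
SAMPLE = [
    Event("adm01", "administrator", "operating system", "service.restart"),
    Event("adm01", "administrator", "database", "table.drop"),
    Event("usr42", "end-user", "application", "order.view"),
    Event("usr42", "end-user", "application", "report.export"),
    Event("usr42", "end-user", "database", "table.select"),
]
```

Run `summarise(SAMPLE)` to see the alarm/log/nothing split; in practice the allowlists would come from the documented administrator tasks of the procedural controls.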


Compliance with control objectives
Selecting control objectives: procedures: status monitoring
• Users & groups
– Implemented users & groups
– Idle use period of users
– Internal users versus External users
• Objects
– Authorisations for roles & individuals
– Version control (awareness of changes)
– Test & Production data


Compliance with control objectives
Selecting control objectives (examples)
• Technological controls
– Each system administrator has his/her own user account to perform
system administration tasks (individual accountability)
– Access to powerful application- & system level-ids is limited to a
restricted number of system administrators
– Logging is performed on the actions performed by the system
administrators via their powerful application- & system level-ids
– Logs are read-only and can only be accessed by authorized persons who,
preferably, cannot themselves generate any administrator activity recorded in the log
– Access is limited to those functionalities that are required by the System
Administrators. All other functionalities, which are not required for the
performance of day-to-day activities, have been revoked
– Encryption is applied to all confidential & sensitive data to ensure the
data integrity & data confidentiality. The decryption key is only known to
a limited number of persons within the organization (or put with an
external trusted organization)


Compliance with control objectives
Selecting control objectives: technology: Extract & Process

[Figure: monitoring cycle]
Activity & Status Data → Collecting → Analysis → Reporting → Archiving

Examples:
• OS logging
• Network traffic extraction using IPS
• Compliance verification of OS implementation


Compliance with control objectives
Selecting control objectives: technology & tools

[Figure: monitoring architecture]
Sources: Microsoft, Unix, Cisco, Oracle, SAP, …
Inputs: Events (log/alarm); Status (Security, Capacity, Performance)
Pipeline: Collection → Analysis → Reporting → Archiving
Monitoring domains: Infrastructure Administration, Applicative Administration,
Applicative Compliance, Infrastructure Compliance


Conclusions

[Figure: control cycle around Information Assets]
ASSESS → DESIGN → IMPLEMENT → MONITOR → (back to ASSESS)


Conclusions

[Figure: roadmap steps]
Determine compliance principles → Assess Current State → Design Future State → Roadmap

•Which control model is applicable for the organization?
•What control objectives are to be applied?
•What IT infrastructure is proven compliant?
•What testing is required?
•What procedures and tools can be used to enable
effectiveness & efficiency?


Contact information

Mr. Marc Vael, CISA, CISM, CISSP, ITIL
Managing Director
Valuendo
Kriebrugstraat 33
1760 Roosdaal
Belgium
T: +32 5 433 61 93
M: +32 473 99 30 31
M: mvael@valuendo.com
