Tips For Auditing Cybersecurity - 18october - Final PDF
CYBERSECURITY
Dr. Vilius Benetis, ISACA Lithuania Chapter, NRD CS
18 October 2016
© 2016 ISACA. All Rights Reserved
ISO 27032:
ISO 27032 (&…): SECURITY CONCEPTS AND TECHNIQUES
[Figure: example use of the framework. Assess organization/IS resilience to cyber threats]
THE 20 CRITICAL SECURITY CONTROLS (CIS CSC version 6; the number of the same control in the previous version is given in parentheses, "new" marks a control added in version 6):
1: Inventory of Authorized and Unauthorized Devices
2: Inventory of Authorized and Unauthorized Software
3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4: Continuous Vulnerability Assessment and Remediation
5: Controlled Use of Administrative Privileges (12)
6: Maintenance, Monitoring, and Analysis of Audit Logs (14)
7: Email and Web Browser Protections (new)
8: Malware Defenses (5)
9: Limitation and Control of Network Ports, Protocols, and Services (11)
10: Data Recovery Capability (8)
11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches (10)
12: Boundary Defense (13)
13: Data Protection (17)
14: Controlled Access Based on the Need to Know (15)
15: Wireless Access Control (7)
16: Account Monitoring and Control (16)
17: Security Skills Assessment and Appropriate Training to Fill Gaps (9)
18: Application Software Security (6)
19: Incident Response and Management (18)
20: Penetration Tests and Red Team Exercises (20)
THE FIVE CRITICAL TENETS OF CYBER DEFENSE:
CSC 1:
INVENTORY OF AUTHORIZED AND UNAUTHORIZED DEVICES
1.1 Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.
1.2 If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.
1.3 Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.
1.4 Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.
1.5 Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.
CSC 1 METRICS (thresholds per business unit; the table has no row 1.4):
ID | Metric | Lower Risk Threshold | Moderate Risk Threshold | Higher Risk Threshold
1.1 | How many unauthorized devices are presently on the organization's network (by business unit)? | Less than 1% | 1%-4% | 5%-10%
1.2 | How long, on average, does it take to remove unauthorized devices from the organization's network (by business unit)? | 60 Minutes | 1,440 Minutes (1 Day) | 10,080 Minutes (1 Week)
1.3 | What is the percentage of systems on the organization's network that are not utilizing Network Level Authentication (NLA) to authenticate to the organization's network (by business unit)? | Less than 1% | 1%-4% | 5%-10%
1.5 | How long does it take to detect new devices added to the organization's network (time in minutes, by business unit)? | 60 Minutes | 1,440 Minutes (1 Day) | 10,080 Minutes (1 Week)
1.6 | How long does it take to isolate/remove unauthorized devices from the organization's network (time in minutes, by business unit)? | 60 Minutes | 1,440 Minutes (1 Day) | 10,080 Minutes (1 Week)
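The following script is an added example (not from the ISACA deck and not a CIS tool) of what an auditor can ask for as evidence for sub-controls 1.1, 1.2 and 1.4 and for metric 1.1 above: it merges an active view (nmap ping-sweep output, which prints MAC Address lines when run with privileges on the local segment) with a passive view (ISC dhcpd DHCPACK log lines), reconciles both against an authorized inventory keyed by MAC that carries the 1.4 minimum fields, and bands the share of unauthorized devices against the table's thresholds. All hosts, MACs, log lines and inventory records are constructed for the example; the parsing, the classification rules and the threshold bands are the assumptions.

```python
"""Reconcile discovered devices against the authorized asset inventory (CSC 1.1/1.2/1.4)
and compute metric 1.1. Added example with constructed data; not a CIS or ISACA tool."""
import re

# Authorized inventory keyed by MAC, carrying the CSC 1.4 minimum fields (constructed).
AUTHORIZED_INVENTORY = {
    "00:11:22:33:44:01": dict(name="fs01", ip="10.0.1.10", purpose="file server",
                              owner="j.doe", dept="IT", portable=False),
    "00:11:22:33:44:02": dict(name="ws-042", ip="10.0.1.42", purpose="workstation",
                              owner="a.smith", dept="Finance", portable=False),
    "00:11:22:33:44:03": dict(name="lt-017", ip="10.0.1.17", purpose="laptop",
                              owner="b.jones", dept="Sales", portable=True),
    "00:11:22:33:44:04": dict(name="prn-lobby", ip="10.0.1.201", purpose="printer",
                              owner="facilities", dept="Facilities", portable=False),
}

# Passive source (CSC 1.2): ISC dhcpd syslog lines, constructed for this example.
DHCP_LOG = """\
Oct 18 09:01:12 dhcp1 dhcpd: DHCPACK on 10.0.1.42 to 00:11:22:33:44:02 (ws-042) via eth0
Oct 18 09:02:40 dhcp1 dhcpd: DHCPACK on 10.0.1.55 to 5c:aa:bb:cc:dd:ee (android-3f2a) via eth0
Oct 18 09:03:05 dhcp1 dhcpd: DHCPDISCOVER from 5c:aa:bb:cc:dd:ee via eth0
Oct 18 09:05:09 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to 00:11:22:33:44:99 via eth0
"""

# Active source (CSC 1.1): nmap normal output of a privileged ping sweep on the local
# segment (that is when nmap prints the MAC Address lines), constructed.
NMAP_OUTPUT = """\
Nmap scan report for fs01.corp.example (10.0.1.10)
Host is up (0.00046s latency).
MAC Address: 00:11:22:33:44:01 (Dell)
Nmap scan report for 10.0.1.42
Host is up (0.0011s latency).
MAC Address: 00:11:22:33:44:02 (Dell)
Nmap scan report for 10.0.1.55
Host is up (0.0098s latency).
MAC Address: 5C:AA:BB:CC:DD:EE (Samsung Electronics)
Nmap scan report for 10.0.1.200
Host is up (0.0030s latency).
MAC Address: 00:11:22:33:44:04 (Hewlett Packard)
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.21 seconds
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
DHCPACK_RE = re.compile(r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>" + MAC
                        + r")(?: \((?P<host>[^)]*)\))?")
NMAP_HOST_RE = re.compile(r"^Nmap scan report for (?:.*\()?(?P<ip>\d+\.\d+\.\d+\.\d+)\)?\s*$")
NMAP_MAC_RE = re.compile(r"^MAC Address: (?P<mac>" + MAC + r")")


def parse_dhcp_log(text):
    """Passive view: last address ACKed to each MAC. DISCOVER lines carry no lease and are skipped."""
    seen = {}
    for line in text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            seen[m["mac"].lower()] = {"ip": m["ip"], "host": m["host"] or "", "source": "dhcp"}
    return seen


def parse_nmap_output(text):
    """Active view: MAC -> IP for every host whose report block carries a MAC Address line."""
    seen, ip = {}, None
    for line in text.splitlines():
        m = NMAP_HOST_RE.match(line)
        if m:
            ip = m["ip"]
            continue
        m = NMAP_MAC_RE.match(line)
        if m and ip:
            seen[m["mac"].lower()] = {"ip": ip, "host": "", "source": "nmap"}
    return seen


def merge_observations(*views):
    """Union of the views keyed by lower-cased MAC; a later view overrides the IP, hostnames are kept."""
    merged = {}
    for view in views:
        for mac, info in view.items():
            cur = merged.setdefault(mac, {"ip": info["ip"], "host": "", "sources": set()})
            cur["ip"] = info["ip"]
            cur["host"] = cur["host"] or info["host"]
            cur["sources"].add(info["source"])
    return merged


def reconcile(inventory, observed):
    """Classify each observed MAC against the inventory, then list inventory entries never seen."""
    findings = []
    for mac, obs in sorted(observed.items()):
        rec, srcs = inventory.get(mac), ",".join(sorted(obs["sources"]))
        if rec is None:
            findings.append({"mac": mac, "ip": obs["ip"], "status": "UNAUTHORIZED",
                             "detail": f"not in inventory (seen via {srcs}; hostname '{obs['host']}')"})
        elif rec["ip"] != obs["ip"]:  # DHCP clients may move, so flag for review, not as rogue
            findings.append({"mac": mac, "ip": obs["ip"], "status": "REVIEW",
                             "detail": f"{rec['name']} recorded at {rec['ip']}, owner {rec['owner']}"})
        else:
            findings.append({"mac": mac, "ip": obs["ip"], "status": "AUTHORIZED", "detail": rec["name"]})
    for mac, rec in inventory.items():
        if mac not in observed:  # stale record, or a portable device that is off-site (CSC 1.4)
            findings.append({"mac": mac, "ip": rec["ip"], "status": "NOT_SEEN",
                             "detail": f"{rec['name']} ({'portable' if rec['portable'] else 'fixed'})"})
    return findings


def metric_1_1(findings):
    """Metric 1.1: unauthorized devices as a share of devices present, banded by the table's thresholds."""
    present = [f for f in findings if f["status"] != "NOT_SEEN"]
    unauthorized = sum(f["status"] == "UNAUTHORIZED" for f in present)
    pct = 100.0 * unauthorized / len(present) if present else 0.0
    band = "lower" if pct < 1 else "moderate" if pct < 5 else "higher" if pct <= 10 else "above higher threshold"
    return unauthorized, len(present), pct, band


def run_report(inventory=AUTHORIZED_INVENTORY, dhcp_log=DHCP_LOG, nmap_output=NMAP_OUTPUT):
    observed = merge_observations(parse_dhcp_log(dhcp_log), parse_nmap_output(nmap_output))
    findings = reconcile(inventory, observed)
    return findings, metric_1_1(findings)


if __name__ == "__main__":
    findings, (bad, total, pct, band) = run_report()
    for f in findings:
        print(f"{f['status']:12} {f['mac']}  {f['ip']:12} {f['detail']}")
    print(f"metric 1.1: {bad}/{total} unauthorized = {pct:.1f}% ({band} risk band)")
```

Keying on MAC rather than IP is deliberate: with DHCP the IP is a lease, so an address mismatch only earns a REVIEW, whereas a MAC absent from the inventory is the UNAUTHORIZED finding the metric counts. Inventory entries that never show up are reported separately because 1.4 requires portable devices to be inventoried even while they are off the network; an auditor would expect those to be laptops and phones, not servers.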
Relationship to COBIT processes
#4 ON AUDITING CYBERSECURITY SKILLS
[Figure: automation of business functions. Example: assess organization/IS resilience to cyber threats]
3. SFIA6 – UK
ADDITIONAL REASONS FOR A SKILLS AUDIT
HR:
• Re-organization preparation: which skill sets do we need to plan for?
• Which skill set should we hire for?
CISO office:
• Information security should be handled better: which skills are missing?
Career planning:
• What should I focus on for my cybersecurity career?
HOW TO RUN A SKILLS AUDIT?
Simplest:
• Ask: which skills are missing to reach the goals?
Medium:
• Inventory/assess existing skills via questionnaires (list the competences, ask people to self-assess)
Sophisticated:
• Run serious tests to assess the skills
OUTPUT OF A SKILLS AUDIT
Simplest:
• List of skills/competences and who covers them
• Items without people: the missing competences
Medium:
• Skills/competences with required levels and fulfilled levels
• The gap is visible
Sophisticated:
• Detailed report from professional skills assessors
SUMMARY
REFERENCES
1. SFIA: https://www.sfia-online.org
4. ISO 27032: http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=44375
5. ISACA, Information Systems Auditing: Tools and Techniques, Creating Audit Programs: http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Information-Systems-Auditing-Tools-and-Techniques-Creating-Audit-Programs.aspx
Copyright © 2016 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This
webinar may not be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system, or
transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).