
VPN Security Audit/Assurance Program

About ISACA
With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of
knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security,
enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit,
independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS
auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It
also advances and attests IT skills and knowledge through the globally respected Certified Information Systems
Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT®
(CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.

ISACA continually updates and expands the practical guidance and product family based on the COBIT®
framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and
management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to
the business.

Disclaimer
ISACA has designed and created VPN Security Audit/Assurance Program (the “Work”) primarily as an educational
resource for governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure
a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests
or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In
determining the propriety of any specific information, procedure or test, governance and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or
information technology environment.

Reservation of Rights
© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org

Provide feedback: www.isaca.org/VPN-AP


Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ

ISBN 978-60420-269-4
© 2012 ISACA. All rights reserved. Page 2

Acknowledgments

ISACA wishes to recognize:


Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive, Inc., USA

Expert Reviewers
Michael Castro, CISA, ResMor Trust Co, Canada
Joanne De Vito De Palma, BCMM, The Ardent Group LLC, USA
Russell K. Fairchild, CISA, CRISC, CISSP, PMP, SecureIsle, USA
Alek Geldenberg, CISA, CRISC, CISSP, MSMM, USA
Francis Kaitano, CISA, CISM, CISSP, ITIL, MCAD.Net, MCSD, Contact Energy, New Zealand
Kamal Khan, CISA, CISSP, CITP, Saudi Aramco, Saudi Arabia
Lily M. Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
Babu Srinivas, CISA, CISM, SP AusNet, Australia
David A. Williams, CRISC, PMP, OceanFirst Bank, USA

ISACA Board of Directors


Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, 6 Sigma, Quest Software, Spain, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International President
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director

Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Chairman
Steven Andrew Babb, CGEIT, CRISC, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil James Lageschulte, CGEIT, CPA, KPMG LLP, USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA

Guidance and Practices Committee


Phil James Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
Dan Haley, CISA, CGEIT, CRISC, MCP, Johnson & Johnson, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Pelissari, Brazil
Jotham Nyamari, CISA, Deloitte, USA
Connie Lynn Spinelli, CISA, CRISC, CFE, CIA, CMA, CPA, GRC Solutions LLC, USA
John William Walker, CISM, CRISC, CITP, FBCS, ITPC Secure Bastion Ltd., UK


Siang Jun Julia Yeo, CISA, CPA (Australia), Visa Worldwide Pte. Limited., Singapore
Nikolaos Zacharopoulos, CISA, DeutschePost–DHL, Germany

ISACA and IT Governance Institute® (ITGI®) Affiliates and Sponsors


Information Security Forum
Institute of Management Accountants Inc.
ISACA chapters
ITGI France
ITGI Japan
Norwich University
Socitum Performance Management Group
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School

ASIS International
Hewlett-Packard
IBM
Symantec Corp.


Table of Contents
I. Introduction.......................................................................................................................................5
II. Using This Document........................................................................................................................6
III. Controls Maturity Analysis................................................................................................................8
IV. Assurance and Control Framework..................................................................................................10
V. Executive Summary of Audit/Assurance Focus...............................................................................11
VI. Audit/Assurance Program................................................................................................................13
1. Planning and Scoping the Audit...................................................................................................13
2. Preparatory Steps.........................................................................................................................15
3. Governance..................................................................................................................................16
4. Policy...........................................................................................................................................17
5. Configuration...............................................................................................................................19
6. Maintenance and Monitoring.......................................................................................................26
VII. Maturity Assessment.......................................................................................................................28
VIII. Maturity Assessment vs. Target Assessment...................................................................................33

I. Introduction

Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good practice-
setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies,
tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance practitioners with the requisite knowledge of the subject matter under review,
as described in ITAF, section 2200—General Standards. The audit/assurance programs are part of ITAF,
section 4000—IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT® framework—
specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF,
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.

Many enterprises have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise’s control framework.


Governance, Risk and Control of IT


Governance, risk and control of IT are critical in the performance of any assurance management process.
Governance of the process under review will be evaluated as part of the policies and management
oversight controls. Risk plays an important role in evaluating what to audit and how management
approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program.
Controls are the primary evaluation point in the process. The audit/assurance program will identify the
control objectives and the steps to determine control design and effectiveness.

Responsibilities of IT Audit and Assurance Professionals


IT audit and assurance professionals are expected to customize this document to the environment in
which they are performing an assurance process. This document is to be used as a review tool and starting
point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or
questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter
expertise required to conduct the work and is supervised by a professional with the CISA designation
and/or necessary subject matter expertise to adequately review the work performed.

II. Using This Document


This audit/assurance program was developed to assist the audit and assurance professional in designing
and executing a review. Details regarding the format and use of the document follow.

Work Program Steps


The first column of the program describes the steps to be performed. The numbering scheme used
provides built-in work paper numbering for ease of cross-reference to the specific work paper for that
section. The physical document was designed in Microsoft® Word. The IT audit and assurance
professional is encouraged to make modifications to this document to reflect the specific environment
under review.

Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g.,
1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for
the sub-steps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify use, the
program first states the audit/assurance objective (the reason for performing the steps in the topic area),
followed by the specific controls. Each review step is listed after its control. These steps may include assessing
the control design by walking through a process, interviewing, observing or otherwise verifying the
process and the controls that address that process. In many cases, once the control design has been
verified, specific tests need to be performed to provide assurance that the process associated with the
control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing and report clearing—has been
excluded from this document because it is standard for the audit/assurance function and should be
identified elsewhere in the enterprise’s standards.


COBIT 4.1 Cross-reference


The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the
specific COBIT 4.1 control objective that supports the audit/assurance step. The COBIT control objective
should be identified for each audit/assurance step in the section. Multiple cross-references are not
uncommon. Subprocesses in the work program are too granular to be cross-referenced to COBIT. The
audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to
the development process. COBIT provides in-depth control objectives and suggested control practices at
each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance
Guide: Using COBIT for good-practice control guidance.

COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function has COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance enterprises include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.

For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO issued the
Enterprise Risk Management (ERM) Integrated Framework, which includes eight components. The ERM
framework has a business decision focus when compared to the 1992 Internal Control—Integrated
Framework. Large enterprises are in the process of adopting ERM. The two frameworks are compared in
figure 1.

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Each entry below pairs a component of the Internal Control—Integrated Framework with the corresponding
component of the ERM Integrated Framework. Three ERM components (Objective Setting, Event Identification
and Risk Response) have no counterpart in the Internal Control framework.

Internal Control framework: Control Environment: The control environment sets the tone of an
organization, influencing the control consciousness of its people. It is the foundation for all other
components of internal control, providing discipline and structure. Control environment factors include the
integrity, ethical values, management’s operating style, delegation of authority systems, as well as the
processes for managing and developing people in the organization.
ERM framework: Internal Environment: The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk
management philosophy and risk appetite, integrity and ethical values, and the environment in which they
operate.

Internal Control framework: (no counterpart)
ERM framework: Objective Setting: Objectives must exist before management can identify potential events
affecting their achievement. Enterprise risk management ensures that management has in place a process to
set objectives and that the chosen objectives support and align with the entity’s mission and are consistent
with its risk appetite.

Internal Control framework: (no counterpart)
ERM framework: Event Identification: Internal and external events affecting achievement of an entity’s
objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled
back to management’s strategy or objective-setting processes.

Internal Control framework: Risk Assessment: Every entity faces a variety of risks from external and
internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and
thus risk assessment is the identification and analysis of relevant risks to achievement of assigned
objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
ERM framework: Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis
for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Internal Control framework: (no counterpart)
ERM framework: Risk Response: Management selects risk responses—avoiding, accepting, reducing, or
sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Internal Control framework: Control Activities: Control activities are the policies and procedures that help
ensure management directives are carried out. They help ensure that necessary actions are taken to address
risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all
levels and in all functions. They include a range of activities as diverse as approvals, authorizations,
verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
ERM framework: Control Activities: Policies and procedures are established and implemented to help
ensure the risk responses are effectively carried out.

Internal Control framework: Information and Communication: Information systems play a key role in
internal control systems as they produce reports, including operational, financial and compliance-related
information that make it possible to run and control the business. In a broader sense, effective
communication must ensure information flows down, across and up the organization. Effective
communication should also be ensured with external parties, such as customers, suppliers, regulators and
shareholders.
ERM framework: Information and Communication: Relevant information is identified, captured, and
communicated in a form and timeframe that enable people to carry out their responsibilities. Effective
communication also occurs in a broader sense, flowing down, across, and up the entity.

Internal Control framework: Monitoring: Internal control systems need to be monitored—a process that
assesses the quality of the system’s performance over time. This is accomplished through ongoing
monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring
activities should be reported upstream and corrective actions should be taken to ensure continuous
improvement of the system.
ERM framework: Monitoring: The entirety of enterprise risk management is monitored and modifications
made as necessary. Monitoring is accomplished through ongoing management activities, separate
evaluations, or both.
Information for figure 1 was obtained from the COSO web site www.coso.org/aboutus.htm.

The 1992 Internal Control—Integrated Framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to include them as a reference in this document. When
completing the COSO component columns, consider the definitions of the components as described in
figure 1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work
performed, issues identified, and conclusions for each line item. The reference/hyperlink is to be used to
cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this
document provides a ready numbering scheme for the work papers. If desired, a link to the work paper
can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper describing the work performed.

III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire
to understand how their performance compares to good practices. Audit and assurance professionals must
provide an objective basis for the review conclusions. Maturity modeling for management and control
over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity
level of non-existent (0) to optimized (5). This approach is derived from the maturity model that the
Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software
development.

The IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control (figure 2)
provides a generic maturity model showing the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.

Figure 2—Maturity Model for Internal Control

For each maturity level, the first paragraph describes the status of the internal control environment and the
second describes how the establishment of internal controls is assessed.

0 Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control
is not part of the organisation’s culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are
dealt with as they arise.

1 Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The
approach to risk and control requirements is ad hoc and disorganised, without communication or
monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in
terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to
significant incidents. Assessment addresses only the actual incident.

2 Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation
is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated.
Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management
actions to resolve control issues are not prioritised or consistent. Employees may not be aware of their
responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT
processes to determine the current level of control maturity, the target level that should be reached and the
gaps that exist. An informal workshop approach, involving IT managers and the team involved in the
process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon
action plan.

3 Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating
effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the
evaluation process is not documented. While management is able to deal predictably with most control
issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their
responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A
detailed analysis is performed to identify control requirements and the root cause of gaps and to develop
improvement opportunities. In addition to facilitated workshops, tools are used and interviews are
performed to support the analysis and ensure that an IT process owner owns and drives the assessment and
improvement process.

4 Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management
environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated
and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely
identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of
technology is applied to automate controls. Performance in achieving the desired outcomes is consistently
monitored. External control reviews are organised occasionally.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and
agreement from the relevant business process owners. Assessment of control requirements is based on
policy and the actual maturity of these processes, following a thorough and measured analysis involving
key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are
supported by business cases.

5 Optimised
Status of the Internal Control Environment: An enterprisewide risk and control program provides
continuous and effective control and risk issues resolution. Internal control and risk management are
integrated with enterprise practices, supported with automated real-time monitoring with full accountability
for control monitoring, risk management and compliance enforcement. Control evaluation is continuous,
based on self-assessments and gap and root cause analyses. Employees are proactively involved in control
improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any
need to reassess process control capability. IT process owners regularly perform self-assessments to
confirm that controls are at the right level of maturity to meet business needs and they consider maturity
attributes to find ways to make controls more efficient and effective. The organisation benchmarks to
external best practices and seeks external advice on internal control effectiveness. For critical processes,
independent reviews take place to provide assurance that the controls are at the desired level of maturity
and working as planned.

The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity level of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progress in
the enhancement of controls. However, the perception of the maturity level may vary between the
process/IT asset owner and the auditor. Therefore, the auditor should obtain the concerned stakeholders’
concurrence before submitting the final report to management.


At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and target maturity goals. A graphic is provided as the last page
of this document (section VIII), based on sample assessments. It is suggested that the maturity assessment
for this review be included in the IT information security review, which would focus on the Deliver and
Support (DS) domain, IT process DS5 Ensure systems security.

IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards


The following sections in ITAF are relevant to virtual private network (VPN) security:
• 3450—IT Processes
• 3490—IT Support of Regulatory Compliance
• 3630.4—Information Systems Operations
• 3630.7—Information Security Management
• 3630.11—Network Management and Controls

ISACA Control Framework


VPN security is primarily a configuration and security issue. This audit is of narrow scope, focusing on
specific VPN-related controls. The primary COBIT areas for this evaluation have a wider scope; in
preparing and evaluating the results of this audit, consider the scope limitation of controls directly related
to VPN technologies and implementation. They include:
• DS5.3 Identity management—Ensure that all users (internal, external and temporary) and their
activity on IT systems (business application, IT environment, system operations, development and
maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
Confirm that user access rights to systems and data are in line with defined and documented business
needs and that job requirements are attached to user identities. Ensure that user access rights are
requested by user management, approved by system owners and implemented by the security-
responsible person. Maintain user identities and access rights in a central repository. Deploy cost-
effective technical and procedural measures, and keep them current to establish user identification,
implement authentication and enforce access rights.
• DS5.4 User account management—Address requesting, establishing, issuing, suspending, modifying
and closing user accounts and related user privileges with a set of user account management
procedures. Include an approval procedure outlining the data or system owner granting the access
privileges. These procedures should apply for all users, including administrator (privileged users) and
internal and external users, for normal and emergency cases. Rights and obligations relative to access
to enterprise systems and information should be contractually arranged for all types of users. Perform
regular management review of all accounts and related privileges.
• DS5.7 Protection of security technology—Make security-related technology resistant to tampering,
and do not disclose security documentation unnecessarily.

© 2012 ISACA. All rights reserved. Page 10

 DS5.8 Cryptographic key management—Determine that policies and procedures are in place to
organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use
and archiving of cryptographic keys to ensure the protection of keys against modification and
unauthorised disclosure.
 DS5.9 Malicious software prevention, detection and correction—Put preventive, detective and
corrective measures in place (especially up-to-date security patches and virus control) across the
organisation to protect information systems and technology from malware (e.g., viruses, worms,
spyware, spam).
 DS5.10 Network security—Use security techniques and related management procedures (e.g.,
firewalls, security appliances, network segmentation, intrusion detection) to authorise access and
control information flows from and to networks.
 DS9.2 Identification and maintenance of configuration items—Establish configuration procedures to
support management and logging of all changes to the configuration repository. Integrate these
procedures with change management, incident management and problem management procedures.

Refer to the IT Governance Institute’s COBIT Control Practices: Guidance to Achieve Control
Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice
value and risk drivers.

V. Executive Summary of Audit/Assurance Focus


A virtual private network (VPN) is a technology to protect data as they travel through public networks.

The Internet has modified the manner in which enterprises interconnect their information networks.
Access can be over the Internet (public access) or over an extranet (trusted parties, e.g., suppliers,
customers, partners). Previously, an enterprise would lease dedicated communications lines between sites
or trusted business partners. The Internet permits ubiquitous connectivity; however, any data traversing a
public network can be captured by unintended parties, thereby potentially disclosing data. A VPN
provides a means to encrypt data between communicating parties.

VPNs address two primary types of connectivity:


 Site-to-site—In a site-to-site connection, the parties direct their communications through the Internet
to intermediate routers. The VPN technology will vary: casual or arms-length relationships will use a
VPN technology based on asymmetric encryption (i.e., a public key infrastructure [PKI] that utilizes
digital certificates) to prevent the transmitting party from being able to decrypt transmissions from
other partners. When connecting transmissions between trusted parties, including branch offices, etc.,
the site-to-site connection can utilize a shared encryption key (symmetric) that must be kept
confidential.
 User workstation to site—Business partners and employees need to communicate securely. This
requires a VPN that is easily configured and initiated with minimal maintenance. The two most
common alternatives are a software program installed on the user’s workstation with the appropriate
cryptography keys or using the standard Secure Sockets Layer (SSL) protocol, which is built into all
major Internet browsers. The latter capability is known as an SSL VPN.

Independent of the type of connectivity, the primary issues are:


 Security of transmissions, including preventing “hijacking” of transmissions and preventing malware
from entering the network
 Managing the technology
 Configuration management
 Ensuring information is unaltered and maintains accuracy and reliability


Business Impact and Risk


The impact on the business transmitting data through public networks and the accompanying risk are
significant. Depending on the industry, enterprises may experience outages and intrusion attempts for
financial gain, to obtain intellectual property, to create business disruption, to obtain sensitive private
information, or to compromise national security. The perpetrators of an intrusion can be external or
internal, privately or government sponsored. This activity may increase the enterprise’s risk of:
 Public relations issues with the customers or the public (reputational risk)
 Inability to comply with regulatory processing requirements (regulatory and financial risk)
 Inability to perform critical business functions (operational and financial risk)
 Inability to maintain payroll and employee privacy (regulatory and reputational risk)
 Loss of physical or informational assets (reputational and financial risk)
 Inability to meet contractual service level agreements (SLAs) with third parties or customers
(contractual risk)

VPN technology, if properly configured, will reduce the risk associated with privileged data traversing a
public network.

Objective and Scope


Objective—The objective of the audit/assurance review is to provide management with an independent
assessment of the VPN implementation and ongoing monitoring/maintenance of the effectiveness of the
supporting technology.

Scope—The audit/assurance review will focus on VPN standards, guidelines and procedures as well as
the implementation and governance of these activities. The review will rely upon other operational audits
of the incident management process, configuration management and security of networks and servers,
security management and awareness, business continuity management, information security management,
governance and management practices of IT and business units, and relationships with third parties.

For an auditee that incorporates its own PKI infrastructure into the VPN environment, it may be necessary
to extend the scope of the audit/assurance review to include encryption technologies and the use of PKI.
For this purpose, consult the ISACA E-commerce and Public Key Infrastructure (PKI) Audit/Assurance
Program for additional audit steps. It is not necessary to do so, however, if the main objective of the
audit/assurance review focuses on VPN implementation and ongoing monitoring/maintenance.

Minimum Audit Skills


The IT audit and assurance professional must have an understanding of good-practice information
security processes and understand the various VPN technologies, solutions and deficiencies. Because this
is a dynamic field, professionals performing this audit should ensure that they have performed the
necessary research to ensure that they understand the underlying technologies employed by VPNs and
current control mechanisms.

Feedback
Visit www.isaca.org/VPN-AP and use the feedback function to provide your comments and suggestions
on this document. Your feedback is a very important element in the development of ISACA guidance for
its constituents and is greatly appreciated.


VI. Audit/Assurance Program

Columns of the audit/assurance program table: Audit/Assurance Program Step; COBIT Cross-reference; COSO (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring); Reference Hyperlink; Issue Cross-reference; Comments. In the text below, the COBIT references and COSO marks (X) from the table are shown in parentheses after the step or control they belong to.

1. Planning and Scoping the Audit


1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance
program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe,
annual plan and charter.
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating
environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Perform a high-level walk-through of the network architecture using VPN-technology.
1.2.2 Establish initial boundaries of the audit/assurance review.
1.2.2.1 Identify limitations and/or constraints affecting the audit.
1.3 Define assurance.
The review requires two sources of standards. The corporate standards defined in the policy
and procedure documentation establish the corporate expectations. At minimum, corporate
standards should be implemented. The second source, a good-practice reference,
establishes industry standards. Enhancements should be proposed to address gaps between
the two.
1.3.1 Determine if COBIT and the appropriate security incident management framework
will be used as a good-practice reference.


1.4 Identify and document risk.


The risk assessment is necessary to evaluate where audit resources should be focused. The
risk-based approach assures utilization of audit resources in the most effective manner.
1.4.1 Identify the business risk associated with the failure to implement VPN technologies
and the failure to implement VPN technologies securely.
1.4.2 Identify the technology risk associated with the failure to implement VPN
technologies and the failure to implement VPN technologies securely.
1.4.3 Determine if a VPN architecture threat assessment and modeling process has been
established and implemented.
1.4.4 Based on risk assessment, identify changes to the scope.
1.4.5 Discuss the risk with IT, business and operational audit management, and adjust the
risk assessment.
1.5 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating
environment and associated risk. As further research and analysis are performed, changes
to the scope and approach will result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance
program, and the authorizations required.
1.6 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team,
other assurance teams and the enterprise is essential.
1.6.1 Identify the drivers for a successful review (this should exist in the audit/assurance
function’s standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and obtain
agreement.

1.7 Define audit/assurance resources required.


The resources required are defined in the introduction to this audit/assurance program.
1.7.1 Determine the audit/assurance skills necessary for the review.
1.7.2 Determine the estimated total resources (hours) and time frame (start and end dates)
required for the review.
1.8 Define deliverables.
Deliverables are not limited to the final report. Communication between the audit/assurance
teams and the process owner is essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports, draft
reports, due dates for responses and the final report.
1.9 Communicate.
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the executive
responsible for operating systems and infrastructure.

2. Preparatory Steps
2.1 Obtain and review the current organization chart for the system and network
administration areas.
3. Identify the key network administration staff, the security manager and the key network
user stakeholders.
4. Obtain a copy of the latest network security risk analysis, including any information on
system, data and service classifications.
5. Obtain and review a copy of the enterprise’s:
 Security policy
 Security strategy or strategies
 Security procedures and standards
 Network architecture documentation
 Network inventory or schematic of physical network components
 Network problem tracking, resolution and escalation procedures
 VPN-related documentation and vendor contracts
 Copies of signed user security and awareness documents
 New employee training materials relating to security
 Relevant legal and regulatory information related to security and information access
 VPN supplier contracts, SLAs
 Supplier due diligence selection criteria, process
 Business impact analysis (BIA), business continuity plans (BCPs), disaster recovery plans
(DRPs) and all continuity of operations plans
 Human resources (HR) onboarding/offboarding procedures and standards
 Information security remote access policies, procedures and standards
 Information security mobile computing policies, procedures and
standards
 Information security wireless networking standards
 Information security acceptable use policies, procedures and standards
 Encryption policies, procedures and standards
 Incident response policies, procedures, standards
 Monitoring and audit policies, procedures, standards
6. Interview the senior security officer and the IT security administrator regarding VPN
implementation.
7. Interview the technical support team leader or equivalent responsible for VPN
architecture, design, implementation, and maintenance processes and procedures.

8. Governance
8.1 Executive Sponsor
Audit/Assurance Objective: The VPN implementation and maintenance is assigned to an
executive sponsor, who is responsible for its effective implementation and operations.
9. Executive Responsibility and Accountability of VPN-related Processes (COBIT: PO4.6; COSO: X X X X)

Control: A senior executive within the IT organization is responsible for the VPN
implementation, maintenance and oversight. (COBIT: ME1.5, ME2.5, ME4.1)
9.1.1.1 Identify the senior executive responsible for the VPN program.
9.1.1.2 Obtain the position description of the executive responsible for the VPN
program.
9.1.1.3 Determine if the position has cross-reporting to the business units and IT
management (security, administration, etc.)
9.1.1.4 Obtain meeting minutes and other documentation to support the responsibilities
and accountability of the executive sponsor.
9.2 Senior Management Involvement in VPN Programs
Audit/Assurance Objective: Senior management participates in key decisions related to VPN
programs.
10. Senior Management Oversight of VPN Programs (COSO: X X X X)
Control: Senior management provides oversight of the VPN programs, including
review and approval of policies affecting their respective operations. (COBIT: ME1.5)
10.1.1.1 Determine if business units affected by VPN implementation participate in the
review of policies affecting their business units.
10.1.1.2 Determine if support functions (e.g., HR, corporate communications,
compliance, information security) affected by VPN implementation participate
in the review of VPN policies.
11. Policy
11.1 HR Policies Aligned With and Support VPN Policies
Audit/Assurance Objective: VPN policies align with and are integrated into HR policies.
12. HR Policies Include Related VPN Policies (COBIT: PO6.3, PO6.4; COSO: X)
Control: HR policies include VPN disclosures, usage requirements as part of initial
"onboarding" process and the annual employee acknowledgement of use policies.
12.1.1.1 Obtain a selection of HR policies relating to VPN usage.
12.1.1.2 Determine if VPN usage policies are incorporated in the HR policies.
12.2 VPN Policies in Compliance With Corporate Policies
Audit/Assurance Objective: VPN policies align with corporate compliance policies.
13. VPN Policies Are in Compliance With Corporate Compliance and Related Policies (COBIT: PO4.8, ME3.1, ME3.3; COSO: X X X)
Control: Corporate compliance (financial reporting, regulatory and statutory)
functions review VPN policies prior to implementation to assure adherence to
appropriate requirements.
13.1.1.1 Obtain the corporate compliance policies relating to data security and privacy.
13.1.1.2 Determine if VPN requirements are a component of the policies.
13.1.1.3 Obtain a selection of VPN policy proposals or modifications.
13.1.1.4 Determine if corporate compliance representatives have reviewed and
provided documented approval of VPN policies.
13.2 VPN Policies in Compliance With Legal and Regulatory Policies and Requirements
Audit/Assurance Objective: VPN policies align with legal and regulatory policies and
requirements.
14. VPN Policies Are in Compliance With Legal Regulatory Requirements (COBIT: PO4.8, ME3.1, ME3.2; COSO: X X X)
Control: VPN technologies are defined to satisfy legal and regulatory requirements
within the enterprise's industry.
14.1.1.1 Obtain a selection of VPN policy proposals or modifications.
14.1.1.2 Determine if the enterprise’s legal representatives have reviewed and
provided documented approval of VPN policies.
14.2 VPN Policies Align With Information Security
Audit/Assurance Objective: VPN policies are in compliance with information security
policies
15. VPN Policies Are Approved by the Information Security Function (COBIT: PO6.3, PO6.4, DS5.1, ME2.5, ME3.4; COSO: X X)
Control: The information security function assures compliance with information
security policy by reviewing information security-related VPN policies prior to their
adoption and implementation.
15.1.1.1 Obtain a selection of VPN policy proposals or modifications.
15.1.1.2 Determine if information security representatives have reviewed and provided
documented approval of VPN policies.
15.2 VPN Policy Integrated With Enterprise’s Data Classification Policy
Audit/Assurance Objective: Data Classification Policy includes VPN usage and configuration
requirements.
16. Data Classification Policy VPN Requirements (COBIT: PO2.3; COSO: X)
Control: The data classification policy identifies VPN requirements and
configuration for each data classification.
16.1.1.1 Obtain the data classification policy.
16.1.1.2 Determine if the data classification policy includes VPN configuration and
usage requirements.
16.1.1.3 Determine if the VPN configuration and usage policy includes specific
applications or data elements requiring VPN usage.
16.1.1.4 Determine if VPN configuration and usage policy identifies functions that
must be executed using a VPN, and functions that must be excluded from
execution, with or without a VPN.
17. Configuration
17.1 VPN Architecture
Audit/Assurance Objective: Best security practices are implemented for the various VPN
architectures.
18. Edge Routers [1] (COBIT: PO2.1, DS5.9, DS5.10; COSO: X)
19. Edge Router Termination
Control: Edge routers terminate at the network firewall and an effective firewall
configuration applies appropriate filtering.
19.1.1.1.1 Identify edge routers within the network architecture.
19.1.1.1.2 Determine that the edge router terminates (a) at or in front of the
DMZ or (b) at an inline Intrusion Prevention System (IPS) deployed
between the edge router and the firewall.
19.1.1.1.3 Select a sample of edge routers.
19.1.1.1.4 Determine if the edge routers selected terminate at the firewall or in
the DMZ.
20. Edge Router Encryption (COBIT: DS5.8, DS5.9; COSO: X)
Control: Edge routers use asymmetric keys supported by a Public Key
Infrastructure or, alternatively, one of the two standard symmetric key
technologies, 3DES or AES [2].

[1] These are defined as untrusted site-to-site connected networks.
[2] Consider performing an audit of the PKI implementation using the ISACA E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Program. Encryption controls,
including key storage, key maintenance, security, etc., should be reviewed.
20.1.1.1.1 Select a sample of edge routers.
20.1.1.1.2 Identify the encryption configuration in use to protect the data.
20.1.1.1.3 Determine the effectiveness of the control of keys and digital
certificates.
20.1.1.1.4 Determine if an untrusted partner would have the ability to
compromise the private key structure.
21. Trusted Routers [3]
22. Trusted Router Termination (COBIT: DS5.9, DS5.10, DS9.2; COSO: X)
Control: Trusted routers terminate in a trusted DMZ or within the network,
subject to appropriate firewall filtering.
22.1.1.1.1 Identify trusted router terminations within the network architecture.
22.1.1.1.2 Determine that the trusted router terminates in a designated DMZ
designed with firewall filtering appropriate to the data classification
of the data traversing the network segment.
22.1.1.1.3 Determine that the designated DMZ is designed with firewall
filtering appropriate to the data classification of the data traversing
the network segment.
23. Trusted Router Encryption (COBIT: DS5.7, DS5.8; COSO: X)
Control: Trusted routers use symmetric keys supported by appropriate key
length, security of key storage and, where appropriate, contracts/agreements [4].
23.1.1.1.1 Select a sample of trusted router networks.
23.1.1.1.2 Identify the encryption configuration in use to protect the data.
23.1.1.1.3 Determine the effectiveness of the control of keys.
23.1.1.1.4 Determine if appropriate SLAs, contracts and other legal remedies
have been executed between nonrelated parties.
23.1.1.1.5 Determine if a trusted partner would have the ability to
compromise the key structure.

[3] These are defined as site-to-site networks integrated into a wide-area local area network (LAN).
[4] This generally applies to extranets and non-owned networks.
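The key-management rules in steps 20 and 23 (certificates for untrusted partners so that no partner can decrypt another partner's traffic, adequately sized symmetric keys, and executed contracts for non-owned networks) can be checked mechanically over a tunnel inventory. The following Python is an added example and is not part of the ISACA program or of any vendor's product: the Tunnel fields, the policy thresholds, the peer names and the key identifiers are all constructed for illustration.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed policy thresholds (constructed; not values from the audit program).
ACCEPTED_CIPHERS = {"AES", "3DES"}   # the two standard symmetric choices named in step 20
MIN_AES_KEY_BITS = 128


@dataclass
class Tunnel:
    peer: str
    trust: str                 # "untrusted" (arms-length partner) or "trusted" (branch, owned network)
    owned: bool                # peer network owned/operated by the enterprise
    auth: str                  # "certificate" (asymmetric, PKI-backed) or "psk" (shared symmetric key)
    cipher: str
    key_bits: int
    psk_id: Optional[str]      # fingerprint of the shared key; None for certificate tunnels
    contract_on_file: bool     # SLA/contract executed with the peer (step 23.1.1.1.4)


def audit_tunnels(tunnels: list[Tunnel]) -> list[str]:
    """Return one finding string per control failure, in inventory order."""
    findings: list[str] = []
    psk_holders: dict[str, list[str]] = defaultdict(list)
    for t in tunnels:
        if t.auth == "psk" and t.psk_id:
            psk_holders[t.psk_id].append(t.peer)
        # Step 20: an untrusted partner must be unable to decrypt other partners'
        # traffic, which a shared symmetric key cannot guarantee.
        if t.trust == "untrusted" and t.auth != "certificate":
            findings.append(f"{t.peer}: untrusted partner authenticated by shared key, not certificates")
        if t.cipher not in ACCEPTED_CIPHERS:
            findings.append(f"{t.peer}: cipher {t.cipher} is not an accepted standard")
        elif t.cipher == "AES" and t.key_bits < MIN_AES_KEY_BITS:
            findings.append(f"{t.peer}: AES key of {t.key_bits} bits below policy minimum")
        # Step 23.1.1.1.4: non-owned networks need executed SLAs/contracts.
        if not t.owned and not t.contract_on_file:
            findings.append(f"{t.peer}: no contract/SLA on file for non-owned network")
    # Step 23.1.1.1.5: a key shared by several peers lets any holder read the others' traffic.
    for key_id, peers in psk_holders.items():
        if len(peers) > 1:
            findings.append(f"shared key {key_id} reused by {', '.join(sorted(peers))}")
    return findings


# Constructed sample inventory (peer names and key ids are placeholders).
SAMPLE_TUNNELS = [
    Tunnel("branch-east", "trusted", True, "psk", "AES", 256, "psk-0001", True),
    Tunnel("partner-alpha", "untrusted", False, "certificate", "AES", 128, None, True),
    Tunnel("partner-beta", "untrusted", False, "psk", "3DES", 168, "psk-0001", False),
    Tunnel("partner-gamma", "untrusted", False, "certificate", "DES", 56, None, True),
]

if __name__ == "__main__":
    for line in audit_tunnels(SAMPLE_TUNNELS):
        print(line)
```

Run against the sample inventory, the first two tunnels pass and the checker reports four findings: the untrusted partner authenticated by a shared key, the missing contract for that partner, the non-standard cipher on the last tunnel, and the shared key that a branch office and an external partner both hold.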
24. SSL VPN
25. Secure SSL VPN Configuration (COBIT: PO5.9, PO9.2, DS5.3, DS5.4, DS5.10; COSO: X)
Control: SSL VPN is installed with a secure configuration which mitigates its
inherent weaknesses.
25.1.1.1.1 Obtain the SSL VPN Configuration Policy.
25.1.1.1.2 Determine if strong user authentication has been implemented.
Consider:
 Two-factor authentication
 Password AND hardware tokens
 Digital certificates
 Smart cards
25.1.1.1.3 Determine if user computer identity verification has been
implemented:
 User computer validated to be in compliance with enterprise
security requirements and policies prior to connection.
 Validation of user computer identity and configuration includes:
- Personal firewall configuration
- Antivirus/malware configuration and currency of pattern
files
- Required security patches
- Limitation of split tunneling [5]
- Evaluation of registry entries
25.1.1.1.4 Determine if a secure desktop solution or “sandboxing” has been
implemented for connections not satisfying or unable to validate
computer identity verification.
25.1.1.1.5 Determine if the SSL VPN provides for deletion of all session data
from the client’s cache, including:
 Browser history
[5] This enables network traffic to traverse separate networks via the same network connection.
 Internet temporary files
 Cookies
 Documents
 Passwords
25.1.1.1.6 Determine if the SSL VPN provides a keystroke logger detection
sweep prior to completing a connection.
25.1.1.1.7 Determine if session time-outs are implemented and what the
time-out period is and determine if it complies with security
policies, standards and procedures.
25.1.1.1.8 Determine if SSL version verification is required prior to connection and
the connection is denied if the SSL version is lower than the level that security
policy dictates.
25.1.1.1.9 Determine if server certificate support has been implemented and
will only permit connection with a valid, authenticated certificate.
25.1.1.1.10 Determine if resource availability, system functionality, and
application access are limited based on satisfying the configuration
parameters considered above.
25.1.1.1.11 Determine if public computers (e.g., Internet cafés, kiosks, etc.)
are permitted to connect to the SSL VPN.
25.1.1.1.12 Determine if client-side certificates are required, and if so,
connection is contingent upon client-side certificate verification and
authentication.
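Steps 25.1.1.1.2 through 25.1.1.1.12 above are each a yes/no test against the SSL VPN gateway's configuration and the enterprise's policy. The following Python is an added example, not code from the ISACA program or from any SSL VPN vendor: it evaluates a gateway record against the listed steps and reports findings. The GatewayConfig fields, the POLICY thresholds and the two sample gateways are constructed assumptions, not a real product's configuration schema.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed policy thresholds (constructed; not values from the audit program).
POLICY = {
    "require_two_factor": True,
    "min_protocol": "TLSv1.2",
    "max_session_timeout_min": 30,
    "allow_public_computers": False,
}
# Session data the gateway should purge at logout (step 25.1.1.1.5).
REQUIRED_CLEANUP = {"history", "temp_files", "cookies", "documents", "passwords"}


def protocol_rank(name: str) -> tuple[int, int, int]:
    """Order protocol names so that every SSL version sorts below every TLS version."""
    family, _, number = name.partition("v")
    major, _, minor = number.partition(".")
    return (1 if family.upper() == "TLS" else 0, int(major), int(minor or 0))


@dataclass
class GatewayConfig:
    name: str
    auth_factors: tuple[str, ...]   # factor types the user must present
    min_protocol: str               # oldest protocol version the gateway still accepts
    session_timeout_min: int        # 0 = sessions never time out
    validate_server_cert: bool      # server presents a valid, authenticated certificate
    client_cert_required: bool      # policy says a client certificate is required
    client_cert_enforced: bool      # connection is actually refused without one
    public_computers_allowed: bool
    cache_cleanup: tuple[str, ...]  # session data classes purged at logout


def audit_gateway(cfg: GatewayConfig, policy: dict = POLICY) -> list[str]:
    """Return one finding per failed audit step, in step order of the checks below."""
    findings: list[str] = []
    if policy["require_two_factor"] and len(set(cfg.auth_factors)) < 2:        # 25.1.1.1.2
        findings.append("single-factor user authentication")
    if not 0 < cfg.session_timeout_min <= policy["max_session_timeout_min"]:    # 25.1.1.1.7
        findings.append(f"session time-out of {cfg.session_timeout_min} min outside policy")
    if protocol_rank(cfg.min_protocol) < protocol_rank(policy["min_protocol"]):  # 25.1.1.1.8
        findings.append(f"accepts {cfg.min_protocol}, below policy floor {policy['min_protocol']}")
    if not cfg.validate_server_cert:                                             # 25.1.1.1.9
        findings.append("server certificate not validated before connection")
    if cfg.public_computers_allowed and not policy["allow_public_computers"]:    # 25.1.1.1.11
        findings.append("connections from public computers permitted")
    if cfg.client_cert_required and not cfg.client_cert_enforced:                # 25.1.1.1.12
        findings.append("client certificate required by policy but not enforced")
    missing = REQUIRED_CLEANUP - set(cfg.cache_cleanup)                           # 25.1.1.1.5
    if missing:
        findings.append("session data not purged at logout: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample configurations: a weak legacy gateway and a hardened one.
WEAK = GatewayConfig("vpn-legacy", ("password",), "SSLv3", 0,
                     False, True, False, True, ("history",))
HARDENED = GatewayConfig("vpn-prod", ("password", "hardware_token"), "TLSv1.2", 15,
                         True, True, True, False, tuple(REQUIRED_CLEANUP))

if __name__ == "__main__":
    for gw in (WEAK, HARDENED):
        print(gw.name, audit_gateway(gw) or ["no findings"])
```

The weak gateway produces seven findings (one per failed step); the hardened one produces none. The version comparison treats any SSL version as older than any TLS version, so a floor of TLSv1.2 rejects both SSLv3 and TLSv1.0.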
26. SSL VPN Awareness Program (COBIT: DS1.6, DS7; COSO: X X X)
Control: User education and security awareness is provided on a regular basis and
participation by all users of the enterprise's VPN facilities is required.
26.1.1.1 Determine that VPN awareness and security programs are routinely and
regularly offered.
26.1.1.2 Determine if the security awareness program addresses VPN use policy.
26.1.1.3 Evaluate how the follow-up process is maintained to assure user participation.
26.1.1.4 Determine if participation is documented in logs or sign-in sheets.
27. VPN Appliances
28. VPN Appliance Configuration and Vendor Support (COBIT: DS9.2; COSO: X)
Control: VPN appliances are maintained with the most current configuration,
and support is readily available from the vendor.
28.1.1.1.1 Verify that the most current configuration of the VPN appliance
has been applied.
28.1.1.1.2 Determine that a vendor support contract or vendor support option
is available.
29. VPN Appliance Configuration Best Practices (COBIT: DS5.7, DS5.9, DS5.10, DS9.2; COSO: X)
Control: Vendor-suggested and other best practices are applied to VPN
appliance configuration.
29.1.1.1.1 Determine if the VPN appliance vendor offers best practice
guidance.
29.1.1.1.2 Determine if the VPN appliance configuration is in compliance
with vendor guidance.
30. VPN Clients Installed on Specific Computers
31. VPN Clients Are Securely Configured (COBIT: DS5.4, DS5.5, DS9.2, DS10; COSO: X)
Control: VPN clients are configured using vendor-suggested and other best
practices in compliance with organization security policies.
31.1.1.1.1 Determine if strong user authentication has been implemented:
 Two-factor authentication
 Password AND hardware tokens, digital certificates or smart
cards
31.1.1.1.2 Determine if user computer identity verification has been
implemented:
 User computer is in compliance with organization security
requirements and policies
 Validation of user computer identity and configuration:
- Personal firewall configuration

- Antivirus/malware configuration and currency of pattern files
- Required security patches
- Limitation of split tunneling [5]
- Evaluation of registry entries
31.1.1.1.3 Determine if resource availability, system functionality and
application access are limited to authorized individuals, based on
satisfying the configuration parameters considered above.
32. VPN Clients Are Installed Based on Job Functional Need (COBIT: PO2.3, DS9.2; COSO: X)
Control: VPN clients are installed on user computers based on data
classification policy of applications installed on computer or on another
request.
32.1.1.1.1 Determine if the data classification policy requires a VPN be
installed as a condition of accessing specific sensitive data.
32.1.1.1.2 Select a sample of computers with the VPN installed and
determine if the data classification policy/VPN policy is practiced.
33. VPNs Installed on “Bring Your Own Device” Adhere to Information Security Policy (COBIT: DS5.9, DS5.10, DS9.2; COSO: X)
Control: VPNs installed on non-enterprise owned equipment subscribe to
minimum security standards.
33.1.1.1.1 Determine if user computer identity verification has been
implemented:
 User computer in compliance with enterprise security
requirements and policies
 Validation of user computer identity and configuration:
- Personal firewall configuration
- Antivirus/malware configuration and currency of pattern
files
- Required security patches
- Limitation of split tunneling [5]
- Evaluation of Registry entries
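The user computer identity verification checks (firewall, antivirus currency, required patches, split tunneling, registry entries) recur in steps 25.1.1.1.3, 31.1.1.1.2 and 33.1.1.1.1, and steps 25.1.1.1.4 and 31.1.1.1.3 state the consequence: a computer that fails the checks, or whose posture cannot be validated at all, gets a sandboxed or limited session rather than full access. The following Python is an added example, not part of the ISACA program or any endpoint-posture product; it models that decision. The Posture fields, the thresholds, the patch identifiers and the registry key are constructed placeholders.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed policy (constructed thresholds and placeholder identifiers).
MAX_PATTERN_AGE_DAYS = 7
REQUIRED_PATCHES = {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"}
EXPECTED_REGISTRY = {r"HKLM\Example\Policy\DiskEncryption": "1"}   # placeholder key/value


@dataclass
class Posture:
    host: str
    firewall_on: Optional[bool]          # None = the client could not report it
    av_on: Optional[bool]
    pattern_date: Optional[date]         # date of the antivirus pattern file
    patches: frozenset[str]              # installed patch identifiers
    split_tunneling: Optional[bool]
    registry: Optional[dict[str, str]]   # values read for the keys policy cares about


def evaluate_posture(p: Posture, today: date) -> tuple[str, list[str]]:
    """Return ("full" | "restricted", reasons).

    "restricted" is the secure-desktop / sandbox path for computers that fail
    a check or whose posture could not be validated (steps 25.1.1.1.4, 31.1.1.1.3).
    """
    reasons: list[str] = []
    unknown: list[str] = []
    if p.firewall_on is None:
        unknown.append("personal firewall")
    elif not p.firewall_on:
        reasons.append("personal firewall disabled")
    if p.av_on is None or p.pattern_date is None:
        unknown.append("antivirus state")
    else:
        if not p.av_on:
            reasons.append("antivirus disabled")
        age = (today - p.pattern_date).days
        if age > MAX_PATTERN_AGE_DAYS:
            reasons.append(f"pattern file {age} days old")
    missing = REQUIRED_PATCHES - p.patches
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if p.split_tunneling is None:
        unknown.append("split tunneling")
    elif p.split_tunneling:
        reasons.append("split tunneling enabled")
    if p.registry is None:
        unknown.append("registry settings")
    else:
        bad = [k for k, v in EXPECTED_REGISTRY.items() if p.registry.get(k) != v]
        if bad:
            reasons.append("registry values out of policy: " + ", ".join(bad))
    if unknown:   # could not validate: treated like a failure, not like a pass
        reasons.append("unable to validate: " + ", ".join(unknown))
    return ("full" if not reasons else "restricted", reasons)


# Constructed sample endpoints, evaluated as of a constructed date.
TODAY = date(2012, 5, 1)
MANAGED = Posture("lt-0001", True, True, date(2012, 4, 29),
                  frozenset(REQUIRED_PATCHES), False, dict(EXPECTED_REGISTRY))
STALE = Posture("lt-0002", True, True, date(2012, 4, 1),
                frozenset({"PATCH-PLACEHOLDER-1"}), True, dict(EXPECTED_REGISTRY))
BYOD_NO_AGENT = Posture("byod-0003", None, None, None, frozenset(), None, None)

if __name__ == "__main__":
    for ep in (MANAGED, STALE, BYOD_NO_AGENT):
        print(ep.host, *evaluate_posture(ep, TODAY))
```

The managed laptop gets full access; the stale laptop is restricted for an old pattern file, a missing patch and split tunneling; the device without an agent is restricted because its posture cannot be validated, which is the case step 25.1.1.1.4 is about.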
34. VPN Access Is Removed Upon Termination or Transfer (COBIT: DS5.4, DS5.10; COSO: X)
Control: VPN access is terminated or removed as part of the user
deprovisioning process.
34.1.1.1.1 Obtain the deprovisioning procedure.
34.1.1.1.2 Determine that the VPN deactivation is part of the deprovisioning
process.
34.1.1.1.3 Obtain a sample of recent user terminations and determine that the
VPN privileges for the terminated users have been deactivated.
35. VPN Installation List Review
Control: The list of installed VPNs is reviewed at least annually.
36. Determine if a list of computers or users with VPNs installed exists.
37. If the list exists, determine if the list is reviewed at least annually to ensure that
only authorized users have access to and have an installed VPN.
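Step 34.1.1.1.3 (sample recent terminations and confirm VPN privileges were deactivated) and steps 36 and 37 (confirm an installed-VPN list exists and is reviewed so that only authorized users hold access) are both reconciliations of the VPN account list against another source of truth. The following Python is an added example and not part of the ISACA program; it reconciles a constructed VPN account list against constructed HR records and an approved-user list and groups the exceptions by audit step. The user ids, dates and statuses are placeholders.

```python
from __future__ import annotations
from datetime import date

# Constructed sample data (user ids, dates and statuses are placeholders).
HR_RECORDS = {                      # user id -> (employment status, effective date)
    "u1001": ("active", date(2011, 6, 1)),
    "u1002": ("terminated", date(2012, 3, 30)),
    "u1003": ("terminated", date(2012, 4, 27)),
    "u1004": ("active", date(2010, 2, 15)),
    "u1005": ("active", date(2012, 1, 9)),
    "u1006": ("terminated", date(2012, 4, 30)),
}
VPN_ACCOUNTS = {                    # user id -> account currently enabled on the VPN gateway
    "u1001": True, "u1002": True, "u1003": False, "u1004": True,
    "u1005": True, "u1006": True, "ctr-0042": True,
}
APPROVED_VPN_USERS = {"u1001", "u1004"}   # the approved access list reviewed under step 37


def reconcile(hr: dict, vpn: dict, approved: set, as_of: date,
              grace_days: int = 1) -> dict[str, list[str]]:
    """Compare enabled VPN accounts with HR status and the approved list.

    grace_days allows the deprovisioning process a short window after the
    termination date before an enabled account counts as an exception.
    """
    findings: dict[str, list[str]] = {
        "not_deprovisioned": [],   # step 34.1.1.1.3
        "orphan_account": [],      # step 37: no HR record behind the account
        "unapproved_active": [],   # step 37: enabled but not on the approved list
    }
    for uid in sorted(vpn):
        if not vpn[uid]:
            continue                          # disabled accounts raise no finding
        rec = hr.get(uid)
        if rec is None:
            findings["orphan_account"].append(uid)
            continue
        status, effective = rec
        if status == "terminated":
            if (as_of - effective).days > grace_days:
                findings["not_deprovisioned"].append(uid)
        elif uid not in approved:
            findings["unapproved_active"].append(uid)
    return findings


if __name__ == "__main__":
    for kind, users in reconcile(HR_RECORDS, VPN_ACCOUNTS, APPROVED_VPN_USERS,
                                 date(2012, 4, 30)).items():
        print(f"{kind}: {users or '-'}")
```

As of the constructed review date, u1002 was terminated a month earlier and is still enabled; u1003 was correctly disabled; u1006 was terminated the same day and falls inside the grace window; ctr-0042 has no HR record at all; and u1005 is an active employee who was never approved for VPN access.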
37.1 VPN Architecture
Audit/Assurance Objective: The VPN architecture is reviewed on a regular basis to ensure the
solution is current and addresses the risk and vulnerability issues identified in risk
assessments.
38. VPN Architecture Review PO2.1
Control: VPN architecture review is conducted on a regular basis. PO3
38.1.1.1 Determine if the VPN architecture review process is documented.
38.1.1.2 Determine the date of the most recent VPN architecture review.
38.1.1.3 Evaluate the effectiveness of the most recent review.
38.1.1.4 Determine if a vulnerability exists due to out-of-date technology.

39. Maintenance and Monitoring


39.1 Patch Management
Audit/Assurance Objective: VPN technology is included in the routine patch management process.
40. Patch Management Administration (COBIT: AI6, AI7, DS9.2; COSO: X)
Control: Patch management of VPN technology is included in the configuration change management processes.
40.1.1.1 Scan the change management system for configuration changes affecting the VPN technologies.
40.1.1.2 Determine if the change management process implemented for VPN maintenance is in compliance with the installation change management procedure.
40.2 Integration of VPN Technologies With the Help Desk
Audit/Assurance Objective: VPN support requests are processed routinely through the help desk.
41. VPN Support Is Provided by the Help Desk (COBIT: DS8, DS10; COSO: X)
Control: VPN support is a help desk task with appropriate controls and procedures.
41.1.1.1 Obtain the help desk procedures.
41.1.1.2 Determine if VPN support tasks are included in the help desk procedures.
41.1.1.3 Determine if VPN issues are reported in the incident reporting/issue monitoring system.
41.1.1.4 Select VPN-related incidents from the help desk, incident reporting and/or issue monitoring system.
41.1.1.5 Determine that the issues were closed on a timely basis and in an effective manner.

41.2 VPN Capacity Planning
Audit/Assurance Objective: VPN utilization and resource requirements are integrated into the installation capacity plan.
42. VPN Capacity Planning (COBIT: DS3; COSO: X)
Control: The capacity plan incorporates the resources required by the VPN, and such resources are actively monitored.
42.1.1.1 Obtain the installation capacity plan.
42.1.1.2 Determine that VPN technologies are included in the plan.
42.1.1.3 Evaluate capacity reports to determine that VPN resource utilization is monitored and the necessary adjustments are implemented in a timely manner.
42.2 VPN Monitoring
Audit/Assurance Objective: Processes exist to monitor VPN usage and to identify unauthorized activities and usage.
43. VPN Monitoring (COBIT: DS5.5)
Control: VPN usage is monitored for unauthorized use.
43.1.1.1 Determine the process for reviewing VPN usage (see footnote 6).
43.1.1.2 Select a sample of VPN usage violations. Determine how the violations were investigated and the actions taken.

Footnote 6: Due to high volume, logging should be automated and unusual activities should be defined in an automated extract process.
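Footnote 6 asks for "unusual activities" to be defined in an automated extract rather than found by reading raw logs. The following added example (not ISACA's material, and not the output format of any particular VPN gateway) shows one such extract: it parses constructed gateway log lines and flags four definitions of unusual activity a reviewer in step 43.1.1.1 would expect to see documented: a burst of failed logins, a successful login outside business hours, a successful login from a second country shortly after the first, and any login by a user who is not on the authorized installation list. The log format, user names, addresses (documentation ranges), thresholds and the authorized list are all constructed assumptions.

```python
"""Added example (not ISACA's material): an automated extract of unusual
VPN activity in the sense of footnote 6. The log format, users, addresses,
thresholds and authorized-user list are constructed for the illustration."""
import re
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed log format: one key=value line per gateway event.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+) geo=(?P<geo>\S+)$"
)

# Constructed sample log; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2012-05-14T09:02:11Z vpn-gw01 user=jdoe src=198.51.100.7 event=login result=success geo=US
2012-05-14T09:03:00Z vpn-gw01 keepalive
2012-05-14T09:05:40Z vpn-gw01 user=asmith src=203.0.113.9 event=login result=failure geo=US
2012-05-14T09:05:52Z vpn-gw01 user=asmith src=203.0.113.9 event=login result=failure geo=US
2012-05-14T09:06:03Z vpn-gw01 user=asmith src=203.0.113.9 event=login result=failure geo=US
2012-05-14T09:06:15Z vpn-gw01 user=asmith src=203.0.113.9 event=login result=failure geo=US
2012-05-14T09:06:30Z vpn-gw01 user=asmith src=203.0.113.9 event=login result=failure geo=US
2012-05-14T10:15:00Z vpn-gw01 user=jdoe src=192.0.2.44 event=login result=success geo=BR
2012-05-14T23:40:12Z vpn-gw01 user=bwong src=198.51.100.80 event=login result=success geo=US
2012-05-14T23:41:00Z vpn-gw01 user=svc-old src=198.51.100.81 event=login result=success geo=US
"""

# Definitions of "unusual" (constructed thresholds a policy would set).
AUTHORIZED_USERS = {"jdoe", "asmith", "bwong"}   # from the VPN installation list (control 35)
BUSINESS_HOURS = (7, 20)                         # local hours treated as normal
FAIL_THRESHOLD = 5                               # failures per user ...
FAIL_WINDOW = timedelta(minutes=5)               # ... within this window
TRAVEL_WINDOW = timedelta(hours=2)               # two countries inside this window


def parse(text):
    """Parse log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def extract_unusual(events):
    """Return (kind, user, timestamp) alerts for the unusual activities defined above."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logins
    last_success = {}              # user -> most recent successful login event
    for ev in events:
        if ev["user"] not in AUTHORIZED_USERS:
            alerts.append(("unauthorized_user", ev["user"], ev["ts"]))
        if ev["event"] != "login":
            continue
        if ev["result"] == "failure":
            window = failures[ev["user"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > FAIL_WINDOW:
                window.pop(0)          # drop failures older than the window
            if len(window) == FAIL_THRESHOLD:
                alerts.append(("failed_login_burst", ev["user"], ev["ts"]))
            continue
        # Successful login: off-hours and rapid country change checks.
        if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append(("off_hours_login", ev["user"], ev["ts"]))
        prev = last_success.get(ev["user"])
        if prev and prev["geo"] != ev["geo"] and ev["ts"] - prev["ts"] <= TRAVEL_WINDOW:
            alerts.append(("geo_change", ev["user"], ev["ts"]))
        last_success[ev["user"]] = ev
    return alerts


if __name__ == "__main__":
    for kind, user, ts in extract_unusual(parse(SAMPLE_LOG)):
        print(ts.isoformat(), kind, user)
```

The burst rule fires once, when the fifth failure lands inside the window, rather than on every later failure; that keeps the extract readable when a single account is hammered. The extract is what step 43.1.1.2 samples from: each alert should map to a recorded investigation and outcome, and a definition with no alerts over a review period is itself worth questioning.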

VII. Maturity Assessment


The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance reviews, and the reviewer’s observations, assign a maturity level to each of the following COBIT 4.1 control practices. When completing this assessment, focus the evaluation on how the VPN implementation relates to each of the issues identified in the following table.

Table columns: COBIT 4.1 Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments
DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorise access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorisation criteria for assigning user access rights take into account:
• Sensitivity of information and applications involved (data classification)
• Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
• Roles and responsibilities as defined within the enterprise
• The need-to-have access rights associated with the function
• Standard but individual user access profiles for common job roles in the organisation
• Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorising users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organisation, or who have changed roles or jobs.

DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
• Using unique user IDs to enable users to be linked to and held accountable for their actions
• Awareness that the use of group IDs results in the loss of individual accountability and are permitted only when justified for business or operational reasons and compensated by mitigating controls. Group IDs must be approved and documented
• Checking that the user has authorisation from the system owner for the use of the information system or service, and the level of access granted is appropriate to the business purpose and consistent with the organisational security policy
• A procedure to require users to understand and acknowledge their access rights and the conditions of such access
• Ensuring that internal and external service providers do not provide access until authorisation procedures have been completed
• Maintaining a formal record, including access levels, of all persons registered to use the service
• A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job changes, such as transfer, promotion, demotion or termination of employment. Authorisations for special privileged access rights should be reviewed independently at more frequent intervals.

DS5.5 Security Testing, Surveillance and Monitoring
1. Implement monitoring, testing, reviews and other controls to:
• Promptly prevent/detect errors in the results of processing
• Promptly identify attempted, successful and unsuccessful security breaches and incidents
• Detect security events and thereby prevent security incidents by using detection and prevention technologies
• Determine whether the actions taken to resolve a breach of security are effective
2. Conduct effective and efficient security testing procedures at regular intervals to:
• Verify that identity management procedures are effective
• Verify that user account management is effective
• Validate that security-relevant system parameter settings are defined correctly and are in compliance with the information security baseline
• Validate that network security controls/settings are configured properly and are in compliance with the information security baseline
• Validate that security monitoring procedures are working properly
• Consider, where necessary, obtaining expert reviews of the security perimeter

DS5.7 Protection of Security Technology
1. Ensure that all hardware, software and facilities related to the security function and controls, e.g., security tokens and encryptors, are tamperproof.
2. Secure security documentation and specifications to prevent unauthorised access. However, do not make security of systems reliant solely on secrecy of security specifications.
3. Make the security design of dedicated security technology (e.g., encryption algorithms) strong enough to resist exposure, even if the security design is made available to unauthorised individuals.
4. Evaluate the protection mechanisms on a regular basis (at least annually) and perform updates to the protection of the security technology, if necessary.

DS5.8 Cryptographic Key Management
1. Ensure that there are appropriate procedures and practices in place for the generation, storage and renewal of the root key, including dual custody and observation by witnesses.
2. Make sure that procedures are in place to determine when a root key renewal is required (e.g., the root key is compromised or expired).
3. Create and maintain a written certification practice statement that describes the practices that have been implemented in the certification authority, registration authority and directory when using a public-key-based encryption system.
4. Create cryptographic keys in a secure manner. When possible, enable only individuals not involved with the operational use of the keys to create the keys. Verify the credentials of key requestors (e.g., registration authority).
5. Ensure that cryptographic keys are distributed in a secure manner (e.g., offline mechanisms) and stored securely, that is:
• In an encrypted form regardless of the storage media used (e.g., write-once disk with encryption)
• With adequate physical protection (e.g., sealed, dual custody vault) if stored on paper
6. Create a process that identifies and revokes compromised keys. Notify all stakeholders as soon as possible of the compromised key.
7. Verify the authenticity of the counterparty before establishing a trusted path.
DS5.9 Malicious Software Prevention, Detection and Correction
1. Establish, document, communicate and enforce a malicious software prevention policy in the organisation. Ensure that people in the organisation are aware of the need for protection against malicious software, and their responsibilities relative to same.
2. Install and activate malicious software protection tools on all processing facilities, with malicious software definition files that are updated as required (automatically or semi-automatically).
3. Distribute all protection software centrally (version and patch-level) using centralised configuration and change management.
4. Regularly review and evaluate information on new potential threats.
5. Filter incoming traffic, such as email and downloads, to protect against unsolicited information (e.g., spyware, phishing emails).

DS5.10 Network Security
1. Establish, maintain, communicate and enforce a network security policy (e.g., provided services, allowed traffic, types of connections permitted) that is reviewed and updated on a regular basis (at least annually).
2. Establish and regularly update the standards and procedures for administering all networking components (e.g., core routers, DMZ, VPN switches, wireless).
3. Properly secure network devices with special mechanisms and tools (e.g., authentication for device management, secure communications, strong authentication mechanisms). Implement active monitoring and pattern recognition to protect devices from attack.
4. Configure operating systems with minimal features enabled (e.g., features that are necessary for functionality and are hardened for security applications). Remove all unnecessary services, functionalities and interfaces (e.g., graphical user interface [GUI]). Apply all relevant security patches and major updates to the system in a timely manner.
5. Plan the network security architecture (e.g., DMZ architectures, internal and external network, IDS placement and wireless) to address processing and security requirements. Ensure that documentation contains information on how traffic is exchanged through systems and how the structure of the organisation’s internal network is hidden from the outside world.
6. Subject devices to reviews by experts who are independent of the implementation or maintenance of the devices.

DS9.2 Identification and Maintenance of Configuration Items
1. Define and implement a policy requiring all configuration items and their attributes and versions to be identified and maintained.
2. Tag physical assets according to a defined policy. Consider using an automated mechanism, such as barcodes.
3. Define a policy that integrates incident, change and problem management procedures with the maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative attributes and versions. Identify and maintain the relationships between configuration items in the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions (component failure impact analysis).
7. Record all assets—including new hardware and software, procured or internally developed—within the configuration management data repository.
8. Define and implement a process to ensure that valid licences are in place to prevent the inclusion of unauthorised software.

VIII. Maturity Assessment vs. Target Assessment


This spider graph is an example of the assessment results and maturity target for a VPN security assessment.

[Figure: spider graph with one axis per COBIT 4.1 control practice (DS5.3 Identity Management; DS5.4 User Account Management; DS5.5 Security Testing, Surveillance and Monitoring; DS5.7 Protection of Security Technology; DS5.8 Cryptographic Key Management; DS5.9 Malicious Software Prevention, Detection and Correction; DS5.10 Network Security; DS9.2 Identification and Maintenance of Configuration Items), scale ticks 0 and 4 shown, two series plotted: Assessment and Target.]