Network Perimeter Risk

Document Name: Risk Control Matrix (RCM)
Project Reference:
Version Reference:
Document Owner:
Reviewed By:
Date:

Risk
S.NO | Process | Objective Name | Objective Description | Risk Name | Risk Description | Risk Significance | Risk Type
1 | Review of Network Perimeter Risk | Code* | To ensure proper documentation of network architecture for the scoped environment. | Code* | Inadequate implementation of security controls due to lack of understanding of information flow and network connectivity. | Medium | Planning
2 | Review of Network Perimeter Risk | Code* | To ensure periodic review of network device rules and configuration settings. | Code* | Exposure of sensitive or critical business applications due to unauthorized or unsecure connections to the network. | High | Unauthorized use
3 | Review of Network Perimeter Risk | Code* | Establishment of trust zones for assigning appropriate security, based upon the sensitivity of the data processed in the zones. | Code* | Insufficient segregation of highly sensitive networks from other networks may expose sensitive information resources to unauthorized access. | High | Authority/limit
4 | Review of Network Perimeter Risk | Code* | Establishment of trust zones for assigning appropriate security, based upon the sensitivity of the data processed in the zones. | Code* | Insufficient segmentation of the network may expose the internal network to the outside world, which can lead to compromise of the network. | High | Authority/limit
5 | Review of Network Perimeter Risk | Code* | To ensure proper segregation of duties in the perimeter network components from the rest of the network. | Code* | Insufficient segregation of duties may expose sensitive information of the enterprise to unauthorized individuals, who can misuse the access. | High | Authority/limit
6 | Review of Network Perimeter Risk | Code* | To ensure proper access control for the physical and logical network. | Code* | Inappropriate control over physical and logical access to diagnostic and configuration network ports may result in unauthorized access to network services. | High | Access
7 | Review of Network Perimeter Risk | Code* | To ensure a formal process for approving and testing all network connections and configuration changes. | Code* | Without formal approval and testing of changes, network services can be disrupted and security loopholes can be opened. | High | Access
8 | Review of Network Perimeter Risk | Code* | To ensure vendor defaults are removed or changed. | Code* | Unauthorized access and compromise of network devices by malicious individuals due to known default settings. | High | Access
9 | Review of Network Perimeter Risk | Code* | To ensure protection of scoped systems and network devices against malware and viruses. | Code* | Outdated antivirus is vulnerable to published exploits, often called "zero day" (an attack that exploits a previously unknown vulnerability), against otherwise secured systems. | High | Integrity
10 | Review of Network Perimeter Risk | Code* | To ensure classification of vulnerabilities on the basis of risk ranking. | Code* | Delay in mitigation of critical vulnerabilities, which can be exploited, due to lack of a severity rating or ranking. | Medium | Access
11 | Review of Network Perimeter Risk | Code* | To ensure least-privilege access for authorized personnel. | Code* | Failure to assign roles on the basis of least privilege can expose data to unauthorized personnel. | Medium | Access
12 | Review of Network Perimeter Risk | Code* | To ensure proper account management for third parties inside the scoped environment. | Code* | Unauthorized access by a malicious individual from the third-party network. Creation of backdoors for easy access to the organization's network. | High | Access
13 | Review of Network Perimeter Risk | Code* | To ensure invalid access attempts are blocked. | Code* | Subject to brute-force attacks due to lack of an account-lockout mechanism. | Medium | Access
14 | Review of Network Perimeter Risk | Code* | To ensure strong authentication. | Code* | A malicious individual can compromise a system by exploiting weak or nonexistent passwords. | High | Access
15 | Review of Network Perimeter Risk | Code* | To ensure a proper authentication procedure. | Code* | Malicious individuals can use "social engineering" (for example, calling a help desk and acting as a legitimate user) to have a password changed so they can utilize a user ID. | Medium | Access
16 | Review of Network Perimeter Risk | Code* | To ensure integrity and availability of logs. | Code* | Malicious users can attempt to alter audit logs to hide their actions if they have access to logs and network devices. | High | Access
17 | Review of Network Perimeter Risk | Code* | To ensure that routers are configured with secure configurations and factory default settings are removed, to achieve an optimum level of security. | Code* | Malicious users can perform various attacks against weak protocols like Telnet: communication sniffing, router hijacking and brute-force attacks. In addition, attackers can change the routing if proper access controls are not in place. | High | Unauthorized use
18 | Review of Network Perimeter Risk | Code* | To ensure correct placement of the routers in the network to achieve maximum security. | Code* | Incorrect placement of the routers coupled with insecure configuration can lead to network compromise. | High | Unauthorized use
19 | Review of Network Perimeter Risk | Code* | To ensure acceptable performance, limit access to restricted network segments and provide assurance that only authorized technicians have access to the switch management facility. | Code* | Unauthorized modification of switch configurations due to lack of passwords or execution of malicious scripts. | High | Unauthorized use
20 | Review of Network Perimeter Risk | Code* | To ensure acceptable performance, limit access to restricted network segments and provide assurance that only authorized technicians have access to the switch management facility. | Code* | Exploitation of vulnerable switches by malicious users to gain access to the network. | High | Unauthorized use
21 | Review of Network Perimeter Risk | Code* | To ensure that firewalls are configured to provide maximum security to sensitive data, and that policies and standards are established to identify the required firewall rules. | Code* | Improper or missing ruleset configuration can open access for malicious individuals into the secure zone of the network. | High | Unauthorized use
22 | Review of Network Perimeter Risk | Code* | To ensure that firewalls are configured to provide maximum security to sensitive data, and that policies and standards are established to identify the required firewall rules. | Code* | Malicious users can take advantage of insecure services and ports. | Medium | Unauthorized use
23 | Review of Network Perimeter Risk | Code* | To achieve secure wireless networking with encryption features and authentication. | Code* | Sniffing of information and man-in-the-middle attacks due to lack of strong encryption and authentication. | High | Access
24 | Review of Network Perimeter Risk | Code* | To ensure that intrusion detection tools are employed to identify and monitor intrusions. | Code* | Malicious users can attack the internal network with zero-day vulnerabilities and their exploits. | High | Access
25 | Review of Network Perimeter Risk | Code* | To identify security vulnerabilities via network security assessments for timely mitigation of the vulnerabilities. | Code* | A malicious user or disgruntled employee can take advantage of default configuration settings for unauthorized access to the network. For instance, the access of a terminated user has not been revoked and they take this opportunity to disrupt the network. | High | Access
26 | Review of Network Perimeter Risk | Code* | To identify security vulnerabilities via network security assessments for timely mitigation of the vulnerabilities. | Code* | Malicious users can take advantage of exploitable vulnerabilities to gain access to network components. | Medium | Unauthorized use
27 | Review of Network Perimeter Risk | Code* | User activities are logged to identify all malicious activities. | Code* | Missing chain of evidence for malicious activities conducted by the user due to lack of centralized logs. System logs are susceptible to deletion/modification if compromised. | Medium | Unauthorized use
28 | Review of Network Perimeter Risk | Code* | Critical network devices should be recovered during a disaster in order to continue the business operations. | Code* | Lack of a business continuity plan can make business recovery difficult and delayed, which can cause significant business loss. | High | Infrastructure
29 | Review of Network Perimeter Risk | Code* | The operating systems for servers and other network appliances operating on the network should be configured for maximum security (hardened). | Code* | Systems and network operating systems with default configurations are at high risk of compromise, as default configurations are easily available to malicious individuals. | High | Unauthorized use
30 | Review of Network Perimeter Risk | Code* | To prevent unauthorized physical access, damage and interference to the organization's premises and information. | Code* | Without physical security controls, unauthorized persons could potentially gain access to the facility to steal, disable, disrupt, or destroy critical systems. | High | Access
31 | Review of Network Perimeter Risk | Code* | To maintain the integrity and availability of information and information processing facilities. | Code* | If backup information is stored in a non-secured facility, backups that contain sensitive data may easily be lost, stolen, or copied for malicious intent. | Medium | Infrastructure
32 | Review of Network Perimeter Risk | Code* | To detect security incidents, network disruption and unauthorized activities. | Code* | Without adequate monitoring, identification of incidents and attacks can take longer, and malicious users can take this opportunity to perform their tasks. | Medium | Unauthorized use
33 | Review of Network Perimeter Risk | Code* | To ensure information security events and weaknesses associated with information systems are communicated so that timely corrective actions can be taken. | Code* | Without effective incident management, an incident can rapidly disrupt business operations, information security, IT systems, employees or customers and other vital business functions. | High | Unauthorized use
34 | Review of Network Perimeter Risk | Code* | To ensure secure remote communication for all external connections. | Code* | Malicious users can execute various types of attacks, for instance data modification or data destruction, if data does not traverse a secure channel. In addition, unencrypted information is vulnerable to sniffing. | High | Access
35 | Review of Network Perimeter Risk | Code* | Alignment of VPN policies with information security policies to achieve security and corporate compliance. | Code* | Non-compliance with the security policy for VPN can lead to information leakage or network/system compromise. | Medium | Regulatory
36 | Review of Network Perimeter Risk | Code* | Best security practices are implemented for VPN architectures. | Code* | Lack of required host security software on public machines can lead to compromise of the VPN connection. Session hijacking if the remote connection is not adequately protected. Spread of malware in case the public host machine is infected. | High | Unauthorized use
37 | Review of Network Perimeter Risk | Code* | Best security practices are implemented for VPN architectures. | Code* | Lack of user education and security awareness can cause security risks to your organization, since unaware users can access the VPN through any public terminal that does not meet your corporate security policies and standards. | Medium | Unauthorized use
38 | Review of Network Perimeter Risk | Code* | Best security practices are implemented for VPN architectures. | Code* | Without an adequate de-provisioning process and a VPN access review, terminated users or authorized users can expose confidential information to the outside world. | High | Unauthorized use
39 | Review of Network Perimeter Risk | Code* | To identify unauthorized access and malicious activities and maintain secure authentication on the network devices. | Code* | If access to network devices is not restricted through VLAN/static IP/LANVPN etc. to only those users who require such access for business needs, there is an increased risk of unauthorized access to these devices. | High | Access
Control Name | Control Description | Test Description | Testing Evidence/WP reference | Review Status | Manager's Review Comments | Auditor's Reply to Manager Comments
Code* | The organization maintains the physical and logical diagrams of networking devices, including the flow of network traffic. The diagrams are updated and approved by the management whenever there is a change in the network. | 1. Select a sample of systems or architectures that pertain to the testing location. Obtain physical and logical diagrams for each system or architecture selected. Verify by technical inspection that the diagrams reflect the system or architecture in question. Confirm that the diagrams represent the up-to-date mapping of internal and external connectivity between the various network segments.
Code* | A regular review of the firewall and router rule sets is conducted at least every six (6) months. | 1. Verify that firewall and router configuration standards require review of firewall and router rule sets at least every six months. 2. Obtain and examine documentation to verify that the rule sets are reviewed at least every six months.
Code* | A trust zone is assigned to each network node, according to the sensitivity of the data traversing the network. | 1. Review the overall perimeter security strategy and policy to verify that no one individual is allowed access to all the components of an enterprise's network security structure. 2. Review the network inventory or schematic of the network, and verify with knowledgeable IT network personnel that all of the physical access points to the information assets have been identified. 3. Verify that all connections to the network have been classified as trusted, based on the level of control required by the security policy. Four potential classifications for interconnected systems are: • Trusted: Systems that are under direct control of the enterprise • Semi-trusted: Authenticated access required to protect exposed systems not accessible by the public • Untrusted: Authenticated access required to specific information resources on exposed, publicly accessible systems
Code* | The organization has implemented network segmentation according to the trust zone classifications. | 1. Review the DMZ architecture in place and determine if it appears appropriate given the trust classifications and protocols associated with the connections to the network services. 2. Verify that the enterprise's internal network is on its own network segment and that services (e-mail, web, FTP, etc.) accessed from outside connections are classified into appropriate trust zones and partitioned or segmented appropriately.
Code* | The organization has defined the segregation of duties on the basis of roles and business requirements. | Obtain the list of individuals from different departments and verify their roles and authorization to perform their duties.
Code* | As a policy, all remote administration is performed over an encrypted channel with a secure client and strong authentication. | Verify that remote administration is performed with a secure client using strong authentication mechanisms.
Code* | The organization has defined a formal process for approving and testing all network connections and changes to the firewall, router and all other network device configurations. This should also include any type of infrastructure change to the devices, including switches and other network devices. The organization should follow a defined quality change control and testing process with established baselines, testing and release standards which focus on system availability, confidentiality and integrity of systems and services. | Examine documented procedures to verify there is a formal process for testing and approval of all: - Network connections, and - Changes to firewall and router configuration.
Code* | The organization follows secure practices before configuring any device, such as changing vendor-supplied defaults and removing/disabling unnecessary default accounts before installing a device in the network. | a. Choose a sample of system components, and attempt to log on (with system administrator help) to the devices and applications using default vendor-supplied accounts and passwords, to verify that ALL default passwords (including those on operating systems, software that provides security services, application and system accounts, POS terminals, and Simple Network Management Protocol (SNMP) community strings) have been changed. (Use vendor manuals and sources on the Internet to find vendor-supplied accounts/passwords.) b. For the sample of system components, verify that all unnecessary default accounts (including accounts used by operating systems, security software, applications,
Code* | As a policy, the organization keeps all anti-virus definitions up to date, performs periodic scans and generates audit logs as per the requirements. | 1. Examine policies and procedures to verify that anti-virus software and definitions are required to be kept up to date. 2. Examine anti-virus configurations, including the master installation of the software, to verify that anti-virus mechanisms are: a. Configured to perform automatic updates, and b. Configured to perform periodic scans.
Code* | The organization classifies the risk criteria for the identified vulnerabilities. The vulnerabilities are prioritized and mitigated as per the business risk. | Examine policies and procedures to verify that processes are defined for the following: 1. To identify new security vulnerabilities 2. To assign a risk ranking to vulnerabilities that includes identification of all "high risk" and "critical" vulnerabilities. 3. To use reputable outside sources for security vulnerability information.
Code* | The organization provides access on the basis of job responsibilities. Access permission reviews are conducted at least every six (6) months. Unauthorized access identified is revoked immediately. | Examine the written policy for access control, and verify that the policy incorporates: 1. Defining access needs and privilege assignments for each role 2. Restriction of access to privileged user IDs to the least privileges necessary to perform job responsibilities 3. Assignment of access based on individual personnel's job classification and function 4. Documented approval (electronically or in writing) by authorized parties for all access, including a listing of the specific privileges approved.
Code* | The organization manages IDs used by third parties with proper restriction to access, support, or maintain system components onsite or via remote access. | Interview personnel and observe processes for managing accounts used by third parties to access, support, or maintain system components to verify that accounts used for remote access are: 1. Disabled when not in use 2. Enabled only when needed by the third party, and disabled
Code* | The organization has limited repeated access attempts by locking out the user ID after not more than six attempts. (Six attempts is the industry best practice; however, the organization can define the number of attempts as per the business requirement or the criticality of the application or device.) | 1. For a sample of system components, inspect system configuration settings to verify that authentication parameters are set to require that user accounts be locked out after not more than six invalid logon attempts. 2. Review internal processes and customer/user documentation, and observe implemented processes to verify that non-consumer customer user accounts are temporarily locked out after not more than six invalid access attempts.
Code* | The organization has implemented proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users: 1. Something you know, such as a password or passphrase 2. Something you have, such as a token device or smart card 3. Something you are, such as a biometric. | To verify that users are authenticated using a unique ID and additional authentication (for example, a password/phrase) for access to the organization's data environment, perform the following: 1. Examine documentation describing the authentication method(s) used. 2. For each type of authentication method used and for each type of system component, observe an authentication to verify authentication
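Control 13 asks the auditor to inspect configuration settings for the lockout threshold. The following is an added example, not part of the RCM, of how that inspection can be scripted: it reads the threshold from two constructed samples, a Linux pam_faillock configuration fragment and Windows `net accounts` output, and reports a pass/fail finding against the six-attempt limit. Both samples are made up for the example; the file path and field names are the ones those tools actually use.

```python
import re

# Constructed sample: a Linux pam_faillock configuration fragment (not from the page).
FAILLOCK_CONF = """\
# /etc/security/faillock.conf
# deny = 3
deny = 10
unlock_time = 900
"""

# Constructed sample: output of the Windows "net accounts" command (not from the page).
NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          1
Maximum password age (days):                          90
Minimum password length:                              12
Lockout threshold:                                    5
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
"""

MAX_ATTEMPTS = 6  # the RCM's "not more than six attempts"


def faillock_threshold(text):
    """Return the active 'deny' value from a faillock.conf body, or None if
    none is set. Comments are stripped first, so '# deny = 3' does not count;
    if the key appears more than once the parser takes the last active line."""
    value = None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        match = re.match(r"deny\s*=\s*(\d+)$", line)
        if match:
            value = int(match.group(1))
    return value


def net_accounts_threshold(text):
    """Return the 'Lockout threshold' from `net accounts` output, or None.
    Windows prints 'Never' when account lockout is disabled."""
    for line in text.splitlines():
        if line.lower().startswith("lockout threshold"):
            value = line.split(":", 1)[1].strip()
            return int(value) if value.isdigit() else None
    return None


def assess(threshold, max_attempts=MAX_ATTEMPTS):
    """Turn a threshold into the finding an auditor would record for control 13."""
    if threshold is None or threshold == 0:
        return "FAIL: no account lockout configured"
    if threshold > max_attempts:
        return f"FAIL: lockout after {threshold} attempts exceeds the limit of {max_attempts}"
    return f"PASS: lockout after {threshold} attempts"


def audit_lockout():
    """Evaluate both constructed samples and return findings keyed by system."""
    return {
        "linux_faillock": assess(faillock_threshold(FAILLOCK_CONF)),
        "windows_net_accounts": assess(net_accounts_threshold(NET_ACCOUNTS)),
    }


if __name__ == "__main__":
    for system, finding in audit_lockout().items():
        print(f"{system}: {finding}")
```

The Linux sample deliberately carries a commented-out compliant value above a non-compliant active one, the case that fools a grep-based review; the Windows sample passes. A missing setting is reported as a failure rather than skipped, since no lockout at all is the condition risk 13 describes.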
Code* | The organization has defined the criteria for verifying user identity before modifying any authentication credential—for example, performing password resets, provisioning new tokens, or generating new keys. | Examine authentication procedures for modifying authentication credentials and observe security personnel to verify that, if a user requests a reset of an authentication credential by phone, e-mail, web, or other non-face-to-face method, the user's identity is verified before the authentication credential is modified.
Code* | The organization tracks and monitors all access to network resources and secures audit trails so they cannot be altered. | Verify access to all audit trails is logged. Verify invalid logical access attempts are logged. Verify use of identification and authentication mechanisms is logged. Verify all elevation of privileges is logged. Verify all changes, additions, or deletions to any account with root or administrative privileges are logged. Verify the following are logged: 1. Initialization of audit logs 2. Stopping or pausing of audit logs.
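Control 16 requires that audit trails be secured so they cannot be altered, and control 27 has them written to a central log server. One way to make alteration detectable is to chain the records with a keyed hash, so that editing, deleting or reordering any entry invalidates every later tag. The block below is an added illustration of that technique, not the RCM's own procedure; the events, host name and HMAC key are constructed placeholders, and in practice the key would be held by the central log collector rather than by the device producing the logs.

```python
import hashlib
import hmac
import json

# Constructed sample events covering the categories control 16 asks to be logged.
# The key is a placeholder for this example; it must never live on the logged host.
SAMPLE_KEY = b"placeholder-hmac-key-rotate-me"
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T08:01:12Z", "event": "audit_log_initialized", "host": "fw-edge-01"},
    {"ts": "2024-01-15T08:02:40Z", "event": "auth_failure", "user": "jdoe", "src": "10.0.5.23"},
    {"ts": "2024-01-15T08:03:02Z", "event": "privilege_elevation", "user": "jdoe", "to": "enable"},
    {"ts": "2024-01-15T08:04:55Z", "event": "admin_account_change", "user": "root",
     "action": "add", "target": "svc_backup"},
    {"ts": "2024-01-15T08:05:10Z", "event": "audit_log_stopped", "host": "fw-edge-01"},
]

GENESIS = b"\x00" * 32  # fixed predecessor for the first record


def _canonical(record):
    """Serialize a record deterministically so verification is byte-for-byte."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_records(events, key):
    """Attach to every event an HMAC over (previous tag || canonical event).
    Each tag depends on its predecessor, so deleting, reordering or editing
    any record breaks every tag from that point onward."""
    prev = GENESIS
    chained = []
    for event in events:
        tag = hmac.new(key, prev + _canonical(event), hashlib.sha256).digest()
        chained.append({"record": event, "tag": tag.hex()})
        prev = tag
    return chained


def verify_chain(chained, key):
    """Return the index of the first record whose tag fails to verify, or
    None when the whole chain is intact."""
    prev = GENESIS
    for index, entry in enumerate(chained):
        expected = hmac.new(key, prev + _canonical(entry["record"]), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), entry["tag"]):
            return index
        prev = expected
    return None


def tamper_demo(key=SAMPLE_KEY):
    """Chain the sample events, then simulate the two alterations an auditor
    worries about: rewriting a record and silently deleting one."""
    chained = chain_records(SAMPLE_EVENTS, key)
    edited = json.loads(json.dumps(chained))          # deep copy
    edited[2]["record"]["user"] = "someone_else"      # rewrite who elevated privileges
    deleted = chained[:3] + chained[4:]               # drop the admin account change
    return {
        "intact": verify_chain(chained, key),
        "edited_first_bad": verify_chain(edited, key),
        "deleted_first_bad": verify_chain(deleted, key),
    }


if __name__ == "__main__":
    print(tamper_demo())
```

Verification pinpoints the first record that no longer fits the chain, which is exactly the position an edit or deletion occurred at; an attacker who can rewrite records but does not hold the key cannot recompute the tags that follow.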
Code* | As a policy, routers are configured to provide maximum security while providing appropriate access to the network segments. | 1. Review the network schematic, and verify that routers are installed between network segments of differing trust levels. 2. Verify with the network administrator that all unnecessary services and protocols have been removed from all external routers. 3. Determine, where possible, if encrypted passwords have been removed from router configuration files. 4. Determine if all access to routers has been
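Tests 2 and 3 of control 17, like the default-settings check of control 8, are normally performed by reading the device's running configuration. As an added example that is not part of the RCM, the script below audits two constructed IOS-style configurations for the items the risk register names: Telnet enabled on the VTY lines (risk 17), default SNMP community strings (control 8), the HTTP server left on, `enable password` in place of `enable secret`, and the absence of `service password-encryption`. The hostname, hash and SNMP group name are invented; the commands themselves are standard IOS syntax.

```python
# Constructed IOS-style running-config showing the weaknesses risks 8 and 17
# describe; the device name and values are made up for this example.
WEAK_CONFIG = """\
hostname edge-rtr-01
enable password 7 094F471A1A0A
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
 login local
"""

# The same constructed device after vendor defaults and unnecessary services
# are removed and management is restricted to SSH and SNMP v3.
HARDENED_CONFIG = """\
hostname edge-rtr-01
service password-encryption
enable secret 5 $1$PLACEHOLDER$xxxxxxxxxxxxxxxxxxxxxx
no ip http server
snmp-server group NMS-ADMIN v3 priv
line vty 0 4
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}  # vendor defaults per control 8


def audit_router_config(config):
    """Return (severity, finding) tuples for one running-config text."""
    findings = []
    lines = [raw.rstrip() for raw in config.splitlines()]
    current_block = None  # the 'line ...' stanza we are inside, if any
    for raw in lines:
        if not raw.startswith(" "):
            # top-level command: remember whether it opens a 'line' stanza
            current_block = raw if raw.startswith("line ") else None
        line = raw.strip()
        parts = line.split()
        if current_block and line.startswith("transport input"):
            protocols = set(parts[2:])
            if protocols & {"telnet", "all"}:
                findings.append(("High", f"{current_block}: Telnet permitted for remote administration ({line})"))
        if line.startswith("snmp-server community") and len(parts) > 2:
            community = parts[2]
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("High", f"default SNMP community string in use: {community}"))
            if "RW" in parts[3:]:
                findings.append(("High", f"read-write SNMP v1/v2c community configured: {community}"))
        if line == "ip http server":
            findings.append(("Medium", "HTTP management server enabled (unnecessary service)"))
        if line.startswith("enable password"):
            findings.append(("High", "'enable password' used instead of 'enable secret'"))
    if "service password-encryption" not in lines:
        findings.append(("Medium", "service password-encryption not set; line passwords stored in clear text"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for severity, finding in audit_router_config(cfg) or [("-", "no findings")]:
            print(f"[{severity}] {finding}")
```

Run against a real export, the weak/hardened pair becomes the evidence column for tests 2 and 3: each finding names the offending line, so the auditor's working papers can quote it directly.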
Code* | The organization has designed the network architecture such that edge routers terminate at the network firewall and an effective firewall configuration applies appropriate filtering. Also, edge routers use asymmetric keys supported by a Public Key Infrastructure or, alternatively, one of the two standard symmetric key technologies, 3DES or AES. | 1. Identify edge routers within the network architecture. 2. Determine that the edge router terminates (a) at or in front of the DMZ or (b) at an inline Intrusion Prevention System (IPS) deployed between the edge router and the firewall. 3. Select a sample of edge routers and identify the following: • Determine if the edge routers selected terminate at the firewall or in the DMZ • Identify the encryption configuration in use to protect the data. • Determine the effectiveness of the control of
Code* | The organization has placed the switches strategically in the network to maximize performance; switch configurations are also secured so that only the appropriate level of access is permitted. | Review the placement and use of switches in the network schematic. Where there are switches that have the capability to be managed and/or monitored remotely, ensure that the network administrator has taken steps to limit access to these devices and protect passwords.
Code* | As per best security practice and business requirement, switches are utilized for network performance; routers are used when it is necessary to secure a segment of the network. | Review the use of switches on sensitive network segments to determine if the switch provides the appropriate security or if a router solution may be more appropriate.
Code* | As a policy, firewall rule requirements are assessed and documented at regular intervals. | 1. Determine with application, system and network administrators if there is a complete, documented understanding of the network traffic that needs to pass into and out of the enterprise's network. 2. Discuss with the network administrator the reasoning behind the architecture and type of firewall installed, and determine if the choice was made based on an objective evaluation of the needs.
Code* | The firewall configuration reflects the rule-set requirements. | 1. Review the firewall rule set to determine if the default-deny principle, by which all traffic is denied except that which is explicitly required, has been appropriately implemented in the firewall rules. 2. Examine the default implicit rule set that is shipped with the firewall to ensure that it is not circumventing the implicit firewall rules. 3. Review the termination of VPNs to ensure that only trusted
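The first test of control 22 is a default-deny review, risk 22 concerns insecure services and ports, and test 3 of control 34 asks that sensitive inbound services be unreachable without a VPN. The following added example, not part of the RCM, performs all three checks over a constructed, simplified rule format with one rule per line (action, source zone, destination zone, protocol, port). The zone names and both rulesets are invented for the example. It reports a last rule that is not an explicit deny-all, any catch-all permit, insecure services (Telnet, FTP, SNMP v1/v2c) exposed from the untrusted zone, and sensitive services reachable from the untrusted zone directly into the internal zone.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    src_zone: str  # "untrusted", "dmz", "internal", "vpn" or "any" (constructed zone names)
    dst_zone: str
    proto: str     # "tcp", "udp" or "any"
    port: str      # "23", "443" or "any"


# Services the risk register calls weak or insecure (risk 17, risk 22).
INSECURE_SERVICES = {"tcp/21": "FTP", "tcp/23": "Telnet", "udp/161": "SNMP v1/v2c"}
# Services control 34 test 3 expects to be unavailable without a VPN.
VPN_ONLY_SERVICES = {"tcp/25": "e-mail", "tcp/445": "file sharing",
                     "tcp/80": "internal web", "tcp/443": "internal web"}
DEFAULT_DENY = Rule("deny", "any", "any", "any", "any")

# Constructed ruleset with the problems the checks are meant to find.
WEAK_RULES = """\
# action  src_zone   dst_zone  proto  port
allow     untrusted  dmz       tcp    443
allow     untrusted  dmz       tcp    23      # Telnet to a DMZ host
allow     untrusted  internal  tcp    445     # SMB straight into the LAN
allow     any        any       any    any     # catch-all permit
"""

# Constructed ruleset that satisfies all three checks.
GOOD_RULES = """\
allow     untrusted  dmz       tcp    443
allow     untrusted  vpn       udp    500     # IKE to the VPN concentrator
allow     vpn        internal  tcp    445     # file sharing only over the VPN
allow     internal   untrusted tcp    443
deny      any        any       any    any
"""


def parse_ruleset(text):
    """Parse the simplified one-rule-per-line format, ignoring comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, proto, port = line.split()
        rules.append(Rule(action.lower(), src.lower(), dst.lower(), proto.lower(), port))
    return rules


def audit_ruleset(rules):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append("default-deny missing: last rule is not 'deny any any any any'")
    for number, rule in enumerate(rules, 1):
        if rule.action != "allow":
            continue
        service = f"{rule.proto}/{rule.port}"
        if rule.src_zone == "any" and rule.dst_zone == "any" and rule.port == "any":
            findings.append(f"rule {number}: permits all traffic between all zones")
        if rule.src_zone == "untrusted" and service in INSECURE_SERVICES:
            findings.append(f"rule {number}: {INSECURE_SERVICES[service]} ({service}) exposed from the untrusted zone")
        if rule.src_zone == "untrusted" and rule.dst_zone == "internal" and service in VPN_ONLY_SERVICES:
            findings.append(f"rule {number}: {VPN_ONLY_SERVICES[service]} ({service}) reachable from untrusted without a VPN")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_RULES), ("good", GOOD_RULES)):
        print(f"== {label} ==")
        for finding in audit_ruleset(parse_ruleset(text)) or ["no findings"]:
            print(" ", finding)
```

The order of checks mirrors the order an auditor reads a ruleset: the terminal rule first, then each permit in turn. The VPN check is deliberately limited to untrusted-to-internal traffic so that a mail relay in the DMZ does not produce a false finding.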
Code* | The organization uses strong cryptography for authentication and transmission of sensitive data to prevent malicious users from gaining access to the wireless network or utilizing wireless networks to access internal networks. Note: Use of tokens is strongly recommended. Wireless networks must be secured with at least the WPA2 (Wi-Fi Protected Access 2) encryption mechanism. It is also recommended that all access points require valid authentication for every user or have centralized management via a Wireless Controller. | Examine documented standards and compare them to system configuration settings to verify the following for all wireless networks identified: 1. Industry best practices are used to implement strong encryption for authentication and transmission. 2. Weak encryption (for example, WEP, SSL) is not used as a security control for authentication or transmission. 3. Verify that Wi-Fi Protected Access (WPA2) is enabled. 4. Confirm that factory defaults for the administrator user ID, password, WPA key and
Code* | The organization has installed intrusion detection software which is monitored, and intrusion alerts are researched by a dedicated individual or team. | 1. Confirm that host-based and network-based intrusion detection schemes are in place. 2. Ensure that network-based intrusion detection schemes address the following conceptual elements: • Event module (the sensor) • Analysis module (the traffic
Code* | As a process, the organization conducts internal network assessments that review the configurations and policies of network appliances; these are performed at least every six months. | 1. Determine if information security management performs an internal network self-assessment, and evaluate the frequency and effectiveness of the program. 2. Determine if professional reviews of the network security policy and implementation are performed periodically.
Code* | The organization performs Vulnerability Assessment and Penetration Testing (VA/PT) on a regular schedule (monthly to quarterly or semi-annually, depending on the sensitivity of the network). Note: It is not necessary that the organization perform penetration testing due to the criticality of the network. The organization may conduct only the vulnerability assessment using any industry-acknowledged scanning tool and further verify the tool's false positives manually. | 1. Determine that a systematic approach has been developed and documented for conducting the VA/PT exercise. 2. Confirm that specific requirements have been developed and documented for the VA/PT exercise conducted. 3. Confirm that test metrics have been developed so the results of the VA/PT exercise can be quantified and measured. 4. Determine if the VA/PT exercise is limited to the externally facing network, or if it also includes sensitive internal networks that are protected by internal firewalls. 5. Ensure that the results of the VA/PT exercise are communicated adequately to the technical staff and management. 6. Ensure that the results of the VA/PT exercise are
Code* | The organization has implemented a solution for log management. Logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are written onto a secure, centralized, internal log server or media. | Examine network settings, monitored files, and results from monitoring activities to verify the logs are stored centrally.
Code* | The organization's network has been designed to provide appropriate redundancy in case of any disaster or a cyber attack such as a virus outbreak, Denial of Service (DoS) attack, etc. | Examine the network design and configuration for the availability of network devices in the event of a disaster or outage.
Code* | The organization has followed hardening standards and guidelines. The configuration of network operating systems has been adequately secured (hardened) to limit exposure from well-documented exposures. | Determine if the core operating system has been hardened with the following: • All services/daemons/started tasks not specifically required on each server have been disabled or removed. • All current, relevant patches, service packs and other updates to the operating system and applications have been applied. • Unencrypted protocols have been avoided; where they have been implemented, the justification for their use is documented. • External mail servers scan for malware prior to allowing e-mail files into an enterprise's network. • Administrator accounts have been renamed to names that do not identify the accounts as administrators. • Default passwords have been changed. • Guest accounts have been disabled. • Anonymous FTP has been disabled. • Access to system logs is tightly restricted. • At least seven days of log files
Code* | As a policy, secure areas like data centers shall be protected by appropriate entry controls and monitoring to ensure that only authorized personnel are allowed access. | 1. Verify that access is controlled with badge readers or other devices, including authorized badges and lock and key. 2. Observe a system administrator's attempt to log into consoles for randomly selected systems in the data center and verify that they are "locked" to prevent unauthorized use. 3. Verify that either video cameras or access control mechanisms (or both) are in place to monitor the entry/exit points to sensitive areas. 4. Verify that either video cameras or access control mechanisms (or both) are protected from tampering or disabling. 5. Verify that data from video cameras and/or access
Code* | As a policy, backup copies of information and software are taken and tested regularly in accordance with the enterprise backup policy. All backup copies are encrypted with a strong encryption algorithm. | 1. Verify backup tapes are stored at secure locations. Also, data integrity and recovery should be verified. 2. Verify that the storage location security is reviewed at least annually to confirm that backup media storage is secure. 3. Verify that all media is classified so the sensitivity of the data can be determined. 4. Determine who has access to the backup files of the
Code* The organization has defined the procedures for monitoring the use of information processing facilities, and the results of the monitoring activities are reviewed regularly.
Test description:
1. Verify and review the continuous monitoring process and procedure for the device logs and health checks.
2. Ensure that a secure protocol, such as SNMP v3, is used to monitor the network perimeter devices.
3. Review the utilization of CPU, memory and interface bandwidth of the network perimeter devices for the last 3 months.

Code* The organization has defined the process for reporting information security events through appropriate management channels as quickly as possible, and all employees, contractors and third-party users of information systems and services shall be required to note and report any observed or suspected security event or weakness in the network or system services. The process should highlight the following:
a. Clearly identify the incident response roles and responsibilities;
b. Incident types that may impact the organization's Security Focus Areas;
c. Incident response procedures for defined incident types;
d. A clear escalation path and procedures to escalate Security Incidents; and
e. A root cause analysis process for investigation and reporting.
Test description:
1. Verify that responsibility for establishing, documenting and distributing security incident response and escalation procedures is formally assigned.
2. Review security incident reports related to the network perimeter devices during the last 6 months, if any, and ensure that the same were communicated to management.
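An auditor working test step 2 of the monitoring control (secure monitoring protocol such as SNMP v3) can check device configurations mechanically. The following is an added example, not part of the RCM: it assumes Cisco IOS-style SNMP configuration syntax, the two device configs are constructed, and the angle-bracket passwords are placeholders.

```python
"""Flag perimeter devices still monitored over SNMP v1/v2c community strings
instead of SNMP v3 with authentication and privacy (added example)."""
import re

# Constructed running-config excerpts for two hypothetical devices.
SAMPLE_CONFIGS = {
    "edge-fw-01": """
hostname edge-fw-01
snmp-server community public RO
snmp-server community s3cret RW
""",
    "edge-rtr-01": """
hostname edge-rtr-01
snmp-server group NMSGRP v3 priv
snmp-server user nmsuser NMSGRP v3 auth sha <auth-pass> priv aes 128 <priv-pass>
snmp-server host 10.0.0.5 version 3 priv nmsuser
""",
}

# v1/v2c access is configured with a plaintext community string.
COMMUNITY_RE = re.compile(r"^snmp-server community\s+(\S+)\s*(RO|RW)?", re.I)
# v3 groups carry a security level: noauth, auth, or priv (auth + encryption).
V3_GROUP_RE = re.compile(r"^snmp-server group\s+\S+\s+v3\s+(noauth|auth|priv)", re.I)


def audit_snmp(config: str) -> dict:
    """Return SNMP findings for one device configuration."""
    findings = {"v1v2c_communities": [], "v3_levels": [], "compliant": False}
    for line in config.splitlines():
        line = line.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            findings["v1v2c_communities"].append(m.group(1))
            continue
        m = V3_GROUP_RE.match(line)
        if m:
            findings["v3_levels"].append(m.group(1).lower())
    # Compliant only when no community strings remain and v3 runs at 'priv'.
    findings["compliant"] = (
        not findings["v1v2c_communities"] and "priv" in findings["v3_levels"]
    )
    return findings


def audit_all(configs: dict) -> dict:
    """Audit every device config and map device name to its findings."""
    return {name: audit_snmp(cfg) for name, cfg in configs.items()}


if __name__ == "__main__":
    for name, f in audit_all(SAMPLE_CONFIGS).items():
        print(f"{name}: {'OK' if f['compliant'] else 'FINDING'} {f}")
```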
Code* The organization has implemented a VPN solution to provide secure remote access from the outside world to the organization's internal network. The VPN should encrypt network traffic between the external source and the internal firewall. As a security policy, VPN should be required to access any sensitive enterprise information remotely.
Test description:
1. Evaluate whether encryption is being utilized to minimize the exposure of unauthorized access to confidential files stored on clients connected to an enterprise's network via a VPN.
2. Determine if client workstation standards require that a workstation utilizing a client-based VPN has had unnecessary services removed that could be a source of exploitation.
3. Determine if the inbound ports that are sensitive (i.e., e-mail, file access/sharing, internal web sites, etc.) are unavailable without a VPN connection.
4. Split tunneling is only enabled if the organization's security policy allows it.

Code* The organization ensures that corporate compliance (financial reporting, regulatory and statutory) functions review VPN policies prior to implementation to assure adherence to appropriate requirements, and VPN policies are approved by the Information Security Function.
Test description:
1. Obtain the corporate compliance policies relating to data security and privacy.
2. Determine if VPN requirements are a component of the policies.
3. Obtain a selection of VPN policy proposals or modifications.
4. Determine if corporate compliance and information security representatives have reviewed and provided documented approval of VPN policies.
5. VPN technologies are defined to satisfy
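Test step 3 of the VPN control (sensitive inbound services unreachable without a VPN connection) can be checked against an exported rule base. The following is an added example, not part of the RCM: the rule format, the VPN client pool 10.200.0.0/16 and the rules themselves are constructed, and rules are evaluated independently (ordering and shadowing between rules are out of scope).

```python
"""Find firewall rules that expose sensitive services to non-VPN sources
(added example for the VPN control's test step 3)."""
import ipaddress
from dataclasses import dataclass

# Port numbers for the service classes the RCM names as sensitive.
SENSITIVE_PORTS = {
    25: "e-mail (SMTP)", 143: "e-mail (IMAP)", 445: "file sharing (SMB)",
    80: "internal web (HTTP)", 443: "internal web (HTTPS)",
}
VPN_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed VPN client pool


@dataclass
class Rule:
    name: str
    src: str       # source CIDR; "0.0.0.0/0" means any source
    dst: str       # destination CIDR
    dport: int     # destination port (0 = any, used by the default-deny rule)
    action: str    # "allow" or "deny"


# Constructed rule base: one rule wrongly allows the intranet from anywhere.
RULES = [
    Rule("vpn-to-mail", "10.200.0.0/16", "10.10.1.0/24", 25, "allow"),
    Rule("any-to-intranet", "0.0.0.0/0", "10.10.2.10/32", 443, "allow"),
    Rule("any-to-smb", "0.0.0.0/0", "10.10.3.0/24", 445, "deny"),
    Rule("default-deny", "0.0.0.0/0", "0.0.0.0/0", 0, "deny"),
]


def exposed_without_vpn(rules):
    """Return (rule name, service, source) for allow rules on a sensitive
    port whose source is not wholly inside the VPN client pool."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.dport not in SENSITIVE_PORTS:
            continue
        src = ipaddress.ip_network(r.src)
        # A source not contained in the VPN pool is reachable without a VPN.
        if not src.subnet_of(VPN_POOL):
            findings.append((r.name, SENSITIVE_PORTS[r.dport], r.src))
    return findings


if __name__ == "__main__":
    for name, service, src in exposed_without_vpn(RULES):
        print(f"FINDING: rule '{name}' allows {service} from {src} without VPN")
```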
Code* The organization has implemented the SSL VPN with a secure configuration which mitigates its inherent weaknesses.
Test description:
1. Obtain the SSL VPN Configuration Policy and determine if strong user authentication has been implemented. Consider:
• Two-factor authentication
• Password AND hardware tokens
• Digital certificates
• Smart cards
2. Determine if a secure desktop solution or “sandboxing” has been implemented for connections not satisfying or unable to validate computer identity verification.
3. Determine
Code* The organization provides VPN education and security awareness on a regular basis and ensures participation of all users of the enterprise.
Test description:
1. Determine that VPN awareness and security programs are routinely and regularly offered.
2. Determine if the security awareness program addresses the VPN use policy.
3. Evaluate how the follow-up process is maintained to assure user participation.
4. Determine if participation is documented in logs or sign-in sheets.
Code* As a policy, VPN access is removed upon termination or transfer as part of the de-provisioning process. The list of installed VPNs is reviewed at least annually and VPN usage is monitored for unauthorized use.
Test description:
1. Obtain the de-provisioning procedure.
2. Determine that the VPN deactivation is part of the de-provisioning process.
3. Obtain a sample of recent user terminations and determine that the VPN privileges for the terminated users have been deactivated.
4. Determine if a list of computers or users with VPNs installed exists.
5. If the list exists, determine if the list is reviewed at least annually to ensure that only authorized users have access to, and have installed, a VPN.
6. Determine the process for reviewing VPN usage.
7. Select a sample of VPN usage violations. Determine how the violations were investigated and the actions taken.

Code* The organization has implemented security controls to restrict access to network devices through VLAN/static IP/LANVPN etc. to only those users who require such access to fulfill business requirements.
Test description:
1. Obtain the IP or URL to access the network device, or install the client application in case there is no URL (e.g. PuTTY, SecureCRT etc.).
2. Try to access the device console via LAN and WLAN.
3. Obtain the IP addresses used to access the CLI of the console.
4. Try to access the CLI of the network device via LAN and WLAN.
Note: Reaching the login page only without knowing the
Initial Findings
Naming convention:
The naming convention for the Risk, Control and Test in the RCM is CC_RR_YYYY_AA_X_n (a sample copy of the RCM is attached for reference):
o CC - Country Code
o RR - Report number
o YYYY - Year
o AA - Audit name in abbreviation
o X - R - Risk / C - Control / T - Test
o n - Serial number of the particular name

Information Processing objectives:
C Completeness
A Accuracy
V Validity
R Restricted Access
T Timeliness

RCM columns (Column Name: Description):
Process: This is the title of the main process (project), e.g. (Security and Controls over core GSM).
Objective Name: Sequence number for the objective. Follow the naming convention as in the Convention sheet.
Objective Description: The scope of review sent in the opening email.
Risk Name: Sequence number for the risk. Follow the naming convention as in the Convention sheet.
Risk Description: The actual risk of not having proper control in place.
Risk Significance: The significance of the risk as it affects the process/organization.
Risk Type: Type of risk. The drop-down will give more details as to what it is.
Control Name: Sequence number for the control. Follow the naming convention as in the Convention sheet.
Control Description: The proper control to mitigate the risk.
Frequency: The periodicity of applying the control, e.g. multiple times (more than once in a day), daily (once a day), weekly, fortnightly, monthly, yearly and ad hoc.
Control Type 1: Whether the control is preventive or detective in nature. Some controls prevent a risk whereas some controls detect a risk and aid intervention to stop the risk from getting worse.
Control Type 2: Type of control from the perspective of automated (IT), manual or both.
COSO Element: The COSO element that the control belongs to.
Information processing Objective: This describes what information processing objective the control achieves. The expansion of each letter is explained in the Convention sheet.
Testing Detail Name: Sequence number for the test. Follow the naming convention as in the Convention sheet.
Type: This defines the testing type.
Test Description: Detailed steps describing how to test the control. One control may have multiple steps to test it.