IT Security: The Virginia Tech Journey

Using a Framework to Guide an IT Security Review

Justin T. Noble
Director of Internal Audit
Virginia Tech

Justin T. Noble, CIA, MBC
Director of Internal Audit, Office of Audit, Risk, and Compliance
Virginia Tech

Justin Noble, who is a Certified Internal Auditor, is the Director of Internal Audit for Virginia Tech. Justin provides management direction in planning all risk-based compliance, information technology, investigative, and advisory reviews. He supervises a team of internal auditors, reviews the evaluation of internal controls and resulting recommendations, and partners proactively with colleagues across the university. Justin completed his Master of Architecture and Master of Business Administration at Texas Tech. After graduating from Tech, Justin started his career with The University of Texas Southwestern Medical Center and worked for Southwest Airlines prior to returning to his alma mater in 2009. A certified internal auditor, Justin has worked in higher education for more than 10 years, and in internal audit for more than 15 years.

Agenda
● Learning Objectives
● Getting Familiar With Frameworks
● Framework Mapping
● Virginia Tech’s IT Security Journey
● Q&A
● Conclusion

Learning Objectives
● Understand the common IT security frameworks.
● Use the foundational knowledge and resources gained to conduct IT controls reviews.
● Understand how internal audit can partner with IT to strengthen their organization’s information security programs.

Poll Question #1

Are IT security reviews a common part of your audit activities?

a. Yes
b. No
c. I don’t know

01 Getting Familiar With Frameworks

What Is a Framework?

Framework:
● “A basic structure underlying a system, concept, or text.” – Oxford English Dictionary Online
● A support structure or system that holds parts together.

IT Security Framework:
● A series of documented processes that define policies and procedures around IT security controls.
● They define and prioritize the tasks required to manage security enterprise-wide.
● They assist with complying with industry standards and other regulations.

What Is a Framework?

Frameworks:
● Provide a starting point for the establishment of robust administrative activities.
● Assist with showing compliance with overlapping regulatory requirements through effective crosswalks.
● Are customizable to your organization, needs, or problems.

Common Frameworks
● International Organization for Standardization (ISO) 27000 series
● National Institute of Standards and Technology (NIST)
○ NIST 800-53: An InfoSec benchmark for U.S. Government agencies that is widely used in the private sector.
○ NIST 800-171: More popular, based on the U.S. Dept. of Defense requirements on contractors.
● Control Objectives for Information and Related Technologies (COBIT)
● Center for Internet Security (CIS) Critical Security Controls
● Committee of Sponsoring Organizations (COSO)

Poll Question #2

Does your organization use a common IT security framework?

a. Yes
b. No
c. I don’t know

02 Framework Mapping

CIS v8 to NIST

CIS v8 to COBIT

If you can dream of it…


● PCI
● CMMC
● HIPAA
● Azure Security Benchmark
● SOC 2
● NIST
● Cloud Security Alliance

03 Virginia Tech’s IT Security Journey

First Things First



How to Get Started

Relationships:
● Have you reached out and established a working relationship with your CIO, ITSO, and other key IT personnel?
● Do you have an “in” with research computing, academic computing, and auxiliary computing?

Frameworks:
● Do you know your framework?
● Have you read the framework?
● Did you Google how to conduct an assessment with your framework?

Governance:
● How are things governed at your university?
● What are the policies and standards that you need to be able to articulate an awareness of?

Approaches
Similar to a non-IT audit, you can approach IT security in different ways.

Determine the Methodology:
● Single Process
○ Inventory
○ Firewall Configuration
● Comprehensive
○ Security Review

Determine the Scope:
● Enterprise-level
● Unit Level
● Hybrid

Poll Question #3

Do you look at IT security as a single topic or hybrid?

a. Single, comprehensive
b. Hybrid/Crosscutting
c. I don’t know

VT Examples
● Single Process/Enterprise-level
○ IT Network Security
○ Incident Response
● Single Process/Unit-level
○ Secured Research Computing
● Single Process/Hybrid
○ Risk Assessment
○ Server Security
● Comprehensive
○ Typically, only on the unit level.

Using the CIS Critical Security Controls v8

Why CIS Critical Controls?

● Simplicity
○ They are written in easy-to-understand terms with sufficient definitions.
● Easy crosswalking
○ They easily map to NIST, COBIT, ISO, and other common frameworks.
● Commonality
○ We have found them widely known and understood; this lowers the “acceptance” threshold.

Structure of a CIS Control

● Overview
○ A brief description of the control and its intent.
● Control Criticality
○ A description of the importance of the control in the context of an attack.
● Tools
○ Links to more technical documents or process descriptions.
● Safeguard Descriptions
○ A detailed table, based on implementation groups, that outlines the actions that should be taken.

CIS Critical Controls

1. Inventory and Control of Enterprise Assets
2. Inventory and Control of Software Assets
3. Data Protection
4. Secure Configuration
5. Account Management
6. Access Control Management
7. Continuous Vulnerability Management
8. Audit Log Management
9. Email and Web Browser Protections
10. Malware Defenses
11. Data Recovery
12. Network Infrastructure Management
13. Network Monitoring and Defense
14. Security Awareness and Skills Training
15. Service Provider Management
16. Application Software Security
17. Incident Response Management
18. Penetration Testing

Poll Question #4

Were you familiar with the CIS Controls prior to this presentation?

a. Yes
b. No

Safeguards as Fieldwork
Take the safeguard descriptions and turn them into an audit program. The safeguards outline the controls; the inverse is the audit program.

Hybrid Example: Linux Server Security

Objectives
● Determine whether operating systems were supported and patched.
● Determine whether servers were securely configured to restrict access to authorized personnel.
● Determine whether physical security and environmental controls were implemented.
● Determine whether servers were configured to collect required log information, and whether logs were monitored and sent to a remote server.
● Determine whether system administrators were aware of university information technology standards and had completed security training.

Objectives & CIS Controls

● Secure Configuration: Determine whether operating systems were supported and patched.
● Account Management: Determine whether servers were securely configured to restrict access to authorized personnel.
● Penetration Testing: Determine whether physical security and environmental controls were implemented.
● Audit Log Management: Determine whether servers were configured to collect required log information, and whether logs were monitored and sent to a remote server.
● Security Awareness and Skills Training: Determine whether system administrators were aware of university information technology standards and had completed security training.
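As an added example (not part of the presentation), the shell helpers below turn three of the Linux server objectives above into repeatable evidence collection: the OS release for the Secure Configuration objective, rsyslog forwarding targets for Audit Log Management, and UID 0 and interactive accounts for Account Management. Each function takes a file path, so it runs against the live files on a host or against constructed fixtures; the hostnames and account names in the comments are illustrative only.

```shell
#!/usr/bin/env bash
# Added example, not from the presentation: evidence-gathering helpers for the
# Linux server security objectives. Each function takes a file path so it can
# read the live files on a host (/etc/os-release, /etc/passwd, /etc/rsyslog.conf)
# or constructed fixtures while the audit program is being developed.

# Secure Configuration: print "<distro id> <version id>" from an os-release
# file so the auditor can compare it with the vendor's support lifecycle.
os_release_summary() {
  local file="$1" id version
  id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
  version=$(sed -n 's/^VERSION_ID=//p' "$file" | tr -d '"')
  printf '%s %s\n' "$id" "$version"
}

# Audit Log Management: print rsyslog forwarding targets (@host is UDP,
# @@host is TCP, target="host" is a RainerScript omfwd action). Comment
# lines are ignored. Returns 1 when nothing is forwarded: an audit finding.
rsyslog_remote_targets() {
  local file="$1" targets
  targets=$(grep -Ev '^[[:space:]]*#' "$file" \
    | grep -Eo '@{1,2}[^[:space:];)]+|target="[^"]+"' \
    | sed -E 's/^target=//; s/"//g')
  [ -n "$targets" ] || return 1
  printf '%s\n' "$targets"
}

# Account Management: any UID 0 account other than root is a second
# superuser that needs a named owner and a documented justification.
extra_uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Account Management: accounts whose shell is not nologin/false can log in
# interactively; each one should map to an authorized person.
interactive_accounts() {
  awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Run all checks against a root directory: "/" on a live server, or a
# fixture tree laid out as <root>/etc/... .
collect_evidence() {
  local root="${1%/}"
  echo "OS release: $(os_release_summary "$root/etc/os-release")"
  echo "Remote log targets:"
  rsyslog_remote_targets "$root/etc/rsyslog.conf" || echo "  NONE - finding"
  echo "UID 0 accounts other than root:"; extra_uid0_accounts "$root/etc/passwd"
  echo "Interactive accounts:"; interactive_accounts "$root/etc/passwd"
}
```

On a live server, `collect_evidence /` prints the evidence for one host; the same output captured per host becomes the workpaper for the safeguards mapped above.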

Project Challenges/Strategies
● Inventory of Servers
○ We sent a survey to every college/unit/institute asking whether they had Linux servers and, if so, how many. We also asked whether any servers were rated as ‘high risk’.
● Remote IT Support
○ We did a lot of Zoom remote screen sharing.
● Configuration Review
○ We used a tool called CIS-CAT, available from the Center for Internet Security.
○ There is a learning curve to understanding the results.


Some Places to Start


● Inventory and Risk Assessment Process
○ How do you protect what you don’t know about?
○ You can’t protect everything, so how do you determine
what you protect?

● Backup
○ How are you backing up your systems?
○ How are you backing up remote systems?
○ How do you know the backups are effective?

● Patching/Encryption/Malware
○ How are you monitoring patching on high-risk systems?
○ How are you enforcing encryption?
○ How are you ensuring up-to-date malware protection?

Some Places to Start


● Incident Response
○ When was it last tested?
○ Is it comprehensive?
○ Is it actually usable?

● Administrative Access
○ How do you manage elevated privileges?
○ How are you ensuring that what you deploy doesn’t get undone?

● Logging
○ Are they aggregated in any meaningful way?
○ Are they actually reviewed?

Questions & Answers

Thank You

Justin T. Noble
Director of Internal Audit
Virginia Tech
