1 / 26

Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work

Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work. Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 Randy.Marchany@vt.edu 540-231-9523. JCSC 2000. The Auditor’s Goals.

Mia_John
Download Presentation

Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 Randy.Marchany@vt.edu 540-231-9523 JCSC 2000 Copyright 2000, Marchany

  2. Copyright 2000, Marchany

  3. Copyright 2000, Marchany

  4. Copyright 2000, Marchany

  5. Copyright 2000, Marchany

  6. Copyright 2000, Marchany

  7. Copyright 2000, Marchany

  8. The Auditor’s Goals • Ensure Assets are protected according to company, local,state and federal regulatory policies. • Determine what needs to be done to ensure the protection of the above assets. • Make life miserable for sysadmins…:-) • Not really. They can save a sysadmin if a problem occurs. Copyright 2000, Marchany

  9. The Sysadmin’s Goals • Keep the systems up. • Keep users happy and out of our hair. • Keep auditors at arms’ length. • Get more resources to do the job properly. • Wear jeans or shorts to work when everyone else has to wear suits……. Copyright 2000, Marchany

  10. The Sysadmin’s Audit Strategy • Turn a perceived weakness (the audit) into a strength (security checklists). • Develop a set of reporting matrices that can be used as audit reports or justification for security expenditures. • The above info can be used to help develop your incident response plan. Copyright 2000, Marchany

  11. The Committee • Management and Technical Personnel from the major areas of IS • University Libraries • Educational Technologies • University Network Management Group • University Computing Center • Administrative Information Systems Copyright 2000, Marchany

  12. The Committee’s Scope • Information Systems Division only • Identified and prioritized Assets • RISKS associated with those ASSETS • CONTROLS that may applied to the ASSETS to mitigate the RISKS • Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to assets we wish to protect Copyright 2000, Marchany

  13. The Committee’s Charge • From our VP for Information Systems • “Establish whether IS units are taking all reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service” • “Investigate and advise the VPIS as to the security of systems throughout the university….Provide documentation of the security measures in place.” Copyright 2000, Marchany

  14. Identifying the Assets • Compiled a list of IS assets (+100 systems) • Categorize them as critical, essential, normal • Critical - VT can’t operate w/o this asset for even a short period of time. • Essential - VT could work around the loss of the asset for up to a week. The asset needs to be returned to service asap • Normal - VT could operate w/o this asset for a finite period but entities may need to identify alternatives. Copyright 2000, Marchany

  15. Prioritizing the Assets • The network(router, bridges, cabling, etc.) was treated as a single entity and deemed critical. • X assets were classified as critical and then rank ordered using a matrix prioritization technique. Each asset was compared to the other and members voted on their relative importance. Members could split their vote. Copyright 2000, Marchany

  16. Identifying the Risks • A RISK was selected if it caused an incident that would: • Be extremely expensive to fix • Result in the loss of a critical service • Result in heavy, negative publicity especially outside the university • Have a high probability of occurring. • Risks were prioritized using matrix prioritization technique. Copyright 2000, Marchany

  17. Mapping Risks and Assets • We built a matrix that maps the ordered list of critical assets against the ordered list of risks regardless of whether or not • A particular risk actually applied to the asset • Controls exist and/or already in place. • The matrix provides general guidance about the order each asset/risk is examined. All assets/risks need to be examined eventually. Copyright 2000, Marchany

  18. Identifying Controls • Specific controls identified by the committee were put in a matrix • The controls were then mapped against a list of risks and in those cells are the control ids that can mitigate a particular risk for a particular asset. Copyright 2000, Marchany

  19. Recommendations • The process recommends a general order which IS should apply scarce resources to perform a cost benefit analysis for the various assets & risks. • For each asset, as directed by mgt, appropriate staff should: • Review the risks & controls • Add any further risks/controls not identified • Assess the potential cost of an incident • Assess the cost of control purchases and deployment • Analyze cost vs. benefit for each asset • Submit results to mgt which retains the responsibility to weigh investments and make implementation decisions Copyright 2000, Marchany

  20. References • http://security.vt.edu • www.sans.org • www.nipc.gov • www.jmu.edu/info-security • www.cornell.edu/CPL • www.securityfocus.com • www.insecure.org Copyright 2000, Marchany

  21. APPENDIX 1 • The following matrices are examples of your matrix reports • Exhibit A (ASSET Matrix) • Exhibit B (ASSET WEIGHT Matrix) • Exhibit C (RISKS Matrix) • Exhibit D (RISK WEIGHT Matrix) • Exhibit E (ASSET-RISK Matrix) • Exhibit F (CONTROLS Matrix) Copyright 2000, Marchany

  22. APPENDIX 2 • The following spreadsheets are the compliance reports. • Overall Compliance Report that lists the general vulnerabilities a system has. This is a quick 1 page report for mgt. or the auditors. • Asset/Risk Matrix list whether a system is affected by a risk. The risks are more specific. • Controls Matrix lists what controls are in place for a given system. • Individual Action Matrix lists the details of an audit for each node. Did the system comply? Copyright 2000, Marchany

  23. APPENDIX 3 • The following checklist gives the detailed commands to be performed in the “audit”. • The categories are based on the Risk Matrices in Appendix 1. • The results of the checklist commands are inserted in the Compliance matrices of Appendix 2. • This checklist and the matrices form the overall audit/security checklist package. Copyright 2000, Marchany

  24. APPENDIX 4 • Your company’s response policy will dictate the degree of audit record keeping you’ll have to maintain. • There are 2 strategies: • Protect and Proceed • Pursue and Prosecute Copyright 2000, Marchany

  25. Incident Handling:Protect and Proceed? - Which strategy should your organization follow to handle an incident? This dictates the level of record keeping needed to fulfill the strategy. (RFC2196) - the protection and preservation of site facilities - return to normal operations as soon as possible - actively interfere with intruder attempts - begin immediate damage assessment and recovery Use if: - assets are not well protected - continued penetration could result in financial risk - possibility or willingness to prosecute is not present - user community is unknown - unsophisticated users and their work is vulnerable - the site is vulnerable to lawsuits from users if their resources are undermined Copyright 2000, Marchany

  26. Incident Handling:Pursue and Prosecute? - allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies - Use if: - system assets are well protected - good backups are available - Asset risks are outweighed by risk of future penetrations - it's a concentrated and frequent attack - the site has a natural attraction to intruders, e.g. university, bank - the site is willing to spend the money and risk to catch the guy - intruder access can be controlled - well-developed monitoring tools are available - you have a technically competent support staff - management is willing to prosecute - system administrators know in general what evidence will aid in prosecution - there is established contact with law enforcement agencies - the site has involved their legal staff Copyright 2000, Marchany

More Related