forging partnerships between auditors and security managers breakthrough methods that work l.
Skip this Video
Loading SlideShow in 5 Seconds..
Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work PowerPoint Presentation
Download Presentation
Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work

Loading in 2 Seconds...

play fullscreen
1 / 26

Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work - PowerPoint PPT Presentation

  • Uploaded on

Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work. Randy Marchany VA Tech Computing Center Blacksburg, VA 24060 540-231-9523. JCSC 2000. The Auditor’s Goals.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work' - Mia_John

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
forging partnerships between auditors and security managers breakthrough methods that work

Forging Partnerships Between Auditors and Security Managers: Breakthrough Methods That Work

Randy Marchany

VA Tech Computing Center

Blacksburg, VA 24060


JCSC 2000

Copyright 2000, Marchany

the auditor s goals
The Auditor’s Goals
  • Ensure Assets are protected according to company, local,state and federal regulatory policies.
  • Determine what needs to be done to ensure the protection of the above assets.
  • Make life miserable for sysadmins…:-)
    • Not really. They can save a sysadmin if a problem occurs.

Copyright 2000, Marchany

the sysadmin s goals
The Sysadmin’s Goals
  • Keep the systems up.
  • Keep users happy and out of our hair.
  • Keep auditors at arms’ length.
  • Get more resources to do the job properly.
  • Wear jeans or shorts to work when everyone else has to wear suits…….

Copyright 2000, Marchany

the sysadmin s audit strategy
The Sysadmin’s Audit Strategy
  • Turn a perceived weakness (the audit) into a strength (security checklists).
  • Develop a set of reporting matrices that can be used as audit reports or justification for security expenditures.
  • The above info can be used to help develop your incident response plan.

Copyright 2000, Marchany

the committee
The Committee
  • Management and Technical Personnel from the major areas of IS
    • University Libraries
    • Educational Technologies
    • University Network Management Group
    • University Computing Center
    • Administrative Information Systems

Copyright 2000, Marchany

the committee s scope
The Committee’s Scope
  • Information Systems Division only
  • Identified and prioritized Assets
    • RISKS associated with those ASSETS
    • CONTROLS that may applied to the ASSETS to mitigate the RISKS
  • Did NOT specifically consider assets outside IS control. However, those assets are included as clients when considering access to assets we wish to protect

Copyright 2000, Marchany

the committee s charge
The Committee’s Charge
  • From our VP for Information Systems
  • “Establish whether IS units are taking all reasonable precautions to protect info resources and to assure the accurate & reliable delivery of service”
  • “Investigate and advise the VPIS as to the security of systems throughout the university….Provide documentation of the security measures in place.”

Copyright 2000, Marchany

identifying the assets
Identifying the Assets
  • Compiled a list of IS assets (+100 systems)
  • Categorize them as critical, essential, normal
    • Critical - VT can’t operate w/o this asset for even a short period of time.
    • Essential - VT could work around the loss of the asset for up to a week. The asset needs to be returned to service asap
    • Normal - VT could operate w/o this asset for a finite period but entities may need to identify alternatives.

Copyright 2000, Marchany

prioritizing the assets
Prioritizing the Assets
  • The network(router, bridges, cabling, etc.) was treated as a single entity and deemed critical.
  • X assets were classified as critical and then rank ordered using a matrix prioritization technique. Each asset was compared to the other and members voted on their relative importance. Members could split their vote.

Copyright 2000, Marchany

identifying the risks
Identifying the Risks
  • A RISK was selected if it caused an incident that would:
    • Be extremely expensive to fix
    • Result in the loss of a critical service
    • Result in heavy, negative publicity especially outside the university
    • Have a high probability of occurring.
  • Risks were prioritized using matrix prioritization technique.

Copyright 2000, Marchany

mapping risks and assets
Mapping Risks and Assets
  • We built a matrix that maps the ordered list of critical assets against the ordered list of risks regardless of whether or not
    • A particular risk actually applied to the asset
    • Controls exist and/or already in place.
  • The matrix provides general guidance about the order each asset/risk is examined. All assets/risks need to be examined eventually.

Copyright 2000, Marchany

identifying controls
Identifying Controls
  • Specific controls identified by the committee were put in a matrix
  • The controls were then mapped against a list of risks and in those cells are the control ids that can mitigate a particular risk for a particular asset.

Copyright 2000, Marchany

  • The process recommends a general order which IS should apply scarce resources to perform a cost benefit analysis for the various assets & risks.
  • For each asset, as directed by mgt, appropriate staff should:
    • Review the risks & controls
    • Add any further risks/controls not identified
    • Assess the potential cost of an incident
    • Assess the cost of control purchases and deployment
    • Analyze cost vs. benefit for each asset
    • Submit results to mgt which retains the responsibility to weigh investments and make implementation decisions

Copyright 2000, Marchany


Copyright 2000, Marchany

appendix 1
  • The following matrices are examples of your matrix reports
    • Exhibit A (ASSET Matrix)
    • Exhibit B (ASSET WEIGHT Matrix)
    • Exhibit C (RISKS Matrix)
    • Exhibit D (RISK WEIGHT Matrix)
    • Exhibit E (ASSET-RISK Matrix)
    • Exhibit F (CONTROLS Matrix)

Copyright 2000, Marchany

appendix 2
  • The following spreadsheets are the compliance reports.
  • Overall Compliance Report that lists the general vulnerabilities a system has. This is a quick 1 page report for mgt. or the auditors.
  • Asset/Risk Matrix list whether a system is affected by a risk. The risks are more specific.
  • Controls Matrix lists what controls are in place for a given system.
  • Individual Action Matrix lists the details of an audit for each node. Did the system comply?

Copyright 2000, Marchany

appendix 3
  • The following checklist gives the detailed commands to be performed in the “audit”.
  • The categories are based on the Risk Matrices in Appendix 1.
  • The results of the checklist commands are inserted in the Compliance matrices of Appendix 2.
  • This checklist and the matrices form the overall audit/security checklist package.

Copyright 2000, Marchany

appendix 4
  • Your company’s response policy will dictate the degree of audit record keeping you’ll have to maintain.
  • There are 2 strategies:
    • Protect and Proceed
    • Pursue and Prosecute

Copyright 2000, Marchany

incident handling protect and proceed
Incident Handling:Protect and Proceed?

- Which strategy should your organization follow to handle an incident? This

dictates the level of record keeping needed to fulfill the strategy. (RFC2196)

- the protection and preservation of site facilities

- return to normal operations as soon as possible

- actively interfere with intruder attempts

- begin immediate damage assessment and recovery

Use if:

- assets are not well protected

- continued penetration could result in financial risk

- possibility or willingness to prosecute is not present

- user community is unknown

- unsophisticated users and their work is vulnerable

- the site is vulnerable to lawsuits from users if their resources

are undermined

Copyright 2000, Marchany

incident handling pursue and prosecute
Incident Handling:Pursue and Prosecute?

- allow intruders to continue their activity until the site can identify them. This is recommended by law enforcement agencies

- Use if:

- system assets are well protected

- good backups are available

- Asset risks are outweighed by risk of future penetrations

- it's a concentrated and frequent attack

- the site has a natural attraction to intruders, e.g. university, bank

- the site is willing to spend the money and risk to catch the guy

- intruder access can be controlled

- well-developed monitoring tools are available

- you have a technically competent support staff

- management is willing to prosecute

- system administrators know in general what evidence will aid in


- there is established contact with law enforcement agencies

- the site has involved their legal staff

Copyright 2000, Marchany