
Network Perimeter Security Audit/Assurance Program

ISACA

With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a recognized worldwide leader in IT governance, control, security and assurance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA Journal®, and develops international information systems auditing and control standards. It also administers the globally respected Certified Information Systems Auditor® (CISA®) designation, earned by more than 60,000 professionals since 1978, the Certified Information Security Manager® (CISM®) designation, earned by more than 10,000 professionals since 2002, and the new Certified in the Governance of Enterprise IT® (CGEIT®) designation.
Disclaimer
ISACA has designed and created Network Perimeter Security Audit/Assurance Program (the “Work”), primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit/assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or IT environment.
Reservation of Rights
© 2009 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use, and consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
2009 ISACA. All rights reserved. Page 2
Network Perimeter Security Audit/Assurance Program
ISBN 978-1-60420-080-5
Printed in the United States of America
ISACA wishes to recognize:
Author
Norm Kelson, CISA, CGEIT, CPA, The Kelson Group, USA
Expert Reviewers
Michael Castro, CISA, CISSP, Suncor Energy Inc., Canada
Hugo Köncke, CISM, CISSP, GCIH, INAC, Uruguay
Sanjay Vaid, CISA, Fujitsu Siemens Computers, Belgium
Reinhard E. Voglmaier, GlaxoSmithKline—Medical Department, Italy
ISACA Board of Directors
Lynn Lawton, CISA, FBCS, FCA, FIIA, KPMG LLP, UK, International President
George Ataya, CISA, CISM, CGEIT, CISSP, ICT Control SA, Belgium, Vice President
Howard Nicholson, CISA, CGEIT, City of Salisbury, Australia, Vice President
Jose Angel Pena Ibarra, CGEIT, Consultoria en Comunicaciones e Info. SA & CV, Mexico, Vice President
Robert E. Stroud, CA Inc., USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Frank Yam, CISA, CIA, CCP, CFE, CFSA, FFA, FHKCS, FHKIoD, Focus Strategic Group Inc., Hong Kong, Vice President
Marios Damianides, CISA, CISM, CA, CPA, Ernst & Young, USA, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Director
Tony Hayes, Queensland Government, Australia, Director
Jo Stewart-Rattray, CISA, CISM, CSEPS, RSM Bird Cameron, Australia, Director
Assurance Committee
Gregory T. Grocholski, CISA, The Dow Chemical Company, USA, Chair
Pippa G. Andrews, CISA, ACA, CIA, Amcor, Australia
Richard Brisebois, CISA, CGA, Office of the Auditor General of Canada, Canada
Sergio Fleginsky, CISA, ICI, Uruguay
Robert Johnson, CISA, CISM, CISSP, Executive Consultant, USA
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Robert G. Parker, CISA, CA, CMC, FCA, Deloitte & Touche LLP (retired), Canada
Erik Pols, CISA, CISM, Shell International - ITCI, Netherlands
Vatsaraman Venkatakrishnan, CISA, CISM, CGEIT, ACA, Emirates Airlines, UAE
Table of Contents
I. Introduction ........................................ 4
II. Using This Document ................................ 5
III. Controls Maturity Analysis ........................ 7
IV. Assurance and Control Framework .................... 9
V. Executive Summary of Audit/Assurance Focus ......... 10
VI. Audit/Assurance Program ............................ 12
1. Planning and Scoping the Audit ..................... 12
2. Preparatory Steps .................................. 15
3. Network Security Design ............................ 16
4. Network Security Components ........................ 21
VII. Maturity Assessment ............................... 31
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. The ISACA Assurance Committee has commissioned audit/assurance programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200—General Standards. The audit/assurance programs are part of ITAF, section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the IT Governance Institute® (ITGI™) Control Objectives for Information and related Technology (COBIT®)—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF, sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management.
Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise's control framework.
IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program will identify the control objectives and the steps to determine control design and effectiveness.
Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.
II. Using This Document
This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.
Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. The physical document was designed in Microsoft® Word. The IT audit and assurance professional is encouraged to make modifications to this document to reflect the specific environment under review.
Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g., 1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the substeps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the program, the audit/assurance program describes the audit/assurance objective—the reason for performing the steps in the topic area. The specific controls follow and are shown in blue type. Each review step is listed below the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing and report clearing—has been excluded from this document, since it is standard for the audit/assurance function and should be identified elsewhere in the enterprise's standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As the professional reviews each control, he/she should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance enterprises include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure 1.
Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks
Columns: Internal Control Framework | ERM Integrated Framework

[Internal Control Framework] Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
[ERM Integrated Framework] Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
[ERM Integrated Framework] Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
[ERM Integrated Framework] Event Identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

[Internal Control Framework] Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and thus risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
[ERM Integrated Framework] Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.
[ERM Integrated Framework] Risk Response: Management selects risk responses—avoiding, accepting, reducing, or sharing risk—developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

[Internal Control Framework] Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
[ERM Integrated Framework] Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

[Internal Control Framework] Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
[ERM Integrated Framework] Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.

[Internal Control Framework] Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
[ERM Integrated Framework] Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Information for figure 1 was obtained from the COSO web site www.coso.org/aboutus.htm.
The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper for each line item, which describes the work performed, issues identified, and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper describing the work performed.
III. Controls Maturity Analysis
One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.
The IT Assurance Guide: Using COBIT, Appendix VII—Maturity Model for Internal Control, in figure 2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure 2—Maturity Model for Internal Control
Columns: Maturity Level | Status of the Internal Control Environment | Establishment of Internal Controls

0 Nonexistent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

1 Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

2 Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

3 Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

4 Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

5 Optimized
Status of the Internal Control Environment: An enterprisewide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity level of the control practices. The maturity assessment can be a part of the audit/assurance report and can be used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to the management.
At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. The graphic presentation describing the achievement or gaps between the actual and targeted maturity goals has been removed from this presentation since only one COBIT subsection is within the scope of this review. It is suggested that the maturity assessment for this review be included in the IT information security review, which would focus on the Deliver and Support (DS) domain, IT process DS5 Ensure systems security.
IV. Assurance and Control Framework
ISACA IT Assurance Framework and Standards
The following sections in ITAF are relevant to network perimeter security:
3410—IT Governance
3425—IT Information Strategy
3490—IT Support of Regulatory Compliance
3630.7—Information Security Management
3630.11—Network Management and Controls
3630.16—Enterprise Portals
3630.17—Identification and Authentication
ISACA has long recognized the specialized nature of IT assurance and strives to advance globally applicable standards. Guidelines and procedures provide detailed guidance on how to follow those standards. IS Auditing Standard S15 IT Controls, IS Auditing Guideline G38 Access Controls, and IS Auditing Procedures P3 Intrusion Detection and P6 Firewalls are relevant to this audit/assurance program.
ISACA Controls Framework
COBIT is an IT governance framework and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.
Utilizing COBIT as the control framework on which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.
The COBIT control objective DS5.10 Network security, in the DS domain, addresses good practices for ensuring network security:
Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.
Refer to the IT Governance Institute's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.
V. Executive Summary of Audit/Assurance Focus
Network Perimeter Security
Network perimeter security is a proactive process to ensure the protection of the enterprise's data, assets and information that are stored on computer equipment residing on a network, and the information flowing through the network.
Network perimeter security is built on the concept that layers of security components, when aggregated, provide the necessary protection from unauthorized access to the network. This process includes:
• Security policy built on good practices, using recognized standards
• Authorization and access controls addressed by identity management
• External perimeter control through the use of firewalls to protect the internal network from external intrusion
• Virtual private networks (VPNs) to allow authorized traffic through the firewall, using encryption techniques to prevent eavesdropping, and physical devices (tokens) of which the user must have custody to further enhance authentication
• Intrusion detection tools to identify suspect network activity and issue alerts
• Penetration testing to ensure that firewalls are securely configured
• Internal security assessments to evaluate policy and procedures
• Risk management to evaluate and identify networks and resources requiring enhanced security
• Internal network segmentation, limiting access of data in certain locations to authorized users and restricting that area from others within the enterprise
Business Impact and Risk
The enterprise's network is the primary communications channel in that:
• Key business processes (applications) function through the network.
• Financial transactions are stored and processed.
• E-mail containing privileged information is exchanged.
• Analysis, business strategy, intellectual property, presentations, etc., are stored and exchanged.
• Personal identification information may be stored and transmitted.
The failure to provide adequate network security could result in:
• Disclosure of privileged information
• Loss of physical assets
• Loss of intellectual property
• Loss of competitive advantage
• Loss of customer confidence
• Violation of regulatory requirements
• Disruption of network traffic, resulting in the inability to perform critical business functions
• Infection of computer systems with viruses and other malware, which disrupt processing and require costly disinfection
• Use of the network as a launching pad for malicious activity against other enterprises (and the potential to be held liable for their damages)
Objective and Scope
Objective: The objectives of the network perimeter security audit/assurance review are to:
• Provide management with an independent assessment relating to the effectiveness of the network perimeter security and its alignment with the IT security architecture and policy
• Provide management with an evaluation of the IT function's preparedness in the event of an intrusion
• Identify issues that affect the security of the enterprise's network
Scope: The review will focus on the network perimeter security, including associated policies, standards and procedures as well as the effectiveness of the security implementation.
[Before providing this document to the client, the reviewer should customize the remainder of this paragraph on scope to describe which networks within the enterprise will be reviewed. In addition, the reviewer should determine if the scope also includes independent penetration and intrusion testing. Generally, this requires significant planning to avoid disrupting the business processes and other network traffic. The scope should include such statements as:
• The review will focus on the networks at the XYZ location as well as the connectivity to the Internet.
• The web servers managed by third-party suppliers will be excluded from this review and assessed separately.]
Minimum Audit Skills
The IT audit and assurance professional must have an understanding of good-practice systems network security processes and requirements as well as a good grasp of networking concepts, exposures and control techniques. Professionals who have achieved CISA certification should have these skills.
VI. Audit/Assurance Program
Table columns: Audit/Assurance Program Step | COBIT Cross-reference | COSO Reference (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Hyper-link | Issue Cross-reference | Comments
COBIT cross-references and COSO component marks (✓) are given on the line after each control statement.
1. PLANNING AND SCOPING THE AUDIT
1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer should understand the operating environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Obtain and review the business continuity and IT continuity policies.
1.2.2 Obtain and review the business continuity plan (BCP) and IT continuity plan (ITCP).
1.2.3 Determine the entities addressed in the BCP and ITCP.
1.2.4 Establish initial boundaries of the audit/assurance review.
1.2.5 Identify limitations and/or constraints affecting audit of specific systems.
1.3 Define assurance.
The review requires two sources of standards. The corporate standards defined in policy and procedure documentation establish the corporate expectations. At minimum, corporate standards should be implemented. The second source, a good-practice reference, establishes industry standards. Enhancements should be proposed to address gaps between the two.
1.3.1 Review the business continuity policy and standards.
1.3.2 Determine if COBIT and the appropriate systems development framework will be used as a good-practice reference.
1.3.3 Determine if there are gaps in the policy.
1.4 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures utilization of audit resources in the most effective manner.
1.4.1 Identify the business risk associated with the BCP and ITCP.
1.4.2 Review previous audits of the BCP and ITCP and other assessments.
1.4.3 Determine if issues identified previously have been remediated.
1.4.4 Evaluate the overall risk factor for performing the review.
1.4.5 Based on the risk assessment, identify changes to the scope.
1.4.6 Discuss the risks with IT, business and operational audit management, and adjust the risk assessment.
1.4.7 Based on the risk assessment, revise the scope.
1.5 Define the change process.
The initial audit approach is based on the reviewer's understanding of the operating environment and associated risks. As further research and analysis are performed, changes to the scope and approach will result.
1.5.1 Identify the senior IT assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance program, and the authorizations required.
1.6 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.6.1 Identify the drivers for a successful review (this should exist in the assurance function's standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.
1.7 Define audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.7.1 Determine the audit/assurance skills necessary for the review.
1.7.2 Estimate the total resources (hours) and time frame (start and end dates) required for the review.
1.8 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses and the final report.
1.9 Communications
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the information security officer, the network security executive and the IT operations executive.
2. PREPARATORY STEPS
2.1 Obtain and review the current organization chart for the system and network administration areas.
2.1.1 Identify the key network administration staff, the security manager and the key network user stakeholders.
2.2 Obtain a copy of the latest network security risk analysis, including any information on system, data and service classifications.
2.2.1 Obtain and review a copy of the enterprise's:
• Security policy
• Security strategy or strategies
• Security procedures and standards
• Network inventory or schematic of physical network components
• Network problem-tracking, resolution and escalation procedures
• Security violation reports and management review procedures
• List of vendors and customers with access to the network
• Copies of contracts with service providers for data transmission
• Copies of signed user security and awareness documents
• New employee training materials relating to security
• Relevant legal and regulatory information related to security and information access
2.2.2 Interview the senior security officer and the IT security administrator.
3. NETWORK SECURITY DESIGN
3.1 Security risk analysis
Audit/assurance objective: Risk analysis should be employed to determine the exposures associated with the network security design.
Risk analysis methodology
Control: Risk methods are utilized to determine the probability and cost associated with network exposures, and asset ownership is assigned to establish accountability for risk decisions.
COBIT: PO4.8, PO6.2, PO9.4 | COSO: ✓ ✓
3.1.1.1 Determine that a methodical security risk analysis has been completed and documented.
3.1.1.2 Obtain and review a copy of the risk analysis and determine if it includes a detailed list of all information assets that need protection, such as servers and workstations, software and data, and services running on the platforms connected to the network.
3.1.1.3 Determine if an owner has been identified for each information asset and verify that a value has been assigned to each asset (high, medium, low) that represents the cost to the enterprise should the asset be compromised.
3.1.1.4 Compare the risk analysis with the network inventory or schematic of the network to verify that all of the physical access points to the information assets have been identified and the analysis is complete.
3.1.1.5 Obtain and review a copy of the results of the tests focused on penetration, weak point, vulnerability, honey pots, etc., performed in the past or at regular intervals, and determine what corrective and preventive actions were taken. Determine if a change plan exists.
3.2 Security policy
Audit/assurance objective: A network security policy that recognizes the good practices of a recognized network standard and establishes a clear network security strategy should be implemented.
Control: A security policy has been developed and documented, based on a recognized standard.
COBIT: PO4.8, PO6.2, DS5.10 | COSO: ✓
3.2.1.1 Determine that a documented security policy has been approved and implemented.
3.2.1.2 Obtain and review a copy of the security policy and determine if it conforms to relevant standards, such as ISO 17799 (since renumbered ISO/IEC 27002).
3.2.1.3 Determine if the security policy sets a clear policy direction and includes support and commitment by management for information security across the enterprise. The policy should contain:
• A definition of information security and its overall objectives and scope
• A statement of management intent, supporting the goals and principles of information security
• A brief explanation of the security policies, principles, standards and compliance requirements that are of particular importance to the enterprise
• A definition of general and specific responsibilities for information security management, including monitoring and reporting
• References to documentation that may support the policy, e.g., detailed security policies and procedures
Security strategy
Control: A security strategy that is in alignment with the security policy has been implemented.
COBIT: PO6.2, DS5.10 | COSO: ✓
3.2.1.4 Determine that a security strategy (or strategies) that is based on the security policy has been developed and documented. The strategy should specify the types of controls, such as demilitarized zones (DMZs), trust zones, hardened operating systems, least privilege and separation of duties, that should be implemented.
3.2.1.5 Confirm that each strategy is supported by documented detailed security procedures and standards. These procedures and standards should be specific to the application and operating system. Review the procedures and standards, and determine if they are detailed enough to enable a knowledgeable user to perform the procedure or configure the system or application.
3.2.1.6 Determine that the security strategy and its requirements are communicated to all parties who need them.
Third-party providers
Control: Third-party providers that are providing network services, or whose products require the enterprise's data to traverse their networks, must provide adequate assurance that the security policies required internally by the enterprise are satisfied.
COBIT: DS2.1, DS2.2, DS2.4 | COSO: ✓
3.2.1.7 Determine if sensitive data are processed on third-party networks.
3.2.1.8 If third parties are involved, determine if the contracts with those third parties require adherence to enterprise policy.
3.2.1.9 If third parties are involved, consider a relevant, scoped review of third-party network security.
3.3 Trust zones
Audit/assurance objective: Trust zones should be established to provide a classification for assigning appropriate security, based upon the sensitivity of the data processed in the zones.
Trust zone classification
Control: A trust zone is assigned for each network node, according to the sensitivity of the data traversing the network.
COBIT: PO2.3, PO6.2, DS5.10 | COSO: ✓
3.3.1.1 Review the network inventory or schematic of the network, and verify with knowledgeable IT network personnel that all of the physical access points to the information assets have been identified.
3.3.1.2 Verify that every connection to the network has been assigned a trust classification, based on the level of control required by the security policy. Four potential classifications for interconnected systems are:
• Trusted: Systems that are under direct control of the enterprise
• Semitrusted: Authenticated access required to protect exposed systems not accessible by the public
• Untrusted: Authenticated access required to specific information resources on exposed, publicly accessible systems
• Hostile: Restricted access to the required systems. Unauthorized access attempts are expected.
3.3.1.3 Verify that, for each of the connections documented previously, the protocols used to connect have been identified for both inward and outward services (HTTP, HTTPS, FTP, Telnet, etc.).
Control: The network segmentation is implemented according to the trust zone classifications.
COBIT: DS5.10 | COSO: ✓
3.3.1.4 Review the DMZ architecture in place and determine if it appears appropriate given the trust classifications and protocols associated with the connections to the network services.
3.3.1.5 Verify that the enterprise's internal network is on its own network segment and that services (e-mail, web, FTP, etc.) accessed from outside connections are classified into appropriate trust zones and partitioned or segmented appropriately.
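The following is an added example, not part of the ISACA program, showing how the trust-zone rules of steps 3.3.1.2 to 3.3.1.5 (and the router-placement rule of step 4.1.1.1) can be checked mechanically against a network inventory. The segment names, zones and links are a constructed sample; a link marked filtered is assumed to have a router ACL or firewall on it.

```python
"""Trust-zone segmentation check over a network inventory.

Two segments joined by a link without a filtering device are one flat
network, so they must share a trust classification; anything reachable
from outside the enterprise belongs in a DMZ segment, not on the trusted
internal segment.  Added example, not code from the ISACA program.
"""
from collections import defaultdict

# The four classifications of step 3.3.1.2, least to most trusted.
TRUST_LEVEL = {"hostile": 0, "untrusted": 1, "semitrusted": 2, "trusted": 3}


def flat_domains(segments, links):
    """Group segment names that can reach each other over unfiltered links only."""
    adjacent = defaultdict(set)
    for a, b, filtered in links:
        if not filtered:
            adjacent[a].add(b)
            adjacent[b].add(a)
    seen, domains = set(), []
    for start in segments:
        if start in seen:
            continue
        domain, stack = set(), [start]
        while stack:
            node = stack.pop()
            if node in domain:
                continue
            domain.add(node)
            stack.extend(adjacent[node] - domain)
        seen |= domain
        domains.append(domain)
    return domains


def check_segmentation(segments, links):
    """Return a list of (finding, detail) tuples; an empty list means compliant.

    segments: {name: {"zone": classification, "exposed": [services reachable
              from outside the enterprise]}}
    links:    [(segment_a, segment_b, filtered)], filtered=True when a router
              ACL or firewall separates the two segments (step 4.1.1.1)
    """
    for name, seg in segments.items():
        if seg["zone"] not in TRUST_LEVEL:
            raise ValueError(f"{name}: unknown trust classification {seg['zone']!r}")
    for a, b, _ in links:
        if a not in segments or b not in segments:
            raise ValueError(f"link {a}-{b} references an unknown segment")
    findings = []
    # Steps 3.3.1.4 / 4.1.1.1: differing trust levels need a filtering device between them.
    for domain in flat_domains(segments, links):
        zones = {segments[n]["zone"] for n in domain}
        if len(zones) > 1:
            findings.append(("mixed-trust-flat-domain",
                             ", ".join(sorted(domain)) + " share " + "/".join(sorted(zones))))
    # Step 3.3.1.5: externally reachable services live in a DMZ, never on the internal segment.
    for name, seg in sorted(segments.items()):
        if seg["zone"] == "trusted" and seg.get("exposed"):
            findings.append(("exposed-service-on-trusted-segment",
                             f"{name} exposes {', '.join(seg['exposed'])}"))
    return findings


# Constructed inventory for illustration; not a real network.
SAMPLE_SEGMENTS = {
    "internet": {"zone": "hostile", "exposed": []},
    "dmz": {"zone": "untrusted", "exposed": ["HTTPS", "SMTP"]},
    "internal": {"zone": "trusted", "exposed": ["FTP"]},    # FTP belongs in the DMZ
    "wifi": {"zone": "untrusted", "exposed": []},
    "partner": {"zone": "semitrusted", "exposed": []},
}
SAMPLE_LINKS = [
    ("internet", "dmz", True),      # border router ACL plus firewall
    ("dmz", "internal", True),      # internal firewall
    ("partner", "internal", True),  # VPN concentrator behind a firewall
    ("wifi", "internal", False),    # access point patched straight into the LAN switch
]

if __name__ == "__main__":
    for finding, detail in check_segmentation(SAMPLE_SEGMENTS, SAMPLE_LINKS):
        print(f"{finding}: {detail}")
```

Run as-is, the sample reports two findings: the wireless segment and the internal segment form one flat network of mixed trust (the situation step 4.6.1.3 warns about), and the internal segment exposes FTP to the outside. Marking the wifi link as filtered clears the first finding; moving FTP to the DMZ clears the second.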
3.4 Hardened systems
Audit/assurance objective: The operating systems for servers and other network appliances operating on the network should be configured for maximum security (hardened).
Harden the server operating system configurations.
Control: The configuration of servers' operating systems has been adequately secured (hardened) to limit exposure from well-documented exposures.¹
COBIT: DS5.10 | COSO: ✓
3.4.1.1 Determine if the core operating system has been hardened with the following:
• All services/daemons/started tasks not specifically required on each server have been disabled or removed.
• All current, relevant patches, service packs and other updates to the operating system and applications have been applied.
¹ If audit/assurance reviews addressing server identity management and configuration management were performed recently, with satisfactory ratings, reliance for this control may be placed on that effort.
• Unencrypted protocols have been avoided; where they have been implemented, the justification for their use is documented.
• External mail servers scan for malware prior to allowing e-mail files into the enterprise's network.
• Administrator accounts have been renamed to names that do not identify the accounts as administrators. (Renaming removes only the obvious name; the account's well-known identifier, such as the Windows built-in Administrator RID 500 or Unix UID 0, still reveals it, so this is a minor obstacle and not a substitute for strong authentication and restricted use.)
• Default passwords have been changed.
• Guest accounts have been disabled.
• Anonymous FTP has been disabled.
• Access to system logs is tightly restricted.
• At least seven days of log files are retained. (Seven days is a floor; retention should be long enough to support incident investigation and any regulatory requirement that applies.)
• Default file, directory and other permissions are restricted on a need-to-know basis.
• Warning messages are routed to information security professionals when users gain access to restricted areas.
3.4.1.2 Review the access role and category schemes to determine if the access privileges granted to users are restrictive enough to limit risks from malicious users. The concept of least privilege states that each subject should be granted the most restrictive set of privileges needed for the performance of authorized tasks.
Separation of duties of perimeter components
Control: The perimeter security strategy and policies provide for adequate separation of duties to preclude one individual from having access and control of the enterprise's entire network.
COBIT: PO4.6, DS5.10 | COSO: ✓
3.4.1.3 Review the overall perimeter security strategy and policy to verify that no one individual is allowed access to all the components of an enterprise's network security structure.
4. NETWORK SECURITY COMPONENTS
4.1 Routers
Audit/assurance objective: Routers should be configured to provide maximum security while providing appropriate access to the network segments.
Network segmentation
Control: Networks have been segmented by trust levels, using appropriately configured routers, and default password settings are changed from the factory defaults.
COBIT: DS5.10 | COSO: ✓
4.1.1.1 Review the network schematic, and verify that routers are installed between network segments of differing trust levels.
4.1.1.2 Verify with the network administrator that all unnecessary services and protocols have been removed from all external routers.
4.1.1.3 Determine, where possible, if encrypted passwords have been removed from router configuration files. Note that some vendors' reversible password encoding (Cisco's type 7, for example) is trivially decoded, so any copy of a configuration that leaves the device (backups, copies sent to support staff or vendors) should be treated as containing cleartext credentials.
4.1.1.4 Determine if all access to routers has been limited (Telnet and HTTP ports are disabled in favor of SSH and HTTPS, IP addresses from which network administrators can connect to routers are limited, and modems are removed from router auxiliary ports).
4.1.1.5 Review and determine to what extent external routers are providing coarse filtering capabilities that can be applied to the entire network to reduce granular filtering by firewalls. Determine if external routers are filtering out (denying) the following:
• Incoming traffic with a source address that is internal to the network, within the range of invalid or private addresses, or the loopback address of 127.0.0.1
• Incoming traffic addressed directly to critical hosts, such as the firewalls or the firewall management console
• Incoming traffic with IP options set, such as source routing
• Incoming traffic destined for the broadcast address of a subnet
• All incoming and outgoing Internet Control Message Protocol (ICMP) traffic, other than the few message types operations depends on: dropping ICMP wholesale also drops the "fragmentation needed" messages (type 3, code 4) that path MTU discovery relies on, so those should be permitted and the rest denied or rate-limited
• All outgoing traffic except that with a source address internal to the network
4.1.1.6 Confirm that external routers are not being used as granular filters and that stateful or dynamic filtering is being implemented by the firewall in accordance with the firewall policy.
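Added example (not from the ISACA program): the coarse filter of step 4.1.1.5 expressed as code and exercised against constructed packets. The enterprise range 203.0.113.0/24, the perimeter device addresses and the sample packets are assumptions. It goes one step beyond the list above by permitting the ICMP "fragmentation needed" message that path MTU discovery needs, and it leaves everything else to the firewall, as step 4.1.1.6 requires.

```python
"""Coarse ingress/egress filter of the kind step 4.1.1.5 expects an external
router to apply, evaluated against constructed packets.  Added example, not
code from the ISACA program; the address ranges are assumptions."""
import ipaddress
from dataclasses import dataclass

# Assumed public range of the enterprise (documentation prefix TEST-NET-3).
INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed perimeter devices that outside hosts must never address directly.
CRITICAL_HOSTS = {ipaddress.ip_address("203.0.113.1"),   # firewall outside interface
                  ipaddress.ip_address("203.0.113.2")}   # firewall management console
# Sources that can never legitimately arrive from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# ICMP the router still passes: "fragmentation needed" (type 3, code 4) is what
# path MTU discovery relies on; blanket ICMP denial silently breaks large transfers.
ICMP_ALLOW = {(3, 4)}


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = from the Internet, "out" = towards the Internet
    src: str
    dst: str
    proto: str = "tcp"        # "tcp", "udp" or "icmp"
    ip_options: tuple = ()    # e.g. ("lsrr",) for loose source routing
    icmp_type: int = 0
    icmp_code: int = 0


def _in_any(addr, nets):
    return any(addr in n for n in nets)


def router_verdict(pkt):
    """Return (verdict, reason). "pass" means hand the packet to the firewall
    for stateful filtering (step 4.1.1.6); the router itself stays coarse."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if pkt.direction == "in":
        if _in_any(src, INTERNAL_NETS):
            return "deny", "inbound packet claims an internal source address (spoofing)"
        if _in_any(src, BOGON_NETS):
            return "deny", "inbound packet from a private, loopback or reserved source"
        if pkt.ip_options:
            return "deny", "IP options set: " + ", ".join(pkt.ip_options)
        if any(dst == n.broadcast_address for n in INTERNAL_NETS):
            return "deny", "directed broadcast to an internal subnet"
        if dst in CRITICAL_HOSTS:
            return "deny", "inbound traffic addressed to a perimeter device"
    elif pkt.direction == "out":
        if not _in_any(src, INTERNAL_NETS):
            return "deny", "outbound packet with a non-internal source address"
    else:
        raise ValueError(f"unknown direction {pkt.direction!r}")
    if pkt.proto == "icmp" and (pkt.icmp_type, pkt.icmp_code) not in ICMP_ALLOW:
        return "deny", f"ICMP type {pkt.icmp_type} code {pkt.icmp_code} not permitted"
    return "pass", "coarse filter passed; stateful inspection happens at the firewall"


# Constructed packets exercising each rule (not captured traffic).
SAMPLE_PACKETS = [
    Packet("in", "10.1.2.3", "203.0.113.10"),                                 # private source
    Packet("in", "203.0.113.50", "203.0.113.10"),                             # spoofed internal source
    Packet("in", "198.51.100.7", "203.0.113.10", ip_options=("lsrr",)),       # source routed
    Packet("in", "198.51.100.7", "203.0.113.255"),                            # directed broadcast
    Packet("in", "198.51.100.7", "203.0.113.1"),                              # aimed at the firewall
    Packet("in", "198.51.100.7", "203.0.113.10", proto="icmp", icmp_type=8),  # echo request
    Packet("in", "198.51.100.7", "203.0.113.10", proto="icmp", icmp_type=3, icmp_code=4),  # PMTUD
    Packet("out", "192.168.1.5", "198.51.100.7"),                             # leaked private source
    Packet("out", "203.0.113.10", "198.51.100.7"),                            # ordinary egress
]


def evaluate(packets):
    """Verdict for each packet, in order."""
    return [router_verdict(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        verdict, reason = router_verdict(p)
        print(f"{p.direction:3} {p.src:>14} -> {p.dst:<14} {verdict:4} {reason}")
```

Only the PMTUD message and the ordinary egress packet pass; every other sample is denied with the reason the auditor would expect to see in the router's ACL comments.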
4.2 Switches
Audit/assurance objective: Switches should be placed on the network to direct traffic, provide acceptable performance, limit access to restricted network segments and provide assurance that only authorized technicians have access to the switch management facility.
Switch placement
Control: Switches are strategically placed on the network to maximize performance, secure the switch configuration and permit appropriate management.
4.2.1.1 Review the placement and use of switches in the network schematic. Where there are switches that have the capability to be managed and/or monitored remotely, ensure that the network administrator has taken steps to limit access to these devices and protect passwords.
Switch usage
Control: Switches are utilized for network performance; routers are used when it is necessary to secure a segment of the network.
4.2.1.2 Review the use of switches on sensitive network segments to determine if the switch provides the appropriate security or if a router solution may be more appropriate. (A VLAN on a switch separates broadcast domains but does not filter traffic; where the policy requires access control between segments, a filtering router or firewall is needed.)
4.3 Firewalls
Audit/assurance objective: Firewalls should be configured to provide maximum security to sensitive data, and policies and standards should be established to identify the required firewall rules.
Firewall rule requirements
Control: The firewall rule requirements are assessed and documented.
COBIT: DS5.10 | COSO: ✓
4.3.1.1 Determine with application, system and network administrators if there is a complete, documented understanding of network traffic that needs to pass into and out of the enterprise's network.
4.3.1.2 Discuss with the network administrator the reasoning behind the architecture and type of firewall installed, and determine if the choice was made based on an objective evaluation of the needs and requirements of the enterprise.
Firewall configuration
Control: The firewall configuration reflects the rule-set requirements.
COBIT: DS5.10 | COSO: ✓
4.3.1.3 Review the firewall rule set to determine if the default-deny principle, by which all traffic is denied except that which is explicitly required, has been appropriately implemented into the firewall rules.
4.3.1.4 Examine the default, implicit rule set that is shipped with a firewall to ensure that it is not circumventing the explicit rules defined by the enterprise's policy.
4.3.1.5 Review the termination of VPNs to ensure that only trusted networks and clients have VPN access. VPNs that connect any nontrusted source should not be permitted through a firewall without some form of filtering at the VPN's termination; traffic inside an encrypted VPN tunnel cannot be inspected by a firewall until it has been decrypted, so the filtering must be applied at or behind the termination point.
4.3.1.6 Verify that the firewall configuration blocks inbound remote access software (remote desktop, pcAnywhere, Virtual Network Computing [VNC], etc.) unless authorized in writing by information security management, and such use is documented and monitored.
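Added example (not from the ISACA program) of the rule-set review in steps 4.3.1.3 to 4.3.1.6: first-match evaluation, the default-deny check, detection of rules shadowed by an earlier broader rule, and a scan for remote-access ports reachable from outside without a written exception. The rules, the internal range 203.0.113.0/24 and the exception list are constructed for illustration.

```python
"""Firewall rule-set review helpers for steps 4.3.1.3 to 4.3.1.6: first-match
evaluation, the default-deny check, shadowed-rule detection and a scan for
inbound remote-access ports without a written exception.  Added example,
not code from the ISACA program; the rules and addresses are constructed."""
import ipaddress

ANY = "any"
# Well-known ports of the remote-access software named in step 4.3.1.6.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5631: "pcAnywhere", 5632: "pcAnywhere"}


class Rule:
    def __init__(self, action, src, dst, proto, dport, comment=""):
        self.action, self.proto, self.dport, self.comment = action, proto, dport, comment
        self.src, self.dst = ipaddress.ip_network(src), ipaddress.ip_network(dst)

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in self.src and ipaddress.ip_address(dst) in self.dst
                and self.proto in (ANY, proto) and self.dport in (ANY, dport))

    def covers(self, other):
        """True when every packet matching `other` also matches this rule."""
        return (self.src.supernet_of(other.src) and self.dst.supernet_of(other.dst)
                and self.proto in (ANY, other.proto) and self.dport in (ANY, other.dport))


def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins; no match falls through to the implicit deny."""
    for index, rule in enumerate(rules):
        if rule.matches(src, dst, proto, dport):
            return rule.action, index
    return "deny", None


def review(rules, internal_net, authorized_remote_access=frozenset()):
    """Return (finding, rule_index, detail) tuples; an empty list means no issue found."""
    internal_net = ipaddress.ip_network(internal_net)
    findings = []
    last = rules[-1]
    if not (last.action == "deny" and last.src.prefixlen == 0 and last.dst.prefixlen == 0
            and last.proto == ANY and last.dport == ANY):
        findings.append(("no-explicit-default-deny", len(rules) - 1, "rule set should end in deny any any"))
    for j, rule in enumerate(rules):
        external = not rule.src.subnet_of(internal_net)
        # 4.3.1.3: permitting every port from anywhere is the opposite of default deny.
        if rule.action == "permit" and rule.src.prefixlen == 0 and rule.dport == ANY:
            findings.append(("permit-any-port-from-anywhere", j, rule.comment))
        # 4.3.1.4: an earlier, broader rule makes this one unreachable.
        for i in range(j):
            if rules[i].covers(rule):
                kind = "shadowed-conflicting" if rules[i].action != rule.action else "redundant"
                findings.append((kind, j, f"covered by rule {i}"))
                break
        # 4.3.1.6: remote-access ports open from outside need a written exception.
        if rule.action == "permit" and external:
            names = sorted({name for port, name in REMOTE_ACCESS_PORTS.items()
                            if rule.dport in (ANY, port)
                            and (str(rule.dst), port) not in authorized_remote_access})
            if names:
                findings.append(("unauthorized-remote-access", j, ", ".join(names)))
    return findings


# Constructed rule set; the internal range and the exception are assumptions.
INTERNAL_NET = "203.0.113.0/24"
AUTHORIZED_REMOTE_ACCESS = {("203.0.113.30/32", 5900)}   # written exception from security management
RULES = [
    Rule("permit", "0.0.0.0/0", "203.0.113.0/24", "tcp", 443, "public web servers"),
    Rule("permit", "0.0.0.0/0", "203.0.113.20/32", "tcp", 25, "inbound mail relay"),
    Rule("permit", "0.0.0.0/0", "203.0.113.0/24", "tcp", ANY, "legacy catch-all, undocumented"),
    Rule("deny", "0.0.0.0/0", "203.0.113.30/32", "tcp", 3389, "no RDP to the file server"),
    Rule("permit", "198.51.100.0/24", "203.0.113.30/32", "tcp", 5900, "vendor VNC, written exception"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", ANY, ANY, "default deny"),
]

if __name__ == "__main__":
    for finding in review(RULES, INTERNAL_NET, AUTHORIZED_REMOTE_ACCESS):
        print(finding)
    print(evaluate(RULES, "198.51.100.9", "203.0.113.30", "tcp", 3389))  # the catch-all lets RDP through
```

The catch-all at index 2 produces every finding: it contradicts default deny, it shadows the explicit RDP deny beneath it, it makes the VNC exception redundant, and it opens every remote-access port from the Internet. Deleting that one rule empties the findings and makes the sample RDP flow hit the deny.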
4.4 Remote access: VPNs
Audit/assurance objective: VPNs should be used to provide secure remote access from outside the enterprise's internal network. The VPN should encrypt network traffic between the external source and the internal firewall, and provide authentication security.
VPN utilization
Control: VPNs are required to access sensitive enterprise information.
COBIT: DS5.10 | COSO: ✓
4.4.1.1 Determine if the remote access policy establishes classification of data requiring VPN utilization.
VPN configuration
Control: The VPN configuration provides communication security through encryption and ensures authentication.
COBIT: DS5.10 | COSO: ✓
4.4.1.2 Evaluate whether encryption is being utilized to minimize the exposure of unauthorized access to confidential files stored on clients connected to an enterprise's network via a VPN.
4.4.1.3 Determine if client workstation standards require a workstation utilizing a client-based VPN to have unnecessary services removed that could be a source of exploitation.
4.4.1.4 Determine if the inbound ports that are sensitive (i.e., e-mail, file access/sharing, internal web sites, etc.) are unavailable without a VPN connection.
4.4.1.5 Determine that split tunneling is disabled on VPN clients, so that a connected client cannot act as a bridge between the enterprise network and the untrusted network it is attached to.
4.5 Remote access: Dial-up
Audit/assurance objective: Dial-up remote access use should be minimized to situations where other access is not feasible and appropriate controls to positively identify the user and user location are employed.
Control: Remote dial-up access is secured through configuration controls, use is limited to necessary functions, encryption is utilized where possible, and workstations available for remote dial-up access are restricted.
COBIT: DS5.10 | COSO: ✓
4.5.1.1 Review and determine if servers connected to dial-up remote access capabilities are utilizing strong authentication controls. These controls should include requirements for minimum-length passwords with mixed characters and frequent change.
4.5.1.2 Review and confirm that end users are restricted from connecting modems to their desktop machines unless specifically authorized to do so.
4.5.1.3 Review and determine whether the following dial-up countermeasures have been implemented to reduce the risk of unauthorized access to network resources:
• Granting access to only specific users
• Using dial-up server features to restrict users to specific devices and applications
• Utilizing call-back modems
• Restricting remote access times, when possible
• Using separate dial-up usernames and passwords from those used for accessing the network
• Regularly monitoring all remote access traffic
• Utilizing tokens, smart cards, and biometric or digital certificates, when practical, to strengthen authentication
• Using authentication methods that do not expose the password on the line, such as challenge handshake authentication protocol (CHAP). Password authentication protocol (PAP) sends the password in cleartext and Shiva password authentication protocol (SPAP) uses a reversible encoding, so neither should be relied on as an encrypted method.
4.6 Wireless networking
Audit/assurance objective: Wireless networking should be secured with encryption features, authentication and, if possible, tokens.
Control: Encryption and user authentication is required for wireless networks. Use of tokens is strongly recommended.
COBIT: DS5.10 | COSO: ✓
4.6.1.1 Verify that Wi-Fi Protected Access (WPA) is enabled and that WEP is not in use anywhere; WPA2 with AES-CCMP is preferable to the original WPA with TKIP.
4.6.1.2 Confirm that factory defaults for administrator user ID, password, WPA key and Service Set Identifier (SSID) have been changed.
4.6.1.3 Confirm that the wireless network has not been placed on the internal side or trusted side of an enterprise's perimeter firewall.
4.6.1.4 Confirm that perimeter firewalls allow traffic only from a wireless network that uses Internet protocol security (IPSec), i.e., a network over which an IPSec VPN runs for confidentiality purposes.
4.6.1.5 Determine if separate keys have been assigned to each wireless device and are changed frequently. (A single pre-shared key cannot satisfy this; per-device or per-session keys require 802.1X/EAP authentication.)
4.6.1.6 Determine if tokens are required.
4.7 Intrusion detection
Audit/assurance objective: Intrusion detection tools should be employed to monitor for intrusions.
Intrusion detection program
Control: Intrusion detection software is installed and monitored, and intrusion alerts are researched.
COBIT: DS5.10 | COSO: ✓
4.7.1.1 Confirm that host-based and network-based intrusion detection schemes are in place.
4.7.1.2 Ensure that network-based intrusion detection schemes address the following conceptual elements:
• Event module (the sensor)
• Analysis module (the traffic analyzer)
• Response module (generates the configured response to a detected attack)
• Database module (records traffic history)
4.7.1.3 Obtain and review the documented incident response procedures to determine if a knowledgeable individual will be able to investigate, understand and perform root cause analysis, and implement the appropriate response.
4.7.1.4 Determine if an incident triggers a response from the Computing Incident Response Team (CIRT).²
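Added example (not from the ISACA program) of a network intrusion detection pipeline built from the four conceptual elements of step 4.7.1.2: an event module parses constructed sensor records, a database module keeps traffic history, an analysis module flags one source touching many distinct host:port targets within a time window as a port scan, and a response module records the alert and queues the source for blocking. The log lines, the 60-second window and the ten-target threshold are assumptions.

```python
"""Minimal network intrusion detection pipeline organised around the four
conceptual elements of step 4.7.1.2, run over constructed sensor records.
Added example, not code from the ISACA program; the log lines, threshold
and window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor output (not captured traffic): "timestamp src dst dport tcp-flags".
# 198.51.100.7 sweeps twelve ports in twelve seconds; .8 and .9 behave normally.
SAMPLE_LOG = """\
2009-03-01T10:00:00 198.51.100.7 203.0.113.10 21 S
2009-03-01T10:00:00 198.51.100.8 203.0.113.10 443 S
2009-03-01T10:00:01 198.51.100.7 203.0.113.10 22 S
2009-03-01T10:00:02 198.51.100.7 203.0.113.10 23 S
2009-03-01T10:00:03 198.51.100.7 203.0.113.10 25 S
2009-03-01T10:00:04 198.51.100.7 203.0.113.10 53 S
2009-03-01T10:00:05 198.51.100.9 203.0.113.10 22 S
2009-03-01T10:00:05 198.51.100.7 203.0.113.10 80 S
2009-03-01T10:00:06 198.51.100.7 203.0.113.10 110 S
2009-03-01T10:00:07 198.51.100.7 203.0.113.10 135 S
2009-03-01T10:00:08 198.51.100.7 203.0.113.10 139 S
2009-03-01T10:00:09 198.51.100.7 203.0.113.10 443 S
2009-03-01T10:00:10 198.51.100.7 203.0.113.10 445 S
2009-03-01T10:00:11 198.51.100.7 203.0.113.10 3389 S
2009-03-01T10:00:30 198.51.100.8 203.0.113.10 443 S
2009-03-01T10:03:00 198.51.100.9 203.0.113.10 23 S
2009-03-01T10:06:00 198.51.100.9 203.0.113.10 25 S
"""


class EventModule:
    """The sensor: turns one raw record into a normalised event."""
    @staticmethod
    def parse(line):
        ts, src, dst, dport, flags = line.split()
        return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                "dport": int(dport), "flags": flags}


class DatabaseModule:
    """Traffic history, indexed by source so the analyser can look back in time."""
    def __init__(self):
        self.by_src = defaultdict(list)

    def record(self, event):
        self.by_src[event["src"]].append(event)

    def recent(self, src, since):
        return [e for e in self.by_src[src] if e["ts"] >= since]


class AnalysisModule:
    """Traffic analyser: one source touching many distinct host:port targets
    within the window is reported as a port scan, once per source."""
    def __init__(self, db, window=timedelta(seconds=60), port_threshold=10):
        self.db, self.window, self.port_threshold = db, window, port_threshold
        self.alerted = set()

    def inspect(self, event):
        if "S" not in event["flags"] or event["src"] in self.alerted:
            return None  # only connection attempts count, and one alert per source
        history = self.db.recent(event["src"], event["ts"] - self.window)
        targets = {(e["dst"], e["dport"]) for e in history}
        if len(targets) >= self.port_threshold:
            self.alerted.add(event["src"])
            return {"signature": "port-scan", "src": event["src"],
                    "targets": len(targets), "ts": event["ts"]}
        return None


class ResponseModule:
    """Configured response: record the alert and queue the source for blocking."""
    def __init__(self):
        self.alerts, self.blocked = [], set()

    def handle(self, alert):
        self.alerts.append(alert)
        self.blocked.add(alert["src"])


def run_ids(lines, **analysis_options):
    """Feed sensor records through the four modules; returns the response module."""
    db, responder = DatabaseModule(), ResponseModule()
    analyser = AnalysisModule(db, **analysis_options)
    for line in lines:
        if not line.strip():
            continue
        event = EventModule.parse(line)
        db.record(event)              # history first, so the current event counts
        alert = analyser.inspect(event)
        if alert:
            responder.handle(alert)
    return responder


if __name__ == "__main__":
    for alert in run_ids(SAMPLE_LOG.splitlines()).alerts:
        print(f"{alert['ts'].isoformat()} {alert['signature']} from {alert['src']} "
              f"({alert['targets']} targets)")
```

On the sample, one alert fires at 10:00:09, when the scanner reaches its tenth distinct port; the host that repeats one port and the host that touches three ports over six minutes never cross the threshold, which is the kind of tuning an auditor should expect to find documented for step 4.7.1.3.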
4.8 Network security assessments
Audit/assurance objective: Network security assessments, including external penetration tests, internal security assessments, and reviews of policies and procedures, should be performed regularly, and the results of these assessments should be provided to the IT executive and risk management executive.
Penetration tests
Control: Penetration tests are performed on a regular schedule (monthly to quarterly, depending on the sensitivity).
COBIT: DS5.10 | COSO: ✓ ✓ ✓
4.8.1.1 Determine that a systematic approach has been developed and documented for conducting penetration tests.
4.8.1.2 Confirm that specific requirements have been developed and documented for the penetration tests that are conducted.
4.8.1.3 Confirm that test metrics have been developed so the results of penetration tests can be quantified and measured.
4.8.1.4 Determine if penetration tests are limited to the externally facing network, or if they also include sensitive internal networks that are protected by internal firewalls.
4.8.1.5 Ensure that the results of penetration tests are communicated adequately to the technical staff and management.
4.8.1.6 Ensure that the results of penetration tests are considered adequately in the change plan.
2
@e+er to Incident &anagement Audit)Assurance .rogram.
Internal network assessments
Control: Internal network assessments that review the configurations, policies
and utilization of network appliances are performed at least annually.
COBIT cross-reference: DS5.10 | COSO reference: ✓ ✓ ✓
4.8.1.7 Determine if information security management performs an internal
network self-assessment, and evaluate the frequency and effectiveness
of the program.
4.8.1.8 Determine if professional reviews of the network security policy and
implementation are performed periodically.
VII. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review, and the
reviewer's observations, assign a maturity level to the following COBIT control practice.
[Table column headings: COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyperlink | Comments]
DS5.10 Network Security
1. Establish, maintain, communicate and enforce a network security policy (e.g., provided
services, allowed traffic, types of connections permitted) that is reviewed and updated on a
regular basis (at least annually).
2. Establish and regularly update the standards and procedures for administering all networking
components (e.g., core routers, DMZ, VPN switches, wireless).
3. Properly secure network devices with special mechanisms and tools (e.g., authentication for
device management, secure communications, strong authentication mechanisms). Implement
active monitoring and pattern recognition to protect devices from attack.
4. Configure operating systems with minimal features enabled (e.g., features that are necessary
for functionality and are hardened for security applications). Remove all unnecessary
services, functionalities and interfaces (e.g., graphical user interface [GUI]). Apply all
relevant security patches and major updates to the system in a timely manner.
5. Plan the network security architecture (e.g., DMZ architectures, internal and external
network, IDS placement and wireless) to address processing and security requirements.
Ensure that documentation contains information on how traffic is exchanged through systems
and how the structure of the organization's internal network is hidden from the outside
world.
6. Subject devices to reviews by experts who are independent of the implementation or
maintenance of the devices.