Vulnerability Assessment Audit Work Program
High-Level Directions
Source: www.knowledgeleader.com
Section | Key Objectives/Control Questions | Results
Security Requirements
maintained?
• Verify that all data classifications are signed off on by the business owner of that data and that security classifications are reviewed periodically for accuracy.
• Confirm that a brief description accompanies each recorded security classification, and that each classification carries a unique identifier.
Secure Environment
Malicious Code
Documents Requested:
− Incidents that may require forensic investigation
• Escalation process to address situations involving suspected or actual malicious code
• Escalation process for reporting serious attacks (emergency response process)
• Patch management framework/strategy

environment, manufacturing facility and a regional outsourced data center.
− Perform a basic vulnerability scan on the three selected subnets for the presence of three critical Microsoft Windows patches (MS04-011, MS05-039, MS06-040). Exploit weaknesses if found.
− Test the third-party vendor's response to suspected malicious internal traffic (generated by the above tests).
• Review the noncompliance report generated for the MS04-011, MS05-039 and MS06-040 patches.
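One way to produce the noncompliance report that the scan step and the review step above both refer to, written here as an added example (it is not part of the work program and not a KnowledgeLeader tool): gather each host's installed hotfix list and diff it against the three bulletins. The KB-to-bulletin mapping, the `host:` inventory layout and the hostnames are my assumptions; the inventory text is constructed for the example.

```python
import re

# Bulletin -> hotfix (KB) id that closes it. These KB numbers are my own
# assumption from the Microsoft bulletins; the page only names the bulletins.
REQUIRED_KBS = {
    "MS04-011": "KB835732",  # LSASS and related fixes (exploited by Sasser)
    "MS05-039": "KB899588",  # Plug and Play overflow (exploited by Zotob)
    "MS06-040": "KB921883",  # Server service overflow
}

# Constructed sample inventory for this example: one "host:" line per machine
# followed by rows in the style of `wmic qfe get HotFixID,InstalledOn`.
# DC-RGN-01 answered the query but returned no hotfix rows at all.
SAMPLE_INVENTORY = """\
host: WKS-FIN-01
HotFixID   InstalledOn
KB835732   4/20/2004
KB899588   8/12/2005
KB921883   8/10/2006

host: SRV-MFG-02
HotFixID   InstalledOn
KB835732   4/20/2004
KB899588   8/12/2005
KB888888   6/14/2006

host: DC-RGN-01
HotFixID   InstalledOn
"""

HOST_RE = re.compile(r"^host:\s*(\S+)", re.IGNORECASE)
KB_RE = re.compile(r"^(KB\d{6,7})\b", re.IGNORECASE)


def parse_inventory(text):
    """Return {hostname: set of installed KB ids}.

    A host that produced no hotfix rows still appears with an empty set, so
    missing evidence is reported as such rather than silently read as
    "no patches missing".
    """
    installed = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        host = HOST_RE.match(line)
        if host:
            current = host.group(1).upper()
            installed.setdefault(current, set())
            continue
        kb = KB_RE.match(line)
        if kb and current is not None:
            installed[current].add(kb.group(1).upper())
    return installed


def noncompliance_report(installed, required=REQUIRED_KBS):
    """Return {hostname: [bulletins whose KB is absent]} for every host."""
    return {
        host: [bulletin for bulletin, kb in required.items() if kb not in kbs]
        for host, kbs in sorted(installed.items())
    }


def summarize(installed, required=REQUIRED_KBS):
    """Workpaper counts. A host with no inventory rows is 'no_inventory',
    not 'noncompliant': it needs a rescan or a manual check, not a finding."""
    counts = {"compliant": 0, "noncompliant": 0, "no_inventory": 0}
    missing = noncompliance_report(installed, required)
    for host, kbs in installed.items():
        if not kbs:
            counts["no_inventory"] += 1
        elif missing[host]:
            counts["noncompliant"] += 1
        else:
            counts["compliant"] += 1
    return counts


if __name__ == "__main__":
    inv = parse_inventory(SAMPLE_INVENTORY)
    for host, missing in noncompliance_report(inv).items():
        status = "MISSING " + ", ".join(missing) if missing else "compliant"
        if not inv[host]:
            status = "no hotfix inventory returned"
        print(f"{host:12} {status}")
    print(summarize(inv))
```

Hotfix enumeration is evidence of installation, not of vulnerability state: a later rollup may supersede the KB, an OS version may not be affected at all, and a patch may be installed but waiting on a reboot. Reconcile this report with the network scan from the test step rather than treating either one alone as the answer.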
Patch Management
• Verify that a process has been defined for the testing and installation of system patches and updates.
− Is all patch testing performed in accordance with the corporate policy?
− How often are patches pushed to critical servers and workstations?
− Do operations personnel receive key security advisories, including information on new vulnerabilities and patches, from industry-recognized security groups and vendors (e.g., Microsoft, CERT, CIAC, Cisco)?
− Does the process define the roles and responsibilities of the patch management function?
− Is there a process in place to identify non-Microsoft and application-specific patches?
• Confirm that IT personnel keep a log of rolled-out patches. The log should contain at least the date, the vendor and the type of each patch.
Special Topics
Documents Requested:
− Instant messaging services
• Mail server configurations
• Inventory of key third-party connections
• Sample outsourcing contracts
• Escalation process for reporting outsourcing provider security issues

• Send malicious attachments to/from a valid Lotus Notes account.
• Log into and use Yahoo Mail, Hotmail and other third-party access websites to send emails to a Lotus Notes account.
• Connect to AOL Instant Messenger and MSN Messenger to verify whether the ports are blocked.
• Pull the firewall logs for outbound traffic on common instant messaging TCP/UDP ports.
Public Key Infrastructure
• For an enterprise that makes use of a public key infrastructure (PKI), documented standard procedures should be established, which define:
− The process required to manage cryptographic keys/digital certificates within the PKI
− The methods required to operate the PKI
− The actions to be taken in the event of a compromise or suspected compromise of the PKI
• Are users aware of their responsibility to protect their private keys?
E-mail
• Does the acceptable use policy include email provisions? Below is a list of topics that should be covered:
− Configuring mail servers (assuming a pre-built image isn't already provided)
◦ Are mail servers covered in configuration management documentation?
− Applying the industry-approved anti-virus solution to the email infrastructure
− Scanning email for viruses and offensive material
− Applying encryption for sensitive data (if applicable)
− Making users aware of the consequences of improper email use
− Prohibiting the use of web email, automatic forwarding to external addresses, private encryption and the opening of attachments from unauthorized sources
• Verify that capacity planning efforts have been documented to ensure that the mail server is not overloaded.
− Are controls in place to limit the size of each message and mailbox?
− Are there restrictions on the use of large distribution lists?
− Are spam filters in place to eliminate spam messages sent to the corporate servers?
• Verify that a legal banner is appended to all outgoing mail messages and return-to-sender messages. It should warn all users and recipients that the contents of the message may legally be in the possession of the organization and that use may be monitored.
request process?
− If not, why?
• Is third-party access part of the vendor management program?
− If not, why?
• Discuss the processes surrounding the provisioning and termination of third-party access.
− Are the business risks associated with the third party assessed?
− Is senior management responsible for authorizing third-party access?
− Are contracts in place between the two parties to waive liability if damage occurs?
• Assess the technical controls in place between the third party and the corporate architecture.
− Are all communications between the two parties encrypted?
− If a VPN is used, is split tunneling disabled?
− Is a TACACS server used to centrally manage all accounts, and are all login attempts logged?
− Are all vendor actions logged to a central repository?
− Are sessions automatically terminated when idle thresholds are met?
Electronic Commerce
• Discuss the organization of the group that is responsible for all electronic commerce initiatives.
− Is there a top-level business manager ultimately responsible for all electronic commerce?
− Is there a high-level group responsible for coordinating electronic commerce initiatives throughout the organization?
• Confirm that a risk analysis has been performed prior to the execution of any major electronic commerce venture.
− Was an industry-proven risk analysis method used?
− Did it focus on key risks, such as capacity problems due to high customer demand or disclosure of sensitive customer information?
• Confirm that adequate testing has been performed prior to going live. A review should be performed by an experienced information security practitioner and approved by senior management.
• Verify that plans are in place to ensure that important domain registrations are renewed and that domain names that could be used to masquerade as the organization are registered.
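The last objective is usually tested by generating the lookalike names an attacker would pick and checking which of them the organization already holds. The following is an added example of that step, not part of the work program: it builds the classic typo and homoglyph variants of a brand label and lists those absent from a constructed list of defensive registrations. The homoglyph table, the alternate TLDs and the `acme` brand are my assumptions.

```python
# Single-character substitutions that read alike in many fonts or at a glance.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}
# TLDs worth holding defensively besides the primary one; my assumption.
ALT_TLDS = ("net", "org", "co", "biz", "info")


def lookalike_candidates(label, tld="com"):
    """Return a sorted list of domains that could masquerade as label.tld.

    Covers the classic typo/lookalike families: omitted character, adjacent
    transposition, doubled character, homoglyph substitution, inserted hyphen,
    and the same label under other TLDs. Only ASCII tricks are generated;
    IDN homographs (Cyrillic 'a' for Latin 'a', etc.) need a separate pass.
    """
    label = label.lower()
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                 # omission
        variants.add(label[:i] + label[i] + label[i:])          # repetition
        if label[i] in HOMOGLYPHS:                              # homoglyph
            variants.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for i in range(len(label) - 1):                              # transposition
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                               # hyphenation
        variants.add(label[:i] + "-" + label[i:])
    variants.discard(label)  # a transposition of equal neighbours yields the label itself
    domains = {f"{v}.{tld}" for v in variants if v}
    domains |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}
    return sorted(domains)


def not_held(candidates, held):
    """Candidates not in the organization's own registration list `held`.

    In a real review each remaining name is then looked up (WHOIS/DNS) to
    distinguish 'free to register defensively' from 'already taken by a
    third party', which is the finding that matters. That lookup is network
    work and is left out of this offline example.
    """
    held = {h.lower() for h in held}
    return [c for c in candidates if c not in held]


if __name__ == "__main__":
    # Constructed example: the organization holds acme.com plus two variants.
    held_names = {"acme.com", "acme.net", "acme.org"}
    cands = lookalike_candidates("acme")
    print(len(cands), "candidates; not held:", not_held(cands, held_names))
```

The candidate list is deliberately broad; the auditor's evidence is the subset a third party has already registered, so the WHOIS/DNS check on the remainder is the part of the test that cannot be skipped.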
Outsourcing
• Discuss the strategy and policies for outsourced providers and the transfer of activity to them.
− Have the information risks associated with outsourcing been thoroughly examined?
− Have critical and sensitive parts of the network been identified and segregated?
− Has an exit strategy been formed in the eventuality of an early
Instant Messaging
• Confirm that there are documented policies that outline proper usage of instant messaging clients. Topics can include:
− Guidelines for business and personal use
− The types of instant messaging services permitted
− User guidelines for acceptable use
− Details of any monitoring activities that may take place on the network
− Disabling of bundled services (video, voice, etc.)
• Assess the technical controls prohibiting the misuse of instant messaging software.
− Is encryption used to protect sensitive messages?
− Is logging of key events enabled at clients and servers?
− Are firewalls blocking instant messaging traffic at the network perimeter?
− Is a standard configuration applied to all employee machines?
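Both the Special Topics test step ("pull the firewall logs for outbound traffic on common instant messaging TCP/UDP ports") and the perimeter-blocking question above come down to the same review of firewall logs. The following is an added example of that review, not part of the work program: it parses a constructed log excerpt, keeps only inside-to-outside connections on well-known IM ports, and reports which services the perimeter actually let through. The log layout, the internal address range and the port-to-service table are my assumptions.

```python
import ipaddress
import re

# Well-known client ports of the IM services the work program names, plus two
# others commonly seen. Port numbers are my assumption, not stated on the page.
IM_PORTS = {
    5190: "AIM/ICQ",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    5222: "XMPP/Jabber",
    6667: "IRC",
}

# Address space treated as "inside"; anything else is outside the perimeter.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed firewall log excerpt in a generic "action proto src -> dst"
# layout (a real export will differ and LINE_RE would change with it).
# External destinations use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2007-03-12 09:14:02 ALLOW TCP 10.20.4.15:51234 -> 203.0.113.10:5190
2007-03-12 09:14:09 DENY  TCP 10.20.4.15:51240 -> 203.0.113.20:1863
2007-03-12 09:15:30 ALLOW UDP 10.20.4.15:51300 -> 10.20.1.5:53
2007-03-12 09:16:02 ALLOW TCP 10.20.7.9:44000 -> 198.51.100.5:5050
2007-03-12 09:16:44 ALLOW TCP 10.20.7.9:44010 -> 198.51.100.6:5222
2007-03-12 09:17:00 ALLOW TCP 198.51.100.7:6000 -> 10.20.4.15:5190
2007-03-12 09:18:21 ALLOW TCP 10.20.7.9:44020 -> 198.51.100.8:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def im_findings(records):
    """Outbound (inside -> outside) connections to a known IM port.

    Internal-only traffic and inbound hits on an IM port are ignored: the
    question is what leaves the perimeter, not what arrives at it."""
    out = []
    for rec in records:
        if rec["dport"] not in IM_PORTS:
            continue
        if not (is_internal(rec["src"]) and not is_internal(rec["dst"])):
            continue
        out.append({
            "time": rec["ts"], "src": rec["src"], "dst": rec["dst"],
            "port": rec["dport"], "service": IM_PORTS[rec["dport"]],
            "action": rec["action"],
        })
    return out


def perimeter_gaps(findings):
    """IM services the perimeter actually let out (at least one ALLOW)."""
    return sorted({f["service"] for f in findings if f["action"] == "ALLOW"})


if __name__ == "__main__":
    found = im_findings(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f['time']} {f['action']:5} {f['src']} -> {f['dst']}:{f['port']} ({f['service']})")
    print("not blocked at perimeter:", perimeter_gaps(found))
```

The final sample line, an allowed connection to port 443, marks the limit of this check: most IM clients fall back to 80/443 when their native port is blocked, so a port-based log review only gives a lower bound. Pair it with the live client connection test from the Special Topics step and with proxy logs before concluding that IM traffic is blocked.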
Management Review
Documents Requested:
• Information technology audit plan/approach
• Information technology audit results