Encryption and IT audit
In assessing the need for a client to implement encryption policies for their organization, the Auditor should conduct an analysis of the client's risk and data value. Companies with multiple external users, e-commerce applications, and sensitive customer/employee information should maintain rigid encryption policies aimed at encrypting the correct data at the appropriate stage in the data collection process.
Auditors should continually evaluate their client's encryption policies and procedures. Companies that are heavily reliant on e-commerce systems and wireless networks are extremely vulnerable to theft and loss of critical information in transmission. Policies and procedures should be documented and carried out to ensure that all transmitted data is protected.
The auditor should verify that management has controls in place over the data encryption management process. Access to keys should require dual control, keys should be composed of two separate components and should be maintained on a computer that is not accessible to programmers or outside users. Furthermore, management should attest that encryption policies ensure data protection at the desired level and verify that the cost of encrypting the data does not exceed the value of the information itself. All data that is required to be maintained for an extensive amount of time should be encrypted and transported to a remote location. Procedures should be in place to guarantee that all encrypted sensitive information arrives at its location and is stored properly. Finally, the auditor should attain verification from management that the encryption system is strong, not attackable, and compliant with all local and international laws and regulations.
Logical security audit
Just as it sounds, a logical security audit follows a format in an organized procedure. The first step in an audit of any system is to seek to understand its components and its structure. When auditing logical security the auditor should investigate what security controls are in place, and how they work. In particular, the following areas are key points in auditing logical security:
- Passwords: Every company should have written policies regarding passwords, and employees' use of them. Passwords should not be shared and employees should have mandatory scheduled changes. Employees should have user rights that are in line with their job functions. They should also be aware of proper log on/ log off procedures. Also helpful are security tokens, small devices that authorized users of computer programs or networks carry to assist in identity confirmation. They can also store cryptographic keys and biometric data. The most popular type of security token (RSA's SecurID) displays a number that changes every minute. Users are authenticated by entering a personal identification number and the number on the token.
- Termination Procedures: Proper termination procedures so that, old employees can no longer access the network. This can be done by changing passwords and codes. Also, all id cards and badges that are in circulation should be documented and accounted for.
- Special User Accounts: Special User Accounts and other privileged accounts should be monitored and have proper controls in place.
- Remote Access: Remote access is often a point where intruders can enter a system. The logical security tools used for remote access should be very strict. Remote access should be logged.
Specific tools used in network security
Network security is achieved by various tools including firewalls and proxy servers, encryption, logical security and access controls, anti-virus software, and auditing systems such as log management.
Firewalls are a very basic part of network security. They are often placed between the private local network and the internet. Firewalls provide a flow-through for traffic in which it can be authenticated, monitored, logged, and reported. Some different types of firewalls include network layer firewalls, screened subnet firewalls, packet filter firewalls, dynamic packet filtering firewalls, hybrid firewalls, transparent firewalls, and application-level firewalls.
The process of encryption involves converting plain text into a series of unreadable characters known as the ciphertext. If the encrypted text is stolen or attained while in transit, the content is unreadable to the viewer. This guarantees secure transmission and is extremely useful to companies sending/receiving critical information. Once encrypted information arrives at its intended recipient, the decryption process is deployed to restore the ciphertext back to plaintext.
Proxy servers hide the true address of the client workstation and can also act as a firewall. Proxy server firewalls have special software to enforce authentication. Proxy server firewalls act as a middle man for user requests.
Antivirus software programs such as McAfee and Symantec software locate and dispose of malicious content. These virus protection programs run live updates to ensure they have the latest information about known computer viruses.
Logical security includes software safeguards for an organization's systems, including user ID and password access, authentication, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation.
Auditing systems, track and record what happens over an organization's network. Log Management solutions are often used to centrally collect audit trails from heterogeneous systems for analysis and forensics. Log management is excellent for tracking and identifying unauthorized users that might be trying to access the network, and what authorized users have been accessing in the network and changes to user authorities. Software that record and index user activities within window sessions such as ObserveIT provide a comprehensive audit trail of user activities when connected remotely through terminal services, Citrix and other remote access software.
Vulnerabilities in an organization's IT systems are often not attributed to technical weaknesses, but rather related to individual behavior of employees within the organization. A simple example of this is users leaving their computers unlocked or being vulnerable to phishing attacks. As a result, a thorough InfoSec audit will frequently include a penetration test in which auditors attempt to gain access to as much of the system as possible, from both the perspective of a typical employee as well as an outsider. A behavioral audit ensures preventative measures are in place such as a phishing webinar, where employees are made aware of what phishing is and how to detect it.