VPN Security Audit Assurance Program - Icq - Eng - 1012
About ISACA
With more than 100,000 constituents in 180 countries, ISACA® (www.isaca.org) is a leading global provider of
knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security,
enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit,
independent ISACA hosts international conferences, publishes the ISACA® Journal, and develops international IS
auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It
also advances and attests IT skills and knowledge through the globally respected Certified Information Systems
Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT®
(CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations.
ISACA continually updates and expands the practical guidance and product family based on the COBIT®
framework. COBIT helps IT professionals and enterprise leaders fulfill their IT governance and
management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to
the business.
Disclaimer
ISACA has designed and created VPN Security Audit/Assurance Program (the “Work”) primarily as an educational
resource for governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure
a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests
or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In
determining the propriety of any specific information, procedure or test, governance and assurance professionals
should apply their own professional judgment to the specific circumstances presented by the particular systems or
information technology environment.
Reservation of Rights
© 2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified,
distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical,
photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of
all or portions of this publication are permitted solely for academic, internal and noncommercial use and for
consulting/advisory engagements, and must include full attribution of the material’s source. No other right or
permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Web site: www.isaca.org
ISBN 978-60420-269-4
VPN Security Audit/Assurance Program
Acknowledgments
Expert Reviewers
Michael Castro, CISA, ResMor Trust Co, Canada
Joanne De Vito De Palma, BCMM, The Ardent Group LLC, USA
Russell K. Fairchild, CISA, CRISC, CISSP, PMP, SecureIsle, USA
Alek Geldenberg, CISA, CRISC, CISSP, MSMM, USA
Francis Kaitano, CISA, CISM, CISSP, ITIL, MCAD.Net, MCSD, Contact Energy, New Zealand
Kamal Khan, CISA, CISSP, CITP, Saudi Aramco, Saudi Arabia
Lily M. Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
Babu Srinivas, CISA, CISM, SP AusNet, Australia
David A. Williams, CRISC, PMP, OceanFirst Bank, USA
Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Chairman
Steven Andrew Babb, CGEIT, CRISC, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil James Lageschulte, CGEIT, CPA, KPMG LLP, USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA
Siang Jun Julia Yeo, CISA, CPA (Australia), Visa Worldwide Pte. Limited., Singapore
Nikolaos Zacharopoulos, CISA, DeutschePost–DHL, Germany
ASIS International
Hewlett-Packard
IBM
Symantec Corp.
Table of Contents
I. Introduction.......................................................................................................................................5
II. Using This Document........................................................................................................................6
III. Controls Maturity Analysis................................................................................................................8
IV. Assurance and Control Framework..................................................................................................10
V. Executive Summary of Audit/Assurance Focus...............................................................................11
VI. Audit/Assurance Program................................................................................................................13
1. Planning and Scoping the Audit...................................................................................................13
2. Preparatory Steps.........................................................................................................................15
3. Governance..................................................................................................................................16
4. Policy...........................................................................................................................................17
5. Configuration...............................................................................................................................19
6. Maintenance and Monitoring.......................................................................................................26
VII. Maturity Assessment.......................................................................................................................28
VIII. Maturity Assessment vs. Target Assessment...................................................................................33
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good practice-setting
model. ITAF provides standards that are designed to be mandatory, and are the guiding principles
under which the IT audit and assurance profession operates. The guidelines provide information and
direction for the practice of IT audit and assurance. The tools and techniques provide methodologies,
tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a
specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use
by IT audit and assurance practitioners with the requisite knowledge of the subject matter under review,
as described in ITAF, section 2200—General Standards. The audit/assurance programs are part of ITAF,
section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT® framework—
specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF,
sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT
Audit and Assurance Management.
Many enterprises have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The
importance of the control framework has been enhanced due to regulatory requirements by the US
Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and
similar legislation in other countries. Enterprises seek to integrate control framework elements used by
the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used,
it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename
these columns to align with the enterprise’s control framework.
Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to
a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g.,
1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for
the sub-steps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify use, the
program describes the audit/assurance objective—the reason for performing the steps in the topic area and
the specific controls follow. Each review step is listed after the control. These steps may include assessing
the control design by walking through a process, interviewing, observing or otherwise verifying the
process and the controls that address that process. In many cases, once the control design has been
verified, specific tests need to be performed to provide assurance that the process associated with the
control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last
section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work
papers, preparation of issues and recommendations, report writing and report clearing—has been
excluded from this document because it is standard for the audit/assurance function and should be
identified elsewhere in the enterprise’s standards.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among
audit and assurance professionals. This ties the assurance work to the enterprise’s control framework.
While the IT audit/assurance function has COBIT as a framework, operational audit and assurance
professionals use the framework established by the enterprise. Since COSO is the most prevalent internal
control framework, it has been included in this document and is a bridge to align IT audit/assurance with
the rest of the audit/assurance function. Many audit/assurance enterprises include the COSO control
components within their report and summarize assurance activities to the audit committee of the board of
directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed.
It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO issued the
Enterprise Risk Management (ERM) Integrated Framework, which includes eight components. The ERM
framework has a business decision focus when compared to the 2004 Internal Control—Integrated
Framework. Large enterprises are in the process of adopting ERM. The two frameworks are compared in
figure 1.
The 1992 Internal Control—Integrated Framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication,
and monitoring. As such, ISACA has elected to include them as a reference in this document. When
completing the COSO component columns, consider the definitions of the components as described in
figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work
performed, issues identified, and conclusions for each line item. The reference/hyperlink is to be used to
cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this
document provides a ready numbering scheme for the work papers. If desired, a link to the work paper
can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to
further investigate or establish as a potential finding. The potential findings should be documented in a
work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal
finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used
in place of a work paper describing the work performed.
III. Controls Maturity Analysis
One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire
to understand how their performance compares to good practices. Audit and assurance professionals must
provide an objective basis for the review conclusions. Maturity modeling for management and control
over IT processes is based on a method of evaluating the organization, so it can be rated from a maturity
level of non-existent (0) to optimized (5). This approach is derived from the maturity model that the
Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software
development.
The IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control (figure 2)
provides a generic maturity model showing the status of the internal control environment and the
establishment of internal controls in an enterprise. It shows how the management of internal control, and
an awareness of the need to establish better internal controls, typically develops from an ad hoc to an
optimized level. The model provides a high-level guide to help COBIT users appreciate what is required
for effective internal controls in IT and to help position their enterprise on the maturity scale.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and
assurance professional can address the key controls within the scope of the work program and formulate
an objective assessment of the maturity level of the control practices. The maturity assessment can be a
part of the audit/assurance report and can be used as a metric from year to year to document progress in
the enhancement of controls. However, the perception of the maturity level may vary between the
process/IT asset owner and the auditor. Therefore, the auditor should obtain the concerned stakeholders'
concurrence before submitting the final report to management.
At the conclusion of the review, once all findings and recommendations are completed, the professional
assesses the current state of the COBIT control framework and assigns it a maturity level using the six-
level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity
model. As a further reference, COBIT provides a definition of the maturity designations by control
objective. While this approach is not mandatory, the process is provided as a separate section at the end of
the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity
assessment be made at the COBIT control level. To provide further value to the client/customer, the
professional can also obtain maturity targets from the client/customer. Using the assessed and target
maturity levels, the professional can create an effective graphic presentation that describes the
achievement or gaps between the actual and target maturity goals. A graphic is provided as the last page
of this document (section VIII), based on sample assessments. It is suggested that the maturity assessment
for this review be included in the IT information security review, which would focus on the Deliver and
Support (DS) domain, IT process DS5 Ensure systems security.
DS5.8 Cryptographic key management—Determine that policies and procedures are in place to
organise the generation, change, revocation, destruction, distribution, certification, storage, entry, use
and archiving of cryptographic keys to ensure the protection of keys against modification and
unauthorised disclosure.
DS5.9 Malicious software prevention, detection and correction—Put preventive, detective and
corrective measures in place (especially up-to-date security patches and virus control) across the
organisation to protect information systems and technology from malware (e.g., viruses, worms,
spyware, spam).
DS5.10 Network security—Use security techniques and related management procedures (e.g.,
firewalls, security appliances, network segmentation, intrusion detection) to authorise access and
control information flows from and to networks.
DS9.2 Identification and maintenance of configuration items—Establish configuration procedures to
support management and logging of all changes to the configuration repository. Integrate these
procedures with change management, incident management and problem management procedures.
Refer to the IT Governance Institute’s COBIT Control Practices: Guidance to Achieve Control
Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice
value and risk drivers.
The Internet has modified the manner in which enterprises interconnect their information networks.
Access can be over the Internet (public access) or over an extranet (trusted parties, e.g., suppliers,
customers, partners). Previously, an enterprise would lease dedicated communications lines between sites
or trusted business partners. The Internet permits ubiquitous connectivity; however, any data traversing a
public network can be captured by unintended parties, thereby potentially disclosing data. A VPN
provides a means to encrypt data between communicating parties.
VPN technology, if properly configured, will reduce the risk associated with privileged data traversing a
public network.
Scope—The audit/assurance review will focus on VPN standards, guidelines and procedures as well as
the implementation and governance of these activities. The review will rely upon other operational audits
of the incident management process, configuration management and security of networks and servers,
security management and awareness, business continuity management, information security management,
governance and management practices of IT and business units, and relationships with third parties.
For an auditee that incorporates its own PKI infrastructure into the VPN environment, it may be necessary
to extend the scope of the audit/assurance review to include encryption technologies and the use of PKI.
For this purpose, consult the ISACA E-commerce and Public Key Infrastructure (PKI) Audit/Assurance
Program for additional audit steps. It is not necessary to do so, however, if the main objective of the
audit/assurance review focuses on VPN implementation and ongoing monitoring/maintenance.
Feedback
Visit www.isaca.org/VPN-AP and use the feedback function to provide your comments and suggestions
on this document. Your feedback is a very important element in the development of ISACA guidance for
its constituents and is greatly appreciated.
Audit/assurance program table columns: Audit/Assurance Program Step; COBIT Cross-reference; COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring). In the steps below, the COBIT references and the COSO marks (X) from those columns are shown in parentheses after each control.
2. Preparatory Steps
2.1 Obtain and review the current organization chart for the system and network administration areas.
3. Identify the key network administration staff, the security manager and the key network user stakeholders.
4. Obtain a copy of the latest network security risk analysis, including any information on system, data and service classifications.
5. Obtain and review a copy of the enterprise's:
- Security policy
- Security strategy or strategies
- Security procedures and standards
- Network architecture documentation
© 2012 ISACA. All rights reserved. Page 15
VPN Security Audit/Assurance Program
8. Governance
8.1 Executive Sponsor
Audit/Assurance Objective: The VPN implementation and maintenance is assigned to an executive sponsor, who is responsible for its effective implementation and operations.
9. Executive Responsibility and Accountability of VPN-related Processes (COBIT: PO4.6; COSO marks: X X X X)
Control: A senior executive within the IT organization is responsible for the VPN implementation, maintenance and oversight. (COBIT: ME1.5, ME2.5, ME4.1)
9.1.1.1 Identify the senior executive responsible for the VPN program.
9.1.1.2 Obtain the position description of the executive responsible for the VPN program.
9.1.1.3 Determine if the position has cross-reporting to the business units and IT management (security, administration, etc.).
9.1.1.4 Obtain meeting minutes and other documentation to support the responsibilities and accountability of the executive sponsor.
9.2 Senior Management Involvement in VPN Programs
Audit/Assurance Objective: Senior management participates in key decisions related to VPN programs.
10. Senior Management Oversight of VPN Programs (COSO marks: X X X X)
Control: Senior management provides oversight of the VPN programs, including review and approval of policies affecting their respective operations. (COBIT: ME1.5)
10.1.1.1 Determine if business units affected by VPN implementation participate in the review of policies affecting their business units.
10.1.1.2 Determine if support functions (e.g., HR, corporate communications, compliance, information security) affected by VPN implementation participate in the review of VPN policies.
11. Policy
11.1 HR Policies Aligned With and Support VPN Policies
Audit/Assurance Objective: VPN policies align with and are integrated into HR policies.
12. HR Policies Include Related VPN Policies
Control: HR policies include VPN disclosures and usage requirements as part of the initial "onboarding" process and the annual employee acknowledgement of use policies. (COBIT: PO6.3, PO6.4; COSO marks: X)
12.1.1.1 Obtain a selection of HR policies relating to VPN usage.
13.2 VPN Policies in Compliance With Legal and Regulatory Policies and Requirements
Audit/Assurance Objective: VPN policies align with legal and regulatory policies and requirements.
14. VPN Policies Are in Compliance With Legal Regulatory Requirements
Control: VPN technologies are defined to satisfy legal and regulatory requirements within the enterprise's industry. (COBIT: PO4.8, ME3.1, ME3.2; COSO marks: X X X)
14.1.1.1 Obtain a selection of VPN policy proposals or modifications.
14.1.1.2 Determine if the enterprise's legal representatives have reviewed and provided documented approval of VPN policies.
14.2 VPN Policies Align With Information Security
Audit/Assurance Objective: VPN policies are in compliance with information security policies.
15. VPN Policies Are Approved by the Information Security Function
Control: The information security function assures compliance with information security policy by reviewing information security-related VPN policies prior to their adoption and implementation. (COBIT: PO6.3, PO6.4, DS5.1, ME2.5, ME3.4; COSO marks: X X)
15.1.1.1 Obtain a selection of VPN policy proposals or modifications.
15.1.1.2 Determine if information security representatives have reviewed and provided documented approval of VPN policies.
15.2 VPN Policy Integrated With Enterprise's Data Classification Policy
Audit/Assurance Objective: The data classification policy includes VPN usage and configuration requirements.
16. Data Classification Policy VPN Requirements
Control: The data classification policy identifies VPN requirements and configuration for each data classification. (COBIT: PO2.3; COSO marks: X)
16.1.1.1 Obtain the data classification policy.
16.1.1.2 Determine if the data classification policy includes VPN configuration and usage requirements.
16.1.1.3 Determine if the VPN configuration and usage policy includes specific
applications or data elements requiring VPN usage.
16.1.1.4 Determine if VPN configuration and usage policy identifies functions that
must be executed using a VPN, and functions that must be excluded from
execution, with or without a VPN.
17. Configuration
17.1 VPN Architecture
Audit/Assurance Objective: Best security practices are implemented for the various VPN architectures.
18. Edge Routers [1] (COBIT: PO2.1, DS5.9, DS5.10; COSO marks: X)
19. Edge Router Termination
Control: Edge routers terminate at the network firewall and an effective firewall configuration applies appropriate filtering.
19.1.1.1.1 Identify edge routers within the network architecture.
19.1.1.1.2 Determine that the edge router terminates (a) at or in front of the DMZ or (b) at an inline Intrusion Prevention System (IPS) deployed between the edge router and the firewall.
19.1.1.1.3 Select a sample of edge routers.
19.1.1.1.4 Determine if the edge routers selected terminate at the firewall or in the DMZ.
20. Edge Router Encryption (COSO marks: X)
Control: Edge routers use asymmetric keys supported by a Public Key Infrastructure or, alternatively, one of the two standard symmetric key technologies, 3DES or AES [2]. (COBIT: DS5.8, DS5.9)
[1] These are defined as untrusted site-to-site connected networks.
[2] Consider performing an audit of the PKI implementation using the ISACA E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Program. Encryption controls, including key storage, key maintenance, security, etc., should be reviewed.
[3] These are defined as site-to-site networks integrated into a wide-area local area network (LAN).
[4] This generally applies to extranets and non-owned networks.
28.1.1.1.1 Verify that the most current configuration of the VPN appliance
has been applied.
28.1.1.1.2 Determine that a vendor support contract or vendor support option
is available.
29. VPN Appliance Configuration Best Practices
Control: Vendor-suggested and other best practices are applied to VPN appliance configuration. (COBIT: DS5.7, DS5.9, DS5.10, DS9.2; COSO marks: X)
29.1.1.1.1 Determine if the VPN appliance vendor offers best practice
guidance.
29.1.1.1.2 Determine if the VPN appliance configuration is in compliance
with vendor guidance.
30. VPN Clients Installed on Specific Computers
31. VPN Clients Are Securely Configured
Control: VPN clients are configured using vendor-suggested and other best practices in compliance with organization security policies. (COBIT: DS5.4, DS5.5, DS9.2, DS10; COSO marks: X)
31.1.1.1.1 Determine if strong user authentication has been implemented:
- Two-factor authentication
- Password AND hardware tokens, digital certificates or smart cards
31.1.1.1.2 Determine if user computer identity verification has been implemented:
- User computer is in compliance with organization security requirements and policies
- Validation of user computer identity and configuration:
  - Personal firewall configuration
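The encryption check in control 20 (PKI-backed asymmetric keys, or else 3DES/AES), the vendor-guidance comparison in step 29.1.1.1.2 and the client authentication and posture checks in steps 31.1.1.1.1 and 31.1.1.1.2 can be mechanised when the auditor is given configuration exports. The following is an added example and is not part of the ISACA program; the key=value configuration format, its field names and every sample value are assumed purely for illustration.

```python
"""Audit helper: test a VPN configuration export against the program's
encryption (control 20) and client configuration (control 31) criteria.
The configuration format below is assumed; adapt parse_config() to the
export format of the appliance under review."""

# Symmetric ciphers the program names as acceptable (control 20: 3DES or AES).
ACCEPTED_CIPHERS = {"aes", "aes128", "aes192", "aes256", "3des"}

# Second factors the program lists alongside a password (step 31.1.1.1.1):
# hardware token, digital certificate or smart card.
SECOND_FACTORS = {"hardware_token", "certificate", "smart_card"}

# Constructed sample export in the assumed "<kind>.<name>.<attribute> = value" format.
SAMPLE_CONFIG = """
# site-to-site peers terminated on the edge router
peer.branch-a.cipher = aes256
peer.branch-a.auth = certificate
peer.branch-b.cipher = des
peer.branch-b.auth = psk
# remote-access client profiles
client.default.auth_methods = password,certificate
client.default.posture_check = firewall,antivirus
client.contractor.auth_methods = password
client.contractor.posture_check = none
"""


def parse_config(text):
    """Return {kind: {name: {attribute: value}}} from the assumed format."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        kind, name, attr = key.strip().split(".", 2)
        cfg.setdefault(kind, {}).setdefault(name, {})[attr] = value.strip()
    return cfg


def audit_peer(name, attrs):
    """Control 20: PKI-backed keys, or else one of 3DES/AES as the symmetric cipher."""
    cipher = attrs.get("cipher", "").lower()
    uses_pki = attrs.get("auth", "").lower() == "certificate"
    if uses_pki or cipher in ACCEPTED_CIPHERS:
        return []
    return [f"20: peer {name} has neither PKI authentication nor 3DES/AES "
            f"(cipher={cipher or 'unset'})"]


def _csv_set(value):
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def audit_client(name, attrs):
    """Control 31: password plus a second factor, and endpoint posture verification."""
    findings = []
    methods = _csv_set(attrs.get("auth_methods", ""))
    if "password" not in methods or not (methods & SECOND_FACTORS):
        findings.append(f"31.1.1.1.1: client profile {name} lacks password plus a second factor")
    posture = _csv_set(attrs.get("posture_check", ""))
    if "firewall" not in posture:
        findings.append(f"31.1.1.1.2: client profile {name} does not verify the personal firewall")
    return findings


def audit(text):
    """Run every check over a configuration export and return the findings in order."""
    cfg = parse_config(text)
    findings = []
    for name, attrs in cfg.get("peer", {}).items():
        findings.extend(audit_peer(name, attrs))
    for name, attrs in cfg.get("client", {}).items():
        findings.extend(audit_client(name, attrs))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Each finding carries the program step it supports, so it can be pasted into the work paper referenced from the step's reference/hyperlink column.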
[6] Due to high volume, logging should be automated and unusual activities should be defined in an automated extract process.
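Footnote 6 leaves open what an "automated extract process" for unusual VPN activity looks like. The following is an added example, not part of the ISACA program, that defines three extract rules over a constructed log in an assumed format ("<ISO time> <event> user=<name> src=<ip>"); the thresholds, business hours and sample lines are all assumptions.

```python
"""Extract unusual VPN activity from high-volume authentication logs (footnote 6).
Log format, thresholds and sample data are assumed for illustration."""

from collections import defaultdict
from datetime import datetime

# Constructed sample log lines; the format and all values are invented.
SAMPLE_LOG = """\
2012-03-05T08:02:11 LOGIN_OK user=alice src=203.0.113.10
2012-03-05T08:05:40 LOGIN_FAIL user=bob src=198.51.100.7
2012-03-05T08:05:52 LOGIN_FAIL user=bob src=198.51.100.7
2012-03-05T08:06:03 LOGIN_FAIL user=bob src=198.51.100.7
2012-03-05T08:06:15 LOGIN_FAIL user=bob src=198.51.100.7
2012-03-05T08:06:30 LOGIN_FAIL user=bob src=198.51.100.7
2012-03-05T09:15:00 LOGIN_OK user=carol src=203.0.113.22
2012-03-05T09:16:10 LOGIN_OK user=carol src=192.0.2.99
2012-03-05T23:48:00 LOGIN_OK user=dave src=203.0.113.31
"""

FAIL_THRESHOLD = 5             # assumed: repeated failures per user worth a review
BUSINESS_HOURS = range(7, 20)  # assumed: 07:00 to 19:59 local; anything else is unusual


def parse_line(line):
    """Split one log line into a record with time, event and key=value fields."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"time": datetime.fromisoformat(ts), "event": event, **fields}


def extract_unusual(log_text):
    """Return (rule, user, detail) tuples for activity an auditor should see.

    Rules: successful login outside business hours, a user exceeding the
    failure threshold, and one user logging in from more than one source.
    """
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    failures = defaultdict(int)
    sources = defaultdict(set)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            failures[r["user"]] += 1
        elif r["event"] == "LOGIN_OK":
            sources[r["user"]].add(r["src"])
            if r["time"].hour not in BUSINESS_HOURS:
                alerts.append(("after_hours_login", r["user"], r["time"].isoformat()))
    for user, count in failures.items():
        if count >= FAIL_THRESHOLD:
            alerts.append(("repeated_failures", user, f"{count} failures"))
    for user, srcs in sources.items():
        if len(srcs) > 1:
            alerts.append(("multiple_sources", user, ",".join(sorted(srcs))))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in extract_unusual(SAMPLE_LOG):
        print(f"{rule}\t{user}\t{detail}")
```

The extract is the evidence for step 6 of the program: the auditor checks that rules like these exist, run on a schedule, and that their output is reviewed rather than only produced.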
Maturity assessment table columns: COBIT 4.1 Control Practice; Assessed Maturity; Target Maturity; Reference Hyperlink; Comments.
DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and
authorise access mechanisms and access rights for all users on a need-to-know/need-to-have
basis, based on predetermined and preapproved roles. Clearly state accountability of any user
for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorisation criteria for assigning user access rights take into account:
- Sensitivity of information and applications involved (data classification)
- Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
- Roles and responsibilities as defined within the enterprise
- The need-to-have access rights associated with the function
- Standard but individual user access profiles for common job roles in the organisation
- Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorising users to establish responsibility and
enforce access rights in line with sensitivity of information and functional application
requirements and infrastructure components, and in compliance with applicable laws,
regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and
maintaining access rights. This needs to be requested by user management, approved by the
system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in,
people out, people change). Grant, revoke and adapt user access rights in co-ordination with
human resources and user departments for users who are new, who have left the organisation,
or who have changed roles or jobs.
DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
- Using unique user IDs to enable users to be linked to and held accountable for their actions
- Awareness that the use of group IDs results in the loss of individual accountability, and that they are permitted only when justified for business or operational reasons and compensated by mitigating controls; group IDs must be approved and documented
- Checking that the user has authorisation from the system owner for the use of the information system or service, and that the level of access granted is appropriate to the business purpose and consistent with the organisational security policy
- A procedure to require users to understand and acknowledge their access rights and the conditions of such access
- Ensuring that internal and external service providers do not provide access until authorisation procedures have been completed
- Maintaining a formal record, including access levels, of all persons registered to use the service
- A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a
formal process. User access rights should be reviewed or reallocated after any job changes,
such as transfer, promotion, demotion or termination of employment. Authorisations for
special privileged access rights should be reviewed independently at more frequent intervals.
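The DS5.4 tests above (unique IDs with owner authorisation, justified group IDs, periodic review with a shorter cycle for privileged rights, and re-validation after job changes) can be applied to an exported account list. The following is an added illustration, not part of the ISACA audit program; the review intervals, field names and sample accounts are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review intervals are assumptions for this example; the audit program only
# requires "regular" reviews, with privileged access reviewed more frequently.
REVIEW_INTERVAL = timedelta(days=180)
PRIVILEGED_REVIEW_INTERVAL = timedelta(days=90)


@dataclass
class Account:
    user_id: str
    owner_approved: bool                 # system owner authorised this access
    last_review: date                    # last formal review of access rights
    privileged: bool = False             # special privileged access rights
    group_id: bool = False               # shared/group account
    group_justification: str = ""        # documented business reason for a group ID
    last_job_change: Optional[date] = None  # transfer/promotion/demotion from the HR feed


def review_findings(accounts, today):
    """Return (user_id, finding) tuples for accounts failing the DS5.4 tests."""
    findings = []
    for a in accounts:
        if not a.owner_approved:
            findings.append((a.user_id, "no system-owner authorisation on record"))
        if a.group_id and not a.group_justification:
            findings.append((a.user_id, "group ID without documented justification"))
        interval = PRIVILEGED_REVIEW_INTERVAL if a.privileged else REVIEW_INTERVAL
        if today - a.last_review > interval:
            findings.append((a.user_id, f"access review overdue (>{interval.days} days)"))
        if a.last_job_change and a.last_job_change > a.last_review:
            findings.append((a.user_id, "job change after last review; rights not re-validated"))
    return findings


# Constructed sample export for this example (not real account data).
SAMPLE = [
    Account("jdoe", True, date(2024, 1, 10)),
    Account("admin-ops", True, date(2023, 12, 15), privileged=True),
    Account("svc-backup", True, date(2024, 3, 1), group_id=True),
    Account("asmith", True, date(2024, 3, 1), last_job_change=date(2024, 3, 15)),
    Account("tmp-vendor", False, date(2024, 3, 20)),
]


def sample_findings():
    """Run the review over the constructed sample as of 1 April 2024."""
    return review_findings(SAMPLE, date(2024, 4, 1))


if __name__ == "__main__":
    for uid, msg in sample_findings():
        print(f"{uid}: {msg}")
```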
DS5.5 Security Testing, Surveillance and Monitoring
1. Implement monitoring, testing, reviews and other controls to:
Promptly prevent/detect errors in the results of processing
Promptly identify attempted, successful and unsuccessful security breaches and incidents
Detect security events and thereby prevent security incidents by using detection and
prevention technologies
Determine whether the actions taken to resolve a breach of security are effective
2. Conduct effective and efficient security testing procedures at regular intervals to:
Verify that identity management procedures are effective
Verify that user account management is effective
Validate that security-relevant system parameter settings are defined correctly and are in
compliance with the information security baseline
Validate that network security controls/settings are configured properly and are in
compliance with the information security baseline
Validate that security monitoring procedures are working properly
Consider, where necessary, obtaining expert reviews of the security perimeter
DS5.8 Cryptographic Key Management
1. Ensure that there are appropriate procedures and practices in place for the generation, storage
and renewal of the root key, including dual custody and observation by witnesses.
2. Make sure that procedures are in place to determine when a root key renewal is required
(e.g., the root key is compromised or expired).
3. Create and maintain a written certification practice statement that describes the practices that
have been implemented in the certification authority, registration authority and directory
when using a public-key-based encryption system.
4. Create cryptographic keys in a secure manner. When possible, enable only individuals not
involved with the operational use of the keys to create the keys. Verify the credentials of key
requestors (e.g., registration authority).
5. Ensure that cryptographic keys are distributed in a secure manner (e.g., offline mechanisms)
and stored securely, that is:
In an encrypted form regardless of the storage media used (e.g., write-once disk with
encryption)
With adequate physical protection (e.g., sealed, dual custody vault) if stored on paper
6. Create a process that identifies and revokes compromised keys. Notify all stakeholders as
soon as possible of the compromised key.
7. Verify the authenticity of the counterparty before establishing a trusted path.
DS5.9 Malicious Software Prevention, Detection and Correction
1. Establish, document, communicate and enforce a malicious software prevention policy in the
organisation. Ensure that people in the organisation are aware of the need for protection
against malicious software, and their responsibilities relative to same.
2. Install and activate malicious software protection tools on all processing facilities, with
malicious software definition files that are updated as required (automatically or semi-
automatically).
3. Distribute all protection software centrally (version and patch-level) using centralised
configuration and change management.
4. Regularly review and evaluate information on new potential threats.
5. Filter incoming traffic, such as email and downloads, to protect against unsolicited
information (e.g., spyware, phishing emails).
DS5.10 Network Security
1. Establish, maintain, communicate and enforce a network security policy (e.g., provided
services, allowed traffic, types of connections permitted) that is reviewed and updated on a
regular basis (at least annually).
2. Establish and regularly update the standards and procedures for administering all networking
components (e.g., core routers, DMZ, VPN switches, wireless).
3. Properly secure network devices with special mechanisms and tools (e.g., authentication for
device management, secure communications, strong authentication mechanisms). Implement
active monitoring and pattern recognition to protect devices from attack.
4. Configure operating systems with minimal features enabled (e.g., features that are necessary
for functionality and are hardened for security applications). Remove all unnecessary
services, functionalities and interfaces (e.g., graphical user interface [GUI]). Apply all
relevant security patches and major updates to the system in a timely manner.
5. Plan the network security architecture (e.g., DMZ architectures, internal and external
network, IDS placement and wireless) to address processing and security requirements.
Ensure that documentation contains information on how traffic is exchanged through systems
and how the structure of the organisation’s internal network is hidden from the outside world.
6. Subject devices to reviews by experts who are independent of the implementation or
maintenance of the devices.
DS9.2 Identification and Maintenance of Configuration Items
1. Define and implement a policy requiring all configuration items and their attributes and
versions to be identified and maintained.
2. Tag physical assets according to a defined policy. Consider using an automated mechanism,
such as barcodes.
3. Define a policy that integrates incident, change and problem management procedures with
the maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative
attributes and versions. Identify and maintain the relationships between configuration items
in the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions
(component failure impact analysis).
7. Record all assets—including new hardware and software, procured or internally developed—
within the configuration management data repository.
8. Define and implement a process to ensure that valid licences are in place to prevent the
inclusion of unauthorised software.