Phase 1

  1. Definitions
  2. Business Plan – Policy (Security) Audit
  3. Business Plan – Standards (Security) Audit
  4. Policy – Standards (Security) Audit
  5. Infrastructure – Standards/Data (Security) Audit
  6. Guidelines – Data (Security) Audit
  7. Users/Clients – Data (Security) Audit
  8. Recommended Course of Action
Definitions

The definition of Information Security applied in this audit is the standard one:

  • Confidentiality – Ensuring that information is not accessed by unauthorized persons
  • Integrity – Ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized users
  • Authentication – Ensuring that users are the persons they claim to be

Degree of Risk

Where estimates of the actual probabilities of the threats are unavailable, three degrees of risk probability are used:

  • Low – A security violation requires both actual intent to incur the risk AND active measures to compromise the security system.  The security systems in question conform to industry standards; neither their normal function nor regular user activity would allow security to be compromised.  The remedy for a low probability of risk does not fall within the purview of this organization.

  • Medium – Although the system in place would allow a security violation, the regular use of that system would NOT.  Security is compromised ONLY if the user deviates from the regular procedures for that system.  The remedy for a medium probability of risk is to apply the appropriate security measures to the SYSTEM.  Alternatively, the cost of the risk can be transferred to the actual violators of the procedure.

  • High – The system does not prevent security from being compromised AND the user, during the regular course of activity, can allow security to be compromised.  Past history indicates the violation has happened before.  The remedy for a high probability of risk is to put the appropriate security measures in place and to define the terms of proper use, so as not to expose the system to the vulnerability.

Three concepts that require definition for a threat risk assessment are:

1)      Asset:  A resource, process, or system that has value to the organization.

2)      Threat:  Any circumstance or event that has an adverse impact on that asset.

3)      Vulnerability:  The likelihood of that asset being compromised by that particular threat.

Risk to an Asset from a given Threat is defined as the product of the value of the Asset and the Vulnerability.

The impact of a compromise is rated consistently with XYZ's existing Information Management policy.

Definition of Impact Terms

Term      Impact
--------  ------------------------------------------------------------------------------------------
Low       Will have little or no impact on the critical functions and services of the Society.
Moderate  May impact some of the critical functions and services of the Society.  The Society can continue to function in a reduced capacity.
High      Will have a severe impact on the critical functions and services of the Society.  The Society will not continue functioning unless the business resumption plan is implemented.

Finally, risk has been categorized into three areas:

1)      Operational – services as defined by the business plan may be compromised

2)      Financial – there will be a financial impact

3)      Legal – there is a risk of either not meeting legal obligations or breaking the law

Business Plan – Policy (Security) Audit

In the absence of a business plan, a security audit of the policy against the business plan is not possible.  Only an audit of the policy itself was performed.

The purpose of the policy document is to:

1.      Define how the goals set by the business plan will be met

§         Which business objects (i.e. data systems, infrastructure systems) are used

2.      Define how the principles espoused by the organization will be imposed

3.      Define which business unit is responsible for using the objects to meet the business goals

The policy defines seven data system standards:

1.      Collective Bargaining System (CBS)

2.      DocuShare

3.      Finance Information System

4.      Finance Information System – Disability Benefits Plan (DBP)

5.      Human Resources Information System

6.      Payroll Information System

7.      STATIS

IT Audit Constraints

  1. Define the system
       i.  Technology, scope, lifecycle, requirements
  2. Define the purpose of the system
  3. Define which Business Unit is the owner of the system

Information System                                           Documented  System                 Purpose                Business Unit
-----------------------------------------------------------  ----------  ---------------------  ---------------------  ---------------------
Collective Bargaining System (CBS)                           Yes         Undefined              Defined                Defined
DocuShare                                                    Yes         Undefined              Defined                Defined
Finance Information System                                   Yes         Undefined              Defined                Defined
Finance Information System – Disability Benefits Plan (DBP)  Yes         Undefined              Defined                Defined
Human Resources Information System                           Yes         Defined                Defined                Defined
Payroll Information System                                   Yes         Defined                Defined                Defined
STATIS                                                       Yes         Defined                Defined                Defined
Database Management Systems                                  No          Undefined/Unaddressed  Undefined/Unaddressed  Undefined/Unaddressed
Telephone Systems                                            Yes         Undefined              Defined                Defined
Mail Systems                                                 Yes         Defined                Defined                Defined
Internet Access                                              Yes         Defined                Defined                Defined
FlowPort                                                     Yes         Undefined              Defined                Defined
CAFT                                                         Yes         Undefined              Defined                Defined
INSYNC                                                       Yes         Undefined              Defined                Defined
Web Survey                                                   Yes         Undefined              Defined                Defined
Website                                                      Yes         Undefined              Defined                Defined
Accpac                                                       Yes         Undefined              Defined                Defined

Notes:

*  Many of the critical database systems do not have system requirements defined.

*  The information policy and procedures manual covers the two areas (policy and guidelines) without a clear definition of the standards (the middle step).  Clarification in this area will add clarity to future IT (security) audits.

Without a clear valuation from the business plan, expected loss, and hence risk, is difficult to calculate.  Availability requirements are also absent.  This information has been inferred from the existing solutions.  The assumption made is that the requirements do not exceed those of a typical organization of this nature, hence standard industry solutions are deemed acceptable for mitigating the risk.

 

Business Plan – Standards (Security) Audit

No formal documentation exists to cover this area, so no formal audit was performed.

The purpose of the standards document is to:

1.      Define how the business objects will be deployed.

2.      Define the service levels that can be expected and the requirements that must be in place in order to meet them.

3.      Define which business unit is responsible for designing, implementing and enforcing the standards and guidelines (procedures).

Given the lack of formal documents, an Implied Standard has been surmised and security vulnerabilities measured against it.

 

Policy – Standards (Security) Audit

IT Audit Constraints

1)      Define the IT control

2)      Does the control conform to industry best practices?

3)      Is the control documented in the manual?

Based upon the requirements of the business, the following controls and practices have been identified:

Control Area                         IT Control                Best Practice  Manual
-----------------------------------  ------------------------  -------------  ------
Network Operating System (security)  Windows Server 2000/2003  Yes            No
Application Availability             Hardware servers          Yes            No
Database                             SQL and Pervasive         Yes            No
Security                             ISA                       Yes            No
Data practices                       Defined procedures        No             No


Two security vulnerabilities have been identified under clause 2.3, Access to Database:

“providing access to the STATIS_query (read-only) database for performing ad-hoc queries using Microsoft Access.”

There is no guideline stating that detached "black box" copies of the data (such as the result sets of these ad-hoc queries saved locally) should not be created, nor are the existing copies identified.  There is a risk that data in these black boxes deviates from the main body of data held in STATIS.

“If you are working with a committee, you may provide information about committee members to the Chairperson of the Committee.”

A confidentiality or data definition concern arises here.  Should a member supply an unlisted number for contact purposes but NOT authorize the Society to distribute it, passing that number to the Chairperson may expose the organization to a violation of the member's privacy rights.
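
The two findings above share a practical check that the audit does not spell out: reconcile any detached copy of the data against the master before it is relied upon or handed to a third party.  The following is an added example written for this page, not code from the original audit or from XYZ.  An in-memory SQLite database with constructed rows stands in for the STATIS master and for a saved ad-hoc extract (the table and column names, including the `unlisted` flag marking a number the member has not authorized for distribution, are assumptions).  It reports rows that are missing, extra or altered in the extract, and any unlisted numbers the extract would disclose.

```python
"""Reconcile a detached extract against the master data.

Added example for this audit page, not code from the original document.
SQLite stands in for the STATIS master database and for a saved ad-hoc
extract; all table and column names (including the 'unlisted' flag that
marks a number the member has not authorized for distribution) are
assumptions, and the rows are constructed sample data.
"""
import sqlite3
from dataclasses import dataclass, field

# Constructed sample data: (member_id, name, unit, phone, unlisted)
MASTER_ROWS = [
    (1001, "A. Member", "Local 12", "555-0101", 0),
    (1002, "B. Member", "Local 12", "555-0102", 0),
    (1003, "C. Member", "Local 7",  "555-0103", 1),  # unlisted: not for distribution
    (1004, "D. Member", "Local 7",  "555-0104", 0),
]
# Constructed extract, e.g. a committee list saved from an ad-hoc Access
# query some time ago: (member_id, name, unit, phone)
EXTRACT_ROWS = [
    (1001, "A. Member", "Local 12", "555-0101"),
    (1002, "B. Member", "Local 9",  "555-0102"),  # unit no longer matches master
    (1003, "C. Member", "Local 7",  "555-0103"),  # carries an unlisted number
    (1005, "E. Member", "Local 7",  "555-0105"),  # not present in master at all
]
SHARED_COLUMNS = ("name", "unit", "phone")  # columns both tables carry, after the key


def load_sample_db() -> sqlite3.Connection:
    """Build both tables in one in-memory database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE statis_master (member_id INTEGER PRIMARY KEY, name TEXT, "
        "unit TEXT, phone TEXT, unlisted INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute(
        "CREATE TABLE adhoc_extract (member_id INTEGER PRIMARY KEY, name TEXT, "
        "unit TEXT, phone TEXT)"
    )
    conn.executemany("INSERT INTO statis_master VALUES (?, ?, ?, ?, ?)", MASTER_ROWS)
    conn.executemany("INSERT INTO adhoc_extract VALUES (?, ?, ?, ?)", EXTRACT_ROWS)
    return conn


@dataclass
class DriftReport:
    missing: list = field(default_factory=list)    # keys in master but not in the extract
    extra: list = field(default_factory=list)      # keys in the extract but not in master
    changed: list = field(default_factory=list)    # (key, column, master_value, extract_value)
    disclosed: list = field(default_factory=list)  # keys whose unlisted number the extract carries

    def is_clean(self) -> bool:
        return not (self.missing or self.extra or self.changed or self.disclosed)


def audit_extract(conn: sqlite3.Connection) -> DriftReport:
    """Compare extract rows with master rows key by key."""
    master = {
        row[0]: row
        for row in conn.execute(
            "SELECT member_id, name, unit, phone, unlisted FROM statis_master")
    }
    extract = {
        row[0]: row
        for row in conn.execute("SELECT member_id, name, unit, phone FROM adhoc_extract")
    }
    report = DriftReport()
    report.missing = sorted(set(master) - set(extract))
    report.extra = sorted(set(extract) - set(master))
    for key in sorted(set(master) & set(extract)):
        m, e = master[key], extract[key]
        # Positions 1..3 are name, unit, phone in both SELECTs above.
        for idx, column in enumerate(SHARED_COLUMNS, start=1):
            if m[idx] != e[idx]:
                report.changed.append((key, column, m[idx], e[idx]))
        # Position 4 of the master row is the unlisted flag; position 3 of the
        # extract row is the phone number the extract would hand on.
        if m[4] == 1 and e[3]:
            report.disclosed.append(key)
    return report


def summarize(report: DriftReport) -> str:
    """Human-readable summary for the audit working papers."""
    if report.is_clean():
        return "extract matches master; no unlisted numbers disclosed"
    lines = []
    lines += [f"missing from extract: member {k}" for k in report.missing]
    lines += [f"not in master: member {k}" for k in report.extra]
    lines += [f"member {k}: {col} is {mv!r} in master, {ev!r} in extract"
              for k, col, mv, ev in report.changed]
    lines += [f"member {k}: unlisted phone number present in extract"
              for k in report.disclosed]
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(audit_extract(load_sample_db())))
```

Against the constructed rows the report lists member 1004 as missing from the extract, member 1005 as absent from the master, the changed unit for member 1002, and the unlisted number of member 1003 that the extract would disclose.  Run against the real STATIS master and a saved query result, the same comparison answers both questions the audit raises: whether the black box still agrees with the main body of data, and whether it contains anything the Society is not authorized to pass on.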

 

Infrastructure – Standards/Data (Security) Audit

Information Technology Infrastructure

The infrastructure was analyzed from three aspects: the physical configuration, the logical/data configuration, and maintenance activity.

Physical Infrastructure

Only a cursory assessment of the physical infrastructure was made, since its requirements were not clearly defined.

The three areas taken under consideration were Servers, Desktops, and Network Infrastructure.

Servers

The chart below outlines the deployment of applications across the existing servers.  The PowerEdge series of servers is consistent with the highly available server technology typical of similar or more sensitive organizations.

Note:  A precautionary note, the Financespare-xp and XYZ-ISA machines