IT Auditing:
Firewall Management Intrusion Detection, Intrusion Prevention
& Security Information Management
AC475 Team Project:
Katherine Jackowski
Elizabeth Kearney-Lang
Daureen Lingley-Chor
Security Information Management
PS1 Selection of Areas of Examination
The two areas of interest our team chose are Firewall Management and Intrusion Detection, Intrusion Prevention and Security Information Management. The two complement each other well, since both focus on safeguarding company assets. Because our collective knowledge in these areas was quite limited, we felt they would be challenging topics to research. The potential threats to an Information System are numerous, with names that sound as if they come from a video game (botnet, smurf attack, Trojan horse) but whose potential damage to an Information System could be financially devastating.
Our research began with An Introduction to Computer Security: The NIST Handbook and included two Special Publications from the National Institute of Standards and Technology: SP 800-41 Revision 1, entitled Guidelines on Firewalls and Firewall Policy, and SP 800-94, entitled Guide to Intrusion Detection and Prevention Systems. We also used our textbook, Information Technology Auditing and Assurance by James A. Hall. The following ISACA Standards were utilized as well:
P3 Intrusion Detection Systems (IDS)
P4 Viruses and other Malicious Code
P6 Firewall Procedure
G40 Review of Security Management Practices
We visited various vendor websites and utilized the White Papers from Skybox Security
entitled How to Painlessly Audit Your Firewalls and Tufin entitled Firewall Operations
Management, Auditing, and Compliance.
Risks, Threats and Exposures
A risk is any and all exposure to the possibility of loss or theft, also known as a threat. All businesses assume some risk--no business is immune to the exposure of threats. Because opportunity and risk go hand in hand, you cannot have opportunity without also having some risk, and wherever there is risk, there is potential opportunity. The key is to minimize potential risk and eliminate exposures to threats as much as possible; this is done through the use of controls.
Threats to an organization’s Information System’s security can come from both internal and external sources and can be both intentional and accidental. According to the 1991 Annual Report submitted by the Computer System Security and Privacy Advisory Board, the following areas were found to contribute to the economic loss of organizations: “65% errors and omissions; 13% dishonest employees; 6% disgruntled employees; 8% loss of supporting infrastructure, including power, communications, water, sewer, transportation, outsiders, including viruses, espionage, dissidents, and malcontents of various kinds, and former employees who have been away for more than six weeks.”[1] Between the years 1999 – 2003, attacks on computer servers increased by over 530% to 137,000 incidents in the United States.[2] FinCEN[3] reported in their Suspicious Activity Report that computer intrusions have increased more than 500% from 2003 to 2004.

[1] An Introduction to Computer Security – The NIST Handbook, SP 800-12
[2] The World Technology Risk Checklist 7.3
[3] FinCEN (Financial Crimes Enforcement Network): a U.S. government agency established by the U.S. Department of Treasury in 1990 to provide multi-source financial intelligence and analysis.
On April 13, 2011, Senator Sheldon Whitehouse, a Democrat from Rhode Island, and Senator Jon Kyl, a Republican from Arizona, introduced a bill acknowledging that “businesses in the United States are bearing enormous losses as a result of criminal cyber attacks, depriving businesses of hard-earned profits that could be reinvested in further job-producing innovation.” The bill is entitled the Cyber Security Public Awareness Act of 2011. If enacted, this bill, S.813, will require the Department of Homeland Security, along with various branches of the government, to report to Congress on the frequency and impact of cyber security incidents and the number of prosecutions for cybercrimes occurring in the United States. It will also require “a summary of the plans of the Secretary of Homeland Security to enhance public awareness of common cyber security threats, including a description of the metrics used by the Department of Homeland Security for evaluating the efficacy of public awareness campaigns” to be submitted to Congress.[4]
Information Security is an area that will continue to require organizations to monitor and reassess potential risks, threats and exposures to their Information Systems.
Key Success Factors
- Senior management commitment to Information security
- Management’s understanding of Information security issues
- Information Security centrally-based
- Integration between security objectives and business objectives
- Proactive security plan which includes awareness training of staff
- Automated risk management process which includes definition of risk limits and risk tolerance
- Performance measurements
- Up-to-date Protective Techniques
- Enforcement of Security Policies
- Avoid over-control that may reduce the efficiency of the system
- Applications are secured before implementation
- Service Level Agreements (SLAs) are utilized with suppliers to promote awareness and co-operation relative to security
- IT Governance fosters ethical behavior
[4] http://ezp.bentley.edu/login?url=http://search.proquest.com/docview862230

PS2 Selection of Client or Selection of Knowledgeable Source
Client
Our client, Image Polymers Company, LLC, is a small manufacturing business established in 1991, with headquarters located in Andover, Massachusetts and a manufacturing facility located in Mount Pleasant, Tennessee. They are a wholly owned subsidiary of Mitsui Chemicals America, Inc. Image Polymers Company outsources their IT functions to Covisia Solutions, Inc. The software they currently use is the Windows XP Professional operating system and Sage Software MAS500 Version 7.30.40, a SQL Server-based enterprise management software system. They also use Sage Fixed Assets System software and Microsoft Office 2007 (Excel, Word, Outlook, and PowerPoint).
Image Polymers Company LLC has a total of five servers. There is a virtualized server with three distinct server areas: the first contains a domain controller section for access control (confirming usernames and passwords), the Exchange section (for the e-mail system) and the file storage and print section. The second is the Citrix server, which is used for virtual networking. The third is the MAS500 server, which houses the MAS500 database. There is also a back-up server for the domain controller and another Back-up Business Disaster Recovery (BDR) server.
PS3 Prepare Statement of Control Objectives
To ensure preventative, detective, and corrective measures are in place and working as
intended to protect the Information System from intrusion. To ensure proper controls are in place
to safeguard assets and prevent, detect and mitigate fraudulent activity.
To control access to the Information Systems to prevent unauthorized use and to restrict
authorized use.
PS4 Identification of Control Criteria
Master List of Controls

Firewall Management (Control -- Resource)
Firewall Policy [5] -- NIST SP 800-41 Revision 1, Tufin
System Security Plan -- NIST SP 800-41 Revision 1
Segregation of Duties -- NIST SP 800-41 Revision 1
Testing – Configuration Compliance Analysis -- NIST SP 800-41 Revision 1
Apply Patches -- NIST SP 800-41 Revision 1
Logs & Alerts -- NIST SP 800-41 Revision 1
Firewall Policy Back-up -- NIST SP 800-41 Revision 1
Ruleset Back-up -- NIST SP 800-41 Revision 1
Review of Firewall Policy -- NIST SP 800-41 Revision 1
Penetration Testing -- NIST SP 800-41 Revision 1
Configuration compliance with Network Security Policies -- Skybox Security
Network Access Policy -- Skybox Security
Periodic reviews of configurations (at least every six months) -- Skybox Security
PCI DSS Compliance Requirements -- Skybox Security
Manage Changes (Change Impact Analysis) (2x/month) -- Skybox Security, CobiT AI6
Configuration Compliance Analysis (1x/qtr) -- Skybox Security
Configuration Optimization (1x/year) -- Skybox Security

[5] A complex set of rules defining access privileges and restrictions for specific users and services.

Intrusion Detection, Intrusion Prevention and Security Management (Control -- Resource)
IPDS System -- NIST SP 800-94
Restrict network access to IPDS components -- NIST SP 800-94
Limit direct access to IPDS components -- NIST SP 800-94
Update IPDS System -- NIST SP 800-94
Protect IPDS management communication -- NIST SP 800-94
Log System (Reporting Module) -- NIST SP 800-94, ISACA P3
Maintain Log Files in secure location -- NIST SP 800-94
Perform vulnerability tests -- NIST SP 800-94
Conduct penetration tests -- NIST SP 800-94
Antivirus Software
Spyware
Training
Response Procedure
Back-up Procedure
Security Policy -- ISACA G40
Unique user ID and password for each individual network user
Automated enforcement of password change
Policy and Procedures related to Third Party Access
Implement and annually evaluate physical security access
Segregation of Duties
Inactive session shutdown
Periodic Review of Security System -- ISACA G40
Asset Classification -- ISACA G40
Background Screening of Employees -- ISACA G40
Control Identification Form

CONTROL OBJECTIVE:
To ensure preventative, detective, and corrective measures are in place and working as intended to protect the Information System from intrusion.
To ensure proper controls are in place to safeguard assets and prevent, detect and mitigate fraudulent activity.

Columns: Control; Control Category; Type of Control; Control Benefit; Adverse Impact of Control Not In Place/Effect.

Control: IPDS System (Intrusion Prevention and Detection System)
Control Category: Mechanism
Type of Control: General; Primary; Preventative, Detective
Control Benefit: To prevent unauthorized access and minimize the possibility of undetected intrusions.
Adverse Impact of Control Not In Place/Effect: Intrusion, i.e. malware or spyware; loss of confidentiality and integrity. Compromised Information System. Disclosure of proprietary information.

Control: Create unique passwords for IPDS users and administrator
Control Category: Mechanism
Type of Control: General; Secondary; Preventative
Control Benefit: Limited access to authorized users only in order to safeguard assets.
Adverse Impact of Control Not In Place/Effect: Unauthorized access; compromised system integrity and availability by disabling the IPDS system.

Control: Restrict network access to IPDS components
Control Category: Mechanism
Type of Control: General; Secondary; Preventative
Control Benefit: Preservation of the IPDS components.
Adverse Impact of Control Not In Place/Effect: Useless IPDS System.

Control: Limit direct access to IPDS components
Control Category: Mechanism
Type of Control: General; Secondary; Preventative
Control Benefit: Preservation of the IPDS components.
Adverse Impact of Control Not In Place/Effect: Useless IPDS System.

Control: Update Intrusion Detection System (IPDS) when new threat is detected and regularly
Control Category: Mechanism
Type of Control: General; Primary; Preventative
Control Benefit: Most up-to-date intrusion detection available to fight newly recognized potential intrusions.
Adverse Impact of Control Not In Place/Effect: Vulnerable to new intrusion techniques.

Control: Protect IPDS management communication through physical or logical separation or encryption
Control Category: Mechanism
Type of Control: General; Secondary; Preventative
Control Benefit: Protection from unauthorized changes.
Adverse Impact of Control Not In Place/Effect: Manipulation of communication log.
Control: Log System to record logins, activities and intrusions
Control Category: Mechanism
Type of Control: Application; Primary; Detective
Control Benefit: Keep a log of login and activities to determine patterns, aiding in detection of intrusions and malicious code.
Adverse Impact of Control Not In Place/Effect: Altered or missing log file; no audit trail/history available.

Control: Maintain Log System files in secure location
Control Category: Policy
Type of Control: General; Secondary; Preventative
Control Benefit: To keep a record for future management/audit reference.
Adverse Impact of Control Not In Place/Effect: Altered or missing log file; no audit trail/history available; unaware of log activity.

Control: Perform vulnerability assessments/tests quarterly
Control Category: Mechanism
Type of Control: General; Primary; Detective
Control Benefit: To confirm the system is functioning as designed and intended.
Adverse Impact of Control Not In Place/Effect: Do not know if the current system is functioning as it should; no assurance mechanisms.

Control: Conduct penetration tests periodically
Control Category: Mechanism
Type of Control: General; Primary; Detective
Control Benefit: To confirm the system is functioning as it should.
Adverse Impact of Control Not In Place/Effect: Do not know if the current system is functioning as it should; increased risk of system being compromised.

Control: Firewall Policy
Control Category: Organizational
Type of Control: General; Secondary; Preventative
Control Benefit: Rules for the Firewall to follow.
Adverse Impact of Control Not In Place/Effect: Ineffective firewall either allowing a threat in or slowing down the Information System.

Control: Network firewall
Control Category: Mechanism
Type of Control: General; Primary; Preventative
Control Benefit: To complement the IPDS System; filter network traffic.
Adverse Impact of Control Not In Place/Effect: Unauthorized access to Information Systems; compromised system and data integrity.

Control: Antivirus Software
Control Category: Mechanism
Type of Control: General; Primary; Preventative
Control Benefit: To complement the IPDS System; detect many threats the IPDS cannot.
Adverse Impact of Control Not In Place/Effect: Infected with malware, i.e. virus, worms, Trojan horse, malicious mobile code, blended threats, keystroke logger, backdoors.

Control: Spyware/Malware Control
Control Category: Mechanism
Type of Control: General; Primary; Preventative
Control Benefit: To complement the IPDS System in a multi-layered approach.
Adverse Impact of Control Not In Place/Effect: Infection with malware and non-malware forms of spyware; slows the system, considerably affecting system functionality and availability.
Control: Training
Control Category: Policy
Type of Control: General; Secondary; Preventative
Control Benefit: Personnel have the skills required to deal with the security issues.
Adverse Impact of Control Not In Place/Effect: Unqualified personnel could lead to security compromise.

Control: Response Procedure
Control Category: Procedure
Type of Control: General; Primary; Preventative
Control Benefit: Provide uniform response if a threat is detected.
Adverse Impact of Control Not In Place/Effect: Incorrect measure taken when threat is detected.

Control: Back-up Procedure
Control Category: Procedure
Type of Control: General; Secondary
Control Benefit: Current back-up if needed.
Adverse Impact of Control Not In Place/Effect: Unnecessary extended downtime.
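The Log System control above is justified by keeping a record of logins and activities so that patterns can be spotted. The following Python example is added here for illustration; it is not part of the team project or of the NIST and ISACA sources it cites. It runs one such review over a few constructed log lines: events are grouped by user and source, a burst of failed logins is flagged, and the reviewer is told whether a successful login followed the burst. The log format, the sample lines, the five-failure threshold and the five-minute window are all assumptions made for this illustration.

```python
"""Added example (not from the team project or its sources): review a
login/activity log for a burst of failed logins for one user from one
source, and note whether a successful login followed it. The log format,
sample lines and thresholds are assumptions constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; assumed format: "<ISO timestamp> <user> <source> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2011-04-13T08:01:10 jsmith 10.0.0.15 SUCCESS
2011-04-13T08:02:03 admin 203.0.113.7 FAILURE
2011-04-13T08:02:05 admin 203.0.113.7 FAILURE
2011-04-13T08:02:07 admin 203.0.113.7 FAILURE
2011-04-13T08:02:09 admin 203.0.113.7 FAILURE
2011-04-13T08:02:11 admin 203.0.113.7 FAILURE
2011-04-13T08:02:14 admin 203.0.113.7 SUCCESS
2011-04-13T09:15:00 mlee 10.0.0.22 FAILURE
2011-04-13T09:15:30 mlee 10.0.0.22 SUCCESS
"""


def parse_log(text):
    """Parse the assumed four-field format into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, source, result = line.split()
        events.append((datetime.fromisoformat(stamp), user, source, result))
    return events


def find_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each (source, user) pair with at least `threshold` failures inside `window`.

    A finding records the failure count and whether a SUCCESS for the same
    pair followed within `window` of the last failure; a reviewer would
    treat that as a possible guessed password rather than a mistyped one."""
    grouped = defaultdict(list)
    for stamp, user, source, result in events:
        grouped[(source, user)].append((stamp, result))

    findings = []
    for (source, user), items in grouped.items():
        items.sort()
        failures = [stamp for stamp, result in items if result == "FAILURE"]
        for i, start in enumerate(failures):
            # Extend the window forward from this failure.
            end = i
            while end + 1 < len(failures) and failures[end + 1] - start <= window:
                end += 1
            count = end - i + 1
            if count >= threshold:
                last_failure = failures[end]
                success_after = any(
                    result == "SUCCESS" and last_failure < stamp <= last_failure + window
                    for stamp, result in items
                )
                findings.append({
                    "source": source,
                    "user": user,
                    "failures": count,
                    "success_after": success_after,
                })
                break  # one finding per pair is enough for the review
    return findings


def review(text, threshold=5, window=timedelta(minutes=5)):
    """Parse the log text and return the findings list."""
    return find_failed_login_bursts(parse_log(text), threshold, window)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the constructed sample the review reports a single finding: five failures for `admin` from `203.0.113.7` within the window, followed by a success. The single failure for `mlee` stays below the threshold and is not reported, which is the kind of distinction a log review needs so that reviewers are not flooded with ordinary typos.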
Control Identification Form

CONTROL OBJECTIVE:
To control access to the Information Systems to prevent unauthorized use and to restrict authorized use.
To ensure proper controls are in place to ensure data and system availability in order for the Information Systems to fully support the organization’s objectives.

Columns: Control; Control Category; Type of Control; Control Benefit; Adverse Impact of Control Not In Place/Effect.

Control: Security Policy
Control Category: Organizational
Type of Control: General; Secondary?; Preventative
Control Benefit: To communicate the Policies authorized by Management.
Adverse Impact of Control Not In Place/Effect: Lack of awareness of Security Policy; compromised system and data integrity.

Control: Unique user ID and password for each individual network user (proper length; mix of letters, numbers, & symbols)
Control Category: Policy
Type of Control: General; Secondary; Preventative
Control Benefit: Controls access to the system and fosters system security.
Adverse Impact of Control Not In Place/Effect: Unauthorized access to information, which could affect the security of information.

Control: Automated enforcement of password changes
Control Category: Policy
Type of Control: General; Secondary; Preventative
Control Benefit: Frequent password changes limit the likelihood of unauthorized access.
Adverse Impact of Control Not In Place/Effect: Possible password theft and unauthorized access to the system.

Control: Policy & Procedures regarding Third Party Access
Control Category: Policy
Type of Control: General; Secondary; Preventative
Control Benefit: Controls, limits and restricts outside access to the system, ensuring system integrity.
Adverse Impact of Control Not In Place/Effect: System could be compromised due to no controls as to how the system could be accessed by outside parties (example: a guest password would ensure employees do not share their passwords with guest users); avoid group passwords, as this erodes accountability.

Control: Policy & Procedure to deactivate access prior to employee termination
Control Category: Policy
Type of Control: General; Secondary; Preventative
Control Benefit: Ensures only active employees have access to the system, limiting the possibility of retaliation or sabotage of the system.
Adverse Impact of Control Not In Place/Effect: Disgruntled employees may access the system and compromise the data and security of the system or obtain proprietary information.
Control: Written Acceptable Use Policy with required Signature of employee
Control Category: Legal
Type of Control: General; Secondary; Preventative
Control Benefit: Ensures employee knowledge of and responsibility to properly safeguard the system.
Adverse Impact of Control Not In Place/Effect: System could be vulnerable to unauthorized access due to password sharing or weak password selection, also email usage (downloads, links) and peripheral devices, such as laptops and USBs, etc.

Control: Implement and annually evaluate physical security (i.e. locks, alarm systems, etc.)
Control Category: Mechanism
Type of Control: General; Primary; Preventative, Detective
Control Benefit: Prevent unauthorized access.
Adverse Impact of Control Not In Place/Effect: Increased risk -- unauthorized access gained.

Control: Properly segregate duties regarding the Information System to limit access
Control Category: Organizational
Type of Control: General; Secondary; Preventative
Control Benefit: Limit access based on job descriptions and appropriate access.
Adverse Impact of Control Not In Place/Effect: Too many people with unlimited access, which can lead to unauthorized access and affect the reliability of the data.

Control: Inactive sessions shutdown after a defined period of inactivity
Control Category: Mechanism
Type of Control: General; Secondary; Preventative
Control Benefit: Prevent unauthorized access when a system is left idle for a period of time.
Adverse Impact of Control Not In Place/Effect: Gain unauthorized access.
Control Evidence Form

Columns: Control; Evidence that Control Would be in Place; Evidence that Control Would be in Effect.

Control: IPDS System (Intrusion Prevention and Detection System)
Evidence that Control Would be in Place: Third party confirmation. Documentation of procedure for IPDS system; review audit security log.
Evidence that Control Would be in Effect: System availability. No disruption or minimal disruption of service due to detected intrusions. Audit security log, documentation of system review and response.

Control: Create unique passwords for IPDS users and administrator
Evidence that Control Would be in Place: List of users and administrators.

Control: Restrict network access to IPDS components
Evidence that Control Would be in Place: List of users and administrators.

Control: Limit direct access to IPDS components
Evidence that Control Would be in Place: View physical location for lock or method of restriction on accessing components, i.e. sensors or agents, management server, database server.

Control: Update Intrusion Detection System (IPDS) when new threat is detected and according to vendor recommendations
Evidence that Control Would be in Place: Updated log file. List of updates from vendor.

Control: Protect IPDS management communication through physical or logical separation or encryption
Evidence that Control Would be in Place: Third party confirmation.

Control: Log System to record log-ins and intrusions
Evidence that Control Would be in Place: Log file.

Control: Maintain Log System files in secure location
Evidence that Control Would be in Place: View physical location of Log System.

Control: Perform vulnerability assessments/tests quarterly
Evidence that Control Would be in Place: Third party confirmation. Observe vulnerability test.
Control: Conduct penetration tests bi-annually
Evidence that Control Would be in Place: Third party confirmation. Observe penetration test.

Control: Network firewall
Evidence that Control Would be in Place: Software License.

Control: Antivirus Software
Evidence that Control Would be in Place: View Software License. View program in program files on equipment, i.e. laptop, server.

Control: Spyware
Evidence that Control Would be in Place: View Software License. View program in program files on equipment, i.e. laptop, server.

Control: Training
Evidence that Control Would be in Place: Physical written documentation. Sign-in list of employees attending training. Documents used in training classes.

Control: Response Procedure
Evidence that Control Would be in Place: Written documentation of procedure. Documentation readily available in hardcopy or online.

Control: Back-up Procedure
Evidence that Control Would be in Place: Written documentation of procedure. Documentation readily available in hardcopy or online.
Control: Security Policy
Evidence that Control Would be in Place: Documented Policy.
Evidence that Control Would be in Effect: Understanding of Policy by Management. Policy is readily available in hardcopy and online.

Control: Unique user ID and password for each individual network user (long in length; mix of letters, numbers, & symbols)
Evidence that Control Would be in Place: List of UserIDs. List of active employees.
Evidence that Control Would be in Effect: Number of employees matches the number of UserIDs.

Control: Automated enforcement to change password within a predetermined period
Evidence that Control Would be in Place: Documented Policy. Automated program alert.
Evidence that Control Would be in Effect: Understanding of Policy by Management and staff.

Control: Policy & Procedures regarding Third Party Access
Evidence that Control Would be in Place: Documented Policy. SLA.
Evidence that Control Would be in Effect: Understanding of Policy by Management and Third Party.

Control: Policy & Procedure to deactivate access prior to employee termination
Evidence that Control Would be in Place: Documented Policy.
Evidence that Control Would be in Effect: Understanding of Policy by Management and staff.

Control: Written Acceptable Use Policy with required Signature of employee
Evidence that Control Would be in Place: Documented Policy. Document with Employee’s signature.
Evidence that Control Would be in Effect: Understanding of Policy by Employees.

Control: Implement and annually evaluate physical security (i.e. locks, alarm systems, etc.)
Evidence that Control Would be in Place: Documented procedure.
Evidence that Control Would be in Effect: Understanding of Procedure by Management. Documented review.

Control: Properly segregate duties regarding the Information System to limit access
Evidence that Control Would be in Place: RACI Chart. Organization Chart.
Evidence that Control Would be in Effect: Appropriate access rights dependent upon duties.

Control: Inactive sessions shut-down after a defined period of inactivity
Evidence that Control Would be in Place: Documented Policy.
Evidence that Control Would be in Effect: Computer returns to log-in screen. Log-in required to access system after designated allotment of time.
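The Control Evidence Form above names the reconciliation an auditor would perform for the unique-user-ID and deactivate-before-termination controls: compare the list of user IDs against the list of active employees and check that the counts match. The following Python example is added here and is not part of the team project; it carries that check out on constructed CSV exports (the column layouts and every record are assumptions) and also lists the exceptions the form's adverse-impact column is concerned with: accounts belonging to terminated employees, accounts with no named active owner such as a shared guest account, and active employees with no account at all.

```python
"""Added example (not from the team project or its sources): reconcile the
network user-ID list against the active employee roster. The CSV layouts and
all records are constructed for illustration; a real audit would export them
from the domain controller and the HR system."""
import csv
import io

# Constructed user-ID export; assumed columns: user_id, owner, last_login
USER_IDS = """\
user_id,owner,last_login
alee,Ann Lee,2011-04-12
bwong,Brian Wong,2011-04-11
cdiaz,Carla Diaz,2011-04-13
guest,Shared guest account,2011-04-10
rjones,Robert Jones,2011-03-20
"""

# Constructed HR roster; assumed columns: employee, status, termination_date
ROSTER = """\
employee,status,termination_date
Ann Lee,active,
Brian Wong,active,
Carla Diaz,active,
Maria Cruz,active,
Robert Jones,terminated,2011-03-15
"""


def reconcile(user_csv, roster_csv):
    """Compare the account list with the roster and return the exceptions an auditor would list."""
    users = list(csv.DictReader(io.StringIO(user_csv)))
    roster = list(csv.DictReader(io.StringIO(roster_csv)))

    active = {r["employee"] for r in roster if r["status"] == "active"}
    terminated = {r["employee"]: r["termination_date"]
                  for r in roster if r["status"] == "terminated"}

    findings = {
        "terminated_with_access": [],  # account still exists after termination
        "unmatched_accounts": [],      # no named active owner (shared, guest, unknown)
        "employees_without_id": [],    # active staff with no account at all
        "count_matches": False,        # the form's headline check
    }
    owners = set()
    for u in users:
        owner = u["owner"]
        owners.add(owner)
        if owner in terminated:
            # ISO dates compare correctly as strings; True means the account
            # was used after the termination date, which needs explaining.
            used_after = u["last_login"] > terminated[owner]
            findings["terminated_with_access"].append(
                (u["user_id"], owner, terminated[owner], used_after))
        elif owner not in active:
            findings["unmatched_accounts"].append(u["user_id"])

    findings["employees_without_id"] = sorted(active - owners)
    findings["count_matches"] = len(users) == len(active)
    return findings


if __name__ == "__main__":
    for key, value in reconcile(USER_IDS, ROSTER).items():
        print(f"{key}: {value}")
```

On the constructed data the headline count check fails (five accounts, four active employees), and the detail explains why: `rjones` survives a termination and was used after the termination date, `guest` has no named owner, and Maria Cruz has no account. Listing the detail alongside the count is what lets the auditor distinguish a harmless mismatch from one that bears on the deactivate-before-termination control.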
Audit Objectives
- To determine whether controls are in place and in effect to provide reasonable assurance that preventative, detective, and corrective measures are in place and working as intended to protect the Information System from intrusion.
- To determine whether controls are in place and in effect to provide reasonable assurance that assets are safeguarded and fraudulent activity is prevented, detected and mitigated.
- To determine whether controls are in place and in effect to provide reasonable assurance that unauthorized access to the Information Systems is prevented and authorized use is restricted.
- To determine whether controls are in place and in effect to provide reasonable assurance that data and system availability is maintained in order for the Information Systems to fully support the organization’s objectives.
Audit Steps (note: these are just bulleted thoughts I had while at the gym; I will develop real audit steps)
o Gain knowledge/understanding
o Identify the current infrastructure i.e. hardware, software
o Mission Statement
o Obtain existing policies
o RACI (organization) charts
o Business objectives
o Assess and determine risk (do we need to assess the risk of the organization as well as audit risk?)
o Current risk
o Risk appetite
o Risk tolerance
o Define scope
o Determine qualifications (existing and needed)
o Get specialist (where necessary)
o Determine procedures
o Tests of controls
o Report
o Review with management
o Revise
o Submit
Audit Evidence Form for Assessment of Controls in Place

Columns: Control; Control Criteria (Evidence that Would Show the Control to be in Place, i.e. Control Evidence); Audit Evidence (Evidence Obtained as to Whether the Control is in Place); Control in Place (Y/P/N).

Control: IPDS System (Intrusion Prevention and Detection System)

Control: Create unique passwords for IPDS users and administrator
Control Criteria: Obtain list of users and administrators. Interview management and staff and IT staff.

Control: Restrict network access to IPDS components

Control: Limit direct access to IPDS components
Control Criteria: View physical location for lock or method of restriction on accessing components, i.e. sensors, agents,

Control: Update Intrusion Detection System (IPDS) when new threat is detected and quarterly

Control: Protect IPDS management communication through physical or logical separation or encryption

Control: Log System to record log-ins and intrusions
Control Criteria: View log file.

Control: Maintain Log System files in secure location
Control Criteria: View physical location of Log System.

Control: Perform vulnerability assessments/tests quarterly
Control: Conduct penetration tests biannually

Control: Network firewall

Control: Antivirus Software

Control: Spyware

Control: Training

Control: Response Procedure

Control: Back-up Procedure
Control: Security Policy

Control: Unique user ID and password for each individual network user (long in length; mix of letters, numbers, & symbols)

Control: Automated enforcement of password changes

Control: Policy & Procedures regarding Third Party Access

Control: Policy & Procedure to deactivate access prior to employee termination

Control: Written Policy re: proper use of Information System with required Signature of employee

Control: Implement and annually evaluate physical security (i.e. locks, alarm systems, etc.)

Control: Properly segregate duties regarding the Information System to limit access

Control: Inactive sessions shut-down after a defined period of inactivity
Audit Conclusion
Instruction: Ensure that there is sufficient, competent and appropriate evidence to support audit conclusions and audit findings.
Review control tables and Audit Results Comparison Sheets.
Is there an adequate combination of controls in place to address the control objective from a “process” audit perspective? Are the
controls in place appropriate in design to address the control objective?
Is there an adequate combination of controls in effect to provide reasonable assurance that the control objective would be achieved, or
met? Is there sufficient, competent evidence to support the audit conclusion and to demonstrate that the controls are in effect?
Completed by:
Date:
Reviewed by:
Date:
Audit Results Comparison Sheet – Control Criteria to Review or Test Results

Columns: Control; Control Evidence that Would Demonstrate the Control Would be in Place; Control in Place (Y/P/N); Control Evidence that Would Demonstrate the Control Would be in Effect; Control in Effect (Y/P/N).
Works Cited
Firewall Operations Management, Auditing and Compliance. (2011, February). Retrieved April 2011, from Tufin Secure Track Web site: http://www.tufin.com
ISACA. (2010). IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance and Control Professionals. Rolling Meadows.
Scarfone, K., & Hoffman, P. (2009, September). National Institute of Standards and Technology Guidelines on Firewalls and Firewall Policy, SP 800-41 Revision 1. Gaithersburg, Maryland, United States of America.
Scarfone, K., & Mell, P. (2007, February). National Institute of Standards and Technology Guide to Intrusion Detection and Prevention Systems (IPDS), SP 800-94. Gaithersburg, Maryland, United States of America.
Skybox Security, Inc. (2010, May). Retrieved April 2011, from Skybox Security Web Site: http://www.skyboxsecurity.com