Control Identification Form

IT Auditing:
Firewall Management, Intrusion Detection, Intrusion Prevention
& Security Information Management
AC475 Team Project:
Katherine Jackowski
Elizabeth Kearney-Lang
Daureen Lingley-Chor
Security Information Management
PS1 Selection of Areas of Examination
The two areas of interest our team chose, Firewall Management and Intrusion Detection, Intrusion Prevention and Security Information Management, complement each other well, both focusing on the safeguarding of company assets. Since our collective knowledge in these areas was quite limited, we felt they would be challenging topics to research. The potential threats to an Information System are numerous, with names that sound as if they came from a video game (botnet, smurf attack, Trojan horse), but their potential damage to an Information System could be financially devastating and lead to reputational and operational risk.
Our research began with An Introduction to Computer Security: The NIST Handbook and included the Special Publications from the National Institute of Standards and Technology: SP 800-41 Revision 1, Guidelines on Firewalls and Firewall Policy; SP 800-61 Revision 1, Computer Security Incident Handling Guide; and SP 800-94, Guide to Intrusion Detection and Prevention Systems. We also used our textbook, Information Technology Auditing and Assurance by James A. Hall. The following ISACA Standards were utilized as well:
• P3 Intrusion Detection Systems (IDS)
• P4 Viruses and other Malicious Code
• P6 Firewall Procedure
• G40 Review of Security Management Practices
We visited various vendor websites and utilized the White Papers from Skybox Security
entitled How to Painlessly Audit Your Firewalls and Tufin entitled Firewall Operations
Management, Auditing, and Compliance.
Research into the client organization included speaking with Jonathan Yorke, the Vice
President of Administration and Accounting at Image Polymers Company, LLC, and researching
the mission statement and business objectives on the parent website:
www.mitsuichem.com
Our knowledgeable source was Jason Allen, Network Engineer, from Covisia Solutions,
Inc. Covisia Solutions, Inc. provides security management to Image Polymers Company, LLC.
Page 2 of 44
Work-In-Progress Record
PS1 Selection of Areas of Examination
• state the areas selected and reason for selecting them
• how topic was researched and note sources (include hardcopy & electronic research & list persons or organizations)
• copy of team’s work-in-progress record
• identify purpose of the area of examination
• risks, threats and exposures associated with the areas
• critical success factors
PS2 Selection of Client or Selection of Knowledgeable Sources
• Identification of client organization with contact information
• Identification of knowledgeable sources
• Identify how the client organization measures IT process performance and benchmark your selected process areas to the CobiT maturity models
• Discuss knowledgeable sources – what their experience has been with conducting or observing how others have evaluated IT process performance
PS3 Prepare Statements of Control Objectives
• Statement of high-level control objective for each topic area
• Supporting control objectives (may be more granularly defined than the high-level objective) for each topic area
PS4 Identification of Control Criteria
• Master list of controls for the topic areas selected
PS5 Identification of Control Criteria
• Tables w/ control category and type identified
PS6 Identification of Control Benefit and Impact of Control Not in Place/Effect
• Tables w/controls further identified in terms of their value and impact of not working as intended with respect to the control objective
PS7 Identification of Control Evidence
• Tables w/controls further identified in terms of what would be considered as the desired evidence to show that the control is in place and in effect
PS8 Formulate Audit Objectives
• List Audit Objectives
Initialled: KJ, EKL, DLC
Security Information Management

Reference Closing the Loop Framework
PS9 Formulate Audit Steps to Gather and Analyze Evidence
• List of audit steps developed to gather and analyze the control evidence noted in the tables for each control
PS10 Prepare Audit Strategy and Audit Work Program
• Description of approach to conducting audit work designed to address the previously identified control objectives
• Audit Work Program containing stated control objective(s), audit objective(s) and the audit steps developed to gather and analyze the control evidence noted in the tables for each control
PS11 Obtain External Input
• Provide an explanation of the type and extent of input obtained from external parties
• Identify which sources were the best for your project and why
PS12 Client Control Review
• Provide an explanation of the type and extent of input obtained from external parties
PS13 Class Presentation
• A handout to the class that identifies your team, the topic areas, sources for further information
Team Meeting Dates
Initialled: KJ, EKL, DLC
Risks, Threats and Exposures
A risk is any exposure to the possibility of loss, theft or disruption, also referred to as a threat. All businesses assume some risk; no business is immune to the exposure of threats. Because opportunity and risk go hand in hand, you cannot have opportunity without also having some risk, and wherever there is risk there is potential opportunity. The key is to minimize potential risk and eliminate exposures to threats as much as possible; this is done through the use of controls. Threats to an organization’s Information System’s security can come from both internal and external sources and can be both intentional and accidental. They may include:
• Denial of Service (DoS) attacks that affect a Web server to prevent it from providing service to legitimate users
• Malicious Code, i.e. a virus, worm, Trojan horse or any code-based malicious entity that infects a host system
• Unauthorized access, i.e. logical or physical access to a system without permission
• Inappropriate Usage, i.e. violation of the acceptable use policy or any other established computer security policy
• Multiple Components, i.e. malicious code that provides unauthorized access [1]
According to the 1991 Annual Report submitted by the Computer System Security and Privacy Advisory Board, the following areas were found to contribute to the economic loss of organizations: “65% errors and omissions; 13% dishonest employees; 6% disgruntled employees; 8% loss of supporting infrastructure, including power, communications, water, sewer, transportation, outsiders, including viruses, espionage, dissidents, and malcontents of various kinds, and former employees who have been away for more than six weeks.” [2] Between 1999 and 2003, attacks on computer servers increased by over 530% to 137,000 incidents in the United States [3]. FinCEN [4] reported in its Suspicious Activity Report that computer intrusions increased more than 500% from 2003 to 2004.
On April 13, 2011, Senator Sheldon Whitehouse, a Democrat from Rhode Island, and Senator Jon Kyl, a Republican from Arizona, introduced a bill acknowledging that “businesses in the United States are bearing enormous losses as a result of criminal cyber attacks, depriving businesses of hard-earned profits that could be reinvested in further job-producing innovation.” The bill is entitled the Cyber Security Public Awareness Act of 2011. If enacted, this bill, S.813, will require the Department of Homeland Security, along with various branches of the government, to report to Congress on the frequency and impact of cyber security incidents and the number of prosecutions for cybercrimes occurring in the United States. It will also require “a summary of the plans of the Secretary of Homeland Security to enhance public awareness of common cyber security threats, including a description of the metrics used by the Department of Homeland Security for evaluating the efficacy of public awareness campaigns” to be submitted to Congress. [5]

[1] NIST Special Publication 800-61 Revision 1
[2] An Introduction to Computer Security – The NIST Handbook, SP 800-12
[3] The World Technology Risk Checklist 7.3
[4] FinCEN - Financial Crimes Enforcement Network – a U.S. government agency established by the U.S. Department of Treasury in 1990 to provide multi-source financial intelligence and analysis.
Information Security is an area that will require organizations to continually monitor and
reassess for potential risks, and remain aware of new threats and technologies to mitigate their
exposure to vulnerabilities in their Information Systems.
Key Success Factors
• Senior management commitment to Information security
• Management’s understanding of Information security issues
• Information Security centrally-based
• Integration between security objectives and business objectives
• Proactive security plan which includes awareness training of staff
• Automated risk management process which includes definition of risk limits and risk tolerance
• Performance measurements
• Up-to-date Protective Techniques
• Enforcement of Security Policies
• Ability to cost-justify information security
• Avoid over-control that may reduce the efficiency of the system
• Applications are secured before implementation
• Service Level Agreements (SLAs) are utilized with suppliers to promote awareness and co-operation relative to security
• IT Governance fosters ethical behavior
• Measurements of control effectiveness should align with regulation and laws and be reported to the board quarterly and annually (ISACA, 2005)
• Implement layered security (Campbell, 2003)
• Security conscious culture among end users within the organization (IIA, 2011)
[5] http://ezp.bentley.edu/login?url=http://search.proquest.com/docview862230
PS2 Selection of Client or Selection of Knowledgeable Sources
Client
Our client, Image Polymers Company, LLC, is a small manufacturing business established in 1991, with its headquarters in Andover, Massachusetts and its manufacturing facility in Mount Pleasant, Tennessee. It is a wholly owned subsidiary of Mitsui Chemicals America, Inc. Its corporate mission is adopted from the parent company and includes the following:
    Contribute broadly to society by providing high-quality products and services to customers through innovations and the creation of materials and products while keeping in harmony with the global environment.
Image Polymers Company outsources its IT functions to Covisia Solutions, Inc. The software currently in use is the Windows XP Professional operating system and Sage Software MAS500 Version 7.30.40, a SQL Server-based enterprise management software system. They also use Sage Fixed Assets System software and Microsoft Office 2007 (Excel, Word, Outlook, and PowerPoint).
Image Polymers Company LLC has a total of five servers. There is a virtualized server with three distinct server areas: the first contains a domain controller section for access control (confirming usernames and passwords), the Exchange section (for the e-mail system) and the file storage and print section; the second is the Citrix server, which is used for virtual networking; the third is the MAS500 server, which houses the MAS500 database. There is also a back-up server for the domain controller and another Back-up Business Disaster Recovery (BDR) server.
PS3 Prepare Statement of Control Objectives
To ensure preventative, detective, and corrective measures are in place and working as intended
to protect the Information System from intrusion.
To ensure proper controls are in place to safeguard assets and prevent, detect and mitigate
fraudulent activity.
To control access to the Information Systems to prevent unauthorized use and to restrict
authorized use.
To ensure proper controls are in place to ensure data and system availability in order for the
Information Systems to fully support the organization’s objectives.
PS4 Identification of Control Criteria
Master List of Controls

Firewall Management
Control | Resource
Firewall Policy [6] | NIST SP 800-41 Revision 1, Tufin
System Security Plan | NIST SP 800-41 Revision 1
Segregation of Duties | NIST SP 800-41 Revision 1
Testing – Configuration Compliance Analysis | NIST SP 800-41 Revision 1
Apply Patches | NIST SP 800-41 Revision 1
Logs & Alerts | NIST SP 800-41 Revision 1
Firewall Policy Back-up | NIST SP 800-41 Revision 1
Ruleset Back-up | NIST SP 800-41 Revision 1
Review of Firewall Policy | NIST SP 800-41 Revision 1
Penetration Testing | NIST SP 800-41 Revision 1
Configuration compliance with Network Security Policies | Skybox Security
Network Access Policy | Skybox Security
Periodic reviews of configurations (at least every six months) | Skybox Security
PCI DSS Compliance Requirements | Skybox Security
Manage Changes (Change Impact Analysis) (2x/month) | Skybox Security, CobiT AI6
Configuration Compliance Analysis (1x/qtr) | Skybox Security
Configuration Optimization (1x/year) | Skybox Security

Intrusion Detection, Intrusion Prevention and Security Management
Control | Resource
IPDS System | NIST SP 800-94
Restrict network access to IPDS components | NIST SP 800-94
Limit direct access to IPDS components | NIST SP 800-94
Update IPDS System | NIST SP 800-94
Protect IPDS management communication | NIST SP 800-94
Log System (Reporting Module) | NIST SP 800-94, ISACA P3
Maintain Log Files in secure location | NIST SP 800-94
Perform vulnerability tests | NIST SP 800-94
Conduct penetration tests | NIST SP 800-94
Antivirus Software | (no resource listed)
Anti-Spyware | (no resource listed)
Training | (no resource listed)
Response Procedure | (no resource listed)
Back-up Procedure | (no resource listed)
Security Policy | ISACA G40
Unique user ID and password for each individual network user | (no resource listed)
Automated enforcement of password change | (no resource listed)
Policy and Procedures related to Third Party Access | (no resource listed)
Implement and annually evaluate physical security access | (no resource listed)
Segregation of Duties | (no resource listed)
Inactive session shutdown | (no resource listed)
Periodic Review of Security System | ISACA G40
Asset Classification | ISACA G40
Background Screening of Employees | ISACA G40
Encryption | (no resource listed)

[6] A complex set of rules defining access privileges and restrictions for specific users and services.
PS5 Control Identification Form
CONTROL OBJECTIVE:
To ensure preventative, detective, and corrective measures are in place and working as intended to protect the Information System from intrusion.
To ensure proper controls are in place to safeguard assets and prevent, detect and mitigate fraudulent activity.

Columns: Control | Control Category | Type of Control | Control Benefit | Adverse Impact of Control Not In Place/Effect

Control: IPDS System (Intrusion Prevention and Detection System)
  Category: Mechanism
  Type: General, Primary, Preventative, Detective
  Benefit: To prevent the unauthorized access and minimize possibility of undetected intrusions.
  Adverse impact: Intrusion i.e. malware or spyware – loss of confidentiality and integrity. Compromised Information System. Disclosure of proprietary information.

Control: Create unique passwords for IPDS users and administrator
  Category: Mechanism
  Type: General, Secondary, Preventative
  Benefit: Limited access to authorized users only in order to safeguard assets.
  Adverse impact: Unauthorized access: Compromised system integrity and availability by disabling the IPDS system.

Control: Restrict network access to IPDS components
  Category: Mechanism
  Type: General, Secondary, Preventative
  Benefit: Preservation of the IPDS components.
  Adverse impact: Useless IPDS System.

Control: Limit direct access to IPDS components
  Category: Mechanism
  Type: General, Secondary, Preventative
  Benefit: Preservation of the IPDS components.
  Adverse impact: Useless IPDS System.

Control: Update Intrusion Detection System (IPDS) when new threat is detected and regularly
  Category: Mechanism
  Type: General, Primary, Preventative
  Benefit: Most up-to-date intrusion detection available to fight newly recognized potential intrusions.
  Adverse impact: Vulnerable to new intrusion techniques.

Control: Protect IPDS management communication through physical or logical separation or encryption
  Category: Mechanism
  Type: General, Secondary, Preventative
  Benefit: Protection from unauthorized changes
  Adverse impact: Manipulation of communication log.
Control: Log System to record logins, activities and intrusions
  Category: Mechanism
  Type: Application, Primary, Detective
  Benefit: Keep a log of login and activities to determine patterns—aiding in detection of intrusions and malicious code
  Adverse impact: Altered or missing log file; no audit trail/history available.

Control: Maintain Log System files in secure location
  Category: Policy
  Type: General, Secondary, Preventative
  Benefit: To keep a record for future management/audit reference
  Adverse impact: Altered or missing log file; no audit trail/history available—unaware of log activity.

Control: Perform vulnerability assessments/tests
  Category: Mechanism
  Type: General, Primary, Detective
  Benefit: To confirm the system is functioning as designed and intended
  Adverse impact: Do not know if the current system is functioning as it should—no assurance mechanisms.

Control: Conduct penetration tests
  Category: Mechanism
  Type: General, Primary, Detective
  Benefit: To confirm the system is functioning as it should
  Adverse impact: Do not know if the current system is functioning as it should; increased risk of system being compromised.

Control: Firewall Policy
  Category: Organizational
  Type: General, Secondary, Preventative
  Benefit: Rules for the Firewall to follow
  Adverse impact: Ineffective firewall either allowing a threat in or slowing down the Information System.

Control: Network firewall
  Category: Mechanism
  Type: General, Primary, Preventative
  Benefit: To complement the IPDS System; filter network traffic
  Adverse impact: Unauthorized access to Information Systems; compromised system and data integrity.

Control: Antivirus Software
  Category: Mechanism
  Type: General, Primary, Preventative
  Benefit: To complement the IPDS System; detect many threats the IPDS cannot
  Adverse impact: Infected with malware i.e. virus, worms, Trojan horse, malicious mobile code, blended threats, keystroke logger, backdoors.

Control: Anti-Spyware/Malware
  Category: Mechanism
  Type: General, Primary, Preventative
  Benefit: To complement the IPDS System in a multi-layered approach.
  Adverse impact: Infection with malware and non-malware forms of spyware; slows the system, considerably affecting system functionality and availability.
Control: Training
  Category: Policy
  Type: General, Secondary, Preventative
  Benefit: Personnel have the skills required to deal with the security issues
  Adverse impact: Unqualified personnel could lead to security compromise.

Control: Response Procedure
  Category: Procedure
  Type: General, Primary, Preventative
  Benefit: Provide uniform response if a threat is detected
  Adverse impact: Incorrect measure taken when threat is detected.

Control: Back-up Procedure
  Category: Procedure
  Type: General, Secondary
  Benefit: Current back-up if needed.
  Adverse impact: Unnecessary extended downtime.

Control Identification Form
CONTROL OBJECTIVE:
To control access to the Information Systems to prevent unauthorized use and to restrict authorized use.
To ensure proper controls are in place to ensure data and system availability in order for the Information Systems to fully support the organization’s objectives.

Columns: Control | Control Category | Type of Control | Control Benefit | Adverse Impact of Control Not In Place/Effect

Control: Security Policy
  Category: Organizational
  Type: General, Secondary, Preventative
  Benefit: To communicate the Policies authorized by Management.
  Adverse impact: Lack of awareness of Security Policy; compromised system and data integrity.

Control: Unique user ID and password for each individual network user (proper length; mix of letters, numbers, & symbols)
  Category: Policy
  Type: General, Secondary, Preventative
  Benefit: Controls access to the system and fosters system security.
  Adverse impact: Unauthorized access to information which could affect the security of information.

Control: Automated enforcement to changing passwords
  Category: Policy
  Type: General, Secondary, Preventative
  Benefit: Frequent password changes limit the likelihood of unauthorized access.
  Adverse impact: Possible password theft and unauthorized access to the system.

Control: Policy & Procedures regarding Third Party Access
  Category: Policy
  Type: General, Secondary, Preventative
  Benefit: Controls, limits and restricts outside access to the system ensuring system integrity.
  Adverse impact: System could be compromised due to no controls as to how the system could be accessed by outside parties (example: guest password would ensure employees do not share their passwords with guest users); avoid group passwords, as this erodes accountability

Control: Policy & Procedure to deactivate access prior to employee termination
  Category: Policy
  Type: General, Secondary, Preventative
  Benefit: Ensures only active employees have access to the system, limiting the possibility of retaliation or sabotage of system.
  Adverse impact: Disgruntled employees may access the system and compromise the data and security of the system or obtain proprietary information.

Control: Written Acceptable Use Policy with required Signature of employee
  Category: Legal
  Type: General, Secondary, Preventative
  Benefit: Ensures employee knowledge of and responsibility to properly safeguard the system.
  Adverse impact: System could be vulnerable to unauthorized access due to password sharing or weak password selection, also email usages (downloads, links); peripheral devices, such as laptops and USBs, etc.

Control: Implement and annually evaluate physical security (i.e. locks, alarm systems, etc.)
  Category: Mechanism
  Type: General, Primary, Preventative, Detective
  Benefit: Prevent unauthorized access
  Adverse impact: Increased risk -- Unauthorized access gained

Control: Properly segregate duties regarding the Information System to limit access
  Category: Organizational
  Type: General, Secondary, Preventative
  Benefit: Limit access based on job descriptions and appropriate access
  Adverse impact: Too many people with unlimited access, which can lead to unauthorized access and affect the reliability of the data.

Control: Inactive sessions shutdown after a defined period of inactivity
  Category: Mechanism
  Type: General, Secondary, Preventative
  Benefit: Prevent unauthorized access when a system is left idle for a period of time
  Adverse impact: Gain unauthorized access.

PS6 Control Evidence Form
Columns: Control | Evidence that Control Would be in Place | Evidence that Control Would be in Effect

Control: IPDS System (Intrusion Prevention and Detection System)
  Evidence in place: Third party confirmation. Documentation of procedure for IPDS system, review audit security log.
  Evidence in effect: System availability. No disruption or minimal disruption of service due to detected intrusions. Audit security log, documentation of system review and response.

Control: Create unique passwords for IPDS users and administrator
  Evidence in place: List of users and administrators. Documentation of policy/procedures
  Evidence in effect: Log of incorrect password entries, system shutdown/block for users that enter wrong password more than once, password for one user name will not work for any other user

Control: Restrict network access to IPDS components
  Evidence in place: List of users and administrators. List of restrictions per user
  Evidence in effect: System notification when unauthorized use is being attempted, restrictions per user should be visible on the system, no one will be capable of getting through their user restriction.

Control: Limit direct access to IPDS components
  Evidence in place: Physical lock or method of restriction from accessing components i.e. sensors or agents, management server, database server. Visible security.
  Evidence in effect: Any security key or password is only available to limited personnel. No one can easily get past guard, lock, or alarm system.

Control: Update Intrusion Detection System (IPDS) when new threat is detected and according to vendor recommendations
  Evidence in place: Updated Log File. List of updates from vendor. Policy/procedure for updating.
  Evidence in effect: Policies/procedures are strictly followed. Documentation of response to threats detected. Latest version of IPDS will match recommendations of vendor.

Control: Protect IPDS management communication through physical or logical separation or encryption
  Evidence in place: Third party confirmation. Encryption coding exists.
  Evidence in effect: Communication is encrypted. Only management is communicated with and capable of reading IPDS communication.

Control: Log System to record log-ins and intrusions
  Evidence in place: Log file.
  Evidence in effect: No dates/times will be missing from log. All intrusions will be documented on log system. Each computer and/or system will be connected to the log system

Control: Maintain Log System files in secure location
  Evidence in place: Physical security around Log System files.
  Evidence in effect: Access to location will be limited as result of effective physical security. All Log files will be in one place.

Control: Perform vulnerability assessments/tests
  Evidence in place: Third Party Confirmation. Documentation of vulnerability test. Policies/procedures
  Evidence in effect: Documentation of test will be dated quarterly. Someone will have responsibility for administering and reporting results of test. Documentation of test results.

Control: Conduct penetration tests
  Evidence in place: Third Party confirmation. Documentation of policies/procedures and penetration test.
  Evidence in effect: Documentation should be dated bi-annually. Someone will have responsibility for performing and reporting results of penetration test.

Control: Network firewall
  Evidence in place: Software License. Should appear in program files on equipment i.e. laptop, server.
  Evidence in effect: Pop ups will appear when attempting to access unsecure websites. Log will show all attempts to enter the private network and produce alarms if unauthorized or hostile attempts to enter the private network. Program administrator will have documentation of criteria/controls used by the firewall.

Control: Antivirus Software
  Evidence in place: Software License. Should appear in program files on equipment i.e. laptop, server.
  Evidence in effect: Notifications will appear when something harmful is detected. Some sort of log will exist that lists all issues that have been detected as well as how they were resolved by the software. Pop-ups regarding harmful downloads will appear as prevention.

Control: Anti-Spyware/Malware
  Evidence in place: Software License. Should appear in program files on equipment i.e. laptop, server.
  Evidence in effect: Log of system sweeps will exist. There will be no presence of spyware on the computer/system. Computer/system will be programmed to run spyware scan on some time interval (i.e. once a month)

Control: Training
  Evidence in place: Physical written documentation. Sign-in list of employees attending training. Documents used in training classes.
  Evidence in effect: Employees will have knowledge of training that took place. All personnel that require the training will have attended. Documentation of exercises/participation in the training and results of training will exist.

Control: Response Procedure
  Evidence in place: Written documentation of procedure. Documentation readily available in hardcopy or online.
  Evidence in effect: Documentation of responses to incidents reported will exist. Personnel involved in response procedure will have knowledge of the procedure and ideally experience with using it.

Control: Back-up Procedure
  Evidence in place: Written documentation of procedure. Documentation readily available in hardcopy or online.
  Evidence in effect: All data will be properly backed up. Personnel responsible for back-up procedure will have knowledge of procedure and documentation of all back-ups that occur.

Control: Security Policy
  Evidence in place: Documented Policy. Policy is readily available in hardcopy and online.
  Evidence in effect: Understanding of Policy by Management. All employees will have knowledge of policy. Someone will have responsibility of implementing and evaluating the policy.

Control: Unique user ID and password for each individual network user (long in length, mix of letters, numbers, & symbols)
  Evidence in place: List of UserIDs. List of active employees.
  Evidence in effect: Number of employees matches the number of UserIDs. No passwords will be the same.

Control: Automated enforcement to change password within a predetermined period
  Evidence in place: Documented Policy. Automated program alert.
  Evidence in effect: Understanding of Policy by Management and staff. Users will be unable to log into the system until password has been changed. System will have program instructions to initiate the automated alert during the predetermined period.

Control: Policy & Procedures regarding Third Party Access
  Evidence in place: Documented Policy. SLA
  Evidence in effect: Understanding of Policy by Management and Third Party. Documentation and/or logs regarding third party access will exist and comply with policy.

Control: Policy & Procedure to deactivate access prior to employee termination
  Evidence in place: Documented Policy. Documentation of procedure
  Evidence in effect: Understanding of Policy by Management and staff. Documentation of procedure taking place will exist. No terminated employees will still have access.

Control: Written Acceptable Use Policy with required Signature of employee
  Evidence in place: Documented Policy. Document with Employee’s signature.
  Evidence in effect: Understanding of Policy by Employees. File of signed policies will exist.

Control: Implement and annually evaluate physical security (i.e. locks, alarm systems, etc.)
  Evidence in place: Documented procedure. Evaluation material/documentation will exist. Documentation of initial purchase of security items.
  Evidence in effect: Understanding of Procedure by Management. Documented review. Locks, alarms, systems etc. will be fully functional and prevent access.

Control: Properly segregate duties regarding the Information System to limit access
  Evidence in place: RACI Chart. Organization Chart
  Evidence in effect: Appropriate access rights dependent upon duties.

Control: Inactive sessions shut-down after a defined period of inactivity
  Evidence in place: Documented Policy. Computer returns to log-in screen.
  Evidence in effect: Log-in required to access system after designated allotment of time. After allotted time, session will shut down. System will show requirement/control that makes the shut down occur.
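Several of the evidence items above (the list of UserIDs against the list of active employees, no terminated employees still having access, group passwords eroding accountability, and passwords changed within the predetermined period) can be checked from two exports. The following script is an added example, not part of the original project document; the account export, HR roster, audit date and 90-day password period are constructed assumptions.

```python
"""Added audit-evidence helper (not part of the original project document).

Reconciles a network account export against the HR roster to produce the
exceptions behind the PS6 evidence criteria: the user-ID list versus the
active-employee list, terminated employees who still have access, shared
accounts with no accountable owner, and password age against the
predetermined change period. All data below is constructed for the example.
"""
from datetime import date

# Assumed policy value; the client's own policy sets the real period.
PASSWORD_MAX_AGE_DAYS = 90

# Constructed sample: network account export (user ID, enabled flag, last password change).
ACCOUNTS = [
    {"user_id": "awhite",  "enabled": True,  "pw_changed": date(2011, 3, 1)},
    {"user_id": "bgreen",  "enabled": True,  "pw_changed": date(2011, 4, 2)},
    {"user_id": "cblack",  "enabled": True,  "pw_changed": date(2010, 11, 15)},  # older than policy
    {"user_id": "dbrown",  "enabled": True,  "pw_changed": date(2011, 1, 5)},    # employee terminated
    {"user_id": "shared1", "enabled": True,  "pw_changed": date(2009, 6, 1)},    # no owner in roster
    {"user_id": "egrey",   "enabled": False, "pw_changed": date(2011, 4, 1)},    # correctly deactivated
]

# Constructed sample: HR roster mapping each employee to an assigned user ID.
ROSTER = [
    {"employee": "A. White", "user_id": "awhite", "status": "active"},
    {"employee": "B. Green", "user_id": "bgreen", "status": "active"},
    {"employee": "C. Black", "user_id": "cblack", "status": "active"},
    {"employee": "D. Brown", "user_id": "dbrown", "status": "terminated"},
    {"employee": "E. Grey",  "user_id": "egrey",  "status": "terminated"},
]

AUDIT_DATE = date(2011, 4, 20)


def reconcile(accounts, roster, as_of, max_age_days=PASSWORD_MAX_AGE_DAYS):
    """Return the exceptions an auditor would record against each evidence item."""
    roster_by_id = {r["user_id"]: r for r in roster}
    active_ids = {r["user_id"] for r in roster if r["status"] == "active"}
    enabled = [a for a in accounts if a["enabled"]]
    enabled_ids = {a["user_id"] for a in enabled}

    # "No terminated employees will still have access"
    terminated_with_access = sorted(
        a["user_id"] for a in enabled
        if roster_by_id.get(a["user_id"], {}).get("status") == "terminated")
    # "Avoid group passwords, as this erodes accountability": enabled IDs nobody owns
    unowned_accounts = sorted(enabled_ids - set(roster_by_id))
    # "Users will be unable to log into the system until password has been changed"
    stale_passwords = sorted(
        a["user_id"] for a in enabled
        if (as_of - a["pw_changed"]).days > max_age_days)
    # "Number of employees matches the number of UserIDs"
    employees_without_account = sorted(active_ids - enabled_ids)

    return {
        "enabled_accounts": len(enabled),
        "active_employees": len(active_ids),
        "counts_match": len(enabled) == len(active_ids),
        "terminated_with_access": terminated_with_access,
        "unowned_accounts": unowned_accounts,
        "stale_passwords": stale_passwords,
        "employees_without_account": employees_without_account,
    }


def main():
    findings = reconcile(ACCOUNTS, ROSTER, AUDIT_DATE)
    print(f"Enabled accounts: {findings['enabled_accounts']}, "
          f"active employees: {findings['active_employees']}, "
          f"match: {findings['counts_match']}")
    for key in ("terminated_with_access", "unowned_accounts",
                "stale_passwords", "employees_without_account"):
        print(f"{key}: {findings[key] or 'none'}")


if __name__ == "__main__":
    main()
```

Each non-empty list is an exception to write up against the corresponding control; the password-age check only covers enforcement of the change period, since "no passwords will be the same" cannot be verified from properly hashed credentials.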
PS8 Formulate Audit Objectives
To determine whether controls are in place and in effect to provide reasonable assurance that
preventative, detective, and corrective measures are in place and working as intended to protect the
Information System from intrusion.
To determine whether controls are in place and in effect to provide reasonable assurance that assets
are safeguarded and fraudulent activity is prevented, detected and mitigated.
To determine whether controls are in place and in effect to provide reasonable assurance that
unauthorized access to the Information Systems is prevented and authorized use is restricted.
To determine whether controls are in place and in effect to provide reasonable assurance that data
and system availability is maintained in order for the Information Systems to fully support the
organization’s objectives.
PS9 Formulate Audit Steps to Gather and Analyze Evidence
Audit Evidence Form for Assessment of Controls in Place
Columns: Control | Control Criteria (Evidence that Would Show the Control to be in Place) | Audit Evidence (Evidence Obtained as to Whether the Control is in Place) | Control in Place (Y/P/N)

Control: IPDS System (Intrusion Prevention and Detection System)
  Control criteria: Third party confirmation. Documentation of procedure for IPDS system, review audit security log.
  Audit evidence: Send request to third party. Read/review documentation of procedure and audit security log.
  In place: Y

Control: Create unique passwords for IPDS users and administrator
  Control criteria: List of users and administrators. Documentation of policy/procedures
  Audit evidence: Obtain and review list of users/administrators. Review documentation of policy/procedure
  In place: Y

Control: Restrict network access to IPDS components
  Control criteria: List of users and administrators. List of restrictions per user
  Audit evidence: Review list of restrictions per user and check system for restrictions.
  In place: Y

Control: Limit direct access to IPDS components
  Control criteria: Physical lock or method of restriction from accessing components i.e. sensors or agents, management server, database server. Visible security.
  Audit evidence: Observation of physical security. Review documentation regarding purchasing/receiving of any physical security.
  In place: P

Control: Update Intrusion Detection System (IPDS) when new threat is detected and per vendor recommendations
  Control criteria: Updated Log File. List of updates from vendor. Policy/procedure for updating.
  Audit evidence: Review updated log file, list of updates from vendor, and policy/procedure documentation for updating.
  In place: Y

Control: Protect IPDS management communication through physical or logical separation or encryption
  Control criteria: Third party confirmation. Encryption coding exists.
  Audit evidence: Send third party request. View encryption coding program etc.
  In place: Y

Control: Log System to record log-ins and intrusions
  Control criteria: Log file.
  Audit evidence: Locate/review log file
  In place: Y

Control: Maintain Log System files in secure location
  Control criteria: Physical security around Log System files.
  Audit evidence: Observation of physical security around log system. Review documentation regarding purchasing/receiving of any physical security.
  In place: Y

Perform vulnerability
assessments/tests
Control
Conduct penetration tests
Network firewall
Antivirus Software
Spyware
Training
Response Procedure
Back-up Procedure
Security Policy
Third Party Confirmation.
Documentation of vulnerability test.
Policies/procedures
Control Criteria
Evidence that Would Show the
Control to be in Place
(Control Evidence)
Third Party confirmation. Documentation
of policies/procedures and penetration
test.
Software License. Should appear in
program files on equipment i.e. laptop
server.
Software License. Should appear in
program files on equipment i.e. laptop,
server.
Software License. Should appear in
program files on equipment i.e. laptop,
server.
Physical written documentation.
Sign-in list of employees attending
training.
Documents used in training classes.
Written documentation of procedure.
Documentation readily available in
hardcopy or online.
Written documentation of procedure.
Documentation readily available in
hardcopy or online.
Documented Policy. Policy is readily
available in hardcopy and online.
Unique user ID and password
List of UserIDs. List of active employees.
for each individual network user
Page 22 of 44
Send request to third party. Review
documentation of test as well as
policy/procedure.
Audit Evidence
Evidence Obtained as to Whether
the Control is in Place
(Audit Evidence)
Send request to third party. Review
documentation of test as well as
policy/procedure.
Obtain/review software license. Check
program files.
Control in
Place
Y/P/N
N
Y
Obtain/review software license. Check
program files.
Y
Obtain/review software license. Check
program files.
Y
Obtain/review all documentation with
regard to policy/procedure and actual
training programs. Review sign-in sheets.
N
Review written documentation of
procedure and search for online copy.
P
Review written documentation of
procedure and search for online copy.
Y
Review written documentation of
procedure and search for online copy.
N
Review list of active employees and check
UserIDs.
Y
Security Information Management
(long in length - mix of letters,
numbers, & symbols)
Automated enforcement to
changing passwords
Control Criteria
Evidence that Would Show the
Control to be in Place
(Control Evidence)
Documented Policy.
Automated program alert.
Audit Evidence
Evidence Obtained as to Whether
the Control is in Place
(Audit Evidence)
Review documentation of policy and
check system for automated alert.
Policy & Procedures regarding
Third Party Access
Documented Policy.
SLA
Policy & Procedure to
deactivate access prior to
employee termination
Written Policy re: proper use of
Information System with
required Signature of employee
Implement and annually
evaluate physical security (i.e.
locks, alarms systems, etc.)
Documented Policy
Documentation of procedure
Review documentation of
policy/procedure and obtain/review all
SLAs.
Review documentation of
policy/procedure.
Control
Properly segregate duties
regarding the Information
System to limit access
Inactive sessions shut-down
after a defined period of
inactivity
Documented Policy.
Document with Employee’s signature.
Documented procedure. Evaluation
material/documentation will exist.
Documentation of initial purchase of
security items.
RACI Chart.
Organization Chart
Documented Policy.
Computer returns to log-in screen.
Page 23 of 44
Review documentation of policy and
check for signatures of all active
employees.
Review documentation of procedure and
purchase of security items as well as
obtain evaluation material/documentation.
Obtain/review RACI and organizational
charts.
Review documentation of policy and
check to see if computer returns to log-in
screen.
Control in
Place
Y/P/N
Y
P
P
Y
P
P
Y
Security Information Management
Audit Evidence Form for Assessment of Controls in Effect

Columns: Control; Control Criteria (evidence that would show the control to be in effect); Audit Evidence (evidence obtained as to whether the control is in effect); Control in Effect (Y/P/N). The Control in Effect column is blank for every row in the source.

Control: IPDS System (Intrusion Prevention and Detection System)
  Control Criteria: System availability. No disruption or minimal disruption of service due to detected intrusions. Audit security log, documentation of system review and response.
  Audit Evidence: Check system availability and any documentation regarding times of unavailability. Review the audit security log and documentation of system review and response, and evaluate.

Control: Create unique passwords for IPDS users and administrator
  Control Criteria: Log of incorrect password entries; system shutdown/block for users that enter the wrong password more than once; the password for one user name will not work for any other user.
  Audit Evidence: Review log of incorrect entries and test system by inputting incorrect passwords.

Control: Restrict network access to IPDS components
  Control Criteria: System notification when unauthorized use is being attempted; restrictions per user should be visible on the system; no one will be capable of getting through their user restriction.
  Audit Evidence: Make an unauthorized attempt to check system notification and review restrictions per user within the system.

Control: Limit direct access to IPDS components
  Control Criteria: Any security key or password is only available to limited personnel. No one can easily get past the guard, lock, or alarm system.
  Audit Evidence: Interview personnel about responsibility for security keys/passwords and check to see who has knowledge of them. Test physical security.

Control: Update Intrusion Detection System (IPDS) when new threat is detected
  Control Criteria: Policies/procedures are strictly followed. Documentation of response to threats detected. Latest version of IPDS will match recommendations of vendor.
  Audit Evidence: Interview employees about policy/procedure. Review documentation of responses to detected threats. Check to see if IPDS is the most updated version.

Control: Protect IPDS management communication through physical or logical separation or encryption
  Control Criteria: Communication is encrypted. Only management is communicated with and capable of reading IPDS communication.
  Audit Evidence: Check for encryption. Interview management. Test and review documentation of IPDS communication.

Control: Log System to record log-ins and intrusions
  Control Criteria: No dates/times will be missing from the log. All intrusions will be documented on the log system. Each computer and/or system will be connected to the log system.
  Audit Evidence: Review log for missing dates/times. Check for connectivity to log system and test system.

Control: Maintain Log System files in secure location
  Control Criteria: Access to location will be limited as a result of effective physical security. All log files will be in one place.
  Audit Evidence: Test physical security. Observe/review log files to make sure they are all in one place.

Control: Perform vulnerability assessments/tests
  Control Criteria: Documentation of test will be dated quarterly. Someone will have responsibility for administering and reporting results of the test. Documentation of test results.
  Audit Evidence: Check dates of test documentation. Interview employees about responsibility for the test and review/evaluate documentation of results.

Control: Conduct penetration tests
  Control Criteria: Documentation should be dated biannually. Someone will have responsibility for performing and reporting results of the penetration test.
  Audit Evidence: Check dates of documentation. Interview employees about responsibility for the test.

Control: Network firewall
  Control Criteria: Pop-ups will appear when attempting to access unsecure websites. Log will show all attempts to enter the private network and produce alarms on unauthorized or hostile attempts to enter the private network. Program administrator will have documentation of criteria/controls used by the firewall.
  Audit Evidence: Test firewall. Review/evaluate log of intrusions etc. Interview program administrator and review documentation of criteria.

Control: Anti-Virus Software
  Control Criteria: Notifications will appear when something harmful is detected. Some sort of log will exist that lists all issues that have been detected as well as how they were resolved by the software. Pop-ups regarding harmful downloads will appear.
  Audit Evidence: Test software. Review log of issues reported and how they were resolved.

Control: Anti-Spyware/Malware
  Control Criteria: Log of system sweeps will exist. There will be no presence of spyware on the computer/system. Computer/system will be programmed to run a spyware scan on some time interval (i.e. once a month).
  Audit Evidence: Review/evaluate log of system sweeps. Check for existence of any spyware/test program. Check program settings to make sure the time interval is set appropriately.

Control: Training
  Control Criteria: Employees will have knowledge of training that took place. All personnel that require the training will have attended. Documentation of exercises/participation in the training and results of training will exist.
  Audit Evidence: Interview employees about training. Verify sign-in sheets against interviews. Review documentation of exercises/participation in training and results.

Control: Response Procedure
  Control Criteria: Documentation of responses to incidents reported will exist. Personnel involved in the response procedure will have knowledge of the procedure and ideally experience with using it.
  Audit Evidence: Review/evaluate documentation of responses to reported incidents. Interview employees to verify their knowledge of the procedure and its usage.

Control: Back-up Procedure
  Control Criteria: All data will be properly backed up. Personnel responsible for the back-up procedure will have knowledge of the procedure and documentation of all backups that occur.
  Audit Evidence: Test and verify the existence of back-up data stores. Interview employees to determine responsibilities and the accountable party for back-up.

Control: Security Policy
  Control Criteria: Understanding of policy by management. All employees will have knowledge of the policy. Someone will have responsibility for implementing and evaluating the policy.
  Audit Evidence: Interview management and employees to check for knowledge and understanding of the policy and for responsibility for implementation and evaluation.

Control: Unique user ID and password for each individual network user (long in length; mix of letters, numbers, & symbols)
  Control Criteria: Number of employees matches the number of UserIDs. No passwords will be the same.
  Audit Evidence: Check list of employees and IDs and make sure the numbers match. Evaluate passwords for uniqueness.

Control: Automated enforcement to changing passwords
  Control Criteria: Understanding of policy by management and staff. Users will be unable to log into the system until the password has been changed. System will have program instructions to initiate the automated alert during the predetermined period.
  Audit Evidence: Interview employees. Test system and check settings for automated alerts.

Control: Policy & Procedures regarding Third Party Access
  Control Criteria: Understanding of policy by management and third party. Documentation and/or logs regarding third party access will exist and comply with policy.
  Audit Evidence: Interview management and send third party requests. Review/evaluate documentation/logs regarding third party access.

Control: Policy & Procedure to deactivate access prior to employee termination
  Control Criteria: Understanding of policy by management and staff. Documentation of the procedure taking place will exist. No terminated employees will still have access.
  Audit Evidence: Interview employees and review documentation of the procedure taking place. Interview terminated employees and test system access with recently terminated users.

Control: Written Policy re: proper use of Information System with required signature of employee
  Control Criteria: Understanding of policy by employees. File of signed policies will exist.
  Audit Evidence: Interview employees and review file of signed policies.

Control: Implement and annually evaluate physical security (i.e. locks, alarm systems, etc.)
  Control Criteria: Understanding of procedure by management. Documented review. Locks, alarms, systems etc. will be fully functional and prevent access.
  Audit Evidence: Interview management and review/evaluate documentation of reviews. Test physical security.

Control: Properly segregate duties regarding the Information System to limit access
  Control Criteria: Appropriate access rights dependent upon duties.
  Audit Evidence: Check access rights for proper segregation and test system.

Control: Inactive sessions shut down after a defined period of inactivity
  Control Criteria: Log-in required to access system after the designated allotment of time. After the allotted time, the session will shut down. System will show the requirement/control that makes the shutdown occur.
  Audit Evidence: Test system for shutdown and check timing. Review settings in the system that implement this requirement.
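The identity-related rows above (matching the employee list against UserIDs, confirming no terminated employee still has access, and enforced password changes) are the kind of audit step that is best performed by file comparison rather than by eye. The following is an added example, not part of the team's audit program or the client's systems; it reconciles a constructed HR roster against a constructed account export, and the 90-day maximum password age is an assumed policy value that the page does not state.

```python
"""Added example (not from the team's audit program): reconcile an HR roster
against a network account export to test three identity controls from the
form above: one unique user ID per network user ("number of employees
matches the number of UserIDs"), access deactivated at termination ("no
terminated employees will still have access"), and automated password
rotation. All records below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List

PASSWORD_MAX_AGE = timedelta(days=90)   # assumed policy value, not from the page
AS_OF = date(2011, 11, 1)               # constructed audit date


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    status: str                          # "active" or "terminated"


@dataclass(frozen=True)
class Account:
    user_id: str
    emp_id: str                          # "" when no owner is recorded
    enabled: bool
    last_pw_change: date


def reconcile(employees: List[Employee], accounts: List[Account],
              as_of: date = AS_OF) -> Dict[str, object]:
    """Compare roster and account export; return the exceptions an auditor
    would record as audit evidence for the three controls."""
    active = {e.emp_id for e in employees if e.status == "active"}
    terminated = {e.emp_id for e in employees if e.status == "terminated"}
    enabled = [a for a in accounts if a.enabled]  # disabled accounts grant no access

    # Enabled accounts still owned by a terminated employee.
    orphaned = sorted(a.user_id for a in enabled if a.emp_id in terminated)
    # Enabled accounts that map to nobody on the roster (shared/service IDs).
    unknown_owner = sorted(a.user_id for a in enabled
                           if a.emp_id not in (active | terminated))
    # Active employees holding more than one enabled account.
    per_employee: Dict[str, List[str]] = {}
    for a in enabled:
        if a.emp_id in active:
            per_employee.setdefault(a.emp_id, []).append(a.user_id)
    multi_account = {k: sorted(v) for k, v in per_employee.items() if len(v) > 1}
    # Active employees with no enabled account (explains a count mismatch).
    missing_account = sorted(active - set(per_employee))
    # Accounts whose password is older than the rotation period.
    stale_password = sorted(a.user_id for a in enabled
                            if as_of - a.last_pw_change > PASSWORD_MAX_AGE)
    return {
        "active_employees": len(active),
        "enabled_accounts": len(enabled),
        "counts_match": len(enabled) == len(active),
        "orphaned": orphaned,
        "unknown_owner": unknown_owner,
        "multi_account": multi_account,
        "missing_account": missing_account,
        "stale_password": stale_password,
    }


def rate_controls(result: Dict[str, object]) -> Dict[str, str]:
    """Map the exceptions onto the form's Y/N 'control in effect' marks.
    The thresholds are this example's own judgement, not the team's."""
    unique_ok = (result["counts_match"] and not result["multi_account"]
                 and not result["unknown_owner"])
    return {
        "unique_user_id": "Y" if unique_ok else "N",
        "termination_deactivation": "N" if result["orphaned"] else "Y",
        "password_rotation": "N" if result["stale_password"] else "Y",
    }


# Constructed sample data: a small company with one terminated employee.
EMPLOYEES = [
    Employee("E1", "Alice", "active"),
    Employee("E2", "Bob", "active"),
    Employee("E3", "Carol", "active"),
    Employee("E4", "Dave", "terminated"),
    Employee("E5", "Erin", "active"),
]
ACCOUNTS = [
    Account("alice", "E1", True, date(2011, 10, 1)),
    Account("bob", "E2", True, date(2011, 5, 1)),        # password never rotated
    Account("carol", "E3", True, date(2011, 9, 20)),
    Account("dave", "E4", True, date(2011, 8, 1)),       # still enabled after termination
    Account("dave_old", "E4", False, date(2010, 1, 1)),  # disabled, so not an exposure
    Account("erin", "E5", True, date(2011, 10, 15)),
    Account("erin2", "E5", True, date(2011, 10, 15)),    # second account, same person
    Account("svc_backup", "", True, date(2011, 1, 1)),   # no owner on the roster
]

if __name__ == "__main__":
    findings = reconcile(EMPLOYEES, ACCOUNTS)
    for key, value in findings.items():
        print(f"{key}: {value}")
    print(rate_controls(findings))
```

Each list in the result is an exception the auditor would attach to the corresponding row as audit evidence; an empty list for every control is what a "Y" in the Control in Effect column should rest on.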
PS10 Prepare Audit Strategies and Audit Work Programs
Audit Strategy
Firewall Management, Intrusion Detection, Intrusion Prevention
Control Objectives:
- To ensure preventative, detective, and corrective measures are in place and working as intended to protect the Information System from intrusion.
- To ensure proper controls are in place to safeguard assets and prevent, detect and mitigate fraudulent activity.
Audit Objectives:
- To determine whether controls are in place and in effect to provide reasonable assurance that preventative, detective, and corrective measures are in place and working as intended to protect the Information System from intrusion.
- To determine whether controls are in place and in effect to provide reasonable assurance that assets are safeguarded and fraudulent activity is prevented, detected and mitigated.
Type of IT Audit: combination of application system audit and general control examination
Audit entity: network
Sources and related type of evidence:
Key components, tasks, activities that are being reviewed/examined:
- IPDS overall system and its access security, passwords, and communication
- Log systems and their access security
- Vulnerability and penetration tests
- All security software and corresponding policies/procedures
- Training
- Response and back-up procedures
Audit techniques:
- Third party confirmations
- Documentation review/evaluation
- Observations
- System searches
- Re-performance (testing)
- Interviews
- File comparisons
Types of systems of record:
Security Information Management
Control Objectives:
- To control access to the Information Systems to prevent unauthorized use and to restrict authorized use.
- To ensure proper controls are in place to ensure data and system availability in order for the Information Systems to fully support the organization's objectives.
Audit Objectives:
- To determine whether controls are in place and in effect to provide reasonable assurance that unauthorized access to the Information Systems is prevented and authorized use is restricted.
- To determine whether controls are in place and in effect to provide reasonable assurance that data and system availability is maintained in order for the Information Systems to fully support the organization's objectives.
Type of IT Audit: general control examination
Audit entity: business organization
Sources and related type of evidence:
Key components, tasks, activities that are being reviewed/examined:
- Policies and procedures for security, user IDs and passwords, third party access, and acceptable use
- Procedure for reviewing/evaluating physical security
- Segregation of duties regarding Information Systems
- Automated programs regarding system shutdown and password protection
Audit techniques:
- Documentation review/evaluation
- Data extraction and analysis
- System searches
- Re-performance (testing)
- Interviews
- File comparisons
- Third party confirmations
Types of systems of record:
1. PLANNING AND SCOPING THE AUDIT
Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
Review the audit/assurance objectives
Modify the audit/assurance objectives to align with the audit/business objectives
Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating
environment and prepare a proposed scope, subject to a later risk assessment.
Perform a high-level walkthrough of the processes affected by information security.
1.2.1.1 Determine the applications and/or operating environments serviced (or that should be serviced), specifically the protection of systems via the firewall/intrusion detection, intrusion prevention and security information management.
Obtain and review the enterprise network diagram to gain an overall
understanding of the network components likely to impact/support
the security information management system.
Establish initial boundaries of the audit/assurance review.
Identify limitations and/or constraints affecting the audit of specific systems.
Define assurance.
The review requires two sources of standards. The corporate standards defined in policy
and procedure documentation establish the corporate expectations. At minimum,
corporate standards should be implemented. The second source, a good-practice
reference, establishes industry standards. Enhancements should be proposed to address
gaps between the two.
Obtain company security management policy and standards documentation.
(The audit/assurance program is laid out as a table; its column headings are: Audit/Assurance Program Step; COBIT, ISACA and NIST Cross-reference; COSO components Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring; Issue Cross-reference; Comments.)
Obtain the written acceptable usage policy.
Determine if COBIT/ISACA/NIST/COSO and the appropriate security management
framework will be used as a good-practice reference.
Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused.
The risk-based approach assures utilization of audit resources in the most effective
manner.
Identify the business risk associated with the security management threats.
Identify the technology risks associated with the security management threats.
Evaluate business and technology risks and vulnerabilities.
Based on the risk assessment, identify changes to the scope.
Discuss the risks with IT, business and operational audit management, and adjust
the risk assessment.
Based on the risk assessment, revise the scope.
Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating
environment and associated risks. As further research and analysis are performed,
changes to the scope and approach will result.
Identify the senior IT audit/assurance resource responsible for the review.
Establish the process for suggesting and implementing changes to the
audit/assurance program, and list the authorizations required.
Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance
team, other assurance teams and the enterprise is essential.
Identify the drivers for a successful review (this should exist in the audit/assurance
function’s standards and procedures).
Communicate success attributes to the process owner or stakeholder, and obtain
agreement.
Define audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
Determine the audit/assurance skills necessary for the review.
Determine any need for additional professionals, if necessary.
Estimate the total resources (hours) and time frame (start and end dates) required
for review.
Define deliverables.
The deliverable is not limited to the final report. Communication between the
audit/assurance teams and the process owner is essential to assignment success.
Determine the interim deliverables, including initial findings, status reports, draft
reports, due dates for responses and the final report.
1.9 Communications
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the
executive responsible for operating systems and infrastructure.
2. UNDERSTANDING SUPPORTING INFRASTRUCTURE
Security management is supported by entity standards, processes and procedures.
To properly evaluate the process, the supporting infrastructure needs to be
reviewed and evaluated.
Obtain and review the current organizational chart (RACI) for the IT department
and the business units.
(COBIT cross-reference: DS5)
Interview the senior security officer and the IT security administrator.
Identify who has responsibility for security management.
Obtain a copy of the following:
- IT information security strategy and architecture documentation
- Identify firewall protection
- Identify Intrusion Detection, Intrusion Prevention and Security Information Management systems (if applicable)
- Identify licenses and contracts
- Identify update policies and procedures
- Verify most recent update and next due date
- List of external entities with access to the network and applications (e.g., third party security providers, vendors, partners and customers, employees who access the system from outside the firewall/network)
- Role owners
- Role procedures
- Role policies
3. INFORMATION SECURITY MANAGEMENT
Deploy and keep current efficient and effective information security management
systems.
Security Management Strategy
Audit/assurance objective: identify the security management system, which should be in alignment with the IT architecture.
Information Security Management systems
Control: The Information Security Management system considers the IT
strategy and infrastructure, and addresses firewall and intrusion
prevention/detection requirements and standards
Verify that the information security management system selected protects the IT operating platforms and applications in use or planned in the IT strategy.
(Cross-references: COBIT PO2.3, PO2.4, PO3.4; ISACA P6)
Obtain information about data ownership; appropriate security levels and
protection controls; a brief description of data archiving or
encryption.
Determine if there are interfaces to the authentication system; if so, obtain
and review specifications.
Determine policies and procedures to ensure the integrity and consistency of
all data stored in electronic form, such as databases, data
warehouses and data archives.
Determine compliance standards and practices based on business relevance
and compare with external requirements (where applicable).
Information Security Identity Management
Control: Implement Information Security Identity Management and physical
security procedures
Review list of active employees and verify user IDs.
Test and evaluate passwords for uniqueness.
Ensure automated password change enforcement.
Review documentation of policy and procedure of third party access.
Obtain and review all service level agreements (SLA).
Verify access rights are appropriate in accordance with least privilege
criteria.
Test physical security.
Test and verify inactive session shut-down.
Review and verify existence and effectiveness of employee termination
deactivation through documentation and testing.
Information Security Management Training
Control: Implement Information Security Management training for all personnel
including a security awareness program
Obtain and review all documentation with regard to the policy/procedure and
training programs
Interview employees about their training experience
Review and verify sign-in sheets in comparison with interviews
Information Security Management Back-up Procedure
Control: Develop and implement information security management back-up plans
and procedures
Review written documentation of procedure
Interview employees to determine responsibilities and accountable party for
back-up procedures
Test and verify the existence of back-up data stores
INTRUSION PREVENTION AND DETECTION SYSTEM (IPDS)
To ensure preventive, detective and corrective measures are in place and working as
intended to protect the information system from intrusion.
IPDS
Control: The IPDS are the security components (firewall, anti-virus software,
anti-spyware software) for preventing and detecting intrusion to the network
and operating systems.
(COBIT cross-references: DS5.5, DS5.6, DS5.7, DS5.9)
Obtain the documentation of policy/procedures for access requirements to the IPDS
Obtain the policy for security documentation disclosure
Obtain log/ system notifications of unauthorized access attempts.
IPDS Updates
Control: Update Intrusion Detection System (IPDS) when new threat is
detected and according to vendor recommendations.
Obtain log files listing update schedules and confirming successful
implementation.
Log file for operating system patches
Log file for IPDS system updates
Log file for antivirus software updates
IPDS Tests
Control: Test Intrusion Detection System (IPDS) to determine whether threats
can be detected.
Determine the procedures for testing the intrusion detection system.
Verify that intrusion detection systems tests were performed
(COBIT cross-reference: DS5.5)
IPDS Incident Response
Control: Define and communicate potential security incidents and
classify and ensure proper response procedures are followed.
Obtain incident response policies & procedures
Interview employees to verify their knowledge of the procedure and its usage
Review & evaluate documentation of the responses to reported incidents
Determine if the disabling of the user ID is confirmed by the identity
management administrator to the terminated user’s supervisor.
(COBIT cross-references: DS5.6, DS8)
PS11 Obtain External Input
A telephone interview was conducted with Jason Allen, Network Engineer, from Covisia Solutions, Inc. The Intrusion Detection/Intrusion Prevention System in place at Image Polymers Company is a SonicWALL Firewall, a hardware appliance that, although not protected by a physical lock, is password protected. This particular type of firewall cannot be accessed without the userID and password, which are known only by the IT Vendor; no one at the organization is aware of the userID or password. It is not possible to reset the userID or password; if the password needs to be changed the hardware will need to be reconfigured, which is a security feature of the SonicWALL. Although the communication closet is not locked, if the firewall were somehow disconnected Covisia would receive an alert and would contact the VP of Admin and Accounting at Image Polymers to troubleshoot the problem. Covisia has the userID and password and must first log into CRM (Customer Relations Management) software before logging into the firewall, so there is the ability to track accountability within Covisia, as the CRM userID is specific to each Covisia employee. The firewall has three settings: low, medium and high. The firewall is automatically updated daily (some firewalls may be updated hourly). The firewall produces a log that is reviewed for intrusion activity on a quarterly basis. Unfortunately Jason was not at the site, so it was not possible to see the logs produced by the firewall. Intrusion detection and prevention is a layered method, using a firewall in this instance but also implementing and maintaining anti-virus software and anti-spyware software; these programs are installed on each user's laptop and the servers and are updated daily upon restarting the computer. There is a log that can be viewed that verifies the updates have been installed (Allen, 2011).
The best sources for the project, in addition to the NIST publications, were speaking with the IT Vendor and the VP from Image Polymers, since this provided some feedback on the controls, although limited due to time constraints.
PS12 Client Control Review
A review of our Audit Strategy was performed with Jonathan Yorke, Vice President of Administration and Accounting at Image Polymers, in addition to the interview with Covisia. The questions we had devised for management were reviewed and it was suggested they be broken down into two parts, one for the individual responsible at Image Polymers and one for the individual responsible at Covisia. We reviewed some of the controls and discussed the risk assessment that contributed to the decisions made regarding the type of intrusion detection and prevention systems that should be in place.
The external threats to IPC are limited; they do not have their own website or web server (they are featured on their parent company's website), so they are not subject to external DoS attacks, and they do not accept orders and/or payment through a website, so they are not subject to PCI DSS requirements. They also have a very small staff of one expatriate and 9 employees, so the threat from employees, although not non-existent, is quite small. It could include the introduction of malicious code through e-mail, USB storage devices and/or the Internet. Another threat is through third party access. Their manufacturing facility in Tennessee is staffed by one Image Polymers employee and employees from a third party, Cytec Industries, and the MAS500 database system is accessed through a VPN; a Least Privilege Policy is implemented here, so these employees only have access to what they need in order to fulfill their job duties. The Least Privilege Policy is also used for access by the R & D department located in Tennessee (Yorke, 2011).
According to the COBIT maturity model, Image Polymers Company is at a level somewhere between #2 Repeatable but Intuitive and #3 Defined. Some controls are documented but some are not, and although management is able to deal predictably with most control issues, some weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Audit Conclusion
Instruction: Ensure that there is sufficient, competent and appropriate evidence to support audit conclusions and audit findings.
Review control tables and Audit Results Comparison Sheets.
Is there an adequate combination of controls in place to address the control objective from a “process” audit perspective? Are the
controls in place appropriate in design to address the control objective?
Is there an adequate combination of controls in effect to provide reasonable assurance that the control objective would be achieved, or
met? Is there sufficient, competent evidence to support the audit conclusion and to demonstrate that the controls are in effect?
Completed by:
Date:
Reviewed by:
Date:
Audit Results Comparison Sheet – Control Criteria to Review or Test Results
Control | Control Evidence that Would Demonstrate the Control Would be in Place | Control in Place (Y/P/N) | Control Evidence that Would Demonstrate the Control Would be in Effect | Control in Effect (Y/P/N)
Audit Conclusion
Instruction: Ensure that there is sufficient, competent and appropriate evidence to support audit conclusions and audit findings.
Review control tables and Audit Results Comparison Sheets.
Is there an adequate combination of controls in place to address the control objective from a “process” audit perspective? Are the
controls in place appropriate in design to address the control objective?
Is there an adequate combination of controls in effect to provide reasonable assurance that the control objective would be achieved, or
met? Is there sufficient, competent evidence to support the audit conclusion and to demonstrate that the controls are in effect?
Completed by:
Date:
Reviewed by:
Date:
Works Cited
COBIT 4.1. (2007). Rolling Meadows, Illinois, United States of America: IT Governance
Institute.
Firewall Operations Management, Auditing and Compliance. (2011, February). Retrieved April
2011, from Tufin Secure Track Web site: http://www.tufin.com
ISACA. (2010). IT Standards, Guidelines, and Tools and Techniques for Audit and Assurance
and Control Professionals. Rolling Meadows.
Scarfone, K., & Hoffman, P. (2009, September). National Institute of Standards and Technology
Guidelines on Firewalls and Firewall Policy SP 800-41 Revision 1. Gaithersburg, Maryland,
United States of America.
Scarfone, K., & Mell, P. (2007, February). National Institute of Standards and Technology Guide
to Intrusion Detection and Prevention Systems (IDPS) SP 800-94. Gaithersburg, Maryland,
United States of America.
Scarfone, K., Grance, T., & Masone, K. (2008, March). Computer Security Incident Handling
Guide NIST SP 800-61 Revision 1. Gaithersburg, Maryland, United States of America.
Skybox Security, Inc. (2010, May). Retrieved April 2011, from Skybox Security Web Site:
http://www.skyboxsecurity.com
http://www.cloudave.com/wordpress/wp-content/uploads/2010/09/bitglobe-security.jpg