Top 10 Risk and Security Audit Findings

IT security has become increasingly important and is today an inevitable part of our daily lives. Because of the importance and emphasis placed on IT security today, we have decided to write a guide for IT security auditors.

In the course of our professional work, we have identified 10 common risk and security audit findings that enterprises should avoid, and we share our knowledge with you in this series of articles.

Our guide provides a review of 10 security areas together with best practices for each.

Data Classification

Typical Security Issue: Inability to find or produce an inventory of assets and associated classifications.

What It Means:

One would be surprised how many companies out there do not even know what assets they have. If your company does not know what it owns, then it probably does not even know how to protect it. And, if your organization does not know what it has, then it probably is unaware of the risks it is facing.

How to Avoid the Problem:

Traditional classification mechanisms and controls often fail, and classification is often a problem for enterprises, especially large ones. It is reasonable for an auditor to recognize that an enterprise has no idea where its sensitive data is held or how it is protected, but it is not reasonable to expect an enterprise-wide classification and labeling scheme to be implemented.

Minimum Action Needed:

Create an ad hoc list of critical systems and publish a reasonable classification policy.

Recommendation:

Conduct an inventory and classification project and, if possible, automate the process. Inventory and classification work best through a formal asset management process that uses automated mechanisms to identify sensitive data and applies mandatory controls and content-aware mechanisms to prevent data leakage.

Change Management

Typical Security Issue: Evidence of change management on material systems cannot be found.

What It Means:

It is likely that no one in your company is responsible for controlling mission-critical changes, which means that the company probably does not know what problems might result from changes.

How to Avoid the Problem:

Unauthorized changes by privileged users represent a far greater risk than external threats, such as attacks by external hackers or malicious code. Change management is an area that can easily introduce unwanted risks into your information system and as such needs closer attention. The U.S. Sarbanes-Oxley Act plays a major role in implementing controls into the corporate governance model.

Minimum Action Needed:

To mitigate change management risks, maintain separate development, testing, and production environments and implement a robust, well-documented change request process.

Recommendation:

Implement enterprise-wide change management processes and best practices.

Advanced Recommendation:

Some companies with complex information systems implement a full change management database (CMDb), which enables configuration auditing and automated change recognition. Pay attention to segregation of duties.

Administrator Controls and Shared Accounts

Typical Security Issue: Administrator accounts are not tied to specific individuals.

What It Means:

Administrator accounts are not tied to particular individuals, so access controls and monitoring are ineffective.

How to Avoid the Problem:

Administrator accounts have high privileges: they can change critical configuration items or data. They are often used by administrators with little or no tracking, and frequently by more than one administrator who simply share the password. When an administrator leaves the company, the password often stays unchanged. Because these accounts are not tied to specific individuals, they can be used to do virtually anything with little or no possibility of detection, and they are often used to gain uncontrolled access to systems. Knowing how, through which accounts, and when systems or data are administered, and supporting this with sound policies that are enforced, can easily reduce many risks in this area.

Minimum Remediation Required:

Avoid the sharing of accounts of any type between users. Tie each identity and each privileged account to a specific individual.

Recommendation:

It is best to reduce the number of privileged accounts by limiting them to those individuals who specifically need them.

Advanced Measures:

Reduce the number of administrators to as few as possible. The administrator's supervisor or company management should create a unique password and store it in a sealed envelope in a safe. This password and the system-generated "administrator" account should be used only in emergencies. For regular administrative work, the administrator's personal user account should be given elevated privileges, and the administrator should use that account for administrative tasks. This allows admin access and admin activities to be monitored and tracked.

Identity and Access Management

Typical Finding: It is not possible to determine each user's privileges or to determine that each user has appropriate and appropriately approved privileges.

What It Means:

This means one of two things: we do not know which systems or data the user has access to, or we are unable to find out whether a user's access is appropriate and approved.

How to Avoid the Problem:

This situation often arises when no effective identity and access management (IAM) process is in place. An IAM process also needs to cover situations in which users change roles, leave the company, or change their working status. Auditors often find that accounts of employees who have left the company are not disabled, and that privileges of employees who change seats within the company are not reviewed.

Minimum Remediation Required:

Develop and implement processes for creating (provisioning) and removing (deprovisioning) users and their privileges.

Recommendation:

Automate the user provisioning/deprovisioning and identity auditing processes.

Advanced Measures:

Implement role management, privilege attestation or enterprise segregation of duties (SOD) detection and remediation.
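The following is an added example, not part of the original article: a reconciliation check in the spirit of the provisioning/deprovisioning, privilege review and segregation-of-duties points above. It compares a constructed HR roster with a constructed list of system accounts (field names and the toxic role pair are assumptions) and reports leavers whose accounts are still enabled, movers whose role changed after their last privilege review, orphan accounts with no owner, and one simple SoD violation.

```python
"""Identity reconciliation check (added example; data and field names are constructed)."""
from datetime import date

# Constructed HR roster: who works here, what role they hold, when the role last changed.
HR_ROSTER = {
    "alice": {"status": "active", "role": "ap_clerk", "role_changed": date(2023, 1, 10)},
    "bob":   {"status": "left",   "role": "dba", "role_changed": date(2021, 6, 1)},
    "carol": {"status": "active", "role": "finance_manager", "role_changed": date(2024, 3, 5)},
}
# Constructed account export: enabled flag, granted roles, date of last privilege review.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "roles": {"vendor_create", "payment_approve"},
     "last_review": date(2023, 2, 1)},
    {"user": "bob", "enabled": True, "roles": {"db_admin"}, "last_review": date(2022, 1, 1)},
    {"user": "carol", "enabled": True, "roles": {"payment_approve"},
     "last_review": date(2023, 12, 1)},
    {"user": "svc_old", "enabled": True, "roles": {"db_admin"}, "last_review": date(2020, 1, 1)},
]
# Assumed SoD rule: nobody may both create a vendor and approve payments to it.
TOXIC_PAIRS = [({"vendor_create", "payment_approve"}, "create vendor + approve payment")]

def reconcile(roster, accounts):
    """Return (user, finding) tuples for every account that needs attention."""
    findings = []
    for acct in accounts:
        user, person = acct["user"], roster.get(acct["user"])
        if person is None:
            findings.append((user, "orphan: account has no owner in HR roster"))
            continue
        if person["status"] == "left" and acct["enabled"]:
            findings.append((user, "leaver: account still enabled"))
        if person["role_changed"] > acct["last_review"]:
            findings.append((user, "mover: role changed after last privilege review"))
        for pair, label in TOXIC_PAIRS:
            if pair <= acct["roles"]:          # all roles of the toxic pair are granted
                findings.append((user, f"sod: {label}"))
    return findings

if __name__ == "__main__":
    for user, issue in reconcile(HR_ROSTER, ACCOUNTS):
        print(f"{user:8} {issue}")
```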

User Activity Tracking and Log Analysis

Typical Finding: Activity logs are not being collected and analyzed.

What It Means:

Very often, both small and large companies are unable to track user activity and produce a record of which employees accessed which systems or data, and when.

How to Avoid the Problem:

It is important to know not only what a user can do (which systems and data he or she can access) but also what the user has done. Activity tracking and analysis help greatly in two ways: a) when analyzing suspicious behavior or breaches of rules, and b) as a deterrent to inappropriate behavior (a user who knows he or she is being monitored is less likely to cross the line).

Minimum Remediation Required:

Manually review logs for mission-critical systems.

Recommendation:

User activity tracking and log monitoring are often achieved by automating log centralization and report generation.

Advanced Measures:

Companies that understand the importance of user activity tracking and log monitoring implement a security information and event management (SIEM) application.
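As an added example (not from the original article), the small script below shows the kind of review the "Minimum Remediation Required" step asks for: it turns a few constructed logon events into the record of which account accessed which system and when, and it flags two things the earlier sections warn about, logons with the built-in "administrator" account that should be reserved for emergencies, and one account logging on from different source hosts within minutes, a common sign of a shared password. The log format and the ten-minute window are assumptions.

```python
"""Access record and shared-account review over constructed logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, "timestamp host user source result"; not a real product's format.
SAMPLE_LOG = """\
2024-05-01T08:02:11 db01 administrator 10.0.5.21 success
2024-05-01T08:05:40 app02 jdoe 10.0.7.3 success
2024-05-01T08:06:02 app02 jdoe 10.0.9.44 success
2024-05-01T08:30:15 fw01 msmith 10.0.7.8 failure
2024-05-01T09:10:00 app02 jdoe 10.0.7.3 success
"""
BUILTIN_ADMIN = "administrator"       # emergency-only account (see Advanced Measures above)
SHARE_WINDOW = timedelta(minutes=10)  # assumed threshold for "same account, two places"

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, host, user, src, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "src": src, "result": result})
    return events

def access_record(events):
    """Per-account list of (host, time) for successful logons: who, what, when."""
    record = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            record[e["user"]].append((e["host"], e["ts"]))
    return dict(record)

def findings(events):
    out, by_user = [], defaultdict(list)
    for e in events:
        if e["result"] != "success":
            continue
        by_user[e["user"]].append(e)
        if e["user"] == BUILTIN_ADMIN:
            out.append((e["user"], f"built-in admin logon to {e['host']} at {e['ts']:%H:%M}"))
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for a, b in zip(evs, evs[1:]):   # consecutive successful logons of one account
            if a["src"] != b["src"] and b["ts"] - a["ts"] <= SHARE_WINDOW:
                out.append((user, f"logons from {a['src']} and {b['src']} within {SHARE_WINDOW}"))
    return out
```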

You can find the next five typical IT security audit findings in the second part of this article: Typical IT Security Audit Findings.
