VPN Security Audit Assurance Program Icq Eng 1012
ISBN 978-60420-269-4
VPN Security Audit/Assurance Program
Acknowledgments
2012 ISACA. All rights reserved. Page 2
Table of Contents
I. Introduction 5
II. Using This Document 6
III. Controls Maturity Analysis 8
IV. Assurance and Control Framework 10
V. Executive Summary of Audit/Assurance Focus 11
VI. Audit/Assurance Program 13
1. Planning and Scoping the Audit 13
2. Preparatory Steps 15
3. Governance 16
4. Policy 17
5. Configuration 19
6. Maintenance and Monitoring 26
VII. Maturity Assessment 28
VIII. Maturity Assessment vs. Target Assessment 33
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good practice-setting model. ITAF provides standards that are designed to be mandatory and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to give direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance practitioners with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200, General Standards. The audit/assurance programs are part of ITAF, section 4000, IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework (specifically COBIT 4.1), using generally applicable and accepted good practices. They reflect ITAF, sections 3400, IT Management Processes; 3600, IT Audit and Assurance Processes; and 3800, IT Audit and Assurance Management.
Many enterprises have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance
of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange
Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries.
Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance enterprises include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO issued the Enterprise Risk Management (ERM) Integrated Framework, which includes eight components. The ERM framework has a business decision focus when compared to the 1992 Internal Control–Integrated Framework. Large enterprises are in the process of adopting ERM. The two frameworks are compared in figure 1.
Figure 1: Comparison of COSO Internal Control and ERM Integrated Frameworks (columns: Internal Control–Integrated Framework; ERM Integrated Framework)
Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.
The 1992 Internal Control–Integrated Framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to include these components as a reference in this document. When completing the COSO component columns, consider the definitions of the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work performed, issues identified, and conclusions for each line item. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further
investigate or establish as a potential finding. The potential findings should be documented in a work paper that
indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in
place of a work paper describing the work performed.
2 Repeatable but Intuitive
3 Defined
4 Managed and Measurable
5 Optimised
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance
professional can address the key controls within the scope of the work program and formulate an objective
assessment of the maturity level of the control practices. The maturity assessment can be a part of the
audit/assurance report and can be used as a metric from year to year to document progress in the enhancement of
controls. However, the perception of the maturity level may vary between the process/IT asset owner and the
3450, IT Processes
3490, IT Support of Regulatory Compliance
3630.4, Information Systems Operations
3630.7, Information Security Management
3630.11, Network Management and Controls
Refer to the IT Governance Institute's COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.
Feedback
Visit www.isaca.org/VPN-AP and use the feedback function to provide your comments and suggestions on this
document. Your feedback is a very important element in the development of ISACA guidance for its constituents
and is greatly appreciated.
Audit/assurance program columns: COSO components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring); COBIT Cross-reference; Reference Hyperlink; Issue Cross-reference; Comments.
1.4.1 Identify the business risk associated with the failure to implement VPN technologies
and the failure to implement VPN technologies securely.
1.4.2 Identify the technology risk associated with the failure to implement VPN
technologies and the failure to implement VPN technologies securely.
1.4.3 Determine if a VPN architecture threat assessment and modeling process has been established and implemented.
1.4.4 Based on risk assessment, identify changes to the scope.
1.4.5 Discuss the risk with IT, business and operational audit management, and adjust the
risk assessment.
1.5 Define the change process.
The initial audit approach is based on the reviewer's understanding of the operating environment and associated risk. As further research and analysis are performed, changes to the scope and approach will result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance
program, and the authorizations required.
1.6 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team,
other assurance teams and the enterprise is essential.
1.6.1 Identify the drivers for a successful review (these should exist in the audit/assurance function's standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and obtain
agreement.
Security policy
Security strategy or strategies
Security procedures and standards
5. Interview the technical support team leader or equivalent responsible for VPN
architecture, design, implementation, and maintenance processes and procedures.
3. Governance
3.1 Executive Sponsor
Audit/Assurance Objective: The VPN implementation and maintenance is assigned to an executive sponsor, who is responsible for its effective implementation and operations.
COBIT cross-reference: PO4.6, ME1.5, ME2.5, ME4.1
Relevant legal and regulatory information related to security and information access
3.1.1.1 Identify the senior executive responsible for the VPN program.
3.1.1.2 Obtain the position description of the executive responsible for the VPN
program.
3.1.1.3 Determine if the position has cross-reporting to the business units and IT management (security, administration, etc.).
3.1.1.4 Obtain meeting minutes and other documentation to support the responsibilities
and accountability of the executive sponsor.
3.2 Senior Management Involvement in VPN Programs
Audit/Assurance Objective: Senior management participates in key decisions related to VPN
programs.
7. Senior Management Oversight of VPN Programs
Control: Senior management provides oversight of the VPN programs, including
review and approval of policies affecting their respective operations.
3.2.1.1 Determine if business units affected by VPN implementation participate in the
review of policies affecting their business units.
3.2.1.2 Determine if support functions (e.g., HR, corporate communications,
compliance, information security) affected by VPN implementation participate
in the review of VPN policies.
COBIT cross-reference: ME1.5
4. Policy
COBIT cross-reference: PO6.3, PO6.4, PO4.8, ME3.1, ME3.3; PO4.8, ME3.1, ME3.2; PO6.3, PO6.4, DS5.1, ME2.5, ME3.4; PO2.3
5. Configuration
COBIT cross-reference: DS5.8, DS5.9; DS5.7, DS5.8; PO5.9, PO9.2, DS5.3
3 These are defined as site-to-site VPNs that connect local area networks (LANs) across a wide area network (WAN).
4 This generally applies to extranets and non-owned networks.
COBIT cross-reference: DS5.9, DS5.10, DS9.2
Two-factor authentication
Digital certificates
Smart cards
5.1.1.1.19 Determine if user computer identity verification has been
implemented:
Browser history
Cookies
Documents
5 This enables network traffic to traverse separate networks via the same network connection.
COBIT cross-reference: DS5.4, DS5.10; DS1.6, DS7; DS9.2
Passwords
5.1.1.1.22 Determine if the SSL VPN provides a keystroke logger detection sweep prior to completing a connection.
5.1.1.1.23 Determine if session time-outs are implemented, what the time-out period is, and whether it complies with security policies, standards and procedures.
5.1.1.1.24 Determine if the SSL/TLS protocol version is verified prior to connection and the connection is denied if the version is lower than the level that security policy dictates.
5.1.1.1.25 Determine if server certificate support has been implemented and the client will only permit a connection to a server presenting a valid, authenticated certificate.
5.1.1.1.26 Determine if resource availability, system functionality and application access are limited based on satisfying the configuration parameters considered above.
5.1.1.1.27 Determine if public computers (e.g., Internet cafés, kiosks) are permitted to connect to the SSL VPN.
5.1.1.1.28 Determine if client-side certificates are required and, if so, whether connection is contingent upon client-side certificate verification and authentication.
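The configuration checks in steps 5.1.1.1.22 through 5.1.1.1.28 can be scripted rather than read off a console. The following is an added example and is not part of the ISACA program or any vendor's tooling: it evaluates a gateway's exported settings against policy, and for step 5.1.1.1.24 includes a live probe that pins each TLS version in turn to find the lowest one the gateway will negotiate. The setting names, the policy values and both sample configurations are hypothetical; a real gateway exports its settings under vendor-specific names, so the keys would have to be mapped first.

```python
"""Check an SSL VPN gateway's settings against policy (steps 5.1.1.1.22-28).

Added illustration, not part of the ISACA program or any vendor's tooling.
The setting names, policy values and both sample configurations below are
constructed for the example.
"""
import socket
import ssl

# Protocol versions, weakest first. SSLv3 is listed so that a gateway which
# still reports it is flagged instead of breaking the comparison.
TLS_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Hypothetical policy values; a real review takes them from the enterprise's
# security standard.
POLICY = {
    "min_tls_version": "TLSv1.2",
    "max_idle_timeout_minutes": 15,
    "require_client_certificate": True,
    "allow_public_kiosk_clients": False,
}

# Constructed settings export of a weakly configured gateway (hypothetical keys).
WEAK_CONFIG = {
    "min_tls_version": "TLSv1",
    "idle_timeout_minutes": 0,            # 0 means the session never times out
    "validate_server_certificate": False,
    "require_client_certificate": False,
    "allow_public_kiosk_clients": True,
    "keylogger_sweep_before_connect": False,
}

# The same gateway with every finding corrected.
HARDENED_CONFIG = {
    "min_tls_version": "TLSv1.2",
    "idle_timeout_minutes": 10,
    "validate_server_certificate": True,
    "require_client_certificate": True,
    "allow_public_kiosk_clients": False,
    "keylogger_sweep_before_connect": True,
}


def evaluate_ssl_vpn_config(cfg, policy=POLICY):
    """Return (audit step, finding) tuples; an empty list means compliant."""
    findings = []
    version = cfg["min_tls_version"]
    if version not in TLS_ORDER or \
            TLS_ORDER.index(version) < TLS_ORDER.index(policy["min_tls_version"]):
        findings.append(("5.1.1.1.24", "minimum protocol %s is below policy %s"
                         % (version, policy["min_tls_version"])))
    idle = cfg["idle_timeout_minutes"]
    if idle <= 0 or idle > policy["max_idle_timeout_minutes"]:
        findings.append(("5.1.1.1.23", "idle time-out of %d min is disabled or "
                         "exceeds the %d min policy limit"
                         % (idle, policy["max_idle_timeout_minutes"])))
    if not cfg["validate_server_certificate"]:
        findings.append(("5.1.1.1.25", "server certificate is not validated "
                         "before the tunnel is established"))
    if policy["require_client_certificate"] and not cfg["require_client_certificate"]:
        findings.append(("5.1.1.1.28", "client-side certificate is not required"))
    if cfg["allow_public_kiosk_clients"] and not policy["allow_public_kiosk_clients"]:
        findings.append(("5.1.1.1.27", "public/kiosk computers may connect"))
    if not cfg["keylogger_sweep_before_connect"]:
        findings.append(("5.1.1.1.22", "no keystroke-logger sweep runs before "
                         "the connection completes"))
    return findings


def lowest_tls_version_accepted(host, port=443, timeout=5.0):
    """Live check for step 5.1.1.1.24: handshake with each version pinned,
    oldest first, and return the first one the gateway accepts (None if no
    handshake succeeds). Certificate checks are disabled here on purpose,
    because only protocol negotiation is being tested."""
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
        except (ValueError, ssl.SSLError):
            continue  # the local OpenSSL build refuses this version entirely
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    return tls.version()
        except (ssl.SSLError, OSError):
            continue
    return None


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, evaluate_ssl_vpn_config(cfg) or "compliant")
```

The offline evaluation gives the auditor a repeatable finding list keyed to the program's step numbers; the live probe is there because a settings export can lag the running configuration, so step 5.1.1.1.24 should be confirmed against the gateway itself (for example `lowest_tls_version_accepted("vpn.example.net")`).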
21. SSL VPN Awareness Program
Control: User education and security awareness is provided on a regular basis and
participation by all users of the enterprise's VPN facilities is required.
5.1.1.2 Determine that VPN awareness and security programs are routinely and
regularly offered.
5.1.1.3 Determine if the security awareness program addresses VPN use policy.
5.1.1.4 Evaluate how the follow-up process is maintained to assure user participation.
5.1.1.5 Determine if participation is documented in logs or sign-in sheets.
COBIT cross-reference: DS5.7, DS5.9, DS5.10, DS9.2; DS5.4, DS5.5, DS9.2, DS10; DS5.9, DS5.10, DS9.2; DS5.4, DS5.10; PO2.3, DS9.2; AI6, AI7, DS9.2; PO2.1, PO3
6.1.1.2 Determine if the change management process implemented for VPN maintenance
is in compliance with the installation change management procedure.
6.2 Integration of VPN Technologies With the Help Desk
Audit/Assurance Objective: VPN support requests are processed routinely through the help
desk.
35. VPN Support Is Provided by the Help Desk
Control: VPN support is a help desk task with appropriate controls and procedures.
6.2.1.1 Obtain the help desk procedures.
6.2.1.2 Determine if VPN support tasks are included in the help desk procedures.
6.2.1.3 Determine if VPN issues are reported in the incident reporting/issue monitoring system.
6.2.1.4 Select VPN-related incidents in the help desk, incident reporting and/or issue monitoring system.
6.2.1.5 Determine that the issues were closed on a timely basis in an effective manner.
COBIT cross-reference: DS8, DS10, DS3; DS5.5
6 Because of the high volume, logging should be automated, and the unusual activities to be extracted should be defined in an automated extract process.
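Footnote 6 asks for unusual activity to be defined as an automated extract rather than read out of raw logs. The following added example (not from the ISACA program) shows two such definitions run over constructed VPN gateway log lines: a burst of failed logins for one account followed by a successful login, and a second successful login for an account that already holds a session from a different source address. The log format, gateway name, user names and addresses are constructed for the example, and the thresholds are assumptions that a real extract would take from the enterprise's monitoring standard.

```python
"""Automated extract of unusual VPN activity from gateway logs (footnote 6).

Added illustration, not part of the ISACA program. The log format, gateway
name, user names, addresses and thresholds are constructed for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<UTC timestamp> <gateway> key=value ...".
LOG_LINES = """\
2012-05-14T08:02:11Z vpn-gw1 event=login result=success user=jdoe src=203.0.113.5
2012-05-14T08:03:40Z vpn-gw1 event=login result=failure user=asmith src=198.51.100.7
2012-05-14T08:03:52Z vpn-gw1 event=login result=failure user=asmith src=198.51.100.7
2012-05-14T08:04:05Z vpn-gw1 event=login result=failure user=asmith src=198.51.100.7
2012-05-14T08:04:19Z vpn-gw1 event=login result=failure user=asmith src=198.51.100.7
2012-05-14T08:04:33Z vpn-gw1 event=login result=failure user=asmith src=198.51.100.7
2012-05-14T08:05:01Z vpn-gw1 event=login result=success user=asmith src=198.51.100.7
2012-05-14T08:09:27Z vpn-gw1 event=login result=success user=jdoe src=192.0.2.44
2012-05-14T08:15:00Z vpn-gw1 event=logout user=jdoe src=203.0.113.5
2012-05-14T09:30:12Z vpn-gw1 event=login result=success user=bchen src=198.51.100.20
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
           "host": m.group("host")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def extract_unusual_activity(lines, burst_threshold=5,
                             burst_window=timedelta(minutes=10)):
    """Return (timestamp, rule, user, detail) tuples in time order.

    Rules (thresholds are assumptions):
      failed_auth_burst: at least burst_threshold failures for one account
        inside burst_window; success_after_failed_burst: that account then
        logs in successfully while the failures are still inside the window.
      concurrent_sessions_distinct_src: a successful login for an account
        that already holds a session from a different source address.
    """
    records = [r for r in map(parse_line, lines)
               if r and r.get("event") in ("login", "logout")
               and "user" in r and "src" in r]
    records.sort(key=lambda r: r["ts"])
    alerts = []
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    active = defaultdict(dict)      # user -> {src: login timestamp}
    for rec in records:
        ts, user, src = rec["ts"], rec["user"], rec["src"]
        if rec["event"] == "logout":
            active[user].pop(src, None)
            continue
        recent = failures[user]
        while recent and ts - recent[0] > burst_window:   # slide the window
            recent.popleft()
        if rec.get("result") == "failure":
            recent.append(ts)
            if len(recent) == burst_threshold:           # report once per burst
                alerts.append((ts, "failed_auth_burst", user,
                               "%d failures from %s within %s"
                               % (len(recent), src, burst_window)))
            continue
        if rec.get("result") != "success":
            continue
        if len(recent) >= burst_threshold:
            alerts.append((ts, "success_after_failed_burst", user, "from %s" % src))
        recent.clear()
        other = [s for s in active[user] if s != src]
        if other:
            alerts.append((ts, "concurrent_sessions_distinct_src", user,
                           "new session from %s while active from %s"
                           % (src, ", ".join(other))))
        active[user][src] = ts
    return alerts


if __name__ == "__main__":
    for ts, rule, user, detail in extract_unusual_activity(LOG_LINES.splitlines()):
        print(ts.isoformat(), rule, user, detail)
```

On the sample lines the extract reports the five failures for asmith, the success that follows them, and the second jdoe session from a different address; bchen's routine login produces nothing. The same structure (parse, sort, sliding window per account, session table per account) carries over to other rules the enterprise defines, such as logins outside permitted hours or from unexpected countries.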
VII. Maturity Assessment
Maturity assessment table (columns: Assessed Maturity, Target Maturity, Reference Hyperlink, Comments; maturity scale 0 to 5)
DS5.5 Security Testing, Surveillance and Monitoring
DS5.10 Network Security