Page 149 - Courses

Logical Security Applications

• Antivirus software is updated.
• The organization receives notifications regarding current malware incidents, including malware variants that current antivirus software does not track or disable.
• The computer (server) is segmented, limiting large-scale malware contamination.

            User Access

            User access capability and systems are monitored through periodic reviews, and any discrepancies
            are corrected. This includes privileged and standard access users.

            ACLs

ACLs limit users' access to only that which is required to perform their job function (this also allows for separation of duties [SoD]). Users are assigned to groups, and then groups are assigned to ACLs. A series of ACLs may be grouped together.

            Access to the OS is limited to those with privileged capability. These mostly include IT personnel. The
            OS environment for web servers, application servers, and database servers is usually limited to a
            small number of IT personnel who have privileged access.
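The group-based model described above (users assigned to groups, groups assigned to ACLs, access limited to the job function) can be checked mechanically. The following is an added example, not part of the course material: it computes a user's effective permissions from group membership, denies anything not granted through a group, flags users whose combined groups break a separation-of-duties pair, and performs the periodic access review by comparing live memberships against an approved list. All users, groups, resources and permission names are constructed.

```python
"""Group-based ACLs with a least-privilege check, a separation-of-duties (SoD)
review and a periodic access review. Constructed example; all names are made up."""
from collections import defaultdict

# Constructed data: user -> groups, and group -> {resource: permissions}.
USER_GROUPS = {
    "alice": {"ap_clerks"},
    "bob":   {"ap_approvers"},
    "carol": {"ap_clerks", "ap_approvers"},   # holds both halves of an SoD pair
    "dave":  {"sysadmins"},                   # the only user with OS-level access
}
GROUP_ACLS = {
    "ap_clerks":    {"invoices": {"read", "create"}},
    "ap_approvers": {"invoices": {"read", "approve"}},
    "sysadmins":    {"os_shell": {"login"}, "invoices": {"read"}},
}
# (resource, permission_a, permission_b): one person must not hold both.
SOD_CONFLICTS = [("invoices", "create", "approve")]


def effective_permissions(user, user_groups=USER_GROUPS, group_acls=GROUP_ACLS):
    """Union of the ACL entries of every group the user belongs to."""
    perms = defaultdict(set)
    for group in user_groups.get(user, set()):
        for resource, allowed in group_acls.get(group, {}).items():
            perms[resource] |= allowed
    return dict(perms)


def is_allowed(user, resource, permission, **kw):
    """Deny by default: only permissions reachable through a group are granted."""
    return permission in effective_permissions(user, **kw).get(resource, set())


def sod_violations(user_groups=USER_GROUPS, group_acls=GROUP_ACLS, conflicts=SOD_CONFLICTS):
    """Users whose combined group memberships grant both halves of a conflict."""
    found = []
    for user in user_groups:
        perms = effective_permissions(user, user_groups, group_acls)
        for resource, a, b in conflicts:
            if {a, b} <= perms.get(resource, set()):
                found.append((user, resource, a, b))
    return found


def access_review(user_groups, authorized):
    """Periodic review: compare live memberships with the approved list.
    Returns (excess, missing): groups a user holds but should not, and vice versa."""
    excess, missing = {}, {}
    for user in set(user_groups) | set(authorized):
        current = user_groups.get(user, set())
        approved = authorized.get(user, set())
        if current - approved:
            excess[user] = current - approved
        if approved - current:
            missing[user] = approved - current
    return excess, missing


if __name__ == "__main__":
    print("carol may approve invoices:", is_allowed("carol", "invoices", "approve"))
    print("SoD violations:", sod_violations())
```

In a real review the `USER_GROUPS` mapping would be exported from the directory or OS, and `authorized` would be the list signed off by the data owners; any entry in `excess` is a discrepancy to be corrected, and any SoD hit is a group assignment to be split.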

            OS Security Configuration

• OS security configuration is hardened prior to being placed into production.
     o Hardening reduces risks and threats by reducing areas of vulnerability, often through removal of non-essential functions, changing default passwords, and maintaining an up-to-date OS configuration.
• An organization usually has many servers of the same type (e.g., Windows servers). Typically, one security-hardened template is created and then used to build them. As security threats are identified, the template, as well as all servers built from it, are updated.
• Maintaining the hardened OS depends on the organization's configuration practices. Documented procedures ensure that a repeatable process produces a secure OS.
• Vulnerability scans are periodically performed and results are corrected as applicable.
     o Note: Results are categorized from high to low, such that some of the lower-risk results may not require correction. This is organizationally dependent (also for penetration tests).
• Annual penetration tests occur and the results are reviewed and corrected as applicable.
     o Penetration tests (also known as pen testing) are used to simulate attacks that identify and measure the extent of network and application control weaknesses.
• The OS receives system security patches in a timely manner.
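The scan-results note above says findings are ranked high to low and that the organization decides which ranks must be corrected; the patching bullet adds a timeliness expectation. The following is an added example, not part of the course material, showing how an auditor might triage a scan export against such an organization-defined policy: each severity carries a must-fix flag and a remediation window, and every open finding is classed as fixed, accepted (low risk, not required), open within its window, or overdue. The policy values, host names and finding identifiers are constructed placeholders.

```python
"""Triage vulnerability scan findings against an organization-defined remediation
policy. Constructed example; policy values, hosts and finding ids are placeholders."""
from datetime import date, timedelta

# Constructed policy: which severities must be corrected and within how many days.
# "low" is deliberately optional here, mirroring the note that lower-risk results
# may not require correction; whether that is acceptable is an organizational decision.
REMEDIATION_POLICY = {
    "critical": {"must_fix": True,  "sla_days": 7},
    "high":     {"must_fix": True,  "sla_days": 30},
    "medium":   {"must_fix": True,  "sla_days": 90},
    "low":      {"must_fix": False, "sla_days": None},
}

# Constructed scan export. "fixed" is the date a re-scan confirmed remediation, or None.
FINDINGS = [
    {"host": "web01", "id": "FINDING-PLACEHOLDER-1", "severity": "critical", "found": date(2022, 3, 1),  "fixed": None},
    {"host": "app01", "id": "FINDING-PLACEHOLDER-2", "severity": "high",     "found": date(2022, 3, 10), "fixed": None},
    {"host": "db01",  "id": "FINDING-PLACEHOLDER-3", "severity": "low",      "found": date(2022, 2, 1),  "fixed": None},
    {"host": "web01", "id": "FINDING-PLACEHOLDER-4", "severity": "medium",   "found": date(2022, 1, 1),  "fixed": date(2022, 2, 15)},
    {"host": "app01", "id": "FINDING-PLACEHOLDER-5", "severity": "medium",   "found": date(2021, 12, 1), "fixed": None},
]


def triage(findings, policy, today):
    """Classify each finding by id into fixed / accepted / open_within_sla / overdue.
    Unknown severities are an error rather than silently accepted."""
    report = {"fixed": [], "accepted": [], "open_within_sla": [], "overdue": []}
    for f in findings:
        if f["severity"] not in policy:
            raise ValueError(f"no policy entry for severity {f['severity']!r}")
        rule = policy[f["severity"]]
        if f["fixed"] is not None:
            report["fixed"].append(f["id"])
        elif not rule["must_fix"]:
            report["accepted"].append(f["id"])
        elif today > f["found"] + timedelta(days=rule["sla_days"]):
            report["overdue"].append(f["id"])
        else:
            report["open_within_sla"].append(f["id"])
    return report


def overdue_by_host(findings, policy, today):
    """Overdue findings grouped by host: the list an auditor would raise with the owner."""
    overdue_ids = set(triage(findings, policy, today)["overdue"])
    grouped = {}
    for f in findings:
        if f["id"] in overdue_ids:
            grouped.setdefault(f["host"], []).append(f["id"])
    return grouped


if __name__ == "__main__":
    for bucket, ids in triage(FINDINGS, REMEDIATION_POLICY, date(2022, 3, 20)).items():
        print(f"{bucket:16s} {ids}")
```

The same structure applies to the patching bullet: replace the scan export with a list of missing patches, keyed by the severity the vendor assigns, and the remediation window becomes the organization's definition of "timely".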

            Passwords

• Password features comply with policy:
     o Each organization has a written password policy.
     o Password features for an OS will be set in accordance with the written policy.
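The password bullets require the OS settings to match the written policy, and the hardening bullets earlier on the page require each server to match a security-hardened template; both are the same check, a baseline compared against the effective settings of a server. The following is an added example, not part of the course material, that expresses a written password policy as a set of requirements and reports every setting that is missing or out of policy. The setting names and values are constructed and are not any particular operating system's real parameter names; the `SERVER_A` and `SERVER_B` dictionaries stand in for values an auditor would collect from the OS's own tools.

```python
"""Check an OS's effective password settings against the organization's written
password policy. Constructed example; setting names are illustrative, not any
particular OS's real parameter names."""

# Written policy: setting -> (predicate over the collected value, readable requirement).
WRITTEN_POLICY = {
    "min_length":        (lambda v: v >= 12,      "at least 12 characters"),
    "max_age_days":      (lambda v: 1 <= v <= 90, "expire within 90 days"),
    "history_count":     (lambda v: v >= 12,      "remember at least 12 previous passwords"),
    "lockout_threshold": (lambda v: 1 <= v <= 5,  "lock out after at most 5 failures (0 = never, not allowed)"),
    "complexity":        (lambda v: v is True,    "complexity enforcement on"),
}


def check_password_settings(os_settings, policy=WRITTEN_POLICY):
    """Return a list of (setting, actual_value, requirement) discrepancies.
    An empty list means the server complies. A setting the OS does not report
    is itself a finding (actual_value None) rather than a silent pass."""
    findings = []
    for name, (satisfied, requirement) in policy.items():
        if name not in os_settings:
            findings.append((name, None, requirement))
        elif not satisfied(os_settings[name]):
            findings.append((name, os_settings[name], requirement))
    return findings


def is_compliant(os_settings, policy=WRITTEN_POLICY):
    """True only when no discrepancy is found."""
    return not check_password_settings(os_settings, policy)


# Constructed effective settings as collected from two servers.
SERVER_A = {"min_length": 8, "max_age_days": 90, "history_count": 24,
            "lockout_threshold": 0, "complexity": True}
SERVER_B = {"min_length": 14, "max_age_days": 60, "history_count": 12,
            "lockout_threshold": 5, "complexity": True}

if __name__ == "__main__":
    for host, settings in (("server-a", SERVER_A), ("server-b", SERVER_B)):
        for name, actual, requirement in check_password_settings(settings):
            print(f"{host}: {name}={actual!r} does not meet policy ({requirement})")
```

Swapping `WRITTEN_POLICY` for the settings recorded in the hardened template, and the password dictionaries for any other collected configuration, turns the same function into the template-drift check the hardening bullets call for.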

            Copyright © 2022 by The Institute of Internal Auditors, Inc. All rights reserved.