Logical Security: The Network Layer

•  A third-party monitoring vendor may be contracted to cover non-business hours. Based on specific
   criteria, the vendor notifies appropriate security staff of a problem and, in some situations, is
   allowed to take specific actions on the organization's network on its behalf.
•  The activity of these third-party vendors should also be monitored by the organization.
•  SIEM policies are regularly evaluated to ensure false positives are minimized.

Security Risks

Security risks include:
•  Logs are disabled and not sent to the SIEM, because:
      •  Log configurations are incorrect.
      •  The logging event and/or job was incorrectly scheduled.
      •  The job abended (terminated abnormally) before completion.
•  Necessary actions triggered by alert notifications are delayed because the SIEM is not monitored
   24/7.
•  Breakdowns in communication protocols or functionality cause delays in alert notifications.
•  Insufficient administration staff.
•  Vendor-supplied default passwords, configurations, and access rules are not modified, resulting
   in unrestricted (or less restricted) access to the SIEM.

Controls

Controls include:
•  Formal policies and procedures exist to ensure appropriate escalation and alert-event mitigation
   activities occur.
•  Default vendor settings are disabled or modified.
•  Policy changes adhere to the organization's change control process.
•  Access to the SIEM is restricted.
•  The console is monitored 24/7. Alerts are reviewed in a timely manner and followed up with
   appropriate remediation activities.

Suggested Audit Procedures

Suggested audit procedures include:
•  Review the manner in which the SIEM administrator ensures all logs are completely and
   accurately processed by the SIEM.
      •  Based on the network diagram, select a test sample of network components, appliances,
         and servers.
      •  Test to ensure logs from the sample are captured in the SIEM.
•  Observe a user attempting to log into the SIEM with vendor-supplied default passwords.
•  Test the appropriateness of access to the SIEM.
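The sampling test above (and the "logs are disabled and not sent to the SIEM" risk it is designed to detect) can be scripted so the auditor gets a repeatable result rather than a spot check. The following is an added example, not code from the IIA guide: it takes the host sample drawn from the network diagram, compares it with a CSV export of the SIEM's log sources, and flags each sampled host as covered, stale (no events within a threshold) or missing. The host names, the export's CSV layout and the 24-hour staleness threshold are all assumptions.

```python
"""Log-source coverage check for a SIEM audit sample.

Added example (not from the IIA guide). Compares an in-scope host sample
against a SIEM log-source export and reports hosts whose logs are missing
or stale. All inputs below are constructed for illustration.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of components selected from the network diagram:
# (hostname, log type the SIEM is expected to receive). Names are hypothetical.
SAMPLE_HOSTS = [
    ("fw-edge-01", "syslog"),
    ("core-sw-01", "syslog"),
    ("dc-01", "windows-security"),
    ("web-01", "syslog"),
    ("db-01", "audit"),
]

# Constructed SIEM export: one row per log source with the timestamp of the
# last event received (UTC). The column layout is an assumption; real
# products export different fields, so adapt parse_siem_export() accordingly.
SIEM_EXPORT = """\
host,log_type,last_event_utc
fw-edge-01,syslog,2021-06-01T11:58:03Z
core-sw-01,syslog,2021-05-20T02:14:55Z
dc-01,windows-security,2021-06-01T11:59:40Z
db-01,audit,2021-06-01T09:30:00Z
"""


def parse_siem_export(text):
    """Parse the CSV export into {(host, log_type): last_event datetime}."""
    sources = {}
    for row in csv.DictReader(io.StringIO(text)):
        last_event = datetime.strptime(
            row["last_event_utc"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        sources[(row["host"], row["log_type"])] = last_event
    return sources


def coverage_findings(sample, sources, now, max_age=timedelta(hours=24)):
    """Classify each sampled host as 'ok', 'stale' or 'missing'.

    'missing': the SIEM has no log source for the host/log type at all
               (logging disabled, misconfigured, or never onboarded).
    'stale':   a source exists but its last event is older than max_age
               (a scheduled job that abended or stopped, a dead forwarder).
    'ok':      events have arrived within max_age.
    """
    findings = {}
    for host, log_type in sample:
        last_event = sources.get((host, log_type))
        if last_event is None:
            findings[host] = "missing"
        elif now - last_event > max_age:
            findings[host] = "stale"
        else:
            findings[host] = "ok"
    return findings


def exceptions(findings):
    """Return only the hosts an auditor would raise as exceptions."""
    return sorted(h for h, status in findings.items() if status != "ok")


if __name__ == "__main__":
    # Fixed 'now' so the constructed data produces a stable result.
    now = datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    findings = coverage_findings(SAMPLE_HOSTS, parse_siem_export(SIEM_EXPORT), now)
    for host, status in findings.items():
        print(f"{host:12s} {status}")
    print("exceptions:", exceptions(findings))
```

The staleness threshold should match the logging cadence the organization has documented for each source type (a firewall should log continuously; a nightly audit job may legitimately be up to a day old), so in practice max_age would be set per log type rather than once for the whole sample.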



            Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.