Page 115 - ITGC_Audit Guides

stored off-site with a software escrow service to be used in the event that files or hardware are damaged or corrupted. An internal audit of business applications could verify whether management has ever tested the ability to recover operations from an escrowed version of production software and whether the in-service version has been escrowed.

•   COBIT 2019 Framework: Governance and Management Objectives describes controls over approved versions of software in practices:
       o  BAI07.06 Promote to Production and Manage Releases.
       o  APO10.04 Manage Vendor Risk.
•   In NIST SP 800-53r5, relevant guidance is found in controls:
       o  CM-7 Least Functionality.
       o  SA-10 Developer Configuration Management.
       o  SC-34 Non-modifiable Executable Programs.
•   The CIS Controls do not directly address controls over the release or off-site storage of software versions.

Security in Development
In addition to the security-related steps mentioned previously, a vulnerability scan should be performed on an application after launching it into the production environment (but before opening it to full service) to identify configuration or component weaknesses. IT-IS personnel and the business owner should evaluate the results of the scan to determine whether the residual risk is acceptable. Other GTAGs will cover controls over vulnerability scanning more extensively.

In a business application ecosystem, vendor-provided software, including firmware, is often updated in a new version called a patch to address security flaws in the code or in its interactions with component technologies. The controls over implementing patches are generally the same as for other new software versions, except that there may be internal deadlines for patches that are not expected of other updates. The IS team typically has some responsibility for monitoring or enforcing those deadlines.
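One way the IS team (or an auditor testing the control) can monitor patch deadlines is to compare the installed version on each asset against the vendor's fixed version and the internal deadline for that severity. The following is an added example written for this guide, not code from the GTAG or from any vendor tool; the products, version numbers, advisory dates and SLA days are all constructed to illustrate the check.

```python
"""Patch-deadline compliance check over a constructed software inventory.

Added example: flags assets that are still running a version older than the
vendor's fix once the internal deadline for that severity has passed.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical internal deadlines, in days from the vendor's patch release.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_version: str   # first version that contains the fix
    severity: str        # key into SLA_DAYS
    released: date       # date the vendor published the patch


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    installed_version: str


def parse_version(v: str) -> tuple:
    """'2.10.0' -> (2, 10, 0); components compared as ints so 2.10 > 2.4."""
    return tuple(int(p) for p in v.split("."))


def is_patched(installed: str, fixed: str) -> bool:
    return parse_version(installed) >= parse_version(fixed)


def check_patch_sla(assets, advisories, today, sla_days=SLA_DAYS):
    """Return one finding per (advisory, unpatched asset) pair.

    A finding is OVERDUE when today is past release + SLA, otherwise PENDING.
    """
    findings = []
    for adv in advisories:
        deadline = adv.released + timedelta(days=sla_days[adv.severity])
        for a in assets:
            if a.product != adv.product:
                continue
            if is_patched(a.installed_version, adv.fixed_version):
                continue
            days_over = (today - deadline).days
            findings.append({
                "host": a.host,
                "product": a.product,
                "installed": a.installed_version,
                "fixed_in": adv.fixed_version,
                "severity": adv.severity,
                "deadline": deadline.isoformat(),
                "status": "OVERDUE" if days_over > 0 else "PENDING",
                "days_overdue": max(days_over, 0),
            })
    return findings


# Constructed sample data (hypothetical products and versions).
ADVISORIES = [
    Advisory("WebApp", "2.4.1", "critical", date(2024, 3, 1)),   # deadline 2024-03-08
    Advisory("RouterFW", "7.0.3", "high", date(2024, 3, 15)),    # deadline 2024-04-14
]
ASSETS = [
    Asset("app01", "WebApp", "2.4.1"),     # exactly the fixed version: patched
    Asset("app02", "WebApp", "2.3.9"),     # behind a critical fix: overdue
    Asset("app03", "WebApp", "2.10.0"),    # newer than the fix: patched
    Asset("edge01", "RouterFW", "7.0.2"),  # behind a high fix, deadline not yet reached
]
AS_OF = date(2024, 4, 1)


def run_report(today=AS_OF):
    return check_patch_sla(ASSETS, ADVISORIES, today)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f['status']:8} {f['host']:8} {f['product']:10} "
              f"{f['installed']} -> {f['fixed_in']} ({f['severity']}, "
              f"deadline {f['deadline']}, {f['days_overdue']} days overdue)")
```

Version strings with non-numeric parts (build tags, vendor suffixes) would need a product-specific parser; the integer-tuple comparison above is deliberate so that 2.10.0 is not mis-ranked below 2.4.1, which a plain string comparison would do.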

Patch management controls are covered in:

•   COBIT 2019 Framework: Governance and Management Objectives in objectives:
       o  BAI03 Managed Solutions Identification and Build.
       o  DSS05 Managed Security Services.
•   NIST SP 800-53r5 control SI-2 Flaw Remediation.
•   CIS Controls safeguard 7.4 Perform Automated Application Patch Management.


15 — theiia.org