Page 394 - ITGC_Audit Guides
Operations Phase (continued)
Activity/Controls (each entry lists the CERT Practice number and the Function it maps to)

- Firewalls located in front of critical systems and configured to restrict workstation connection to only those authorized.
  CERT Practice: 13. Function: Protect, Detect.

- Internal network segmentation and network control restrictions require attention. Information systems that house sensitive organizational data should have access restricted to only those with a business need for the information. This segmentation could include separate virtual local area network (VLAN) assignments, access control lists or firewall rule sets that isolate those systems, and physically secure locations that house the servers and protect them from direct tampering or obstruction.
  CERT Practice: 13. Function: Protect.

- External network segmentation and network access restrictions. This segmentation could include the use of demilitarized zones (DMZs), virtual private networks (VPNs), honeypots, and proxy servers to control the interaction between trusted and untrusted environments.
  CERT Practice: 13. Function: Protect, Detect.

- Security information and event management (SIEM) software solutions combine security information management (SIM) and security event management (SEM) to retroactively examine and log unique user actions against an individual system, data set, or general network activities (shared connections) and create alerts. The resulting logs should be actively reviewed and assessed for abnormalities. Further, these logs should be comprehensive enough to support incident response activities in the event of an IT security incident.
  CERT Practice: 13. Function: Detect, Respond.

- Security monitoring programs augmented by data analytics tools such as user and entity behavior analytics (UEBA) to determine standard business operational activities on an individual system, data set, or network resource. Understanding the routine, common tasks performed on the network on a daily basis will help administrative staff identify abnormalities or unusual behavior that may indicate malicious activity (red flags).
  CERT Practice: 12, 14. Function: Detect.

- Alerting technologies that effectively capture changes, additions, or modifications to network resources, systems, applications, or security controls should be in place. These alerts should go directly to the staff responsible for managing each technology so they can quickly distinguish legitimate threats from false positives. These technologies include intrusion detection/prevention systems (IDS/IPS).
  CERT Practice: 17, 19. Function: Detect, Respond.

- Escalation policies and procedures to ensure that alerts related to credible threats are communicated to key organizational groups to minimize impact. For example, if an alert is received from an application administrator that a new super user account has been created without going through the normal vetting/approval process, this should be immediately communicated to responsible staff such as business owners, data owners, and security groups to prevent threats from gaining deeper, unauthorized access.
  CERT Practice: 3. Function: Respond, Recover.
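The SIEM log review, UEBA baselining and super-user escalation entries above, worked through as an added Python example; this is not code from the IIA guide. It builds a per-user activity baseline from constructed audit log lines, flags unseen activity and daily volume spikes, and reconciles super user account creations against an approved-ticket list, routing any unapproved creation to the groups the guide names. The log format, the ticket list, the group names and the "mean + 3 sigma with a two-event floor" threshold rule are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real data), one event per line:
# "<date> <host> <user> <event> <target> [key=value ...]"
BASELINE_LOGS = """\
2024-03-01 hr-db-01 alice READ payroll.q1
2024-03-01 hr-db-01 alice READ payroll.q1
2024-03-01 hr-db-01 alice READ benefits
2024-03-02 hr-db-01 alice READ payroll.q1
2024-03-02 hr-db-01 alice READ benefits
2024-03-03 hr-db-01 alice READ payroll.q1
2024-03-03 hr-db-01 alice READ payroll.q1
2024-03-03 hr-db-01 alice READ benefits
2024-03-01 app-01 bob READ customer.list
2024-03-02 app-01 bob READ customer.list
2024-03-03 app-01 bob READ customer.list
"""

# Constructed events for the day under review, including one super user
# creation with an approved ticket and one without any ticket.
TODAY_LOGS = """\
2024-03-04 hr-db-01 alice READ payroll.q1
2024-03-04 hr-db-01 alice READ benefits
2024-03-04 app-01 bob READ customer.list
2024-03-04 app-01 bob READ customer.list
2024-03-04 app-01 bob READ customer.list
2024-03-04 app-01 bob READ customer.list
2024-03-04 app-01 bob EXPORT customer.list
2024-03-04 app-01 bob READ salary.table
2024-03-04 idm-01 carol USER_CREATE dave role=superuser ticket=CHG-1042
2024-03-04 idm-01 carol USER_CREATE eve role=superuser
2024-03-04 idm-01 carol USER_CREATE frank role=user
"""

# Assumed: tickets that went through the normal vetting/approval process.
APPROVED_TICKETS = {"CHG-1042"}
# Assumed escalation recipients, taken from the guide's example.
ESCALATION_GROUPS = ("business owners", "data owners", "security group")

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<host>\S+) (?P<user>\S+) (?P<event>\S+) (?P<target>\S+)(?P<attrs>.*)$"
)


def parse(text):
    """Turn log lines into dicts; trailing key=value pairs become an 'attrs' dict."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not in the assumed format
        fields = m.groupdict()
        fields["attrs"] = dict(kv.split("=", 1) for kv in fields["attrs"].split())
        events.append(fields)
    return events


def build_baseline(events):
    """Per user: the (event, target) pairs seen and a daily-volume threshold."""
    seen = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        seen[e["user"]].add((e["event"], e["target"]))
        daily[e["user"]][e["date"]] += 1
    baseline = {}
    for user, counts in daily.items():
        values = list(counts.values())
        # mean + 3 sigma, floored at mean + 2 so a tiny, flat baseline does
        # not alert on a single extra action (assumed rule)
        threshold = max(mean(values) + 3 * pstdev(values), mean(values) + 2)
        baseline[user] = {"seen": seen[user], "threshold": threshold}
    return baseline


def find_anomalies(baseline, events):
    """UEBA-style checks: activity never seen for the user, and daily volume spikes."""
    anomalies = []
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["event"] == "USER_CREATE":
            continue  # account creation is handled by the escalation check
        b = baseline.get(e["user"])
        if b is None:
            anomalies.append((e["user"], "no-baseline", e["event"]))
            continue
        pair = (e["event"], e["target"])
        if pair not in b["seen"]:
            anomalies.append((e["user"], "new-activity", f"{pair[0]} {pair[1]}"))
        daily[e["user"]][e["date"]] += 1
    for user, counts in daily.items():
        for date, n in counts.items():
            if n > baseline[user]["threshold"]:
                anomalies.append((user, "volume-spike", f"{n} events on {date}"))
    return anomalies


def unapproved_privileged_accounts(events, approved=APPROVED_TICKETS):
    """Super user creations whose ticket is missing or not in the approved set."""
    findings = []
    for e in events:
        if e["event"] != "USER_CREATE" or e["attrs"].get("role") != "superuser":
            continue
        ticket = e["attrs"].get("ticket")
        if ticket not in approved:
            findings.append({"account": e["target"], "created_by": e["user"],
                             "host": e["host"], "ticket": ticket,
                             "notify": ESCALATION_GROUPS})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOGS))
    today = parse(TODAY_LOGS)
    for a in find_anomalies(base, today):
        print("ANOMALY", *a)
    for f in unapproved_privileged_accounts(today):
        print("ESCALATE", f)
```

Run as-is it reports bob's unseen EXPORT and salary.table access plus a six-event volume spike, and escalates the creation of "eve" (no ticket) while leaving "dave" (approved ticket CHG-1042) and "frank" (not a super user) alone. Flagging an unknown ticket value as well as a missing one is deliberate: an attacker who has learned the ticket format can otherwise satisfy a presence-only check.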
www.theiia.org Auditing Insider Threat Programs 26