The Environmental Audit is designed to conduct all security, compliance and policy/procedure assessments for companies looking to examine overall security levels in the environment and in policy/procedural areas. This audit routinely includes the following, which is detailed in each category below.
Network Security Policy Development
The policy is the framework guiding the client with procedures and rules/roles to follow to set up and manage a secure environment.In the EA, we look at existing policy framework to see how complete the policy is. When there is none at all, we write one. Where there is a weak or inefficient one, we upgrade it.
The following categories belong in any sound and complete policy. We developed these guidelines after studying the results of several U.S. regulatory audits under the Gramm-Leach-Bliley Act of 1999, SOX, HIPAA, ISO 27001, HSPD-12 Standards/Policies and security policy guidelines recommended for other industries such as healthcare, chemicals and utilities.
- Operational Security
- Physical Security
- Personnel Guidelines
- Intranet/Internet Security Policy
- Background Check Guidelines
- Remote Access Policy
- Extranet Policy
- Third Party Vendor Agreement Guidelines
- Disaster Recovery Plan/Business Continuity Plan
- Marketing/Telemarketing Plan
- Dealing with the Media
- Use of Inside/Outside Counsel
- Incident Response Plan
- Internet Banking Procedures and Security Guidelines
- Guidelines for Security Team
- Firewall Management
- Telecommunications Policy
- E-Mail Usage Policy
- Use of Corporate Property
- Rules and Guidelines/Management of Website
- Guidelines for Employee New Hire and existing employee security training
- Training Relating to Prevention of Money Laundering
The point is that the policy can take on any shape desired by the organization; we just recommend that at the minimum the above categories are included. All policies should be audited annually, by an internal security management person as well as by an outside firm.
REMEMBER: The network environment is as strong as its weakest link. EVERYTHING SHOULD START WITH AN EFFECTIVE POLICY!
Emergency Response/Disaster Recovery Plan
While SPI does not perform actual DR services, we do AUDIT and DEVELOP both DR plans and BC Plans and test them. We look for complete and up to date plans in place to “go?” at a moment’s notice. If we do not find them in this state we can develop them from start to finish and offer optional testing. The purpose of review during an EA of DR and BC Plans is to advise clients of READINESS, FUNCTIONALITY and COMPLETENESS of the existing plans at the time of the audit.
List of disasters
We are not just talking criminal events here but they are included:
- Key Person Death
- Systems Failure
- Power Failure
- Website hack
- Systems Compromise
- Telecommunications Failure
- Terrorist attack
- Negative Publicity
- Theft/Internet Banking
- ATM system compromise
We examine all Incident Response, Disaster Recovery and Business Continuity guidelines in place and will make recommendations for upgrades and additions as part of our final EA report. We are looking for a complete set of plans roughly encompassing the following:
- Complete inventory and breakdown all IT/Operations assets including servers, PCs including laptops, software licenses, firewalls, routers and any other device surrounding the network
- All Third Party Vendor Agreements with contact information, master contracts and complete sets of attachments/amendments, clearly spelling out confidentiality and liability language acceptable to client in order to respond to an emergency
Third Party Vendor Agreement Audit
A TPV is any agreement between the client and an outside provider of services which would give the vendor physical or electronic access to client assets/data or customer data in the course of its work for the client.
Examples of TPVs:
- Software Vendors/Hardware Vendors (This includes such vendors as Microsoft, Jack Henry, PeopleSoft)
- Telecommunications Providers
- Internet Service Providers
- Statement transport/stuffing services
- Cable Installers
- Outside Consulting Firms
- Automatic Clearing Houses
- Wire Transfer Service Providers
- Alarm Vendors
- ATM Vendors
- Security Camera Vendors
- Security Guard Providers
Physical Security Audit
In the Environmental Audit, we interview our key managers, upon arrival at the start of the audit, to determine their opinion of overall security in the environment.
Following that we conduct a WALK THROUGH AUDIT, looking for possible physical security weaknesses throughout the operations center, computer rooms, server rooms, disaster recovery facilities, and storage sites for the purpose of finding and correcting lax procedures. We also look at unescorted visitor policy to find out how easy it is to get past your front desk.
Experience shows us that these areas are poorly managed, from a security standpoint:
- UPS source not tested regularly
- Backup generators not tested and maintained properly
- Lax visitor policy, especially unescorted
- Weak or non-existent monitoring of computer rooms
- Building access too easy
- Obsolete cameras, alarms
- Improper security device logging
IT/Operations Managerial Interviews
SPI normally begins the Environmental Audit with sit down interviews onsite with all IT and Operational Management officers in the organization. These personnel are responsible for care, maintenance, operations and security of the network environment. This gives SPI a solid overview of existing security levels in the organization operations, both IT and environmental, as they are perceived by management at the time of the audit.
This is an in depth analysis of all IT assets, and includes a Business Impact Analysis to rank criticality and expense/loss of IT assets during a possible outage or any other type of disaster or loss. Due to the heavy involvement and input needed by the client to conduct this service, it is usually required as a standalone service, but it can be included in the EA if requested.
Liked What You Just Read? Join the Highest Level Newsletter in the InfoSec Industry.