Audit Network Security. University System of New Hampshire


Presenter: Ashish Jain, CPA, CIA, CISA, CA, Director of Internal Audit, University System of New Hampshire

University System of New Hampshire
- 34,000 enrolled students
- 4 institutions, 15 locations
- Largest provider of postsecondary education in NH
- Produces 61% of STEM graduates in the state
- Lowest student loan default rate in the US
- Degree completion 78% (US average is 63%)

Why Audit Network Security?
- High-risk area
- Higher education culture
- Cybersecurity
- Often overlooked in the internal audit plan
- Complexity
- Wide scope
- Internet of Things (IoT)

Agenda
- Approaching the audit
- Key risk identification
- Common design gaps and issues
- Resources
- Key areas to cover
- Common issues and hurdles

What is Network Security?
Network security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment.

Where to Start?
- Network diagram
- Inventory of network devices
- Copy of recent penetration testing
- Organization chart
- Network security policies, procedures, and standards

Risk Assessment: Key Risk Areas
- Physical security
- Configurations
- Change management
- Access
- Risk analysis and monitoring

Audit Approach
- Looks at the overall control environment for securing the network
- Select network devices based on: location; sensitivity of data; type of device; when put in service

Research and Knowledge Development
Develop knowledge on the selected device:
- NIST or vendor recommendations
- Federal Information Processing Standard (FIPS) mode
- Configuration guide
- Policies and procedures
- PCI-DSS

Key Audit Areas

Physical Security
- Physical security of network closets, rooms, and data centers
- Lock vs. key card

Console Access
- Generic IDs
- Default passwords
- Access justification
- Password encryption

Password Policy
- Password parameters are configured in accordance with policy

Password Security
- Encryption settings
- Proper algorithm used
- Commonly used algorithm
- Best practices

Key Management
- Pre-shared keys are used for authentication between two network resources
- Settings: key length, encryption, protocols
- Protocols for changing keys
- Who knows and maintains these keys?
- Unencrypted keys/passwords in configuration files

Clock Settings
- Test: current time is accurate
- Daylight saving time settings

Patches
- Compare the OS patch level against the level recommended by the vendor
- Understand upgrade procedures

Remote Login Protocols
- Inquire on existing practices and review policies and standards
- Is activity logged?
- Best practices: dedicated management interface; two-factor authentication; dedicated VPN; procedures to confirm the integrity of device configurations

Services
- Which services are really needed?
- Who ensures these services are appropriate?
- Look for commonly exploited services
- Benchmark against the organization's policy on allowed services
- Standards and periodic review of key configurations

Simple Network Management Protocol (SNMP)
- Default community names
- Version used (version 3 is currently recommended)
- Authentication
- Encryption used
- Common audit finding: version 1 or 2c is active while version 3 is mainly used

ICMP
- Used to gather information about a network device
- ICMP should be limited to hosts with a business need

Other Areas
- Anti-spoofing settings
- Authentication, authorization, and accounting (AAA)
- Login banners
- IP fragmentation
- Access Control Lists (ACL)
- Session timeouts
- Enable logs and monitoring
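One way an auditor could script the configuration checks these slides call for (console access, password security, key management, clock settings, remote login protocols, SNMP, session timeouts, login banners, logging), as an added example that is not part of the presentation: it assumes Cisco IOS-style syntax and runs over a constructed sample config.

```python
import re

# Constructed Cisco IOS-style running config (not from any real device); the
# syntax it assumes is an assumption of this example, not part of the slides.
WEAK_CONFIG = """\
username admin password 0 Summer2018
crypto isakmp key 0 vpnpsk address 203.0.113.2
snmp-server community public RO
snmp-server group netmon v3 priv
line con 0
 exec-timeout 10 0
line vty 0 4
 transport input telnet ssh
 exec-timeout 0 0
"""

# Global settings whose absence is a finding (password security, clock
# settings, login banners, logs and monitoring slides).
REQUIRED = (("service password-encryption", "password security", "password encryption disabled"),
            ("ntp server", "clock settings", "no NTP server configured"),
            ("banner motd", "other areas", "no login banner"),
            ("logging host", "other areas", "no remote syslog host"))

def audit_config(text):
    """Return sorted (area, finding) tuples for one device config."""
    findings, section = set(), None          # section = current 'line ...' block
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level command ends any line block
            section = line[5:] if line.startswith("line ") else None
        m = re.match(r"username (\S+) password (\d) ", line)
        if m and m.group(2) in ("0", "7"):   # 0 = cleartext, 7 = reversible encoding
            findings.add(("console access", f"type {m.group(2)} password for '{m.group(1)}'"))
        m = re.match(r"snmp-server community (\S+)", line)
        if m:                                # any community string means v1/v2c is active
            findings.add(("snmp", f"v1/v2c community '{m.group(1)}' active"))
            if m.group(1).lower() in ("public", "private"):
                findings.add(("snmp", f"default community name '{m.group(1)}'"))
        m = re.match(r"crypto isakmp key (\S+) ", line)
        if m and m.group(1) != "6":          # only type 6 pre-shared keys are stored encrypted
            findings.add(("key management", "pre-shared key stored unencrypted"))
        if section and line.startswith("transport input") and "telnet" in line.split():
            findings.add(("remote login", f"telnet allowed on line {section}"))
        if section and line == "exec-timeout 0 0":
            findings.add(("other areas", f"session timeout disabled on line {section}"))
    for prefix, area, msg in REQUIRED:
        if not any(l.startswith(prefix) for l in text.splitlines()):
            findings.add((area, msg))
    return sorted(findings)
```

Fixing each finding (service password-encryption, a secret-type user password, a type 6 pre-shared key, SNMPv3 only, NTP, a banner, a syslog host, and ssh-only vty lines with an exec-timeout) brings the returned list to empty.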

Common Issues
- Default settings
- Inadequate network security policies, procedures, and standards
- No periodic review of configurations
- Generic IDs or shared accounts
- Lack of accurate network device inventory
- Segregation of duties between maintenance and security

Summary
- Security standards
- Periodic review of key configurations
- Segregation between security and maintenance
- Physical security
- Key management
- Remote access

Thank you! Questions?