Auditing IT Infrastructures for Compliance
Chapter 14
Compliance Within the System/Application Domain
© 2016 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Learning Objective
Describe information security systems compliance requirements within the seven domains of an IT infrastructure.
Key Concepts
• How compliance law requirements relate to business drivers for the System/Application Domain
• Devices and components found in the System/Application Domain
• Application traffic and performance issues, and how to maximize confidentiality, integrity, and availability (C-I-A) for the System/Application Domain
• System/Application Domain policies, standards, procedures, and guidelines
• Best practices for System/Application Domain compliance
DISCOVER: CONCEPTS
System/Application Domain
Business Drivers and Compliance
The System/Application Domain:
• Provides the environment for distributed applications to run
• Centralizes core business functions
• Supports productivity
• Allows for sharing and collaboration
Business Drivers and Compliance
• Data must be protected
• Faulty application code presents security holes
• Lax access controls result in vulnerabilities
• Centralization increases security
Computers in the System/Application Domain
• Server computers
• Minicomputers
• Mainframe computers
More Devices in the System/Application Domain
Data Storage Devices
• Storage area network (SAN)
Application Source Code
• Data storage
• Data access
• Business logic
• User interface
• Programmers create text files for programs, called source code
• Source code files are compiled into programs
Databases and Privacy Data
• Should be the center of security control efforts
• Restrict access to the sensitive data in the database
• Use the controls provided by the database management system
System/Application Domain Devices in Context
Access Controls
Protect the confidentiality and integrity of data
• The operating system enforces the controls
General Attack Method
Boot computer → Access data → Steal or delete data
Vulnerability and Change Management
• Applications and operating systems are susceptible to software vulnerabilities
• Patch management “patches” vulnerabilities
• If you know about a vulnerability, chances are an attacker knows about it, too.
Software Configuration Management (SCM)
1. Development occurs on a separate server from production.
2. The developer completes software changes.
3. Changes are moved to an isolated testing and quality assurance (QA) environment.
4. Testing/QA tests the software to ensure requirements compliance.
5. Approved changes are moved to production.
DISCOVER: PROCESS
Performance Monitoring Tool Selection
• High level of monitoring and analysis
• Should provide proactive monitoring
• Should alert the administrator to issues
Performance Monitoring and Application Traffic
Step 1: Set thresholds for alerts.
Step 2: Sample data traffic.
Step 3: Analyze packets.
Step 4: Readjust thresholds.
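The four steps above as one working loop, written for this slide as an added example (not code from the textbook). The traffic samples are constructed inline, and the metric names, starting thresholds and the mean-plus-three-standard-deviations readjustment rule are assumptions.

```python
from statistics import mean, pstdev

# Step 1: initial alert thresholds (assumed starting values, per one-second window).
THRESHOLDS = {"bytes_per_sec": 50_000, "pkts_per_sec": 400, "error_rate": 0.02}

# Step 2: constructed one-second traffic samples, not real captures. t=3 is a
# burst that breaches every threshold; t=4 is quiet but has an error spike.
SAMPLES = [
    {"t": 0, "bytes": 31_000, "pkts": 220, "errors": 2},
    {"t": 1, "bytes": 28_000, "pkts": 200, "errors": 1},
    {"t": 2, "bytes": 35_000, "pkts": 260, "errors": 3},
    {"t": 3, "bytes": 120_000, "pkts": 900, "errors": 40},
    {"t": 4, "bytes": 30_000, "pkts": 210, "errors": 7},
    {"t": 5, "bytes": 33_000, "pkts": 240, "errors": 2},
]

def analyze(sample):
    """Step 3: reduce one sampled window to the metrics the thresholds refer to."""
    pkts = sample["pkts"]
    return {"bytes_per_sec": sample["bytes"], "pkts_per_sec": pkts,
            "error_rate": sample["errors"] / pkts if pkts else 0.0}

def check(metrics, thresholds):
    """Names of the metrics that exceed their threshold, sorted for stable output."""
    return sorted(m for m, v in metrics.items() if v > thresholds[m])

def readjust(baseline, thresholds, k=3.0):
    """Step 4: move each threshold to mean + k*stddev of the windows that did not
    alert. Alerting windows are excluded so an incident cannot raise the baseline."""
    if len(baseline) < 2:          # not enough normal data; keep what we had
        return dict(thresholds)
    new = {}
    for m in thresholds:
        vals = [b[m] for b in baseline]
        new[m] = mean(vals) + k * pstdev(vals)
    return new

def run(samples, thresholds):
    """Apply steps 2-4 over a batch of samples: returns (alerts, readjusted thresholds)."""
    alerts, baseline = [], []
    for s in samples:
        metrics = analyze(s)
        breached = check(metrics, thresholds)
        if breached:
            alerts.append((s["t"], breached))
        else:
            baseline.append(metrics)
    return alerts, readjust(baseline, thresholds)

if __name__ == "__main__":
    found, tuned = run(SAMPLES, THRESHOLDS)
    print("alerts:", found)
    print("readjusted thresholds:", {m: round(v, 4) for m, v in tuned.items()})
```

Because the readjusted thresholds follow the observed baseline, a quiet period can pull them low enough to become noisy; production tools usually clamp each threshold to an administrator-set floor.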
DISCOVER: ROLES
Role of Encryption in the System/Application Domain
• File encryption
• Folder/directory encryption
• Volume/drive encryption
• Application encryption
• Database encryption
• Backup encryption
DISCOVER: RATIONALE
Best Practices for Compliance Requirements
• Establish physical controls to protect the data center.
• Use at least one firewall to limit network traffic from other domains to only authorized traffic.
• Use network access control (NAC) devices to restrict computers and other devices from connecting to System/Application Domain components.
• Connect critical server computers using high-speed network media.
• Define user- or group-based access controls for each computer in the domain.
• Use application-defined access controls to limit access to data.
• Allow low-privilege users to establish connections only between the Internet-facing servers in the demilitarized zone (DMZ) and System/Application Domain servers.
• Allow only escalated-privilege user connections that originate from protected Web servers, where users can connect only by using a secure VPN.
• Update operating systems frequently with the latest security patches on all computers.
• Update all application software frequently with the latest security patches.
• Follow best practices for software development and software modification.
• Create a business continuity plan (BCP) and a disaster recovery plan (DRP).
  • Keep the documents up to date
  • Test the BCP and DRP at least annually
• Protect all backup media in transit and in storage.
• Ensure all backup media is encrypted.
• Encrypt all sensitive data when it is stored on disks.
• Use application-monitoring software to identify performance or availability issues.
Summary
• How compliance law requirements relate to business drivers for the System/Application Domain
• Devices and components found in the System/Application Domain
• Application traffic and performance issues, and how to maximize confidentiality, integrity, and availability (C-I-A) for the System/Application Domain
• System/Application Domain policies, standards, procedures, and guidelines
• Best practices for System/Application Domain compliance
Lab
Auditing the System/Application Domain for Compliance
Auditing IT Infrastructures for Compliance
Chapter 13
Compliance Within the Remote Access Domain
Learning Objective
Describe information security systems compliance requirements within the seven domains of an IT infrastructure.
Key Concepts
• How compliance law requirements relate to business drivers for the Remote Access Domain
• Devices and components found in the Remote Access Domain
• VPN tunneling and performance, and validating Remote Access Domain configuration
• Remote Access Domain policies, standards, procedures, and guidelines
• Best practices for Remote Access Domain compliance
DISCOVER: CONCEPTS
Remote Access Domain
Business Drivers and Compliance
• Remote users require access to the internal network
• The organization provides the remote access service
• Secure data transmission is required by law, such as the Health Insurance Portability and Accountability Act (HIPAA)
Components in the Remote Access Domain
• Remote users
• Remote workstations or laptops
• Remote access controls and tools
• Authentication servers: RADIUS, TACACS+
• VPNs and encryption
• Internet service provider (ISP) WAN connections
• Broadband Internet service provider WAN connections
Adhering to Policies, Standards, Procedures, and Guidelines
• Each organization has different needs and uses different controls
• Plans should address one or more C-I-A properties
• Controls should support the organization’s security policy
Common Compliance Controls
Preventive
• Proxy server
• Firewalls
• User-based access controls for all resources
• Configuration change control
Detective
• Performance monitoring
• Traffic analysis
• Configuration settings monitoring
• Penetration testing
Corrective
• VPN/remote access component patching
• Attack intervention
• Business continuity planning (BCP)
• Disaster recovery planning (DRP)
VPN Tunneling Concepts
• A VPN encrypts traffic transported through the VPN tunnel
• Encryption is optional
• The “private” part of VPN refers to private addressing, not data privacy
• The administrator must identify and validate who is using remote access
DISCOVER: PROCESS
C-I-A Triad
Maximizing C-I-A
Step 1: Verify that traffic is encrypted.
Step 2: Configure routers for IPsec encryption.
Step 3: Validate packet encryption.
Step 4: Schedule regular check-ups.
VPN Monitoring
• Creation of the VPN connection
• Remote access connection
• Remote computer logon
Monitoring VPN Traffic
Step 1: Monitor data for modification in transit.
Step 2: Verify secure data transmission.
Step 3: Use a proxy filter.
Step 4: Log and review data.
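One way to carry out "verify that traffic is encrypted" and "validate packet encryption" from the Maximizing C-I-A steps, and the "log and review data" step above, as an added example that is not from the textbook: sampled tunnel payloads are scored by byte entropy and printable-character ratio, and anything that still looks like plaintext is written to a review log. The packets are constructed inline, and the length, entropy and printable-ratio thresholds are assumptions.

```python
import math
import random
from collections import Counter

MIN_LEN = 256        # assumed: shorter payloads cannot show meaningful entropy
MIN_ENTROPY = 7.0    # assumed: bits per byte; 1 KB of ciphertext sits near 7.8
MAX_PRINTABLE = 0.6  # assumed: random bytes are ~38% printable ASCII by chance

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in data) / len(data)

def classify(payload: bytes) -> str:
    """'encrypted' (high entropy, few printable bytes), 'plaintext', or
    'too-short' when the payload is under MIN_LEN and cannot be judged."""
    if len(payload) < MIN_LEN:
        return "too-short"
    if (shannon_entropy(payload) >= MIN_ENTROPY
            and printable_ratio(payload) <= MAX_PRINTABLE):
        return "encrypted"
    return "plaintext"

def review_log(packets):
    """One record per packet; 'review' is True where plaintext crossed the tunnel."""
    log = []
    for pkt in packets:
        verdict = classify(pkt["payload"])
        log.append({"src": pkt["src"], "dst": pkt["dst"],
                    "len": len(pkt["payload"]),
                    "entropy": round(shannon_entropy(pkt["payload"]), 2),
                    "verdict": verdict, "review": verdict == "plaintext"})
    return log

# Constructed sample packets, not real captures. Seeded pseudo-random bytes
# stand in for ESP ciphertext; the second payload is an unencrypted HTTP request.
_rng = random.Random(2016)
CIPHERTEXT = bytes(_rng.getrandbits(8) for _ in range(1024))
PLAINTEXT = (b"GET /records?patient=12345 HTTP/1.1\r\nHost: intranet.example\r\n"
             b"User-Agent: constructed-sample\r\n\r\n") * 6
PACKETS = [
    {"src": "203.0.113.10", "dst": "198.51.100.5", "payload": CIPHERTEXT},
    {"src": "203.0.113.11", "dst": "198.51.100.5", "payload": PLAINTEXT},
    {"src": "203.0.113.12", "dst": "198.51.100.5", "payload": b"\x00" * 40},
]
```

Calling review_log(PACKETS) returns one record per packet, with only the HTTP request marked for review; compressed plaintext also scores high on entropy, so a passing score confirms the tunnel is not leaking readable data rather than proving a cipher is in use.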
DISCOVER: ROLES
Role of Remote Access Tools
• Authorize users and nodes
• Verify privacy settings
• Monitor VPN performance
• Change configuration settings
• Add necessary controls for security
• Maintain components of the recovery process
• Add, change, and remove hardware components
DISCOVER: CONTEXTS
Remote Access Domain Security Compliance
Three main areas of concern:
• Client-side configuration
• Server-side configuration
• Configuration-management verification
Remote Access Domain Security Compliance
• Evaluate controls for coverage of C-I-A
• Validate controls
• Ensure data privacy
Remote Access Domain Configuration Validation
Validate the following:
• VPN client definition and access controls
• TLS/VPN remote access via a Web browser
• VPN configuration management
DISCOVER: RATIONALE
Best Practices for the Remote Access Domain
• Map your proposed remote access architecture, including redundant and backup connections.
• Install at least one firewall between your VPN endpoint and your internal network.
• Select a VPN provider that your clients can easily access.
• Use global user accounts whenever possible.
• Use strong authentication for all user accounts.
• Create a limited number of administrative accounts with permissions for remote administration.
• Develop a backup and recovery plan for each component in the Remote Access Domain.
• Implement frequent update procedures for all operating systems, applications, and network device software and firmware in the Remote Access Domain.
• Monitor VPN traffic for performance and suspicious content.
• Carefully control any configuration setting changes or physical changes to domain nodes.
• Require encryption for all communication in the Remote Access Domain.
• Enforce anti-malware minimum standards for all remote computers as well as server computers in the Remote Access Domain.
Summary
• How compliance law requirements relate to business drivers for the Remote Access Domain
• Devices and components found in the Remote Access Domain
• VPN tunneling and performance, and validating Remote Access Domain configuration
• Remote Access Domain policies, standards, procedures, and guidelines
• Best practices for Remote Access Domain compliance
Lab
Auditing the Remote Access Domain for Compliance