Perimeters Aren’t Dead – They’re Valuable

Marcus Ranum

Since I first began building internet firewalls in the late 1980s, I have periodically encountered claims that “the perimeter is dead” or “firewalls don’t work.” These claims are rather obviously wrong: your firewall or perimeter is simply a way of separating things so you can organize them better. An internet firewall is an organizing principle between “stuff that’s not your problem” (the internet) and “stuff that’s your problem” (your network).

At a finer level of detail, you might apply other organizing principles such as “my data center” and “the unmanaged cloud of desktops” or “our PCI cloud.” If you think of firewalls or perimeters as a way of organizing the various entities you deal with, you’ll be able to better understand your strategic objectives for where data moves, how it moves and where it sits. Without that type of organization, the idea of a network that is “yours” is purely imaginary.

If you think about firewalls and perimeters as an organizing principle, you’ll be able to see how single servers can be a “cloud of one” whether they’re on premise or off, and you can think about the trust relationships between remote servers and internal services. It’s a valuable mental tool, in other words.

We (or rather management) also can make mistakes by forgetting there is a persistent management cost for design. Organizing your computers and thinking about where data moves and how it is stored is expensive. It takes understanding and thought to design this stuff, and if it’s not done right, you wind up with a mess. A typical mess might be: “everything can talk to everything,” which is certainly easy to set up, requires no ongoing management, and is – for all intents and purposes – impossible to secure. It seems to me that a lot of executives expect tremendous cost-savings from moving to the cloud, but they don’t realize that you still need good systems people (to manage the cloud systems using the cloud providers’ interfaces) and governance/analysis (to think about where your data is moving and why). In other words, the thinking is the hard part.

Beyond security, it’s important to think about performance and reliability. If you figure out where your most important servers and data are, you can optimize your network architecture to guarantee best performance where it needs to be. Otherwise, in an “everything can talk to everything” network, your only option for performance tuning is to make everything faster. That’s an important distinction to keep in mind as we collectively move to software-defined networks. The organizing principle that leads to securing your data is also the organizing principle that allows you to optimize your data paths.

A senior IT person at a large enterprise told me, “We have web services all over the place. We use a vulnerability scanner to identify systems that are offering up data on port 80, then we track them down and analyze them.” Think about that for a second! If the organization has a purely reactive governance model like this, how will that enterprise move to a high-performance software-defined network? To map out your performance requirements, you need to know where the data is going to flow. You cannot do that if you’re permanently reverse-engineering your design using what I call “forensic network architecture.”

When we talk about disaster recovery or data backups, the same reasoning applies: you can’t back up your data if you don’t know where it is (organizing principle: data perimeter), and you can’t identify which systems need to be recoverable/reliable if you don’t know which they are (organizing principle: data center perimeter). None of this is a new problem, but, unfortunately, a lot of organizations are going to keep kicking the can down the road, so they can preserve their hard-won ignorance about what’s going on inside their perimeter.

Editor’s note: For more of Marcus Ranum’s insights on this topic, download The Vaguely Defined Perimeter.

Beyond GDPR Compliance – How IT Audit Can Move from Watchdog to Strategic Partner

Omo Osagiede

IT auditors can act as strategic but independent partners to businesses currently working toward compliance with the European Union General Data Protection Regulation (GDPR), scheduled to come into enforcement on 25 May 2018.

Executive management increasingly expects the audit function to add more value to the business as a subject matter expert in all areas of risk management, as well as by supporting key business objectives and strategic initiatives. GDPR compliance is fundamentally a risk management exercise, which the audit function is well equipped to support.

Technology breaks down organizational silos
GDPR requirements require attention and remediation expertise from various functions within the business, including human resources, legal, compliance, marketing, communications and IT. For compliance efforts to succeed, the unintentional walls that often exist between these functions need to be broken.

While GDPR compliance is not solely a technology issue, technology acts as a common denominator across business processes and plays a significant role in the collection, processing, storage and transfer of personal data. This is the reason IT auditors in particular can use their overarching view of technology across the organisation to highlight interdependencies and gaps in GDPR compliance efforts.

In addition to supporting a robust control environment, IT auditors can act as risk consultants while maintaining their auditor independence.

During remediation activity made necessary by GDPR compliance, IT auditors should establish strategic partnerships within the business through:

  • Leveraging their understanding of the technology landscape to provide a big picture view of data risk beyond individual remediation workstreams;
  • Highlighting control interdependencies and escalating potential control design gaps through early identification;
  • Advocating for data privacy risk to be considered and prioritized within IT transformation activities.

Below are five examples of GDPR compliance workstreams and technology domains where IT audit can add value by providing an independent view.

1. Data Protection Impact Assessments (DPIA)
IT auditors acting as subject matter experts can help facilitate discussions so that the risks and impact of processing personal data are considered as early as possible when initiating new IT projects or vendor relationships.

The early identification of data protection risks through DPIA exercises is a significant step for successful implementation of privacy-by-design within:

  • The existing data processing estate;
  • In-flight IT projects (development and acquisition); and
  • Future technologies and longer-term IT changes.

Beyond merely satisfying compliance requirements, IT auditors should help the business take a longer-term view by institutionalising data protection impact assessments (Article 35) and fostering new ways of thinking about the impact of privacy on data processing activities.

2. Data Governance and Data Flows
Organizations (data controllers and data processors) must demonstrate their compliance with GDPR by maintaining records of processing activities under their responsibility and implementing technical and organizational measures (Article 32).

This requirement aligns perfectly with the main objective of data governance – to ensure the management of data as a strategic business asset in order to derive maximum value.

Effective data governance involves understanding data flows within business processes and ensuring the stewardship of data through activities such as developing data architectures, implementing quality management, data integration and meta-data management.

As organizations develop and maintain records of their personal data processing, IT auditors can provide a view on data flow mapping activities. Key questions to ask business representatives include:

  • What personal data items are being collected and in what formats?
  • At what point in the data flow is lawful processing of personal data determined? 
  • Can storage locations and formats easily facilitate the enforcement of data subject rights, including subject access requests, right-to-erasure, rectification and portability?

IT auditors can help facilitate evaluations of the completeness of data flows by sharing good practices from their experience in mapping business processes during scoping activity.


3. Risk-Based Data Protection Controls
While it may be tempting to rush toward implementing encryption and pseudonymisation as solutions to data protection, it is important to question whether these controls are necessary in the first place (see GDPR Recital 28). Other protection strategies might be more appropriate, depending on the risk.

Where a risk assessment determines that pseudonymization is required as a method of data protection, IT auditors can help the business consider whether:

  • System design permits the attribution of pseudonymized data to natural persons (data subjects) through inadvertent data enrichment;
  • Domain segregation is applied to separate attribution data from pseudonymized data; and
  • Access to meta-data is appropriately restricted.

By challenging the business to consider the real risks to data, it is possible to arrive at pragmatic solutions for data protection, which may include applying controls like pseudonymization.

4. Big Data and Machine Learning
According to the EU Agency for Network and Information Security (ENISA), “The extensive collection and further processing of personal information in the context of big data analytics has given rise to serious privacy concerns, especially relating to wide scale electronic surveillance, profiling, and disclosure of private data.”

While unlocking the business value of data is a critical part of any digital agenda, businesses must thoroughly consider the potential impact on data subjects from unfair/biased data models, inaccurate analysis and prediction of future events (such as using methods such as machine learning), and profiling (Article 22).

IT auditors can challenge data scientists within their organizations to consider questions such as:

  • Fairness: How do you ensure that big data algorithms are not repurposed in unexpected ways to draw unexpected conclusions about data subjects?
  • Data minimization: How do you avoid excessive data collection, manage data retention (including secondary uses of data) and guarantee data subject rights?
  • Data protection: How do you ensure privacy enhancing technologies (PETs) are designed by default into big data solutions?

5. Data Processing in the Cloud
While IT auditors’ focus on cloud computing is not new, GDPR compliance requires renewed attention on data processing performed by third parties, including cloud service providers (CSPs).

Data privacy/protection-related control considerations for cloud-based data processing include:

  • Maintaining accurate records of cloud-based processing;
  • Establishing data processing location controls within cloud architectures;
  • Ownership of master keys for encrypting data-at-rest and data-in-transit;
  • Contractual definitions of controller, processor and sub-processor responsibilities; and
  • CSP support for the enforcement of data subject rights (e.g., right-to-erasure).

Rather than a sprint to the finish line, organizations must see GDPR compliance as a marathon toward the goal of institutionalizing data privacy and data protection in the corporate culture. IT auditors can support this cultural change by looking beyond annual IT audit calendars and one-off GDPR-related audit engagements.

Through early and consistent engagement with the business through conversations, training and workshops, the IT audit function can mature from its traditional focus as a control watchdog to become a strategic business partner supporting longer-term organizational objectives.

CIS Audit/Assurance Program Helps Enterprises Navigate Risk

Paul Phillips

We live in a world full of risk, and nowhere is risk more prevalent than in technology.

The Center for Internet Security (CIS) has recommended 20 critical security controls to respond to threats and vulnerabilities associated with the internet. The premise is that proper implementation of these controls will mitigate the risks of damage, unauthorized alteration or theft of information and technology assets. However, when it comes to risk mitigation, how much is enough? How much reduction of risk is required? In other words, what is the risk appetite of the enterprise?

This varies from company to company depending on multiple factors, such as the industry in which it operates, the type of service or product provided, the current economic climate and companies’ financial position. Risk appetite also depends on the overall risk landscape. As evidenced by a continual wave of news reports, the cyber arena is full of threats designed to steal, destroy, alter or simply gain unauthorized access to information assets.

In this digital world, it stands to reason that management is increasingly cognizant of cyber threats that endanger its assets. Managing these risks could benefit immensely from a cybersecurity audit. While the CIS Controls Audit/Assurance Program is not designed to provide assurance beyond the security program of an enterprise, the controls are presented in a prioritized fashion to assist the enterprise in leveraging its potentially limited resources to protect key assets and realize the most benefit.

The purpose of an audit is to assess the efficiency and effectiveness of current controls and provide a level of assurance that assets are adequately protected and accessible to authorized users when needed.

To ensure proper safeguards are in place, management should not rely solely on the CIS Controls IS Audit/Assurance Program. Audits of other pertinent operational processes should take place. A holistic approach is necessary and requires a strategic partnership between the board of directors, senior management, IT and functional business units, and audit. While the board of directors provides guidance and direction, management is responsible for executing based on those directives. This holistic approach can result in the creation and implementation of policies and processes that are designed for business value, as well as the security of all company assets.

PowerShell: A Powerful Tool for Auditors

Adam Kohnke

Some auditors may not know it, but a useful audit tool has been sitting right at your fingertips all along. The tool is PowerShell, a command-line utility you can use to answer many useful audit questions during your engagements. The benefits to the auditor are at least twofold: it allows you to save time by directly gathering authoritative information from the environment, and it helps you develop a useful industry skill with universal appeal.

First, you must be provided access to the tool on your desktop. Second, you must point PowerShell to directly query Active Directory for the information you want. This is accomplished using the Set-Location AD: command after launching PowerShell. Once issued, your prompt should change to reflect that you are executing queries against an Active Directory domain controller, so it looks like this: PS AD:\>. All the commands below can be paired with Out-GridView or Out-File to provide report-based output.

Get-ADPrincipalGroupMembership: This command generates a complete list of security groups where a particular user account is a member. From an audit perspective, you can identify potential segregation of duty conflicts or assess the appropriateness of access based on defined job responsibilities.

Get-ADGroupMember: This is the inverse of the previous command, and provides a list of user accounts that exist in a particular security access group. This command also can be useful to test access authorizations for appropriateness.

Get-ADUser <username> -Properties *: A slightly more complex example, this command provides a more detailed output for a single, specific user account. From an audit perspective, this helps determine when an account was created, whether the account is enabled, when the account last logged onto the network, and if and when bad password attempts occurred. This command can be combined with other PowerShell commands using the vertical pipe symbol (|) above the Enter key to generate more complex data sets. Similar commands exist for Organizational Units, Service Accounts and Groups – just swap User in the above command with these terms.

Get-Hotfix: This simple and effective command provides a list of Microsoft patches applied to a specific machine or set of specified machines, which is helpful when auditing compliance with patch cycles and the overall patch management process. The command provides the specific type of installed items (whether it’s an actual hotfix, update or security update), the time the item was installed and the user account that installed the patch.

Get-ADObject: Using the -Filter and -Properties parameters with this command allows an auditor to understand when certain object classes, such as security groups, initially came into existence, among other useful information. This information can be compared to monitored groups to detect changes and determine the effectiveness of logging controls.

Honorable mentions: Get-Forest, Get-Domain, Get-GPResultantSetOfPolicy and Get-GPO all allow successful profiling of the current AD environment. As a result, an auditor can understand functional levels of the forest and domain, which servers are acting in flexible single master operation (FSMO) roles, which servers serve as catalog servers and much more. These commands are a useful basis for planning any Active Directory audit.
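As an added example (not code from the original post), the script below strings the cmdlets above together into one evidence-gathering run and writes each result to a CSV file an auditor can attach to the workpapers. It assumes the ActiveDirectory module (RSAT) is installed, and the user jdoe, the group Domain Admins, the server FS01 and the output folder are placeholders to replace.

```powershell
#Requires -Modules ActiveDirectory
# Added audit-evidence script (illustrative; not part of the original post).
# Placeholders: jdoe, Domain Admins, FS01 and $OutDir.
[CmdletBinding()]
param(
    [string]$User          = 'jdoe',            # sAMAccountName under review
    [string]$Group         = 'Domain Admins',   # sensitive group to enumerate
    [string]$Server        = 'FS01',            # server whose patches are reviewed
    [int]   $GroupAgeDays  = 90,                # look-back window for new groups
    [string]$OutDir        = "$env:USERPROFILE\Desktop\AD-Audit"
)

# The AD cmdlets work from any location once the module is loaded;
# the AD: drive is only needed if you want to browse the directory.
Import-Module ActiveDirectory
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Out-Evidence {
    # Small helper: write a result set to <OutDir>\<name>.csv for the workpapers.
    param([Parameter(ValueFromPipeline)]$InputObject, [string]$Name)
    begin { $rows = @() }
    process { $rows += $InputObject }
    end {
        $rows | Export-Csv -Path (Join-Path $OutDir "$Name.csv") -NoTypeInformation
        Write-Host ("{0,-22} {1,5} row(s)" -f $Name, $rows.Count)
    }
}

# 1. Account profile: creation date, enabled flag, last logon, bad-password history.
$acctProps = @('whenCreated', 'Enabled', 'LastLogonDate', 'PasswordLastSet',
               'badPwdCount', 'LastBadPasswordAttempt', 'Description')
Get-ADUser -Identity $User -Properties $acctProps |
    Select-Object SamAccountName, Enabled, whenCreated, LastLogonDate,
                  PasswordLastSet, badPwdCount, LastBadPasswordAttempt, Description |
    Out-Evidence -Name "$User-account"

# 2. Segregation-of-duties view: every group the user belongs to.
Get-ADPrincipalGroupMembership -Identity $User |
    Select-Object Name, GroupCategory, GroupScope, DistinguishedName |
    Sort-Object Name |
    Out-Evidence -Name "$User-groups"

# 3. Inverse view: who holds the sensitive group; -Recursive expands nested groups,
#    which is where access-authorization reviews usually find surprises.
Get-ADGroupMember -Identity $Group -Recursive |
    Select-Object SamAccountName, Name, objectClass, DistinguishedName |
    Out-Evidence -Name ("group-members-" + ($Group -replace '\s', '_'))

# 4. Groups created inside the look-back window, to reconcile against change tickets
#    and the monitored-group list (tests whether group-creation logging is effective).
$since = (Get-Date).AddDays(-$GroupAgeDays)
Get-ADObject -Filter { objectClass -eq 'group' -and whenCreated -ge $since } `
             -Properties whenCreated, whenChanged |
    Select-Object Name, whenCreated, whenChanged, DistinguishedName |
    Sort-Object whenCreated -Descending |
    Out-Evidence -Name "groups-created-last-$GroupAgeDays-days"

# 5. Patch evidence for one server: what was installed, when and by whom.
Get-HotFix -ComputerName $Server |
    Select-Object PSComputerName, HotFixID, Description, InstalledOn, InstalledBy |
    Sort-Object InstalledOn -Descending |
    Out-Evidence -Name "$Server-hotfixes"

# 6. Forest/domain profile for audit planning. In the ActiveDirectory module the
#    cmdlets are Get-ADForest and Get-ADDomain; they expose functional levels,
#    FSMO role holders and the global catalog servers.
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    ForestName           = $forest.Name
    ForestMode           = $forest.ForestMode
    DomainName           = $domain.DNSRoot
    DomainMode           = $domain.DomainMode
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    GlobalCatalogs       = ($forest.GlobalCatalogs -join '; ')
} | Out-Evidence -Name 'forest-domain-profile'
```

Run it from a workstation joined to the audited domain with an account that has read access to the directory; replace `Out-Evidence` with `Out-GridView` on any step to inspect the result interactively instead of writing a file.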

Does the HIPAA Privacy Rule Apply to Elementary and Secondary Schools?

Pamela Burks

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires covered entities to protect individuals’ health records and other identifiable health information. This protection is achieved through implementing appropriate privacy safeguards and by setting limits and conditions around the uses and disclosures of that information that may be made without patient authorization.

An organization’s obligation to meet these requirements under HIPAA may arise from engaging in covered transactions or from being a covered entity. As defined by the U.S. Department of Health and Human Services, covered transactions are those involving the transmission of health information electronically in connection with certain administrative and financial transactions (45 CFR § 160.103 and 45 CFR Part 162, Subparts K–R). Similarly, an organization is a covered entity if it is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits any health information in electronic form in connection with covered transactions (45 CFR § 160.103).

Given the criteria for covered entities and covered transactions, are elementary and secondary schools subject to HIPAA? In making this determination, consider covered entities first. Even though a school employs nurses, physicians, psychologists or other healthcare providers, the school is not generally a HIPAA-covered entity because the providers do not engage in any covered transactions, such as billing a health plan electronically for their services. Looking secondly at covered transactions, there may be instances where the practitioners listed above (school nurses, physicians, psychologists or other health providers) may conduct one or more covered transactions, such as electronically transmitting healthcare claims to a health plan for payment. If so, the school becomes a HIPAA-covered entity and must comply with the HIPAA Transactions and Code Sets and Identifier Rules with respect to such transactions.

Even in these cases, however, some schools would not be required to comply with the HIPAA Privacy Rule due to an exception created through the Family Educational Rights and Privacy Act (FERPA). FERPA applies to educational agencies and institutions that receive funds under any program administered by the U.S. Department of Education (DOE). This includes virtually all public schools and school districts, as well as most private and public postsecondary institutions, including medical and other professional schools.  Under FERPA, schools are deemed to maintain health information only in student health records that are classified as “education records.” As education records, public elementary or secondary school student health information is excluded from HIPAA due to protection of those records under FERPA.

For private and religious schools at the elementary and secondary level that generally do not receive funds from the Department of Education (DOE), exclusion for HIPAA requirements due to FERPA does not apply. It is worth noting that a private school is not made subject to FERPA just because its students and teachers receive services from a local school district or state educational agency that receives funds from the DOE. The school itself must receive funds from a program administered by the Department of Education to be subject to FERPA. For example, if a school district places a student with a disability in a private school that is acting on behalf of the school district with regards to providing services to that student, the records of that student are subject to FERPA; the records of the other students in the private school are not covered under FERPA.

So, in most cases, elementary schools are neither covered entities nor do they engage in covered transactions that would require them to comply with HIPAA. However, the type of school (public or private) as well as receipt of funds from a program administered by the Department of Education, are considerations in making a final determination of an obligation to comply with HIPAA.

Editor’s note: For additional resources on this topic, download ISACA’s HIPAA Audit/Assurance Program.

Five Questions with Best-Selling Author and North America CACS Keynoter Erik Wahl

Erik Wahl

Editor’s note: Erik Wahl, internationally recognized artist and best-selling author, will deliver the opening keynote address at North America CACS 2018, to take place 30 April-2 May, 2018, in Chicago, Illinois, USA. Wahl, whose new book, The Spark and the Grind, explores translating ideas into action, visited with ISACA Now to provide his artist’s perspective on embracing innovation and risk. The following is an edited transcript:

ISACA Now: What are the biggest keys for enterprises to successfully translate ideas into action?
The biggest keys are discipline and structure. The fun paradox about creativity is that structure creates freedom. The more disciplined we are about the process of generating ideas, the more momentum we have to translate those ideas into actionable substance. Creativity without discipline is like a river without banks.

ISACA Now: Some might consider innovation to be an overused word in the enterprise context – what does innovation mean to you?
Innovation is how we differentiate from the competition and create unique customer experiences. Innovation is not a single event or design, but rather innovation is a way of thinking, a way of processing information, exploring and solving problems. Innovation is the ability to see what everyone else sees logically with their eyes but thinking like no one has ever thought before.

ISACA Now: What keeps many businesses from operating in more agile fashion?
Historical precedent and complacency are the recipe for business failure.

ISACA Now: Which new technologies do you consider to be most promising for society?
Artificial intelligence will have the greatest impact on our future. AI will automate our lives and free up our most valuable resource – time.

ISACA Now: How can an artistic inclination be helpful in a business context?
Artistic inclinations are like “exercises” that stretch our mind. Art leads us into expansive solutions and how to think laterally (like how to navigate ambiguity and how to master complexity). Art awakens our humanity and raises our intuition and emotional intelligence in an increasingly automated world.

Windows File Server Versions – Are Functionality Changes Necessarily a Headache?

Robin Lyons

The security risk of running an unsupported version of Windows File Server is not at the top of the IT topic debate list. Most will concur that enterprises electing to use an unsupported version of Windows may expose themselves to security vulnerabilities.

These vulnerabilities arise because the patches and fixes that were formerly provided by Microsoft are no longer available. As a result, the enterprise may incur additional operational costs as it identifies (and sometimes purchases) its own solutions to vulnerabilities. Beyond that, there may also be compliance implications of running an unsupported version of Windows. For example, under section 6.2 of the Payment Card Industry Data Security Standard (PCI DSS), there is a requirement that organizations complying with PCI DSS must “ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.” So, for the IT auditor, this means that assurance around Windows File servers is broader than security: operational and compliance considerations should be on the radar as well.

IT auditors should also remain cognizant of functionality changes in different versions of Windows. For those who have been in the Information Technology realm for some time, Windows File Server functionality changes appear to be steady and, at times, significant. These functionality changes present opportunities to audit familiar areas such as access management, authentication, patch management, incident response, and physical security. In looking at these areas, IT auditors may consider the following:

  • Access control management – Domain membership and exclusion from the perspectives of aligning administrator access with the administrator’s particular role, as well as the period of time that the administrator needs the access.
  • Network security – Configuration management topics such as separation of virtual machines, port restriction and remote server management.
  • Operating system security – Hardening, encryption, logging/monitoring and patch management.
  • Incident management – In addition to intrusion monitoring, this section also considers emergency change management.
  • Physical security – Physical security policies and procedures that lend greater assurance of data integrity, confidentiality and availability.

Beyond the audit, there are opportunities for IT auditors to collaborate with their organizations. For example, organizations do not automatically apply each patch that Microsoft provides. Given that, IT auditors may have an opportunity to partner with management to assess the risks and benefits of applying certain patches. Also, Windows File Server functionality changes can provide career development opportunities for IT auditors. Looking at remote server management may be a learning moment for IT auditors whose experience has been primarily in a physical server environment. Lastly, IT auditors can assist with identification of those compliance-related server issues – before they become issues.

Editor’s note: For more resources on this topic, download ISACA’s Windows File Server Audit/Assurance Program.

Evolving Technology Calls for More Disciplined Approach From Auditors

Mohammed J. Khan

The concept of the Software Development Life Cycle (SDLC) is a natural mechanism of an organization that develops, co-manages and supports digital code as part of its technology ecosystem. The many rules and theories behind SDLC processes have existed since the very first time we embarked as humankind to program logic into machines.

As the maturity of our technology increases, along with the ability of humankind to traverse into faster and more efficient coding, an even more disciplined approach to how we approach code in our environments is required. The basic premise of SDLC processes is not only to achieve, maintain and audit compliance with regulations, but also to ensure all code management in the ecosystem follows good management and development practices. It drives common practice across portfolios of code, and it consistently helps drive the single rule of thumb, which is to reduce cost and increase efficiency, all while being compliant and risk-averse. Delivery in a common methodology, and consistent deliverables to the stakeholders – regardless of the type of platform that is getting developed, enhanced and maintained – is another critical component.

The objectives of the ISACA-developed Software Audit/Assurance Program are primarily to inform management regarding the effectiveness of software assurance governance, application development, verification and review, and deployment. The audit/assurance review will rely upon other IT governance audits, including those covering identity and access management, operational areas and third-party management of software assurance. The software audit/assurance program seeks to:

  • Provide developers and auditors with a methodology for managing and evaluating end-to-end software development
  • Identify control areas in the categories of governance, software development, verification and review, and deployment
  • Evaluate the effectiveness of the enterprise’s existing software development methodology

The software audit/assurance program encompasses the following domains:

  • Governance
  • Software development
  • Verification and review
  • Deployment

Keep in mind there needs to be a framework to abide by and discipline in order to achieve maximum conformance to the rules of code management. Pragmatically, challenging one’s organization not to create red tape that impedes creativity is important. However, one must also regulate the creativity in a streamlined channel, which results in a better environment that is balanced for maximum efficiency of the transformation and the “keeping the lights on” process of a company’s typical software ecosystem.

Understanding Your Core Values - A Key to an Authentic YOU

Ookeditse Kamau

I was chatting with a colleague from our legal team, and he made a remark that he was “learned.” This is how the legal counselors refer to each other when they’re in a jovial mood.

I answered back and said auditors are the most ethical professionals. Although intended as a joke, I believe that, as auditors, we ought to understand our core values in order to provide quality service to our stakeholders. I asked myself what values resonate with being ethical. Before I Googled the values that resonate with acting in an ethical manner, I decided to test myself. I Googled a good resource on what values are and took a journey of discovery. I found a good piece written by MindTools, and then decided to select my top 10 values. The process was iterative, and I had to go through several rounds to come close to what I classified as my top 10 values. At first, I selected more than 10. To narrow the list to 10, I had to deal with the following challenges:

Selecting similar values
The greatest challenge came from selecting very similar values. I had to streamline some of these values, such as belonging and teamwork, which are very much related. The root value for my belief in teamwork is the need to belong. If you belong, you need to contribute. Related values in a way identify your true core values. Use similar values to understand why things matter to you. It is critical that you analyze the strength of the relation and where similarity exists but there is no deep root, and drop such a value from the list.

Conflicting values
There are other values that seem to conflict, but you know they both belong to your core values. As already noted, I value belonging, but I am very much self-reliant. I don’t like asking for help. I love to figure it out on my own. Although it might seem contradictory to my views on belonging and teamwork, the values are very much complementary to each other. You need to contribute. Teamwork is not necessarily burdening others or you doing things for others, but it means each party working toward a common goal. So, don’t disregard those values that seem like they may be conflicting. Thoroughly analyze each value and its meaning to you.

Ideal values
The last challenge I faced was the “ideal” values – those values you wish to fight for to the core but, when looking through your decisions, they don’t reflect that. I guess they fall in the “weakness” bucket. You do have it somewhere in you. For example, in the list of generic values by MindTools, there was a value defined as structure. The audit process in itself is a structured approach, but structure is not in my top list of values. Other than keeping a clean audit file, I tend to be a bit unstructured, but I have benefited from the structured thinking that comes from being an auditor. So, it’s an ideal value.

The next phase in my journey was comparing my top 10 values to ISACA’s professional code of ethics.

ISACA Code of Professional Ethics     My Values
Objectivity                           Belonging
Due diligence                         Expertise
Professional care                     Faith
Honesty                               Growth
Confidentiality                       Practicality
Professionalism                       Self-Reliance
Privacy                               Teamwork
Confidentiality                       Hard-work
Independence                          Honesty
Professional Education                Making a difference

If you have time, you can also check your values against your organization’s values. Human resource experts will say this is something you should have done before accepting your job offer, but organizational culture does not always align to its values. As mentioned earlier, this is an iterative process. There is a need to take time once in a while to review your values. This is also necessitated by the fact that your values are always challenged by the need for survival. A stressful time can be a sign to revisit your value score.

To make the right decisions and take correct actions when discharging your duties as an auditor, your values must be in line with your professional code of ethics. This is critical, as it is important in ensuring that you are less stressed and happier with the outcome of your assignments. When met with challenges during the audit, take time to evaluate your core values. Understanding your values and making decisions that align to values is the first step to the authentic YOU.

SSH Keys: The Unknown Access Gap

Fouad Khalil

As an audit practitioner, you know better than most the need to ensure the effectiveness of risk management, control and governance processes in your organization. This need is only amplified by the rapid development of technology solutions being deployed, as they add additional layers, which makes ongoing compliance even more challenging.

But what about your current environment? A hidden challenge for many audit and compliance professionals has been a 20-year-old “tool” that grants elevated or privileged access to all types of production environments: the Secure Shell (SSH). Awareness of this unknown access gap has been rising, driven primarily by practitioner guidance and industry events discussing the protocol, and unfortunately also by large security breaches (such as the Sony breach) that resulted from poorly managed SSH environments.

Security, audit and compliance professionals engaged in business-as-usual daily work struggle to maintain control and oversight. Add real-world threat activity to access paths that nobody has inventoried, and you have a disaster waiting to happen unless all access is properly accounted for and assessed.

This has been highlighted by ISACA’s new guidance, “SSH: Practitioner Considerations.” In collaboration with industry experts, practitioners and ISACA subject matter experts, the guidance provides an excellent overview of what SSH is, its background, assurance considerations and practitioner impacts and suggested controls.

The guidance helps to educate the audit community about the SSH protocol and what steps auditors need to take to ensure proper governance and continuous compliance of SSH key environments. It is imperative that organizations follow the outline in the guide, which walks you through SSH key life cycle management, including usage procedures, configuration management, ownership and accountability, deployment, provisioning, and governance.

Let us ask ourselves, “Why should we implement these controls?” It is simply to secure and protect our critical and sensitive data, and also to ensure the confidentiality, integrity and availability of our systems and data at all times.

SSH keys have been deployed for years without detection, ownership, provisioning or governance. In many cases, managing SSH keys has become a mundane task due to the sheer volume of keys that exist on every server, database, network appliance, etc. All organizations must adopt best practices, leverage automation, establish ongoing monitoring and auditing, and govern all access equally to ensure SSH access is authorized and that access falls within governance guidelines used for privileged access.
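An added example (not code from ISACA’s guidance or from the author) of the inventory and monitoring step described above: it parses authorized_keys contents collected from several hosts and flags the governance gaps the post names, namely keys with no identified owner, keys without from= or command= restrictions, deprecated ssh-dss keys, and one key trusted on many hosts. The host names, account names and key blobs are constructed sample data, not real keys.

```python
import base64
import hashlib
import re
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384")
# Leading options run up to the first whitespace that is outside double quotes.
OPTS_RE = re.compile(r'((?:[^\s"]+|"(?:[^"\\]|\\.)*")+)\s+(.*)$')

def parse_authorized_keys_line(line):
    """Return (options, keytype, blob, comment) for one authorized_keys line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):  # line begins with options such as from= or command=
        m = OPTS_RE.match(line)
        options, line = m.groups() if m else ("", "")
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    return options, parts[0], parts[1], (parts[2] if len(parts) == 3 else "")

def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' plus the unpadded base64 of the blob's digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(base64.b64decode(blob)).digest()).decode().rstrip("=")

def audit_keys(hosts):
    """hosts maps hostname -> authorized_keys text; returns (host, fingerprint, finding) tuples."""
    findings, seen_on = [], defaultdict(set)
    for host, text in hosts.items():
        for options, ktype, blob, comment in filter(None, map(parse_authorized_keys_line, text.splitlines())):
            fp = fingerprint(blob)
            seen_on[fp].add(host)
            checks = [(not comment, "no owner comment: nobody is accountable for this key"),
                      (ktype == "ssh-dss", "ssh-dss key: deprecated algorithm, rotate it"),
                      ("from=" not in options and "command=" not in options, "unrestricted key: no from= or command= option")]
            findings += [(host, fp, msg) for hit, msg in checks if hit]
    for fp, hs in seen_on.items():  # one key trusted on many hosts blurs ownership
        if len(hs) > 1:
            findings.append(("*", fp, "same key trusted on %d hosts: %s" % (len(hs), ", ".join(sorted(hs)))))
    return findings

# Constructed sample inventory; the blobs are base64 of placeholder bytes, not real keys.
SAMPLE_HOSTS = {
    "db01": "ssh-rsa a2V5LW9uZQ== dba@corp\n"
            'command="/usr/bin/rsync --server",from="10.0.0.5" ssh-ed25519 a2V5LXR3bw== backup@corp\n'
            "ssh-dss a2V5LXRocmVl\n",
    "web01": "ssh-rsa a2V5LW9uZQ== dba@corp\n"}
```

Running audit_keys(SAMPLE_HOSTS) on the constructed inventory yields six findings, including the dba key trusted on both hosts; in practice the host map would be filled from authorized_keys files gathered by your configuration management tooling.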

Given the pervasiveness and type of access granted by SSH, all audit professionals need to consider the insights from SSH: Practitioner Considerations: “Attesting to the state of access compliance is potentially incomplete without incorporating SSH keys. Ramifications of poorly managed SSH keys environments may lead to audit infractions and possibly a security breach.”
