IS Auditing Guideline: G33 General Considerations on the Use of Internet 

 


1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S4 Competence states, “The IS auditor should be professionally competent, having the skills and knowledge to conduct the audit assignment”.
1.1.2 Standard S5 Planning states, “The IS auditor should plan the information systems audit coverage to address the audit objectives and comply with applicable laws and professional auditing standards”.
1.1.3 Standard S6 Performance of Audit Work states, “The audit process should be documented, describing the audit work and the audit evidence that supports the IS auditor's findings and conclusions”.

1.2 Linkage to Complementary Guidelines and Procedures

1.2.1 Guidelines:

  • G22 B2C E-commerce Reviews
  • G24 Internet Banking

1.2.2 Procedures:

  • P2 Digital Signatures and Key Management
  • P3 IDS Review
  • P6 Firewalls
  • P8 Security Assessment—Penetration Testing and Vulnerability Analysis
  • P9 Evaluation of Management Controls Over Encryption Methodologies

1.3 Linkage to COBIT

1.3.1 Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s control objectives and associated management practices. To meet the responsibility, authority and accountability requirement of IS auditors, the processes in COBIT most likely to be relevant, selected and adapted are classified below as primary and secondary. The process and control objectives to be selected and adapted may vary depending on the specific scope and terms of reference of the assignment.
1.3.2 Primary:

  • M2—Assess internal control adequacy.
  • M3—Obtain independent assurance.
  • M4—Provide for independent audit.

1.3.3 Secondary:

  • PO6—Communicate management aims and direction.
  • PO7—Manage human resources.
  • PO8—Ensure compliance with external requirements.
  • DS1—Define and manage service levels.
  • DS2—Manage third-party services.
  • DS10—Manage problems and incidents.
  • M1—Monitor the process.

1.3.4 The information criteria most relevant to Internet use are:

  • Primary: effectiveness, efficiency and confidentiality
  • Secondary: availability, integrity and reliability

1.4 Need and Purpose for Guideline

1.4.1 IS auditors play a crucial role in responding to rapidly changing information technology, its associated vulnerabilities and potential exposures. The purpose of this guideline is to describe the recommended practices in performing a review of Internet use, access to and/or connections. An IS auditor should be able to identify, document, test and evaluate the controls and the associated risks to achieve relevant control objectives to protect an organisation’s assets.
1.4.2 This guideline provides guidance in applying IS Auditing Standard S6 Performance of Audit Work to obtain sufficient, reliable, relevant and useful evidence during review of Internet connections. The IS auditor should consider it in determining how to achieve implementation of the above standard, use professional judgement in its application and be prepared to justify any departure.
1.4.3 The Internet is becoming more and more a part of the infrastructure in enterprises and is frequently used for several purposes. In general, use of the Internet can be split into four parts. The Internet can be used as:

  • A source for collecting and sharing information
  • A communication channel
  • A window for presentation of enterprises, organisations or persons
  • An electronic marketplace for trading

This guideline encompasses primarily the use of the Internet as a communication channel and as a source of information for enterprises and organisations. The guideline also, to a certain degree, deals with the Internet as a presentation and trade channel.
1.4.4 An enterprise is exposed to many threats by connecting to the Internet. To deal with those threats, it is important to run a risk analysis and take the necessary security precautions. It is also important to be aware that the Internet is not static. It changes frequently and so do the threats and need for security measures.
1.4.5 For every service, examples regarding different threats are mentioned. In such an overall and brief document, the risk picture is not covered completely. New hacker tools appear and new security weaknesses in IT systems are constantly disclosed. Therefore, it is important to obtain updated information about threats and security measures before connecting to the Internet.
1.4.6 There is no overall or international centralised control connected with the use of the Internet. It is a matter for every single enterprise to take the necessary security precautions. 

1.5 Guideline Application

1.5.1 When applying this guideline, the IS auditor should consider its guidance in relation to other relevant ISACA standards, guidelines and procedures. This guideline is not necessarily exhaustive or up to date over time.

2. GENERAL CONSIDERATIONS ABOUT INTERNET CONNECTIONS

2.1 Ways of Connecting to the Internet

2.1.1 There are several ways of connecting to the Internet and each has a different need for security measures. Some examples are:

  • Detached PCs with modems connected through an Internet service provider (ISP)
  • PCs in local networks with modems connected to the Internet through an ISP
  • Detached PCs with cellular data connections
  • PCs in local networks with cellular data connections
  • Local networks connected to the Internet via a router
  • Local networks connected to the Internet via a firewall
  • Two separate networks—one local network with PCs, which are being used for organisation activities, and one network with PCs for Internet communication

2.1.2 Some of these connections can be combined with service delivery or use of the Internet as an information channel, such as:

  • A local network connected to the Internet offering internal/external services from a server in the local network
  • A local network connected to the Internet where internal/external services are offered from a server installed in a DMZ
  • Two local networks in the same enterprise connected using the Internet as a communication channel
  • A local network in an organisation connected to a collaborating partner’s network where the Internet is being used as a communication channel (extranet)

2.2 Threats

2.2.1 Threats in a closed network without external connections will, in general, include technical failures, user errors, misuse of systems or disloyal employees spreading confidential information. This risk picture changes when an enterprise connects permanently to the Internet.
2.2.2 Attacks can be divided into the following groups:

  • Passive attacks, such as:
    – Network monitoring—Reading usernames and passwords transferred via the Internet by using sniffer software
    – Tapping data—Obtaining confidential information by reading/copying incoming or outgoing e-mail
    – Spyware use—Using a broad category of malicious software to intercept or take partial control of a computer's operation without the user's informed consent. Users ordinarily get infected by visiting certain web sites.
  • Active attacks, such as:
    – Attempts to get access through weaknesses in security measures—Accessing local networks and internal IT systems without authorisation when security measures are not properly implemented
    – Obtaining passwords—Using freeware to access password files
    – Masking—Configuring a computer with a trusted network address to obtain access to confidential information
    – Virus infection—Spreading a malicious code that incorporates itself into an IT system and often spreads to other systems and computers when the system is running
    – Trojan horse—Using a malicious program that seems to have a useful function, but carries a virus or an operation that catches passwords that can be used for unauthorised access to the system
    – Introducing worms—Using malicious code that spreads from one IT system to another without any action from the user
    – Exploiting faults and weaknesses in operating systems and applications—Using faults or weaknesses, contained in most systems, to carry out unauthorised activities
    – Exploiting misconfigured IT systems and communication units—Accessing systems because of mistakes made by the system administrators during system configuration or failure to update the configuration after installation of new software or hardware
  • Service attacks, such as:
    – Attempting to stop or prevent services—Exploiting errors in data streams to transfer larger amounts of data than that for which the service is prepared. This may result in a data crash.
    – Occupying system capacity—Sending continuous requests to online service computers that are not properly configured, in order to reduce system capacity
    – Terminating IT systems—Overloading a computer by sending larger amounts of data than it is designed to handle to cause a data crash. There are many ways to provoke an unexpected system termination, called denial of service (DoS).
    – Rerouting transactions—Copying homepages from a service provider to a remote server that is configured with the service provider’s network address to get credit card numbers from e-business transactions
    – Social engineering—Pretending to be a trusted associate to manipulate an authorised user to provide access to confidential business secrets or information about usernames and passwords

2.3 Internet Services

2.3.1 There are several services available on the Internet and new services appear frequently. The most popular services today are:

  • E-mail
  • World Wide Web (WWW)
  • File transfer protocol (FTP)
  • News
  • Telnet/remote interactive access
  • Internet relay chat (IRC)/Instant messaging

2.3.2 E-mail is the most frequently used service on the Internet. This service has become more and more a replacement for ordinary letters and fax because of its speed, lower cost and user friendliness. E-mail was not designed to be a secure service and has several security weaknesses. The most striking points of weakness are:

  • Sender—No one can be sure that the sender of an e-mail is the real sender. It is simple to change a name and there is no identity control of the sender. This weakness can be eliminated by using digital signatures, which are often used between business associates; however, this feature is not common in the exchange of e-mails between occasional partners.
  • Messages in plaintext—Messages sent via the Internet are sent in plaintext. This makes it possible for all Internet users to read a message and change the message. One can never be sure that a message passes over the Internet without being changed. This weakness can be eliminated by encrypting the message.
  • Message delivery—Another e-mail weakness is that there are no guarantees for secure delivery. A message will ordinarily be delivered in a few seconds or minutes, but in some cases the delivery takes several hours if delivered at all. If one of the servers in the delivery chain is unavailable for some reason, messages can remain on that server until it is online again. Depending on how the e-mail system is configured, it ordinarily takes some time before the sender receives a message about the failure. Most e-mail systems have a certificate of posting function. However, lack of compatibility amongst different e-mail systems can result in missing feedback.
  • Attachments—Most enterprises that use e-mail via the Internet allow mail to contain attachments. If those attachments are large, they will fill up the e-mail system and server in such a way that e-mail users are prevented from receiving other mail. To avoid this situation, the enterprise can put limits on how large the attachments are that the e-mail is allowed to receive and make guidelines for archiving and deletion of e-mails.
  • Spam—An increasing problem is unwanted e-mails, called spam. This may be unwanted advertising and service offerings, including product offerings that may be embarrassing. This spam fills servers and steals time from the recipients. Spam is not regarded as a plain security problem, but can result in reduced availability of the IT systems.

2.3.3 WWW is a worldwide network of servers that offers information in plaintext, sound and pictures. Different kinds of services, such as financial services and trading are available to the international community. Access to WWW goes through a browser, such as Internet Explorer, Opera and others. WWW features are:

  • Information quality—WWW contains an enormous amount of information; however, the information quality varies. There is a lack of superior control over the information that is placed on WWW. Every person who transfers information to WWW is responsible for quality assurance. Therefore, there is no guarantee of credibility, accuracy or that the information is up to date.
  • Tracks—An Internet user leaves behind several tracks when he/she visits web sites, primarily the network address, but in some cases also the username. By accessing inappropriate sites on the Internet from an organisation computer and leaving tracks behind, the organisation can be associated with web sites, such as those offering pornography, extreme political movements and others. Therefore, many enterprises choose to block addresses to such web sites.
  • Browser—There are many browsers available with different functionalities, strengths and weaknesses. New security weaknesses in browsers are disclosed frequently. Some of these weaknesses can cause serious problems for enterprises. Data criminals can create homepages that contain malicious code that exploits security weaknesses and executes unauthorised tasks on an organisation’s PCs.
  • Plug-ins—In the most used browsers, it is possible to install minor additional programs (plug-ins), which provide increased functionality, such as improved sound, extended video functionality or games. Programming errors in some plug-ins have made it possible for intruders to get access to data in IT systems.
  • Cookies—Small pieces of information used by the browser and transferred to the hard disc for logging and documentation purposes, such as the date of the last visit on the WWW, what homepages were visited and what products were bought (if an e-marketplace is visited). E-marketplaces are often based on use of cookies. Cookies can also store passwords; however, the use of cookies represents no known security threats but can be regarded more as a privacy violation as long as web sites store the information about users and user activities. Whether to allow the use of cookies is a policy matter. In most browsers, it is possible to choose whether to accept cookies. There is also freeware available that allows cookies to be used during Internet surfing but removes user information at logoff.

2.3.4 FTP is a service that enables data transfer between computers. It is often used to download files from WWW. FTP has basically no security. Username and passwords are transmitted in plaintext over the network. When used, it is very important to configure the service correctly. FTP service characteristics include:

  • Anonymous FTP—A service which allows outsiders to download data or programs from an enterprise server. For an enterprise that wants to offer this service, it is crucial to configure the systems correctly. If not, intruders can get access to enterprise data, and the server can also be used to store illegal data or programs. With anonymous FTP, the user logs in with the username (anonymous or ftp) and a password; however, few systems check whether the username, which is ordinarily an e-mail address, and password are correct.
  • Active/passive communication—Unlike other services, FTP uses two gateways for communication. In addition, connection can be made in two ways—active or passive. In active mode, the user decides what gateway to use. In this mode it is possible to control and filter receiving data. If passive mode is used, the connected server decides what gateway to use. Passive mode is difficult for many firewalls to handle in a secure way.
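The active/passive distinction above, as an added example that is not part of the ISACA guideline: a parser for the in-band PORT command and 227 PASV reply, plus the pinhole a firewall in front of the client would have to open for each mode. The addresses and message strings are constructed.

```python
"""
Added example, not part of the ISACA guideline: decoding the in-band
announcements that fix the FTP data connection. In active mode the client
sends PORT and so chooses the endpoint; in passive mode the server answers
PASV with a 227 reply and chooses an arbitrary high port. A firewall that
filters FTP must parse these lines from the control channel to know which
pinhole to open, which is what makes passive mode hard to filter securely.
All message strings and addresses below are constructed.
"""
import re
from dataclasses import dataclass

# RFC 959 carries host and port as six decimal byte values: h1,h2,h3,h4,p1,p2
_HOSTPORT = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
_PORT_CMD = re.compile(r"PORT\s+" + _HOSTPORT + r"\s*$", re.IGNORECASE)
_PASV_REPLY = re.compile(r"^227\b.*?" + _HOSTPORT)


@dataclass(frozen=True)
class DataEndpoint:
    mode: str     # "active" or "passive"
    chooser: str  # which side picked the endpoint
    host: str
    port: int


def _decode(groups, mode, chooser):
    fields = [int(x) for x in groups]
    if any(f > 255 for f in fields):
        raise ValueError("host/port byte out of range")
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("port 0 is not a usable data port")
    return DataEndpoint(mode, chooser, ".".join(map(str, fields[:4])), port)


def parse_port_command(line: str) -> DataEndpoint:
    """Client -> server: 'PORT h1,h2,h3,h4,p1,p2' (active mode, client chooses)."""
    m = _PORT_CMD.match(line.strip())
    if not m:
        raise ValueError("not a PORT command")
    return _decode(m.groups(), "active", "client")


def parse_pasv_reply(line: str) -> DataEndpoint:
    """Server -> client: '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).' (server chooses)."""
    m = _PASV_REPLY.match(line.strip())
    if not m:
        raise ValueError("not a 227 passive-mode reply")
    return _decode(m.groups(), "passive", "server")


def endpoint_consistent(ep: DataEndpoint, peer_ip: str) -> bool:
    """The announced host should be the peer that sent the line; a filter
    should refuse to open a pinhole towards some third address."""
    return ep.host == peer_ip


def pinhole_for(ep: DataEndpoint, client_ip: str, server_ip: str) -> str:
    """Rule a stateful firewall in front of the client must add for this transfer."""
    if ep.mode == "active":
        # the server connects back from its data port (20) to the port the client chose
        return f"allow in  {server_ip}:20 -> {client_ip}:{ep.port}"
    # the client connects out to whatever port the server announced
    return f"allow out {client_ip}:any -> {ep.host}:{ep.port}"
```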

2.3.5 News is a kind of a bulletin board where users can discuss any item. When a letter is sent to news, it is placed on the bulletin board with the author’s name and address. The letter is often dispersed to different news servers all around the world. This makes it almost impossible to remove a letter after being sent to news. A letter sent from an organisation’s computer can be regarded as the organisation’s official view. It is also a risk that an employee could expose organisation secrets. It is possible to block access to news. This is a matter of organisational policy.
2.3.6 Telnet is a service that makes it possible to log on to other computers on the network. Telnet gives the user a character-based virtual terminal. During logon, the username and password are sent in plaintext. It is rather simple for intruders to read user information and use it for unauthorised access. To avoid this, one-time passwords and encryption can be used. It is also possible for hackers to intercept the terminal connection (session hijacking). After user logon, the hacker takes over the session with the user’s accesses. This can be avoided by using encryption. Remote interactive access with SSH, remote x-windows VNC and Remote Desktop are expected to take over for Telnet as de facto methods of remotely accessing systems.
2.3.7 IRC and instant messaging are real-time conference systems. Users communicate by using a common area—a channel—where all users can participate in discussions. Many IRC/instant messaging programs have security weaknesses that enable intruders to obtain illegal access to an organisation’s files. It is also possible for intruders to use those channels to spread viruses and to obtain access via “social engineering”.

3. SECURITY MEASURES

3.1 Policy, Products and Follow-up

3.1.1 Secure Internet connections should be built upon the enterprise information security policy. It is important that there are guidelines to ensure correct and secure use of the Internet, and that security awareness is a major focus of leadership. If employees do not live up to security guidelines, the security measures will not work as expected. There should be procedures for authorisation and change control in place. In addition, the security guidelines should encompass ethical behaviour for use of the Internet.
3.1.2 There are many products on the market that can improve Internet security. To achieve the right level of security, it is necessary to implement several complementary products. Selection of products should be based upon a risk assessment.
3.1.3 It is of great importance that security measures are followed up. Operating instructions for monitoring and follow-up to security measures to ensure effectiveness and compliance with guidelines should be in place.

3.2 Firewalls

3.2.1 A firewall is the most common security measure used when establishing a connection from a local network to the Internet. A firewall is a combination of hardware and software that prevents any illegal penetration. The firewall should reflect the enterprise’s security policy. Only authorised services should pass through it.
3.2.2 A firewall can be one of the following:

  • Packet filtering routers—Examine packets of data entering or leaving a network.
  • Application gateways—Apply security mechanisms to specific applications such as FTP or Telnet.
  • Circuit level gateways—Supply security mechanisms when a TCP or UDP connection is established.
  • Proxy servers—Intercept messages entering or leaving a network enabling the true IP address to be hidden.

The type of firewall deployed may be software-based or hardware-based, the latter being designed primarily for commercial environments, and it may employ a number of the techniques mentioned.
3.2.3 These firewalls deliver different kinds of security and require follow-up and maintenance.
3.2.4 There are two security concepts for data control through a firewall:

  • Everything is fully restricted—Only services allowed by management pass through.
  • No general restrictions—Only services considered high-risk by management are prevented.

3.2.5 The enterprise’s security needs, request for user friendliness and capacity in the IT department should be considered when choosing a firewall solution. Configuration of the firewall should be correct and in compliance with the security policy before users can access the Internet.

3.3 One-time Password

3.3.1 There are many programs available that can be used to unveil passwords. Such programs are used by data criminals and hackers. Users often make passwords that are simple to guess and use for unauthorised purposes. However, even a good password that is hard to guess can be unveiled. Computers today are so powerful that it is possible to unveil even the most complex passwords. To prevent intruder access to an enterprise system, a possible solution is to use one-time passwords. These can be generated either by a password generator or via a challenge/response system, which is based upon numbers punched on a unit similar to a calculator. One-time passwords should preferably be combined with encrypting software to make a secure solution.
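The challenge/response variant described in 3.3.1, as an added example that is not from the ISACA guideline: an HMAC-based token response that the server accepts once only, so a response read off the wire cannot be replayed. The user name and shared secret are constructed.

```python
"""
Added example, not part of the ISACA guideline: a challenge/response
one-time password exchange modelled with HMAC-SHA256 over a secret shared
between the server and the user's token. The server issues a random
challenge, the token turns it into a six-digit response, and the server
accepts that response once only and only within a short time window.
User name and secret are constructed.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def token_response(shared_secret: bytes, challenge: str) -> str:
    """Token side (the calculator-like unit): derive a 6-digit code from the challenge."""
    mac = hmac.new(shared_secret, challenge.encode("ascii"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


class OtpServer:
    def __init__(self, challenge_ttl_s: float = 60.0):
        self._secrets = {}   # user -> shared secret, provisioned out of band
        self._pending = {}   # user -> (challenge, expiry time)
        self._ttl = challenge_ttl_s

    def enrol(self, user: str, shared_secret: bytes) -> None:
        self._secrets[user] = shared_secret

    def issue_challenge(self, user: str, now: Optional[float] = None) -> str:
        if user not in self._secrets:
            raise KeyError(f"unknown user {user!r}")
        now = time.time() if now is None else now
        challenge = secrets.token_hex(8)            # 64 random bits as hex
        self._pending[user] = (challenge, now + self._ttl)
        return challenge

    def verify(self, user: str, challenge: str, response: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        pending = self._pending.pop(user, None)     # consumed on first use
        if pending is None:
            return False
        expected_challenge, expiry = pending
        if challenge != expected_challenge or now > expiry:
            return False
        expected = token_response(self._secrets[user], challenge)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """Walk through one login, one replay attempt and one expired challenge."""
    secret = b"constructed-shared-secret"
    server = OtpServer(challenge_ttl_s=60)
    server.enrol("alice", secret)
    t0 = 1_700_000_000.0
    c1 = server.issue_challenge("alice", now=t0)
    r1 = token_response(secret, c1)
    first = server.verify("alice", c1, r1, now=t0 + 5)
    replay = server.verify("alice", c1, r1, now=t0 + 6)      # same response again
    c2 = server.issue_challenge("alice", now=t0 + 10)
    r2 = token_response(secret, c2)
    stale = server.verify("alice", c2, r2, now=t0 + 100)     # answered after the window
    return {"first": first, "replay": replay, "stale": stale}
```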

3.4 Penetration Testing and Test Software

3.4.1 It is recommended to research currently known web application vulnerabilities due to the increasing complexity and severity of these vulnerabilities. There is a lot of software, both for sale and freeware, which can be used to test IT systems for different kinds of vulnerabilities/security weaknesses. Some of those are developed by reputable persons or companies that want to contribute to a more secure Internet. However, the majority of those programs are developed by data criminals to break into enterprise systems. By using trusted penetration testing software, it is possible to test the quality of security measures in an enterprise’s Internet connection.

3.5 Intrusion Detection and Prevention Systems

3.5.1 Intrusion detection systems (IDSs) are used to analyse local networks and business systems to disclose illegal attacks before any damage occurs. An IDS will detect any known attacks whilst they are in progress and send messages to the enterprise’s IT personnel or security manager who can put security measures into effect. An IDS should be updated quickly after discovery of new threats and attacks.
3.5.2 Intrusion prevention systems (IPSs) differ in concept from other security tools, which rely on signature files to identify an attack as (or after) it happens: intrusion prevention software predicts an attack before it can take effect. It does this by monitoring key areas of a computer system and looking for “bad behaviour”, such as worms, Trojans, spyware, malware and hackers. It complements firewall, antivirus and antispyware tools to provide complete protection from emerging threats. Because it is not reliant on identifying and distributing threat signatures or patches, it is able to block new (zero-day) threats that bypass traditional security measures.

3.6 Encryption

3.6.1 Data transferred over the Internet is, in principle, open to everyone. This means that unprotected sensitive data can be captured and used illegally. A method to ensure integrity and confidentiality of a system is encryption. Encryption can be used on different levels. The most secure solution is to encrypt on the application level, which means that confidentiality and integrity are maintained all the way to the end user. However, this solution is dependent upon compliant software between users.

3.7 Digital Signatures

3.7.1 By using digital signatures, message integrity can be maintained. This is especially useful in trading over the Internet. Digital signatures are based on a pair of keys, one private and one public key. The sender makes a fingerprint (hash) of the message, which is encrypted together with the sender’s private encryption key and the receiver’s public key. The receiver reverses the process, decrypting with the sender’s public key and his/her own private key. This yields the sender’s fingerprint, which can be compared with a new fingerprint computed from the received message. If they are equal, nothing has been changed.

3.8 Virtual Private Network (VPN)

3.8.1 VPN is a means to establish a secure communications channel between two or more computers over a shared, unsecured, physical network or networks. Computers can be physically connected in networks, but only those being members in the same virtual network can exchange data. The communication channels can be secured by encryption.

3.9 Antivirus Programs

3.9.1 Data virus is an increasing problem, especially after introduction of macro viruses. Data viruses are being spread through several sources, including e-mails, pirated copies of games and downloaded programs from the Internet. All enterprises that receive e-mail with attachments or permit employees to download from the Internet should have antivirus software on the servers and/or on PCs. It is of great importance that there are routines in place to keep antivirus software up to date.

3.10 Antispyware programs

3.10.1 Spyware differs from viruses and worms in that it does not ordinarily self-replicate. Like many recent viruses, spyware is designed to exploit infected computers for commercial gain. Typical tactics furthering this goal include delivery of unsolicited pop-up advertisements, theft of personal information (including financial information such as credit card numbers), monitoring of web-browsing activity for marketing purposes or routing of HTTP requests to advertising sites. To avoid this exposure, every enterprise should install antispyware programs that are designed to block or remove spyware.

3.11 Logging and Monitoring

3.11.1 The logging and monitoring of Internet traffic are not security measures in themselves, but are prerequisites to detecting attacks and maintaining security in networks and business systems. To be efficient, logging and monitoring should be carried out in communication nodes such as the firewall. Events that require follow-up should be based upon a risk assessment and enterprise policy. Logging results in large amounts of data, which is hard to follow up manually. Therefore, it is practical to obtain a tool/software to filter, analyse and present relevant log data.
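A small filter of the kind 3.11.1 calls for, as an added example that is not from the ISACA guideline: it reads constructed firewall log lines in a simple key=value record format (not any particular product's format), counts denied connections and probed ports per source, and flags sources over a policy threshold.

```python
"""
Added example, not part of the ISACA guideline: filtering and summarising
firewall log data, run over constructed sample lines in a simple key=value
format (not the format of any particular firewall product). It counts
denied connections per source and the distinct destination ports each
source probed, reports sources that cross a threshold set by policy, and
counts lines it could not parse so that broken logging does not go unnoticed.
"""
from collections import Counter, defaultdict

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-01-05T10:00:01 action=deny src=203.0.113.9 dst=198.51.100.5 dport=22 proto=tcp
2024-01-05T10:00:02 action=deny src=203.0.113.9 dst=198.51.100.5 dport=23 proto=tcp
2024-01-05T10:00:03 action=deny src=203.0.113.9 dst=198.51.100.5 dport=21 proto=tcp
2024-01-05T10:00:04 action=deny src=203.0.113.9 dst=198.51.100.5 dport=3389 proto=tcp
2024-01-05T10:00:05 action=allow src=192.0.2.10 dst=198.51.100.80 dport=443 proto=tcp
2024-01-05T10:00:06 action=allow src=192.0.2.11 dst=198.51.100.25 dport=25 proto=tcp
2024-01-05T10:00:07 action=deny src=192.0.2.12 dst=198.51.100.5 dport=23 proto=tcp
2024-01-05T10:00:08 action=allow src=192.0.2.10 dst=198.51.100.80 dport=443 proto=tcp
this line is deliberately malformed and must be counted, not crashed on
"""

REQUIRED = ("action", "src", "dst", "dport", "proto")


def parse_line(line: str):
    """Return a record dict, or None if the line lacks any required field."""
    parts = line.split()
    if len(parts) < 1 + len(REQUIRED):
        return None
    rec = {"ts": parts[0]}
    for field in parts[1:]:
        key, sep, value = field.partition("=")
        if sep:
            rec[key] = value
    if any(k not in rec for k in REQUIRED) or not rec["dport"].isdigit():
        return None
    rec["dport"] = int(rec["dport"])
    return rec


def analyse(log_text: str, deny_threshold: int = 3) -> dict:
    """Summarise a log: flagged sources, services actually in use, unparsed lines."""
    denied = Counter()            # src -> number of denied connections
    probed = defaultdict(set)     # src -> destination ports that were denied
    allowed_by_port = Counter()   # dport -> allowed connections (services passing the firewall)
    unparsed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] == "deny":
            denied[rec["src"]] += 1
            probed[rec["src"]].add(rec["dport"])
        elif rec["action"] == "allow":
            allowed_by_port[rec["dport"]] += 1
    flagged = {
        src: {"denied": n, "ports": sorted(probed[src])}
        for src, n in denied.items() if n >= deny_threshold
    }
    return {"flagged": flagged, "allowed_by_port": dict(allowed_by_port), "unparsed": unparsed}
```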

4. INTERNET USED FOR AN ENTERPRISE PRESENTATION CHANNEL

4.1 Internet Used as a Window

4.1.1 The Internet has been used as a window for an enterprise since the introduction of the WWW. This guideline will not deal with how to present an enterprise, but gives some reflections regarding what to consider before and after transmitting information to the WWW.

4.2 Before Transmitting Information to the WWW

4.2.1 It seems to be a must for most enterprises to be represented on the WWW. Information is often placed on home pages without paying attention to the security aspects. By giving detailed information about the business and employees, an enterprise is exposed to social engineering committed by data criminals. There are also examples of data criminals breaking into web servers to change the content on home pages.
4.2.2 Before an enterprise develops a home page, it should perform a need analysis as background material to decide what kind of information is appropriate to present and determine the level of risk that having that data present represents to the enterprise.

4.3 After Transmitting Information to the WWW

4.3.1 Home pages that are not updated soon lose common interest. Maintenance and development are crucial. Furthermore, the server should be followed up on a daily basis to detect potential illegal or unauthorised activities. If data criminals get access, the content of the home page can be changed in different manners. For instance, a change of telephone number to a competitor’s number can result in lost sales for the owner of the home page. Through access to the WWW, it is also possible to exchange pirated software or use the server as storage for illegal information.

4.4 Internet as a Trade Channel

4.4.1 Trading products over the Internet (e-business) is a service that is growing all over the world. This trading activity, which includes payment, requires strict security measures. A consumer must be able to provide his/her credit card number to the vendor with confidence that it will not be misused. On the other hand, vendors must be confident that orders are real to avoid unnecessary costs or to be held economically responsible for misuse.
4.4.2 There are several solutions for secure trading over the Internet. Amongst the most common solutions are the Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET) protocols.

4.5 Electronic Money

4.5.1 Trading via the Internet has increased the need for secure electronic money transactions. Many people are reluctant to expose their credit card number, and when transferring small amounts of money, it is not profitable to use credit cards. Therefore, several e-commerce companies have developed solutions to deal with electronic money. E-commerce trading chains consist of three parties: the customer, the vendor and the bank. Before a customer can use e-money, he/she has to download an electronic wallet from the bank. This wallet can be installed on a PC, a personal digital assistant (PDA) or a smartcard. After downloading, the money is ready for use. Digital signatures are used to secure the transactions.

4.6 Trusted Third Party (TTP)

4.6.1 Internet-based trading or exchange of enterprise critical data or information will ordinarily require traceability. To secure the trace integrity, third parties are being used to witness authenticity of the transaction. These are ordinarily big service providers within IT business, which use a technology called public key infrastructure (PKI). The main functions are authentication, encryption and digital signature.
4.6.2 During the last few years, solutions which enable an enterprise to manage its own security without engaging a third party have been launched.

5. PERFORMANCE OF AUDIT WORK/SECURITY REVIEW

5.1 Planning

5.1.1 The IS auditor should gain an understanding of the organisation’s access and use of the Internet. The IS auditor should conduct a risk analysis of Internet access and use with respect to the organisation and its mission.
5.1.2 An audit programme should be developed, including the scope, objectives and timing of the audit. Reporting arrangements should be clearly documented in the audit programme. Consideration should be given to the nature and size of the organisation and its stakeholders. The IS auditor should gain an understanding of the organisation’s mission and business objectives, the types of technical infrastructure and business critical data.
5.1.3 Also, an understanding of the organisational structure is needed, specifically of the roles and responsibilities of key staff, including the information managers and owners.
5.1.4 A primary objective of the audit planning phase is to understand the threats and risks that the organisation faces when connecting to the Internet.

5.2 Steps to Perform

5.2.1 The IS auditor should consider whether connecting to the Internet is based upon a total enterprise need assessment. The board and management should be aware of risks and what changes in threats mean for the enterprise to make the right decisions regarding use of the Internet. When defining the scope of the review, the IS auditor should also take into account factors such as the type of information collected, stored and used for various purposes within the organisation.
5.2.2 The IS auditor should determine whether the organisation has the following in place:

  • An Internet policy
  • A guideline for monitoring and following up network connections, firewalls, etc.
  • An incident reporting procedure
  • A guideline for homepage updates
  • Training and awareness programmes

These, if available, should be assessed by the IS auditor to provide reasonable assurance that use of the Internet is in accordance with policies and procedures.

5.3 Performing a Detailed Review

5.3.1 The IS auditor should assess the following administrative aspects:

  • Management responsibility
  • The purpose of giving access to the Internet
  • Whether the enterprise holds confidential or privacy-sensitive data, which would mean that connection to the Internet should be restricted or not allowed
  • The type of connection
  • Whether need assessments have been used as a basis for employee access
  • Whether access is restricted to certain hours or time of day/week
  • If there are any restrictions regarding where employees are given permission to surf/collect information
  • If the enterprise sells products or services via the Internet, and whether payment is made via the Internet
  • If the enterprise has the necessary competence, time and capacity to install, follow up and maintain an Internet connection

5.3.2 Risk assessment should cover the following as a minimum:

  • Threats
  • Changes in threats when connecting to the Internet
  • Whether the existing information security policy covers the use of the Internet
  • Whether the enterprise is of interest to computer criminals or is a target of industrial espionage
  • Consequences if internal/confidential information is exposed to intruders
  • Cost if a security incident occurs
  • Probability of a security incident occurring
  • Security measures to be carried out to secure the Internet connections

5.3.3 Guidelines for use of the Internet should contain as a minimum:

  • A connection to the security policy
  • Documentation of services that are allowed
  • Rules for acceptable use of those services and sanctions if rules are broken
  • Description of procedures for network monitoring of compliance with laws and regulations
  • Documentation of ethical attitudes
  • Rules for sending and storing of e-mail
  • Requirements for user training
  • Potential agreements between collaborating partners
  • An agreement that all employees sign to confirm that guidelines are read, understood and will be followed, which is important to prevent potential violations of laws regarding logging and monitoring of Internet traffic

5.3.4 Documentation for Internet operation should contain as a minimum:

  • All technical equipment and infrastructure
  • Rules for logging and monitoring
  • Alarm setup
  • Routines for logging and incident follow-up

5.3.5 Documentation of the Internet connection should contain as a minimum:

  • Description of network perimeters
  • Descriptions of access points
  • Description of all modem connections
  • Configuration of routers and potential proxy servers
  • Configuration of firewalls
  • Configuration of other security measures, such as encryption and digital signatures
  • Description of secure storage of log files, for instance on write once, read many (WORM) media, external disks or tape
  • Description of procedures to recreate log files

5.3.6 Documentation of routines for monitoring should contain as a minimum:

  • Description of responsibility for administration and maintenance of the Internet connection, including back-up resources
  • Review of log files from the firewall
  • Review of transactions from current servers
  • Review of log files from user activities
  • Review of network statistics
  • Following up on potential security incidents or attempts

5.4 Responsibilities

5.4.1 User responsibilities include:

  • Complying with IS policy, guidelines and ethical standards
  • Respecting existing laws and regulations in the countries where information is collected
  • Never giving out a password by telephone or e-mail
  • Never changing a password at the request of an unknown person made by telephone or e-mail
  • Never using the same username and password on the Internet as used on the local network
  • Verifying data downloaded from the Internet before using it as a basis for business decisions, trading or payment, etc.

5.4.2 Responsibilities of IT management include:

  • Maintaining and following up on Internet firewalls, routers, servers and other IT equipment in use. This includes responsibility for ensuring that the correct versions of system software and applications are properly installed and maintained. Furthermore, IT management should make sure that firewall logs are followed up on a daily basis and that the configuration is in accordance with written guidelines.
  • Keeping up to date on threats and vulnerabilities affecting the systems and applications in use, which is a prerequisite for maintaining the security level

5.4.3 Responsibilities of security management include:

  • Ensuring that the person in charge of information security does not also hold functions such as IT operator, systems analyst or programmer
  • Working out the guidelines for use of the Internet and giving information about acceptable and ethical use to the users, which is the security manager’s main task
  • Acting as a resource for top management within information security
  • Reviewing logs from the firewall
  • Reviewing reports from security systems
  • Making sure that security measures are regularly tested
  • Making sure that continuity and disaster plans cover enterprise services
  • Following up on security incidents or attempts
  • Reporting serious security incidents to management
  • Keeping up to date on threats and vulnerabilities affecting the systems and applications in use, as the IT manager does

5.4.4 Responsibilities of senior management include:

  • Formulating an overall Internet policy
  • Monitoring the policy and the related processes
  • Providing adequate resources
  • Empowering IT management to implement the policy

5.5 Technical Issues and Security Measures

5.5.1 Technical issues include:

  • Security alarms and logging of unauthorised incidents should be activated in system software.
  • The connection between the local network and the Internet should be protected through a firewall.
  • Only those services allowed by management should pass through the firewall.
  • The firewall should stop all non-allowed network protocols.
  • The firewall should stop all access when a system error or a disruption in production occurs.
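
The default-deny requirement in 5.5.1, the documented list of allowed services in 5.3.3 and the daily firewall log review in 5.3.6 and 5.4.2 are all checks an auditor can make mechanically. The following example is added here as an illustration and is not part of the ISACA guideline: it compares a firewall rule set and a sample of its log against the services management has documented as allowed, and reports every deviation as a finding. The rule and log formats, the service list and the sample data are constructed for the example and do not follow any particular vendor's syntax.

```python
"""Audit helper added as an illustration (not part of the ISACA guideline):
checks a firewall rule set and a sample of its log against the list of
services management has documented as allowed. Rule and log formats are
constructed and simplified, not a particular vendor's syntax."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed example of the documented allowed-services list (see 5.3.3).
ALLOWED_SERVICES: Dict[Tuple[str, int], str] = {
    ("tcp", 25): "smtp",
    ("tcp", 80): "http",
    ("tcp", 443): "https",
}


@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None means every destination port


def audit_ruleset(default_policy: str, rules: List[Rule],
                  allowed: Dict[Tuple[str, int], str] = ALLOWED_SERVICES) -> List[str]:
    """Return audit findings; an empty list means the rule set matches the documented services."""
    findings: List[str] = []
    # Default deny: traffic not explicitly allowed by management must be stopped (5.5.1).
    if default_policy.lower() != "drop":
        findings.append(f"default policy is {default_policy!r}, expected 'drop'")
    accepted = set()
    for r in rules:
        if r.action.lower() != "accept":
            continue
        if r.proto == "any" or r.dport is None:
            findings.append(f"rule accepts {r.proto} traffic without a port restriction")
            continue
        accepted.add((r.proto, r.dport))
        if (r.proto, r.dport) not in allowed:
            findings.append(f"rule accepts {r.proto}/{r.dport}, which is not a documented allowed service")
    # A documented service with no rule is a documentation mismatch rather than an exposure,
    # but it still shows that the rule set and the guideline have drifted apart.
    for (proto, port), name in allowed.items():
        if (proto, port) not in accepted:
            findings.append(f"documented service {name} ({proto}/{port}) has no accept rule")
    return findings


# Constructed log format: a syslog-style line carrying the firewall verdict and the packet fields.
LOG_RE = re.compile(r"action=(?P<action>[A-Z]+) .*?PROTO=(?P<proto>[A-Za-z]+) .*?DPT=(?P<dport>\d+)")


def review_firewall_log(lines: List[str],
                        allowed: Dict[Tuple[str, int], str] = ALLOWED_SERVICES) -> List[str]:
    """Return the log lines showing accepted traffic to a service not documented as allowed (5.3.6)."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None or m.group("action") != "ACCEPT":
            continue
        key = (m.group("proto").lower(), int(m.group("dport")))
        if key not in allowed:
            findings.append(line.strip())
    return findings


# Constructed sample data: one rule set and three log lines (addresses from the documentation ranges).
SAMPLE_RULES = [
    Rule("accept", "tcp", 80),
    Rule("accept", "tcp", 443),
    Rule("accept", "tcp", 25),
    Rule("accept", "tcp", 23),   # telnet was never approved in writing
]
SAMPLE_LOG = [
    "Mar  1 08:12:01 fw kernel: action=ACCEPT IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443",
    "Mar  1 08:12:07 fw kernel: action=DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=3389",
    "Mar  1 08:13:22 fw kernel: action=ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=23",
]

if __name__ == "__main__":
    for finding in audit_ruleset("drop", SAMPLE_RULES) + review_firewall_log(SAMPLE_LOG):
        print("FINDING:", finding)
```

Run against the sample data, the rule-set check reports the unapproved telnet rule and the log review reports the accepted connection to port 23; the dropped attempt on port 3389 is not a finding, because the firewall behaved as documented. In a real engagement the rule list would be exported from the firewall and the allowed-services table taken from the enterprise's own Internet guideline, so the comparison becomes evidence for 5.4.2 rather than a reading of the configuration by eye.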

5.5.2 Service related measures include:

  • E-mail
    – Critical messages should be encrypted.
    – Time critical messages should be followed up manually.
    – Attachments should be scanned to avoid damage from malicious code.
    – Passwords should not be sent by e-mail.
  • WWW
    – When using Internet services, one should use usernames and passwords other than those used on the local network.
    – Information downloaded from the WWW should be verified and controlled before use.
    – Only an approved Internet browser should be used, and changes in configuration or installation of plug-ins should not be allowed.
    – All files downloaded from the Internet should be scanned for viruses or similar malicious code, such as spyware.
  • FTP
    – All files downloaded from the Internet should be scanned for viruses or similar malicious code, such as spyware.
  • News
    – Users should not be allowed to participate in “flame wars”.
    – Users should not be allowed to write articles which can give a negative image of the enterprise, employees, collaborating partners, vendors or competitors.
    – Information collected from news should be verified and controlled before use.
  • Telnet
    – One-time passwords should be used, if possible.
  • IRC/Instant messaging
    – IRC and instant messaging should only be allowed from a stand-alone PC.
    – IRC and instant messaging should not be used to disclose internal enterprise information.

5.5.3 Other security measures include:

  • Logons from a home office or other external locations should use a VPN connection with secure authentication, such as one-time passwords.
  • Servers dedicated to external users should be installed in the DMZ.
  • CGI scripts and other code that receives data from the Internet should be quality assured and tested for errors and weaknesses.
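
The last point above is easiest to review with a concrete defect in front of you. The following example is added here as an illustration and is not from the guideline: the first handler echoes request parameters into HTML exactly as received, which is the kind of weakness a quality review of Internet-facing code should catch; the second validates each parameter against an allow-list before use and escapes everything it emits. The parameter names, the account-number format and the page layout are assumptions made for the example.

```python
"""Added illustration (not from the ISACA guideline) of what a quality review
of Internet-facing CGI code looks for. The first handler emits request
parameters unvalidated; the second validates against an allow-list and
escapes its output. Parameter names and the account format are assumptions."""
import html
import re
from urllib.parse import parse_qs

ACCOUNT_RE = re.compile(r"[A-Z]{2}[0-9]{6}")   # assumed format: two letters, six digits
MAX_NAME_LEN = 64


def render_unvalidated(query_string: str) -> str:
    """The 'before' form: whatever the client sent ends up verbatim in the page."""
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    account = params.get("account", [""])[0]
    return f"<p>Hello {name}, here is the statement for {account}.</p>"


def render_hardened(query_string: str) -> str:
    """Validate first, then escape: unexpected input is refused and accepted
    input cannot alter the markup of the page."""
    params = parse_qs(query_string, max_num_fields=10)   # bound the amount of input parsed
    name = params.get("name", [""])[0]
    account = params.get("account", [""])[0]
    if ACCOUNT_RE.fullmatch(account) is None:
        raise ValueError("account parameter does not match the expected format")
    if not 0 < len(name) <= MAX_NAME_LEN or not name.isprintable():
        raise ValueError("name parameter is empty, too long or contains control characters")
    return (f"<p>Hello {html.escape(name)}, here is the statement "
            f"for {html.escape(account)}.</p>")


def accepts(query_string: str) -> bool:
    """True if the hardened handler would serve the request, False if it refuses it."""
    try:
        render_hardened(query_string)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: a well-formed one and one whose account field is malformed.
    print(render_hardened("name=Bob&account=AB123456"))
    print("malformed account accepted:", accepts("name=Bob&account=123"))
```

The review point is the order of operations: the hardened handler refuses input that does not match what the application expects before it touches any other logic, and only then escapes what it renders. Testing "for errors and weaknesses" in the sense of 5.5.3 means feeding each parameter with values outside its documented format and confirming that the handler refuses them rather than passing them on.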

6. EFFECTIVE DATE

6.1 This guideline is effective for all information systems audits beginning on 1 March 2006. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.