the facility's proximity to flood plains, rising water and flooding situations may be an occurrence for which the evacuation or power-down procedures will need to be invoked to protect the staff and equipment. Water sensors should be tied to an alarm system that is monitored centrally for the notification and dispatch of corrective measures. Records of the testing and validation of the working systems should be part of the maintenance records you would expect to see during your assessment.

Maintenance

Maintenance of the environmental systems supporting the information processes should be evaluated during the evaluation of that system to ensure that the support is designed and built adequately to preserve its intended environmental support functions and is based on the IS operations needs at the facility. These systems cannot be put in place and then forgotten, because they will degrade from disuse and not work properly when called on to support emergency needs. You should expect to see routine testing and recording of the results of those test procedures so that the relative health of these systems is known at all times and periodically validated. Maintenance records, including the replacement of parts, system upgrades, and other processes you would expect to see mapped out through similar change control processes on an information system, also should be tracked and recorded for these systems. Due care to ensure that maintenance is performed by properly trained and qualified personnel will be important to accrediting the processes and in keeping the insurance carriers happy about relying on them as mitigants to limit the losses they will ultimately cover should disasters occur. You should determine that similar quality of service controls are in place for your assurances as well.
Evaluating Physical Access Controls and Procedures

Physical access to systems and processes is an important aspect of evaluating the overall control of the information assets. A portion of every security-related review should look at the physical security of the devices along with the logical aspects of control. Without good physical controls, a device can simply be unplugged and carried off; a denial of service and complete loss of current data will result. Physical security is hard to enforce with technical people because they see their functions as more intellectual and scientific than, well, physical. No one likes confrontation, and physical security requires confrontation and deterrence to effectively turn back attempts at unauthorized access, whether made directly through brute force or by using social engineering techniques. Aggressive behavior often begets more aggressive behavior, which can escalate into violence and physical harm. The best way to prevent this from happening is to ensure that the proper controls are in place and that policies and procedures are thoroughly documented, communicated, and followed by everyone in the IS organization.

282 Chapter 4

Your evaluation can add value by helping management see these control requirements as a way of minimizing risk to their employees as well as to their information assets, and as good business practice at the same time. Testing to ensure that the procedures are followed will be important, because the road to loss is paved with good procedures that are not followed. Always begin with an assessment of the requirements for physical security through tours and site visits. Compile a short list of concerns and needs that must be addressed in order to satisfy your review of the residual risk exposures from your initial inspection. Ask about the location and the history of events in the local community that may indicate the presence of risks you may not have considered.

Look at the situation from an attacker's point of view and ask yourself how you would gain access if you were tasked with doing so without permission. Unauthorized access can be gained in very ingenious ways, and determined perpetrators will try them all in order to find the weakest entry point. You should review your list with the physical security management to determine whether these risks have been considered or addressed by some control that you may have overlooked. Attempt to qualify the risk for any gaps that may exist between your list of exposures and the controls that exist to mitigate the physical security risks. There are several risk-control scenarios, and each one will differ depending on the situation and the organization's appetite for risk. Some of the items that could be deployed to reduce risk include doors, locks, fences, gates, monitoring of access points with closed-circuit television and recording devices, guards, access logs, badges, keys, walls that span the entire floor-to-ceiling space (including raised-floor access cavities), man traps, anti-passback mechanisms, data center anonymity, and discreet signage. None of these controls will be effective without supporting policy and procedures that require personnel to keep them functional and effective in performing the task for which they were designed. For example, propped-open security doors cannot prevent access. As with all IS audit risks, the human factor cannot be overstated.

Protection of Information Assets 283

Formally documenting the list of allowed access and thinking through procedures for situations that fall outside of these boundaries are human processes without which the physical controls will have limited effectiveness. In order to form an opinion on the effectiveness of any control you evaluate, you will want to see examples of the control being successfully used to mitigate the risk its implementation was intended to control.
This is more difficult to do with physical controls than with logical ones, because audit trails are more difficult to obtain. Some physical controls have electronic components, which may provide opportunities to automatically record access attempts, but the effectiveness of a fence is difficult to prove directly. Other systems must, therefore, be used to indirectly validate their effectiveness. Guard stations and the maintenance of security reports and sign-in logs are very important measurement tools for this reason, and their consistent use and accuracy should be part of your test procedures. Sometimes these records will be depended upon to reconstruct a sequence of events for a security investigation that, at the time the access was recorded, seemed extremely routine and unnecessary. To summarize, you must identify the risks and threats, perform a gap analysis of the existing controls against those risks, identify opportunities to measure the performance of those controls, and evaluate this performance against expectations for the effectiveness of the control. Be creative and flexible in looking for risks and opportunities to compromise the systems, and challenge performance against the documented procedures to gain assurance that they are being performed consistently.

Visitor and Vendor Access

The physical security control process is complicated by the fact that physical access is routinely necessary for many individuals who do not have an ongoing need to know or right to access the IS organization on a regular basis. Visitors and vendors fall into this category. The reasons for needing access are many, all of them legitimate to a point, and usually they are valid for only a subset of the complete physical access range that is controlled at the perimeter. Identification badges and permission for restricted areas should be supported with physical controls. Unless there are ways to partition access and limit it through controls that subdivide the physical space into discrete units of physical access, other mitigating controls will be necessary to limit access while providing for the business needs of servicing equipment or showing clients around. Registering and recording the access needs is an important step in identifying the access requirements and authenticating the requestor. Prearranged expectations with entrance control guard stations are a good way of ensuring that social engineering attempts are not used to gain physical access. No one should be allowed into a controlled area unless previously authorized. Badges clearly identifying visitors and temporary access limitations should be used at all times. Employees should be required by policy to challenge, in a nonthreatening manner, anyone outside the bounds of their permitted access. Check-in and check-out times should be reviewed against the predetermined expectations by checkpoint personnel, who should alert the authorities of any suspected variances. Any equipment or material coming in or going out should be assessed for possible risks. This can be a difficult issue to manage with visitors and clients, but a vendor's equipment should be reviewed to ensure that the integrity of the change control process is maintained and that equipment leaving the premises does not contain sensitive data. If consistent inspection is not seen as a control that is commensurate with the risk exposure, a random inspection of contents may be an option that provides some control while permitting most access with lesser constraints. For example, this method of limited review has been adopted by the airline industry for passenger belongings since the terrorist attacks of September 11, 2001. The inspection results should be recorded and maintained as evidence of the effectiveness of the control for analysis and audit purposes.
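The review of check-in and check-out times against prearranged expectations described above can be automated when the guard station keeps its sign-in log electronically. The Python script below is an added example written for this page, not code from the book: the authorization records, the log line layout (badge|name|area|check-in|check-out) and the 15-minute tolerance are all constructed assumptions. It produces the variances a checkpoint reviewer would escalate: visitors with no authorization on file, a name that does not match the registration, arrivals before or departures after the agreed window, missing check-outs, and entries to areas outside the permitted set.

```python
"""Reconcile a visitor sign-in log against prearranged visit authorizations.

Added example for this page (not from the book). All records below are
constructed sample data; the log layout and the tolerance are assumptions.
"""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
TOLERANCE = timedelta(minutes=15)  # assumed grace period around the agreed window

# Constructed sample: expectations registered with the guard station in advance.
AUTHORIZATIONS = {
    "V-1001": {"name": "A. Vendor", "host": "ops-mgr",
               "areas": {"lobby", "server-room"},
               "window": ("2003-05-12 09:00", "2003-05-12 12:00")},
    "V-1002": {"name": "B. Client", "host": "sales",
               "areas": {"lobby", "briefing"},
               "window": ("2003-05-12 13:00", "2003-05-12 15:00")},
}

# Constructed sample sign-in log: badge|name|area|check-in|check-out (blank = still open).
LOG = """\
V-1001|A. Vendor|server-room|2003-05-12 08:40|2003-05-12 11:50
V-1002|B. Client|briefing|2003-05-12 13:05|
V-1003|C. Walkin|server-room|2003-05-12 14:10|2003-05-12 14:30
V-1001|A. Vendor|tape-vault|2003-05-12 10:15|2003-05-12 10:20
"""


def parse_log(text):
    """Turn the pipe-delimited log into dicts with parsed timestamps."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        badge, name, area, t_in, t_out = line.split("|")
        entries.append({
            "badge": badge, "name": name, "area": area,
            "in": datetime.strptime(t_in, FMT),
            "out": datetime.strptime(t_out, FMT) if t_out else None,
        })
    return entries


def reconcile(log_text, auths, tolerance=TOLERANCE):
    """Return (badge, finding) pairs for every variance from the prearranged expectations."""
    findings = []
    for e in parse_log(log_text):
        auth = auths.get(e["badge"])
        if auth is None:
            # Nobody registered this visit: the entry itself is the variance.
            findings.append((e["badge"], "no prearranged authorization on file"))
            continue
        if e["name"] != auth["name"]:
            findings.append((e["badge"], "name on log does not match authorization"))
        start = datetime.strptime(auth["window"][0], FMT)
        end = datetime.strptime(auth["window"][1], FMT)
        if e["in"] < start - tolerance:
            early = int((start - e["in"]).total_seconds() // 60)
            findings.append((e["badge"], f"checked in {early} min before authorized window"))
        if e["out"] is None:
            # An open entry means the visitor was never signed out, or is still inside.
            findings.append((e["badge"], "no check-out recorded"))
        elif e["out"] > end + tolerance:
            late = int((e["out"] - end).total_seconds() // 60)
            findings.append((e["badge"], f"checked out {late} min after authorized window"))
        if e["area"] not in auth["areas"]:
            findings.append((e["badge"], f"entered {e['area']}, not in permitted areas"))
    return findings


if __name__ == "__main__":
    for badge, finding in reconcile(LOG, AUTHORIZATIONS):
        print(f"{badge}: {finding}")
```

Run against the constructed log, the script reports four variances: the vendor arriving 20 minutes early, the client with no check-out, the unregistered walk-in, and the vendor's entry to the tape vault. The same reconciliation run over real logs, with its output retained, gives the auditor the evidence of control operation that the chapter says is hard to obtain for physical controls.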
The Physical Location, Security Measures, and Visibility Profile

The physical location is one place in information security practice where security by obscurity is an acceptable practice. High-profile computer operations provide an obvious target for terrorists, political activists, or anyone who is looking for a place to start when launching an attack. No different from the grade-school "Kick me" sign taped to someone's back, drawing attention to computer processing is asking for trouble. Your evaluation should identify signs, phonebook listings, lobby marquees, and registration desk areas that clearly point the way to a data center as risks that need to be addressed. Only those with a need to know should be provided directions to the processing facilities. In addition, you will also want to evaluate whether the location itself puts the process in harm's way. Locating a processing facility in a flood plain, next to a hazardous or flammable material storage site, on an earthquake fault line, or where airline or rail traffic provides potential dangers are examples of poor planning that create risk for the IS organization. If any physical risk situations are identified during your review, determine whether these risks have been recognized and what compensating controls have been considered and deployed. Also, you should review the insurance coverage to ensure that these risks are covered by the policy. Alternative processing and contingency planning considerations will also play a big role when locations are less than ideal. Accessibility to and availability of the supplies needed to continue operations may be part of this consideration as well, especially for critical operations that could impact the physical safety of people if they were to be cut off. Of course, you will also want to evaluate the physical protection provided from the environment where the processing is located. Fencing and gates should be adequate based on the location's risk. Guards or attendants who check credentials and log activity are a best practice for controlling access and deterring theft. Lighting and surveillance cameras will enable the guards to observe trouble from a safe location. Recording and monitoring will provide an audit trail of people coming and going and of equipment movement, which should be reviewed for completeness and accuracy along with the associated procedures that describe the authorizations and any escalation practices. Man trap entrance controls and other key card processes should be used to ensure that the physical security of the processing personnel and information is also provided.

Personnel Safety

The safety of personnel will be an aspect of the physical security evaluation that is almost assumed to be an integral part of any security process. As you tour the facility and look for areas of risk or poor controls, you will naturally have an eye open to physical dangers to personnel; you do it without thinking, for your own personal safety. There may not even be a policy that describes personnel safety as a priority, because it is assumed to be the case without being documented. Some areas to be aware of may be worth mentioning here, however. Emergency evacuation plans and procedures should exist that prioritize personnel safety above physical and intellectual assets and include floor plans and evacuation routes. These plans and procedures should be tied closely to the contingency planning procedures, and ensuring everyone's safety should be a primary concern. Handicap evacuation and access, first aid kit locations and instructions, and call trees and authority notification procedures for averting a shutdown in case of a false alarm should all be included in this plan. Emergency procedure awareness and training should be part of the training that everyone receives periodically.
Escape and emergency exit doors should be available and include fail-safe and override controls to meet the local building and safety codes on doors. You will want to be familiar with these local requirements and check them for compliance. Exits should not be locked or chained, even when that makes sense from an asset-protection perspective. Alarms can be put in place to alert on door opening while still providing for safe passage in case of fire or other disaster. Testing of the procedures and safety mechanisms should be routinely performed and documented. Working conditions should be reasonable and provide break times and locations where employees can rest and eat. Schedules should be reasonable as well. Some of this will be a judgment call, and you will need to be familiar with comparable situations in order to substantiate any recommendations in this area. Policies should exist that ensure that people do not feel threatened or harassed in the workplace, and policies related to workplace violence, abuse, drug and alcohol use, and sexual harassment should all be part of the human resource process. This concern may extend beyond the immediate workplace, for example, where employees come and go at all hours supporting the operations process in remote areas or ones where crime rates are high. If employees are not treated well, the quality of the work will suffer, and any weaknesses you recognize in this subject area should be easily supportable. Make sure that you fully explore all of the circumstances and available options before announcing review findings and recommendations that may be based only on partial investigations.

Hard Copy Information Protection

The security controls for information in hard copy form should mirror those for electronic copies, because the data valuation is the same. This is often overlooked in an IS evaluation and is seen as being more related to the management of the business process than to the IS security area of responsibility. Once a hard copy is generated and carried away from the printing device, electronic controls have no effect on the protection of the data's confidentiality. A few things that the information systems can do should be reviewed, however. Departmental and business process procedures should document the proper handling of printed material and base the expected behavior on the value or classification of the data. Devices that routinely receive sensitive or classified information for printing, such as a fax or printer, should be in a physically secure location and be marked in some way to differentiate them from output devices that do not receive sensitive information, so that the two are not confused. Suppressing the ability to print or forward information may be a control worth considering in some sensitive locations. All output should be labeled, either through special stock paper based on the data's classification or through watermarks, headers, or footers within the documents, to clearly identify the data's value and who is authorized to handle or read it. Users should be instructed on how to dispose of printed material properly and be provided with ways of reporting violations anonymously, should they observe them occurring. Shredding stations or separate disposal provisions should be created for areas where large volumes of confidential material are routinely processed and disposed of. For example, light tables may be worth considering in order to ensure that the inadvertent disposal of important documentation does not occur, by inspecting discarded envelopes for overlooked documents. When evaluating the security controls for output, you will need to interview the business users to understand their routines and what their output is used for.
You also should ask about storage, retention, and physical controls to understand where the physical exposure of the information might create weakness. Also, you should review the disposal and retention policies to ensure that they require proper handling, and compare those requirements to the field observations you have made.

Resources

Handbook of Information Security Management, Micki Krause and Harold F. Tipton, eds. (CRC Press / Auerbach Publications, 1999).
The CISSP Prep Guide—Mastering the Ten Domains of Computer Security, Ronald Krutz and Russell Vines (John Wiley & Sons, 2001).
Secrets and Lies: Digital Security in a Networked World, Bruce Schneier (John Wiley & Sons, 2000).
Information Security Policies Made Easy Version 9, Charles C. Wood (PentaSafe, 2002).
Hacking Exposed, Stuart McClure, Joel Scambray, and George Kurtz (Osborne/McGraw Hill, 1999).
Surviving Security—How to Integrate People, Process, and Technology, Mandy Andress (Sams Publishing, 2002).
Information Security Architecture—An Integrated Approach to Security in the Organization, Jan Killmeyer Tudor (CRC Press / Auerbach Publications, 2001).
Information Security Architecture—Design, Deployment & Operations, Christopher M. King, Curtis E. Dalton, and T. Ertem Osmanoglu (Osborne/McGraw Hill, 2001).
NIST Special Publication 800-18—Guide for Developing Security Plans for Information Technology Systems, Marianne Swanson, December 1998.

Sample Questions

Here is a sampling of questions in the format of the CISA exam. These questions are related to the protection of information assets and will help test your understanding of this subject. Answers with explanations are provided in Appendix A.

1. What is the most important aspect of performing an evaluation of information security controls on a process or system?
A. Ensuring that the best practice control techniques are being utilized properly
B. Understanding the business's functional requirements of the process to ensure that they can be accomplished
C. Ensuring that the deployed controls work as part of the overall security architecture program
D. Making sure that access is strictly controlled based on a need to know

2. The concept of data integrity implies that
A. Access has not been given to those who do not have a need to know
B. Data can be accessed by processes when necessary to support the business function
C. Data has not been altered or modified outside of the expected and approved processing steps
D. Data has not been made available to processes for which the data classification has not been accredited

3. When reviewing security and business risks, it is most important to keep in mind that
A. Business risks are not as important as the security exposures to potential hackers.
B. The customer's expectation of privacy should take precedence over the business's risk tolerance when considering security controls.
C. Data classification should determine the security control requirements.
D. Some compromise of the security controls to accommodate the business's risk tolerance is a necessary part of doing business.

4. When evaluating the role of the information security officer, you should be most concerned to find that
A. The security officer's role was not well documented as part of the job description.
B. The security officer's role is defined as a key decision maker on a new product review committee.
C. Part of the defined role was the accountability for ensuring that the security controls kept any security breaches from occurring.
D. The authority for carrying out the role of a security officer was not explicitly tied to the organization's policy.

5. When reviewing an information system to assess its privacy risks, an IS auditor would consider all of the following except
A. Ensuring that the appropriate consent has been obtained from the customer before the release of sensitive data
B. The business needs for the client data within the processes
C. Proper disclosures to the customer of what the data is used for and how it will be protected
D. The laws and regulations relevant to the industry for privacy controls on customer data

6. While reviewing an information security program, the IS auditor determines that the best practices have not been followed as guidelines for developing the program. Which of the following would be the least important factor to consider when determining the recommendation related to changes for the program?
A. Whether a risk assessment was part of the determination of what the program elements should be
B. Whether the security officer had documented policies and procedures to direct the program
C. Whether the architectural design of the security deployed an in-depth state-of-the-art defense
D. Whether any inventory of the existing controls for managing security threats has been done

7. Policy for information security is a primary requirement for establishing control in an IS organization. Which of the following is not a reason why this is the case?
A. A policy establishes the steps required to put security in place.
B. A policy establishes the authority and accountability to get the security job done.
C. A policy sets the expectations for the employee's behavior as it relates to security.
D. The policy provides the mandate for putting the security program elements in place.

8. During an IS audit, the IS auditor determines that there is a control weakness due to the lack of available standards. When developing the findings and recommendation for the audit report, which of the following items should not be considered for inclusion as reasons for improving standards in the organization?
A. Standards provide common ground that will increase the efficiency of the operations
B. Standards creation is an industry best practice
C. Standards ensure that individual policy interpretation will not result in the establishment of weaker security overall by lowering the minimum security level
D. Standards provide simplified solutions to problems, enabling leverage of fewer solutions and economies of scale

9. During your review of an information security risk assessment, which of the following elements would you be least concerned with if no evidence was available to substantiate it?
A. The exercise of risk assessment is reperformed periodically.
B. The threats and vulnerabilities have been determined.
C. The existing controls have been inventoried and assessed for their effectiveness.
D. The risk assessment included a tactical as well as a strategic initiatives assessment.

10. [...] security review, the IS auditor determines that the firewall rule set is incorrectly built to protect the organization from the risks that are unacceptable to the business. The IS auditor should
A. Immediately notify the IS organization management so corrections can be made to prevent further vulnerability
B. Discuss the issue with audit management and prepare the findings and a recommendation for their report
C. Point out the deficiency to the firewall support staff, but note the state the controls were found in at the time of the review
D. Look at the rest of the controls to ensure that the risk has [...]

11. [...]
A. All of the relevant information is gathered about the person establishing the identity
B. Proof is provided to strongly tie the individual presenting themselves as the person for whom the ID is being established
C. Authorization is obtained for all accounts provided for the individual who is requesting access
D. The individual is given the opportunity to change their password immediately upon first log in

12. The security [...]

[...] validation of the certificate used at the time when the transaction occurred
B. The user's certificate was compromised or was expired at the time the transaction occurred
C. In reviewing the transaction flow and the security related to the use of the certification, it cannot be conclusively proven that no other person could have possibly been responsible for the transaction that had occurred
D. The transaction [...]

[...] evaluating these programs?
I. Proper staff levels and training of the staff to react and respond to issues as they present themselves
II. Establishment of a need for using either of these techniques based on the possibility of them actually being required
III. The response time requirements and the ability of the program in place to meet those needs
IV. Management's commitment to the programs and their support [...]

[...] inventory of all of the computers, systems, and other related resources
- Document telecommunication requirements
- Document plan maintenance and testing procedures
- Provide information from the last few tests and their results

Maintain the plan

Maintenance of the plan will be triggered by the testing and evaluation of the plan as well as by the change procedures within the IS organization [...]

[...] describe the content, and what your expectations should be of them. The introduction to the manual should state clearly what assumptions were made in the development of the manual so that the reader can quickly ascertain any gaps or discrepancies between the disaster they are trying to recover from and the one the manual was developed to address. Change logs and dates depicting the currentness of the documentation [...]

[...] for the recovery plan preparation process that moves from the strategic direction to the tactical follow-through of the detailed plan testing and training. The concept that makes this process most successful is to have the plan built with the end user's perspective in mind. Regardless of what is going on with "the man behind the curtain," if the end user or customers see the process as equivalent to their [...]

[...] locally at the processing facility may become unavailable if the facility becomes unusable. The testing plans must consider the complete recall time frame, which includes staging, loading, and acclimatizing the media before it can be used in the recovery process. All of these considerations will influence the size of the gap between what is actually available to recover from and the state of the information [...]

[...] one of these instances of change creates a need to update the recovery plans and associated procedures. The concern that little may be known of the processes or changes recently occurring in the IS organization must be addressed within the DRP's development and maintenance, and it should be reviewed by the IS auditor in their evaluation of the process. As an IS auditor, you should evaluate how the determination [...]

[...] an interim staging availability to the full recovery manual documentation set should be evaluated for the completeness of the documentation and the timeliness of the updates. Media with no corresponding documentation related to it at the recovery location will slow down the recovery process and possibly introduce data integrity errors or worse. Documentation related to the processes and procedures will [...]