With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.
Solved
It Auditing & Penetration Testing
Posted on 2015-01-02
Hi i want to start IT Business in IT Auditing & Penetration Testing field, i need guideline, like which service i can start in this field, what type of service i can provide, how many team members i need, is there any kind of license i need, i know question sound very ridiculous to ask here, but any kind of help will be appreciated.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5
4-
2
11 Comments
Active today
Just a few things:
SLA Service-level agreement
Change management procedures
Source code/document version control procedures
Software development life cycle standards
Logical access policies, standards and processes
Incident management policies and procedures
Problem management policies and procedures
Technical support policies and procedures
Hardware/software configuration
Disaster recovery/backup and recovery procedures,
Commitment and understanding (general):
Senior management’s commitment to information security initiatives. Management’s understanding of information security issues. Alignment of information security with the enterprise’s objectives. Executive and line management’s ownership and accountability for implementing, monitoring and reporting on information security.
Organizational structure:
Obtain an organizational diagram and establish there is sufficient segregation of duties, role and responsibilities. (not only departemental).
Who is granting access to what and how is this being done? Who is revoking access and how is this done?
(not only to systems but also Physical access).
Classification:
Classification of data and assets. Through classification of data, the security measurements taken will be in line with the importance of the data /assets. (if correctly implemented)
Physical access
Physical access (in general), factor in who has access to what and why?
Training in general
Security awareness training for all involved. Not only for sys admin but also for users in general. Users are the key in security. (not once or twice a year but frequently).
For IT Auditing I would recommend taking ISACA http://isaca.org/ as a frame work.
Read my document:
http://www.experts-exchange.com/Security/Operating_Systems_Security/A_17403-Information-Technology-General-Control.html
SLA Service-level agreement
Change management procedures
Source code/document version control procedures
Software development life cycle standards
Logical access policies, standards and processes
Incident management policies and procedures
Problem management policies and procedures
Technical support policies and procedures
Hardware/software configuration
Disaster recovery/backup and recovery procedures,
Commitment and understanding (general):
Senior management’s commitment to information security initiatives. Management’s understanding of information security issues. Alignment of information security with the enterprise’s objectives. Executive and line management’s ownership and accountability for implementing, monitoring and reporting on information security.
Organizational structure:
Obtain an organizational diagram and establish there is sufficient segregation of duties, role and responsibilities. (not only departemental).
Who is granting access to what and how is this being done? Who is revoking access and how is this done?
(not only to systems but also Physical access).
Classification:
Classification of data and assets. Through classification of data, the security measurements taken will be in line with the importance of the data /assets. (if correctly implemented)
Physical access
Physical access (in general), factor in who has access to what and why?
Training in general
Security awareness training for all involved. Not only for sys admin but also for users in general. Users are the key in security. (not once or twice a year but frequently).
For IT Auditing I would recommend taking ISACA http://isaca.org/ as a frame work.
Read my document:
http://www.experts-exchange.com/Security/Operating_Systems_Security/A_17403-Information-Technology-General-Control.html
Active today
First need to really identify the different from audit and pentest (short form), and in quick summary, the former check for policy/standard compliance and the latter check for security control effectiveness (which sometimes can be confused with vulnerability scanning which is passive verification and does not really associate closely with business context and impact. Pentest is more active validation and kind of no hold bar out to sieve out gap and further penetrate. It is to proof business risk is real and exposure need to be address holistically rather than just many cycles of find and patch. It should links multiple vulnerabilities to explore real business risk.
With this understanding, I believe you already see that audit has to really fully be apprise and well verse in the sort of policies and standard such as PCI-DSS, ISO/IEC 27001, SOX and others that you will want the audit to be lay with. It doesn't mean you need to be the policy owner or be digesting and memorising those material but must be able to ascertain what each clause meant and why each policy clause exist and how each clause are demonstrated and fulfilled to meet the rationale. It can be manual, paper based and walkthrough which mostly can be checklist driven.
However, pentest is set to drill into verify the scope of target to be assessed are duly protected and validate how effective the protection is able to prevent the penetration from a internal and external threat perspective. It also include the assessment how impactful and severe the risk involved upon vulnerability exposed. Those low hanging fruits can be surfaced straightforward and used to further "exploit" into the company to get the crown jewel to demonstrate the seriousness. It is kind of no hold bar but with set of rule of engagement that is concurred by the owner and senior executive before the whole activity starts.
The processes and team involved for both can be same or different but definitely the core set of ethics, project deliverable and competency with right skillset are required to run through and lead user in the activities throughut the cycle. The communication aspects to the end user and owner is the final piece to the whole puzzle as your team has to get all pieces in place and present the final picture to the company.
Also for any business, there should be a well established plan for long term goal and short term milestones. The small wins earns credibility especially in this line of business of security assessment and testing. It will be best get experienced folks and already have good relationship with the security community and know the works of Law enforcement on the legislative aspects for the conduct. This helps if they are in partnership or one of your core team. This needs time to nurture and not an one night efforts to establish security trustworthiness of the company. Going to security seminar and even trying out to present your know how in this area can kick start the awareness of you and company...
But one important point to note that such audit and pentest assessment is point in time assessment. They are never a continual analysis or monitoring aspects. Hence look into checking and advising the regime and period of these conduct. It is really very close to doing health check up. You do not only check your health when you sense (or already hit by) something wrong as it can be too late and an afterthought.
Below are some good sources that you can further check out and expect no lesser from your potential customers that this can be their baseline demands and expectation.
SANS - there are related training courses but I will say the networking with the folks and community is a good source and community to further your connection and sharing. SANS also has a reputable 20 critical controls which you may likely to see in the testing and auditing phases. Some materials include
Training (pentest) @ http://www.sans.org/curricula/penetration-testing & http://www.giac.org/certifications/audit & http://www.giac.org/certifications/security-administration
Conducting a Penetration Test on an Organization @ http://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67
An Overview of Threat and Risk Assessment @ http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
20 Critical controls @ https://www.sans.org/critical-security-controls/
Good to know from the methodology put up by public services on security audit and risk assessment (appendix and the checklist and guidelines) to minimally know the expectations too
@ http://www.ogcio.gov.hk/en/infrastructure/methodology/security_policy/doc/g51_pub.pdf
NIST - it came up with (SP) 800-115, which is a Technical Guide to Information Security Testing and Assessment that scope (or should I say most company into such service has this as baseline offering) and list out the hows and whats in the conduct for this testing and assessment. Also the SP800-53 rev4 is a must know as the security control will be the answer or guidance to the measures to comply each policy clause and effective control in place to withstand penetration.
Summary@ http://csrc.nist.gov/publications/nistbul/Dec2008_Testing-Assessment-SP800-115.pdf
(check out the Rules of Engagement Template in app B)
@ http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
Various good links @ http://www.pen-tests.com/nist-guideline-in-network-security-testing.html
CESG - initiative to help build up industry to be readily and capable for the public service to tap expertise to perform the security activities such as pentest and audit. Being a CHECK provider will open opportunities and gain more worthy queries on your services... @ http://www.crest-approved.org/industry-government/cesg-penetration-testing/index.html
Penetration testing standard which provide the technical mindmap and detailed activities involved. It also covers the key phases of Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation,
Post Exploitation and Reporting. These are pretty standard for most provider.
@ http://www.pentest-standard.org/index.php/Main_Page
Also you can catch my article about the activities and question asking in such security activities
Cyber playbook @ http://www.experts-exchange.com/Security/Misc/A_15099-Our-Cyber-Playbook-Are-we-ready-and-ahead-of-the-Cyber-chase.html
Savvy qns @ http://www.experts-exchange.com/Security/Digital_Forensics/A_15659-Ask-Cyber-Savvy-Question-s-There-are-many-ways-to-skin-a-cat.html
With this understanding, I believe you already see that audit has to really fully be apprise and well verse in the sort of policies and standard such as PCI-DSS, ISO/IEC 27001, SOX and others that you will want the audit to be lay with. It doesn't mean you need to be the policy owner or be digesting and memorising those material but must be able to ascertain what each clause meant and why each policy clause exist and how each clause are demonstrated and fulfilled to meet the rationale. It can be manual, paper based and walkthrough which mostly can be checklist driven.
However, pentest is set to drill into verify the scope of target to be assessed are duly protected and validate how effective the protection is able to prevent the penetration from a internal and external threat perspective. It also include the assessment how impactful and severe the risk involved upon vulnerability exposed. Those low hanging fruits can be surfaced straightforward and used to further "exploit" into the company to get the crown jewel to demonstrate the seriousness. It is kind of no hold bar but with set of rule of engagement that is concurred by the owner and senior executive before the whole activity starts.
The processes and team involved for both can be same or different but definitely the core set of ethics, project deliverable and competency with right skillset are required to run through and lead user in the activities throughut the cycle. The communication aspects to the end user and owner is the final piece to the whole puzzle as your team has to get all pieces in place and present the final picture to the company.
Also for any business, there should be a well established plan for long term goal and short term milestones. The small wins earns credibility especially in this line of business of security assessment and testing. It will be best get experienced folks and already have good relationship with the security community and know the works of Law enforcement on the legislative aspects for the conduct. This helps if they are in partnership or one of your core team. This needs time to nurture and not an one night efforts to establish security trustworthiness of the company. Going to security seminar and even trying out to present your know how in this area can kick start the awareness of you and company...
But one important point to note that such audit and pentest assessment is point in time assessment. They are never a continual analysis or monitoring aspects. Hence look into checking and advising the regime and period of these conduct. It is really very close to doing health check up. You do not only check your health when you sense (or already hit by) something wrong as it can be too late and an afterthought.
Below are some good sources that you can further check out and expect no lesser from your potential customers that this can be their baseline demands and expectation.
SANS - there are related training courses but I will say the networking with the folks and community is a good source and community to further your connection and sharing. SANS also has a reputable 20 critical controls which you may likely to see in the testing and auditing phases. Some materials include
Training (pentest) @ http://www.sans.org/curricula/penetration-testing & http://www.giac.org/certifications/audit & http://www.giac.org/certifications/security-administration
Conducting a Penetration Test on an Organization @ http://www.sans.org/reading-room/whitepapers/auditing/conducting-penetration-test-organization-67
An Overview of Threat and Risk Assessment @ http://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76
20 Critical controls @ https://www.sans.org/critical-security-controls/
Good to know from the methodology put up by public services on security audit and risk assessment (appendix and the checklist and guidelines) to minimally know the expectations too
@ http://www.ogcio.gov.hk/en/infrastructure/methodology/security_policy/doc/g51_pub.pdf
NIST - it came up with (SP) 800-115, which is a Technical Guide to Information Security Testing and Assessment that scope (or should I say most company into such service has this as baseline offering) and list out the hows and whats in the conduct for this testing and assessment. Also the SP800-53 rev4 is a must know as the security control will be the answer or guidance to the measures to comply each policy clause and effective control in place to withstand penetration.
Summary@ http://csrc.nist.gov/publications/nistbul/Dec2008_Testing-Assessment-SP800-115.pdf
(check out the Rules of Engagement Template in app B)
@ http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
Various good links @ http://www.pen-tests.com/nist-guideline-in-network-security-testing.html
CESG - initiative to help build up industry to be readily and capable for the public service to tap expertise to perform the security activities such as pentest and audit. Being a CHECK provider will open opportunities and gain more worthy queries on your services... @ http://www.crest-approved.org/industry-government/cesg-penetration-testing/index.html
Penetration testing standard which provide the technical mindmap and detailed activities involved. It also covers the key phases of Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation,
Post Exploitation and Reporting. These are pretty standard for most provider.
@ http://www.pentest-standard.org/index.php/Main_Page
Also you can catch my article about the activities and question asking in such security activities
Cyber playbook @ http://www.experts-exchange.com/Security/Misc/A_15099-Our-Cyber-Playbook-Are-we-ready-and-ahead-of-the-Cyber-chase.html
Savvy qns @ http://www.experts-exchange.com/Security/Digital_Forensics/A_15659-Ask-Cyber-Savvy-Question-s-There-are-many-ways-to-skin-a-cat.html
Active today
In Google search box write down: "site:isaca.org What IT Auditor should know"
You will be able to get lot of useful documents.
You will be able to get lot of useful documents.
Active today
You may want to also know about Information Assurance Support Environment (IASE) from US which stated in its DoD Directive 8570.01that drive the policy for the right skill set for Information assurance workforce. It came out with the summary of IA Workforce Qualification Requirements @ http://iase.disa.mil/iawip/Pages/summary_wf_requirements.aspx
This may be relevant and it mapped to certification recognised to meet each level @http://iase.disa.mil/iawip/Pages/iabaseline.aspx
Specific to Auditor - CISA, GSNA and CISSP are likely ones expected by customers..but certification not necessary means there is experience and skillsets for individual. Experience in past assignment in the credential will be more creditable.
I also find relevance and importance that service will need to ascertain compliance to standard. For PCI-DSS, below are necessary for qualification to perform the security assessment
- Qualified Security Assessor (QSA)
@ https://www.pcisecuritystandards.org/approved_companies_providers/become_qsa.php
- Approved Scanning Vendors (ASVs)
@ https://www.pcisecuritystandards.org/approved_companies_providers/become_asv.php
- Internal Security Assessor (ISA)
@ https://www.pcisecuritystandards.org/approved_companies_providers/become_isa.php
Likewise another well recognised standard based is ISO2700. Typically you will expect ISO/IEC 27001 Lead Auditor certificated individual that is able to audti wrt to this standard. Look at the various seniority level@ http://en.wikipedia.org/wiki/ISO/IEC_27001_Lead_Auditor
In UK there is CESG Certified Professional (CCP) scheme is the UK Government’s approved standard of competence for cyber security professionals and provides an independent assessment and verification process for those working in Information Assurance (IA). The various roles and qualification is also stated in below and do see IA Auditor and Pen Tester roles @ http://certifications.bcs.org/category/16266
As a whole the team (for a start) is likely to be 2-3 pax with a lead and others being SME domain and specialised on their core competence in scripting, tool usage, scenario test plan and system/application specific test case. The team may varied based on the size of customer environment and scope of work (from global MNC network to specific website or policy check)
This may be relevant and it mapped to certification recognised to meet each level @http://iase.disa.mil/iawip/Pages/iabaseline.aspx
Specific to Auditor - CISA, GSNA and CISSP are likely ones expected by customers..but certification not necessary means there is experience and skillsets for individual. Experience in past assignment in the credential will be more creditable.
I also find relevance and importance that service will need to ascertain compliance to standard. For PCI-DSS, below are necessary for qualification to perform the security assessment
- Qualified Security Assessor (QSA)
@ https://www.pcisecuritystandards.org/approved_companies_providers/become_qsa.php
- Approved Scanning Vendors (ASVs)
@ https://www.pcisecuritystandards.org/approved_companies_providers/become_asv.php
- Internal Security Assessor (ISA)
@ https://www.pcisecuritystandards.org/approved_companies_providers/become_isa.php
Likewise another well recognised standard based is ISO2700. Typically you will expect ISO/IEC 27001 Lead Auditor certificated individual that is able to audti wrt to this standard. Look at the various seniority level@ http://en.wikipedia.org/wiki/ISO/IEC_27001_Lead_Auditor
In UK there is CESG Certified Professional (CCP) scheme is the UK Government’s approved standard of competence for cyber security professionals and provides an independent assessment and verification process for those working in Information Assurance (IA). The various roles and qualification is also stated in below and do see IA Auditor and Pen Tester roles @ http://certifications.bcs.org/category/16266
As a whole the team (for a start) is likely to be 2-3 pax with a lead and others being SME domain and specialised on their core competence in scripting, tool usage, scenario test plan and system/application specific test case. The team may varied based on the size of customer environment and scope of work (from global MNC network to specific website or policy check)
Active today
You need to obtain an understanding of the entity's Information Technology environment and a preliminary understanding of the IT general controls and IT applications in place, so as to be able to evaluate the effectiveness of the Information Systems to address the IT risks and consider whether there are any implications; find attached a sample document that I use for Auditing
Audit.docx
Audit.docx
Active today
nice one from madunix. You can also check out the ISO 27001/2 implementation and guidelines (docx) that covers all 39 control objectives @ http://www.iso27001security.com/ISO27k_Guideline_on_ISMS_implementation_and_metrics_1v3.docx
- Risk assessment and treatment,
- Security policy,
- Organizing information security,
- Asset management,
- Physical and environmental security,
- Communications and operations management,
- Access control,
- Information systems acquisition,
- development and maintenance,
- Information security incident management,
- Business continuity management,
- Compliance
Also do take a look at the SP800-115 pdf (2nd Link) in prev posting, which is useful in various section. The section 6 on Security Assessment Planning covers such approach
A- minimizing risk from the assessment from identified vulnerabilities
> Step 1. Documentation Review
> Step 2. Ruleset and Security Configuration Review. I
> Step 3. Wireless Scanning.
> Step 4. Network Discovery and Vulnerability Scanning
B- validating controls that include attempts to exploit selected vulnerabilities
> Step 1. Ruleset and Security Configuration Review. I
> Step 2. Network Discovery and Vulnerability Scanning.
> Step 3. Penetration Test with Social Engineering.
C - evaluating effectiveness of the organization’s audit capabilities for
attacks against the system.
> Step 1. External Penetration Testing.
> Step 2. Log Review. R
Assessor skill set (as also in the section) include
- Risk assessment and treatment,
- Security policy,
- Organizing information security,
- Asset management,
- Physical and environmental security,
- Communications and operations management,
- Access control,
- Information systems acquisition,
- development and maintenance,
- Information security incident management,
- Business continuity management,
- Compliance
Also do take a look at the SP800-115 pdf (2nd Link) in prev posting, which is useful in various section. The section 6 on Security Assessment Planning covers such approach
A- minimizing risk from the assessment from identified vulnerabilities
> Step 1. Documentation Review
> Step 2. Ruleset and Security Configuration Review. I
> Step 3. Wireless Scanning.
> Step 4. Network Discovery and Vulnerability Scanning
B- validating controls that include attempts to exploit selected vulnerabilities
> Step 1. Ruleset and Security Configuration Review. I
> Step 2. Network Discovery and Vulnerability Scanning.
> Step 3. Penetration Test with Social Engineering.
C - evaluating effectiveness of the organization’s audit capabilities for
attacks against the system.
> Step 1. External Penetration Testing.
> Step 2. Log Review. R
Assessor skill set (as also in the section) include
significant security and networking knowledge, including expertise in network security, firewalls, intrusion detection systems, operating systems, programming, and networking protocols (such as TCP/IP)
Operational experience is preferred to classroom or laboratory training. Allowing inexperienced or untrained staff to conduct technical tests can negatively affect an organization’s systems and networks, potentially hindering its mission and damaging the credibility of its security program management office and assessors. It is also beneficial to have a technical writer or other individual on the team with strong technical writing skills.Likewise the key lead in the team should note this
The team’s leader should be selected based on overall technical knowledge and experience with the type of techniques being executed, and knowledge of the assets being assessed. Team leaders should also have strong communication, organization, planning, and conflict resolution skills.ISO27k-Toolkit-overview-and-contents-5v2
Active today
IT audits is really wide, however the COBIT 5 framework is a nice starting point for IT auditing.
I would suggest that you include essential areas in your document:
(1) Network configuration;
(2) Current operations procedures;
(3) Offsite data storage.
(4) Disaster recovery program..
Also, you should ask a manager about the Disaster Recovery objectives and the business continuity plan. if she/he's unable to provide you that, there isn't a plan for BCP and DR. The Management should look at business risks and technical risks and should be able to make the main BCP, take the following points/questions inconsideration:
1) During the course of a disaster or significant disruption, does your organization have written plans for business continuity and IT disaster recovery?
YES/No
2) If you answered “Yes” to question (1) do the established plans cover critical business functions with recovery priorities?
YES/NO
3) Have you performed a business impact analysis including Recovery Time Objective and Recovery Point Objective?
YES/NO
4) Does your Business Impact Analysis calculate and classify the financial risk of disturbances to all vital functions?
YES/NO
5) Have you taken actions to mitigate known risks and single points of failure (e.g. power loss, physical access, etc.)?
YES/NO
6) Do you have a dedicated team of professionals focused on business continuity and/or IT disaster recovery?
YES/NO
7) If you answered “No” to question (6), is there an established external business continuity and disaster recovery service provider to handle your planning needs?
YES/NO
8) Is senior management fully committed to disaster recovery and business continuity?
YES/NO
9) Are your disaster recovery costs, options, and disaster declaration procedures understandable?
YES/NO
10) Do you have a sufficient budget to support your disaster recovery program?
YES/NO
11) Is your business continuity plan updated regularly to keep it current with hardware, software, business and staffing changes?
YES/NO
12) Is there an organized training and awareness program for your employees?
YES/NO
13) Does your disaster recovery centre have an operation centre?
YES/NO
14) Is there remote accessibility to your disaster recovery centre?
YES/NO
15) If you answered “Yes” to question (1), is the plan periodically tested?
YES/NO
16) If you answered “Yes” to question (15), how often is the plan tested?
Annually -----------------------
Semi-annually -----------------------
Other (Please specify) -----------------------
17) Did you test the plan in 2008 and first half of 2009?
YES/NO
18) If you answered “Yes” to question (17), please specify the test dates and whether the tests were satisfactory or not?
Test Dates Yes No
(1) ------------------ …… ……
(2) ------------- …… …...
(3) ---------------- …… …...
(4) --------------- …… ……
(5) ---------- …… ……
(6) --------- …… ……
18.1) Who rates the success criteria of the executed tests?
Internally Rated
Other
19) Do the tests include market participants who have direct or indirect relations with your organizations?
YES/NO
19.1) Do you practice spontaneous tests to recover from a Disaster Recovery Site and resume the day from that location?
YES/NO
20) Have you tested your plan using a worst-case scenario?
YES/NO
21) Has your plan been tested for the possibility of facility loss?
YES/NO
22) If you answered “Yes” to questions (20) or (21), did testing prove that you can follow all Recovery Time Objective and Recovery Point Objective?
YES/NO
23) In the event of any disaster case how long does it take for you to stand up your system? (Please specify)
……………………………………………………………………
24) Does your organization have a documented crisis management process?
YES/NO
25) If you answered “Yes” to question (24), during the event of a crisis does the process cover internal and external communications?
YES/NO
26) In the case of a disaster are you prepared to address liabilities and responsibilities?
YES/NO
27) In the event of an outage or emergency do you provide detailed contact information?
YES/NO
28) Do you have a recovery strategy?
YES/NO
29) If you answered “Yes” to question (28), what is your organization recovery strategy?
Hot Sites
Warm Sites
Cold sites
Duplicate information processing facilities
Mobile sites
Reciprocal arrangements with other organizations
30) Where is your disaster recovery centre and please specify how many kilometers further away is it from your organization?
……………………………………………………………………
31) Do you have a backup strategy?
YES/NO
32) Do you have written backup and archive procedures?
YES/NO
33) Do you have industry-standard back-up solutions? (media, tape drives, library, software etc.)
YES/NO
34) To ensure sufficient permanent access do you have a migration policy to "refresh" tape technology and data formats every three to five years to?
YES/NO
35) Do you always use the "verify" option to ensure that your system backups are working?
YES/NO
36) Do you periodically test your back-up media?
YES/NO
37) Can you access to your past data with your back-up strategy?
YES/NO
38) Are backups fully automated for unattended operation (autoloaders, etc.)?
YES /NO
39) If your backups are manual, do you follow a sound process and written procedures?
YES/NO
40) If your backups are not manual, do you have online backup?
YES/NO
41) Does your current backup and recovery methodology fulfill management’s business uptime needs?
YES/NO
42) Do you regularly send your backup copy to a safe, off-site archive?
YES/NO
43) Do you have retention period on backup data for legal obligations?
YES/NO
44) Is media properly taken care of when shipped, handled, stored, and used?
YES/NO
45) Is your archive system designed to facilitate data format standards and an archive tape tracking method?
YES/NO
Links for reading:
http://searchstorage.bitpipe.com/
http://iase.disa.mil/index2.html
http://www.redbooks.ibm.com/redbooks/pdfs/sg246844.pdf
http://www.experts-exchange.com/Networking/Network_Management/Disaster_Recovery/Q_28081599.html
http://www.experts-exchange.com/Software/Backup_Restore/Q_27781899.html
http://www.isaca.org/cobit
I would suggest that you include essential areas in your document:
(1) Network configuration;
(2) Current operations procedures;
(3) Offsite data storage.
(4) Disaster recovery program..
Also, you should ask a manager about the Disaster Recovery objectives and the business continuity plan. if she/he's unable to provide you that, there isn't a plan for BCP and DR. The Management should look at business risks and technical risks and should be able to make the main BCP, take the following points/questions inconsideration:
1) During the course of a disaster or significant disruption, does your organization have written plans for business continuity and IT disaster recovery?
YES/No
2) If you answered “Yes” to question (1) do the established plans cover critical business functions with recovery priorities?
YES/NO
3) Have you performed a business impact analysis including Recovery Time Objective and Recovery Point Objective?
YES/NO
4) Does your Business Impact Analysis calculate and classify the financial risk of disturbances to all vital functions?
YES/NO
5) Have you taken actions to mitigate known risks and single points of failure (e.g. power loss, physical access, etc.)?
YES/NO
6) Do you have a dedicated team of professionals focused on business continuity and/or IT disaster recovery?
YES/NO
7) If you answered “No” to question (6), is there an established external business continuity and disaster recovery service provider to handle your planning needs?
YES/NO
8) Is senior management fully committed to disaster recovery and business continuity?
YES/NO
9) Are your disaster recovery costs, options, and disaster declaration procedures understandable?
YES/NO
10) Do you have a sufficient budget to support your disaster recovery program?
YES/NO
11) Is your business continuity plan updated regularly to keep it current with hardware, software, business and staffing changes?
YES/NO
12) Is there an organized training and awareness program for your employees?
YES/NO
13) Does your disaster recovery centre have an operation centre?
YES/NO
14) Is there remote accessibility to your disaster recovery centre?
YES/NO
15) If you answered “Yes” to question (1), is the plan periodically tested?
YES/NO
16) If you answered “Yes” to question (15), how often is the plan tested?
Annually -----------------------
Semi-annually -----------------------
Other (Please specify) -----------------------
17) Did you test the plan in 2008 and first half of 2009?
YES/NO
18) If you answered “Yes” to question (17), please specify the test dates and whether the tests were satisfactory or not?
Test Dates Yes No
(1) ------------------ …… ……
(2) ------------- …… …...
(3) ---------------- …… …...
(4) --------------- …… ……
(5) ---------- …… ……
(6) --------- …… ……
18.1) Who rates the success criteria of the executed tests?
Internally Rated
Other
19) Do the tests include market participants who have direct or indirect relations with your organizations?
YES/NO
19.1) Do you practice spontaneous tests to recover from a Disaster Recovery Site and resume the day from that location?
YES/NO
20) Have you tested your plan using a worst-case scenario?
YES/NO
21) Has your plan been tested for the possibility of facility loss?
YES/NO
22) If you answered “Yes” to questions (20) or (21), did testing prove that you can follow all Recovery Time Objective and Recovery Point Objective?
YES/NO
23) In the event of any disaster case how long does it take for you to stand up your system? (Please specify)
……………………………………………………………………
24) Does your organization have a documented crisis management process?
YES/NO
25) If you answered “Yes” to question (24), during the event of a crisis does the process cover internal and external communications?
YES/NO
26) In the case of a disaster are you prepared to address liabilities and responsibilities?
YES/NO
27) In the event of an outage or emergency do you provide detailed contact information?
YES/NO
28) Do you have a recovery strategy?
YES/NO
29) If you answered “Yes” to question (28), what is your organization recovery strategy?
Hot Sites
Warm Sites
Cold sites
Duplicate information processing facilities
Mobile sites
Reciprocal arrangements with other organizations
30) Where is your disaster recovery centre and please specify how many kilometers further away is it from your organization?
……………………………………………………………………
31) Do you have a backup strategy?
YES/NO
32) Do you have written backup and archive procedures?
YES/NO
33) Do you have industry-standard back-up solutions? (media, tape drives, library, software etc.)
YES/NO
34) To ensure sufficient permanent access do you have a migration policy to "refresh" tape technology and data formats every three to five years to?
YES/NO
35) Do you always use the "verify" option to ensure that your system backups are working?
YES/NO
36) Do you periodically test your back-up media?
YES/NO
37) Can you access to your past data with your back-up strategy?
YES/NO
38) Are backups fully automated for unattended operation (autoloaders, etc.)?
YES /NO
39) If your backups are manual, do you follow a sound process and written procedures?
YES/NO
40) If your backups are not manual, do you have online backup?
YES/NO
41) Does your current backup and recovery methodology fulfill management’s business uptime needs?
YES/NO
42) Do you regularly send your backup copy to a safe, off-site archive?
YES/NO
43) Do you have retention period on backup data for legal obligations?
YES/NO
44) Is media properly taken care of when shipped, handled, stored, and used?
YES/NO
45) Is your archive system designed to facilitate data format standards and an archive tape tracking method?
YES/NO
Links for reading:
http://searchstorage.bitpipe.com/
http://iase.disa.mil/index2.html
http://www.redbooks.ibm.com/redbooks/pdfs/sg246844.pdf
http://www.experts-exchange.com/Networking/Network_Management/Disaster_Recovery/Q_28081599.html
http://www.experts-exchange.com/Software/Backup_Restore/Q_27781899.html
http://www.isaca.org/cobit
Active today
also Mehari documentation has rich info in 27001 compliance which the checklist is useful for security auditor too. it serves the purpose of reviewing the questionaire in each of the domains in ISO/IEC 27002 controls, including its suggested measures and streamline into the risk assessment methodology (align to ISO/IEC 27005:2008) to identify, classify severity, suggest mitigation/remediation to complete the whole picture of assessment. I tend to see risk assessment is one worthy value add that you can consider in term of the assessment you are conducting. It should align to business context of your client and not generalised.
https://www.clusif.asso.fr/en/production/mehari/
Check out its knowledge base and documentation.
They stated 2010 but the assessment basis and scope will not change much
https://www.clusif.asso.fr/en/production/mehari/download/
https://www.clusif.asso.fr/fr/production/ouvrages/type.asp?id=METHODES
It covers the theme in the questionnaire which is applicable also for IT audit as a whole.
Roles and organization
Security awareness and training, Human resources management
Physical access control (sites, buildings and premises)
Miscellaneous Risks
Networks and Systems Architecture
Control of the exchanges
Logical access control
Security of data
Operational procedures
Management of data containers
Protection of documents and written information
Recovery Plans
Backups
Maintenance
Projects and developments
Incident management
Audit management
Compliance management
Information security management system
https://www.clusif.asso.fr/en/production/mehari/
Check out its knowledge base and documentation.
They stated 2010 but the assessment basis and scope will not change much
https://www.clusif.asso.fr/en/production/mehari/download/
https://www.clusif.asso.fr/fr/production/ouvrages/type.asp?id=METHODES
It covers the theme in the questionnaire which is applicable also for IT audit as a whole.
Roles and organization
Security awareness and training, Human resources management
Physical access control (sites, buildings and premises)
Miscellaneous Risks
Networks and Systems Architecture
Control of the exchanges
Logical access control
Security of data
Operational procedures
Management of data containers
Protection of documents and written information
Recovery Plans
Backups
Maintenance
Projects and developments
Incident management
Audit management
Compliance management
Information security management system
Active today
You may also want to be aware of the Statement on Standards for Attestation Engagements (SSAE) No. 16. It supersedes Statement on Auditing Standards (SAS) No. 70 with the professional guidance on performing the service auditor's examination. The main deliverable also widely used and required include SSAE 16 SOC report I and II. Likewise the controls and their effectiveness are evaluated and audited. http://ssae16.com/SSAE16_reports.html
There is another worthy mention on International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization. It provides an international assurance standard for allowing public accountants to issue a report for use by user organizations and their auditors (user auditors). Primarily focus on Financial reporting and associated support ICT systems in a service organization. Specifically, you may want to note this which covered Trust Services Principles and Criteria
For your case, I believe the SOC II report is more relevant and the latter is based upon the Trust Services Principles, specific drilling into controls relevant from the operations and compliance. SOC I is audit of a user entity’s financial statements mainly.
There is another worthy mention on International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization. It provides an international assurance standard for allowing public accountants to issue a report for use by user organizations and their auditors (user auditors). Primarily focus on Financial reporting and associated support ICT systems in a service organization. Specifically, you may want to note this which covered Trust Services Principles and Criteria
Public accounting firms and practitioners, who obtain a WebTrust business license from the AICPA or CICA, can provide assurance services to evaluate and test whether a particular eCommerce service meets the selected Trust Services principles and criteria. The WebTrust seal of assurance is placed on the organization's web site following the engagement and signifies the practitioner's unqualified opinion.http://isae3402.com/ISAE3402_trustservices.html
A SysTrust engagement allows public accounting firms and practitioners to provide assurance on the reliability of a system using any of the Trust Services Principles and Criteria with the exception of the Online Privacy Principle and Criteria. The Online Privacy Principle and Criteria can only be used for a WebTrust engagement.
For your case, I believe the SOC II report is more relevant and the latter is based upon the Trust Services Principles, specific drilling into controls relevant from the operations and compliance. SOC I is audit of a user entity’s financial statements mainly.
Featured Post
Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!
Learn how Concerto can help you.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things. So where are MSPs falling in this spectrum?
The Email Laundry PDF encryption service allows companies to send confidential encrypted emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses
Course of the Month10 days, 8 hours left to enroll
718 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.