VPN Security Audit Assurance Program Icq Eng 1012

VPN Security Audit/Assurance Program

About ISACA
With more than 100,000 constituents in 180 countries, ISACA (www.isaca.org) is a leading global provider of knowledge,
certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise
governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA
hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards,
which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and
knowledge through the globally respected Certified Information Systems Auditor (CISA), Certified Information Security
Manager (CISM), Certified in the Governance of Enterprise IT (CGEIT) and Certified in Risk and Information Systems
Control (CRISC) designations.
ISACA continually updates and expands the practical guidance and product family based on the COBIT framework.
COBIT helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities,
particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created VPN Security Audit/Assurance Program (the Work) primarily as an educational resource
for governance and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful
outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other
information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of
any specific information, procedure or test, governance and assurance professionals should apply their own professional
judgment to the specific circumstances presented by the particular systems or information technology environment.
Reservation of Rights
2012 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed,
displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying,
recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this
publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements,
and must include full attribution of the materials source. No other right or permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
Email: info@isaca.org
Web site: www.isaca.org
Provide feedback: www.isaca.org/VPN-AP
Participate in the ISACA Knowledge Center: www.isaca.org/knowledge-center
Follow ISACA on Twitter: https://twitter.com/ISACANews
Join ISACA on LinkedIn: ISACA (Official), http://linkd.in/ISACAOfficial
Like ISACA on Facebook: www.facebook.com/ISACAHQ
ISBN 978-60420-269-4
Acknowledgments
2012 ISACA. All rights reserved. Page 2

ISACA wishes to recognize:
Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive, Inc., USA
Expert Reviewers
Michael Castro, CISA, ResMor Trust Co, Canada
Joanne De Vito De Palma, BCMM, The Ardent Group LLC, USA
Russell K. Fairchild, CISA, CRISC, CISSP, PMP, SecureIsle, USA
Alek Geldenberg, CISA, CRISC, CISSP, MSMM, USA
Francis Kaitano, CISA, CISM, CISSP, ITIL, MCAD.Net, MCSD, Contact Energy, New Zealand
Kamal Khan, CISA, CISSP, CITP, Saudi Aramco, Saudi Arabia
Lily M. Shue, CISA, CISM, CGEIT, CRISC, LMS Associates LLC, USA
Babu Srinivas, CISA, CISM, SP AusNet, Australia
David A. Williams, CRISC, PMP, OceanFirst Bank, USA
ISACA Board of Directors
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, International President
Allan Boardman, CISA, CISM, CGEIT, CRISC, ACA, CA (SA), CISSP, Morgan Stanley, UK, Vice
President
Juan Luis Carselle, CISA, CGEIT, CRISC, Wal-Mart, Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, CRISC, INTRALOT S.A., Greece, Vice President
Ramses Gallego, CISM, CGEIT, CCSK, CISSP, SCPM, 6 Sigma, Quest Software, Spain, Vice President
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Vice
President
Jeff Spivey, CRISC, CPP, PSP, Security Risk Management Inc., USA, Vice President
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP, Valuendo, Belgium, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Past International President
Emil DAngelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd. (retired), USA, Past International
President
John Ho Chi, CISA, CISM, CRISC, CBCP, CFE, Ernst & Young LLP, Singapore, Director
Krysten McCabe, CISA, The Home Depot, USA, Director
Jo Stewart-Rattray, CISA, CISM, CGEIT, CRISC, CSEPS, BRM Holdich, Australia, Director
Knowledge Board
Marc Vael, Ph.D., CISA, CISM, CGEIT, CRISC, CISSP, Valuendo, Belgium, Chairman
Steven Andrew Babb, CGEIT, CRISC, UK
Thomas E. Borton, CISA, CISM, CRISC, CISSP, Cost Plus, USA
Phil James Lageschulte, CGEIT, CPA, KPMG LLP, USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Steven E. Sizemore, CISA, CIA, CGAP, Texas Health and Human Services Commission, USA
Guidance and Practices Committee
Phil James Lageschulte, CGEIT, CPA, KPMG LLP, USA, Chairman
Dan Haley, CISA, CGEIT, CRISC, MCP, Johnson & Johnson, USA
Yves Marcel Le Roux, CISM, CISSP, CA Technologies, France
Aureo Monteiro Tavares Da Silva, CISM, CGEIT, Pelissari, Brazil
Jotham Nyamari, CISA, Deloitte, USA
Connie Lynn Spinelli, CISA, CRISC, CFE, CIA, CMA, CPA, GRC Solutions LLC, USA
John William Walker, CISM, CRISC, CITP, FBCS, ITPC Secure Bastion Ltd., UK
Siang Jun Julia Yeo, CISA, CPA (Australia), Visa Worldwide Pte. Limited., Singapore
Nikolaos Zacharopoulos, CISA, DeutschePostDHL, Germany
ISACA and IT Governance Institute (ITGI) Affiliates and Sponsors
Information Security Forum

Institute of Management Accountants Inc.
ISACA chapters
ITGI France
ITGI Japan
Norwich University
Socitum Performance Management Group
Solvay Brussels School of Economics and Management
Strategic Technology Management Institute (STMI) of the National University of Singapore
University of Antwerp Management School
ASIS International
Hewlett-Packard
IBM
Symantec Corp.
Table of Contents
I.
II.
III.
IV.
V.
VI.
Introduction.......................................................................................................................................5
Using This Document........................................................................................................................6
Controls Maturity Analysis................................................................................................................8
Assurance and Control Framework..................................................................................................10
Executive Summary of Audit/Assurance Focus...............................................................................11
Audit/Assurance Program................................................................................................................13
1. Planning and Scoping the Audit...................................................................................................13
2. Preparatory Steps.........................................................................................................................15
3. Governance..................................................................................................................................16
4. Policy...........................................................................................................................................17
5. Configuration...............................................................................................................................19
6. Maintenance and Monitoring.......................................................................................................26
VII. Maturity Assessment........................................................................................................................28
VIII. Maturity Assessment vs. Target Assessment....................................................................................33
I. Introduction
Overview
ISACA has developed the IT Assurance FrameworkTM (ITAFTM) as a comprehensive and good practice-setting
model. ITAF provides standards that are designed to be mandatory, and are the guiding principles under which
the IT audit and assurance profession operates. The guidelines provide information and direction for the practice
of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide
direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific
assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and
assurance practitioners with the requisite knowledge of the subject matter under review, as described in ITAF,
section 2200General Standards. The audit/assurance programs are part of ITAF, section 4000IT Assurance
Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework
specifically COBIT 4.1using generally applicable and accepted good practices. They reflect ITAF, sections
3400IT Management Processes, 3600IT Audit and Assurance Processes, and 3800IT Audit and Assurance
Management.
Many enterprises have embraced several frameworks at an enterprise level, including the Committee of
Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance
of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange
Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries.
Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT

audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this
audit/assurance program. The reviewer may delete or rename these columns to align with the enterprises control
framework.
Governance, Risk and Control of IT

Governance, risk and control of IT are critical in the performance of any assurance management process.
Governance of the process under review will be evaluated as part of the policies and management oversight
controls. Risk plays an important role in evaluating what to audit and how management approaches and manages
risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation
point in the process. The audit/assurance program will identify the control objectives and the steps to determine
control design and effectiveness.
Responsibilities of IT Audit and Assurance Professionals

IT audit and assurance professionals are expected to customize this document to the environment in which they
are performing an assurance process. This document is to be used as a review tool and starting point. It may be
modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is
assumed that the IT audit and assurance professional has the necessary subject matter expertise required to
conduct the work and is supervised by a professional with the CISA designation and/or necessary subject matter
expertise to adequately review the work performed.
II. Using This Document

This audit/assurance program was developed to assist the audit and assurance professional in designing and
executing a review. Details regarding the format and use of the document follow.
Work Program Steps

The first column of the program describes the steps to be performed. The numbering scheme used provides builtin work paper numbering for ease of cross-reference to the specific work paper for that section. The physical
document was designed in Microsoft Word. The IT audit and assurance professional is encouraged to make
modifications to this document to reflect the specific environment under review.
Step 1 is part of the fact gathering and pre-fieldwork preparation. Because the pre-fieldwork is essential to a
successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g., 1.1, are
in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the sub-steps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify use, the program
describes the audit/assurance objectivethe reason for performing the steps in the topic area and the specific
controls follow. Each review step is listed after the control. These steps may include assessing the control design
by walking through a process, interviewing, observing or otherwise verifying the process and the controls that
address that process. In many cases, once the control design has been verified, specific tests need to be
performed to provide assurance that the process associated with the control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last section of
the program.
The audit/assurance plan wrap-upthose processes associated with the completion and review of work papers,
preparation of issues and recommendations, report writing and report clearinghas been excluded from this

document because it is standard for the audit/assurance function and should be identified elsewhere in the
enterprises standards.
COBIT 4.1 Cross-reference

The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific
COBIT 4.1 control objective that supports the audit/assurance step. The COBIT control objective should be
identified for each audit/assurance step in the section. Multiple cross-references are not uncommon.
Subprocesses in the work program are too granular to be cross-referenced to COBIT. The audit/assurance
program is organized in a manner to facilitate an evaluation through a structure parallel to the development
process. COBIT provides in-depth control objectives and suggested control practices at each level. As
professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for
good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and
assurance professionals. This ties the assurance work to the enterprises control framework. While the IT
audit/assurance function has COBIT as a framework, operational audit and assurance professionals use the
framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has
been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance
function. Many audit/assurance enterprises include the COSO control components within their report and
summarize assurance activities to the audit committee of the board of directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is
possible but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO issued the
Enterprise Risk Management (ERM) Integrated Framework, which includes eight components. The ERM
framework has a business decision focus when compared to the 2004 Internal ControlIntegrated Framework.
Large enterprises are in the process of adopting ERM. The two frameworks are compared in figure 1.
Figure 1Comparison of COSO Internal Control and ERM Integrated Frameworks
Internal ControlIntegrated Framework
ERM Integrated Framework
Control Environment: The control environment sets the tone of an
organization, influencing the control consciousness of its people. It is
the foundation for all other components of internal control, providing
discipline and structure. Control environment factors include the
integrity, ethical values, managements operating style, delegation of
authority systems, as well as the processes for managing and
developing people in the organization.
Risk Assessment: Every entity faces a variety of risks from external

and internal sources that must be assessed. A precondition to risk
assessment is establishment of objectives, and thus risk assessment is
the identification and analysis of relevant risks to achievement of
assigned objectives. Risk assessment is a prerequisite for determining
how the risks should be managed.
Internal Environment: The internal environment encompasses the

tone of an organization, and sets the basis for how risk is viewed and
addressed by an entitys people, including risk management
philosophy and risk appetite, integrity and ethical values, and the
environment in which they operate.
Objective Setting: Objectives must exist before management can
identify potential events affecting their achievement. Enterprise risk
management ensures that management has in place a process to set
objectives and that the chosen objectives support and align with the
entitys mission and are consistent with its risk appetite.
Event Identification: Internal and external events affecting
achievement of an entitys objectives must be identified,
distinguishing between risks and opportunities. Opportunities are
channeled back to managements strategy or objective-setting
processes.
Risk Assessment: Risks are analyzed, considering the likelihood and
impact, as a basis for determining how they could be managed. Risk
areas are assessed on an inherent and residual basis.

Figure 1Comparison of COSO Internal Control and ERM Integrated Frameworks
Internal ControlIntegrated Framework
ERM Integrated Framework
Control Activities: Control activities are the policies and procedures

that help ensure management directives are carried out. They help
ensure that necessary actions are taken to address risks to achievement
of the entity's objectives. Control activities occur throughout the
organization, at all levels and in all functions. They include a range of
activities as diverse as approvals, authorizations, verifications,
reconciliations, reviews of operating performance, security of assets
and segregation of duties.
Information and Communication: Information systems play a key
role in internal control systems as they produce reports, including
operational, financial and compliance-related information that make it
possible to run and control the business. In a broader sense, effective
communication must ensure information flows down, across and up
the organization. Effective communication should also be ensured with
external parties, such as customers, suppliers, regulators and
shareholders.
Monitoring: Internal control systems need to be monitoreda
process that assesses the quality of the systems performance over
time. This is accomplished through ongoing monitoring activities or
separate evaluations. Internal control deficiencies detected through
these monitoring activities should be reported upstream and corrective
actions should be taken to ensure continuous improvement of the
system.
Risk Response: Management selects risk responsesavoiding,

accepting, reducing, or sharing riskdeveloping a set of actions to
align risks with the entitys risk tolerances and risk appetite.
Control Activities: Policies and procedures are established and
implemented to help ensure the risk responses are effectively carried
out.
Information and Communication: Relevant information is

identified, captured, and communicated in a form and timeframe that
enable people to carry out their responsibilities. Effective
communication also occurs in a broader sense, flowing down, across,
and up the entity.
Monitoring: The entirety of enterprise risk management is monitored

and modifications made as necessary. Monitoring is accomplished
through ongoing management activities, separate evaluations, or both.
Information for figure 1 was obtained from the COSO web site www.coso.org/aboutus.htm.
The 1992 Internal ControlIntegrated Framework addresses the needs of the IT audit and assurance
professional: control environment, risk assessment, control activities, information and communication, and
monitoring. As such, ISACA has elected to include them as a reference in this document. When completing the
COSO component columns, consider the definitions of the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work
performed, issues identified, and conclusions for each line item. The reference/hyperlink is to be used to crossreference the audit/assurance step to the work paper that supports it. The numbering system of this document
provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into
this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further
investigate or establish as a potential finding. The potential findings should be documented in a work paper that
indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in
place of a work paper describing the work performed.
III. Controls Maturity Analysis

One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to
understand how their performance compares to good practices. Audit and assurance professionals must provide
an objective basis for the review conclusions. Maturity modeling for management and control over IT processes

is based on a method of evaluating the organization, so it can be rated from a maturity level of non-existent (0) to
optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of
Carnegie Mellon University defined for the maturity of software development.
The IT Assurance Guide Using COBIT, Appendix VIIMaturity Model for Internal Control (figure 2) provides
a generic maturity model showing the status of the internal control environment and the establishment of internal
controls in an enterprise. It shows how the management of internal control, and an awareness of the need to
establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a
high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help
position their enterprise on the maturity scale.
Maturity Level
0 Non-existent
1 Initial/ad hoc
2 Repeatable but
Intuitive
3 Defined
4 Managed and
Measurable
5 Optimised
Figure 2Maturity Model for Internal Control

Status of the Internal Control Environment
Establishment of Internal Controls
There is no recognition of the need for internal control.
Control is not part of the organisations culture or mission.
There is a high risk of control deficiencies and incidents.
There is some recognition of the need for internal control.
The approach to risk and control requirements is ad hoc and
disorganised, without communication or monitoring.
Deficiencies are not identified. Employees are not aware of
their responsibilities.
Controls are in place but are not documented. Their operation
is dependent on the knowledge and motivation of individuals.
Effectiveness is not adequately evaluated. Many control
weaknesses exist and are not adequately addressed; the
impact can be severe. Management actions to resolve control
issues are not prioritised or consistent. Employees may not be
aware of their responsibilities.
Controls are in place and adequately documented. Operating
effectiveness is evaluated on a periodic basis and there is an
average number of issues. However, the evaluation process is
not documented. While management is able to deal
predictably with most control issues, some control
weaknesses persist and impacts could still be severe.
Employees are aware of their responsibilities for control.
There is an effective internal control and risk management
environment. A formal, documented evaluation of controls
occurs frequently. Many controls are automated and regularly
reviewed. Management is likely to detect most control issues,
but not all issues are routinely identified. There is consistent
follow-up to address identified control weaknesses. A
limited, tactical use of technology is applied to automate
controls.
An enterprisewide risk and control program provides
continuous and effective control and risk issues resolution.
Internal control and risk management are integrated with
enterprise practices, supported with automated real-time
monitoring with full accountability for control monitoring,
risk management and compliance enforcement. Control
evaluation is continuous, based on self-assessments and gap
and root cause analyses. Employees are proactively involved
in control improvements.
There is no intent to assess the need for internal control.

Incidents are dealt with as they arise.
There is no awareness of the need for assessment of what is
needed in terms of IT controls. When performed, it is only on
an ad hoc basis, at a high level and in reaction to significant
incidents. Assessment addresses only the actual incident.
Assessment of control needs occurs only when needed for
selected IT processes to determine the current level of control
maturity, the target level that should be reached and the gaps
that exist. An informal workshop approach, involving IT
managers and the team involved in the process, is used to
define an adequate approach to controls for the process and
to motivate an agreed-upon action plan.
Critical IT processes are identified based on value and risk
drivers. A detailed analysis is performed to identify control
requirements and the root cause of gaps and to develop
improvement opportunities. In addition to facilitated
workshops, tools are used and interviews are performed to
support the analysis and ensure that an IT process owner
owns and drives the assessment and improvement process.
IT process criticality is regularly defined with full support
and agreement from the relevant business process owners.
Assessment of control requirements is based on policy and
the actual maturity of these processes, following a thorough
and measured analysis involving key stakeholders.
Accountability for these assessments is clear and enforced.
Improvement strategies are supported by business cases.
Performance in achieving the desired outcomes is
consistently monitored. External control reviews are
organised occasionally.
Business changes consider the criticality of IT processes and
cover any need to reassess process control capability. IT
process owners regularly perform self-assessments to
confirm that controls are at the right level of maturity to meet
business needs and they consider maturity attributes to find
ways to make controls more efficient and effective. The
organisation benchmarks to external best practices and seeks
external advice on internal control effectiveness. For critical
processes, independent reviews take place to provide
assurance that the controls are at the desired level of maturity
and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance
professional can address the key controls within the scope of the work program and formulate an objective
assessment of the maturity level of the control practices. The maturity assessment can be a part of the
audit/assurance report and can be used as a metric from year to year to document progress in the enhancement of
controls. However, the perception of the maturity level may vary between the process/IT asset owner and the

auditor. Therefore, an auditor should obtain the concerned stakeholders concurrence before submitting the final
report to the management.
At the conclusion of the review, once all findings and recommendations are completed, the professional assesses
the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some
practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further
reference, COBIT provides a definition of the maturity designations by control objective. While this approach is
not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those
enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control
level. To provide further value to the client/customer, the professional can also obtain maturity targets from the
client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic
presentation that describes the achievement or gaps between the actual and target maturity goals. A graphic is
provided as the last page of this document (section VIII), based on sample assessments. It is suggested that the
maturity assessment for this review be included in the IT information security review, which would focus on the
Deliver and Support (DS) domain, IT process DS5 Ensure systems security.
IV. Assurance and Control Framework

ISACA IT Assurance Framework and Standards
The following sections in ITAF are relevant to virtual private network (VPN) Security:
3450IT Processes
3490IT Support of Regulatory Compliance
3630.4Information Systems Operations
3630.7Information Security Management
3630.11Network Management and Controls
ISACA Control Framework

VPN Security is primarily a configuration and security issue. This audit is of narrow scope, focusing on specific
VPN-related controls. The primary COBIT areas for this evaluation have a wider scope; in preparing and
evaluating the results of this audit, consider the scope limitation of controls directly related to VPN technologies
and implementation. They include:
DS5.3 Identity managementEnsure that all users (internal, external and temporary) and their activity on IT
systems (business application, IT environment, system operations, development and maintenance) are
uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights
to systems and data are in line with defined and documented business needs and that job requirements are
attached to user identities. Ensure that user access rights are requested by user management, approved by
system owners and implemented by the security-responsible person. Maintain user identities and access
rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them
current to establish user identification, implement authentication and enforce access rights.
DS5.4 User account managementAddress requesting, establishing, issuing, suspending, modifying and
closing user accounts and related user privileges with a set of user account management procedures. Include
an approval procedure outlining the data or system owner granting the access privileges. These procedures
should apply for all users, including administrator (privileged users) and internal and external users, for
normal and emergency cases. Rights and obligations relative to access to enterprise systems and information
should be contractually arranged for all types of users. Perform regular management review of all accounts
and related privileges.
DS5.7 Protection of security technologyMake security-related technology resistant to tampering, and do

not disclose security documentation unnecessarily.
DS5.8 Cryptographic key managementDetermine that policies and procedures are in place to organise the
generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of
cryptographic keys to ensure the protection of keys against modification and unauthorised disclosure.
DS5.9 Malicious software prevention, detection and correctionPut preventive, detective and corrective
measures in place (especially up-to-date security patches and virus control) across the organisation to protect
information systems and technology from malware (e.g., viruses, worms, spyware, spam).
DS5.10 Network securityUse security techniques and related management procedures (e.g., firewalls,
security appliances, network segmentation, intrusion detection) to authorise access and control information
flows from and to networks.
DS9.2 Identification and maintenance of configuration itemsEstablish configuration procedures to support
management and logging of all changes to the configuration repository. Integrate these procedures with
change management, incident management and problem management procedures.
Refer to the IT Governance Institutes COBIT Control Practices: Guidance to Achieve Control Objectives for
Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.
V. Executive Summary of Audit/Assurance Focus

A virtual private network (VPN) is a technology to protect data as they travel through public networks.
The Internet has modified the manner in which enterprises interconnect their information networks. Access can
be over the Internet (public access) or over an extranet (trusted parties, e.g., suppliers, customers, partners).
Previously, an enterprise would lease dedicated communications lines between sites or trusted business partners.
The Internet permits ubiquitous connectivity; however, any data traversing a public network can be captured by
unintended parties, thereby potentially disclosing data. A VPN provides a means to encrypt data between
communicating parties.
VPNs address two primary types of connectivity:
Site-to-siteIn a site-to-site connection, the parties direct their communications through the Internet to
intermediate routers. The VPN technology will vary: casual or arms-length relationships will use a VPN
technology based on asymmetric encryption (i.e., a public key infrastructure [PKI] that utilizes digital
certificates) to prevent the transmitting party from being able to decrypt transmissions from other partners.
When connecting transmissions between trusted parties, including branch offices, etc., the site-to-site
connection can utilize a shared encryption key (symmetric) that must be kept confidential.
User workstation to siteBusiness partners and employees need to communicate securely. This requires a
VPN that is easily configured and initiated with minimal maintenance. The two most common alternatives
are a software program installed on the users workstation with the appropriate cryptography keys or using
the standard Secure Sockets Layer (SSL) protocol, which is built into all major Internet browsers. The latter
capability is known as an SSL VPN.
Independent of the type of connectivity, the primary issues are:
Security of transmissions, including preventing hijacking of transmissions and preventing malware from
entering the network
Managing the technology
Configuration management
Ensuring information is unaltered and maintains accuracy and reliability
Business Impact and Risk

The impact on the business transmitting data through public networks and the accompanying risk are significant.
Depending on the industry, enterprises may experience outages and intrusion attempts for financial gain, to
obtain intellectual property, to create business disruption, to obtain sensitive private information, or to
compromise national security. The perpetrators of an intrusion can be external or internal, private government
sponsored. This activity may increase the enterprises risk of:
Public relations issues with the customers or the public (reputational risk)
Inability to comply with regulatory processing requirements (regulatory and financial risk)
Inability to perform critical business functions (operational and financial risk)
Inability to maintain payroll and employee privacy (regulatory and reputational risk)
Loss of physical or informational assets (reputational and financial risk)
Inability to meet contractual service level agreements (SLAs) with third parties or customers (contractual
risk)
VPN technology, if properly configured, will reduce the risk associated with privileged data traversing a public
network.
Objective and Scope

ObjectiveThe objective of the audit/assurance review is to provide management with an independent
assessment of the VPN implementation and ongoing monitoring/maintenance of the effectiveness of the
supporting technology.
ScopeThe audit/assurance review will focus on VPN standards, guidelines and procedures as well as the
implementation and governance of these activities. The review will rely upon other operational audits of the
incident management process, configuration management and security of networks and servers, security
management and awareness, business continuity management, information security management, governance
and management practices of IT and business units, and relationships with third parties.
For an auditee that incorporates its own PKI infrastructure into the VPN environment, it may be necessary to
extend the scope of the audit/assurance review to include encryption technologies and the use of PKI. For this
purpose, consult the ISACA E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Program for
additional audit steps. It is not necessary to do so, however, if the main objective of the audit/assurance review
focuses on VPN implementation and ongoing monitoring/maintenance.
Minimum Audit Skills

The IT audit and assurance professional must have an understanding of good-practice information security
processes and understand the various VPN technologies, solutions and deficiencies. Because this is a dynamic
field, professionals performing this audit should ensure that they have performed the necessary research to
ensure that they understand the underlying technologies employed by VPNs and current control mechanisms.
Feedback
Visit www.isaca.org/VPN-AP and use the feedback function to provide your comments and suggestions on this
document. Your feedback is a very important element in the development of ISACA guidance for its constituents
and is greatly appreciated.
VI. Audit/Assurance Program
1.1 Define audit/assurance objectives.

The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance
program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe,
annual plan and charter.
1.2 Define boundaries of review.
The review must have a defined scope. The reviewer must understand the operating
environment and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Perform a high-level walk-through of the network architecture using VPN-technology.
1.2.2 Establish initial boundaries of the audit/assurance review.
1.2.2.1 Identify limitations and/or constraints affecting the audit.
1.3 Define assurance.
The review requires two sources of standards. The corporate standards defined in the policy
and procedure documentation establish the corporate expectations. At minimum, corporate
standards should be implemented. The second source, a good-practice reference, establishes
industry standards. Enhancements should be proposed to address gaps between the two.
1.3.1 Determine if COBIT and the appropriate security incident management framework
will be used as a good-practice reference.
Monitoring
Risk Assessment
Reference
Issue
HyperCross- Comments
link
reference
CommunicationInformation and
1. Planning and Scoping the Audit
Control Activities
COBIT
Crossreference
Audit/Assurance Program Step
Control Environment
COSO
1.4.1 Identify the business risk associated with the failure to implement VPN technologies
and the failure to implement VPN technologies securely.
1.4.2 Identify the technology risk associated with the failure to implement VPN
technologies and the failure to implement VPN technologies securely.
1.4.3 Determine if a VPN architecture threat assessment and modeling processing process
has been established and implemented.
1.4.4 Based on risk assessment, identify changes to the scope.
1.4.5 Discuss the risk with IT, business and operational audit management, and adjust the
risk assessment.
1.5 Define the change process.
The initial audit approach is based on the reviewers understanding of the operating
environment and associated risk. As further research and analysis are performed, changes to
the scope and approach will result.
1.5.1 Identify the senior IT audit/assurance resource responsible for the review.
1.5.2 Establish the process for suggesting and implementing changes to the audit/assurance
program, and the authorizations required.
1.6 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team,
other assurance teams and the enterprise is essential.
1.6.1 Identify the drivers for a successful review (this should exist in the audit/assurance
functions standards and procedures).
1.6.2 Communicate success attributes to the process owner or stakeholder, and obtain
agreement.
Monitoring
Risk Assessment
Reference
Issue
link
reference
1.4 Identify and document risk.

The risk assessment is necessary to evaluate where audit resources should be focused. The
risk-based approach assures utilization of audit resources in the most effective manner.
Control Activities
COBIT
Crossreference
Control Environment
COSO
1.7.1 Determine the audit/assurance skills necessary for the review.

1.7.2 Determine the estimated total resources (hours) and time frame (start and end dates)
required for the review.
1.8 Define deliverables.
Deliverables are not limited to the final report. Communication between the audit/assurance
teams and the process owner is essential to assignment success.
1.8.1 Determine the interim deliverables, including initial findings, status reports, draft
reports, due dates for responses and the final report.
1.9 Communicate.
The audit/assurance process is clearly communicated to the customer/client.
1.9.1 Conduct an opening conference to discuss the review objectives with the executive
responsible for operating systems and infrastructure.
2. Preparatory Steps
2.1 Obtain and review the current organization chart for the system and network
administration areas.
1. Identify the key network administration staff, the security manager and the key network
user stakeholders.
2. Obtain a copy of the latest network security risk analysis, including any information on
system, data and service classifications.
3. Obtain and review a copy of the enterprises:
Security policy
Security strategy or strategies
Security procedures and standards
Monitoring
Risk Assessment
Reference
Issue
link
reference
1.7 Define audit/assurance resources required.

The resources required are defined in the introduction to this audit/assurance program.
Control Activities
COBIT
Crossreference
Control Environment
COSO
5. Interview the technical support team leader or equivalent responsible for VPN
architecture, design, implementation, and maintenance processes and procedures.
3. Governance
3.1 Executive Sponsor
Audit/Assurance Objective: The VPN implementation and maintenance is assigned to an
Monitoring
Risk Assessment
Reference
Issue
link
reference
Network architecture documentation
Network inventory or schematic of physical network components
Network problem tracking, resolution and escalation procedures
VPN-related documentation and vendor contracts
Copies of signed user security and awareness documents
New employee training materials relating to security
R
elevant legal and regulatory information related to security and information access
VPN supplier contracts, SLAs
Supplier due diligence selection criteria, process
Business impact analysis (BIA), business continuity plans

(BCPs),disaster recovery plans (DRPs) and all continuity of operations plans
Human resources (HR) onboarding/offboarding procedures and standards
Information security remote access policies, procedures and standards
Information security mobile computing policies, procedures and

standards
Information security wireless networking standards
Information security acceptable use policies, procedures and standards
Encryption policies, procedures and standards
Incident response policies, procedures, standards
Monitoring and audit policies, procedures, standards

4. Interview the senior security officer and the IT security administrator regarding VPN
implementation.
Control Activities
COBIT
Crossreference
Control Environment
COSO
6. Executive Responsibility and Accountability of VPN-related Processes

Control: A senior executive within the IT organization is responsible for the VPN
implementation, maintenance and oversight.
PO4.6
ME1.5
ME2.5
ME4.1
Monitoring
Risk Assessment
Reference
Issue
link
reference
executive sponsor, who is responsible for its effective implementation and operations.
Control Activities
COBIT
Crossreference
Control Environment
COSO
X X X
X X X
3.1.1.1 Identify the senior executive responsible for the VPN program.
3.1.1.2 Obtain the position description of the executive responsible for the VPN
program.
3.1.1.3 Determine if the position has cross-reporting to the business units and IT
management (security, administration, etc.)
3.1.1.4 Obtain meeting minutes and other documentation to support the responsibilities
and accountability of the executive sponsor.
3.2 Senior Management Involvement in VPN Programs
Audit/Assurance Objective: Senior management participates in key decisions related to VPN
programs.
7. Senior Management Oversight of VPN Programs
Control: Senior management provides oversight of the VPN programs, including
review and approval of policies affecting their respective operations.
3.2.1.1 Determine if business units affected by VPN implementation participate in the
review of policies affecting their business units.
3.2.1.2 Determine if support functions (e.g., HR, corporate communications,
compliance, information security) affected by VPN implementation participate
in the review of VPN policies.
ME1.5
4. Policy
Monitoring
Reference
Issue
link
reference
Risk Assessment
Control Activities
COBIT
Crossreference
Control Environment
COSO
4.1 HR Policies Aligned With and Support VPN Policies

Audit/Assurance Objective: VPN policies align with and are integrated into HR policies.
8. HR Policies Include Related VPN Policies
Control: HR policies include VPN disclosures, usage requirements as part of initial
"onboarding" process and the annual employee acknowledgement of use policies.
4.1.1.1 Obtain a selection of HR policies relating to VPN usage.
4.1.1.2 Determine if VPN usage policies are incorporated in the HR policies.
PO6.3
PO6.4
PO4.8
ME3.1
ME3.3
X X X
4.2 VPN Policies in Compliance With Corporate Policies

Audit/Assurance Objective: VPN policies align with corporate compliance policies.
9. VPN Policies Are in Compliance With Corporate Compliance and Related Policies
Control: Corporate compliance (financial reporting, regulatory and statutory)
functions review VPN policies prior to implementation to assure adherence to
appropriate requirements.
4.2.1.1 Obtain the corporate compliance policies relating to data security and privacy.
4.2.1.2 Determine if VPN requirements are a component of the policies.
4.2.1.3 Obtain a selection of VPN policy proposals or modifications.
4.2.1.4 Determine if corporate compliance representatives have reviewed and provided
documented approval of VPN policies.
4.3 VPN Policies in Compliance With Legal and Regulatory Policies and Requirements
Audit/Assurance Objective: VPN policies align with legal and regulatory policies and
requirements.
10. VPN Policies Are in Compliance With Legal Regulatory Requirements
Control: VPN technologies are defined to satisfy legal and regulatory requirements
within the enterprise's industry.
4.3.1.2 Determine if the enterprises legal representatives have reviewed and provided
PO4.8
ME3.1
ME3.2
X X X

4.4 VPN Policies Align With Information Security
Audit/Assurance Objective: VPN policies are in compliance with information security
policies
11. VPN Policies Are Approved by the Information Security Function
Control: The information security function assures compliance with information
security policy by reviewing information security-related VPN policies prior to their
adoption and implementation.
4.4.1.2 Determine if information security representatives have reviewed and provided
4.5 VPN Policy Integrated With Enterprises Data Classification Policy
Audit/Assurance Objective: Data Classification Policy includes VPN usage and configuration
requirements.
12. Data Classification Policy VPN Requirements
Control: The data classification policy identifies VPN requirements and
configuration for each data classification.
4.5.1.1 Obtain the data classification policy.
4.5.1.2 Determine if the data classification policy includes VPN configuration and
usage requirements.
4.5.1.3 Determine if the VPN configuration and usage policy includes specific
applications or data elements requiring VPN usage.
4.5.1.4 Determine if VPN configuration and usage policy identifies functions that must
be executed using a VPN, and functions that must be excluded from execution,
with or without a VPN.
PO6.3
PO6.4
DS5.1
ME2.5
ME3.4
PO2.3
Monitoring
Reference
Issue
link
reference
Risk Assessment
Control Activities
COBIT
Crossreference
Control Environment
COSO
5. Configuration
Monitoring
Reference
Issue
link
reference
Risk Assessment
Control Activities
COBIT
Crossreference
Control Environment
COSO
5.1 VPN Architecture

Audit/Assurance Objective: Best security practices are implemented for the various VPN
architectures.
PO2.1
DS5.9
DS5.10
13. Edge Routers1

14. Edge Router Termination
Control: Edge routers terminate at the network firewall and an effective firewall
configuration applies appropriate filtering.
5.1.1.1.1 Identify edge routers within the network architecture.
5.1.1.1.2 Determine that the edge router terminates (a) at or in front of the
DMZ or (b) at an inline Intrusion Prevention System (IPS) deployed
between the edge router and the firewall.
5.1.1.1.3 Select a sample of edge routers.
5.1.1.1.4 Determine if the edge routers selected terminate at the firewall or in
the DMZ.
15. Edge Router Encryption
Control: Edge routers use asymmetric keys supported by a Public Key
Infrastructure or alternatively, one of the two standard symmetric key
technologies, 3DES or AES2
5.1.1.1.5 Select a sample of edge routers.
5.1.1.1.6 Identify the encryption configuration in use to protect the data.
5.1.1.1.7 Determine the effectiveness of the control of keys and digital
certificates.
DS5.8
DS5.9
1 These are defined as untrusted site-to-site connected networks.

2 Consider performing an audit of the PKI implementation using the ISACA E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Program.
Encryption controls, including key storage, key maintenance, security, etc., should be reviewed.
DS5.7
DS5.8
PO5.9
PO9.2
DS5.3
3 These are defined as site-to-site networks integrated into a wide-area local area network (LAN).
4 This generally applies to extranets and non-owned networks.
Monitoring
Risk Assessment
DS5.9
DS5.10
DS9.2
Reference
Issue
link
reference
5.1.1.1.8 Determine if an untrusted partner would have the ability to

compromise the private key structure.
16. Trusted Routers3
17. Trusted Router Termination
Control: Trusted routers terminate in a trusted DMZ or within the network,
subject to appropriate firewall filtering.
5.1.1.1.9 Identify trusted router terminations within the network architecture.
5.1.1.1.10 Determine that the trusted router terminates in a designated DMZ
designed with firewall filtering appropriate to the data classification
of the data traversing the network segment.
5.1.1.1.11 Determine that the designated DMZ is designed with firewall
filtering appropriate to the data classification of the data traversing
the network segment.
18. Trusted Router Encryption
Control: Trusted routers use symmetric keys supported by appropriate key
length, security of key storage and, where appropriate, contracts/agreements4
5.1.1.1.12 Select a sample of trusted router networks.
5.1.1.1.13 Identify the encryption configuration in use to protect the data.
5.1.1.1.14 Determine the effectiveness of the control of keys.
5.1.1.1.15 Determine if appropriate SLAs, contracts and other legal remedies
have been executed between nonrelated parties.
5.1.1.1.16 Determine if a trusted partner would have the ability to
compromise the key structure.
19. SSL VPN
20. Secure SSL VPN Configuration
Control: SSL VPN is installed with a secure configuration which mitigates its
inherent weaknesses.
Control Activities
COBIT
Crossreference
Control Environment
COSO
1.1.1.17 Obtain the SSL VPN Configuration Policy.

5.1.1.1.18 Determine if strong user authentication has been implemented.
Consider:
Two-factor authentication
Password AND hardware tokens
Digital certificates
Smart cards
5.1.1.1.19 Determine if user computer identity verification has been
implemented:
User computer validated to be in compliance with enterprise

security requirements and policies prior to connection.
Validation of user computer identity and configuration includes:

Personal firewall configuration
Antivirus/malware configuration and currency of pattern
files
Required security patches
Limitation of split tunneling 5
Evaluation of registry entries
5.1.1.1.20 Determine if a secure desktop solution or sandboxing has been
implemented for connections not satisfying or unable to validate
computer identity verification.
5.1.1.1.21 Determine if the SSL VPN provides for deletion of all session data
from the clients cache, including:
Browser history
Internet temporary files
Cookies
Documents
5 This enables network traffic to traverse separate networks via the same network connection.
Monitoring
Risk Assessment
Reference
Issue
link
reference
DS5.4
DS5.10
Control Activities
COBIT
Crossreference
Control Environment
COSO
22. VPN Appliances

23. VPN Appliance Configuration and Vendor Support
Control: VPN appliances are maintained with the most current configuration,
DS1.6
DS7
Monitoring
Risk Assessment
X X X
DS9.2
Reference
Issue
link
reference
Passwords
5.1.1.1.22 Determine if the SSL VPN provides a keystroke logger detection
sweep prior to completing a connection.
5.1.1.1.23 Determine if session time-outs are implemented and what the
time-out period is and determine if it complies with security
policies, standards and procedures.
5.1.1.1.24 Determine if SSL verification is required prior to connection and
denied if the SSL version level is at a lower level that security
policy dictates.
5.1.1.1.25 Determine if server certificate support has been implemented and
will only permit connection with a valid, authenticated certificate.
5.1.1.1.26 Determine if resource availability, system functionality, and
application access are limited based on satisfying the configuration
parameters considered above.
5.1.1.1.27 Determine if public computers (e.g., Internet cafs, kiosks, etc.) are
permitted to connect to the SSL VPN.
5.1.1.1.28 Determine if client-side certificates are required, and if so,
connection is contingent upon client-side certificate verification and
authentication.
21. SSL VPN Awareness Program
Control: User education and security awareness is provided on a regular basis and
participation by all users of the enterprise's VPN facilities is required.
5.1.1.2 Determine that VPN awareness and security programs are routinely and
regularly offered.
5.1.1.3 Determine if the security awareness program addresses VPN use policy.
5.1.1.4 Evaluate how the follow-up process is maintained to assure user participation.
5.1.1.5 Determine if participation is documented in logs or sign-in sheets.
Control Activities
COBIT
Crossreference
Control Environment
COSO
and support is readily available from the vendor.

5.1.1.5.1 Verify that the most current configuration of the VPN appliance has
been applied.
5.1.1.5.2 Determine that a vendor support contract or vendor support option
is available.
24. VPN Appliance Configuration Best Practices
Control: Vendor-suggested and other best practices are applied to VPN
appliance configuration.
5.1.1.5.3 Determine if the VPN appliance vendor offers best practice
guidance.
5.1.1.5.4 Determine if the VPN appliance configuration is in compliance
with vendor guidance.
25. VPN Clients Installed on Specific Computers
26. VPN Clients Are Securely Configured
Control: VPN clients are configured using vendor-suggested and other best
practices in compliance with organization security policies.
DS5.7
DS5.9
DS5.10
DS9.2
DS5.4
DS5.5
DS9.2
DS10
5.1.1.5.5 Determine if strong user authentication has been implemented:

Two-factor authentication
Password AND hardware tokens, digital certificates or smart
cards
implemented:
User computer is in compliance with organization security
requirements and policies
Validation of user computer identity and configuration:
files
Monitoring
Reference
Issue
link
reference
Risk Assessment
Control Activities
COBIT
Crossreference
Control Environment
COSO
DS5.9
DS5.10
DS9.2
DS5.4
DS5.10
Monitoring
Risk Assessment
PO2.3
DS9.2
Reference
Issue
link
reference
Limitation of split tunneling5

Evaluation of registry entries
5.1.1.5.7 Determine if resource availability, system functionality and
application access are limited to authorized individuals, based on
satisfying the configuration parameters considered above.
27. VPN Clients Are Installed Based on Job Functional Need
Control: VPN clients are installed on user computers based on data
classification policy of applications installed on computer or on another
request.
5.1.1.5.8 Determine if the data classification policy requires a VPN be
installed as a condition of accessing specific sensitive data.
5.1.1.5.9 Select a sample of computers with the VPN installed and determine
if the data classification policy/VPN policy is practiced.
28. VPNs Installed on Bring Your Own Device Adhere to Information Security
Policy
Control: VPNs installed on non-enterprise owned equipment subscribe to
minimum security standards.
implemented:
User computer in compliance with enterprise security

requirements and policies
Validation of user computer identity and configuration:

files
Limitation of split tunneling5
Evaluation of Registry entries
29. VPN Access Is Removed Upon Termination or Transfer
Control: VPN access is terminated or removed as part of the user
deprovisioning process.
5.1.1.5.11 Obtain the deprovisioning procedure.
Control Activities
COBIT
Crossreference
Control Environment
COSO
6.1 Patch Management

Audit/Assurance Objective: VPN technology is included in the routine patch management
process.
34. Patch Management Administration
Control: Patch management of VPN technology is included in the configuration
change management processes.
6.1.1.1 Scan the change management system for configuration changes affecting the
VPN technologies.
AI6
AI7
DS9.2
Monitoring
Risk Assessment
PO2.1
PO3
Reference
Issue
link
reference
5.1.1.5.12 Determine that the VPN deactivation is part of the deprovisioning

process.
5.1.1.5.13 Obtain a sample of recent user terminations and determine that the
VPN privileges for the terminated users have been deactivated.
30. VPN Installation List Review
Control: The list of installed VPNs is reviewed at least annually.
31. Determine if a list of computers or users with VPNs installed exists.
32. If the list exists, determine if the list is reviewed at least annually to ensure that
only authorized users have access to and have an installed VPN.
5.2 VPN Architecture
Audit/Assurance Objective: The VPN architecture is reviewed on a regular basis to ensure the
solution is current and addresses the risk and vulnerability issues identified in risk
assessments.
33. VPN Architecture Review
Control: VPN architecture review is conducted on a regular basis.
5.2.1.1 Determine if the VPN architecture review process is documented.
5.2.1.2 Determine the date of the most recent VPN architecture review.
5.2.1.3 Evaluate the effectiveness of the most recent review.
5.2.1.4 Determine if a vulnerability exists due to out-of-date technology.
6. Maintenance and Monitoring
Control Activities
COBIT
Crossreference
Control Environment
COSO
6.1.1.2 Determine if the change management process implemented for VPN maintenance
is in compliance with the installation change management procedure.
6.2 Integration of VPN Technologies With the Help Desk
Audit/Assurance Objective: VPN support requests are processed routinely through the help
desk.
35. VPN Support Is Provided by the Help Desk
Control: VPN support is a help desk task with appropriate controls and procedures.
6.2.1.1 Obtain the help desk procedures.
6.2.1.2 Determine if VPN support tasks are included in the help desk Procedures.
6.2.1.3 Determine if VPN issues are reported in the incident reporting/issue monitoring
system.
6.2.1.4 Select VPN related incidents in the help desk, Incident Reporting, and/or Issue
Monitoring System.
6.2.1.5 Determine that the issues were closed on a timely basis in an effective manner.
DS8
DS10
DS3
6.3 VPN Capacity Planning

Audit/Assurance Objective: VPN utilization and resources requirements are integrated into
the installation capacity plan.
36. VPN Capacity Planning
Control: The capacity plan incorporated VPN required resources and such resources
are actively monitored.
6.3.1.1 Obtain the installation capacity plan.
6.3.1.2 Determine that VPN technologies are included in the plan.
6.3.1.3 Evaluate capacity reports to determine that VPN resource utilization is monitored
and the necessary adjustments are implemented in a timely manner.
Monitoring
Reference
Issue
link
reference
Risk Assessment
Control Activities
COBIT
Crossreference
Control Environment
COSO
37. VPN Monitoring

Control: VPN usage is monitored for unauthorized use.
6.4.1.1 Determine the process for reviewing VPN usage.6
6.4.1.2 Select a sample of VPN usage violations. Determine how the violations were
investigated and the actions taken.
Monitoring
Risk Assessment
Reference
Issue
link
reference
6.4 VPN Monitoring

Audit/Assurance Objective: Processes exist to monitor VPN usage and identify unauthorized
activities and VPN usage.
Control Activities
COBIT
Crossreference
Control Environment
COSO
DS5.5
6 Due to high volume, logging should be automated and unusual activities should be defined in an automated extract process.
VII. Maturity Assessment

The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of audit/assurance
reviews, and the reviewers observations, assign a maturity level to each of the following COBIT 4.1 control practices. When completing this assessment,
focus the evaluation on how the VPN implementation relates to each of the issues identified in the following table.
COBIT 4.1 Control Practice
Assessed
Target
Maturity Maturity
DS5.3 Identity Management

1. Establish and communicate policies and procedures to uniquely identify, authenticate and
authorise access mechanisms and access rights for all users on a need-to-know/need-to-have
basis, based on predetermined and preapproved roles. Clearly state accountability of any user
for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorisation criteria for assigning user access rights take into
account:
Sensitivity of information and applications involved (data classification)
Policies for information protection and dissemination (legal, regulatory, internal policies
and contractual requirements)
Roles and responsibilities as defined within the enterprise
The need-to-have access rights associated with the function
Standard but individual user access profiles for common job roles in the organisation
Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorising users to establish responsibility and
enforce access rights in line with sensitivity of information and functional application
requirements and infrastructure components, and in compliance with applicable laws,
regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and
maintaining access rights. This needs to be requested by user management, approved by the
system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in,
people out, people change). Grant, revoke and adapt user access rights in co-ordination with
human resources and user departments for users who are new, who have left the organisation,
or who have changed roles or jobs.
2012 ISACA All rights reserved. Page 29
Reference
Hyperlink
Comments
Assessed
Target
Maturity Maturity
DS5.4 User Account Management

1. Ensure that access control procedures include but are not limited to:
Using unique user IDs to enable users to be linked to and held accountable for their actions
Awareness that the use of group IDs results in the loss of individual accountability and are
permitted only when justified for business or operational reasons and compensated by
mitigating controls. Group IDs must be approved and documented
Checking that the user has authorisation from the system owner for the use of the
information system or service, and the level of access granted is appropriate to the
business purpose and consistent with the organisational security policy
A procedure to require users to understand and acknowledge their access rights and the
conditions of such access
Ensuring that internal and external service providers do not provide access until
authorisation procedures have been completed
Maintaining a formal record, including access levels, of all persons registered to use the
service
A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a
formal process. User access rights should be reviewed or reallocated after any job changes,
such as transfer, promotion, demotion or termination of employment. Authorisations for
special privileged access rights should be reviewed independently at more frequent intervals.
DS5.5 Security Testing, Surveillance and Monitoring
1. Implement monitoring, testing, reviews and other controls to:
Promptly prevent/detect errors in the results of processing
Promptly identify attempted, successful and unsuccessful security breaches and incidents
Detect security events and thereby prevent security incidents by using detection and
prevention technologies
Determine whether the actions taken to resolve a breach of security are effective
2. Conduct effective and efficient security testing procedures at regular intervals to:
Verify that identity management procedures are effective
Verify that user account management is effective
Validate that security-relevant system parameter settings are defined correctly and are in
compliance with the information security baseline
Validate that network security controls/settings are configured properly and are in
compliance with the information security baseline
Validate that security monitoring procedures are working properly
Consider, where necessary, obtaining expert reviews of the security perimeter
Reference
Hyperlink
Comments
Assessed
Target
Maturity Maturity
DS5.7 Protection of Security Technology

1. Ensure that all hardware, software and facilities related to the security function and controls,
e.g., security tokens and encryptors, are tamperproof.
2. Secure security documentation and specifications to prevent unauthorised access. However,
do not make security of systems reliant solely on secrecy of security specifications.
3. Make the security design of dedicated security technology (e.g., encryption algorithms)
strong enough to resist exposure, even if the security design is made available to
unauthorised individuals.
4. Evaluate the protection mechanisms on a regular basis (at least annually) and perform
updates to the protection of the security technology, if necessary.
DS5.8 Cryptographic Key Management
1. Ensure that there are appropriate procedures and practices in place for the generation, storage
and renewal of the root key, including dual custody and observation by witnesses.
2. Make sure that procedures are in place to determine when a root key renewal is required
(e.g., the root key is compromised or expired).
3. Create and maintain a written certification practice statement that describes the practices that
have been implemented in the certification authority, registration authority and directory
when using a public-key-based encryption system.
4. Create cryptographic keys in a secure manner. When possible, enable only individuals not
involved with the operational use of the keys to create the keys. Verify the credentials of key
requestors (e.g., registration authority).
5. Ensure that cryptographic keys are distributed in a secure manner (e.g., offline mechanisms)
and stored securely, that is:
In an encrypted form regardless of the storage media used (e.g., write-once disk with
encryption)
With adequate physical protection (e.g., sealed, dual custody vault) if stored on paper
6. Create a process that identifies and revokes compromised keys. Notify all stakeholders as
soon as possible of the compromised key.
7. Verify the authenticity of the counterparty before establishing a trusted path.
Reference
Hyperlink
Comments
Assessed
Target
Maturity Maturity
DS5.9 Malicious Software Prevention, Detection and Correction

1. Establish, document, communicate and enforce a malicious software prevention policy in the
organisation. Ensure that people in the organisation are aware of the need for protection
against malicious software, and their responsibilities relative to same.
2. Install and activate malicious software protection tools on all processing facilities, with
malicious software definition files that are updated as required (automatically or semiautomatically).
3. Distribute all protection software centrally (version and patch-level) using centralised
configuration and change management.
4. Regularly review and evaluate information on new potential threats.
5. Filter incoming traffic, such as email and downloads, to protect against unsolicited
information (e.g., spyware, phishing emails).
DS5.10 Network Security
1. Establish, maintain, communicate and enforce a network security policy (e.g., provided
services, allowed traffic, types of connections permitted) that is reviewed and updated on a
regular basis (at least annually).
2. Establish and regularly update the standards and procedures for administering all networking
components (e.g., core routers, DMZ, VPN switches, wireless).
3. Properly secure network devices with special mechanisms and tools (e.g., authentication for
device management, secure communications, strong authentication mechanisms). Implement
active monitoring and pattern recognition to protect devices from attack.
4. Configure operating systems with minimal features enabled (e.g., features that are necessary
for functionality and are hardened for security applications). Remove all unnecessary
services, functionalities and interfaces (e.g., graphical user interface [GUI]). Apply all
relevant security patches and major updates to the system in a timely manner.
5. Plan the network security architecture (e.g., DMZ architectures, internal and external
network, IDS placement and wireless) to address processing and security requirements.
Ensure that documentation contains information on how traffic is exchanged through systems
and how the structure of the organisations internal network is hidden from the outside world.
6. Subject devices to reviews by experts who are independent of the implementation or
maintenance of the devices.
Reference
Hyperlink
Comments
Assessed
Target
Maturity Maturity
DS9.2 Identification and Maintenance of Configuration Items

1. Define and implement a policy requiring all configuration items and their attributes and
versions to be identified and maintained.
2. Tag physical assets according to a defined policy. Consider using an automated mechanism,
such as barcodes.
3. Define a policy that integrates incident, change and problem management procedures with
the maintenance of the configuration repository.
4. Define a process to record new, modified and deleted configuration items and their relative
attributes and versions. Identify and maintain the relationships between configuration items
in the configuration repository.
5. Establish a process to maintain an audit trail for all changes to configuration items.
6. Define a process to identify critical configuration items in relationship to business functions
(component failure impact analysis).
7. Record all assetsincluding new hardware and software, procured or internally developed
within the configuration management data repository.
8. Define and implement a process to ensure that valid licences are in place to prevent the
inclusion of unauthorised software.
VIII. Maturity Assessment vs. Target Assessment

This spider graph is an example of the assessment results and maturity target for a VPN security assessment.
Reference
Hyperlink
Comments
DS5.3 Identity Management
DS9.2 Identification and Maintenance of Configuration Items
DS5.4 User Account Management
4
3
2
1
DS5.10
Network Security
Assessment
0Target
DS5.5
Security Testing, Surveillance and Monitoring
DS5.9 Malicious Software Prevention, Detection and Correction
DS5.7 Protection of Security Technology
DS5.8 Cryptographic Key Management

VPN Security Audit Assurance Program Icq Eng 1012

Transféré par

Informations du document

Description originale:

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

VPN Security Audit Assurance Program Icq Eng 1012

Transféré par

Droits d'auteur :

Formats disponibles

VPN Security Audit/Assurance Program