Information security audit of a company

Information security of a company takes a significant place in the modern business world. Non-compliance with information security rules leads to data leaks that damage the market reputation of the company. There are cases when companies were forced to leave the market because of data leaks, and this almost always leads to the collapse of the business.

Because of its complexity and specific working conditions, full-fledged information security cannot be ensured by the company's own IT resources alone. Yes, a company may have a competent IT department. But even highly qualified IT specialists cannot always provide the necessary level of information security. The reason is that information security is much more complex and multidimensional than information technology, and it cannot be reduced to the trouble-free operation of IT equipment (servers, workstations, switches, gateways, routers, file storage etc.). Therefore, in the organization of information security the role of the information technology division should be to support the information security division, or the external information security specialists engaged, with expert-level knowledge of the IT environment.

Ensuring information security in a company means ensuring the safety and secure processing of all information within the company's business model. Processing of some types of information (for example, personal data of employees) is regulated by the corresponding legislation.

An information security audit of a company is the process of analysing the company's information security. But what are the threats here?

All threats in the field of information security are divided into external and internal.

External information security threats come from outside the corporate network. These are hacker attacks and attacks by viruses and trojan programs. Viruses and trojans count as external threats because they are not created within the organization but come from outside. Note, however, that they are usually launched from within the company by a user who opened a malicious email attachment or clicked on a malicious link, so perimeter defences alone do not stop them.
Internal threats are related to the employees of the organization, i.e. to the human factor. There are four types of internal threats: removal or damage of information, information leakage, physical destruction of IT infrastructure, and actions of employees manipulated by social engineering.

Unproductive work of employees can also be considered an information security threat: visiting internet resources that are not related to job functions, using the company's communication means for personal matters, using corporate equipment for personal purposes (for example, printing books downloaded from the Internet) etc. Such activity is quite often a violation of internal regulations and an abuse of corporate resources. On the other hand, with properly configured hardware (gateways/routers) and software (content filters, antivirus, proxy servers), these threats are easily minimized.

Like any business process, an information security audit of a company consists of a number of stages. Information security best practice distinguishes four stages:

— define what needs to be investigated. At this stage the initial data for the audit are formulated and the tasks are set;
— determine how to investigate. At this stage the research methods are chosen (in what ways the research will be carried out) and an audit plan is drawn up;
— the audit itself. At this stage the research is carried out according to the plan drawn up at the previous stage;
— forming the audit results. At this stage the results of the information security audit (a description of the detected vulnerabilities) are compiled and recommendations for their elimination are issued.

Let us consider the stages of the information security audit in more detail.

1. What to investigate
The answer to this question is quite simple, though it may seem naive: EVERYTHING! Everything related to the storage and processing of information in the company. Accordingly, we can divide our object of study (the information environment of the company and the concept of its security) into a number of issues. Let us comment on the peculiarities of each issue.

(a) Information stored and processed in the company

For this point it is necessary to structure the information and map the streams of its processing. We have to answer the following questions:
— What information is processed within the corporate infrastructure?
— Is it structured? If not, we should define a way to structure it, for example into publicly available information, trade secrets and confidential information. Is there information which represents official or state secrets, and is it processed in accordance with applicable law?
— If there is information which represents trade secrets or confidential information (usually internal financial reports, patented technologies), how is it processed, and what flows of this information exist?
— Has the company built a scheme of information processing with the main and additional flows defined? If it does not exist yet, such a scheme should be built.

Then, on the basis of the information processing scheme, it is necessary to determine the information resources (servers, file and cloud storage etc.) where the information is stored, with a special focus on resources storing data classified as confidential or trade secret, as well as official and state secrets.

(b) Information resources on which information is stored

For this issue, a list of corporate information resources is compiled: servers, file and cloud storage, removable and portable storage devices. Pay special attention to removable and portable storage devices, since with them information can be carried out of the company. A list of such media should be drawn up and it should be defined what kind of information they may contain: if the list includes information that is subject to special protection, this is a possible channel of data leakage.

(c) Information channels

For this issue, a list of information channels (networks, routing nodes, gateways etc.) is compiled based on the scheme of information channels. Pay special attention to gateways that are beyond the control of the company's IT department but are still situated within the company perimeter: usually this is the communication equipment of the internet provider. If sensitive information passes through these gateways unencrypted, they may become a channel of data leakage.

(d) Software used for information processing

Here we compile a list of the software used in the company. Particular attention should be paid to detecting unlicensed software, because the tools used to bypass licensing (cracks, key generators) very often contain injected code that under certain conditions can download malware or directly steal information.
We should also pay attention to antivirus applications (is the virus signature database updated regularly and on time?) and to the firmware of security gateways (is the database of malicious websites to be blocked updated regularly and on time?).

(e) Documentation: legal and technical

Here we compile a list of the legal and technical documentation for the hardware and software. It is obviously necessary to follow the rule «Every action on information processing should be described by regulations or documentation».
To cover this issue we should also compile a full list of the internal regulations for processing data within the company.

(f) Physical protection of information

Here we should cooperate closely with the security service.
The rooms with the information storage equipment should be checked for the following issues:
— Is there a video surveillance system at the enterprise? If so, does it cover the rooms where this equipment is located?
— Does the company have an access control system (ACS)? If so, are the rooms with the information storage equipment connected to it? Does the ACS continue to function in full in case of a power failure of the devices, controllers and access control servers?
— Is there a fire-extinguishing system that does not use conductive agents (gas, powder) in the rooms where the information storage equipment is located?
— Are these rooms equipped with a system for maintaining a constant temperature (air cooling)?
— Are these rooms equipped with backup power systems?
All three areas (access control, fire safety and power security) are equally important, so excluding any of them from the audit is not recommended. The air conditioning system is usually a standard component of any server room.

2. How to investigate

Earlier we split the audit into separate issues. On this basis, it is necessary to develop a research methodology, the audit methodology. For convenience, the recommended technique is described below issue by issue, in the same order as in the first stage; the technique is proposed taking into account best practices and recommendations for information security.

(a) Information stored and processed in the company

When the first stage of the investigation is completed, the specialists conducting the information security audit will have a scheme of information distribution across the corporate information channels. With this scheme at hand they should assess the possibility of data leaks caused by the human factor. By comparing this scheme with the staffing table (the list of positions and their job duties), it should be determined whether any employee has access to information that is not necessary for his job responsibilities. Then it should be determined which employees have access to sensitive information, and whether that access is consistent with the employee's position. By comparing the information processing scheme with the scheme of the company's IT infrastructure (such a scheme should be kept by the IT department) it is possible to determine whether sensitive information can be accessed openly. If it can, this channel can be used, maliciously or unintentionally, for a data leak.

(b) Resources of data storage

It is necessary to analyse the list of information resources used in the company. By comparing this list and the information stored on these devices with the staffing table and with the list of user logins taken from the operating systems on which the information resources run, you can determine how well the matrix of user access to information resources is composed, and whether any user holds rights that are redundant for performing his work.

It is also necessary to check whether the passwords of users and administrators meet the security requirements. The best practice when choosing a password is to follow the Microsoft guideline: at least 8 characters (16 is better), at least one digit, at least one upper-case and one lower-case letter, at least one special character, and the password must not be meaningful (i.e. not a word from the dictionary). Note that current guidance such as NIST SP 800-63B puts more weight on length and on rejecting passwords found in breach lists than on composition rules, so a check against a list of known compromised passwords should accompany the rules above.

Particular attention should be paid to cloud storage. Based on best practices and recommendations in the field of information security, it is not recommended to place sensitive information in cloud storage outside the corporate network. It is worth remembering an old rule: «Closed information placed in a public cloud, even one provided individually to the company by the provider in its data center, is not sufficiently protected». Nowadays the situation is changing for the better, and providers' data center resources are becoming more secure. But it is still better to store sensitive data on servers within the company, even if this leads to additional costs for equipment and specialists. Information classified as free (open) access can be placed in public cloud storage without restriction.

To control user access to information resources, it is recommended to use specialized software that records the actions of users when processing information on the information resource. One such package is StaffCop Enterprise, which records user actions on the information resources used for storing and processing information. User actions can be presented in the form of an event log, which can then be analysed by administrators or auditors.
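The access review described in points (a) and (b) above, carried out in code as an added example (this is not the article's own code and not StaffCop's): a constructed staffing table, employee list, resource classification and exported access grants are compared, and every grant that a position does not need, every grant a position needs but lacks, and every login with no position in the staffing table is reported. All names, resources and grants are invented sample data.

```python
"""Least-privilege review of an access matrix against the staffing table.

Added example, not part of the original article. Input data is constructed
inline: a staffing table (position -> resources the position needs), a list
of employees with their positions, and the access grants actually configured
on the information resources (as an auditor would export them from the
operating systems or file servers). Resource classifications follow the
article's categories: public, confidential, trade_secret.
"""

from collections import defaultdict

# --- constructed sample data (assumptions, not from the article) ---
RESOURCE_CLASS = {
    "fs01:/public":  "public",
    "fs01:/finance": "trade_secret",
    "fs01:/hr":      "confidential",
    "srv-erp:db":    "confidential",
    "cloud:share":   "public",
}

# Staffing table: which resources each position needs for its duties.
STAFFING_TABLE = {
    "accountant": {"fs01:/public", "fs01:/finance", "srv-erp:db"},
    "hr_manager": {"fs01:/public", "fs01:/hr"},
    "sales":      {"fs01:/public", "cloud:share", "srv-erp:db"},
}

EMPLOYEES = {
    "ivanov":  "accountant",
    "petrova": "hr_manager",
    "sidorov": "sales",
    "guest":   None,   # login exists on the server but has no position in the staffing table
}

# Access grants exported from the resources: (login, resource).
GRANTS = [
    ("ivanov", "fs01:/public"), ("ivanov", "fs01:/finance"), ("ivanov", "srv-erp:db"),
    ("petrova", "fs01:/public"), ("petrova", "fs01:/hr"), ("petrova", "fs01:/finance"),
    ("sidorov", "fs01:/public"), ("sidorov", "cloud:share"),
    ("guest", "fs01:/hr"),
]


def review_access(grants, employees, staffing_table, resource_class):
    """Return findings: excess grants, missing grants, and orphan logins.

    excess  - (login, resource, class): granted but not needed for the position
    missing - (login, resource): needed for the position but not granted
              (a sign the matrix is maintained by hand and is out of date)
    orphan  - logins with no position in the staffing table
    """
    granted = defaultdict(set)
    for login, resource in grants:
        granted[login].add(resource)

    excess, missing, orphan = [], [], []
    for login in sorted(set(granted) | set(employees)):
        position = employees.get(login)
        if position is None:
            orphan.append(login)
            # Everything an orphan login holds is excess by definition.
            for resource in sorted(granted[login]):
                excess.append((login, resource, resource_class.get(resource, "unknown")))
            continue
        needed = staffing_table[position]
        for resource in sorted(granted[login] - needed):
            excess.append((login, resource, resource_class.get(resource, "unknown")))
        for resource in sorted(needed - granted[login]):
            missing.append((login, resource))
    return {"excess": excess, "missing": missing, "orphan": orphan}


def sensitive_findings(findings, sensitive=("confidential", "trade_secret")):
    """Excess grants on resources holding sensitive data: the potential leakage channels."""
    return [f for f in findings["excess"] if f[2] in sensitive]


if __name__ == "__main__":
    result = review_access(GRANTS, EMPLOYEES, STAFFING_TABLE, RESOURCE_CLASS)
    for kind in ("excess", "missing", "orphan"):
        for item in result[kind]:
            print(f"{kind:8} {item}")
```

On the sample data the review reports the orphan «guest» login holding a confidential share, the HR manager's redundant access to the finance share (a trade secret), and a missing ERP grant for the sales position; the last kind of finding matters because a hand-maintained matrix that lags behind the staffing table is usually wrong in both directions.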

(c) Information channels

The investigation of information channels is closely related to the study of software (point «d»), because connections between networks can be built using both hardware and software means (so-called «software VPN solutions»).

Pay special attention to the way channels between networks are built. If sensitive information is to be transferred, using a connection without encryption is unacceptable: an encrypted TLS (still commonly called SSL) connection must be established, using certificates (possibly self-signed within the company, but better issued by a trusted certificate authority) together with a login and a password that meets the security requirements. If there are gateways installed on the company's premises but controlled by the internet provider, find out whether sensitive information passes over these gateways in encrypted form; if not, an encrypted VPN channel must be set up over them before sensitive information may be transferred.

For wireless networks the requirements are:
— The wireless network must use a current encryption standard: WPA2 (AES/CCMP) at a minimum, or WPA3 where the equipment supports it. WEP and the original WPA (TKIP) are broken and must not be used.
— The wireless network must be closed, which means that connection of new devices to the network must not happen automatically even if the new user knows the network password: the administrator must add new devices manually.
— An important consequence of the second condition is that the wireless network must not be public: public wireless networks (cafes, restaurants, hotels etc.) may not be used for corporate traffic without a dedicated protected channel (a VPN). Only internal wireless networks are allowed.

Best practices and recommendations for information security recommend using connections that provide TLS encryption of the transmitted information with certificates, in combination with a login and a secure password (VPN connections), for transmitting protected information over wireless channels.

Specialized software is used to find vulnerabilities on information channels, gateways and routers. One of the most common toolkits is Kali Linux, a distribution that bundles scanners and testing tools able to detect vulnerabilities, including those related to the protection of gateways and routers. You should also check whether the gateway/router firmware is regularly updated and whether the lists of malicious sites are regularly updated. It is also necessary to check whether the passwords of the administrative accounts used to manage the gateways/routers meet the security criteria described above.

To control the transfer of information by users over communication channels, it is recommended to use specialized software that records user actions when working with the communication channel. We have already mentioned the StaffCop Enterprise software package as an example. StaffCop Enterprise records user actions on communication channels, including e-mail forwarding and correspondence in messengers (Skype, Telegram Desktop, instant messengers, SIP telephony). User actions can be presented in the form of an event log, which can then be analysed by administrators or auditors.
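An added example (not part of the original article) of checking the wireless requirements above in code. It parses the terse output of «nmcli -t -f SSID,SECURITY dev wifi» (NetworkManager's command-line tool on Linux; nmcli labels original WPA as WPA1 and enterprise authentication as 802.1X) and rates each network: WPA3 or WPA2 pass, WPA1/WPA2 mixed mode is flagged for review, and WEP, WPA1-only and open networks fail. The scan text is constructed sample data, and live_scan() assumes nmcli is installed on the auditing host.

```python
"""Audit the security mode of wireless networks from an nmcli scan.

Added example; not part of the original article. It parses the terse output
of ``nmcli -t -f SSID,SECURITY dev wifi`` (fields separated by ':', literal
colons inside a value escaped as '\\:'), then rates every network against the
rule stated in the text: WPA2 or WPA3 is the minimum, WEP and WPA1-only are
unacceptable, and open networks must not carry corporate traffic. The scan
below is constructed sample data, not a real capture.
"""

import re
import subprocess

# Constructed sample scan (what nmcli -t prints), one network per line.
# "Warehouse\:AP1" shows the escaped colon; "Printer-Setup:" is an open network.
SAMPLE_SCAN = """\
Corp-Office:WPA2 802.1X
Corp-Guest:WPA2
Warehouse\\:AP1:WEP
Printer-Setup:
Lobby:WPA1 WPA2
Lab:WPA3
Old-Router:WPA1
"""

# Split on unescaped colons only (a colon preceded by a backslash is data).
_FIELD_SPLIT = re.compile(r"(?<!\\):")


def parse_nmcli_terse(text):
    """Return a list of (ssid, security) tuples from nmcli -t output."""
    networks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.replace("\\:", ":") for f in _FIELD_SPLIT.split(line)]
        ssid = fields[0]
        security = fields[1] if len(fields) > 1 else ""
        if security == "--":        # nmcli's non-terse marker for an open network
            security = ""
        networks.append((ssid, security))
    return networks


def rate_network(security):
    """Map an nmcli SECURITY string to (verdict, reason)."""
    modes = set(security.split())
    if "WPA3" in modes:
        return ("ok", "WPA3")
    if "WEP" in modes:
        return ("fail", "WEP is broken; replace the access point or its firmware")
    if not modes:
        return ("fail", "open network: no encryption at all")
    if "WPA2" in modes and "WPA1" in modes:
        return ("warn", "WPA1/WPA2 mixed mode allows a TKIP downgrade; disable WPA1")
    if "WPA2" in modes:
        return ("ok", "WPA2" + (" enterprise (802.1X)" if "802.1X" in modes else " PSK"))
    if "WPA1" in modes:
        return ("fail", "WPA1 (TKIP) only; enable WPA2/WPA3")
    return ("warn", f"unrecognised mode string: {security!r}")


def audit(text):
    """Return {ssid: (verdict, reason)} for every network in the scan."""
    return {ssid: rate_network(sec) for ssid, sec in parse_nmcli_terse(text)}


def live_scan():
    """Scan from this host. Assumption: Linux with NetworkManager and nmcli installed."""
    out = subprocess.run(["nmcli", "-t", "-f", "SSID,SECURITY", "dev", "wifi"],
                         check=True, capture_output=True, text=True).stdout
    return audit(out)


if __name__ == "__main__":
    for ssid, (verdict, reason) in audit(SAMPLE_SCAN).items():
        print(f"{verdict:4} {ssid:16} {reason}")
```

A scan only shows what the access points advertise; the «closed network» requirement (manual admission of devices) has to be checked on the access point configuration itself, and rogue access points that do not belong in the inventory should be a finding regardless of their security mode.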

(d) Software used for information processing

As mentioned earlier, the main criterion for selecting software is its licensing. Free or open-source software must be distributed under a recognised open-source license (GPL, MIT, Apache 2.0, BSD etc.), and the terms of that license must be complied with.

In addition, the Kali Linux toolkit mentioned above can be used to detect vulnerabilities in software. Its main purpose is to detect vulnerabilities in operating systems, database management systems, file storage systems etc. In effect, it is a collection of tools for finding «holes» and backdoors in hardware and software: by testing the means of protection, it reports the detected vulnerabilities.

If the use of the software involves password authentication, check whether the password meets the security criteria described above.

Particular attention should be paid to antivirus and malware detection systems. If the databases of virus and malware signatures are not regularly updated, you should probably stop using such software, as it is not capable of resisting newly emerging viruses and malware.

To determine and analyse the software used in the company, special software packages, for example StaffCop Enterprise, can be used. User actions in any application can be documented and confirmed by screenshots, and events are presented in the form of a log, which can then be analysed by both administrators and auditors.

(e) Documentation: legal and technical

As already mentioned in the description of the first stage, there should be a complete set of documentation for all the software and hardware in use, and the version of the documentation should correspond to the version of the software in use. It is necessary to verify the information processing scheme: each event of processing or transmission of information must comply with the regulations describing the actions of the user or the processing of information by the software. The best practice for maintaining documentation is to update it regularly following changes in the information processing procedures of the company.

(f) Physical protection of information

It is necessary to define who has access to the rooms with the information processing and storage equipment and whether unauthorized persons can get in. The list of staff with access to these facilities should be strictly limited.
It is necessary to check whether the ACS and the video surveillance system keep functioning in full when the power is turned off. If these systems stop functioning during a power outage, a physical information leak (theft of physical media) becomes possible during the outage.
It is necessary to make sure that the room with the information processing and storage facilities is equipped with an automatic fire extinguishing system that does not use conductive agents.
It is necessary to make sure that the room is equipped with a backup power system that switches on automatically when the main power source is disconnected.
It is necessary to make sure that the room is equipped with a constant temperature (air cooling) system.