Issue of September 2003 

Secured View: Audit Compliance

Preparing for Audit

In this last installment of the BS 7799 series let's take a look at the crucial issues one should consider when taking the prudent approach to audit.

by Avinash W. Kadam

We began the quest for an Information Security Management System by stating the security goals. To achieve these goals, we created a security organization. The imaginary security organization we devised identified all the critical information assets that we possessed. It also defined personnel security, physical and environmental security, communications and operations management, access control, system development and maintenance, and business continuity management policies. But we need to look at everything in a skeptical manner and step into a critic's shoes. The critic could be an auditor, a government regulatory authority or even a law enforcement authority. Let's assume that these hawk-eyed persons are eager to know whether we have complied with every audit, statutory or legal provision that falls within the jurisdiction of our country. This last article in the BS 7799 series is about this crucial aspect.

Compliance with legal requirements

Let's begin by first identifying the various legislation that may govern the information systems we design and operate. An advocate who happens to be a close friend was very helpful in giving me a 'partial' list of the applicable laws. These are:

  • IT Act 2000
  • Trademark Act 1958
  • Copyright Act 1957
  • Law of Torts
  • Indian Penal Code
  • Indian Contracts Act 1887
  • Sale of Goods Act

In addition to this if you have…

  • …clients in Europe, the European Union's Data Protection Directive for the protection of individuals' data is applicable.
  • …US-based hospitals or HMOs as your clients, HIPAA (the Health Insurance Portability and Accountability Act) is applicable. And if you are keeping data about any Californian resident in your database, California's Security Breach Disclosure Law is applicable.

So, it's advisable to consult an advocate for all the applicable legislation—that's if you don't want to be caught by surprise later.

Intellectual property rights

One of the important acts, which finds a place as a specific control, is Intellectual Property Rights (IPR). One needs to ensure that one does not violate software copyright in any form. This simply means that one should use only authorized software. All employees should read the copyright statement carefully before they download any software or information from the Internet. Also ensure that your website does not breach any copyright. There are a number of interesting cases that prohibit you from providing links to other sites, or from using icons, graphics or images that are freely available on the Internet. In fact, some sites have protected even the color schemes of their sites. So, be very careful about getting 'inspired' by a website on the Internet—you may be breaching an IPR.

Safeguarding organizational records

Ask your accounts department how long they retain financial records. Every company has some musty store-room where records are kept for seven years or more, depending on the statutory requirement. Based on the guidelines, your predecessor has faithfully kept the old tapes in the same store-room. If you get a summons from the Income Tax department to produce the pay slip of an employee who was working for you seven years ago, will you be able to produce it? Will you have the computer, the computer program, and the tape drive to read that 9-track, 12-inch spool tape? Will the tape itself be readable? Or has fungus been deposited on it?

These and other crucial questions need to be answered to satisfy this control. If you have selected an electronic storage medium, you need to ensure that you have the ability to access the data throughout the desired retention period, and you should be able to retrieve the data in a manner "acceptable to a court of law."

Prevention of misuse of information processing facilities

Do you have MP3 songs on your hard disk? Do you listen to these while working? Do you share these with colleagues? Beware! This could be misuse of an information processing facility, especially if you are not in the business of recording, storing and distributing MP3 files. Your management would have asked you to abide by the 'acceptable use policy', and indulging in any activity contrary to it may invite disciplinary action.

There is a famous case of a hacker who managed to get inside a corporate network and was caught by the vigilant security officer. The hacker pleaded not guilty in court. His argument was that when he logged on to the corporate network, a welcome sign greeted him. If he was welcome to enter the network, then he had not broken any law by entering. Since then, security officers have put up a stern warning message forbidding unauthorized entry in place of the welcome sign.

So, you have to ensure that there is no misuse of the information processing facilities by any person, insider or outsider.

Cryptography

Cryptography immediately grabs our attention. More so because it was placed under the International Traffic in Arms Regulations (ITAR) by the USA, and as such any export of cryptography was a crime treated on par with exporting nuclear weapons. Phil Zimmermann was the crusader who took on the mighty USA for the free use of cryptography to protect privacy. His motto was: if privacy is outlawed, only outlaws have privacy. His Pretty Good Privacy (PGP) e-mail security package is the most used e-mail encryption package today.

Against this background, unless you are a Zimmermann, check the government rules about the use of cryptography. You may be sending encrypted information to other countries that have different laws. In fact, some countries do not allow any data to be encrypted. So, if you are traveling with your notebook PC on which you have stored encrypted files, you may be breaking a few laws of the land.

Collection of evidence

Cyber crime is crime committed with the help of a computer. The computer may have been used to carry out a cyber attack, to send malicious e-mail, to store company confidential files before sending them out, or to commit financial fraud. If you know that a particular computer was used for criminal activities, how do you preserve all the telltale signs?

Computer forensics is a new branch of criminal investigation. Computer evidence is very fragile; it can very easily lose its credibility. Normal methods of taking a backup do not work here, as the date and time stamps associated with the last access to a file change during the backup itself, and evidence collected that way will not be accepted in court. Special software is used to make a complete bit-by-bit image of the disk without altering a single bit of information. The entire process of collecting evidence has to be documented and witnessed. Multiple copies of the evidence should be made so that one copy is always maintained in safe custody while the investigation is done using the other copies. The concern here is to ensure that the evidence is admissible in court—the quality and completeness of the evidence is beyond doubt and you are really able to nail the cyber criminal.
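The imaging discipline described above, as an added example that is not from the article or from BS 7799: a raw copy is taken without interpreting the bytes, every copy is hashed against the source, the acquisition is logged with examiner and witness, and a damaged working copy is caught before it could be relied on. The chunked SHA-256 hashing, the master/working split and the JSON-lines custody log are my assumptions; a real acquisition would read the device through a write blocker with a dedicated imaging tool.

```python
import hashlib, json, os, shutil, tempfile, time
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads, so a large device never has to fit in memory


def sha256_of(path):
    """Hash a file or raw device in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, master, working, log, examiner, witness):
    """Bit-for-bit copy to a master image plus a working copy; each copy is
    hashed against the source and the result is logged with who did it and
    who witnessed it (the log format is an assumption of this example)."""
    src_hash = sha256_of(source)
    with open(source, "rb") as s, open(master, "wb") as m:
        shutil.copyfileobj(s, m, CHUNK)  # raw bytes only, nothing interpreted
    shutil.copyfile(master, working)     # analysts work on this copy only
    entry = {"time_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "source": str(source), "sha256": src_hash,
             "examiner": examiner, "witness": witness,
             "master_ok": sha256_of(master) == src_hash,
             "working_ok": sha256_of(working) == src_hash}
    with open(log, "a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify_copy(image, expected_sha256):
    """Re-check a copy before examination or before producing it in court."""
    return sha256_of(image) == expected_sha256


def demo():
    """Constructed sample: image a 3 MiB fake 'device', then damage the
    working copy (drop its last 17 bytes) to show that verification catches it."""
    d = Path(tempfile.mkdtemp(prefix="evidence_"))
    src = d / "device.raw"
    src.write_bytes(os.urandom(3 * CHUNK + 17))
    entry = acquire_image(src, d / "master.dd", d / "working.dd",
                          d / "custody.jsonl", "examiner A", "witness B")
    os.truncate(d / "working.dd", 3 * CHUNK)  # simulate a damaged copy
    return (entry["master_ok"] and entry["working_ok"],
            verify_copy(d / "master.dd", entry["sha256"]),
            verify_copy(d / "working.dd", entry["sha256"]))
```

The master image keeps verifying after the working copy is damaged, which is why the sealed copy never leaves safe custody.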

Review of security policy and technical compliance

At the end of a BS 7799 exercise, an organization establishes a number of security policies and standards. The initial audit has the enthusiastic participation of all IT staff, end-users as well as senior management. The real test of commitment comes only after this initial euphoria dies down. Does the organization always comply with all the policies? Is there a mechanism to monitor compliance? Is there a review mechanism? Are the managers taking their responsibility seriously to ensure compliance with all the security policies and procedures?

Internal audit teams that regularly review the various areas of security policy compliance, together with review of the internal audit teams' work by senior management, ensure that there is continued seriousness about security in the organization. For best results, form peer review groups and try introducing healthy competition for being declared "The Most Secured Department".

Apart from adherence to the procedural aspects of security, also ensure that periodic technical compliance checks are done. This may require conducting tools-based vulnerability testing as well as penetration testing. For best results, ask knowledgeable and trustworthy outsiders to carry out these tests. Technical compliance gives additional assurance that all the security holes have been plugged.

System Audit

To quote Ron Weber, the author of the classic book on Information Systems Control and Audit, information systems auditing evaluates whether computer-based information systems safeguard assets, maintain data integrity, achieve organizational objectives effectively, and consume resources efficiently.

Auditing is a responsible task, as it may involve accessing live systems, and you have to ensure that there is minimum interference to the business. The scope of the audit should be very clearly defined, and the entire audit process should be closely monitored and documented. An audit may involve tools that bypass the normal authentication mechanisms or software controls. Care has to be taken that no data is altered or in any way compromised.

Access and use of the system audit tools should be properly controlled and these should not be available to normal users. You may use a password-cracking tool to check and report the strength of passwords. Availability of this tool to general users may not be a good idea. In fact, possession of these tools should be strictly forbidden as per the security policy.

Lastly, all audits should be conducted only with the prior approval of management. You do not want to be 'caught' using audit tools and be accused of theft, do you? It actually happened to Randall L. Schwartz, a well-known security consultant and writer of two books on Perl. He was employed by Intel to conduct a system audit. He ran a program called 'crack' to test the strength of passwords at another division of Intel where he had previously worked. His actions were not covered by specific written scope statements. Schwartz was charged with altering a computer and a computer network without authorization; using a computer and computer network for the purpose of committing a theft; and committing theft of individual passwords. The jury convicted him under Oregon's Computer Crime Law. His sentence included five years of probation, 480 hours of community service, 90 days of deferred jail time, and $68,000 of restitution to Intel. At the end of the trial, his legal bill exceeded $170,000.

Our own IT Act 2000 is also very clear on the issue of computer crime. As per section 70 (3): "Any person who secures access or attempts to secure access, to a protected system, in contravention of the provisions of this section shall be punished with imprisonment of either description, for a term that may extend to ten years, and shall also be liable to fine."

So, the moral of the story is: be very careful when you conduct system audits, and ensure that each audit is covered by the audit scope and authorized by management in writing.

Some advice for internal and external auditors…
  • Consult an advocate for all the applicable legislation—that's if you don't want to be caught by surprise later.
  • Ensure that one does not violate the software copyright in any form.
  • Ask the Accounts department how long they retain financial records.
  • Ensure that there is no misuse of the information processing facilities by any person, insider or outsider.
  • If you are traveling with your notebook PC where you have stored encrypted files, you may be breaking a few laws of the land.
  • Ensure that the evidence is admissible in court. The quality and completeness of evidence is beyond doubt, and you are really able to nail the cyber criminal.
  • Apart from adherence to procedural aspects of security, also ensure that periodic technical compliance checks are done.
  • Access and use of the system audit tools should be properly controlled and these should not be available to users.
  • All audits should be conducted only with prior approval of the management.

Avinash Kadam is Director, Miel e-Security, Pvt. Ltd. He can be reached at awkadam@mielesecurity.com

© Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.