Min SOX req. for Network Vulnerability scanning

  • Hi
    What is the minimum SOX requirement for Network Vulnerability scanning (both perimeter and interior) and what is a good reference for SOX and ongoing network management?

  • As with other facets of SOX, there are mixed thoughts about the relationship of Network Management and SOX.
    Some consider Network Management to be out of scope, but indirectly related as network management is connected to IT General Controls. The publication in which Network Management was considered not directly related to SOX identified Network Management as below:
    Infrastructure and Other

    • Facilities Management
    • Physical Security
    • Physical Records Management
    • Corporate Communications
    • Investor Relations
    • Public Relations
    • Receiving
    • Distribution/Logistics
    • Telecommunications
    • Network Management
      Thus, a case can be made to exclude Network Management for SOX purposes.
      However, in a document called, ‘Internal Controls’ published by GTAG (Global Technology Audit Guide), the following is stated:
      Once security requirements have been identified, controls from BS 7799 should be selected and implemented to ensure risks are reduced to an acceptable level. Controls should be selected based on the cost of implementation in relation to the risks being reduced and the potential losses if a security breach occurs.
      Nonmonetary factors, such as loss of reputation, should also be taken into account. For more information on BS 7799, see http://www.bs7799-iso17799.com/
      15.5.5 Topics Addressed in BS 7799
    1. Scope.
    2. Terms and definitions.
    3. Security policy:
      3.1 Information security policy document.
      3.2 Review and evaluation.
    4. Security organization:
      4.1 Information security infrastructure.
      4.2 Security of third-party access.
      4.3 Outsourcing.
    5. Asset classification and control:
      5.1 Accountability for assets.
      5.2 Information classification.
    6. Personnel security:
      6.1 Security in job definition and resourcing.
      6.2 User training.
      6.3 Responding to security incidents and malfunctions.
    7. Physical and environmental security:
      7.1 Secure areas.
      7.2 Equipment security.
      7.3 General control.
    8. Communications and operations management:
      8.1 Operational procedures and responsibilities.
      8.2 System planning and acceptance.
      8.3 Protection against malicious software.
      8.4 Housekeeping.
      8.5 Network management.
      8.6 Media handling and security.
      8.7 Exchanges of information and software.
    9. Access control:
      9.1 Business requirement for access control.
      9.2 User access management.
      9.3 User responsibilities.
      9.4 Network access control.
      9.5 Operating system access control.
      9.6 Application access control.
      9.7 Monitoring system access and use.
      9.8 Mobile computing and teleworking.
    10. Systems development and maintenance:
      10.1 Security requirements of systems.
      10.2 Security in application systems.
      10.3 Cryptographic controls.
      10.4 Security of system files.
      10.5 Security in development and support processes.
    11. Business continuity management:
      11.1 Business continuity management process.
    12. Compliance:
      12.1 Compliance with legal requirements.
      12.2 Reviews of security policy and technical compliance.
      12.3 System audit considerations.
      So you might find some useful information by reading the guidance found in Section 8.5.
      I’ve also seen Network Management as an area that is covered under ISO17799.
      Additionally, in a presentation from CISA, Network Management might be considered within scope considering the following categorization:
      IS Change Management
    • System Development Life Cycle
    • Production Change Control
      IS Operations
    • Production Processing / Problem Resolution
    • Systems and Network Management
    • Data Back up and Recovery
      IS Security
    • Access Controls
    • Network and Environmental Controls
      IS Management
    • Project Prioritization / Planning
      Someone else might have some applied experience or benchmarking to share about network vulnerability scanning.
      Hope this helps,

  • Regarding vulnerability testing of the perimeter firewall, the following document from SANS Institute might be overkill, but helpful:
    An Independent Auditor’s perspective
    GIAC System and Network Auditor (GSNA) Practical Assignment v2.1
    It should be noted that for effective control, continuous monitoring can be achieved with vulnerability tools. Hackers work 24/7 so it might be a little aggressive to test annually if only to address SOX concerns.
    For eCommerce transactions, I believe that the PCI standards call for quarterly vulnerability testing and compliance assessment must be performed by an external approved assessor.
    Hope this helps,

  • Figure 18 (on page 78 of 92) of the ITGI paper on IT Control Objectives for Sarbanes-Oxley, published in April 2004, discusses your query related to intrusion detection and vulnerability assessment.
    Accordingly, we have tested the sufficiency and appropriateness of perimeter security controls, including firewall and IDS; independent assessment of controls within the past year; antivirus systems used to protect the security and integrity of applications; and encryption and PKI techniques used for confidentiality and non-repudiation.
    Therefore, vulnerability assessment is a part of COBIT objective for SOX.
    I hope that this helps.

  • A few years ago, I worked in a senior-level position in IT security. I’ve performed NVA assessments and penetration testing and just wanted to share the following brief points:

    1. Never do this in ‘surprise mode’, but always inform all administrators formally (e.g., email) prior to conducting this. For example, a monitoring agency might notify admins that they’re being probed/hacked. Also, one test associated with password strength almost expired accounts on one of our Windows servers due to a bug in a release of the toolset. Even though I always notified in advance, I always found weaknesses every time I performed a quarterly test. The element of surprise won’t play a major role in this process, and could in fact backfire.
    2. Document your toolsets and approaches thoroughly, whether you do this externally or internally. Some common areas to test include: VPN connectivity, weak passwords, open file shares on servers and workstations, open TCP/IP ports, web servers, etc.
    3. From a SOX compliance standpoint, test your complete network. It’s always best to assess and test your controls from ‘head to toe’ within your network topology. In other words, start from the first-line defensive routers to the end users’ workstations, and all points in between. To me, any security weakness that can let the bad guys in might be considered a SOX weakness.
    4. Assess and strengthen your incident response handling, escalation procedures, and documentation standards. Ensure you have contact points for local police or the FBI. As part of our NVA policy, establish or update your documentation standards and recovery standards so they are thorough. As an overall goal, you want to capture information pertinent to an attack for authorities, change passwords, and recover all as quickly as possible (usually through a rebuild, so you don’t take chances).
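Points 2 and 3 above (document your toolsets, test the complete network) and the quarterly cadence mentioned earlier in the thread come down to two auditable artefacts: an approved baseline of what each host is allowed to expose, and a dated record of how the latest scan deviated from it. The script below is an added example, not code from this thread or from any of the tools or standards it mentions. It compares a constructed, already-parsed scan result against a constructed baseline, flags unapproved ports, hosts missing from the baseline, and expected services that did not show up (a blind spot or an outage, either worth a note), and computes when the next quarterly scan is due. Host names, ports, change-ticket ids and dates are all made up for illustration.

```python
"""Compare an authorised scan's observed listeners against an approved
baseline and produce a dated finding record for the scan file.

Added example; not code from the forum thread. Hosts, ports, ticket ids and
dates below are constructed sample data, not real systems."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed baseline: host -> {approved TCP port: change ticket that authorised it}
BASELINE = {
    "fw-edge-01": {22: "CHG-0001", 443: "CHG-0002"},
    "fileserver-01": {445: "CHG-0003"},
    "web-01": {80: "CHG-0004", 443: "CHG-0004"},
}

# Constructed scan output after parsing: (host, port, service name reported)
OBSERVED = [
    ("fw-edge-01", 22, "ssh"),
    ("fw-edge-01", 443, "https"),
    ("fw-edge-01", 23, "telnet"),
    ("fileserver-01", 445, "microsoft-ds"),
    ("fileserver-01", 139, "netbios-ssn"),
    ("web-01", 443, "https"),
    ("workstation-17", 445, "microsoft-ds"),
]

SCAN_INTERVAL_DAYS = 90  # quarterly cadence discussed in the thread (assumption)


@dataclass
class Finding:
    host: str
    port: int
    service: str
    kind: str  # "unapproved_port", "unknown_host" or "missing_expected"


def compare(observed, baseline):
    """Return findings in a deterministic order: observed deviations first
    (in scan order), then baseline entries the scan did not see."""
    findings = []
    seen = {}
    for host, port, service in observed:
        seen.setdefault(host, set()).add(port)
        if host not in baseline:
            # A host with no baseline at all is itself a documentation gap.
            findings.append(Finding(host, port, service, "unknown_host"))
        elif port not in baseline[host]:
            findings.append(Finding(host, port, service, "unapproved_port"))
    for host, ports in baseline.items():
        for port in ports:
            if port not in seen.get(host, set()):
                # Expected service absent: scan blind spot or an outage.
                findings.append(Finding(host, port, "-", "missing_expected"))
    return findings


def next_scan_due(last_scan: date, interval_days: int = SCAN_INTERVAL_DAYS) -> date:
    return last_scan + timedelta(days=interval_days)


def scan_overdue(last_scan: date, today: date,
                 interval_days: int = SCAN_INTERVAL_DAYS) -> bool:
    return today > next_scan_due(last_scan, interval_days)


def format_report(scan_date: date, findings, baseline) -> str:
    """Plain-text record to file with the scan evidence."""
    lines = [f"Scan date: {scan_date.isoformat()}",
             f"Next scan due: {next_scan_due(scan_date).isoformat()}",
             f"Findings: {len(findings)}"]
    for f in findings:
        ticket = baseline.get(f.host, {}).get(f.port, "none")
        lines.append(f"  {f.kind:16} {f.host}:{f.port} ({f.service}) ticket={ticket}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(date(2024, 1, 15), compare(OBSERVED, BASELINE), BASELINE))
```

The baseline is keyed to change tickets so that every approved listener traces back to an authorisation, which is the kind of evidence an auditor asks for; anything the scan finds that has no ticket is a finding regardless of how benign the service looks.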
