Vulnerability Self-Assessments

Audits are generally very time consuming and require a great degree of planning and coordination before they can be successfully completed. Comprehensive audits consist of a thorough review of the controls detailed in policies, procedures, and standards, together with vulnerability testing. These steps are expensive, and for this reason audits are generally performed annually at best. Many organizations need more expedient methods by which they can assess their risks; enter the self-assessment. Self-assessments can be used as checklists that help senior managers address vulnerability elements during the system design phase and after the system goes into production, before those elements become findings in the next audit.

In a perfect world, application vulnerability assessments begin in the planning stages of the Systems Development Life Cycle. When the system design phase begins, vulnerabilities should be identified and addressed before the system goes through the acquisition and implementation phases.

Vulnerability Self-Assessment

It is important in vulnerability self-assessments that every step be documented in policies and procedures addressing risk elements. It is also important that any system vulnerabilities identified during the course of the self-assessment be made part of the company's risk management and audit processes.

The following is a checklist that can be used in system vulnerability self-assessment.

  • Describe the system infrastructure. Is there a diagram illustrating the topology? Is there an organizational chart reflecting job description and hardware responsibilities?

  • Document and describe the data outlets for servers, workstations, printers, modems, video cameras, CSU/DSU (network interface equipment), switches, hubs, load balancing, routers, firewalls, gateways, VPN appliances, etc.

  • Document and describe the cabling between the major hardware components.

  • Describe the location, organization, and person responsible for the relevant hardware documentation.

  • When was the last hardware inventory? Was all hardware accounted for? Were there any instances of unauthorized hardware being installed?

  • Is all hardware authorized?

  • Is there a policy addressing official use of personal equipment?

  • Document and describe all pertinent hardware components that have software installed with default configurations. Why?

  • Document and describe the access control lists (ACLs) for the firewall configurations, including interior and exterior firewalls.

  • Document and describe perimeter router filtering policies, rules, and enforcement.

  • Document and describe the standard software installation policies and procedures for each hardware platform.

  • Document workstation access measures such as BIOS passwords, screensaver passwords, tokens, biometrics, and smart card requirements.

    Physical Security
  • Document and describe the location of fire suppression equipment.

  • Document any and all equipment that is not physically secure. Why?

  • Describe server and workstation boot processes. Do these equipment configurations have floppy drives (A:) disabled as boot devices?

  • Are there BIOS (Basic Input/Output System) passwords? Do workstations have screensaver passwords? Are the hard drives of mobile computing devices encrypted? Does mobile equipment have antitheft devices?

  • Are hard drives and removable media, containing sensitive information, secured in approved receptacles during idle periods?

  • Describe safeguards protecting equipment/media from theft.

  • Describe the location and safeguards of all publicly accessible equipment, including mobile units, e.g., laptops, PDAs, cellular telephones, and PBX (Private Branch Exchange) equipment.

    Emergency Power Management
  • Are there sufficient resources in the form of auxiliary power generators, uninterruptible power supplies, and electrical power conditioners for all user needs?

  • Is there individual hardware protection for power surges and voltage spikes?

    Environmental Conditions
  • Are specific environmental needs met for employees, data, and equipment?

  • Are heating, air conditioning, and ventilation equipment in conformity with building and safety codes?

  • Is the employee work environment safe?

    Configuration Management
  • Describe hardware and software configuration management. Who is responsible for configuration approval?

  • Are protected interior systems connected, through modems, terminal equipment, or PBX equipment, to systems having weak security procedures?

  • Are IP or IPX addresses accountable? When was the last inventory?

  • Are telephone numbers accountable? When was the last inventory?

  • Is information within the organization classified relative to its sensitivity?

  • Does information have an owner?

  • What is the means by which access is granted to information resources?

    Network Protocols
  • Have all nonessential network services been disabled or removed on all relevant equipment?

  • Can any system be accessed by telephone, and if so, why?

  • Can any system be accessed wirelessly, and if so, why?

  • What security precautions have been implemented in wireless environments? Is there adequate supporting documentation?

  • Are wireless security precautions adequate for the traffic?

  • Are cabling cabinets/closets secured? Who has access, and why?

  • Are rooms containing networking equipment secured with restricted access? Who has access, and why?

  • Document all network equipment with remote configuration. Why?

  • Is network equipment accessible from consoles other than those located immediately next to the equipment? Why?

  • Have Web services been placed in a DMZ?

  • Are interior networks protected by firewalls?

  • Are sensitive interior networks partitioned by firewalls?

  • In the case of sensitive information, what is the justification of having open-ended networks connected?

  • Has intrusion detection technology been installed at the network and host levels?

  • Is there a procedure to respond to IDS alarms?
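    The question "Have all nonessential network services been disabled or removed?" is easiest to answer honestly when the check is repeatable. The following Python script is an added example (not part of the original checklist) that compares a Linux host's listening sockets, as printed by `ss -Hlntup`, against the set of services the system's documented configuration says should be listening, and reports anything else as a finding for the risk register. The sample `ss` output, the allowlist, and the table of legacy clear-text services are constructed for the example.

```python
"""Added example: compare a host's listening services against an allowlist.

Operationalises the self-assessment question about nonessential network
services for a single Linux host. Input is text in the format printed by
`ss -Hlntup` (listening TCP/UDP sockets, numeric, with process names, no
header). The sample below is constructed, not captured from a real system.
"""
import re
from dataclasses import dataclass

# Constructed sample in the column layout ss uses:
# Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128    0.0.0.0:22       0.0.0.0:*   users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    127.0.0.1:5432   0.0.0.0:*   users:(("postgres",pid=1040,fd=5))
tcp   LISTEN 0      100    0.0.0.0:23       0.0.0.0:*   users:(("in.telnetd",pid=1301,fd=4))
udp   UNCONN 0      0      0.0.0.0:161      0.0.0.0:*   users:(("snmpd",pid=990,fd=7))
tcp   LISTEN 0      4096   [::]:443         [::]:*      users:(("nginx",pid=1500,fd=6))
"""

# Allowlist (assumption): the services the documented configuration permits.
# Anything else that is reachable from the network is a finding.
ALLOWED = {("tcp", 22), ("tcp", 443)}

# Legacy clear-text services that deserve a stronger remark than
# "undocumented" (assumption: a short list drawn from common hardening guidance).
LEGACY_CLEARTEXT = {("tcp", 23): "telnet", ("tcp", 21): "ftp", ("udp", 161): "snmp"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+"     # Netid State Recv-Q Send-Q
    r"(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*"          # Local Address:Port, Peer
    r'(?:users:\(\("(?P<proc>[^"]+)")?'              # optional process name
)


def parse_ss(text):
    """Parse ss output into Listener records; unrecognised lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or unexpected format: skip rather than guess
        listeners.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return listeners


def is_loopback(addr):
    """Sockets bound only to loopback are not exposed to the network."""
    return addr in ("127.0.0.1", "[::1]") or addr.startswith("127.")


def assess(listeners, allowed=ALLOWED):
    """Return findings as (severity, message) tuples, most severe first."""
    findings = []
    for lst in listeners:
        key = (lst.proto, lst.port)
        if key in allowed or is_loopback(lst.addr):
            continue  # documented service, or only reachable locally
        if key in LEGACY_CLEARTEXT:
            findings.append(("high", f"{LEGACY_CLEARTEXT[key]} ({lst.process}) listening on {lst.addr}:{lst.port}"))
        else:
            findings.append(("medium", f"undocumented {lst.proto}/{lst.port} ({lst.process}) on {lst.addr}"))
    order = {"high": 0, "medium": 1}
    return sorted(findings, key=lambda f: order[f[0]])


if __name__ == "__main__":
    for severity, message in assess(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"[{severity}] {message}")
```

    Run against the constructed sample, the script ignores sshd and nginx (on the allowlist) and the loopback-only database, and reports telnet and SNMP as high-severity findings. On a real host, pipe in `ss -Hlntup` output and keep the allowlist in version control next to the system's configuration documentation, so the check records what the documentation claims as well as what the host does.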

    Disaster Recovery and Business Resumption
  • Have critical assets been identified and prioritized?

  • Has there been a risk management program implemented? Has this risk plan been thoroughly tested in the past 12 months?

  • Do employees know of shut-off procedures for water, electricity, and gas?

  • Is there a business resumption program? Has it been tested in the past 12 months?

  • Is there a critical incident management program?

  • Is there a Critical Incident Response Team?

  • Is there a business resumption plan? Has it been tested in the past 12 months?

  • Are there application and network transaction logs? With what frequency are they reviewed?
  • Is there a list of authorized software to be installed on systems? Document authorized software lists.

  • Is there a policy regarding employees authorized to install software?

  • When was the last software inventory? Did this inventory include version numbers?

  • Is there a policy that addresses personally owned software?

  • Is there a standard configuration procedure for all authorized software installations?

  • What are the procedures for remote access to network/applications/workstations?

  • Are nonessential ports and services disabled?

  • Has antivirus software been installed and updated? How often is it run?

  • Have all applications and operating systems been updated with appropriate security patches?

  • Are software licenses audited regularly? When?

  • Are applications/operating systems protected by access control procedures?

  • Who are the employees having access to data? Why?

  • Who are the employees having access to production systems? Why?

  • Who is capable of accessing production code/applications/operating systems?

  • Do engineers/programmers/help desk employees have access to data? Why?

  • Are there system maintenance accounts? Who has access?

  • What justification is needed for user accounts?

  • Are departing employees' accounts audited before exiting? Are former employees' accounts disabled appropriately?

  • Are media containing sensitive information appropriately secured during use and in idle periods?

  • Is there a policy regarding the use of personally owned media?

  • Is there a policy regarding scanning all media with antivirus software?

  • Are media regularly backed up with copies secured offsite?

  • Is there a test of the integrity of backed-up media?

  • Is backed-up media tested for systems recovery? How long do recovery steps take?

  • Is printer output protected?

  • Is media containing sensitive information appropriately labeled?

  • Is there a procedure for media destruction and disposal?

  • Are passwords required to be changed regularly, to meet a minimum length, and to contain special characters and capital letters? Are passwords required for application and operating system access? Are biometrics used to grant system access? Are tokens or smart cards required for system access?

  • Are there documents showing that user authentication mechanisms are installed to limit system, building, and workspace access?

  • Are procedures requiring employee background investigations in place? Have the professional and personal references of all employees been verified? Have the professional qualifications of all employees been verified?

  • Is there appropriate separation of duties and least privilege?

    Employee Security Awareness Training
  • Have employees been trained relative to risks and their management?

  • Is security awareness training mandatory for all employees? Are there documented attendance records?

Audit Conferences: More (but Important) Meetings You Need to Attend

    Opening Conferences
    Opening conferences occur at the initiation of the audit. They should communicate the scope and objectives of the audit, introduce the audit staff, and present the agendas, schedules, and relevant handouts. In part, the conference is an opportunity to explain in professional terms the purpose and expected results of the audit to the employees who are going to be participating in it. The entrance conference should be conducted with the following in attendance: the directors or department heads responsible for the area being audited, the managers and their subordinates who work in the specific audit target, and any appropriate senior employees.

    A typical entrance conference will have an agenda similar to the following:

  • Introduce auditors and related audit participants

  • Review audit objectives

  • Review audit steps

  • Review time schedule

  • Identify relevant points of contact for each step

  • Describe the audit process from the auditor's and target's perspective

  • Set up first contact appointments

    Other Conferences
    During the course of the audit, there will likely be reasons for other conferences. For example, if an auditor finds something of a fraudulent nature, it should be brought to the attention of senior managers immediately, and that meeting will take place behind closed doors. It is recommended that conferences between the entrance and exit conferences take place away from the eyes of employees. If held in view of employees, they tend to foster unwarranted speculation, and damaging rumors can be fomented. Conferences of this type should be scheduled away from the work area being audited. In the case of reporting potential criminal activities, it is strongly recommended that the persons participating in the conference communicate through out-of-band means. Cellular telephones and other communication methods that do not use the organization's communication networks are the best out-of-band channels. Involve the appropriate levels of staff, including senior managers, the legal unit, the security unit, and risk managers, in all such conferences.

    One point of professional due diligence is to discuss the audit findings with the senior managers of the unit being audited somewhere toward the end of the audit. This gives them a chance to see any "hot grounders" headed their way. Their responses to the auditor's findings are an effective way of determining whether the auditors "hit their marks" with their work. Most senior managers realize their strengths and weaknesses before the audit takes place; often the audit results merely provide them with the motivation to take corrective action.

    An end-of-audit conference provides a formal means for a meeting of the minds and makes the audit's performance, in the eyes of the responding managers, a matter of record. If there are serious differences between the auditor's findings and the managers' responses, it may be that the auditors did not have a sufficient grasp of their material or were not diligent in their efforts. In a worst-case scenario, it could mean the senior managers were out of touch with their business processes. In the former case, it is the responsibility of the audit managers to see that audit team members receive training to bring their skills up to par, or to find ways to motivate them to perform their tasks diligently.

    Meetings whose purpose is to discuss preliminary findings allow senior managers an informal opportunity to discuss the audit findings and recommendations. This is a useful technique in addressing significant findings, and it permits the meeting's participants to determine whether a follow-up audit is going to be needed.

    Usually, follow-up audits are very narrow in scope, focusing entirely on the significant findings of the previous audit. They are much abbreviated, have no opening or closing conferences, and are staffed with only enough auditors to review the findings for compliance.

    Exit Conferences

    The auditors have completed their work, the report is done, and it is time to bring the audit to a close. Often, auditors deliver a performance survey to the managers of the target business unit. Such surveys collect information about the performance of the auditors and of the audit in general. Audit managers commonly use these surveys when completing the auditors' performance appraisals.

    The agenda below is typical of a closing conference:

  • Review audit objectives

  • Review audit steps

  • Briefly review controls adequacy

  • Briefly review controls recommendations

  • Present draft report

  • Field any questions from the attendees

    Summary of Audit Steps
    By way of summary, here are the steps to successfully completing an audit:

  • Predication for audit, routinely scheduled or based on an allegation

  • Form audit team from qualified employees

  • Prepare audit management plan

  • Prepare and deliver preliminary questionnaires

  • Prepare audit program

  • Prepare audit budget

  • Field work

      • Entrance conference

      • Audit field work

      • Audit status conference

      • Prepare draft of report including senior management responses

      • Exit conference

  • Prepare final audit report

  • Complete audit performance survey

  • Schedule follow-up audit, if necessary