The main purpose of this blog is to provide a detailed and clear description of the various controls to be evaluated to ensure that security requirements are met, including logical, physical, personnel and file security.
physical security
It refers to the physical controls you have in place. The most basic are: having means of fire prevention, access controls, etc...
o What are access lists?
Access lists are records that control which people are authorized to access certain areas or physical resources. They should be reviewed regularly to ensure that only authorized personnel maintain access, removing those who no longer require permissions.
o What are considered key areas?
Key areas are critical areas within a facility that require special protection, such as server rooms, confidential files or control centers. This helps prevent unauthorized access and facilitates rapid response to security incidents
o Who are the security personnel or guards?
Security personnel or guards are professionals responsible for physically monitoring the facilities to prevent intrusions, thefts or security incidents.
o What are the physical security measures?
Physical security measures are intended to protect information storage devices, such as servers and media drives, against unauthorized access or physical damage. These measures may include safe rooms, restricted access systems, surveillance cameras and environmental controls such as temperature and fire sensors.
o What is an asset inventory?
An asset inventory is a document that records and details all of an organization's assets, which may be physical or digital, with the aim of assisting in information security management. This inventory makes it possible to identify, assess and manage the risks associated with these assets in order to adequately protect them.
Logical security
It refers to technological controls that you have in place to secure your equipment (computers, etc.) from being accessed by a third party. The most basic ones are: having a password that has more than X characters, that must be changed every so often, that must contain special characters, etc.
o What is logical security?
Logical security is a set of measures aimed at protecting computer systems and digital data against various threats (unauthorized access, misuse, modification or destruction). These measures include the use of firewalls, anti-virus, strong passwords and security education. The main threats they combat are malware, denial of service (DDoS) attacks, and brute force attacks to crack passwords.
o What are access privileges?
Access privileges refer to the rights or permissions granted to users or systems to access specific resources within a network or computer system. These privileges determine what a user or process can do within the system, such as view, modify, delete, or run certain files or applications.
o What are security monitoring tools?
Security monitoring tools are systems that detect and log unusual or suspicious activity on networks, servers, and devices. They include intrusion detection systems (IDS), firewalls, audit logs, and traffic analysis tools. These tools help identify potential security threats and vulnerabilities in real time.
o Procedures to respond to security events and possible intrusions
Procedures for responding to security events and intrusions include protocols for detecting, containing, eradicating, and recovering from threats. These include notification to response teams, isolation of affected systems, analysis of the incident, and restoration of services. Further investigations are also carried out to prevent future incidents.
o Process established to manage and apply security patches
An established process for managing and applying security patches is an organized set of steps and practices that ensure that security updates and fixes provided by software manufacturers to address vulnerabilities, bugs, or security issues in applications, operating systems, or other components of the system, are managed and applied in a systematic, controlled and efficient manner in an organization.
o What are known vulnerabilities?
Known vulnerabilities are flaws or weaknesses in systems or software that can be exploited by attackers. Monitoring is done through security reports and manufacturer updates. To mitigate them, patches, software updates and strengthened security settings are applied.
o Safe practices during software development
Secure code development involves following a set of practices that minimize risks and vulnerabilities. First, it is critical to do input validations to prevent injection attacks. It is also necessary to ensure that the code adequately manages authentications and authorizations, avoiding unauthorized access. The use of encryption of sensitive data is essential to ensure its confidentiality. In addition, secure error handling that does not reveal critical information must be performed. Finally, the code must be regularly audited and tested to identify and correct vulnerabilities before they reach production.
o Security tests and vulnerability analysis
Security testing and vulnerability analysis are assessments that identify security flaws in internally developed applications. These tests include vulnerability scans, penetration tests, and code reviews for bugs. The goal is to patch weaknesses before they can be exploited by attackers.
o Post-incident monitoring
Post-incident monitoring and analysis is key to improving security measures and responding to future incidents. It allows you to identify the root cause of the problem, ensuring that specific actions are taken to prevent it from happening again. It also helps to understand the real impact of incidents, providing valuable lessons for the entire organization. In addition, this process contributes to reducing the time of detection, diagnosis and mitigation, improving the overall effectiveness against potential threats.
Staff safety
It refers to personnel-related controls. For example, termination procedures, training, etc.
o Procedure for reporting the loss or theft of devices that may contain confidential information
A lost or stolen notification procedure is a defined set of steps that must be followed when a device with sensitive information is discovered to have been lost or stolen. The aim is to minimize the risks associated with information loss and ensure a quick and effective response.
o Access permissions
Access permissions are the rights granted to employees to access certain areas, systems or information within an organization. This helps prevent unauthorized access and maintain information security.
o Final employment process
The end-of-employment process for revoking access and privileges is a set of steps that apply when an employee leaves the organization. It includes the immediate revocation of all access permissions to systems, areas and sensitive information, as well as the return of any equipment and credentials.
o Security responsibilities when leaving the organization
Security responsibilities when leaving the organization include ensuring that workers understand their obligations even after their employment has ended, helping to protect the organization against potential security risks.
File security
Refers to file related controls. For example, access controls, security processes.
o Are there clear policies on the handling of confidential files?
Confidential file handling policies are guidelines that set out how sensitive information should be managed, stored, shared and destroyed. The objective is to protect information against unauthorized access and ensure compliance with privacy regulations.
o Recovery tests to ensure that files can be restored effectively
Recovery tests are simulations or tests that are performed to verify that files and systems can be effectively restored after an incident, such as a data loss or system failure. These tests involve restoring data from backups and making sure they are working properly.
o Are there clearly defined authorization levels to limit access according to roles and responsibilities?
Authorization levels are classifications that determine who can access information or resources based on roles and responsibilities within the organization. These levels ensure that only authorized personnel can access sensitive data, minimizing the risk of exposure or inappropriate use.
Consult the audit questionnaire of the subscribing entities.
You might be interested in:
- Why an audit?
- Audit: requirements for document and archive management
- Audit: operational requirements
For any query you can contact the audit support email.