Creating your checklist and Summary

One of the most important tools is an up-to-date checklist for your system. Learn how to create a checklist for your system here, and refresh the topics learned in this chapter excerpt with the summary.

By: Craig S. Wright

Service provider takeaway: Regulatory and standards compliance can present several challenges from both a business and a technical perspective. This section of the chapter excerpt from the book The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments will focus on creating an up-to-date checklist for your system.

Download the .pdf of the chapter here.

The most important tool that you can have is an up-to-date checklist for your system. This checklist will help define your scope and the processes that you intend to check and validate. The first step in this process involves identifying a good source of information that can be aligned to your organization's needs. The integration of security checklists and organizational policies with a process of internal accreditation will lead to good security practices and, hence, to effective corporate governance.

The first stage is to identify the objectives associated with the systems that you seek to audit. Once you have identified the objectives, a list of regulations and standards to which the organization needs to adhere may be collated. The secret is not to audit against each standard, but rather to create a series of controls that ensure you have a secure system. By creating a secure system you can virtually guarantee that you will comply with any regulatory framework.

The following sites offer a number of free checklists that are indispensable in the creation of your firewall audit framework.

CIS (Center for Internet Security)

CIS provides a large number of benchmarks, not only for operating systems, but also for network devices and even firewalls. (CIS is mentioned throughout this book.) CIS offers both benchmarks and tools that may be used to validate a system. The site is www.cisecurity.org. Part of the CIS checklist for Check Point firewalls is shown in Figure 11.16.

SANS

The SANS Institute has a wealth of information available that will aid in the creation of a checklist and many documents that detail how to run the various tools. The SANS reading room (www.sans.org/reading_room/) has a number of papers that have been made freely available:

SANS SCORE (Security Consensus Operational Readiness Evaluation) is directly associated with CIS.

NSA, NIST and DISA

The US government, through the National Security Agency (NSA), Defense Information Systems Agency (DISA) and National Institute of Standards and Technology (NIST), has a large number of security configuration guidance papers and benchmarks.

NIST runs the US National Vulnerability Database (see http://nvd.nist.gov/chklst_detail.cfm?config_id=58), which is associated with a number of network and operating system Security Checklists from DISA (http://iase.disa.mil/stigs/checklist). These are covered in more detail in each of the sections for the operating systems. (See the UNIX and Windows chapters for more information.)

Summary

Many people and groups such as Gartner (www.gartner.com) have come out stating that firewalls are dead. The truth is that this is far from reality. It may be true that firewalls are changing, but they are an essential component of security. Though protocols such as RPC over HTTP and peer-to-peer networks eat away at the effectiveness of the firewall, allowing traffic inside the network, it is difficult to think about securing a site without a firewall. It is impossible to meet the compliance requirements of any system without one.

It is better and easier to defend a small subset of network traffic and access through a limited number of choke points than to think about everything at once. This is what firewalls have traditionally done, and they still add to the security of any site. An administrator without a firewall is putting out fires. This is where the validation of a firewall is so important. It is not enough to have one; it must be effective. This means auditing and testing.


The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments
  Introduction
  Working with firewall builder
  System administration
  Packet flow from all networks
  Validated firewalls
  Creating your checklist and Summary

About the book

The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments provides a detailed methodology for several technically based and professional IT audit skills that lead to compliance. Purchase the book from Syngress Publishing.

Printed with permission from Syngress, a division of Elsevier. Copyright 2008. "The IT Regulatory and Standards Compliance Handbook: How to Survive Information Systems Audit and Assessments" by Craig S. Wright. For more information about this title and other similar books, please visit www.elsevierdirect.com.

This was first published in August 2008