vpn review

Upload: adiltsa

Post on 30-May-2018


  • 8/14/2019 VPN Review

    1/8

    The specialised nature of information systems (IS) auditing and the skills necessary to perform such audits require standards that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally applicable standards to meet its vision. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA professional contribution to the audit community. The framework for the IS Auditing Standards provides multiple levels of guidance.

    Standards define mandatory requirements for IS auditing and reporting. They inform:
    - IS auditors of the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors
    - Management and other interested parties of the profession's expectations concerning the work of practitioners
    - Holders of the Certified Information Systems Auditor (CISA) designation of requirements

    Failure to comply with these standards may result in an investigation into the CISA holder's conduct by the ISACA Board of Directors or appropriate ISACA committee and, ultimately, in disciplinary action.

    Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve implementation of the standards, use professional judgment in their application and be prepared to justify any departure. The objective of the IS Auditing Guidelines is to provide further information on how to comply with the IS Auditing Standards.

    Procedures provide examples of procedures an IS auditor might follow in an audit engagement. The procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements. The objective of the IS Auditing Procedures is to provide further information on how to comply with the IS Auditing Standards.

    COBIT resources should be used as a source of best practice guidance. Each of the following is organised by IT management process, as defined in the COBIT Framework. COBIT is intended for use by business and IT management as well as IS auditors; therefore, its usage enables the understanding of business objectives, and communication of best practices and recommendations, to be made around a commonly understood and well-respected standard reference. COBIT includes:
    - Control Objectives: High-level and detailed generic statements of minimum good control
    - Control Practices: Practical rationales and guidance on how to implement the control objectives
    - Audit Guidelines: Guidance for each control area on how to obtain an understanding, evaluate each control, assess compliance, and substantiate the risk of controls not being met
    - Management Guidelines: Guidance on how to assess and improve IT process performance, using maturity models, metrics and critical success factors

    A glossary of terms can be found on the ISACA web site at www.isaca.org/glossary. The words audit and review are used interchangeably.

    Disclaimer: ISACA has designed this guidance as the minimum level of acceptable performance required to meet the professional responsibilities set out in the ISACA Code of Professional Ethics for IS auditors. ISACA makes no claim that use of this product will assure a successful outcome. The publication should not be considered inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific procedure or test, the controls professional should apply his/her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

    The ISACA Standards Board is committed to wide consultation in the preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic under consideration for consultation where necessary. The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to identify emerging issues requiring new standards. Any suggestions should be e-mailed ([email protected]), faxed (+1.847.253.1443) or mailed (address at the end of document) to ISACA International Headquarters, for the attention of the director of research standards and academic relations.

    This material was issued on 1 April 2004.

    Information Systems Audit and Control Association 2003-2004 Standards Board
    Chair: Claudio Cilli, Ph.D., CISA, CISM, CIA, CISSP, Value Partners, Italy
    Svein Aldal, Scandinavian Business Security AS, Norway
    John W. Beveridge, CISA, CFE, CGFM, CQA, Commonwealth of Massachusetts, USA
    Sergio Fleginsky, CISA, PricewaterhouseCoopers, Uruguay
    Christina Ledesma, CISA, CISM, Citibank NA Sucursal, Uruguay
    Andrew MacLeod, CISA, FCPA, MACS, PCP, CIA, Brisbane City Council, Australia
    Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, NextLinx India Private Ltd., India
    Peter Niblett, CISA, CA, CIA, FCPA, WHK Day Neilson, Australia
    John G. Ott, CISA, CPA, Aetna Inc., USA

    IS AUDITING GUIDELINE
    REVIEW OF VIRTUAL PRIVATE NETWORKS

    DOCUMENT G25


    Page 2 Review of Virtual Private Networks Guideline

    1. BACKGROUND

    1.1 Linkage to Standards
    1.1.1 Standard S6 Performance of Audit Work states, "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

    1.1.2 Guideline G16 Effect of Third Parties on an Organisation's IT Controls provides guidance.
    1.1.3 Guideline G17 Effect of Nonaudit Roles on the IS Auditor's Independence provides guidance.

    1.2 Linkage to COBIT
    1.2.1 COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility, as well as to achieve its expectations, management must establish an adequate system of internal control."
    1.2.2 COBIT Management Guidelines provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:
    - Performance measurement: How well is the IT function supporting business requirements?
    - IT control profiling: What IT processes are important? What are the critical success factors for control?
    - Awareness: What are the risks of not achieving the objectives?
    - Benchmarking: What do others do? How can results be measured and compared?

    1.2.3 Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and identify control gaps and strategies for improvement.

    1.2.4 Management Guidelines can be used to support self-assessment workshops and can also be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.
    1.2.5 COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT's information criteria.

    1.2.6 The COBIT references located in the appendix of this document offer the specific objectives or processes of COBIT to consider when reviewing the area addressed by this guidance.

    1.3 Need for Guideline
    1.3.1 The purpose of this guideline is to describe the recommended practices in carrying out the review of virtual private network (VPN) implementations so that the relevant IS Auditing Standards are complied with during the course of the review.

    2. VIRTUAL PRIVATE NETWORK (VPN)

    2.1 Definition
    2.1.1 Virtual Private Networking: New Issues for Network Security, published by the IT Governance Institute, defines VPN as a "network of virtual circuits that carries private traffic through public or shared networks such as the Internet or those provided by network service providers (NSPs)." For the purpose of this guideline, this definition of VPN is used.

    2.1.2 In the context of VPN, the terms tunnel and tunneling are often used. The process of encapsulating one type of packet in another packet type so the data can be transferred across paths that otherwise would not transmit the data is called tunneling. The paths the encapsulated packets follow in an Internet VPN are called tunnels.
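The encapsulation described in 2.1.2, worked through as an added example (not code from the ISACA guideline): a packet between two private hosts is wrapped in an outer IP-in-IP packet between two tunnel end points, then unwrapped, and a passive observer on the shared path is shown to read the inner addresses and data unless the outer protocol is an encrypting one such as IPsec ESP, which is the "unencrypted over a given network path" risk of section 3.2. All addresses and the application payload are constructed sample values.

```python
"""IP-in-IP tunnelling walk-through (RFC 2003 style encapsulation).
Constructed demo: encapsulation moves a packet across a path that would not
carry it natively, but on its own it is not encryption.
"""
import struct

IPPROTO_IPIP = 4    # IANA protocol number: IP-in-IP encapsulation
IPPROTO_TCP = 6
IPPROTO_ESP = 50    # IPsec Encapsulating Security Payload: encrypts the payload
IPPROTO_AH = 51     # IPsec Authentication Header: integrity only, no confidentiality

# Outer protocols that keep the encapsulated packet confidential on the path.
CONFIDENTIALITY_PROTOCOLS = {IPPROTO_ESP}


def checksum(data: bytes) -> int:
    """Ones'-complement Internet checksum (RFC 1071) over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload, with a valid checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ip_to_bytes(src), ip_to_bytes(dst))
    header = header[:10] + struct.pack("!H", checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes):
    """Parse an IPv4 packet into (header fields, payload); rejects damaged headers."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    fields = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    total_len, ttl, proto, src, dst = fields[2], fields[5], fields[6], fields[8], fields[9]
    header = {"src": bytes_to_ip(src), "dst": bytes_to_ip(dst), "proto": proto, "ttl": ttl}
    return header, packet[ihl:total_len]


def encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Tunnel entry point: the whole inner IP packet becomes the outer payload."""
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner_packet)


def decapsulate(outer_packet: bytes) -> bytes:
    """Tunnel exit point: strip the outer header and return the inner packet."""
    outer, payload = parse_ipv4(outer_packet)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    return payload


def observed_on_path(outer_packet: bytes) -> dict:
    """What a passive observer between the two tunnel end points can recover.
    IP-in-IP exposes the inner addresses, protocol and application data;
    an encrypting outer protocol (ESP) exposes only the tunnel end points.
    """
    outer, payload = parse_ipv4(outer_packet)
    result = {"tunnel": (outer["src"], outer["dst"]), "inner": None}
    if outer["proto"] in CONFIDENTIALITY_PROTOCOLS:
        return result
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("unsupported outer protocol %d" % outer["proto"])
    inner, app_data = parse_ipv4(payload)
    result["inner"] = (inner["src"], inner["dst"], inner["proto"], app_data)
    return result


if __name__ == "__main__":
    # Constructed sample: private hosts at two sites, tunnel over RFC 5737 documentation addresses.
    inner = build_ipv4("10.1.1.5", "10.2.2.9", IPPROTO_TCP, b"constructed application data")
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.7")
    print(observed_on_path(outer))
    assert decapsulate(outer) == inner
```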

    2.2 VPN Models
    2.2.1 There are three common VPN models for deployment. The major differences among the models are in the location of their service end points or tunnel end points, the level of management required, quality of service, and the reliance on direct service provider involvement. The three most common models are:
    - Pure provider model
    - Hybrid provider model
    - End-to-end model

    2.2.2 In the pure provider model, most of the VPN functionality is built into the service provider infrastructure and not in the network of the organisation. This model is often deployed over one service provider's network. There is a clear line of distinction between the organisation's network and the service provider's network. Remote access to the organisation's network is typically provided by a dedicated circuit (such as T1, T3), ATM connections or dedicated frame relay connections. The customer owns and operates the remote access VPN-related equipment and software in the network, while equipment and software inside the service provider's network, from the physical circuit out, is owned and operated by the service provider. The service provider initiates VPN tunnels from edge-to-edge of the network and relies on the private circuits on either end for security. In this model, the provider has a high level of control over the network and is responsible for capacity planning, design, configuration, diagnostics and troubleshooting.


    2.5.5 Hardware and software VPNs are stand-alone devices designed to implement VPN technology algorithms. A VPN device is ordinarily behind the firewall on the internal network. Data packets flow through the firewall and the VPN device. As the packets pass through these devices, they can be encrypted. Generally in software encryption models like the SSL protocol, the special devices (authentication) are not required and the packet flow is encrypted by the software.

    2.5.6 VPN technologies and protocols include:
    - PPTP (point to point tunneling protocol)
    - L2TP (layer 2 tunneling protocol)
    - IPSec (Internet protocol security)
    - SSL (secure socket layer)

    3. RISKS ASSOCIATED WITH VPNs

    3.1 Types of Risks
    3.1.1 Since VPN is a communication infrastructure for the business that uses third-party services, the risks associated with it could be categorised as:
    - Security risk
    - Third-party risk
    - Business risk
    - Implementation risk
    - Operating risk

    3.2 Security and Legal Risk
    3.2.1 The security risks relating to VPNs include:
    - Inadequate assessment of security and legal risks arising out of using VPNs
    - Insufficient security programs to mitigate risks to information assets arising out of VPNs
    - Inadequate protection of data while they are at the point before entering the VPN, or once they arrive at the point on leaving the VPN
    - Failure to secure information while unencrypted over a given network path (internal networks before encryption device or external networks after decryption device)
    - Lack of implementation that could result in confidentiality, integrity, nonrepudiation and/or availability issues.

    3.3 Third-party Risk
    3.3.1 The reliance on third-party service providers could result in risks such as:
    - Choice of an inappropriate provider
    - Inadequate relationship management
    - Inadequacies in service level agreements (SLA) and metrics
    - Inappropriate governance and management process
    - Inadequate measuring and monitoring of SLAs and metrics
    - Inadequate backup/redundancy strategy
    - Insufficient benchmarking of the relationship and services
    - Abuse of access to data on the VPN

    3.4 Business Risk
    3.4.1 Risks such as the following could lead to nonfulfillment of the management or business expectations:
    - Inadequate alignment to business strategy
    - Inadequate cost savings
    - Failure to achieve security requirements
    - Insufficient ease of use
    - Failure to address scope and span of user needs
    - Loss/degradation of service in other areas of the organisation or process

    3.5 Implementation Risk
    3.5.1 Risks such as the following could lead to the implementation of an ineffective and inefficient solution:
    - Inadequate attention to and investment in up-front design
    - Inappropriate selection of the VPN model for the organisation
    - Inadequate use of third parties where appropriate
    - Insufficient attention to security in design
    - Inappropriate recovery processes
    - Failure to design service level expectations and measurements
    - Inappropriate integration strategy
    - Ineffective change, project or implementation management processes
    - VPN client risk (the same interface accepts Internet and VPN traffic)

    3.6 Operating Risk
    3.6.1 Risks such as the following result in ineffective and inefficient utilisation/operation of the VPN:
    - Inadequate resources to operate effectively
    - Lack of reliability
    - Impairment of quality of service
    - Lack of interoperability
    - Failure to encapsulate
    - Inadequate capacity
    - Failure to provide redundancy or back up
    - Use of personal devices (home computing) for business purpose (lack of security configurations, antivirus software, personal firewalls)
    - Lack of confidentiality on operation parameters or data

    4. CHARTER

    4.1 Mandate
    4.1.1 Before commencing a review of a VPN, the IS auditor should provide reasonable assurance of the requisite mandate by virtue of the IS auditor's position or the required written mandate provided by the organisation, to carry out the envisaged review. In case the review is initiated by the organisation, the IS auditor also should obtain reasonable assurance that the organisation has the appropriate authority to commission the review.

    5. INDEPENDENCE

    5.1 Professional Objectivity
    5.1.1 Before accepting the assignment, the IS auditor should provide reasonable assurance that the IS auditor's interests, if any, in the VPN solution being reviewed would not in any manner impair the objectivity of the review. In the event of any possible conflict of interests, the same should be communicated explicitly to the organisation, and a written statement of the organisation's awareness of the conflict should be obtained before accepting the assignment.
    5.1.2 In case the IS auditor has/had any nonaudit roles in the VPN being reviewed, the IS auditor should consider guideline G17 Effect of Nonaudit Roles on the IS Auditor's Independence.

    6. COMPETENCE

    6.1 Skills and Knowledge
    6.1.1 The IS auditor should provide reasonable assurance of the necessary technical knowledge to review the VPN. A clear understanding of the business requirements and the technical aspects of the VPN is necessary while reviewing the VPN implementation in an organisation.
    6.1.2 The IS auditor also should provide reasonable assurance of access to the relevant technical skill and knowledge to carry out the review of the VPN. Review of a VPN would call for good technical knowledge to evaluate aspects such as the encryption technologies used, network security architecture and security technologies. The IS auditor should have adequate knowledge to review these aspects. Where expert inputs are necessary, appropriate inputs should be obtained from external professional resources. The fact that external expert resources would be used should be communicated to the organisation in writing.

    7. PLANNING

    7.1 High-level Risk Assessment
    7.1.1 The IS auditor should gather information regarding the business and its requirements for the VPN to carry out a high-level risk assessment.
    7.1.2 The VPN-related risks referred to in section three should be considered depending on the stage at which the review is being carried out, such as during design (pre-implementation), implementation or post-implementation.
    7.1.3 The relevant COBIT information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance and reliability) that need to be reviewed and confirmed should also be identified.
    7.1.4 The relevant aspects of Control Objectives for Net Centric Technology (CONCT) should also be considered in this context, since these are extensions of COBIT criteria to network-centric environments such as those supported by VPNs.
    7.1.5 This high-level risk assessment will help determine the scope and coverage of the review.

    7.2 Scope and Objectives of the Review

    7.2.1 The IS auditor, in consultation with the organisation where appropriate, should clearly define the scope and objective of the review of the VPN. The aspects to be covered by the review should be explicitly stated as part of the scope. The high-level risk assessment referred to in section 7.1.1 would dictate which aspects need to be reviewed and the extent and depth of the review.
    7.2.2 For the purpose of the review, the stakeholders in the solution also should be identified and agreed upon with the organisation.
    7.2.3 Any key concerns of the stakeholders should also be included, as appropriate, in the scope and objectives of the review.
    7.2.4 In case the review scope includes third-party providers, the IS auditor must ensure that the audit clause was included in the contract.

    7.3 Approach
    7.3.1 The IS auditor should formulate the approach in such a way that the scope and objectives of the review could be fulfilled in an objective and professional manner. The approach followed should depend on whether the review is pre-implementation, at the implementation stage or post-implementation. The approach should be appropriately documented. When and where external expert inputs would be used also should be specified as part of the approach. Any planned use of testing/monitoring tools should also be stated as part of the approach.

    7.4 Sign-off for the Plan
    7.4.1 Depending on the organisational practices, the IS auditor may obtain the concurrence of the organisation for the plan and approach.

    8. PERFORMANCE OF THE VPN REVIEW

    8.1 General
    8.1.1 This section addresses the wide spectrum of aspects to be addressed during the execution of a VPN review. For a specific VPN review, aspects relevant to the review should be identified from this wide spectrum of aspects depending on the envisaged scope and objectives of the review.
    8.1.2 The VPN review should be carried out per the defined approach (with refinements as appropriate), so the envisaged objectives of the review are fulfilled.
    8.1.3 In general, study of available documentation (such as business case, system documentation, contracts, service level agreements and logs), discussions with the stakeholders and service providers, and observation should be used appropriately in gathering, analysing and interpreting the data. Where appropriate, the IS auditor should test the significant processes/functions in the VPN environment to verify that the processes/functions are performing as intended.
    8.1.4 Where necessary and agreed upon with the organisation, external expert inputs could be used suitably in the collection, analysis and interpretation of the data.
    8.1.5 The inferences and recommendations should be based on an objective analysis and interpretation of the data.
    8.1.6 Appropriate audit trails should be maintained for the data gathered, analysis made, inferences arrived at and corrective actions recommended.

    8.2 Pre-implementation Review
    8.2.1 The pre-implementation review, carried out before the VPN solution is implemented (during design stage), should address the appropriateness of the:
    - Requirements for a VPN solution
    - Cost-benefits of the proposed solution
    - Proposed VPN technology, such as VPN model, VPN architecture, VPN configuration/topology and VPN usage
    - Proposed security architecture and features, including the proposed encryption technologies
    - Redundancy and backup facilities planned
    - Management approvals
    - Proposed project management structures and monitoring mechanisms
    - Selection process for the choice of the service provider
    - Proposed contract, SLAs and metrics
    - Statutory requirements, if any, that need to be fulfilled

    8.2.2 To address these aspects, the IS auditor should:
    - Study the VPN requirements, business as well as technical
    - Study the business case (costs and benefits) and the approvals for the same
    - Review the VPN design document outlining the technology aspects
    - Review whether the proposed solution would conform to one of PPTP, L2TP and IPSec protocols
    - Review the proposed security architecture and encryption technology
    - Review the tender process, including the technical and commercial evaluation of the alternate proposals and the ultimate choice of the service provider
    - Study the proposed project management structure
    - Study the proposed contracts, SLA and metrics
    - Study the statutory requirements to be fulfilled
    - Evaluate the redundancy and backups proposed
    - Review the strategy proposed for integrating the VPN with the applications
    - Use external experts, where necessary, to evaluate the appropriateness of the technology and security aspects
    - Study the proposed training plans
    - Study any related audit/review reports
    - Evaluate the results of the above with reference to their appropriateness as well as their adequacy to mitigate the risks (security risk, third-party risk, business risk, implementation risk and operating risk)
    - Evaluate how COBIT and CONCT criteria are being fulfilled
    - Highlight the risks and issues arising out of the review for necessary corrective action

    8.3 Implementation Review
    8.3.1 The implementation review happens during the implementation, and accordingly, it should address whether the:
    - Implementation is progressing per the approved plans and within agreed time frames and costs
    - VPN technology (VPN model, VPN architecture, VPN configuration/topology and VPN usage) is implemented as intended
    - Security scheme and the encryption technologies used are robust and are as designed
    - Planned redundancy and backup facilities are implemented
    - Actual contracts, SLAs and metrics address the organisation's requirements
    - Statutory requirements, if any, are addressed

    8.3.2 To address the above referred aspects, the IS auditor should:
    - Study the project progress reports and minutes of meetings
    - Evaluate the actual implementation of the technologies against the plans and identify the deviations, if any
    - Confirm whether the solution is certified to conform to one of PPTP, L2TP and IPSec protocols
    - Evaluate the actual security architecture and encryption technology implemented for conformance with the approved design
    - Study the actual contracts, SLA and metrics that were agreed upon
    - Evaluate the redundancy and backups established
    - Review the actual integration of the VPN with the applications
    - Use external experts, where necessary, to evaluate the appropriateness of the technology and security aspects actually implemented
    - Evaluate the adequacy of the testing and migration processes to assess whether they address all kinds of users and cover such things as capacity, bandwidth, access control and encryption in an appropriate manner
    - Evaluate the billing mechanisms being built
    - Assess whether the legacy connections are being retired, their billings discontinued and equipment disposed of progressively with the implementation of the VPN
    - Study the earlier pre-implementation audit report, if any, and any other related review reports to assess whether the risk mitigation actions recommended earlier are being implemented
    - Evaluate the results of the above with reference to their appropriateness as well as their adequacy to mitigate the risks (security risk, third-party risk, business risk, implementation risk and operating risk)
    - Evaluate how COBIT and CONCT criteria are fulfilled
    - Highlight the risks and issues arising out of the review for necessary corrective action

    8.4 Post-implementation Review

    8.4.1 The post-implementation review occurs after the implementation of the VPN, and hence, it should address whether the:
    - Envisaged benefits are being achieved
    - One-time costs are as planned and reasonable
    - Ongoing billings are reasonable and as agreed
    - VPN technology is being used as intended
    - VPN and its usage are in conformance with the security policies and procedures including data classification
    - Third parties accessing the VPN via extranets have signed the relevant security and confidentiality agreements and are complying with the same
    - Users accessing through remote connection and using laptops use necessary security features including personal firewalls, where appropriate
    - There are appropriate processes for the management of digital certificates
    - SLAs and metrics, including quality of service (QoS), are measured, monitored and escalated on a regular basis for timely actions
    - Data are sufficiently protected at entry and exit points as well as over unencrypted links using appropriate procedures
    - Appropriate security tools and processes are in place for such things as virus checking and intrusion detection
    - Services and costs are comparable and competitive
    - Redundancy and backup facilities are functioning appropriately
    - Statutory requirements, if any, are addressed

    8.4.2 To address the above referred aspects, the IS auditor should:
    - Study the project completion report
    - Review the VPN technology in actual use for its conformance with the approved design
    - Confirm whether the solution is certified to conform to one of PPTP, L2TP and IPSec protocols
    - Review the ongoing billings on a sample basis
    - Carry out sample checking of compliance with security policies and procedures
    - Check third-party access as well as the agreements signed by third parties regarding extranet access
    - Check the remote and laptop access processes as well as the laptops for appropriate security settings
    - Review the actual SLAs and metrics including QoS and the actual process of monitoring them
    - Check the security implementation across the network
    - Test the backup and redundant facilities
    - Carry out periodic benchmarking to provide reasonable assurance of continued reasonableness of charges and quality of services
    - Use external experts, where necessary, to evaluate the appropriateness of the technology and security aspects in place
    - Use appropriate tools to test relevant aspects of the VPN solution
    - Review the help desk process supporting the VPN
    - Evaluate the results of the above with reference to their appropriateness as well as their adequacy to mitigate the risks (security risk, third-party risk, business risk, implementation risk and operating risk)
    - Evaluate how COBIT and CONCT criteria are fulfilled
    - Highlight the risks and issues arising out of the review for necessary corrective action

    9. REPORTING

    9.1 Report Content
    9.1.1 The report on the VPN review should address the following aspects depending on the scope of its coverage:
    - The scope, objective, methodology followed and assumptions
    - Overall assessment of the solution in terms of key strengths and weaknesses as well as the likely effects of the weaknesses
    - Recommendations to overcome the significant weaknesses and improve the solution
    - The extent of compliance with COBIT's information criteria and CONCT criteria, and the effect of any noncompliance
    - Recommendations regarding how the experience could be used to improve similar future solutions or initiatives

    9.1.2 The observations and recommendations should be validated with the stakeholders and organisation, as appropriate, before finalising the report.

    10. FOLLOW-UP

    10.1 Tracking Actions Agreed
    10.1.1 The actions agreed at the end of the VPN review should be assigned due dates and tracked for completion. Outstanding issues should be escalated to appropriate management for necessary action.

    11. EFFECTIVE DATE
    11.1 This guideline is effective for all information systems audits beginning on or after 1 July 2004. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.

    APPENDIX

    COBIT Reference
    Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.

    In a VPN, a communication infrastructure, the following aspects are more relevant:
    - PO1 Define a Strategic IT Plan
    - PO3 Determine Technological Direction
    - PO5 Manage the IT Investment
    - PO8 Ensure Compliance With External Requirements
    - PO9 Assess Risks
    - PO10 Manage Projects
    - AI3 Acquire and Maintain Technology Infrastructure
    - AI4 Develop and Maintain Procedures
    - AI5 Install and Accredit Systems
    - AI6 Manage Changes
    - DS1 Define and Manage Service Levels
    - DS2 Manage Third-party Services
    - DS3 Manage Performance and Capacity
    - DS4 Ensure Continuous Service
    - DS5 Ensure Systems Security
    - DS9 Manage the Configuration
    - DS12 Manage Facilities
    - DS13 Manage Operations
    - M1 Monitor the Processes

    The information criteria most relevant to a VPN review are:
    - Primary: availability, confidentiality, effectiveness and integrity
    - Secondary: efficiency, compliance and reliability

    References
    Virtual Private Networking: New Issues for Network Security, IT Governance Institute, USA, 2001
    Control Objectives for Netcentric Technology (CONCT), IT Governance Institute, USA, 1999

    Copyright 2004
    Information Systems Audit and Control Association
    3701 Algonquin Road, Suite 1010
    Rolling Meadows, IL 60008 USA
    Telephone: +1.847.253.1545
    Fax: +1.847.253.1443
    E-mail: [email protected]
    Web site: www.isaca.org