
8. PERFORMANCE OF THE VPN REVIEW

8.1 General

8.1.1 This section addresses the wide spectrum of aspects to be addressed during the execution of a VPN review. For a specific VPN review, aspects relevant to the review should be identified from this wide spectrum of aspects depending on the envisaged scope and objectives of the review.

8.1.2 The VPN review should be carried out as per the defined approach (with refinements as appropriate), so the envisaged objectives of the review are fulfilled.

8.1.3 In general, study of available documentation (such as, business case, system documentation, contracts, service level agreements and logs), discussions with the stakeholders and service providers, and observation should be used appropriately in gathering, analysing and interpreting the data. Where appropriate, the IS auditor should test the significant processes/functions in the VPN environment to verify that the processes/functions are performing as intended.

8.1.4 Where necessary and agreed upon with the organisation, external expert inputs could be used suitably in the collection, analysis and interpretation of the data.

8.1.5 The inferences and recommendations should be based on an objective analysis and interpretation of the data.

8.1.6 Appropriate audit trails should be maintained for the data gathered, analysis made, inferences arrived at and corrective actions recommended.

G25 Review of Virtual Private Networks cont.

8.2 Pre-implementation Review

8.2.1 The pre-implementation review, carried out before the VPN solution is implemented (during design stage), should address the appropriateness of the:

Requirements for a VPN solution

Cost-benefits of the proposed solution

Proposed VPN technology, such as VPN model, VPN architecture, VPN configuration/topology and VPN usage

Proposed security architecture and features, including the proposed encryption technologies

Redundancy and backup facilities planned

Management approvals

Proposed project management structures and monitoring mechanisms

Selection process for the choice of the service provider

Proposed contract, SLAs and metrics

Statutory requirements, if any, that need to be fulfilled

8.2.2 To address these aspects the IS auditor should:

Study the VPN requirements—business as well as technical

Study the business case (costs and benefits) and the approvals for the same

Review the VPN design document outlining the technology aspects

Review whether the proposed solution would conform to one of the PPTP, L2TP or IPSec protocols

Review the proposed security architecture and encryption technology

Review the tender process, including the technical and commercial evaluation of the alternate proposals and the ultimate choice of the service provider

Study the proposed project management structure

Study the proposed contracts, SLA and metrics

Study the statutory requirements to be fulfilled

Evaluate the redundancy and backups proposed

Review the strategy proposed for integrating the VPN with the applications

Use external experts, where necessary, to evaluate the appropriateness of the technology and security aspects

Study the proposed training plans

Study any related audit/review reports

Evaluate the results of the above with reference to their appropriateness as well as their adequacy to mitigate the risks—security risk, third-party risk, business risk, implementation risk and operating risk

Evaluate how COBIT and CONCT criteria are being fulfilled

Highlight the risks and issues arising out of the review for necessary corrective action

8.3 Implementation Review

8.3.1 The implementation review happens during the implementation, and accordingly, it should address whether the:

Implementation is progressing per the approved plans and within agreed time frames and costs

VPN technology—VPN model, VPN architecture, VPN configuration/topology and VPN usage—is implemented as intended

Security scheme and the encryption technologies used are robust and are as designed

Planned redundancy and backup facilities are implemented

Actual contracts, SLAs and metrics address the organisation’s requirements

Statutory requirements, if any, are addressed

8.3.2 To address the above referred aspects the IS auditor should:

Study the project progress reports and minutes of meetings

Evaluate the actual implementation of the technologies against the plans and identify the deviations, if any

Confirm whether the solution is certified to conform to one of the PPTP, L2TP or IPSec protocols

Evaluate the actual security architecture and encryption technology implemented for conformance with the approved design

Study the actual contracts, SLA and metrics that were agreed upon

Evaluate the redundancy and backups established

Review the actual integration of the VPN with the applications

Use external experts, where necessary, to evaluate the appropriateness of the technology and security aspects actually implemented

Evaluate the adequacy of the testing and migration processes to assess whether they address all kinds of users and cover such things as capacity, bandwidth, access control and encryption in an appropriate manner

Evaluate the billing mechanisms being built

Assess whether the legacy connections are being retired, their billings discontinued and equipment disposed of progressively as the VPN is implemented

Study the earlier pre-implementation audit report, if any, and any other related review reports to assess whether the risk mitigation actions recommended earlier are being implemented

Evaluate the results of the above with reference to their appropriateness as well as their adequacy to mitigate the risks—security risk, third-party risk, business risk, implementation risk and operating risk

Evaluate how COBIT and CONCT criteria are fulfilled

Highlight the risks and issues arising out of the review for necessary corrective action

8.4 Post-implementation Review

8.4.1 The post-implementation review occurs after the implementation of the VPN, and hence, it should address whether the:

Envisaged benefits are being achieved

One-time costs are as planned and reasonable

Ongoing billings are reasonable and as agreed

VPN technology is being used as intended

VPN and its usage are in conformance with the security policies and procedures including data classification

Third parties accessing the VPN via extranets have signed the relevant security and confidentiality agreements and are complying with the same

Users accessing through remote connections and using laptops use the necessary security features, including personal firewalls, where appropriate

Appropriate processes exist for the management of digital certificates

SLAs and metrics, including quality of service (QoS), are measured, monitored and escalated on a regular basis for timely action

Data are sufficiently protected at entry and exit points as well as over unencrypted links using appropriate procedures

Appropriate security tools and processes are in place for such things as virus checking and intrusion detection

Services and costs are comparable and competitive

Redundancy and backup facilities are functioning appropriately

Statutory requirements, if any, are addressed

8.4.2 To address the above referred aspects the IS auditor should:

Study the project completion report

Review the VPN technology in actual use for its conformance with the approved design

Confirm whether the solution is certified to conform to one of the PPTP, L2TP or IPSec protocols

Review the ongoing billings on a sample basis

Carry out sample checking of compliance with security policies and procedures

Check the third-party access as well as the agreements signed by third parties regarding extranet access

Check the remote and laptop access processes as well as the laptops themselves for appropriate security settings

Review the actual SLAs and metrics including QoS and the actual process of monitoring them

Check the security implementation across the network

Test the backup and redundant facilities

Carry out periodic benchmarking to provide reasonable assurance of continued reasonableness of charges and quality of services


Use external experts, where necessary, to evaluate the appropriateness of the technology and security aspects in place

Use appropriate tools to test relevant aspects of the VPN solution

Review the help desk process supporting the VPN

Evaluate the results of the above with reference to their appropriateness as well as their adequacy to mitigate risks—security risk, third-party risk, business risk, implementation risk and operating risk

Evaluate how COBIT and CONCT criteria are fulfilled

Highlight the risks and issues arising out of the review for necessary corrective action

9. REPORTING

9.1 Report Content

9.1.1 The report on the VPN review should address the following aspects depending on the scope of its coverage:

The scope, objective, methodology followed and assumptions

Overall assessment of the solution in terms of key strengths and weaknesses as well as the likely effects of the weaknesses

Recommendations to overcome the significant weaknesses and improve the solution

The extent of compliance with COBIT’s information criteria and CONCT criteria, and the effect of any noncompliance

Recommendations regarding how the experience could be used to improve similar future solutions or initiatives

9.1.2 The observations and recommendations should be validated with the stakeholders and organisation, as appropriate, before finalising the report.

10. FOLLOW-UP

10.1 Tracking Actions Agreed

10.1.1 The actions agreed at the end of the VPN review should be assigned due dates and tracked for completion. Outstanding issues should be escalated to appropriate management for necessary action.

11. EFFECTIVE DATE

11.1 This guideline is effective for all information systems audits beginning on or after 1 July 2004. A full glossary of terms can be found on the ISACA web site at www.isaca.org/glossary.

APPENDIX COBIT Reference

Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT information criteria.

For a VPN, which is a communication infrastructure, the following COBIT processes are the most relevant:

PO1—Define a Strategic IT Plan

PO3—Determine Technological Direction

PO5—Manage The IT Investment

PO8—Ensure Compliance With External Requirements

PO9—Assess Risks

PO10—Manage Projects

AI3—Acquire and Maintain Technology Infrastructure

AI4—Develop and Maintain Procedures

AI5—Install and Accredit Systems

AI6—Manage Changes

DS1—Define and Manage Service Levels

DS2—Manage Third-party Services

DS3—Manage Performance and Capacity

DS4—Ensure Continuous Service

DS5—Ensure Systems Security

DS9—Manage the Configuration

DS12—Manage Facilities

DS13—Manage Operations

M1—Monitor the Processes

The information criteria most relevant to a VPN review are:

Primary: availability, confidentiality, effectiveness and integrity

Secondary: efficiency, compliance and reliability

References

Virtual Private Networking—New Issues for Network Security, IT Governance Institute, USA, 2001

Control Objectives for Netcentric Technology (CONCT), IT Governance Institute, USA, 1999

G26 Business Process Reengineering (BPR) Project Reviews

1. BACKGROUND

1.1 Linkage to Standards

1.1.1 Standard S6 Performance of Audit Work states, "During the course of the audit, the IS auditor should obtain sufficient, reliable and relevant evidence to achieve the audit objectives. The audit findings and conclusions are to be supported by appropriate analysis and interpretation of this evidence."

1.1.2 Guideline G17 Effect of Nonaudit Role on the IS Auditor’s Independence provides guidance.

1.1.3 Guideline G21 ERP Systems Review provides guidance.

1.2 Linkage to COBIT

1.2.1 COBIT Framework states, "It is management's responsibility to safeguard all the assets of the enterprise. To discharge this responsibility, as well as to achieve its expectations, management must establish an adequate system of internal control."

1.2.2 COBIT Management Guidelines provides a management-oriented framework for continuous and proactive control self-assessment specifically focused on:

Performance measurement—How well is the IT function supporting business requirements?

IT control profiling—What IT processes are important? What are the critical success factors for control?

Awareness—What are the risks of not achieving the objectives?

Benchmarking—What do others do? How can results be measured and compared?

1.2.3 Management Guidelines provides example metrics enabling assessment of IT performance in business terms. The key goal indicators identify and measure outcomes of IT processes, and the key performance indicators assess how well the processes are performing by measuring the enablers of the process. Maturity models and maturity attributes provide for capability assessments and benchmarking, helping management to measure control capability and to identify control gaps and strategies for improvement.

1.2.4 Management Guidelines can be used to support self-assessment workshops, and they also can be used to support the implementation by management of continuous monitoring and improvement procedures as part of an IT governance scheme.

1.2.5 COBIT provides a detailed set of controls and control techniques for the information systems management environment. Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT processes and consideration of COBIT’s information criteria.

1.2.6 A COBIT reference is located in the appendix of this document for the specific objectives or processes of COBIT that should be considered when reviewing the area addressed by this guidance.

1.3 Need for Guideline

1.3.2 Manufacturing and service organisations are taking an increasing interest in business process reengineering (BPR) to support their evolution in a dynamic and rapidly changing business environment. BPR offers an invaluable opportunity to achieve a real breakthrough in business performance, but it also introduces risks, for example in the case of wrong reengineering choices or of inadequate implementation of the devised changes.

1.3.3 Reengineering involves comprehensive changes not simply to business processes but to management and support structures, people and organisation, technology and information systems, and policies and regulations. That means that BPR projects have a strong effect on the control system of the organisations that have implemented the BPR. Specifically, there is an increased risk that essential controls are reengineered out of the process to expedite business transactions. Accordingly, the IS auditor should be cognisant of, and espouse to management, that controls, though they may appear by nature to slow the process down, are a necessity to avoid risk that cannot be easily managed or measured in either likelihood or effect.

1.3.4 The purpose of this guideline is to provide IS auditors with the basic reengineering issues as a framework for assessing the key tasks and risks associated with BPR projects with special attention to the IS aspects.

2. BUSINESS PROCESS REENGINEERING PROJECTS
