1 Purpose
A security review provides an overview of the state of information technology security in a University department or organization, measured against University policies and accepted best practice. This document describes the processes involved in performing such a review. It documents the tasks involved and serves as a guide for performing the review. It requires a strong prior understanding of operating systems, Active Directory, and security applications and products in general, and in particular those deployed by the University. The review focuses on risks that pose a threat to the security and integrity of network operations, system security, and data protection, and also covers topics such as IT Disaster Recovery and Business Continuity Planning.
2 Security Review
This section documents the specific steps and processes involved in performing a security review. Unless otherwise noted, each step is performed during the review process. The steps and processes included in this document are for the current IT infrastructure at Tulane University; however, as changes take place, the Information Security Office (ISO) will update this document.
2.1 Audience
The intended audiences of the review are the ISO and the organization’s technical staff. In addition, the final report is provided to the executive management of Information Technology and the reviewed department.
2.2 Security Review Team
The Chief Information Security Officer (CISO) shall form a team for each review. The Security Review Team shall comprise staff chosen from within the ISO and any non-ISO staff as may be required.
2.3 Review Process
Any organization or department on campus can request a security review from the ISO. The ISO can also proactively initiate a review of an organization or department in response to a security incident or upon request from the Vice President of Information Technology (VPIT). The time needed to complete the review depends on the size and scope of the review. However, based on prior experience, a typical department review should on average take no longer than 6 weeks.
2.3.1 Scoping Document and Meeting
As a first step in any review, the Review Team should obtain all relevant information concerning systems and the IT environment at the organization to be reviewed. The Review Team will provide the Scoping Document to the organization’s IT staff. The organization’s IT staff must complete the document in a reasonable time (1-2 weeks, depending on the size of the organization). The document contains 9 categories:
- General Information
- Physical and Network Infrastructure
- Active Directory
- Personally Identifiable Information (PII)
- Training and Education
- Asset Management
- Security
- Disaster Recovery
- Support
2.3.2 Analysis by the Review Team
Upon receiving the completed Scoping Document from the organization, the Review Team must identify focus areas. The team must review the Scoping Document to identify those categories for which the organization did not provide sufficient information. Once this is completed, an initial review meeting must be held between the Review Team and the department’s IT staff to address the missing information. During the initial review meeting, the Review Team should also ask the department’s IT staff whether there are areas in the organization on which they would like the review to focus.
2.3.3 Responsibilities of the Review Team
The Review Team must perform the following tasks during the review to assess the security level of the department.
2.3.3.1 Physical Security
A walkthrough of the organization must be completed to assess the physical security of the organization’s assets. As the critical assets have been identified prior to performing the walkthrough, special attention must be paid to the physical security of those assets. It must be determined whether any physical security controls (locks, access pads, key access, etc.) exist and, if so, whether a threat to the physical security of the assets still remains.
2.3.3.2 Network Vulnerability
A network vulnerability scan of the organization’s subnets must also be performed using nCircle, Nessus, or any other application the ISO deems appropriate. This allows the Review Team to identify vulnerable assets and threats to the network infrastructure.
2.3.3.3 Servers
When performing a security review of a server, refer to the Basic Server Review Checklist. In addition to the checklist, the Review Team must also rely on network vulnerability scans of the servers, a Spider scan (for PII), and other tools.
2.3.3.4 Workstations
Workstations are typically present in large numbers when performing a security review. To include workstations in the review, a vulnerability assessment of the workstations must be done through network vulnerability scans (nCircle, Nessus, etc.). In addition, a random sample of computers will be selected from the workstation list and a security review of these workstations will be performed. Refer to the Basic Workstation Checklist.
2.3.3.5 Social Engineering
This aspect of the Security Review deals with the ability of the Review Team to obtain information from the users of the organization without properly identifying themselves (Tulane University Splash Card). The Review Team member must try to obtain information such as passwords and/or sensitive data related to the organization. In addition, other aspects of social engineering can be incorporated into the review.
2.4 Report
After performing the security review, the Review Team will make recommendations based on its findings. The recommendations must be prioritized. Refer to previous security review reports for the report format.
2.4.1 Initial Report and Exit Meeting
The initial report is provided to the organization’s technical staff, and the priority rating of recommendations can be changed at the request of the organization’s technical staff. It is strongly suggested that no recommendations be removed from the review report. The Review Team must meet with the department’s IT staff to explain the findings in an exit interview. At this interview, the Review Team must make clear that the only change that can be made to the review is the reprioritization of recommendations, not their removal. Upon receiving any requests for changes, the Review Team must produce the final report for the organization.
2.4.2 Final Report
The final report is provided to the technical and executive staff of both the department and the Information Security Office. The purpose of the report is to provide recommendations to the organization for improving its security posture.
2.5 Follow-up Review
As is the nature of Information Technology, the state of IT security in an organization changes constantly. Thus, the Review Team must conduct a follow-up review to assess the progress the organization has made on the recommendations in the Final Report. It is recommended that the first follow-up review be conducted six months after the exit interview.