Information Security Audits and Controls Effectiveness
Gap Assessments and Internal Audits
Large organisations already well progressed on their compliance and certification journey often engage us to provide an independent perspective. Depending on the certification the client is targeting and/or their current status, our engagements take the form of either a Gap Assessment or an Internal Audit.
This is typically relevant for clients targeting ISO 27001:2022 certification or facing surveillance audits.
Clients targeting a SOC 2 certification typically engage us for a Type 1 report initially, with a follow-up engagement for a Type 2 report.
We have regularly helped clients complete their SAQs for PCI DSS compliance.
For NSW public sector organisations we have carried out mandatory compliance reporting assessments every year since 2019. This includes assessing the state of their maturity against the ACSC Essential Eight controls.
We have also helped a member-owned bank assess its compliance with APRA's CPS 234.
Data & Privacy Impact Assessments
Centropy's Privacy Impact Assessment engagements are performed in line with the process recommended by the NSW Information and Privacy Commissioner under section 36(2) of the Privacy and Personal Information Protection Act 1998 (PPIP Act), or alternatively the Health Records and Information Privacy Act 2002 (NSW) (HRIP Act).
The PPIP Act provides guidance to promote the adoption of, and compliance with, the Information Protection Principles (IPPs), and the protection of personal information and the privacy of individuals. Similarly, the HRIP Act provides guidance on complying with the Health Privacy Principles (HPPs).
Our approach to a Privacy Impact Assessment includes mapping the potential data flows, considering:
- Who will collect what information, from whom, and for what purpose;
- How the information will be used or processed, and whether the collection of any identifiable health information is excessive;
- How the information will be stored and kept secure;
- The processes for ensuring information quality;
- Whether the information will be disclosed to another agency or organisation, and to whom and for what purpose;
- If the information is to be disclosed to and used by secondary users (for example, another organisation, service providers, or system or application developers), how well those secondary users will protect that information, and whether they will pass it on to others;
- Whether identifiable health information will be transferred to another organisation in another jurisdiction, either within Australia or outside Australia;
- Whether individuals will be able to access and correct their identifiable health information;
- How long the information will be retained, and when and how it will be disposed of.
Centropy has been at the forefront of establishing data protection controls for many organisations, for example ensuring that:
- Appropriate policies and principles have been established in line with the NSW Government Privacy and Personal Information Protection Act 1998 (PPIP Act).
- Appropriate data classification and ownership allocation has been determined.
- Appropriate role-based access and authentication controls (including for remote access) have been established within the key council business application to protect and secure the capture, processing, storage and dissemination of data classified as sensitive.
- User access logging and audit trails of key transactions within the key council business application have been implemented.
- Application whitelisting and antivirus, malware and macro protection controls have been implemented in line with the ACSC Essential Eight requirements.
- Effective processes have been established to identify and report on data breaches.
Vulnerability assessment and penetration testing
Centropy performs three types of vulnerability assessment and penetration testing services.
A network-level vulnerability assessment is performed from within the internal network to simulate internal attacks. Assuming the first line of perimeter defence (firewalls and routers) has been compromised, these tests address any residual weaknesses associated with local servers, identifying internal access points and insecure hosts or workstations, and assessing the security provided by the network configuration. This gives an indication of whether the internal network is resilient to both external attackers who have gained a foothold and insider attacks. We use commercial and open source tools as required, and may also consider the current OWASP Top 10 vulnerabilities during this review.
Centropy's external penetration testing reviews involve a strategic assessment of the overall level of security that has been implemented, and verify that "best practice" controls are in place to mitigate known security risks. This is done through direct probing and controlled network scanning activities, including discovery and vulnerability assessment, drawing on our past experience in the industry.
In general, the objective of an external penetration test is to analyse external firewalls, Internet routers, and other networked systems and applications visible from the Internet at large. Our aim is to ascertain the security configuration through empirical methods in order to assess the level of susceptibility to Internet-initiated attacks. This is accomplished by performing a controlled and managed simulation of an actual attack or intrusion attempt against the network and security devices supporting the Internet-facing business services. The attack simulation tests the various infrastructure components against all possible attack scenarios, taking into consideration different levels of potential external attackers and the resources available to them. This risk-based approach provides our clients with results relevant to their business, by identifying the real-world threats and risks jeopardising it.
We will use commercial and open source tools as required for this testing exercise.
Employing a wireless solution offers great flexibility, but it brings the potential for attack as it expands the council's logical perimeter. From rogue access points to weak encryption algorithms, threats to wireless networks are unique and the risks can be significant. Wi-Fi can provide opportunities for attackers to infiltrate an organisation's secure environment, irrespective of its security access controls. Penetration testing can help identify weaknesses in the wireless infrastructure. We will use commercial and open source tools as required for this testing exercise, which will include:
- Identifying Wi-Fi networks, including wireless fingerprinting, information leakage and signal leakage;
- Determining encryption weaknesses, such as encryption cracking, wireless sniffing and session hijacking;
- Identifying opportunities to penetrate a network by using wireless or evading WLAN access control measures; and
- Identifying legitimate users’ identities and credentials to access otherwise private networks and services.
Incident Response Plan Testing
An organisation's Incident Response Plan is designed to establish and designate the response team members, define their roles and responsibilities, and set out the framework for assessing and mitigating the risk of harm to individuals and entities potentially affected by a breach. It also provides guidance on whether and how to notify, and provide services to, those individuals.
The purpose of the Plan is to ensure that the organisation responds in a timely, consistent, and appropriate manner to suspected and confirmed breaches, in order to protect information and assets and to minimise harm to individuals and entities that may be affected by the breach.
Our Incident Response Plan testing typically proceeds as follows:
- Organisation-specific data breach scenarios are selected for the simulation exercise;
- Role play is conducted so that attendees actively participate in the testing;
- Centropy team members facilitate and observe the exercise, recording the proceedings;
- Lessons learnt and the key actions, suggestions and updates recorded during the exercise are provided in a formal testing report.
IT DR and Business Continuity Testing
Centropy has decades of experience in performing Business Impact Assessments for various NSW government agencies and helping them uplift their business continuity management (BCM) processes in the following ways:
- Develop an annual review program:
Develop a rolling annual review program to ensure Business Impact Analyses (BIAs) and Business Continuity Plans (BCPs) are reviewed, maintained and tested.
Develop a checklist to facilitate review by Corporate Governance (including guidance for reviewing outsourced functions), which will also assist with reporting to management. Develop review reporting templates that can be provided to business units to facilitate required actions. Feed the results back into a framework for continuous improvement of the BCM.
- BCP Training:
Deliver face-to-face training, eLearning modules and slides for Business Continuity Coordinators (BCCs) that include an overview of Departmental requirements per policies and procedures, as well as the roles and responsibilities of the Business Continuity team.
- Monitoring and Reporting:
Develop reports to support management, Executives, and Audit and Risk Committees that suggest metrics to enable an assessment of whether BCM objectives have been met.
- IT Disaster Scenario Testing:
Perform tabletop or live scenario-based testing of the predetermined business impacts and their BCM activities, to ensure planned recovery options will work effectively and efficiently with minimal risk and impact to the business.
IT General Controls testing
Centropy performs audits of IT functions against an IT assurance control framework aligned with COBIT-based controls. This covers:
· general IT controls,
· identity and access controls,
· privileged rights review,
· user access monitoring and auditing,
· change management controls,
· software development controls,
· incident and problem management controls,
· business continuity and disaster recovery controls.
Our reviews assess the maturity and effectiveness of controls deployed by our client organisations.