
I am currently serving out an internship with a small MSP (4 employees, 50-100 clients with between a couple and 100 employees).

My main project is to work on an information/cyber security audit document that is to be used by the employees to perform audits of client networks. It contains a checklist of items to check (about 70 items) split into 12 sub-categories (Security Policy, Security Training, AV Measures, Firewall, Operating Systems/services [out of date], business contingency, Wi-Fi Access, etc.).

The audit checklist seems comprehensive enough but I am unsure if I am missing anything. Even though I majored in cyber security, I don't seem to have any idea of resources for standards relating to this.

I basically wanted to ask how I should go about ensuring that this checklist is thorough enough to be able to develop a solid security posture baseline for the clients.

The current issue with this document is that it takes too long to produce an audit report from the template. So I have decided to streamline the report generation by pre-writing generic text for each checklist item that explains the consequence of failing that particular item. Using a VB form, the auditor will tick which items have failed, and the produced document will remove all the pre-filled text for items that have passed.

Do you guys have any advice on where I can get information from regarding these items?

    And you've looked up NIST CSF and CIS Top 20 and ISO 27001? – schroeder Aug 12 '20 at 06:42
  • I haven't seen NIST CSF or CIS Top 20 and they look like great resources, thank you for those, I will go through these. I have looked up ISO 27001 but have had issues getting access to its information due to the paywall. Do you know of any resources that have information from that standard? – Vehicular IT Aug 12 '20 at 06:48
  • Don't try to get around the paywall. Your MSP should be ISO 27001 certified already or at least in the process of getting it. Ask your Team Lead for access for the purposes of this project. – schroeder Aug 12 '20 at 06:52
  • I have asked him (the owner) if he wants/needs any kind of certification/standardisation included in the document and his answer was no. I don't believe the MSP is, or is in the process of being, ISO 27001 certified, as their scope for assisting their clients doesn't involve that much security at all. 90% of the clients are smaller than 5-10 employees, and with only two employees to cover IT support, there isn't much in the way of security. The last few interns (all cyber students) have been working on this document, which I believe is the owner's way of introducing security to the company for cheap. – Vehicular IT Aug 12 '20 at 07:03

1 Answer


Your approach is not the best approach. Yes, there are well-known "lists", like:

  • NIST CSF
  • CIS Top 20
  • ISO 27001

And there are many others, too. Dumping all those items into a massive omni-list and trying to check each item is not going to be helpful.

You are missing a couple of important ideas in your approach:

  • scope
  • purpose

Without scope, you could come up with a list with a million items. And even if you merely come up with "a lot of" items, it will be difficult to work through and the findings might not be useful or might not relate to each other well.

Without purpose, even if you have a well-scoped and manageable list, the result may be useless. Knowing why you are auditing, and what process the results are supposed to inform will help you define and refine your audit list.

For example, CSF, CIS Top 20, and ISO 27001 have very, very different purposes and scope.

So, in the end, I would choose a standard list that meets the scope and purpose you have for the audit. If you try to think of all the things you might need to check yourself, you are sure to end up with a disjointed, multi-tentacled, monster list. You are free to add to your chosen standard if the lists are not complete for your purpose.

I also have another suggestion: don't just check to see if a list item is done or not (a yes/no binary choice). Rate the maturity of the items. I use a 1-5 scale based on the CMMI scale, modified for operations. It is likely that an organisation is doing most of the things on any list, in some way, somewhere in the org. But there is a difference between "that one intern does it when they think of it and they tell someone when there is a problem" and "it's company policy that we train people on, and we audit that particular process and have KPIs to improve it".

schroeder
  • Thank you for this, as it gives me a new way of looking at how I can redefine this document. When you refer to scope, is this what the client asks to be specifically looked at? Or a mix of the auditor's thoughts on what should be checked and the client's? In terms of purpose I am a bit unsure. If I'm honest, I have a feeling that the main objective is to convince the client to approve having work/fixes performed on their network. – Vehicular IT Aug 12 '20 at 07:13
  • "Scope" as in, technical? managerial? operations? network? devices? data? process/policy? end users? development? Security touches on every aspect of every function in an organisation both technical and human. "Check all the things!" is too unmanageable. This document is a telescope. Which part of the night sky do you want to focus on? – schroeder Aug 12 '20 at 07:17
  • If your purpose is to look for work to do for a client, then having interns come up with things to check is silly. Use an established standard, even if you aren't going for certification. Then you can assure (assurance is a good purpose) your clients that you are assessing and progressing them against a known, established and trusted standard. I'd throw out your current doc and focus on NIST CSF. It's well-scoped for this purpose. – schroeder Aug 12 '20 at 07:21
  • Thanks a lot for your time @schroeder, I really appreciate it. I will start moving the document to the NIST CSF standard. I forgot to mention that the document is using a tier system (bronze, silver, gold) which determines how much of the audit checklist is actually checked within the client network. Would you say this covers scope well enough, or should the scope be a more dynamic system where the client/auditor has more control over what to have checked specifically? For example, the bronze tier covers Security Policy, Security Training, AV, Firewall and Operating Systems. – Vehicular IT Aug 12 '20 at 08:47
  • Ah, you've touched on an important point: "target maturity". Once you assess the maturity of each control, you then need to determine what the maturity level should be. That's where you can apply a tier system. Some controls should be at a higher maturity than others. You could simply say that Bronze is a minimum maturity level of 2 across the board, Silver is 3, and Gold is 4. Or you could choose which controls are included in each tier (that requires clear scoping and purpose), or a hybrid. I do a hybrid. – schroeder Aug 12 '20 at 09:41
  • Shameless plug alert: I did a BSides talk on this very thing. It might be exactly what you are looking for: https://www.youtube.com/watch?v=z4camrPPRq8 – schroeder Aug 12 '20 at 09:42
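A worked example of the scheme the answer and its comments describe (rate each control on a 1-5 maturity scale rather than pass/fail, set a target maturity per tier, with a hybrid of a tier baseline plus per-control overrides), combined with the asker's report-generation idea of emitting pre-written consequence text only for controls that fall short. This is an added example, not code from the question, the answer, or any standard, and it is Python rather than the asker's VB form. The control names are the sub-categories listed in the question; the wording of the five levels, the consequence sentences, the sample ratings and which controls carry a tier override are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed paraphrase of a CMMI-style 1-5 scale adapted to operations.
MATURITY_LEVELS = {
    1: "initial: done ad hoc by whoever thinks of it, nobody owns it",
    2: "repeatable: a named owner does it consistently, nothing is written down",
    3: "defined: documented procedure that staff are trained on",
    4: "managed: the process is audited and tracked with KPIs",
    5: "optimising: the KPIs drive regular improvement of the process",
}

# Pre-written consequence text per control (constructed placeholders; the
# control names are the sub-categories listed in the question).
CONSEQUENCE_TEXT = {
    "Security Policy": "Staff have no agreed rules and the business cannot show due diligence.",
    "Security Training": "Users are the main phishing target and have not been taught to spot it.",
    "AV Measures": "Commodity malware will run unchallenged on endpoints.",
    "Firewall": "Exposure at the network edge is not controlled.",
    "Operating Systems": "Unpatched systems are open to publicly known vulnerabilities.",
    "Business Contingency": "An outage or ransomware event has no tested way back to operation.",
    "Wi-Fi Access": "Anyone in radio range may reach the internal network.",
}

@dataclass(frozen=True)
class Tier:
    name: str
    baseline: int  # minimum maturity required of every control
    overrides: dict[str, int] = field(default_factory=dict)  # control -> stricter target

# Hybrid scheme from the answer: baseline per tier plus per-control overrides (assumed).
TIERS = {
    "bronze": Tier("bronze", 2),
    "silver": Tier("silver", 3, {"Firewall": 4}),
    "gold": Tier("gold", 4, {"Security Policy": 5, "Business Contingency": 5}),
}
TIER_ORDER = ["bronze", "silver", "gold"]

@dataclass(frozen=True)
class Finding:
    control: str
    current: int   # maturity the auditor rated
    required: int  # maturity the tier demands

def required_maturity(tier: Tier, control: str) -> int:
    """Target for one control under a tier: an override beats the baseline."""
    return tier.overrides.get(control, tier.baseline)

def validate_ratings(ratings: dict[str, int]) -> None:
    """Reject off-scale ratings, unknown controls, and controls left unrated."""
    for control, level in ratings.items():
        if control not in CONSEQUENCE_TEXT:
            raise ValueError(f"no consequence text for control {control!r}")
        if level not in MATURITY_LEVELS:
            raise ValueError(f"{control}: maturity {level} is not on the 1-5 scale")
    missing = sorted(set(CONSEQUENCE_TEXT) - set(ratings))
    if missing:
        raise ValueError(f"unrated controls: {missing}")

def assess(ratings: dict[str, int], tier_name: str) -> list[Finding]:
    """Controls rated below the tier's target, largest gap first."""
    validate_ratings(ratings)
    tier = TIERS[tier_name]
    findings = [
        Finding(control, level, required_maturity(tier, control))
        for control, level in ratings.items()
        if level < required_maturity(tier, control)
    ]
    return sorted(findings, key=lambda f: (f.current - f.required, f.control))

def highest_tier_met(ratings: dict[str, int]) -> str | None:
    """Highest tier with no findings, or None if even bronze has gaps."""
    met = None
    for name in TIER_ORDER:
        if assess(ratings, name):
            break
        met = name
    return met

def render_report(client: str, ratings: dict[str, int], tier_name: str) -> str:
    """Report body: passing controls are dropped, failing ones keep their text."""
    findings = assess(ratings, tier_name)
    lines = [f"Security posture report for {client} (target tier: {tier_name})"]
    if not findings:
        lines.append("All controls meet the target maturity for this tier.")
    for f in findings:
        lines.append(f"{f.control}: rated {f.current}, tier requires {f.required}")
        lines.append(f"  Now: {MATURITY_LEVELS[f.current]}")
        lines.append(f"  Consequence: {CONSEQUENCE_TEXT[f.control]}")
    return "\n".join(lines)

SAMPLE_RATINGS = {  # constructed ratings for a fictional client
    "Security Policy": 2, "Security Training": 2, "AV Measures": 3, "Firewall": 3,
    "Operating Systems": 2, "Business Contingency": 2, "Wi-Fi Access": 4,
}

if __name__ == "__main__":
    print(render_report("Example Client", SAMPLE_RATINGS, "silver"))
    print("Highest tier met:", highest_tier_met(SAMPLE_RATINGS))
```

With the sample ratings the client clears bronze but not silver: every control is at least 2, while five controls sit below silver's baseline of 3 or, for the firewall, below its silver override of 4. The validation step matters in practice: a control the auditor forgot to rate would otherwise silently read as passing, and an off-scale rating would distort the gap ordering.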