Infrastructure Audits
The primary focus of infrastructure audits is to evaluate whether the technology can meet the security, stability, and functionality requirements of the business applications deployed within the environment. Infrastructure technology audits focus on the following core risk management activities:
• Technical configuration settings comply with standards and best practices
• Vulnerability/security patch deployment
• Security event log settings capture and retain adequate activity details
• Administrator/privileged access rights restriction and logging
• Software licensing compliance
• Local identity authentication (password) settings
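As an added illustration of how the core activities above can be evidenced consistently across hosts, the following Python compares constructed host configuration snapshots against a constructed baseline and records a finding per control. This is example code written for this page, not CTSA tooling or any standard named here; the baseline thresholds, field names, host names, and the fixed audit date are all assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed baseline standing in for an organisation's configuration
# standard. Every threshold here is an assumption, not a published standard.
BASELINE = {
    "required_settings": {"ssh_root_login": "no", "ntp_enabled": "yes"},
    "max_patch_age_days": 30,
    "min_log_retention_days": 90,
    "required_audit_events": {"logon", "privilege_use", "policy_change"},
    "max_local_admins": 2,
    "min_password_length": 14,
    "max_password_age_days": 90,
}


@dataclass
class HostSnapshot:
    """Point-in-time configuration evidence collected from one host (constructed)."""
    name: str
    settings: dict[str, str]
    last_patch_date: date
    log_retention_days: int
    audit_events: set[str]
    local_admins: list[str]
    min_password_length: int
    max_password_age_days: int


@dataclass
class Finding:
    host: str
    control: str   # one of: configuration, patching, logging, privileged_access, authentication
    detail: str


def check_host(h: HostSnapshot, baseline: dict = BASELINE,
               today: date = date(2024, 6, 1)) -> list[Finding]:
    """Evaluate one host snapshot against the baseline; an empty list means compliant.

    `today` is fixed so the patch-age calculation is reproducible in this example.
    """
    findings: list[Finding] = []

    # Control 1: technical configuration settings match the standard.
    for key, expected in baseline["required_settings"].items():
        actual = h.settings.get(key)
        if actual != expected:
            findings.append(Finding(h.name, "configuration",
                                    f"{key}={actual!r}, expected {expected!r}"))

    # Control 2: vulnerability/security patch currency.
    patch_age = (today - h.last_patch_date).days
    if patch_age > baseline["max_patch_age_days"]:
        findings.append(Finding(h.name, "patching", f"last patched {patch_age} days ago"))

    # Control 3: security event logging retains enough detail for long enough.
    if h.log_retention_days < baseline["min_log_retention_days"]:
        findings.append(Finding(h.name, "logging",
                                f"log retention {h.log_retention_days} days"))
    missing_events = baseline["required_audit_events"] - h.audit_events
    if missing_events:
        findings.append(Finding(h.name, "logging",
                                f"audit events not captured: {sorted(missing_events)}"))

    # Control 4: administrator/privileged access is restricted.
    if len(h.local_admins) > baseline["max_local_admins"]:
        findings.append(Finding(h.name, "privileged_access",
                                f"{len(h.local_admins)} local admins: {h.local_admins}"))

    # Control 5: local identity authentication (password) settings.
    if h.min_password_length < baseline["min_password_length"]:
        findings.append(Finding(h.name, "authentication",
                                f"minimum password length {h.min_password_length}"))
    if h.max_password_age_days > baseline["max_password_age_days"]:
        findings.append(Finding(h.name, "authentication",
                                f"maximum password age {h.max_password_age_days} days"))
    return findings


# Constructed sample evidence: one compliant host and one with gaps in every control.
SAMPLE_HOSTS = [
    HostSnapshot("app-01", {"ssh_root_login": "no", "ntp_enabled": "yes"},
                 date(2024, 5, 20), 180, {"logon", "privilege_use", "policy_change"},
                 ["ops"], 14, 90),
    HostSnapshot("db-02", {"ssh_root_login": "yes", "ntp_enabled": "yes"},
                 date(2024, 3, 1), 30, {"logon"},
                 ["ops", "dba", "svc_backup"], 8, 365),
]


def audit(hosts: list[HostSnapshot] = SAMPLE_HOSTS) -> dict[str, list[Finding]]:
    """Run the checks over an inventory and return findings keyed by host name."""
    return {h.name: check_host(h) for h in hosts}


if __name__ == "__main__":
    for host, findings in audit().items():
        status = "compliant" if not findings else f"{len(findings)} finding(s)"
        print(f"{host}: {status}")
        for f in findings:
            print(f"  [{f.control}] {f.detail}")
```

Keeping each control as a separate block of checks, and each failure as a structured `Finding`, lets the same snapshot feed both the auditor's workpapers and a summary by control; replacing `SAMPLE_HOSTS` with real collected evidence is the only change needed to use it against an inventory.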
Infrastructure audits cover the foundation layers of the application stack. The physical datacenter and server layers are typically covered during the facilities management operational audit.
Ultimately, responsibilities and mechanisms for governance are defined in the contract. There are no predefined mandates or uniform contracts throughout the industry; each contract will be different, so each set of rights and responsibilities will vary according to what the customer and provider negotiate. If an area of concern isn’t in the contract, there is no mechanism available to enforce it, and a governance gap results.
According to the Gartner report published September 22, 2015, "Clouds are Secure: Are you using them securely?":
“Through 2020, 95 percent of cloud security failures will be the customer’s fault.”
Each layer of the application stack contains multiple technologies which can be audited separately or as a consolidated overall assessment. Additionally, the application stack layers closer to the actual business application tend to have less clearly defined boundaries and greater integration and co-dependencies between the layers. As a result, it is common to address the middleware, runtime, container, and virtual network layers in a single hosting infrastructure audit.
Network: Routers, switches, wireless networks, and firewalls
Storage: Physical storage hardware, storage area networks, data mirroring/data backup
Virtualization: VMware
Operating Systems: Windows, Linux, macOS, Android, Apple iOS, Mainframe z/OS
Hosting Infrastructure:
• Middleware (Message Queuing, Message Brokers, Tivoli Workload Scheduler Agent, Java Database Connectors, etc.)
• Containers (Docker, Tectonic, OpenShift Container Platform, Rancher, etc.)
• Runtime (WebSphere Application Server, Liberty, .NET Runtime, MuleSoft, WildFly, etc.)
• Virtual Network (VMware Distributed Virtual Switch, Cisco, F5, VMware NSX)
Data: SQL Server, Oracle, DB2 LUW, MongoDB, MySQL
Why Engage CTSA?
For each technology audit, CTSA personnel will:
• Obtain an understanding of the activity being audited. The extent of the knowledge required should be determined by the nature of the enterprise, its environment, areas of risk, and the objectives of the engagement.
• Consider subject matter guidance or direction, as afforded through legislation, regulations, rules, directives, and guidelines issued by government or industry.
• Perform a risk assessment to provide reasonable assurance that all material items will be adequately covered during the engagement. Audit strategies, materiality levels, and resource requirements can then be developed.
• Develop the engagement project plan using appropriate project management methodologies to ensure that activities remain on track and within budget.
• Include in the plan assignment-specific issues, such as:
  – Availability of resources with appropriate knowledge, skills, and experience
  – Identification of tools needed for gathering evidence, performing tests, and preparing/summarizing information for reporting
  – Assessment criteria to be used
  – Reporting requirements and distribution
• Document the technology audit or assurance engagement’s project plan to clearly indicate the:
  – Objective(s), scope, and timing
  – Resources
  – Roles and responsibilities
  – Areas of risk identified and their impact on the engagement plan
  – Tools and techniques to be employed
  – Fact-finding interviews to be conducted
  – Relevant information to be obtained
  – Procedures to verify or validate the information obtained and its use as evidence