Categories
Simplifying Firewall Audits and Ensuring Continuous Compliance: Part 1 of 6
Today’s business environment has become more regulated – with different mandates and requirements spanning multiple industries and regions. Some regulations require multiple audits per year and depending on your industry, you may have to comply with multiple regulations. Even if you don’t have to comply with the bevy of standards or requirements such as PCI-DSS, SOX, NERC CIP, HIPAA, and so on, you most likely still have (or you SHOULD have) internal reviews and checks of security policies.
While regulations and ensuing IT audits go beyond firewalls and firewall policies, these devices are often a good place to start when it comes to becoming “audit-ready” and gaining continuous visibility of what’s going on in your network.
In this blog series, we’ll examine what you need in order to successfully go through an audit of your firewall estate and most importantly how to ensure continuous compliance (this is where automation plays a big role). This blog will focus on step 1. This relates closely to what my colleague Josh Karp has blogged about in his series When PCI Compliance meets real world security, specifically the first step he has examined.
Step 1: Gathering Pertinent Information Before You Undergo an Audit
An audit has little chance of success if you do not have proper visibility of your network, including software, hardware, policies and risks. This sounds like an obvious statement, but many organizations do not have the necessary visibility of their IT environment.
Some examples of “quick wins” in the pre-audit phase would be to collect the following information:
- Make sure you have copies of all the relevant security policies.
- Ensure you can access the firewall logs – this is important so you can analyze the logs against the firewall rule base to understand what is actually being used.
- Obtain a diagram of the current network and firewall topologies.
- Gather and review documentation from previous audits, including firewall rules, objects and policy revisions. This can help you from repeating the same mistakes and hopefully key in on issues from the past that may not have been properly addressed.
- Identify all Internet Service Providers (ISP) and Virtual Private Networks (VPN).
- Obtain all relevant firewall vendor information including OS version, latest patches and default configuration.
- Understand all the key servers and key information repositories in the network and their relative values to the company.
Even though this is just the preparation for the audit, you’re not quite done. Once you have gathered this information, you must have a plan to aggregate and store this information in a way that will make analysis and reporting easier – and no spreadsheets don’t really count. Spreadsheet compliance is a surefire way to make the audit process painful. Document, store and consolidate this important information in a way that enables collaboration with your IT counterparts. Remember, you’re most likely going to have multiple audits per year.
Then and only then can you start reviewing policies and procedures and begin to track their effectiveness…
Subscribe to Blog
Receive notifications of new posts by email.
