by Stephanie Dunn
November 28, 2016
Regulated institutions can be subject to a variety of statutory requirements that can vary in size, complexity, and risk. Not having an effective IT security risk management programme in place can result in the compromise of critical network assets and/or data, and can severely impact an organisation’s long-term growth and survival. The Australian Prudential Regulation Authority (APRA) and the associated Prudential Practice Guides (PPG) aim to assist regulated institutions by outlining prudent practices that can aid in managing security risks within specific elements of their business. This report has been developed to assist organisations with managing security risks and safeguard network assets, while achieving business objectives.
The APRA developed a series of PPGs specifically designed to address specific compliance requirements for regulated institutions. The CPG 234 - Management of Security Risk in Information and Information Technology PPG guide was developed to provide guidance for management and IT security specialists in identifying, targeting, and managing IT security risks.
This report provides valuable information for regulated institutions in the management of existing security risks, and can assist management and security teams on ways to safeguard network assets and data. Monitoring inbound and outbound network traffic may reveal malicious activity, suspicious connections, and compromised hosts. Analysts will be able to track and prevent unmanaged mobile devices from connecting to the network. Group membership changes can highlight rogue accounts, along with existing accounts that may have unnecessary privileges.
Vulnerabilities and compliance concerns can assist in detecting misconfigurations on security devices such as firewalls, intrusion detection/prevention devices, and anti-virus clients. The elements within this report can be modified to provide additional focus on potential areas of concern to identify suspicious activity across the enterprise. Using the information provided within this report, organisations will be able to institute a continuous process that will help to improve their overall security posture.
This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The report requirements are:
- Tenable.sc 5.3.1
- Nessus 8.5.1
- NNM 5.9.0
- LCE 6.0.0
Tenable Network Security transforms security technology for the business needs of tomorrow through comprehensive solutions that provide continuous visibility and critical context, enabling decisive actions to protect the organisation. Tenable.sc is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audit files. Active scanning examines running systems and services, detects vulnerable software applications, and analyses configuration settings. Passive listening collects data to continuously monitor traffic, collect information about user privilege changes, and administrative activity, along with the discovery of additional vulnerabilities. Monitoring the network to ensure that all systems are secured against vulnerabilities is essential to ongoing security efforts. Tenable enables powerful, yet non-disruptive, continuous monitoring that will enable organisations with the information needed to proactively respond to threats within the enterprise.
The following chapters are included in this report:
- Executive Summary: The Executive Summary chapter includes a comprehensive summary of data presented within the report. The information summarized in this chapter aligns with the CPG 234 - Management of Security Risk in Information and Information Technology PPG guide. Elements in this chapter provide valuable information that organisations can use to better defend against attacks, and continuously protect critical assets, data, and infrastructure.
- Overarching Framework: Information presented within this chapter aligns with the “An overarching framework” chapter in the CPG 234 guide. This data will highlight both inbound and outbound threatlist trend activity, potentially unknown assets and devices, and risk remediation opportunities. Using this information, organisations will be able to reduce risks associated with unauthorised devices and malicious activity on the network.
- Access Control: Information presented within this chapter aligns with the “Access control” chapter in the CPG 234 - Management of Security Risk in Information and Information Technology PPG guide, which highlights the importance of defence-in-depth controls, detection of unknown assets, monitoring group membership changes, and prevention of data leakage. Elements in this chapter can help organisations monitor for unauthorised account changes, group membership updates, and possible data leakage activity within the network.
- IT Asset Life-Cycle Management Controls: This chapter aligns with the “IT asset life-cycle management controls” chapter inside the PPG CPG 234 guide. Information presented inside this chapter summarizes the need to implement patch management controls and remediating vulnerabilities in a timely manner. Security solutions such as firewalls, detection/prevention devices, and anti-malware solutions are also addressed, which can assist security teams with assessing the effectiveness of these devices and services. Additionally, systems using outdated operating systems or software applications that need to be upgraded are also included in this chapter.
- Monitoring and Incident Management: The Monitoring and Incident Management chapter will present a summary of detected events and the status of logs collected from LCE clients or systems where syslogs are collected. These elements can be modified to detect unusual patterns of behaviour, monitor unauthorised activity, and help to ensure consistent and reliable logging of critical data. Analysts can use this information to obtain a real-time look at existing network events, which can help to ensure an accurate and complete audit trail.
- Change Management: This chapter presents valuable information that can be used by analysts to identify suspicious login events that have occurred on the network. These elements can help to identify activity such as login attempts using invalid or unknown user accounts, brute force attacks, and login attempts using an invalid password.
- Cryptographic Techniques: This chapter presents an overview of both encryption and cryptographic-based compliance concerns that have been discovered on the network. Analysts can use the information within this table to focus on systems using weak hashing algorithms, keys, or insecure encryption ciphers. Security teams should review the data to determine the risks are applicable to the organisation.