S 2.360 Security audits and reporting for storage systems
Initiation responsibility: Top Management, IT Security Officer
Implementation responsibility: IT Security Officer, Administrator, Auditor
The scope and frequency of security audits on storage systems are determined according to the data processed on the particular storage system. For complex systems in which numerous applications store their data on the storage system, the business processes and the specification of the protection level required by these processes must be analysed. In the analysis, the protection level required for the applications and data supporting the essential business processes must be determined in order to obtain the requirements for the frequency and depth of the security audits. As usual, the application with the strictest requirements determines the requirements for the overall system.
A process must therefore be set up to monitor all security-relevant operations. The security reports to be produced regularly must be specified in this process. Since storage systems can be combined to create complex systems, security reports must collect and evaluate the relevant information from a variety of sources. Furthermore, the procedure for handling deviations from the specifications must also be defined. The security reports should be used to provide information to the auditors.
Contents of an audit
An audit compares the security policies to the current settings and data. Such an audit is used to check if the required security settings are properly set and if the required procedures are being followed.
Goal of the security audit
It is important to note that an audit should only serve to determine the facts and not who is at fault (see also S 2.199 Maintaining information security).
Security reporting
The results of an audit can be documented as a simple comparison of the required and actual states. The report should briefly present the specifications from the security policy, for example, and the results of the audit for each specification. If deviations from the requirements are detected and measures for improvement are known, these measures should be written directly in the report.
Independence of the auditors
The audits must be performed by independent auditors, which means someone performing an audit is not permitted to audit him/herself or his/her own work.
Even if the auditors are supported in their work by the administrators of the storage system, the auditors themselves need in-depth knowledge of the storage system to perform their task. This knowledge must be obtained and kept up to date through regular training measures.
Authorisation of the auditors
If the auditors are to perform their tasks alone without the support of the administrators, an "Auditor" role must be defined for all components of the storage system. This role should be granted "Read Only" rights to all settings and log files of the storage system.
If there are no concrete specifications available from the organisation, the auditors should check the following areas at a minimum:
- Is there a security concept for the technical layout and organisational regulation of the storage system?
- Was the protection level of the stored data defined and documented according to the user specifications in terms of availability and confidentiality?
- When put into operation for the first time, were the standard passwords changed on all components (storage, backup devices, possibly SAN switches), on the administration PC, and in the additional software?
- Are all components (storage, backup devices, possibly SAN switches) stationed in rooms with access protection and with an appropriate infrastructure (power supply, air conditioning)?
- Is administrative access to the storage systems only possible through a separate administration network?
- Is the administration network secured by a firewall, anti-virus software, and possibly an IDS?
- Are all connections used for administration purposes secure connections (e.g. via https, ssh)?
- Is access to the storage systems and their data sufficiently protected and suitably isolated from the rest of the organisation's network?
- Are the data transported and stored in encrypted form whenever this is required due to their protection level?
- Is the logging function set up in such a way that error events and attempted misuse of the system are logged? Are the log files checked regularly?
- Are the basic configuration and any relevant changes made later to the configuration documented in writing?
- Is a network plan of the topology of the storage systems and their connections to the LAN available and up-to-date? Is this documentation available in case of an emergency?
- After changes, are the security-relevant settings of the storage system rechecked?
- Is the proper execution of the data backup procedure and the usability of backup media checked regularly?
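The required/actual comparison described under "Security reporting", applied to a few of the checklist areas above, as an added example that is not part of the original safeguard text: a small script that evaluates constructed policy specifications against settings collected from several components and records a measure for each deviation. All specification identifiers, setting names and collected values are constructed assumptions.

```python
"""Required-vs-actual comparison for a storage-system security audit.
All specification texts, setting names and collected values are constructed."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Spec:
    ident: str        # constructed reference to the policy clause
    text: str         # requirement as worded in the policy
    key: str          # name of the collected setting
    required: object  # bool: must match; set: actual values must be a subset
    measure: str      # improvement measure recorded on deviation

SPECS = (
    Spec("SP-1", "Default passwords changed on first commissioning",
         "default_passwords_changed", True, "Change factory passwords"),
    Spec("SP-2", "Administration only via the separate admin network",
         "admin_interfaces", {"mgmt"}, "Disable administration on data-path interfaces"),
    Spec("SP-3", "Only secure administration protocols",
         "admin_protocols", {"https", "ssh"}, "Disable plaintext admin protocols"),
    Spec("SP-4", "Error events and attempted misuse are logged",
         "logging_enabled", True, "Enable and review security logging"),
)

# Settings gathered from three sources; the SAN switch delivered no logging value.
COLLECTED = {
    "storage":    {"default_passwords_changed": True, "admin_interfaces": {"mgmt"},
                   "admin_protocols": {"https", "ssh"}, "logging_enabled": True},
    "backup":     {"default_passwords_changed": False, "admin_interfaces": {"mgmt"},
                   "admin_protocols": {"https", "ssh"}, "logging_enabled": True},
    "san_switch": {"default_passwords_changed": True, "admin_interfaces": {"mgmt", "eth1"},
                   "admin_protocols": {"https", "ssh", "telnet"}},
}

def evaluate(spec, actual):
    """Return 'compliant', 'deviation' or 'not assessable' for one setting."""
    if actual is None:
        return "not assessable"            # missing evidence is itself a finding
    if isinstance(spec.required, set):
        return "compliant" if set(actual) <= spec.required else "deviation"
    return "compliant" if actual == spec.required else "deviation"

def audit_report(specs=SPECS, collected=COLLECTED):
    """One row per specification and component: actual value, status, measure."""
    rows = []
    for spec in specs:
        for component, settings in collected.items():
            actual = settings.get(spec.key)
            status = evaluate(spec, actual)
            rows.append({"spec": spec.ident, "component": component, "actual": actual,
                         "status": status, "measure": spec.measure if status != "compliant" else ""})
    return rows
```

Rows whose status is not "compliant" are the deviations to present in the report together with their recorded measure; a setting that could not be collected is reported as "not assessable" rather than silently passed.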
Review questions:
- Is there a monitoring process covering all security-relevant activities and sources of a storage system that defines the security reports to be produced at regular intervals?
- Are there provisions on how to handle deviations from the specifications?
- Are the scope, the depth, and the frequency of the security audits on storage systems determined based on the data processed thereon and the protection requirements of their applications?