During a remote access audit, there are several areas you'll want to assess. These include:
- Internet scanning and penetration testing: Look at what the remote access service has exposed to the Internet, and whether any additional services show up that shouldn't; these could include internal resources such as websites, databases or applications. Also look for standard Internet vulnerabilities and any other abnormalities that may be obvious.
- Remote access devices: Review the inventory of devices and components that will use the service and assess whether any of them have vulnerabilities. If required, ensure third-party background checks are run and periodically reviewed. Ascertain that there is adequate physical security at the third-party location(s). Ensure there is an established communication plan and services for access requests, credential management and incident/help desk support. Evaluate and assess the security policies of the third party accessing the service.
- Implementation: Identify and review what protocols are available for the end users. Evaluate the authentication method being used. Ascertain if the physical security of the service is adequate and effective, as well as if the logical access control methods are adequate and effective. Ensure control functions can't be bypassed and that there's a change management process in place as additional functionality and/or problem resolution are addressed. Review architecture and technologies to ensure they meet enterprise standards.
- Governance: Ensure corporate and security policies are being enforced and business continuity practices are being followed. Evaluate the logging/reporting functions and ensure the service has an effective event-analysis methodology. Evaluate and assess any remote access disaster recovery plans and ensure they are periodically reviewed and updated as necessary.
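The Internet-scanning item above boils down to one check an auditor repeats every cycle: compare what is actually reachable from the Internet against the exposure the remote access service is approved to have, and flag anything extra (especially internal resources such as databases or remote desktop) as well as anything approved that has gone missing. The following Python script is an added example written for this article, not code from the original or from any vendor; the gateway addresses (TEST-NET range), the approved baseline, the service-name list and the scan lines are all constructed for illustration, and the simple "host port/proto state service" line format is a hypothetical stand-in for whatever your scanner actually emits.

```python
"""Compare Internet-observed services against an approved-exposure baseline
for a remote access gateway. Hypothetical example; all addresses, baseline
entries and scan lines are constructed, not real audit data."""

from dataclasses import dataclass

# Approved baseline (hypothetical): what the remote access service is
# supposed to expose. Here: an SSL-VPN on 443/tcp plus IPsec (IKE, NAT-T).
APPROVED_EXPOSURE = {
    "203.0.113.10": {("443", "tcp"), ("500", "udp"), ("4500", "udp")},
}

# Service names that indicate an internal resource (database, file share,
# remote desktop) and should never be reachable from the Internet.
INTERNAL_ONLY_SERVICES = {
    "ms-sql-s", "mysql", "postgresql", "oracle",
    "microsoft-ds", "netbios-ssn", "ms-wbt-server",
}


@dataclass
class Finding:
    host: str
    port: str
    proto: str
    service: str
    severity: str   # "high", "medium" or "info"
    reason: str


def parse_scan_line(line):
    """Parse one constructed scan line: '<host> <port>/<proto> <state> <service>'."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"unparseable scan line: {line!r}")
    host, port_proto, state, service = parts
    port, proto = port_proto.split("/", 1)
    return host, port, proto, state, service


def assess_exposure(scan_lines, approved=APPROVED_EXPOSURE):
    """Return findings: unexpected open services, exposed internal resources,
    hosts outside the inventory, and approved services that were not seen."""
    findings = []
    observed = {}
    for line in scan_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, proto, state, service = parse_scan_line(line)
        if state != "open":
            continue                      # only open ports count as exposure
        observed.setdefault(host, set()).add((port, proto))
        if (port, proto) in approved.get(host, set()):
            continue                      # exactly what the baseline allows
        if service in INTERNAL_ONLY_SERVICES:
            findings.append(Finding(host, port, proto, service, "high",
                                    "internal resource exposed to the Internet"))
        elif host not in approved:
            findings.append(Finding(host, port, proto, service, "high",
                                    "host not in the approved remote access inventory"))
        else:
            findings.append(Finding(host, port, proto, service, "medium",
                                    "open service not in the approved baseline"))
    # Approved services that did not show up: either the service is down or the
    # scan did not reach it; both are worth confirming during the audit.
    for host, expected in approved.items():
        for port, proto in sorted(expected - observed.get(host, set())):
            findings.append(Finding(host, port, proto, "-", "info",
                                    "approved service not observed; confirm availability or scan coverage"))
    return findings


# Constructed sample scan output (not a real scan).
SAMPLE_SCAN = """
# host port/proto state service
203.0.113.10 443/tcp open https
203.0.113.10 500/udp open isakmp
203.0.113.10 4500/udp open nat-t-ike
203.0.113.10 22/tcp open ssh
203.0.113.10 1433/tcp open ms-sql-s
203.0.113.10 8080/tcp closed http-proxy
203.0.113.11 3389/tcp open ms-wbt-server
""".splitlines()


if __name__ == "__main__":
    for f in assess_exposure(SAMPLE_SCAN):
        print(f"[{f.severity:6}] {f.host} {f.port}/{f.proto} {f.service}: {f.reason}")
```

Run against the sample, the script reports the unexpected SSH listener as medium, the exposed SQL Server and remote desktop as high, and nothing missing; feed it a scan where an approved port is absent and it adds an informational finding so the auditor can distinguish "the service was down" from "the scan was blocked." Keeping the baseline in a file under change control ties this check to the change management item above: any new exposure should correspond to an approved change.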
While you should work with your audit and compliance team to come up with the final list, hopefully this information will be a good start.
This was first published in July 2010