Audit and Assurance


Audit Testing to verify DE.DP-3 Detection Processes (NIST)

  • 1.  Audit Testing to verify DE.DP-3 Detection Processes (NIST)

    Posted 28 Aug, 2019 07:38
    Hello.

    I was wondering if someone would be able to give advice on what audit testing they would perform to verify detection processes are tested per the NIST Framework (DE.DP-3).

    Thank you!

    ------------------------------
    Becky Johnson
    Internal Audit Administrator
    ------------------------------


  • 2.  RE: Audit Testing to verify DE.DP-3 Detection Processes (NIST)

    Online Forum Topic Leader
    Posted 28 Aug, 2019 15:13
    @Becky Johnson,

    This is covered in the NIST Cyber Framework where DE.DP-3 points to the following as "informative references".
    • COBIT 5 APO13.02, DSS05.02
    • ISA 62443-2-1:2009 4.4.3.2
    • ISA 62443-3-3:2013 SR 3.3
    • ISO/IEC 27001:2013 A.14.2.8
    • NIST SP 800-53 Rev. 4 CA-2, CA-7, PE-3, SI-3, SI-4, PM-14

    These can be used to build your tests.

    Best Regards,

    Ian


    ------------------------------
    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist
    ------------------------------



  • 3.  RE: Audit Testing to verify DE.DP-3 Detection Processes (NIST)

    Posted 10 Sep, 2019 08:27
    Hello all.

    Just wanted to share a follow-up question and response for all to see in the event the information is helpful to anyone else.

    Thank you!
    Becky

    ------------------------------

    Becky,

    The answer is, it depends. If the alerts are captured and analysed by an intelligent SIEM which, after analysis, reacts or further alerts, then yes, they may be meeting these requirements. Just being logged, then no.

    Ian

    Message From: Becky Johnson

    Thank you for your response.  The references have been reviewed.

    Do you consider live events triggering alerts and being logged as testing detection processes per the requirements?  I do not, but I am still learning.  Your thoughts would be greatly appreciated.  

    Thank you!

    ------------------------------
    Becky Johnson
    Internal Audit Administrator
    ------------------------------



  • 4.  RE: Audit Testing to verify DE.DP-3 Detection Processes (NIST)

    Posted 29 Aug, 2019 09:28

    CA-2 Security Assessment and Authorization
    The assessment they are talking about here is the vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Note: External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control.

    CA-7 Continuous Monitoring
    From my understanding, it would be deploying SIEM tools which continuously monitor and flag logs and give an alert if something goes wrong.

    PE-3 Physical Access Control
    Detection would be here when you maintain and review the physical access logs, where you can detect an unauthorized user.

    SI-3 Malicious Code Protection
    Mostly talks about malicious code scanning and protection during change management to detect the changes.
    So, basically, scanning controls.

    SI-4 Information System Monitoring
    Could be technical monitoring tools you add in the network.

    PM-14 Testing, Training, and Monitoring
    Could be security training activities. Testing, training, and monitoring plans and activities are informed by current threat and vulnerability assessments.

    Please provide your comments if you find my answers are useful. I have provided only the summary based on my understanding.



    ------------------------------
    Marat Kaisseov
    ------------------------------
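The replies above draw a line between an event that is merely logged and one that a SIEM detects and reacts to, and the original question asks what an auditor can actually test. The script below is an added example for this thread, not code from ISACA, NIST or any SIEM product. It models a hypothetical minimal SIEM (rule evaluation on ingest plus an automated response action), injects constructed test events from a designated test source, and produces the evidence an audit test of DE.DP-3 would want: whether the injected event was logged, whether the expected rule fired, whether a response followed, and the detection latency. The log lines, rule names (`R-SSH-BRUTE-FORCE`, `R-SUDO-SHELL`), threshold and latency limit are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed, syslog-style sample lines; not taken from any real system.
BASELINE_LOGS = [
    "2019-09-10T08:00:01Z auth sshd[1201]: Accepted password for alice from 10.0.0.5",
    "2019-09-10T08:00:04Z auth sshd[1202]: Failed password for bob from 10.0.0.6",
]

# Injected test events. 203.0.113.9 (a documentation address range) is used as
# the designated test source so the events can be excluded from real metrics.
BRUTE_FORCE_TEST = [
    f"2019-09-10T08:05:{s:02d}Z auth sshd[13{s:02d}]: Failed password for root from 203.0.113.9"
    for s in range(0, 5)
]
# A second test event that no rule covers: it will be logged but never detected.
PRIV_ESC_TEST = [
    "2019-09-10T08:10:00Z auth sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash",
]

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")


def parse_ts(line):
    return datetime.strptime(TS_RE.match(line).group(1), "%Y-%m-%dT%H:%M:%S")


@dataclass
class Alert:
    rule_id: str
    source: str
    raised_at: datetime
    responded: bool = False


@dataclass
class MiniSIEM:
    """Hypothetical stand-in for a SIEM: every line is logged, one rule is
    evaluated on ingest, and each alert triggers a response action."""
    threshold: int = 5                      # failed logins per source before alerting
    logged: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    failed_by_source: dict = field(default_factory=dict)

    def ingest(self, line):
        self.logged.append(line)            # "just being logged" happens for every line
        m = FAILED_RE.search(line)
        if not m:
            return                          # no rule covers this event
        src = m.group(1)
        self.failed_by_source[src] = self.failed_by_source.get(src, 0) + 1
        if self.failed_by_source[src] == self.threshold:
            alert = Alert("R-SSH-BRUTE-FORCE", src, parse_ts(line))
            self.respond(alert)
            self.alerts.append(alert)

    def respond(self, alert):
        # Stand-in for the SIEM's automated reaction (block, ticket, page).
        alert.responded = True


def run_detection_test(siem, test_lines, expected_rule, max_latency_s=60):
    """Inject test events and return audit evidence for the expected rule:
    logged? detected? responded? and detection latency in seconds."""
    injected_at = parse_ts(test_lines[0])
    before = len(siem.alerts)
    for line in test_lines:
        siem.ingest(line)
    hits = [a for a in siem.alerts[before:] if a.rule_id == expected_rule]
    evidence = {
        "rule": expected_rule,
        "logged": all(line in siem.logged for line in test_lines),
        "detected": bool(hits),
        "responded": bool(hits) and hits[0].responded,
        "latency_s": (hits[0].raised_at - injected_at).total_seconds() if hits else None,
    }
    ok = evidence["detected"] and evidence["responded"] and evidence["latency_s"] <= max_latency_s
    evidence["verdict"] = "PASS" if ok else "FAIL"
    return evidence


def demo():
    siem = MiniSIEM()
    for line in BASELINE_LOGS:
        siem.ingest(line)
    return (
        run_detection_test(siem, BRUTE_FORCE_TEST, "R-SSH-BRUTE-FORCE"),
        run_detection_test(siem, PRIV_ESC_TEST, "R-SUDO-SHELL"),
    )


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

The first test passes because the injected failures cross the threshold, an alert is raised within the latency limit and the response action runs; the second fails with `logged` true and `detected` false, which is exactly the "just being logged" case in the reply above. In a real engagement the same shape of evidence (rule identifier, injection time, alert time, response reference) is what an auditor would retain, with the injected events tagged so they are kept out of incident statistics.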