Audit and Assurance

SD-WAN Audit

  • 1.  SD-WAN Audit

    Posted 24 Mar, 2020 05:01
    Hi all,

    I hope you're all safe.

    I need to perform an audit on SD-WAN from the security and governance perspective. I've spent several hours looking for resources that would be of use (work programs, checklists, etc.), but so far I've not seen anything useful enough to help me build a testing plan.

    Do you have any resources that would help me on that, please?

    Thank you very much for your support!

    Regards,

    Ruben

    ------------------------------
    Ruben Davila Faundez
    IT/IS Audit Manager
    ------------------------------


  • 2.  RE: SD-WAN Audit

    Posted 13 Apr, 2020 13:51
    Hi Ruben,

    What risks and security controls are you auditing? Additional information would be greatly appreciated by the Community.

    Thanks.
    Sal

    ------------------------------
    Sal Rodriguez
    Director of Internal Audit
    CISA, CIA, CRMA, CCSA, CGAP, CICA, MBA, MS
    ------------------------------



  • 3.  RE: SD-WAN Audit

    Posted 18 Apr, 2020 09:59
    Ruben:

    This is a very complex product, but my presumption is to start with the following skeleton:

    1. Access control (includes authentication)
    2. Connection management to dispersed data centers
    3. Software licensing management
    4. Scope of multi-cloud choice and control (IaaS, PaaS, SaaS)
    5. Routing authorized traffic (check process of routing traffic)
    6. Failure management/recovery management - BCP/DR integrated
    7. Security policies and segmentation
    8. Planning application provisioning, bandwidth increases, and branch expansions
    9. Application Quality-of-Service (QoS) categorization and policy changes for predictable performance
    10. MPLS spending audit (for reduced spending)
    11. Bandwidth performance audit
    12. Configuration and change control (changes/additions, firmware upgrade/rollback)
    13. Training and certification requirements for teams (capability management)
    14. Operational risk management (failure, single point of failure, recovery, WAN changes, RTI)
    15. Integration with SIEM process
    16. Metrics and reporting
    17. Regulatory compliance management (NIST, ISO 27001, PCI DSS, etc.)

    Hope this helps, let me know if you need assistance.

    ------------------------------
    Thanks and regards,

    Suresh "Sam" Chhabria, MCOM, MBB, TQM, SOX, VCA, CISA
    Technology Auditor
    Governance Advisor
    ------------------------------
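Several of the skeleton items above (access control, security policies and segmentation, configuration and change control, SIEM integration) can be turned into repeatable test steps rather than interview questions. The script below is an added, illustrative example and is not code from any poster in this thread or from any SD-WAN vendor. It assumes a hypothetical, vendor-neutral JSON export of controller state (admin accounts, edge devices, segment policies, logging settings); the sample export is constructed inline, and a real audit would replace it with the controller's own export or API output and adjust the field names accordingly.

```python
"""Audit checks over a constructed, vendor-neutral SD-WAN controller export.

Each check maps to an item in the audit skeleton from the thread:
access control (1), segmentation (7), configuration/change control (12)
and SIEM integration (15). The JSON shape is a hypothetical assumption.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample export (not from any real controller). The schema is
# an assumption made for this example; map your vendor's fields onto it.
SAMPLE_EXPORT = json.dumps({
    "admins": [
        {"user": "alice", "role": "admin", "mfa": True, "last_login_days": 3},
        {"user": "svc-legacy", "role": "admin", "mfa": False, "last_login_days": 210},
    ],
    "edges": [
        {"name": "branch-01", "firmware": "4.2.1", "tunnel_cipher": "AES-256-GCM"},
        {"name": "branch-02", "firmware": "3.9.0", "tunnel_cipher": "AES-256-GCM"},
        {"name": "dc-01", "firmware": "4.2.1", "tunnel_cipher": "NULL"},
    ],
    "segments": {
        "guest": {"allowed_dst_segments": ["internet"]},
        "pos": {"allowed_dst_segments": ["any"]},
        "corp": {"allowed_dst_segments": ["dc", "internet"]},
    },
    "logging": {"syslog_targets": [], "audit_log_enabled": True},
    "change_control": {"approved_firmware": "4.2.1"},
})


@dataclass(frozen=True)
class Finding:
    area: str      # audit area from the skeleton
    subject: str   # account, edge, segment or "controller"
    detail: str    # what the evidence shows


def audit_sdwan(export_json: str, stale_days: int = 90) -> list[Finding]:
    """Run the four evidence-based checks and return every finding."""
    cfg = json.loads(export_json)
    findings: list[Finding] = []

    # 1. Access control: privileged accounts must have MFA and must not be stale.
    for acct in cfg.get("admins", []):
        if acct.get("role") == "admin" and not acct.get("mfa"):
            findings.append(Finding("access control", acct["user"], "admin role without MFA"))
        if acct.get("last_login_days", 0) > stale_days:
            findings.append(Finding("access control", acct["user"],
                                    f"no login for {acct['last_login_days']} days"))

    # 7. Security policies and segmentation: no segment may be allowed to reach "any".
    for seg, policy in cfg.get("segments", {}).items():
        if "any" in policy.get("allowed_dst_segments", []):
            findings.append(Finding("segmentation", seg,
                                    "segment policy permits traffic to any segment"))

    # 12. Configuration and change control: firmware drift from the approved
    # baseline, and overlay tunnels that are not encrypted.
    approved = cfg.get("change_control", {}).get("approved_firmware")
    for edge in cfg.get("edges", []):
        if approved and edge.get("firmware") != approved:
            findings.append(Finding("change control", edge["name"],
                                    f"firmware {edge['firmware']} differs from approved {approved}"))
        if edge.get("tunnel_cipher", "").upper() in ("", "NULL", "NONE"):
            findings.append(Finding("change control", edge["name"], "overlay tunnel not encrypted"))

    # 15. SIEM integration: the controller must forward to at least one syslog
    # target and keep its own audit log enabled.
    logging_cfg = cfg.get("logging", {})
    if not logging_cfg.get("syslog_targets"):
        findings.append(Finding("siem integration", "controller",
                                "no syslog/SIEM forwarding target configured"))
    if not logging_cfg.get("audit_log_enabled"):
        findings.append(Finding("siem integration", "controller", "controller audit log disabled"))

    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per audit area, for the work-paper summary."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.area] = counts.get(f.area, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_sdwan(SAMPLE_EXPORT)
    for f in results:
        print(f"[{f.area}] {f.subject}: {f.detail}")
    print(summarize(results))
```

The thresholds (90-day stale login, the approved firmware string) are the auditor's test criteria and should come from the organisation's own policy; the value of keeping them as parameters is that the same script can be re-run as the evidence for a follow-up audit.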