A Planning

i.1 Scope
Scope is limited to a high-level assessment of the network and security systems. This includes hardware,
software, policies and procedures.

i.2 Notification Procedures

Please include:
• Network Diagram
• Firewall Software inventory (include version)
• Operating system software inventory (include version)
• Firewall hardware inventory
• Communications hardware inventory and firmware versions

B Logical Access
Controls should provide reasonable assurance that logical access to firewall related systems is limited to
properly authorized individuals.

i.1 Background
Meet with Key Business Unit personnel and get an understanding of the logical access control
environment.

i.2 Policy
Determine if Business Unit security policies and procedures are documented.
Determine if security policies and procedures are available for review.

i.3 Security Procedures

Get an understanding of security awareness and an understanding of the security control environment.

Determine whether security measures have been implemented to restrict data access by users.

Determine if audit logs of users accessing the system are maintained.

Identify communication session security measures.

C Monitoring
Controls should provide reasonable assurance that problems are resolved in a timely manner.

i.1 Background
Meet with key personnel and get an understanding of the monitoring control environment.

i.2 Intrusion Detection System

What are the methods used for monitoring the firewalls, and who is responsible?
o Is there use of automated tools?
o Is there restricted access to these tools?
Determine if an Intrusion Detection System is in use and how it is being used:
o Real-time intrusion identification
o Real-time administrator notification
o Scope of detectable intrusions

i.3 Operational Performance

Identify controls in place to monitor system capacity and packet loss.
Identify policies and procedures related to firewall operational performance.

i.4 Response Procedures
Determine whether procedures have been documented and/or tested.
Determine whether policies and procedures have been documented that address multiple intrusion response
scenarios. Consider:
o Impact of various types of attack on business processes
o Level of response vs. type of attack
o Brute force attack response

D High Availability
Controls should provide reasonable assurance that programs are migrated from the development
environment to the production environment in accordance with clients’ instructions.

i.1 Background
Meet with Key Business Unit personnel to get an understanding of the high availability control
environment.

i.2 Firewall Redundancy

o Review the network diagram and identify firewall redundancy designs. Make observations about
redundancy within the network design, as it pertains to the firewalls, and identify procedures or
allowances for failures that could occur with the firewalls. Further, make observations regarding the
firewall placement and DMZ placement within the context of the overall network design that could
allow for potential threats and vulnerabilities.
o Tour the data center and ensure the network diagram reasonably reflects the hardware and
connectivity actually in place.

i.3 Disaster Recovery Plans

Identify procedures in place to restore firewalls in the event of a disaster:
o Configuration
o Patch Updates
o Testing procedures

i.4 Business Continuity Plans

Identify procedures in place to restore business functionality related to firewalls in the event of a disaster.
Consider:
o Business Unit communications
o Business Unit personnel training and awareness

i.5 Backup and Restoration Procedures

Identify procedures to back up firewalls. Consider:
o Incremental backup procedures and frequency for firewall logs
o Full backup procedures and frequency after changes are applied to firewall code/rules
o Testing of backups
o Number of generations maintained for both full and incremental backups
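As an added illustration (not part of the audit program above) of what the full-backup, generation-retention and backup-testing items look like in practice: a small Python routine that takes a full copy of a firewall rule-set file only when its contents changed, keeps a fixed number of generations, and records a digest so a restore test can detect a corrupted copy. The rule-set file, directory names and sample rules are constructed placeholders, not taken from any real firewall.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

def sha256_of(path):
    """Hex SHA-256 of a file; used as the 'did the rule set change?' signal."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def full_backup_if_changed(config_path, backup_dir, generations=3):
    """Full backup only if the rule set differs from the newest copy kept;
    prune to at most `generations` copies. Returns new path or None."""
    os.makedirs(backup_dir, exist_ok=True)
    digest = sha256_of(config_path)
    kept = sorted(f for f in os.listdir(backup_dir) if f.endswith(".cfg"))
    if kept and sha256_of(os.path.join(backup_dir, kept[-1])) == digest:
        return None                                   # unchanged: no new generation
    seq = int(kept[-1][:6]) + 1 if kept else 1        # generation counter
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest = os.path.join(backup_dir, f"{seq:06d}-{stamp}.cfg")
    shutil.copy2(config_path, dest)
    with open(dest + ".sha256", "w") as fh:           # digest for restore tests
        fh.write(digest)
    kept.append(os.path.basename(dest))
    for old in kept[:-generations]:                   # oldest beyond retention
        os.remove(os.path.join(backup_dir, old))
        os.remove(os.path.join(backup_dir, old + ".sha256"))
    return dest

def verify_backup(backup_path):
    """Restore test: the copy must still match the digest recorded with it."""
    with open(backup_path + ".sha256") as fh:
        return sha256_of(backup_path) == fh.read().strip()

def run_demo():
    """Exercise the rotation on five constructed rule-set revisions (placeholder paths)."""
    work = tempfile.mkdtemp()
    cfg, bdir = os.path.join(work, "fw.cfg"), os.path.join(work, "backups")
    for rev in range(5):                              # constructed sample rules
        with open(cfg, "w") as fh:
            fh.write(f"permit tcp any host 192.0.2.10 eq 443\ndeny ip any any  # rev {rev}\n")
        latest = full_backup_if_changed(cfg, bdir)
    unchanged = full_backup_if_changed(cfg, bdir)     # same content again
    count = len([f for f in os.listdir(bdir) if f.endswith(".cfg")])
    intact = verify_backup(latest)
    with open(latest, "a") as fh:                     # simulate a corrupted copy
        fh.write("corrupted\n")
    return count, unchanged, intact, verify_backup(latest)
```

With three generations retained, `run_demo()` returns `(3, None, True, False)`: three copies kept, no new copy for an unchanged rule set, the latest copy verifies, and the tampered copy fails its restore test.
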

E Physical and Environmental Controls
Controls should provide reasonable assurance that backup and recovery procedures and the redundancy
architecture are appropriate to preserve the integrity of system security, related programs, and data files.

i.1 Background
Get an understanding of the physical and environmental controls.

i.2 Physical Controls

Tour the data center and observe that physical access is appropriately controlled and monitored. Consider:
o Surveillance cameras
o Cardkey access
o Response procedures
o Maintenance of authorized personnel

i.3 Environmental Controls

Tour the data center and observe the environmental controls in place. Consider:
o Air conditioning
o Fire suppression system
o Locked cabinets and racks
o Raised floors
o Water detection devices
o Handheld fire extinguishers
o Backup generators
o Uninterruptible Power Supplies (UPS)