Saturday, July 30, 2011

PCI Auditing Difficulties Leading



Systems and System Boundaries

This compilation of white papers is presented as a public service by Mindteck Consulting as part of its ongoing effort to help businesses achieve a more effective information security posture. Each article targets one specific topic so that it is as specific and useful as it can be.

System auditing, security assessment, C&A and PCI audits have much in common despite some notable differences. Each of these processes starts from a defined point, ordinarily a snapshot of the organization at a particular moment in time. Each then examines the enterprise and its electronic assets to arrive at an end point; whether that end point is a Pass/Fail, a numerical score or a Risk Rating does not matter for our purposes. One issue common to all of these assessment methodologies is defining systems and system boundaries.

A "System" is defined as "a regularly interacting or interdependent group of items forming a unified whole" and also as "any network component, server, or application in or attached to the... data environment." These definitions work in 90% of the instances we are likely to encounter. The remaining 10% are difficult. The difficulty arises when we deal with technology that introduces situations which do not conveniently fit our common notion of what a "System" is. And without a clear picture of what systems exist in a particular organization, it is difficult to define their boundaries. It is in these areas of uncertainty, the grey areas, that we prove our worth as information security professionals. Some examples of particularly difficult cases, along with the approaches we have found to handle them, follow.

Virtual Machines

There was a day, years ago, when a computer was either a server or a workstation. One computer, one function (server or workstation), one OS, therefore one "System". But the lines began blurring recently with the arrival of VMware, Xen, Windows Virtual Machine and so forth. Now it became simple for one computer to host multiple operating systems, each running in its own protected and isolated instance (or so the story went). This situation posed, and continues to pose, perhaps the greatest problem in defining systems that professionals face today. For this first example we had to rethink our definition of what a "System" is, but that rethinking freed us to expand our idea of what constitutes a computer.

A client wanted a pre-PCI audit. They were a small shop and it was obvious that they were very careful about controlling their IT. They ran a dozen servers with virtualization software installed, so these 12 physical servers actually housed 31 different operating systems. The server which housed the database with credit card information also had 2 additional instances of the virtualization software, so that one server actually housed 3 separate OSs. (A word of explanation about software virtualization is needed here. There is a bewildering number of virtualization products on the market that can virtualize anything from a single internet session to an entire operating system. Our client used this latter form of software, virtualizing two Windows XP installations and one Red Hat Linux installation. This virtualization option is called "native" or "full virtualization".) One of the Windows 7 Server instances housed the client's Point of Sale (POS) software and database of credit card information. Access to that server was controlled by the firewall Access Control List (ACL) and by 2-factor authentication of the user. The pool of potential users was very small, at only 3 individuals. Initially this looked like a simple case that could easily fall within the PCI DSS standards. However, the server virtualization was the "fly in the ointment", since the PCI DSS Council had not yet fully addressed virtualization. We sought guidance in the PCI forums and also relied on our own expertise in evaluating this machine more closely. We audited each logical instance of a computer "system" on the server, but tempered this evaluation with the knowledge that these logical instances do not exist in a vacuum and that they are all deeply dependent on the software and hardware resident on the box.

Once we replaced our traditional idea of a "system" equating to one physical computer, we started to think in terms of "logical instances". This approach to dealing with computers is not without problems, but it has helped our practice immensely in our auditing assignments.
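The scoping reasoning above, written out as an added example (not code from the article or from Mindteck Consulting) over a small constructed inventory of hosts and logical instances: an instance holding cardholder data is in scope, the physical box beneath it comes into scope because the instance depends on that hardware and virtualization software, and the other instances sharing that box are flagged for review.

```python
from dataclasses import dataclass

# Constructed sample inventory for this example (not the client's real data):
# a few physical hosts and the logical instances each one carries.

@dataclass(frozen=True)
class Host:
    name: str
    virtualized: bool           # runs full-virtualization software

@dataclass(frozen=True)
class Instance:
    name: str
    os: str
    host: str                   # physical host the instance runs on
    holds_chd: bool = False     # stores or processes cardholder data

HOSTS = [Host("srv-01", True), Host("srv-02", True), Host("srv-03", False)]
INSTANCES = [
    Instance("pos-db", "Windows Server", "srv-01", holds_chd=True),
    Instance("xp-a", "Windows XP", "srv-01"),
    Instance("rhel-a", "Red Hat Linux", "srv-01"),
    Instance("mail", "Windows Server", "srv-02"),
    Instance("files", "Windows Server", "srv-03"),
]

def count_systems(hosts, instances):
    """Physical versus logical count: the old 'one box = one system' view
    against the 'logical instance' view the article arrives at."""
    return len(hosts), len(instances)

def audit_scope(hosts, instances):
    """An instance holding cardholder data is in scope; because a logical
    instance depends on the hardware and virtualization software beneath it,
    its physical host is in scope too; every other instance sharing that host
    is flagged for review since it lives on the same box."""
    known = {h.name for h in hosts}
    for inst in instances:
        if inst.host not in known:          # inventory inconsistency
            raise ValueError(f"{inst.name} runs on unknown host {inst.host}")
    chd = [i.name for i in instances if i.holds_chd]
    scoped_hosts = sorted({i.host for i in instances if i.holds_chd})
    coresident = [i.name for i in instances
                  if i.host in scoped_hosts and not i.holds_chd]
    return {"instances": chd, "hosts": scoped_hosts, "review": coresident}

if __name__ == "__main__":
    print(count_systems(HOSTS, INSTANCES))   # (3, 5)
    print(audit_scope(HOSTS, INSTANCES))
```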
