Tuesday, 27 May 2014

Audit Report template

Audit Report
For
Lake Dale Contact Center (LDCC)

By Bernardino, Raul

Audit Objective:
LDCC intends to obtain ISO 27001:2013 certification.

Audit Scope:
The Information Security Management System (ISMS) applies to the provision of telephony services and to the management of information and business support services at our only site in Mumbai (India), in accordance with the ISMS Statement of Applicability (SoA) revision 03, dated 21/Sept/2014. The scope of this ISMS excludes all outsourced IS processes (as they are not controlled by LDCC).

Audit Criteria:
ISO/IEC 27001:2013

Conclusion:
The audit team found several non-conformities (NCs) during the audit. The audit team decided not to proceed with ISO 27001:2013 certification of LDCC until those NCs have been corrected.
We encourage the Management Review to monitor the relevant risk owners closely so that correction and corrective action are taken and continual improvement is achieved.

Recommendations:
The audit team recommends that the Management Representative (MR) treat the Major Non-Conformities (NCs) more seriously and liaise with the Risk Owners to take correction and corrective action on the findings.
The MR shall ensure that all Risk Owner approvals are obtained and that the risks are accepted.
The MR shall liaise with the internal auditor to carry out internal audits periodically or as per the internal audit plan.

The MR should produce an effectiveness report on the implementation of the corrective actions for the NCs.
The external auditor will perform the follow-up audit within the next 60 days.

Description of Audit Process:
The audit team consists of Mr. Dino, the Lead Auditor, Mr. Toha, auditor team member, and Ms. Qory, auditor team member. The audit team met with Mr. Sanchez, the Management Representative, and the meeting took place as per the agreed schedule.

The lead auditor greeted the Management Representative, Mr. Sanchez, and introduced the auditor team members. The lead auditor explained the objective of the meeting, and Mr. Sanchez welcomed the auditor team members warmly. The atmosphere was friendly and conducive for both auditors and auditee.

The lead auditor started with a brief interview of the MR, followed by questions focusing on clause 6. For instance: how do you prevent or reduce undesired effects?
The MR replied that they had carried out risk assessment, risk analysis and risk evaluation of the external and internal issues, and that they were seriously tackling the issues in compliance with the ISMS standard. Why, for some risks, had the RO not signed or approved the risks? The MR replied that those staff were on leave and would sign once they returned.

The auditor team member asked how LDCC set its risk criteria. The MR replied that they simply use Low, Medium and High as their parameters. Ms. Qory asked a follow-up question: what if the risk owner changes and the new person does not know the situation and makes a wrong judgment? The MR replied that they would know that.

Another auditor team member questioned the SoA document, which is based on assets and not on controls. The MR replied that they have a procedure for that.
The lead auditor asked about the large number of lost documents and unorganized files. The MR replied that they just lock the door when they are out of the office; the follow-up question was: what about the janitor, who has the key, accessing the room and looking at confidential files or documents? The MR insisted that once they lock the door no one can access it.
During this interview, the auditor team members found several NCs, which are listed in the following section.

Non-Conformities (NC):
1. Risk Owner (RO) [Minor NC]:
Based on the Risk Assessment template ISO 27001 - D13 - issue 1, we found that some Risk Owners had not approved the risks, especially in sections A1 and A18.
During the audit process, the Management Representative (MR) stated that the Risk Owners had not approved because they were on leave.
This is against the requirement of ISO 27001:2013 clause 6.1.3 (f), which is to 'obtain Risk Owners' approval of the information security Risk Treatment Plan (RTP) and acceptance of the residual information security risks'.
2. The Statement of Applicability (SoA) document is not effective [Major NC]
The SoA document, number SoA - D14 - issue 1, is based on assets and not on controls.
This is against the requirement of ISO 27001:2013 clause 6.1.3 (d), which is to 'produce a Statement of Applicability that contains the necessary controls (see 6.1.3 (b) and (c)) and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A'.
3. Risk Criteria were not effective [Major NC]
LDCC did not define the information security risk criteria properly: based on the document Information Security Risk Procedure - D11 - issue 2, there is no definition of the scoring levels for consequence, likelihood and occurrence in the procedure. This can lead to different assumptions among the risk owners.
This is against the requirement of ISO 27001:2013 clause 6.1.2 (b), which is to 'ensure that repeated information security risk assessments produce consistent, valid and comparable results'.

Observation:
The auditors and the auditee had a relaxed session, which created a conducive atmosphere; the flow of questions and answers was pleasant, even though it revealed no proper implementation.

Schedule for Next external audit:
July 10, 2014

Dated: May 9, 2014

Prepare by,                                                                    Approved by,


Mr. Dino, Lead Auditor                                   Mr. Sanches, MR

TCP, UDP and Wireshark-Lab

By Raul Bernardino

Abstract:
The transport layer provides logical communication between processes residing on different network nodes. Whenever the word logical is used in the computing literature, it denotes an abstraction of the physical; in other words, it makes a complicated physical specification simpler. Thus we have logical and physical memory addresses, logical and physical records, and so forth. In the same sense, the transport layer simplifies communication between processes by providing an abstract form instead of the actual, complex communication. Accordingly, an application located on one computer can exchange messages with another, remote application as if both were resident on the same computer.

Introduction:
The transport layer depends on the network layer to obtain a logical communication link to remote hosts. The network layer provides only a best-effort service to pass data between hosts; in other words, it does not guarantee delivery. To offset the lack of reliability of the network layer, the transport layer applies data-loss detection and retransmission to provide applications with a reliable communication link. In addition, the transport layer regulates the data transmission rate to avoid congesting network links. Two protocols operate within the transport layer: TCP and UDP.

These two protocols provide applications with the required quality of service: TCP guarantees error-free service, while UDP provides constant data transmission. The choice between one protocol and the other depends on the application.

Multiplexing and De-multiplexing:
A major job of the transport layer is to collect data units from the application layer, wrap them in headers and forward them to the network layer to be sent to a destination host. We will follow the textbook convention of calling the wrapped data units segments. Collecting segments from different applications is called multiplexing. At the receiving end, the transport layer receives segments from the network layer. In order to identify the recipient application, the receiving transport layer analyzes the header that the sending transport layer attached to the segment. Then the receiving transport layer passes each received segment to the corresponding application. This act is called de-multiplexing.
Transport layers identify the receiving application with the aid of a three-number address. Applications are associated with port numbers, which identify the interface between the application layer and the transport layer. Since network applications follow the client/server model, the port numbers of the sending and receiving applications are the same. To allow more than one application of the same type to be active, a second number is added to distinguish between these applications.

Furthermore, to allow applications of the same type running on other hosts to send segments to applications on a server, a third number is used. The third number reflects the identity of the host on which a client application runs. The three numbers taken together (the triplet) identify the receiving application for the transport layer.

Connectionless Transport: UDP
We have already mentioned that there are two protocols operating within the transport layer (TCP and UDP). We also mentioned that the transport layer is responsible for the reliability of transmission (we will see later that other layers also perform different degrees of reliability control).

UDP can be described as the less complex of the two transport layer protocols, yet it is the more efficient one. Being less complex also means UDP provides fewer services to applications. The main difference between UDP and TCP is the quality of service: TCP invests more time in assuring error-free delivery than UDP does. However, time-critical applications are less willing to pay for this assurance, especially if there is tolerance for some glitches in the received data. Imagine losing several milliseconds of voice in a radio (or TV) broadcast: it is not much worse than a perfect but variable-speed transmission.

There are obviously advantages to using UDP over TCP. Most of these advantages stem from the smaller UDP segments and the unthrottled delivery. For example, the header overhead of a UDP segment is only 8 bytes versus 20 bytes for TCP. In addition, TCP senders and receivers require additional storage to hold the connection state.

UDP is not totally free of error checking. In fact, UDP does provide an indication of corrupted data to the receiver, and it is then left to the receiver to decide what to do. Some applications take advantage of this feature and include their own reaction to errors. Error detection is done in a simple way through a two-byte checksum in the segment header. The checksum contains the 1s complement of the 16-bit 1s-complement sum of the header and data.
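To make the checksum rule concrete, here is an added example (not code from the original post) that builds an IPv4 UDP segment, fills in the RFC 768 checksum over the pseudo-header, UDP header and payload, and runs the receiver-side check; the addresses, ports and payload are constructed for this example.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data (an odd trailing byte is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)  # fold the carry back into the low 16 bits
    return total

def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    # IPv4 pseudo-header: source IP, destination IP, zero byte, protocol 17 (UDP), UDP length.
    # Covering the addresses means a datagram delivered to the wrong host also fails the check.
    return struct.pack("!4s4sBBH", ip_bytes(src_ip), ip_bytes(dst_ip), 0, 17, udp_length)

def build_udp_segment(src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Return UDP header + payload with the checksum field filled in."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)  # checksum field zeroed first
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    if csum == 0:
        csum = 0xFFFF  # a transmitted 0 means "no checksum", so send the equivalent 0xFFFF
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload

def verify_udp_segment(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver check: summing everything, checksum field included, must give 0xFFFF."""
    checksum = struct.unpack("!H", segment[6:8])[0]
    if checksum == 0:
        return True  # sender did not compute a checksum; there is nothing to verify
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return total == 0xFFFF

# Constructed sample datagram (addresses, ports and payload are made up for this example).
SAMPLE = build_udp_segment("10.2.0.93", "128.119.245.12", 55070, 53, b"example payload")
CORRUPTED = SAMPLE[:12] + bytes([SAMPLE[12] ^ 0x01]) + SAMPLE[13:]  # flip one payload bit
```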
Two hosts, A and B, send datagrams to each other.
The segment travelling from B to A has source port number Y and destination port number X, as seen in the diagram below:

Q2.: Yes, it can run over the UDP protocol. In order to explain that, we have to understand how multiplexing and de-multiplexing work.
De-multiplexing (de-mux):
a) The host receives IP datagrams; each datagram has source and destination IP addresses and carries one transport layer segment, and each segment has source and destination port numbers.
b) The host uses the IP addresses and port numbers to direct the segment to the appropriate socket, as seen in the diagram below:
UDP (connectionless) de-multiplexing on the sender side:
UDP creates sockets bound to port numbers, for instance socket-1 with port 1234 and socket-2 with port 1243. How are UDP sockets identified? A UDP socket is identified by a 2-tuple: the destination IP address and the destination port number.
UDP (connectionless) de-multiplexing on the receiver side:
When the host receives a segment, it first checks the destination port in the segment and then directs the UDP segment to the socket bound to that port number; second, IP datagrams with different source IP addresses and/or source port numbers are directed to the same socket, as can be seen in the diagram below:



In process P1, client B sends a datagram with its own source port (SP) 5775 and destination port (DP) 6428 to server C. Client A, in process P2, sends from its source port 9157 to the same destination port 6428 on server C. Both datagrams are delivered to the same UDP socket on C, since only the destination IP address and port 6428 are used for de-multiplexing. Server C, in process P3, replies to each client by swapping the ports: SP 6428 to DP 9157 for client A, and SP 6428 to DP 5775 for client B, the original requestor.
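As an added illustration (not part of the original lab answer), the following simulation models a host's de-multiplexing tables: UDP sockets keyed by the 2-tuple and TCP sockets keyed by the 4-tuple, using server C and clients A and B with the port numbers from the description above. The `Host` and `Segment` classes, host names and socket names are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    proto: str          # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP connection request

class Host:
    """Transport-layer de-multiplexing tables of one host (simplified; no wildcard binds)."""
    def __init__(self):
        self.udp_sockets = {}      # (dst_ip, dst_port) -> socket name
        self.tcp_listeners = {}    # (dst_ip, dst_port) -> listening socket name
        self.tcp_connections = {}  # (src_ip, src_port, dst_ip, dst_port) -> socket name

    def bind_udp(self, ip, port, name):
        self.udp_sockets[(ip, port)] = name

    def listen_tcp(self, ip, port, name):
        self.tcp_listeners[(ip, port)] = name

    def demux(self, seg: Segment):
        """Return the socket a segment is delivered to, or None if no socket matches."""
        if seg.proto == "udp":
            # UDP: 2-tuple lookup, so datagrams from any source share one socket.
            return self.udp_sockets.get((seg.dst_ip, seg.dst_port))
        four_tuple = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        if four_tuple in self.tcp_connections:
            return self.tcp_connections[four_tuple]
        listener = self.tcp_listeners.get((seg.dst_ip, seg.dst_port))
        if seg.syn and listener:
            # accept(): each TCP connection gets its own socket keyed by the full 4-tuple.
            name = f"{listener}/conn{len(self.tcp_connections) + 1}"
            self.tcp_connections[four_tuple] = name
            return name
        return None  # undeliverable: UDP answers with ICMP port unreachable, TCP with RST

def demo():
    """Server C on port 6428; clients A (port 9157) and B (port 5775) as in the description."""
    c = Host()
    c.bind_udp("C", 6428, "udp-sock")
    c.listen_tcp("C", 6428, "tcp-listen")
    udp = [c.demux(Segment("udp", "A", 9157, "C", 6428)),
           c.demux(Segment("udp", "B", 5775, "C", 6428))]
    tcp = [c.demux(Segment("tcp", "A", 9157, "C", 6428, syn=True)),
           c.demux(Segment("tcp", "B", 5775, "C", 6428, syn=True)),
           c.demux(Segment("tcp", "A", 9157, "C", 6428))]  # later data segment from A
    return udp, tcp
```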

Q3.: The solution relies on TCP fairness. Why is that? The two TCP sessions share the same bottleneck link of bandwidth R bps. The fair transmission rate for each is R/2, as seen in the diagram below:

These two TCP sessions compete for an equal share of the available bandwidth, with the result seen in the diagram below:

Both TCP connections increase their rates additively, which moves the pair of throughputs along a line of slope 1, and on loss each decreases its rate multiplicatively, which reduces both throughputs proportionally. Repeating this brings the two throughputs closer to the equal-share line.
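An added simulation (not from the original post) of the additive-increase, multiplicative-decrease behaviour described above for two TCP flows sharing a bottleneck of R = 100; the starting rates, number of rounds and the loss rule (both flows halve whenever their combined rate exceeds R) are constructed simplifications for this example.

```python
def aimd_two_flows(capacity, x0, y0, rounds, alpha=1.0, beta=0.5):
    """Simulate two TCP connections sharing one bottleneck link of bandwidth `capacity`.

    Each round both connections raise their rate by `alpha` (additive increase: the point
    (x, y) moves along a slope-1 line).  When the combined rate exceeds the link capacity
    both see loss and cut their rate by the factor `beta` (multiplicative decrease: the
    point moves toward the origin along the line through it).
    Returns the list of (x, y) rate pairs after every round.
    """
    x, y = float(x0), float(y0)
    history = [(x, y)]
    for _ in range(rounds):
        x += alpha
        y += alpha
        if x + y > capacity:
            x *= beta
            y *= beta
        history.append((x, y))
    return history

def jain_fairness(rates):
    """Jain's fairness index: 1.0 when all flows get an equal share, 1/n in the worst case."""
    n = len(rates)
    return sum(rates) ** 2 / (n * sum(r * r for r in rates))

def fairness_gap(history):
    """|x - y| at the start and at the end of a run; the gap halves at every loss event."""
    (x0, y0), (xn, yn) = history[0], history[-1]
    return abs(x0 - y0), abs(xn - yn)

# Constructed scenario: link of R = 100 rate units, one flow starting far ahead of the other.
RUN = aimd_two_flows(capacity=100, x0=10, y0=90, rounds=300)
```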

Q4.: Wireshark-Lab:
Q4.1: The IP address is 128.119.245.12, as seen in the screenshots below:



where the source port is SP: http (80) and the destination port is DP: 55070.

Q4.2: The IP address of my computer is 10.2.0.93, as seen in the screenshot below:

where the source port is SP: 55070 and the destination port is DP: http (80).


Q4.3: TCP sequence #: 449730, next sequence #: 449868, as seen in the screenshot:


The POST data is 50 4f 53 54 (the ASCII bytes of "POST"), as seen in the screenshot:



Q4.4: The first length is 52, as seen in the screenshot:

The second length is 52, as seen in the screenshot:

The third length is 40, as seen in the screenshot:

The fourth length is 40, as seen in the screenshot:

The fifth length is 40, as seen in the screenshot:

The sixth length is 40, as seen in the screenshot:



Reference List:
1. Kurose, J. and Ross, K. (2010) Computer Networking: A Top-Down Approach, 5th edition. Boston: Addison-Wesley.
2. Lecture notes, CPCOMM_week3_lecture.
3. Kessler, G.C. (Nov 9, 2010) An Overview of TCP/IP Protocols and the Internet [online]. Available from: http://www.garykessler.net/library/tcpip.html (Accessed: 24 May 2014).