
Apache Web Services Server

Audit/Assurance Program
Apache Web Services Server Audit/Assurance Program
ISACA

With 95,000 constituents in 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance and management of IT, and IT-related risk and compliance. Founded in 1969, the nonprofit, independent ISACA hosts international conferences, publishes the ISACA Journal, and develops international IS auditing and control standards, which help its constituents ensure trust in, and value from, information systems. It also advances and attests IT skills and knowledge through the globally respected Certified Information Systems Auditor® (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA continually updates COBIT®, which helps IT professionals and enterprise leaders fulfill their IT governance and management responsibilities, particularly in the areas of assurance, security, risk and control, and deliver value to the business.
Disclaimer
ISACA has designed and created Apache Web Services Server Audit/Assurance Program (the "Work") primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit/assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or IT environment.
Reservation of Rights
© 2010 ISACA. All rights reserved. No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use, and consulting/advisory engagements, and must include full attribution of the material's source. No other right or permission is granted with respect to this work.
ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org
ISBN 978-1-60420-164-2
CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.
Apache Web Services Server Audit/Assurance Program is an independent publication and is not affiliated with, nor has it been authorized, sponsored or otherwise approved by The Apache Software Foundation.
© 2010 ISACA. All rights reserved. Page 2
ISACA wishes to recognize:

Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive Inc., USA
Expert Reviewers
Anjay Agarwal, CISA, CGEIT, CRISC, AAA Technologies P. Ltd., India
Faraz Farooqi, Canada
Abdus Sami Khan, Sami Associates, Pakistan
William C. Lisse Jr., CISA, CGEIT, CISSP, G7799, PMP, OCLC, Inc., USA
Raúl Millán, CISA, CISM, CCSE, CEI, CISSP, Consultores de Seguridad Informática, S.A., Panamá
ISACA Board of Directors
Emil D'Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, Forfa AG, Germany, Vice President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPA, PSP, Security Risk Management, USA, ITGI Trustee
Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA
Guidance and Practices Committee
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, Westpac New Zealand, New Zealand
ISACA and IT Governance Institute Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d'Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
ASI System Integration
Hewlett-Packard
IBM
SOAProjects Inc.
Symantec Corp.
TruArx Inc.
Table of Contents
I. Introduction 4
II. Using This Document 5
III. Controls Maturity Analysis 8
IV. Assurance and Control Framework 9
V. Executive Summary of Audit/Assurance Focus 11
VI. Audit/Assurance Program 13
1. Planning and Scoping the Audit 13
2. Preparatory Steps 14
3. Host System 15
4. Web Server 17
5. Shared IT Management Services 22
6. Web Server Additional Components 24
VII. Maturity Assessment 25
VIII. Assessment Maturity vs. Target Maturity 27
I. Introduction
Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and that are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.
Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF section 4000—IT Assurance Tools and Techniques.
Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management.
Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. They seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise's control framework.
Governance, Risk and Control of IT
Governance, risk and control of IT are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues will be evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program identifies the control objectives and the steps to determine control design and effectiveness.
Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.
II. Using This Document
This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.
Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific work paper for that section. The physical document was designed in Microsoft® Word. The IT audit and assurance professional is encouraged to make modifications to this document to reflect the specific environment under review.
Step 1 is part of the fact gathering and prefieldwork preparation. Because the prefieldwork is essential to a successful and professional review, the steps have been itemized in this plan. The first level steps, e.g., 1.1, are in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the substeps.
Beginning in step 2, the steps associated with the work program are itemized. To simplify use, the audit/assurance program describes the audit/assurance objective—the reason for performing the steps in the topic area—and the specific controls follow. Each review step is listed after the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed.
The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.
The audit/assurance plan wrap-up—those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing and report clearing—has been excluded from this document because it is standard for the audit/assurance function and should be identified elsewhere in the enterprise's standards.
COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Subprocesses in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized in a manner to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit and assurance professionals. This ties the assurance work to the enterprise's control framework. While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their reports, and summarize assurance activities to the audit committee of the board of directors.
For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.
The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. Large enterprises are in the process of adopting ERM. The two frameworks are compared in figure 1.
Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks
(Left column: Internal Control Framework; right column: ERM Integrated Framework. Rows are paired below in the order of the original table.)

Internal Control Framework / Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management's operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.
ERM Integrated Framework / Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

ERM Integrated Framework / Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.

ERM Integrated Framework / Event Identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

Internal Control Framework / Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.
ERM Integrated Framework / Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

ERM Integrated Framework / Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity's risk tolerances and risk appetite.

Internal Control Framework / Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.
ERM Integrated Framework / Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Internal Control Framework / Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.
ERM Integrated Framework / Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Internal Control Framework / Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system's performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.
ERM Integrated Framework / Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.
The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for its audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure 1.
Reference/Hyperlink
Good practices require the audit and assurance professional to create a work paper that describes the work performed, issues identified and conclusions for each line item. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the work paper that supports it. The numbering system of this document provides a ready numbering scheme for the work papers. If desired, a link to the work paper can be pasted into this column.
Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a work paper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).
Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a work paper that describes the work performed.
III. Controls Maturity Analysis
One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions. Maturity modeling for management and control over IT processes is based on a method of evaluating the enterprise, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development.
IT Assurance Guide Using COBIT, Appendix VII—Maturity Model for Internal Control (figure 2) provides a generic maturity model that shows the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale.
Figure 2—Maturity Model for Internal Control
(Columns of the original table: Maturity Level; Status of the Internal Control Environment; Establishment of Internal Controls.)

Maturity Level 0—Non-existent
Status of the Internal Control Environment: There is no recognition of the need for internal control. Control is not part of the organization's culture or mission. There is a high risk of control deficiencies and incidents.
Establishment of Internal Controls: There is no intent to assess the need for internal control. Incidents are dealt with as they arise.

Maturity Level 1—Initial/ad hoc
Status of the Internal Control Environment: There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities.
Establishment of Internal Controls: There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident.

Maturity Level 2—Repeatable but Intuitive
Status of the Internal Control Environment: Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities.
Establishment of Internal Controls: Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan.

Maturity Level 3—Defined
Status of the Internal Control Environment: Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control.
Establishment of Internal Controls: Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process.

Maturity Level 4—Managed and Measurable
Status of the Internal Control Environment: There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls.
Establishment of Internal Controls: IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally.

Maturity Level 5—Optimized
Status of the Internal Control Environment: An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements.
Establishment of Internal Controls: Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned.
The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report and can be used as a metric from year to year to document progress in the enhancement of controls. However, the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder's concurrence before submitting the final report to management.
At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the six-level scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page of the document (section VIII), based on sample assessments.
IV. Assurance and Control Framework
ISACA IT Assurance Framework and Standards
ITAF section 3630.14—Operating Systems (OSs) Management and Controls—is relevant to Apache Web Services Server.
ISACA Controls Framework
COBIT is a framework for the governance of IT and a supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises.
Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise.
COBIT IT process DS9 Manage the configuration from the Deliver and Support (DS) domain addresses good practices for ensuring the integrity of hardware and software configurations. This requires the establishment and maintenance of an accurate and complete configuration repository. Sections from DS5 Ensure systems security and AI3 Acquire and maintain technology infrastructure are relevant in the implementation process.
The configuration COBIT control objectives are:
DS9.1 Configuration repository and baseline—Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.
DS9.2 Identification and maintenance of configuration items—Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.
DS9.3 Configuration integrity review—Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
The security and design COBIT control objectives are:
AI3.2 Infrastructure resource protection and availability—Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
AI3.3 Infrastructure maintenance—Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requirements.
DS5.3 Identity management—Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
DS5.4 User account management—Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users.
DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained.
DS5.6 Security incident definition—Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.
DS5.10 Network security—Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.
Refer to the ISACA publication COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, published in 2007, for the related control practice value and risk drivers.
V. Executive Summary of Audit/Assurance Focus
Apache Security
Apache Web Services Server, commonly referred to as Apache, is the most popular web server in use today and accounts for more than 50 percent of web server installed bases. Apache is primarily used to display web pages on the World Wide Web. It resides as an application on a host computer or server. Apache operates on most operating systems (hosts) including the various proprietary versions of UNIX, Linux, Windows Server and Apple Macintosh, providing portability and consistency between operating platforms. It provides the basic web operating environment platform for specific supporting applications, including database management systems, dynamic content management, server programming, etc. Apache operates as a process, using the host operating system for basic support, including security, access control, etc.
Apache is authored by the Apache Software Foundation. The licence is open source, which requires the user to preserve copyright notices, but permits the source code to be modified and/or distributed freely. Some hardware vendors bundle Apache with their operating system; others provide links to the Apache Software Foundation web site. Users can download the source, determine the components to be included in their internal version and compile a customised executable version of the Apache Web Services Server.
Apache Web Services Servers are used in the enterprise operating environment as external e-commerce or content servers and, internally, as the front-end to accounting and business operations and documentation repositories. Failure of an Apache server to be properly configured could result in the inability of the business to execute its critical processes and in the loss of intellectual property. The collective development of Apache adds additional risk. Unless the distribution is controlled and managed, dangerous processes could be introduced into the operating system as a result of the open nature of the operating system and its essential processes. In addition, the security of Apache Web Services Server is dependent upon the configuration of the operating system.
Business Impact and Risk
Apache risks resulting from ineffective or incorrect operating system configurations are dependent on the applications processed by the web server. These issues could include:
Disclosure of privileged information
Loss of physical assets¹
Loss of intellectual property
Loss of competitive advantage
Loss of customer confidence
Loss of reputation
Violation of regulatory requirements
Disruption of the computer infrastructure resulting in the inability to perform critical business functions
Infection of computer systems with viruses and the like to disrupt processing
Use of the web server as a launching pad for malicious activity against other entities (and the potential to be held liable for the damages)
¹ Instances in which the system under review processes transactions as affecting assets, i.e., inventory, order entry/shipping, investments and cash
Objective and Scope
Objective—The objective of the Apache Web Services Server security audit/assurance review is to provide management with an independent assessment relating to the effectiveness of the configuration and security of Apache Web Services Servers within the enterprise's computing environment.
Scope—The review will focus on the configurations of the relevant Apache Web Services Servers within the enterprise. The selection of the applications/functions and specific servers will be based on the risks introduced to the enterprise by these systems.
Numerous Apache modules exist to provide customized resources and capabilities. Because each installation may use different web programming and support tools, this audit/assurance program is limited in scope to the Apache Web Services Server configuration. Additional software, including databases, dynamic content systems, common gateway interfaces, server-side includes, etc., are excluded from the scope of this review. It is suggested that either separate audits be performed of these products or that this audit/assurance program be modified to address these specific extensions to the basic Apache Web Services Server.
Apache Web Services Server relies on the integrity of the host operating system. Accordingly, the auditor must perform or have access to a recent audit of the host operating system's configuration and be assured of the integrity and security of the host. If this cannot be assured, the audit of the host operating system should be completed prior to beginning this audit. If the audit has identified significant deficiencies or material weaknesses, the audit should be postponed until these issues are remediated.
[The remainder of this paragraph needs to be customized to describe which servers and applications within the enterprise will be reviewed.]
Minimum Audit Skills
This review is considered highly technical. The IT audit and assurance professional must have an understanding of the host operating system's good-practice configuration and known security weaknesses. Since Apache is built on the UNIX model, knowledge of UNIX processes, functionality and utility tools is required. It should not be assumed that an audit and assurance professional holding the CISA designation alone has the requisite skills to perform this review.
VI. Audit/Assurance Program
Audit/Assurance Program Step | COBIT Cross-reference | COSO Reference (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring) | Hyper-link | Issue Cross-reference | Comments
1. PLANNING AND SCOPING THE AUDIT
1.1 Define the audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.
1.2 Define the boundaries of the review.
The review must have a defined scope. Understand the functions and application requirements for the web servers within the scope.
1.2.1 Obtain a description of the applications operating on the web servers.
1.2.2 Determine the web servers to be within scope.
1.3 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures utilization of audit resources in the most effective manner.
1.3.1 Identify the business risks associated with the web server applications and any specific functionality of the web server.
1.3.2 Evaluate the overall risk factor for performing the review.
1.3.3 Based on the risk assessment, identify changes to the scope.
1.3.4 Discuss the risks with IT management, and adjust the risk assessment.
1.3.5 Based on the risk assessment, revise the scope.
1.4 Define the change process.
The initial audit approach is based on the reviewer's understanding of the operating environment and associated risks. As further research and analysis are performed, changes to the scope and approach may result.
1.4.1 Identify the senior IT assurance resource responsible for the review.
1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance program and the authorizations required.
1.5 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.5.1 Identify the drivers for a successful review (this should exist in the assurance function's standards and procedures).
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.
1.6 Define the audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end dates) required for the review.
1.7 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses or meetings, and the final report.
1.8 Communications
The audit/assurance process must be clearly communicated to the customer/client.
1.8.1 Conduct an opening conference to discuss:
Review objectives with the stakeholders.
Documents and information security resources required to effectively perform the review
Timelines and deliverables
2. PREPARATORY STEPS
2.1 Obtain and review the current organization chart for the operating system's management and security functions.
2.2 Determine if an audit of the host operating system has been performed.
2.2.1 If an audit had been performed, obtain the work papers for the previous audit.
2.2.1.1 Review the security configuration, and determine if identified issues have been corrected.
2.2.1.2 Determine if the specific web servers under consideration for inclusion in the scope of this audit were included in the operating system review.
2.2.2 If an audit has not been performed as described in 2.2.1 or the web servers were not within scope, consider performing an audit of the web server's host operating system prior to continuing with this audit/assurance program.
2.3 Select the servers to be included in the review.
2.3.1 Based on the prioritized list of web servers developed previously, identify the servers to be included in the review. Be sure that there is a representative sample of high-risk web servers. A group of servers may have similar functions and can be aggregated into a group.
2.3.2 Determine if there is a corporate standard server configuration and related settings for web servers.
2.3.3 If a corporate standard server configuration and related settings for Apache Web Servers do not exist, recommend the development of standards as a basis for continuing the audit.
2.4 Obtain web configuration documentation for the servers to be reviewed.
2.4.1 Obtain the following file listings using the host operating system's utilities or reporting software:²
httpd.conf
apache2.conf
Files in and subordinate to the conf.d directory
2.4.2 Obtain the read access permissions for the following directories:
apache2
www
2.4.3 Obtain an understanding of the operating environment and management issues.
2.4.4 Interview the senior operating system's management analyst (manager or director) to obtain an understanding of policies, procedures and known issues.
² Consult the host operating system documentation for specific commands and locations.
3. HOST SYSTEM
3.1 Hardened Host System
Audit/Assurance Objective: The operating system of the server that hosts the web server has been configured to address identified security vulnerabilities or compensating controls for residual risks.
4. Web Server is Isolated
Control: Web server is hosted on a dedicated server.
COBIT cross-reference: AI3.2, DS9.1
4.1.1.1 Verify that the computer hosting the web server is dedicated to the web server function.
5. Web Server Host Operating System Configuration
Control: The host operating system is configured to ensure that the web server will not be subject to host operating system configuration vulnerabilities.
COBIT cross-reference: AI3.2, DS5.3, DS5.4, DS9.1, DS9.2, DS9.3
5.1.1.1 Determine if an assurance review has been performed on the configuration of the host web server.
5.1.1.2 If the assurance review has been performed, determine that all follow-up security issues have been corrected.
5.1.1.3 If an assurance review has not been performed, execute a review of the host server prior to continuing with this assessment. It is suggested that you use the ISACA UNIX/Linux Audit/Assurance Program or an equivalent Windows audit/assurance program that focuses on a server environment.
5.1.1.4 Determine if a list of authorized services and daemons exists for web servers.
5.1.1.5 If the list exists, examine it for potentially risky modules or services.
5.1.1.6 If no list exists, determine how servers are protected from unauthorized services or modules.
5.1.1.10 Determine that only UNIX/Linux core services required to host a web server are installed (specific Apache and web services will be addressed later).
5.1.1.11 Determine the services running on the host server.
5.1.1.12 On non-Red Hat servers, run ntsysv or rcconf.
5.1.1.13 For Red Hat: use chkconfig --list.
5.1.1.14 Determine services built into the server build.
5.1.1.15 Investigate and evaluate modules or services not on the approved list.
6. Web Server Security Updates
Control: Operating system updates are applied routinely.
COBIT cross-reference: AI3.2, DS9.1, DS9.2
6.1.1.1 Determine if policies exist that prescribe how security updates are evaluated, prioritized, tested and applied to production servers.
6.1.1.2 If policies do not exist, determine how security updates are evaluated, prioritized, tested and applied to production servers.
6.1.1.3 Obtain update logs.
6.1.1.4 Determine if the update policy has been followed.
7. User Access to /chroot³
Control: Minimize users having access to /chroot.
COBIT cross-reference: AI3.2, DS5.3, DS5.4, DS9.2
7.1.1.1 Identify users having access to /chroot.
7.1.1.2 Execute the following command to identify all IDs having ROOT access: find / -perm -4000 -user /chroot -type f (for UNIX/Linux server).
7.1.1.3 Determine if the following directories are restricted from ROOT access:
1. /etc/group
2. /etc/passwd (who has GID 0)
3. /etc/sudoers (or equivalent) and how that is configured, then review /etc/group and /etc/passwd for "sudo"ers
7.1.1.4 Review syslog files for the use of "su" or "sudo".
8. WEB SERVER⁴
³ The directory /chroot is a directory directly subordinate to the ROOT of a volume. It can have any name, but its purpose is to isolate the directory structure of the Apache files from other directories.
⁴ Prior to executing this section of the audit/assurance program, it is suggested that the auditor obtain the latest set of Apache vulnerabilities and adjust the program accordingly. Refer to: http://httpd.apache.org/security_report.html.
8.1 Enabled Web Server Modules
Audit/Assurance Objective: Only necessary web server modules are installed and enabled.
9. Web Server Module Policy
Control: Policies are in force to identify and approve authorized web server modules based on criteria of functional need.
COBIT cross-reference: AI3.2, DS9.1, DS9.2
9.1.1.1 Determine if a policy exists that establishes the approved modules and a process for approval.
10. Unnecessary Modules Are Disabled
Control: The Apache Web Services Server configuration limits the web modules to those required for the web services offered.
COBIT cross-reference: AI3.2, DS9.1, DS9.2
10.1.1.2 Assess if the Apache version installed on the web server is a standard distribution or specially compiled version.
10.1.1.3 If the Apache version is custom compiled, obtain compile lists to identify modules included in the compile.
10.1.1.4 Review the compile configuration for approved modules during compilation.
10.1.1.5 Determine the list of modules by using modprobe -l or reviewing httpd.conf for load modules.
10.1.1.6 If the Apache version is a distribution version, review the modules selected for loading.
10.1.1.7 Obtain a list of modules in the mods-enabled directory.
4.1.2.7.1 Determine if any modules should not be included in this list.
10.1.1.8 Run chkconfig to list modules.
4.1.2.8.1 Determine if any modules should not be included in this list.
10.1.1.9 Review the httpd.conf or apache2.conf for a list of modules deleted and included in the load process.
11. Required Web Server Modules Are Enabled
Control: Web server modules are enabled based on policy or, in the absence of policy, evaluated according to functional requirements.
COBIT cross-reference: AI3.2, DS9.1, DS9.2
11.1.1.1 Determine the modules required for this web server installation, run the following commands:
httpd -l (for static modules)
httpd -M (for shared/dynamic modules)
11.1.1.2 Review the list for required modules.
11.1.1.3 Review the list to determine if there are unnecessary modules (Apache version 3):
Required:
httpd_core
mod_access
mod_auth
mod_dir
mod_log_config
mod_mime
Desired:
mod_security
Supporting:
PHP
MySQL
11.1.1.4 Review the list of other approved modules and determine if other modules present a risk.
11.1.1.5 Determine that the directives below are switched off or disabled if not being used:
Directory indexes
Unnecessary default 'Alias' and 'ScriptAlias'
Handlers (only leave handlers that you will be using. Remove all others.)
'FollowSymLinks' (if no symbolic links are used in the web directories)
11.1.1.6 Determine if other modules in the list are unnecessary.
11.2 Secure Authentication
Audit/Assurance Objective: The web server is protected from unauthorized access.⁵
⁵ For a list of Apache Web Security related configurations please visit http://httpd.apache.org/docs/1.3/misc/security_tips.html.
12. Apache Server Restricted Access to O/S
Control: Apache Web Services Server is run as a nonprivileged user.
COBIT cross-reference: AI7, DS5.3, DS5.4, DS9.1, DS9.2
12.1.1.1 Determine that the Apache Web Services Server has its own UID and GID.
12.1.1.2 On the server, enter cat /etc/passwd.
12.1.1.3 Verify that the Apache Server has a dedicated user ID.
12.1.1.4 Verify that the UID of the Apache server is greater than 999 (non-privileged user).
13. Apache Server UID has No Directory or Shell
Control: The Apache Server UID settings include no directory or shell.
COBIT cross-reference: AI7, DS5.3, DS5.4, DS9.1, DS9.2
13.1.1.1 Determine that the Apache Web Services Server login has no directory or shell.
13.1.1.2 On the server, enter: finger and the UID for the Apache server account.
13.1.1.3 Verify the following: dir = /dev/null, shell = /sbin/nologin.
14. Apache Server Has a Separate Password File
Control: The Apache Web Services Server has a separate password file for access to the Apache Web Services Server.
COBIT cross-reference: AI7, DS5.3, DS5.4, DS9.1, DS9.2
14.1.1.1 Verify that an .htaccess file is in the root directory of the Apache server software (see 4.4.1 Secure Directories in Secure Server Components section).
14.2 Secure Network Services
Audit/Assurance Objective: The Apache server configuration establishes secure network connections.
15. Port Limits
Control: The network configuration limits ports to 80 (HTTP) and 443 (SSL).
COBIT cross-reference: AI3.2, AI7, DS5.5, DS5.10
15.1.1.1 Obtain the file ports.conf from the Apache directory.
15.1.1.2 Determine that the only entries for Listen are 80 and, if necessary, 443.
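Steps 12.1.1.1 to 13.1.1.3 and 15.1.1.1 to 15.1.1.2 can be checked against copies of /etc/passwd and ports.conf taken from the server. The POSIX shell script below is an added example and not part of the ISACA program; the account names, the passwd lines and the ports.conf contents are constructed for the demonstration, and the shell check accepts any path ending in nologin (the Debian location /usr/sbin/nologin as well as /sbin/nologin).

```shell
#!/bin/sh
# Added example, not part of the ISACA program: check the Apache service
# account (steps 12.1.1.1 to 13.1.1.3) and the Listen directives
# (steps 15.1.1.1 to 15.1.1.2) from copies of the server's files.

# Report deviations for the account named in $1, reading passwd-format lines
# from stdin. The program's criteria: UID above 999, home directory
# /dev/null, login shell /sbin/nologin (any */nologin is accepted here).
# Prints one finding per line, "OK" when the entry passes; always exits 0.
check_service_account() {
  awk -F: -v acct="$1" '
    $1 == acct {
      found = 1
      shell = $7; sub(/^.*\//, "", shell)       # basename of the shell
      if ($3 + 0 <= 999) { bad++; print "UID " $3 " is not above 999" }
      if ($6 != "/dev/null") { bad++; print "home directory is " $6 ", expected /dev/null" }
      if (shell != "nologin") { bad++; print "shell is " $7 ", expected /sbin/nologin" }
    }
    END {
      if (!found) print "no passwd entry for " acct
      else if (!bad) print "OK"
    }'
}

# Report Listen directives whose port is outside the allowed list given in $1
# (default "80 443"), reading Apache configuration from stdin. Handles
# "Listen 80", "Listen 0.0.0.0:443 https" and "Listen [::]:8080"; comment
# lines are ignored. Prints "OK" when every Listen is allowed.
check_listen_ports() {
  awk -v allowed="${1:-80 443}" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ { next }
    tolower($1) == "listen" {
      port = $2; sub(/^.*:/, "", port)          # drop any address prefix
      if (port in ok) seen++
      else { bad++; print "unexpected Listen on " $2 " (line " NR ")" }
    }
    END {
      if (!seen && !bad) print "no Listen directive found"
      else if (!bad) print "OK"
    }'
}

# Constructed /etc/passwd excerpt: "apache" is a distribution default with a
# system UID, "httpd-svc" is an account created to the program's criteria.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
apache:x:48:48:Apache:/dev/null:/sbin/nologin
httpd-svc:x:1002:1002:Apache service:/dev/null:/sbin/nologin'

# Constructed ports.conf with two ports outside 80/443.
SAMPLE_PORTS_CONF='# ports.conf (constructed sample)
Listen 80
Listen 0.0.0.0:443 https
Listen [::]:8080
Listen 8443'

for acct in apache httpd-svc; do
  echo "account $acct:"
  printf '%s\n' "$SAMPLE_PASSWD" | check_service_account "$acct"
done
echo "Listen directives:"
printf '%s\n' "$SAMPLE_PORTS_CONF" | check_listen_ports
```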
16. Web Server Firewall and Reverse Proxy
Control: Web server firewall and reverse proxy are installed and enabled.
COBIT cross-reference: AI3.2, AI7, DS5.5, DS5.10
16.1.1.1 Determine if the mod_security module is enabled.
16.1.1.2 Refer to www.thebitsource.com/web-application/securing-apache-web-servers-modsecurity for a detailed description of the configuration.
16.2 Secure Server Components
Audit/Assurance Objective: The Apache server configuration secures the Apache modules and content.
17. Secure Directories
Control: Web server directories are secured against unauthorized access using chroot.
COBIT cross-reference: AI3.2, AI7, DS9.1, DS9.2
17.1.1.1 Determine that a directory has been created at the root of the hard disk or on a separate drive.
17.1.1.2 Determine that the Apache directory has been copied from the /etc directory to the new root directory (for consistency, this directory will be referred to as /chroot).
17.1.1.3 Determine that the Apache Web Services Server is the owner of the directory and no other user has access.
17.1.1.4 Enter ls -l /chroot.
17.1.1.5 Verify that the access is rwxr-----.
17.1.1.6 Determine that the root content directory /www has Apache server as owner and read access to others.
17.1.1.7 Enter ls -l /www.
17.1.1.8 Verify that the access is rwxr-xr-x.
18. Server Signature Limited
Control: The server signature does not identify the version of the server.
COBIT cross-reference: AI3.2, AI7, DS9.1, DS9.2
18.1.1.1 Determine if the Apache version is hidden.
18.1.1.2 Enter either httpd -v or apache2 -v.
18.1.1.3 If the response indicates a version number, the command ServerSignature in the apache2.conf file should be set to "off."
19. File Indexing and Symbolic Links Are Set to Off
Control: The configuration to prevent file indexing and symbolic links is set to "off."
COBIT cross-reference: AI3.2, AI7, DS9.1, DS9.2
19.1.1.1 View apache2.conf or httpd.conf, and ensure that the directive for the directory apache/htdocs is set as follows: Options -Indexes -FollowSymLinks.
20. CGI Scripts Prohibited From Web Root
Control: CGI scripts cannot execute from the Web Root directory.
COBIT cross-reference: PO7
20.1.1.1 Verify the following is in the apache2.conf file:
Options ExecCGI
Order allow,deny
Allow from all
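The directive checks in steps 18.1.1.3, 19.1.1.1 and 20.1.1.1 can be run against a copy of the configuration file. The POSIX shell script below is an added example and not part of the ISACA program; the web root path and both sample configurations are constructed assumptions, and the Options evaluation goes slightly beyond the steps by resolving +/-, None and All tokens the way Apache does instead of looking for one literal line.

```shell
#!/bin/sh
# Added example, not part of the ISACA program: inspect an httpd.conf or
# apache2.conf for the settings checked in steps 18.1.1.3 (ServerSignature
# off), 19.1.1.1 (Indexes and FollowSymLinks disabled for the content
# directory) and 20 (no ExecCGI for the web root). Web root path and sample
# configurations are constructed assumptions for the demonstration.

# Audit the configuration read from stdin for the <Directory> block whose
# path is $1 (default /var/www/html). Options tokens are evaluated the way
# Apache does: a token without +/- replaces the whole set for that block,
# +token adds, -token removes, None clears, All expands (except MultiViews).
# Options inherited from an enclosing scope are not evaluated, so a block
# with no Options directive at all is reported as a finding, and an absent
# ServerSignature is reported because the program calls for it to be set.
# Prints one finding per line, or "OK"; always exits 0.
audit_httpd_conf() {
  awk -v webroot="${1:-/var/www/html}" '
    /^[ \t]*#/ { next }
    tolower($1) == "serversignature" { sig = tolower($2) }
    tolower($1) == "<directory" {
      d = $2; gsub(/[">]/, "", d); indir = (d == webroot); next
    }
    tolower($0) ~ /^[ \t]*<\/directory>/ { indir = 0; next }
    indir && tolower($1) == "options" {
      seen = 1; cleared = 0
      for (i = 2; i <= NF; i++) {
        t = tolower($i); c = substr(t, 1, 1)
        if (c == "+") enabled[substr(t, 2)] = 1
        else if (c == "-") delete enabled[substr(t, 2)]
        else {
          if (!cleared) { split("", enabled); cleared = 1 }  # absolute list
          if (t == "all") {
            enabled["execcgi"] = 1; enabled["followsymlinks"] = 1
            enabled["includes"] = 1; enabled["indexes"] = 1
            enabled["symlinksifownermatch"] = 1
          } else if (t != "none") enabled[t] = 1
        }
      }
    }
    END {
      if (sig != "off") { bad++; print "ServerSignature is not Off" }
      if (!seen) { bad++; print "no Options directive for " webroot }
      else {
        if ("indexes" in enabled) { bad++; print "Indexes enabled for " webroot }
        if ("followsymlinks" in enabled) { bad++; print "FollowSymLinks enabled for " webroot }
        if ("execcgi" in enabled) { bad++; print "ExecCGI enabled for " webroot }
      }
      if (!bad) print "OK"
    }'
}

# Constructed configuration with the findings present.
WEAK_CONF='ServerRoot "/etc/httpd"
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<Directory "/var/www/cgi-bin">
    Options ExecCGI
</Directory>'

# Constructed configuration set the way steps 18.1.1.3 and 19.1.1.1 require.
HARDENED_CONF='ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes -FollowSymLinks
    AllowOverride None
</Directory>'

echo "weak configuration:"
printf '%s\n' "$WEAK_CONF" | audit_httpd_conf /var/www/html
echo "hardened configuration:"
printf '%s\n' "$HARDENED_CONF" | audit_httpd_conf /var/www/html
```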
21. SHARED IT MANAGEMENT SERVICES
21.1 Patch Management
Audit/Assurance Objective: Patch management procedures are consistently applied using installation policies and procedures.
22. Patch Management
Control: Standard installation patch management policies and procedures are implemented for the Apache Web Services Server.
COBIT cross-reference: AI3.3, DS4, DS9.3
22.1.1.1 Obtain the patch management procedures.
22.1.1.2 Determine that appropriate testing, authorization, prioritization and promotion to production procedures are in use for the web-server-related programs and files.
22.1.1.3 Obtain recent audit/assurance work papers of patch management.
22.1.1.4 Evaluate open issues, and determine their impact on the web server controls environment.
22.2 Log Management
Audit/Assurance Objective: Logs of critical web server activities are available for review and analysis.
5.2.1 Log Management
Control: Management generates appropriate security logs, reviews logs regularly, and retains the logs for discovery and forensic analysis.
COBIT cross-reference: AI3.2, DS5.5, DS5.7, DS9.2, DS13.3
5.2.1.1 Obtain the installation log policies.
22.2.1.10 Determine that appropriate logs are generated and retained.
22.2.1.11 Select a sample of critical logging reports.
22.2.1.12 Review the procedures for evidence of management review, incident escalation based on the review of logs, and retention policies.
22.3 Incident Management
Audit/Assurance Objective: Incident management processes assure issues affecting the web server environment are identified, researched, an action plan for remediation is established, protection actions implemented, significant issues escalated to appropriate management, incidents closed, and incident trends analyzed.
23. Incident Management
Control: Enterprise incident management processes include web server activities and the incident management processes are actively monitored.
COBIT cross-reference: DS5.6, DS8
23.1.1.1 Obtain the enterprise incident management processes.
23.1.1.2 Determine if web activities are included in the incident management procedure.
23.1.1.3 Select web-related incidents from the incident management system. Follow the incident investigation and remediation to closure.
23.1.1.4 Determine if significant security incidents have been escalated to the appropriate officials.
23.1.1.5 Determine if appropriate remediation and closure has been documented.
23.2 Intrusion Monitoring and Prevention
Audit/Assurance Objective: Web servers are included in the intrusion detection/prevention activities of the enterprise.
24. Intrusion Detection/Prevention
Control: Web servers are within the scope of the enterprise intrusion detection/prevention policies.
COBIT cross-reference: DS5.5, DS5.9, DS13.3, ME1, ME2
24.1.1.1 Determine if an audit/assurance assessment has been performed of the intrusion monitoring and detection process associated with network perimeter audits.
24.1.1.2 If audits have been performed, obtain the work papers and report.
24.1.1.3 Determine if the scope of the intrusion detection/prevention process includes the web server environment.
24.1.1.4 If an audit has not been performed or if the web server environment has been excluded from the standard monitoring process, expand the scope of this audit or perform a separate audit of the intrusion monitoring program.
25. WEB SERVER ADDITIONAL COMPONENTS
Audit/Assurance Objective: Additional web server components provide adequate security to prevent unauthorized access to web server services and web content.
25.1 The audit/assurance professional can add audit steps for SSL web extensions, web dynamic content components, server side includes, common gateway interfaces (CGI) and database management systems. Since these components will vary by installation, it is preferable to customize the audit/assurance program to fit the specific installation components. They can be filled in below.
25.1.1 Determine if Server Side Includes (SSIs) are disabled—SSIs introduce a number of potential security risks. SSI-enabled web documents will severely increase the load on the server.
VII. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review, and the reviewer's observations, assign a maturity level to each of the following COBIT control practices.
COBIT Control Practice | Assessed Maturity | Target Maturity | Reference Hyper-link | Comments
AI3.2 Infrastructure Resource Protection and Availability
Implement internal control, security and auditability measures during configuration, integration and maintenance of hardware and infrastructural software to protect resources and ensure availability and integrity. Responsibilities for using sensitive infrastructure components should be clearly defined and understood by those who develop and integrate infrastructure components. Their use should be monitored and evaluated.
AI3.3 Infrastructure Maintenance
Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requirements.
DS5.3 Identity Management
Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. Maintain user identities and access rights in a central repository. Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.
DS5.4 User Account Management
Address requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. Include an approval procedure outlining the data or system owner granting the access privileges. These procedures should apply for all users, including administrators (privileged users) and internal and external users, for normal and emergency cases. Rights and obligations relative to access to enterprise systems and information should be contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.
DS5.5 Security Testing, Surveillance and Monitoring
Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise's information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

DS5.6 Security Incident Definition
Clearly define and communicate the characteristics of potential security incidents so they can be properly classified and treated by the incident and problem management process.

DS5.10 Network Security
Use security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.

DS9.1 Configuration Repository and Baseline
Establish a supporting tool and a central repository to contain all relevant information on configuration items. Monitor and record all assets and changes to assets. Maintain a baseline of configuration items for every system and service as a checkpoint to which to return after changes.

DS9.2 Identification and Maintenance of Configuration Items
Establish configuration procedures to support management and logging of all changes to the configuration repository. Integrate these procedures with change management, incident management and problem management procedures.

DS9.3 Configuration Integrity Review
Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration. Periodically review installed software against the policy for software usage to identify personal or unlicensed software or any software instances in excess of current license agreements. Report, act on and correct errors and deviations.
VIII. Assessment Maturity vs. Target Maturity
This spider graph is an example of the assessment results and maturity target for a specific company.