Audit and assurance
This section describes Itron’s policy for the logging and monitoring of security events occurring in the Itron Azure environment. This policy applies to all staff, contracts, or third-party owners, operators, and users who access or use the Itron Azure environment and the outcomes it hosts. This policy applies to all Itron Azure environment production assets including all software, applications and services, data, and infrastructure. This policy applies to all facilities of Itron, Inc. and all its direct and indirect subsidiaries.
The infrastructure team, developer teams, and users of the Itron Azure environment are responsible for ensuring they adhere to procedures and controls that demonstrate compliance with this policy. Teams are responsible for assigning resources necessary to achieve compliance. Itron management commits to actively supporting the teams in complying with this policy by ensuring the policy is reviewed and approved, responsibilities are defined, and resources and budget are available. Any in-scope Itron employee found to have violated this policy may be subject to disciplinary action. The severity of the incident shall govern the severity of the action taken; such action may vary from a verbal warning up to termination.
Policy
This policy is based on the NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations Rev 4 Audit and Accountability (AU) control family guidelines.
Audit and accountability procedures
Itron adheres to formal, documented audit and accountability procedures for the Itron Azure environment that facilitate the implementation of the audit and accountability policy and associated audit and accountability controls. The audit and accountability procedures document addresses scope, roles, responsibilities and the audit and accountability processes and procedures necessary to ensure Itron implements security best practices with regard to event logging and the retention of audit evidence for the Itron Azure environment.
Auditable events and audit generation
Any observable occurrence (event) within the Itron Azure environment or its assets that is significant and relevant to the security of the Itron Azure environment and the outcomes and services it hosts is auditable. A set of auditable events that is deemed adequate to support an after-the-fact investigation of security incidents and root cause analysis is identified (typically a subset of all events the Itron Azure environment is capable of auditing). The frequency of, or situations requiring, the auditing of each required auditable event is determined. For example, some auditable events may be recorded whenever they occur, while others may not be activated and recorded except in special circumstances. Audit records for the identified auditable events, at the determined frequencies and situations, are generated, with the content defined in the content of audit records section.
Content of audit records
At a minimum, all audit records contain sufficient information to establish:
- What type of event occurred
- When the event occurred
- Where the event occurred
- The source of the event
- The outcome of the event (for example, success or failure)
- The identity of any users and/or services associated with the event
Audit record time stamps are generated using internal system clocks and expressed in Coordinated Universal Time (UTC).
Audit storage capacity
Sufficient audit storage capacity is allocated and managed to minimize the likelihood of such capacity being exceeded, resulting in loss or reduction of auditing capability.
Response to audit processing failures
Alerts are sent to designated personnel/roles in the event of an audit processing failure.
Audit review, analysis, and reporting
All audit records are reviewed and analyzed periodically for indications of inappropriate or unusual activity. Findings or indications of inappropriate or unusual activity are reported to the infrastructure team and Itron Security.
Audit reduction and report generation
The capability to manipulate, organize, and report collected audit records on demand, in a summary format that is more meaningful to analysts, is provided to support after-the-fact investigations of security incidents. Any audit reduction and report generation must not alter the original content or time ordering of the audit records.
Protection of audit information
Audit information (records, settings, reports) and audit tools are protected from unauthorized access, modification, and deletion.
Non-repudiation
The Itron Azure environment protects against individuals falsely denying having performed a particular action on or within the Itron Azure environment.
Audit record retention
Audit records are retained for at least one year to provide support for after-the-fact investigations of security incidents.
Procedure
Itron and partner third-party developer teams adhere to the defined audit logging process and transfer audit logs into a centralized audit log storage. Developer teams have regular audit reviews and are alerted in case of high severity incidents.
Audit logging process
The audit logging process is about producing/collecting the security-related audit logs from the Itron Azure environment into a centralized logging system. This process is mainly supervised by Itron Security. For Itron developers, the security-related logs are collected via an automated mechanism controlled by Itron Security. For partner third-party developers, the developer teams contact Itron if audit logs haven't been collected yet from an Azure resource or any other components that are hosted and used in the Itron Azure environment.
A plan is provided for:
- Definition of the auditable events
- Content of the audit records
- Mechanism of transferring the logs into the centralized log storage
- Alerting mechanism in case of audit processing failures
- Set of definitions of security alerts
Supported Azure resources include:
- Management plane logs
  - Activity logs (from all Azure resources)
  - Tenant logs
- Data plane logs
  - Public IP addresses
  - Network security groups
  - Azure Key Vault
  - Virtual machines (Windows/Linux machines)
  - App services
  - Storage accounts
  - SQL as a Service databases
  - Azure Kubernetes services
Audit log storage
A centralized audit log analytics application is used to collect any security-related audit events from the Itron Azure environment. This audit log analytics application is owned by Itron Security. Sufficient audit storage capacity is allocated to provide a continuous and high-availability logging service. The log collection mechanism is maintained and operated by Itron Security. Access control to the audit log analytics application is controlled to protect audit records from unauthorized access, modification, and deletion. The audit records retention policies are defined by Itron Security. By default, DI records are stored for 13 months.
Audit log review, analysis, and reporting
The audit log records are constantly monitored, reviewed, and analyzed by Itron Security. Itron Security members have the responsibility to maintain and operate the audit logging application. The audit logs are reviewed and analyzed continuously. Patterns are identified and investigated by them. Based on the investigation results, new security alerts may be defined. Developers review the logs and alerts on a semi-regular basis to provide additional use cases to Itron Security. Security alerts defined based on use cases and log patterns are fired by the Security Operations Center mechanism. Itron Security members have the responsibility to initiate a basic security incident triage process and, if necessary, escalate the alert with the user or resource owner. Itron Security provides weekly reports based on log analysis and alerts. Additionally, the application is capable of conducting ad-hoc reporting and dashboarding.
Independent assessments
Itron Security policy is to use OpenText™ Fortify™ On Demand software to perform security scans, assessments, and reports each quarter. Itron also does annual SOC 2, Type 2 auditing and attestation against our NIST SP 500-83 control groups.
Risk-based planning assessment
The security of the Itron Azure environment and its hosted outcomes is assessed to ensure security is built-in, to identify security weaknesses and deficiencies, and to provide the information needed to make risk-based decisions. Security assessments are conducted on implemented security controls required by the Itron Azure environment security plan.
Security controls are assessed as part of:
- Planned security assessments
- Continuous monitoring
- Vulnerability scanning
- Risk assessment
The Itron Azure environment infrastructure security assessment plan defines the scope of the security assessment, the roles and responsibilities of the participants, and the activities and procedures to be used. The Itron Azure environment platform security assessment plan defines the scope of the security assessment of the platform services, the roles and responsibilities of the assessment team, and the activities and procedures to be used.
Each developer team hosted by the Itron Azure environment provides a security assessment plan document that extends the Itron Azure environment platform security assessment plan document. These documents define additional security assessments for the outcome-specific artifacts, the roles and responsibilities of the assessment team, and the activities and procedures to be used.
Itron Azure environment security assessment plans (platform and outcome) are updated as required when there are changes to the Itron Azure environment or its security controls. Itron Azure environment security assessment plans are reviewed after being updated, and at least annually, by Itron Security, other nominated subject matter experts, and the infrastructure team.
Each developer team manager is responsible for approving the Itron Azure environment security assessment plans for their teams. On approval, Itron Azure environment security assessment plans are published to the approved storage location, where modification or deletion of the documents is prohibited. Read-only access to the approved storage location is granted to Itron Security, the developer team managers, and the infrastructure team, each of whom receives a notification that a new version is published.
Security assessment activities are conducted as defined in the Itron Azure environment security assessment plans, and the results (including the status of security controls and details of any deficiencies, weaknesses, or non-compliance) are communicated as defined in the security assessment plans.
Azure DevOps Services (ADS) work items are created for all remedial actions needed to correct security weaknesses and deficiencies.
DI assessment plan
The assessment plan for DI consists of the following aspects:
- Threat modeling. Itron Security is responsible for conducting threat modeling activities for the Itron Azure environment, platform services, and hosted outcomes upon request of the developer teams.
- Penetration test. Itron Security is also responsible for conducting penetration testing of the Itron Azure environment, platform services, and hosted outcomes upon request of the developer team. Fortify On Demand software penetration tests are performed to determine any vulnerabilities in the website. Itron Security performs additional penetration tests of the complete DI solution annually. Any risks that are identified through these planned assessments follow the risk assessment strategy described in the risk assessment section.
- Infrastructure vulnerability assessment. Itron Security is responsible for regular assessment of the Itron Azure environment infrastructure. Itron Security performs vulnerability scanning by utilizing an industry-leading security assessment tool, as described in the vulnerability scanning section. An overall Azure Security Assessment is conducted every 6 months by Itron Security. Any risks that are identified through these planned assessments follow the risk assessment strategy described in the risk assessment section.
Security flaw remediation
The security flaw remediation process ensures that all third-party components are updated regularly and that any security vulnerabilities are patched as contractually required. This section is an extension to all security architecture documents defined globally for the Itron Azure environment infrastructure.
The DI Platform team oversees the following components in the Itron Azure environment:
- Service Fabric. Service Fabric is a service orchestrator by Microsoft. The infrastructure team checks quarterly for new versions of the Service Fabric orchestrator. A decision is made on when to upgrade to new versions. The strategy and the priority are captured as a work item in ADS following the configuration management procedures. The infrastructure team doesn't own any services on the Service Fabric cluster and the OS and VM images are automatically updated by Microsoft. However, as part of the quarterly infrastructure maintenance process, the infrastructure team checks the images of the Service Fabric clusters.
- Virtual Machines. Azure Automation Update Management is used to update DI virtual machines.
- Virtual Infrastructure Elements. Microsoft in Azure updates any virtual infrastructure elements, such as service buses or storage accounts.