The information security audit
1. Transforming Lives. Inventing the Future. www.iit.edu
ILLINOIS INSTITUTE OF TECHNOLOGY
ITM 578
The Information Security Audit
Ray Trygstad
ITM 478/578 / IT 478
Spring 2004
Information Technology & Management Programs
Center for Professional Development
2.
Learning Objectives:
Upon completion of this lesson the
student should be able to:
– Explain what an information security
audit is
– Explain the relationship of information
security policies to the audit process
– Describe how an information security
audit is conducted
– Discuss knowledge required for members
of an information security audit team
3.
Introduction
What is an Information Security Audit?
A measure of how the confidentiality,
availability and integrity of an organization’s
information is protected and assured
A systematic, measurable technical
assessment of how the organization's security
policy is employed at a specific site
Part of the on-going process of defining and
maintaining effective security policies
– Many audits will involve everyone who uses
computer resources in the organization
4.
General Methodology
Assess IT security controls which
include:
– General controls at the entity level
– General controls as they are applied to
the specific application(s) being examined
– Application controls, which are the
controls over input, processing, and
output of data associated with individual
applications
5.
General Controls
Policies and procedures that apply to all or a
large segment of an entity’s information systems
and help ensure their proper operation
Examples of primary objectives for general
controls:
– Safeguard data
– Protect computer application programs
– Prevent unauthorized access to system software
– Ensure continued computer operations in case of
unexpected interruptions
The effectiveness of general controls is a significant
factor in determining the effectiveness of application
controls
6.
Relationship of Policy to General Controls
Security policies are a standardization
of security practices put in writing
– Employees must read & agree to them
– In many enterprises today, security
policies may be informal or unwritten
• Informal/unwritten policies are not legally
enforceable
Typically policies prescribe methods of
implementing general and application
controls
7.
Nature & Extent of the Audit
Depends on audit objectives and other
factors
Factors to consider:
– Nature and complexity of the information
systems
– The control environment
– Particular accounts and applications
significant to the areas of interest
8.
Audit Scope
Audit objectives determine the scope of the
audit
Scope determination factors
– Site business plan
– Type of data being protected
– Value/importance of data to the client
organization
– Previous security incidents
– Time available to complete the audit
– Talent/expertise/experience of the auditors
Auditors & client must agree on scope prior
to the commencement of the actual audit
9.
Audit Stages
Audit is conducted in four stages
– Planning Phase
– Internal Control Phase
– Testing Phase
– Reporting Phase
10.
Planning Phase
Auditor gains an understanding of information
system operations, controls and related risks
In view of these risks, the auditor reaches tentative
conclusions as to which controls are likely to be effective
If controls are likely to be effective and are relevant
to audit objectives, the auditor will determine
nature and extent of audit work needed to confirm
tentative conclusions.
If controls are not likely to be effective, auditor
must develop a sufficient understanding of related
control risks to
– (1) develop appropriate findings and related
recommendations for corrective action
– (2) determine the nature, timing, and extent of
substantive testing necessary
11.
Pre-Audit Tasks
Review previous audits (baselining)
Assess site survey
– Asset inventory including technical
description of the system’s hosts
– Includes management and user
demographics
Administer security questionnaires
Review previous security incidents
12.
Pre-Audit Tasks
Read and evaluate the most recent
risk assessment
Read and evaluate all policies &
procedures
Develop the Audit Plan
– Prepare audit checklists tailored for the
audit environment
Discuss audit objective and details
with the client, ensuring objectives are
understood and mutually agreed upon
13.
Site Survey
May need to be completed by client
staff or may be prepared by a
member of the audit team based on
an existing asset inventory and other
information provided by the client
Should present auditors with a
complete picture of the information
technology environment of the client
14.
Security Questionnaires
Self-assessment tools allowing client
staff—both IT professional staff and
end users—to measure knowledge of
and compliance with security controls
in place
Should be phrased in terms of a
“ranking” (e.g. a 1-5 or 1-10 scale) of
knowledge and of compliance in each
specific area
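As an added example (not part of the lecture), the following Python scores a constructed set of questionnaire responses phrased the way the slide suggests: each respondent rates both their knowledge of a control area and their compliance with it on a 1-5 scale. The respondent groups, control areas, response values and the gap thresholds are all assumptions made for the example. The point it shows is that averaging the two scales separately per group and area distinguishes "people know the rule but do not follow it" (an enforcement problem to test technically during the site visit) from "people do not know the rule" (an awareness problem to address with training).

```python
"""Score security self-assessment questionnaires and find knowledge/compliance gaps.

Added example: the responses below are constructed, not real survey data.
Each tuple is (respondent group, control area, knowledge 1-5, compliance 1-5).
"""
from collections import defaultdict
from statistics import mean

RESPONSES = [
    ("it_staff", "password policy", 5, 4),
    ("it_staff", "password policy", 5, 5),
    ("it_staff", "patching", 4, 2),
    ("it_staff", "patching", 5, 2),
    ("it_staff", "backup handling", 4, 4),
    ("end_user", "password policy", 4, 2),
    ("end_user", "password policy", 5, 2),
    ("end_user", "password policy", 4, 3),
    ("end_user", "incident reporting", 2, 2),
    ("end_user", "incident reporting", 1, 1),
    ("end_user", "backup handling", 3, 3),
]

SCALE_MIN, SCALE_MAX = 1, 5


def validate(responses):
    """Reject values outside the declared scale so a data-entry typo cannot skew a mean."""
    for group, area, know, comply in responses:
        for value in (know, comply):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{group}/{area}: {value} outside {SCALE_MIN}-{SCALE_MAX}")
    return responses


def summarize(responses):
    """Mean knowledge and mean compliance per (group, area), plus respondent count."""
    buckets = defaultdict(lambda: {"knowledge": [], "compliance": []})
    for group, area, know, comply in validate(responses):
        buckets[(group, area)]["knowledge"].append(know)
        buckets[(group, area)]["compliance"].append(comply)
    return {
        key: {
            "n": len(v["knowledge"]),
            "knowledge": round(mean(v["knowledge"]), 2),
            "compliance": round(mean(v["compliance"]), 2),
        }
        for key, v in buckets.items()
    }


def classify(summary, gap=1.0, low=3.0):
    """Split the results into the two kinds of problem an auditor tests differently.

    'enforcement': knowledge exceeds compliance by at least `gap` points, i.e. the
                   control is known but not followed; look for missing technical
                   enforcement during the site visit.
    'awareness':   mean knowledge is below `low`; a training problem.
    Both thresholds are assumptions; tune them to the client's scale.
    """
    findings = []
    for (group, area), s in sorted(summary.items()):
        if s["knowledge"] - s["compliance"] >= gap:
            findings.append((group, area, "enforcement"))
        if s["knowledge"] < low:
            findings.append((group, area, "awareness"))
    return findings


if __name__ == "__main__":
    summary = summarize(RESPONSES)
    for (group, area), s in sorted(summary.items()):
        print(f"{group:9} {area:20} n={s['n']} know={s['knowledge']} comply={s['compliance']}")
    for group, area, kind in classify(summary):
        print(f"{kind:12} gap: {group}/{area}")
```

Questionnaire results are self-reported, so they are evidence of perception rather than of control operation; use the gaps to decide where to spend site-visit testing time, not as audit findings in themselves.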
15.
Pre-Audit Audit Report
If policies and procedures do not prescribe
adequate controls for the described risks,
auditors may need to:
– develop appropriate findings and related
recommendations for corrective action
– delay remaining portions of the audit until
appropriate corrections have been put in place
– prepare a preliminary Audit Report to facilitate
proper implementation of controls
16.
Internal Control Phase
Auditors obtain detailed information on
control policies, procedures, and objectives
Perform tests of control activities
First test general controls through a
combination of procedures, which may
include
– Observation
– Inquiry
– Inspection
17.
Internal Control Phase
If these controls operate effectively,
auditors should then test & evaluate
effectiveness of general controls for
applications significant to the audit
If general controls are not operating
effectively, application-level controls
are generally not tested
(note: in the audits we conduct, we
will not be testing any application-
level controls…)
18.
Application Level Testing
As an example of application-level control
testing, auditors might test a system to
ensure
– data prepared for entry is complete, valid, and
reliable;
– data is converted to an automated form and
entered into the application accurately,
completely, and on time;
– data is processed by the application completely,
on time, and in accordance with established
requirements;
– output is protected from unauthorized
modification or damage and distributed in
accordance with prescribed policies
19.
Application Level Testing
Auditors evaluate and test the
effectiveness of application controls
by
– observing the controls in operation
– examining related documentation
– discussing the controls with pertinent
personnel
– reperforming the control being tested
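An added example, not from the lecture, of reperforming application-level controls in Python. The batch of input records, the submitter's batch-header control totals, the application's output and its reject list are all constructed here so the check runs offline; the field names and validation rules are assumptions. The check applies the tests from the previous slide in order: completeness and validity of the data prepared for entry, agreement of the batch with its record count and amount hash total (data entered completely and accurately), and a record-by-record comparison of valid input against processed output (processed completely, nothing altered, nothing rejected silently).

```python
"""Reperform an application's input and processing controls on a constructed batch.

Added example: INPUT_BATCH, BATCH_HEADER, PROCESSED and REJECTS are constructed
samples, not output of any real application.
"""
import re
from datetime import date
from decimal import Decimal, InvalidOperation

ACCOUNT_RE = re.compile(r"^\d{6}$")          # assumed account-number format
REQUIRED = ("id", "account", "amount", "posted")

# Batch as submitted by the originating department (constructed)
INPUT_BATCH = [
    {"id": "T1", "account": "100200", "amount": "125.50", "posted": "2004-03-01"},
    {"id": "T2", "account": "100201", "amount": "80.00", "posted": "2004-03-01"},
    {"id": "T3", "account": "10020", "amount": "10.00", "posted": "2004-03-02"},   # bad account
    {"id": "T4", "account": "100203", "posted": "2004-03-02"},                     # no amount
    {"id": "T5", "account": "100204", "amount": "40.25", "posted": "2004-03-02"},
]
# Control totals the submitter wrote on the batch header (constructed): one
# record more than was actually entered, so entry was incomplete.
BATCH_HEADER = {"record_count": 6, "amount_total": Decimal("275.75")}

# What the application reports having processed (constructed): T1 was altered
# in processing, T4 was dropped without appearing on the reject report.
PROCESSED = [
    {"id": "T1", "account": "100200", "amount": "152.50", "posted": "2004-03-01"},
    {"id": "T2", "account": "100201", "amount": "80.00", "posted": "2004-03-01"},
    {"id": "T5", "account": "100204", "amount": "40.25", "posted": "2004-03-02"},
]
REJECTS = {"T3"}


def validate_record(rec):
    """Entry control: completeness (required fields) and validity (format/range)."""
    errors = [f"missing {f}" for f in REQUIRED if f not in rec]
    if "account" in rec and not ACCOUNT_RE.match(rec["account"]):
        errors.append("account not 6 digits")
    if "amount" in rec:
        try:
            if Decimal(rec["amount"]) <= 0:
                errors.append("amount not positive")
        except InvalidOperation:
            errors.append("amount not numeric")
    if "posted" in rec:
        try:
            date.fromisoformat(rec["posted"])
        except ValueError:
            errors.append("posted date invalid")
    return errors


def _amount(rec):
    try:
        return Decimal(rec["amount"])
    except (KeyError, InvalidOperation):
        return None


def control_totals(records):
    """Record count and amount hash total, computed the way the submitter would."""
    total = sum((a for a in map(_amount, records) if a is not None), Decimal("0"))
    return len(records), total


def reperform(batch, header, processed, rejects):
    """Return (per-record input errors, list of control failures found)."""
    errors = {}
    for rec in batch:
        problems = validate_record(rec)
        if problems:
            errors[rec["id"]] = problems
    findings = []
    count, total = control_totals(batch)
    if (count, total) != (header["record_count"], header["amount_total"]):
        findings.append(f"batch header {header['record_count']}/{header['amount_total']} "
                        f"!= computed {count}/{total}")
    out = {r["id"]: r for r in processed}
    for rec in batch:
        rid = rec["id"]
        if rid in errors:
            if rid not in rejects:
                findings.append(f"{rid} invalid but not on reject report")
            if rid in out:
                findings.append(f"{rid} invalid but processed")
        elif rid not in out:
            findings.append(f"{rid} valid but not processed")
        elif out[rid] != rec:
            findings.append(f"{rid} altered in processing")
    extra = set(out) - {r["id"] for r in batch}
    findings += [f"{rid} processed but never submitted" for rid in sorted(extra)]
    return errors, findings


if __name__ == "__main__":
    errs, found = reperform(INPUT_BATCH, BATCH_HEADER, PROCESSED, REJECTS)
    for rid, problems in errs.items():
        print(f"input error {rid}: {', '.join(problems)}")
    for line in found:
        print("control failure:", line)
```

Amounts are kept as Decimal so the hash total is exact; a float total can disagree with the submitter's figure by a rounding error and produce a false exception.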
20.
Testing Phase
In the testing phase, substantive technical
testing is performed
This may include
– Application security and integrity testing on
appropriate workstations & terminals
• Checking for patches and updates
– Network security testing through both passive
monitoring and active measures
– Restoration of backed-up material
– If conducted in concert with a broader audit (e.g.
a financial audit), auditors may be called upon to
assist financial auditors in identifying/selecting
computer-processed transactions for testing,
possibly using computer audit software
21.
Site Visit
Internal Control and Testing phases are
normally accomplished through a site visit
The aim of the auditors is not to adversely affect
business transactions during the audit
Auditors should conduct an entry briefing
where they outline the scope of the audit
and what they hope to accomplish
Auditors should be thorough, fair and apply
consistent standards and procedures
throughout the audit
22.
Site Visit
During the visit, auditors may:
– Collect data about the physical security of
computer assets
– Perform interviews of site staff
– Perform network vulnerability assessments
– Perform operating system and application
security assessments & vulnerability testing
– Perform access controls assessment
– Other evaluations
Auditors should follow their checklists,
but keep their eyes (and ears!) open for
unexpected problems
23.
Key Audit Questions
Remember, audits are principally concerned
with how security policies are actually
implemented
Key questions to be answered:
– Are passwords difficult to crack?
• Are they on post-it notes on the monitor or inside the
desk’s top drawer?
– Are there access control lists (ACLs) in place on
network devices to control who has access to
shared data?
– Are there audit logs to record who accesses data?
– Are the audit logs reviewed?
24.
Key Audit Questions (continued)
– Are the security settings for operating systems in
accordance with accepted industry security
practices?
– Have all unnecessary applications and computer
services been eliminated for each system?
– Are these operating systems and commercial
applications patched to current levels?
– How is backup media stored? Who has access to
it? Is it up-to-date?
– Is there a disaster recovery plan? Have the
participants and stakeholders ever rehearsed the
disaster recovery plan?
25.
Key Audit Questions (continued)
– Are there adequate cryptographic tools in place
to govern data encryption, and have these tools
been properly configured?
– Have custom-built applications been written
with security in mind?
– How have these custom applications been tested
for security flaws?
– How are configuration and code changes
documented at every level? How are these
records reviewed and who conducts the review?
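An added example, not from the lecture, of answering four of the key audit questions above from host evidence in Python. The evidence (a login.defs-style password-ageing file, a listening-socket listing, a package inventory beside the vendor's current versions, and the age of the last log review) is constructed, and the approved-service baseline and numeric thresholds are assumptions that in a real audit come from the client's policy and site survey. Each answer is produced both as a yes/no checklist item and as a 1-5 scale ranking, so the same evidence feeds either checklist style.

```python
"""Answer several of the 'key audit questions' from constructed host evidence.

Added example, not part of the lecture. LOGIN_DEFS, LISTENING, INSTALLED,
CURRENT and DAYS_SINCE_LOG_REVIEW are constructed samples; APPROVED, POLICY and
MAX_REVIEW_DAYS are assumptions standing in for the client's own policy.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    question: str
    answer: bool   # checklist-style yes/no
    rank: int      # scale ranking, 1 (worst) to 5 (best)
    evidence: str


LOGIN_DEFS = """\
# password ageing in /etc/login.defs format (constructed sample)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
"""
LISTENING = """\
tcp   0.0.0.0:22    sshd
tcp   0.0.0.0:23    telnetd
tcp   0.0.0.0:21    vsftpd
tcp   0.0.0.0:80    httpd
udp   0.0.0.0:123   ntpd
"""
APPROVED = {"sshd", "httpd", "ntpd"}                                   # assumed site baseline
INSTALLED = {"openssh": "9.6p1", "httpd": "2.4.57", "openssl": "3.0.9"}
CURRENT = {"openssh": "9.6p1", "httpd": "2.4.57", "openssl": "3.0.13"}  # constructed vendor levels
DAYS_SINCE_LOG_REVIEW = 20
MAX_REVIEW_DAYS = 30                                                   # assumed policy
POLICY = {"PASS_MAX_DAYS": ("<=", 90), "PASS_MIN_DAYS": (">=", 1), "PASS_MIN_LEN": (">=", 8)}


def rank_for(issues):
    """Map a count of failed items onto the 1-5 scale: 0 -> 5, 1 -> 3, 2 or more -> 1."""
    return max(1, 5 - 2 * issues)


def parse_kv(text):
    """Parse 'KEY VALUE' lines, dropping comments and blanks; integer values become ints."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, value = line.split(None, 1)
            out[key] = int(value) if value.isdigit() else value
    return out


def check_password_policy(defs, policy=POLICY):
    bad = []
    for key, (op, limit) in policy.items():
        value = defs.get(key)
        ok = value is not None and (value <= limit if op == "<=" else value >= limit)
        if not ok:
            bad.append(f"{key}={value} (policy {op} {limit})")
    return Finding("Password ageing/length settings meet policy?", not bad,
                   rank_for(len(bad)), "; ".join(bad) or "all settings within policy")


def check_services(listing, approved=APPROVED):
    # third column of each line is the listening program name
    names = {line.split()[2] for line in listing.splitlines() if line.strip()}
    unexpected = sorted(names - approved)
    return Finding("All unnecessary services eliminated?", not unexpected,
                   rank_for(len(unexpected)), ", ".join(unexpected) or "none")


def check_patch_levels(installed, current):
    # 'Patched to current levels' is read literally: installed must equal the
    # vendor's current version. A production check would compare version order.
    stale = sorted(p for p, v in installed.items() if current.get(p) != v)
    detail = ", ".join(f"{p} {installed[p]} -> {current.get(p)}" for p in stale)
    return Finding("OS and applications patched to current levels?", not stale,
                   rank_for(len(stale)), detail or "none")


def check_log_review(days, limit=MAX_REVIEW_DAYS):
    rank = 5 if days <= 7 else 3 if days <= limit else 1
    return Finding("Audit logs reviewed?", days <= limit, rank, f"last review {days} days ago")


def run_audit():
    return [
        check_password_policy(parse_kv(LOGIN_DEFS)),
        check_services(LISTENING),
        check_patch_levels(INSTALLED, CURRENT),
        check_log_review(DAYS_SINCE_LOG_REVIEW),
    ]


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{'yes' if f.answer else 'no':>3}] rank {f.rank}  {f.question}  ({f.evidence})")
```

Two caveats for anyone adapting this: on PAM-based Linux systems the password length rule is enforced by the PAM password-quality module rather than by the login.defs value, so the auditor must collect whichever setting is actually enforced on the host; and the patch check treats version strings as opaque, which is enough to flag a mismatch but not to say which side is newer.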
26.
Audit Checklists
Audits are conducted by checklist
Checklists are widely available but
should be tailored for each audit by
the audit team
Checklists may be challenge-
response (i.e. check-in-the-box or
yes-or-no answers) or they may be
scale rankings (1-4, 1-5, 1-10, etc.)
27.
Sample Audit Checklist
General IT Controls Audit Program
Purpose / Scope: Perform a General Controls review of Information Technology (IT). The review will include all IT-related policies, procedures, data security administration, data center operations, system development / maintenance, the IT Disaster Recovery plan and its relation to the corporate Business Continuity plan.
Each audit step is logged with Date, Initials and W/P Ref. (working-paper reference) columns, filled in as the step is performed.
IT General Controls
Planning
– Determine if committees review, approve, and report to the board on:
• Short and long term information systems plans
• IT operating standards
• Data security policies and procedures
• Resource allocation (major hardware/software acquisition and project priorities)
• Status of major projects
• IT budgets and current operating cost
Policies, Standards, and Procedures
– Determine whether the board of directors has reviewed and approved IT policies.
– Examine how IT management has defined standards and adopted a methodology governing the process of developing, acquiring, implementing, and maintaining information systems and related technology.
– Determine if IT management has adequate standards and procedures for:
• Systems development
• Program change control
• Data center operations
• Database administration
• DASD (direct access storage device) management
• Performance monitoring
28.
Exit Briefing
Ensure management is made aware of any
problems requiring immediate attention or
correction
Answer questions in a very general manner
so as not to create a false impression of the
audit’s outcome
– At this stage auditors are not in a position to
provide definitive answers
– Final answers can only be provided following the
final analysis of the audit data
29.
Reporting Phase
Back at the ranch, auditors will review
and analyze checklist data and analyze
any data discovered through use of
vulnerability assessment tools
There should be an initial meeting to
help focus the outcome of the audit
results
– Auditors should identify problem areas
and possible solutions
30.
Writing the Audit Report
The Audit Report may be prepared in a
number of formats
Keep it simple and direct, containing
concrete findings with measurable ways to
correct identified deficiencies
Typical format
– Executive summary
– Detailed findings
– Supporting data (checklists, scan reports etc.)
should be included as report appendices
31.
Writing the Audit Report
Develop executive summary first as it may
be necessary to report to management
before details are done
Include an audit summary which may
emphasize the positive findings of the audit
Organize audit findings in a simple and
logical manner with a half-page or full page
for each identified problem
Each problem entry should outline the
problem, discuss implications and describe
appropriate corrective actions
32.
The Audit Report
Describe information security control weaknesses
clearly in terms understandable to those with
limited knowledge of information system issues
Define all technical terms and avoid jargon and
acronyms
Discuss each weakness in terms of
– related criteria
– the condition identified
– the cause of the weakness
– actual or potential impact on the organization
– appropriate corrective action
This helps senior management to understand the
significance of the problem and to ensure
development of appropriate corrective actions
33.
Technical Reporting
Weaknesses reported to technical staff
should be the same as those reported to
senior management, but should include
the technical detail necessary to allow
the staff
– to understand the precise cause of the
weaknesses
– to aid them in developing corrective
actions
34.
Report Timeliness & Follow-Up
Prepare the Audit Report as quickly as
accuracy allows so that site staff can
correct problems identified
Auditors may be called upon to assist
technical staff in implementation of
appropriate controls and solutions
Management should follow-up until all
identified deficiencies are corrected
35.
Typical Problems Identified in Audits
Lack of formal IT planning mechanisms,
with the result that IT does not serve the
organization’s pressing needs or does not
do so in a timely and secure manner
Lack of formal security policies resulting in
a piecemeal or “after-an-incident” approach
to security
Inadequate program change control leaving
software vulnerable to unauthorized
changes
36.
Typical Problems Identified in Audits
Little or no awareness of key security issues
and inadequate technical staff to address the
issues
Failure to take advantage of security software
features such as selective monitoring
capabilities, enforcement of stringent password
rules, & review of key security reports
Inadequate user involvement in testing and
sign-off for new applications resulting in
systems that fail to meet user requirements
or confidentiality, integrity, and availability
needs
37.
Typical Problems Identified in Audits
Installation of software or upgrades without
adequate attention to default configurations
or default passwords
Virus definitions not kept up-to-date
Inadequate continuity of operation plans
Failure to formally assign security
administration responsibilities to staff who
are technically competent, independent, and
report to senior management
38.
Typical Problems Identified in Audits
Lack of user awareness
Unnecessarily high access rights
Lack of or inadequate plans for
– An information security management
program
– Physical and logical access controls
– Software change controls
– Segregated duties
– Continuity of business
39.
What Should Auditors Know?
Generally accepted auditing standards state “staff
assigned to conduct the audit should collectively
possess adequate professional proficiency for the
tasks required.”
– This includes computer skills and security knowledge for
IS audits
Although each member of an audit team need not
have all attributes, the team must collectively
possess the requisite attributes to be able to
– Adequately plan the audit
– Assess computer-related controls
– Test the controls
– Determine the effect on the overall audit plan
– Develop findings and recommendations
– Report the results
40.
What Should Auditors Know?
Applicable knowledge is laid out well in the
National State Auditors Association/GAO
Management Planning Guide for
Information Systems Security Auditing
(table on next 2 slides)
Typical knowledge/skill set includes
– Technical competency
– Knowledge and understanding of information
security and privacy requirements and best
practices
– (see the tables)
41.
Knowledge, Skills, and Abilities
Audit Objective / Associated knowledge, skills, and abilities for IS Security Audit Areas
Organizationwide security program planning and management
– Knowledge of applicable legislative requirements for a security program
– Knowledge of the sensitivity of data and the risk management process through risk assessment and risk mitigation
– Knowledge of the risks associated with a deficient security program
– Knowledge of the elements of a good security program
– Ability to analyze and evaluate an organization’s security policies and procedures and identify their strengths and weaknesses
Access control
– Knowledge across platforms of the access paths into computer systems and of the functions of associated hardware and software providing an access path
– Knowledge of access level privileges granted to users and the technology used to provide and control them
– Knowledge of the procedures, tools, and techniques that provide for good physical, technical, and administrative controls over access
– Knowledge of the risks associated with inadequate access controls
– Ability to analyze and evaluate an organization’s access controls and identify the strengths and weaknesses
– Skills to review security software reports and identify access control weaknesses
– Skills to perform penetration testing of the organization’s applications and supporting computer systems
Application software development and change control
– Knowledge of the concept of a system life cycle and of the System Development Life Cycle (SDLC) process
– Knowledge of the auditor’s role during system development and of federal guidelines for designing controls into systems during development
– Knowledge of the procedures, tools, and techniques that provide control over application software development and modification
– Knowledge of the risks associated with the development and modification of application software
– Ability to analyze and evaluate the organization’s methodology and procedures for system development and modification and identify the strengths and weaknesses
Adapted from “Knowledge, Skills, and Abilities for IS Security Audit Areas by FISCAM Objective” from National State Auditors Association/GAO Management Planning Guide for Information Systems Security Auditing, 2001
42.
Knowledge, Skills, and Abilities
Audit Objective / Associated knowledge, skills, and abilities for IS Security Audit Areas
System software
– Knowledge of the different types of system software and their functions
– Knowledge of the risks associated with system software
– Knowledge of the procedures, tools, and techniques that provide control over the implementation, modification, and use of system software
– Ability to analyze and evaluate an organization’s system software controls and identify the strengths and weaknesses
– Skills to use software products to review system software integrity
Segregation of duties
– Knowledge of the different functions involved with information systems and data processing and incompatible duties associated with these functions
– Knowledge of the risks associated with inadequate segregation of duties
– Ability to analyze and evaluate an organization’s organizational structure and segregation of duties and identify the strengths and weaknesses
Business continuity
– Knowledge of the procedures, tools, and techniques that provide for business continuity
– Knowledge of the risks that exist when measures are not taken to provide for business continuity
– Ability to analyze and evaluate an organization’s program and plans for business continuity and identify the strengths and weaknesses
Application controls
– Knowledge about the practices, procedures, and techniques that provide for the authorization, completeness, and accuracy of application data
– Knowledge of typical applications in each business transaction cycle
– Ability to analyze and evaluate an organization’s application controls and identify the strengths and weaknesses
– Skills to use a generalized audit software package to conduct data analyses and tests of application data, and to plan, extract, and evaluate data samples
Adapted from “Knowledge, Skills, and Abilities for IS Security Audit Areas by FISCAM Objective” from National State Auditors Association/GAO Management Planning Guide for Information Systems Security Auditing, 2001
43.
Our Audits
Pre-Audit
– Policy Review
– Administer any questionnaires
– Plan the Audit
•Create audit checklists
•Arrange site visit
Site Visit
– Entry briefing but probably no exit briefing
Prepare Report
Deliver Report
44.
The End…
Questions?
Discussion!
Editor’s Notes
Upon completion of this lesson the student should be able to:
Explain what an information security audit is
Explain the relationship of information security policies to the audit process
Describe how an information security audit is conducted
Discuss knowledge required for members of an information security audit team