Auditing Corporate Information Security
John R. Robles
Tuesday, November 1, 2005
Email: jrobles@coqui.net
Tel: 787-647-396



Steps in the Information Security Audit
• Plan
• Gather data
• Analyze and test
• Conclude
• Report findings

Federal Financial Institutions Examination Council (FFIEC)
• Federal Reserve System
• Federal Deposit Insurance Corporation (FDIC)
• National Credit Union Administration (NCUA)
• Office of the Comptroller of the Currency (OCC), and
• The Office of Thrift Supervision (OTS)

Information Systems Security Standards based on:
FFIEC Information Technology Examination Handbook
http://www.ffiec.gov/ffiecinfobase/

Audit areas include:
• Audit
• Business Continuity Planning
• Development and Acquisition
• E-Banking
• FedLine
• Information Security
• Management
• Operations
• Outsourcing Technology Services
• Retail Payment Systems
• Supervision of Technology Service Providers
• Wholesale Payment Systems

INFORMATION SECURITY WORK PROGRAM

EXAMINATION OBJECTIVE: Assess the quantity of risk and the effectiveness of the institution’s risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution’s systems.

The objectives and procedures are divided into Tier I and Tier II:

Tier I assesses an institution’s process for identifying and managing risks.

Tier II provides additional verification where risk warrants it.

Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.

Tier I Audit Objectives

Objective 1: Determine the appropriate scope for the examination.

Quantity of Risk

Objective 2: Determine the complexity of the institution’s information security environment.

Quality of Risk Management

Objective 3: Determine the adequacy of the risk assessment process.

Objective 4: Evaluate the adequacy of security policies relative to the risk to the institution.

Objective 5: Evaluate the security-related controls embedded in vendor management.

Objective 6: Determine the adequacy of security testing.

Objective 7: Evaluate the effectiveness of enterprise-wide security administration.

Conclusions

Objective 8: Discuss corrective action and communicate findings.

Tier II Controls
• Access Rights Administration
• Authentication
• Network Security
• Host Security
• User Equipment Security
• Physical Security
• Personnel Security

Tier II Controls (Continued)
• Application Security
• Software Development and Acquisition
• Business Continuity Security
• Intrusion Detection and Response
• Service Provider Oversight Security
• Encryption Security
• Data Security

Audit to Information Security Standards used by the Information Security department
• ISO 17799 – worldwide standard
  http://www.iso.org/iso/en/prods-services/popstds/informationsecurity.html
• COBIT – High Level Standard, www.isaca.org
• Industry specific – HIPAA Final Security Standards
• Industry specific – FFIEC Standard
• NIST

ISO 17799 - This is essentially the set of security controls: the measures and safeguards for potential implementation. In volume it is the main body of the overall 'standard set' itself.

1. Security Policy

2. Security Organization
  • Information Security Infrastructure
  • Security and Third Party Access
  • Outsourcing

3. Asset Classification and Control
  • Accountability for assets
  • Information Classification

4. Personnel Security
  • Security in Job Definition and Resourcing
  • User Training
  • Responding to Security Incidents and Malfunctions

5. Physical and Environmental Security
  • Secure Areas
  • Equipment Security
  • General Controls

6. Communications and Operations Management
  • Operational Procedures and Responsibility
  • System Planning and Acceptance
  • Protection Against Malicious Software
  • Housekeeping
  • Network Management
  • Media Handling and Security
  • Exchanges of Information and Software

7. Access Control
  • Business Requirement for Access Control
  • User Access Management
  • User Responsibilities
  • Network Access Control
  • Operating System Access Control
  • Application Access Management
  • Monitoring System Access and Use
  • Mobile Computing and Teleworking

8. System Development and Maintenance
  • Security Requirements of Systems
  • Security in Application Systems
  • Cryptographic Controls
  • Security of System Files
  • Security in Development and Support Processes

9. Business Continuity Management
  • Aspects of Business Continuity Management

10. Compliance
  • Compliance with Legal Requirements
  • Reviews of Security Policy and Technical Compliance
  • System Audit Considerations

COBIT—IT Control Framework
Four (4) IT Domains and 34 Processes

PLAN AND ORGANISE
• PO1—Define a strategic IT plan
• PO2—Define the information architecture
• PO3—Determine the technological direction
• PO4—Define the IT organization and relationships
• PO5—Manage the IT investment
• PO6—Communicate management aims and direction
• PO7—Manage human resources
• PO8—Ensure compliance with external requirements
• PO9—Assess risks
• PO10—Manage projects
• PO11—Manage quality

ACQUIRE AND IMPLEMENT
• AI1—Identify automated solutions
• AI2—Acquire and maintain application software
• AI3—Acquire and maintain technology infrastructure
• AI4—Develop and maintain procedures
• AI5—Install and accredit systems
• AI6—Manage changes

DELIVER AND SUPPORT
• DS1—Define and manage service levels
• DS2—Manage third-party services
• DS3—Manage performance and capacity
• DS4—Ensure continuous service
• DS5—Ensure systems security
• DS6—Identify and allocate costs
• DS7—Educate and train users
• DS8—Assist and advise customers
• DS9—Manage the configuration
• DS10—Manage problems and incidents
• DS11—Manage data
• DS12—Manage facilities
• DS13—Manage operations

MONITOR AND EVALUATE
• M1—Monitor the processes
• M2—Assess internal control adequacy
• M3—Obtain independent assurance
• M4—Provide for independent audit

• Test Controls
• Document Findings
• Prepare Report and present recommendations to management

Thank You!

John R. Robles
Email: jrobles@coqui.net
Tel: 787-647-396
http://home.coqui.net/jrobles