chap 5a-it audit component
Chap 5 – IT Audit Component
Performing IS Audit (Source: CISA Review)
Classification of Audit
Audit Program
Audit Methodology
Fraud Detection
Risk-based Auditing
Audit Risk and Materiality
Risk Assessment and treatment
Risk Assessment Technique
Audit Objectives
Compliance vs substantive testing
Evidence
Performing IS Audit (Source: CISA Review)
Interviewing and Observing Personnel in Performing Their Duties
Sampling
Using the Services of Other Auditors and Experts
Computer-assisted Audit Techniques (CAAT)
Evaluation of Strengths and Weaknesses
Communicating Audit Results
Management Implementation of Recommendations
Audit documentation
IT Audit Component determined by
Type of IT Audit underlying purpose
Auditor skill
Audit Procedure and Standards
The scope of IT Audit
–Technology
–Process and Procedure
–Organizational Asset
–Operational capabilities
–Management
IT AUDIT POTENTIAL AUDIT SUBJECTS SPAN
Establishing the scope of IT audits
Key: what types of audits are needed, and identifying what must be or could be audited
Audit Phase
Audit Subject: Identify the area (universe) to be audited
Audit Objective: Identify the purpose of the audit. E.g. an objective may be to determine whether program source code changes occur in a well-defined and controlled environment
Audit Scope: Identify the specific system, function or unit of the organization
Pre-audit planning: Identify the technical skills and resources needed; identify the sources of information for test or review; identify the locations and facilities to be audited
Audit procedures and steps for data gathering
Procedures for communication
Audit report preparation
Audit Universe (from COSO)
1. units of organizational structure such as business
units, operating divisions, facilities, or subsidiaries
2. accounting structures such as cost centers, lines of
business, or process areas
3. strategic goals, objectives, and outcomes, which
are evaluated in part by auditing the resources
allocated for their achievement;
4. mission and business processes, services, and
operational functions executed by the organization;
Audit Universe (from COSO)
5. assets—including IT assets—the organization
owns, operates, manages, or controls;
6. programs, projects, and investments to which the
organization commits funding or other resources;
7. internal and external controls implemented by the
organization or on its behalf;
8. management functions or programs such as
governance, risk management, quality assurance,
certification, and compliance as well as internal
auditing.
How to determine Audit Universe
Using Governance, risk, and compliance (GRC) activities
–COBIT 4.1 with 34 processes in four key governance domains
–COBIT 5 with 37 processes among 5 domains
Business Unit Hierarchy
Enterprise Architecture
Business Process Model
Service catalog
Magister Sistem Informasi (MSI)
Example of IS Auditing Component and Process
Dr. Charles H. Apigian
Excerpts from Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing, CoBIT 4.1, and ISO17799
A Comprehensive Network Security Assessment
Vulnerability Assessment / Penetration Test
Security Policies (Change Control Policies)
Security Configuration
User Account Provisioning
Security Monitoring
Employee Training
Social Engineering
List obtained from FDH Consulting via ISACA – Middle Tennessee Chapter
CISA Job Practice Areas
1. IS Audit Process (10%): Provide IS audit services in accordance with IS audit standards, guidelines, and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.
2. IT Governance (15%): To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.
3. Systems and Infrastructure Lifecycle Management (16%): To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization’s objectives.
4. IT Service Delivery and Support (14%): To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.
5. Protection of Information Assets (31%): To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.
6. Business Continuity and Disaster Recovery (14%): To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.
CISM Job Practice Areas
1. Information Security Governance (23%): Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.
2. Information Risk Management (22%): Identify and manage information security risks to achieve business objectives.
3. Information Security Program Development (17%): Create and maintain a program to implement the information security strategy.
4. Information Security Program Management (24%): Oversee and direct information security activities to execute the information security program.
5. Incident Management and Response (14%): Plan, develop and manage a capability to detect, respond to and recover from information security incidents.
CISA/CISM Mapping
CISA job practice areas:
IS Audit Process
IT Governance
Systems and Infrastructure Lifecycle Management
IT Service Delivery and Support
Business Continuity and Disaster Recovery
Protection of Information Assets
CISM job practice areas:
Information Security Governance
Information Risk Management
Information Security Program Development
Incident Management and Response
Information Security Program Management
Area 5: Protection of Information Assets
To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.
− 5.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
− 5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
− 5.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent or minimize loss.
− 5.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
− 5.5 Evaluate the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets.
Knowledge Areas
5.1 Knowledge of the techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis, privacy impact assessment)
5.2 Knowledge of logical access controls for the identification, authentication, and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus, profiles)
5.3 Knowledge of logical access security architectures (e.g., single sign-on, user identification strategies, identity management)
5.4 Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service, spamming)
5.5 Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
5.6 Knowledge of network and Internet security devices, protocols, and techniques (e.g., SSL, SET, VPN, NAT)
5.7 Knowledge of intrusion detection systems and firewall configuration, implementation, operation, and maintenance
5.8 Knowledge of encryption algorithm techniques (e.g., AES, RSA)
5.9 Knowledge of public key infrastructure (PKI) components (e.g., certification authorities, registration authorities) and digital signature techniques
5.10 Knowledge of virus detection tools and control techniques
5.11 Knowledge of security testing and assessment tools (e.g., penetration testing, vulnerability scanning)
5.12 Knowledge of environmental protection practices and devices (e.g., fire suppression, cooling systems, water sensors)
5.13 Knowledge of physical security systems and practices (e.g., biometrics, access cards, cipher locks, tokens)
5.14 Knowledge of data classification schemes (e.g., public, confidential, private, and sensitive data)
5.15 Knowledge of voice communications security (e.g., voice over IP)
5.16 Knowledge of the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets
5.17 Knowledge of controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices, Bluetooth devices)
Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing
[Figure: network diagram with the labels Intranet, Firewall, IDS, Network Admin, VPN, Utilities]
Terminology
Computer Security:
− The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
Information security:
−a “well-informed sense of assurance that the information risks and controls are in balance.”
What is Information Security?
Information security is the protection of information from a wide range of threats in order to ensure:
− business continuity
− minimize business risk
− maximize return on investments and business opportunities.
It is achieved by implementing a suitable set of controls, including:
◦ Policies
◦ Processes
◦ Procedures
◦ Structures
◦ Software functions
◦ Hardware functions
These controls need to be established, implemented, monitored, reviewed, and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.
(ISO/IEC 17799:2005(E) – Information technology – Security techniques – Code of practice for information security management)
Objective of Information Security
is protecting the interests of those relying on information and the systems and communications that deliver the information from harm resulting from failures of confidentiality, integrity, and availability.
The impact of the Internet and the growth of the network economy have added the need for trust in electronic applications. (CobiT Security Baseline, www.itgi.org)
CoBIT Security Baseline 2nd Edition
A comprehensive set of resources that contains the information organizations need to adopt an IT governance and control framework.
COBIT covers security in addition to other risks that can occur with the use of IT. This guide has been updated and aligned with the new COBIT 4.1 framework.
CoBIT Security Baseline 2nd Ed.
This publication focuses on the specific risk of information security in a way that is simple to follow and implement for the home user or the user in small to medium enterprises, as well as for executives and board members of larger organisations. It provides the following elements:
− An introduction to information security—what it means and what it covers
− An explanation of why security is important, with examples of the most common things that can go wrong
− Some thought-provoking questions to help determine risks
− The COBIT-based security baseline, providing key controls
− In addition to the mapping against COBIT 4.1, a mapping against the updated ISO/IEC 17799:2005 (ISO/IEC 27002:2007) information security standard
− Information security survival kits providing essential questions and checklists for varying audiences, including:
home users
professional users
Managers
Executives and boards of directors
− An appendix containing a summary of technical security risks
CoBIT Security Baseline 2nd Edition
IT Process/Control Objective Steps (1 – 44)
Define the security strategy and the information architecture. 1
Define the IT organisation and relationships. 2
Communicate management aims and direction. 3
Manage IT human resources. 4, 5, 6, and 7
Assess and manage IT risks. 8, 9, and 10
Identify automated solutions. 11 and 12
Acquire and maintain application and technology infrastructure. 13, 14, and 15
Enable operation and use. 16
Manage changes. 17 and 18
Install and accredit solutions and changes. 19 and 20
Define and manage service levels. 21
Manage third-party services. 22, 23, and 24
Ensure continuous service. 25 – 33
Manage the configuration. 34 and 35
Manage data. 36, 37, 38, and 39
Manage the physical environment. 40 and 41
Monitor and evaluate IT performance—assess internal control adequacy. 42
Obtain independent assurance. 43
Ensure regulatory compliance. 44
What should an auditor know?
For an auditor, it is not important to be an expert in every facet of security. However, it is important for the auditor to know all elements of protecting assets and the controls that should be in place.
Threats (risk assessment)
Perpetrators
Attacks
Data (types and authority roles)
Data Retention
Personnel Management
Physical Access
Incident Handling
Violation Reporting
Data Processing Locations
Environmental Controls
Technical Protection
Type of Threats
Errors and Omissions
Fraud and Theft
Employee Sabotage
Loss of Physical and Infrastructure Support
Malicious Hackers
Industrial Espionage
Malicious Code
Threats to Personal Privacy
Other Threats
◦ Technological Obsolescence
◦ Compromises to Intellectual Property
◦ Social Engineering
The Perpetrators
Hackers
Crackers
Script Kiddies
Employee Betrayal
Ethical Hacker Gone Bad
Third Parties
Ignorance
Types of Attacks
Passive Attacks
− Network analysis
− Host traffic analysis
− Eavesdropping
Active Attacks
− Social engineering
− Phishing
− Dumpster diving
− Virus
− Worm
− Logic bomb
− Trap door
− Root kit
− Brute force attack
− DOS/DDOS
− Maintenance accounts
Types of Attacks (cont.)
Remote Access Attacks
− War dialing
− War driving/walking
− Source routing
− Salami technique
− Packet replay
− Message modification
− Email spamming and spoofing
Data – What type?
As part of any IS Security Governance technique, it is important to identify data (information assets), and also categorize the type as well as its data owners, users, and custodians.
Types of data (generalized approach)
− Public
− Sensitive
− Private (internal use only)
− Confidential
Authority Roles over Data
Data Owner
− Executives and managers responsible for data content.
− An auditor would review decisions made by the data owner to evaluate whether they were appropriate
Data User
− Business person who benefits from the computerized data
− An auditor would evaluate the effectiveness of management to communicate their controls to the user.
Data Custodian
− Responsible for implementing data storage safeguards and ensuring the availability of data.
Data Retention
Specifies the procedure for storing data and how it will be disposed.
Requirements for retention:
− Value of data
− Its useful life
− Legal requirements
Example
− Financial records must be accessible for 7 years
− Medical records are required to be available indefinitely
− Sale records of property are to be maintained indefinitely, as are many government records
Personnel Management
All employees should undergo a process of security awareness training.
Training programs
− New hire orientation that includes IT security orientation
− Physical security safeguards & asset protection
− Re-educate existing staff about IT security requirements
− Introduction of new security requirements
− Virus protection
− Business continuity
Physical Access
An IS auditor needs to investigate how access is granted for employees, visitors, etc.
Areas of concern
− Sensitive areas (computer room)
− Service ports
− Computer consoles (keyboard of the server)
Terminating Access
The IS auditor should investigate how the organization terminates access and whether it reviews existing access levels.
Review:
− Termination procedures
− Logs of terminated employees
− Access levels of employees
− Transfers within the organization and access to previous position
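The review items above can be tested as a reconciliation of the HR roster against the account system. The following is an added example, not code from the slides or the cited study guide: it flags accounts still enabled after a termination date, logins recorded after that date, transferred staff who kept entitlements from a previous position, and enabled accounts with no HR owner. The users, dates, the role-to-entitlement map and the one-day grace period are all constructed assumptions.

```python
"""Access termination and transfer review.

Added example, not from the slides: an IS auditor's reconciliation of the
HR roster against the account system, testing whether access was removed
on termination and whether transferred staff kept access from a previous
position. All users, dates and the role-to-entitlement map are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed assumption: the entitlements each role legitimately needs.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "accounts_payable": {"erp_ap", "email"},
    "sysadmin": {"erp_ap", "erp_admin", "vpn", "email"},
    "helpdesk": {"ticketing", "email"},
}


@dataclass(frozen=True)
class HrRecord:
    user: str
    status: str                  # "active", "terminated" or "transferred"
    current_role: str
    effective: date              # termination/transfer date (hire date if active)
    previous_role: Optional[str] = None


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    entitlements: FrozenSet[str]
    last_login: Optional[date]


def review_access(hr: List[HrRecord], accounts: List[Account],
                  as_of: date, grace_days: int = 1) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs an auditor would raise as exceptions."""
    findings: List[Tuple[str, str]] = []
    by_user = {a.user: a for a in accounts}

    for rec in hr:
        acct = by_user.get(rec.user)
        if acct is None:
            continue  # nothing to review for this person
        if rec.status == "terminated":
            # Termination procedure: the account must be disabled promptly.
            if acct.enabled and (as_of - rec.effective).days > grace_days:
                findings.append((rec.user, "account still enabled after termination"))
            # Logs of terminated employees: no activity after the leave date.
            if acct.last_login is not None and acct.last_login > rec.effective:
                findings.append((rec.user, "login after termination date"))
        elif rec.status == "transferred":
            # Transfers: access must match the new role, not accumulate.
            allowed = ROLE_ENTITLEMENTS.get(rec.current_role, set())
            leftover = sorted(acct.entitlements - allowed)
            if leftover:
                findings.append((rec.user, f"retains previous-role access: {leftover}"))

    # Access levels of employees: every enabled account needs an HR owner.
    hr_users = {r.user for r in hr}
    for acct in accounts:
        if acct.enabled and acct.user not in hr_users:
            findings.append((acct.user, "enabled account with no HR record"))
    return findings


def run_sample() -> List[Tuple[str, str]]:
    """Constructed HR roster and account export, reviewed as of 2024-03-12."""
    hr = [
        HrRecord("alice", "terminated", "accounts_payable", date(2024, 3, 1)),
        HrRecord("bob", "transferred", "helpdesk", date(2024, 2, 15), previous_role="sysadmin"),
        HrRecord("carol", "active", "helpdesk", date(2023, 6, 1)),
        HrRecord("dave", "terminated", "helpdesk", date(2024, 3, 10)),
    ]
    accounts = [
        Account("alice", True, frozenset({"erp_ap", "email"}), date(2024, 3, 5)),
        Account("bob", True, frozenset({"erp_admin", "vpn", "ticketing", "email"}), date(2024, 3, 11)),
        Account("carol", True, frozenset({"ticketing", "email"}), date(2024, 3, 11)),
        Account("dave", False, frozenset({"ticketing", "email"}), date(2024, 3, 9)),
        Account("svc_legacy", True, frozenset({"vpn"}), None),
    ]
    return review_access(hr, accounts, as_of=date(2024, 3, 12))


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

On the constructed data the review raises four exceptions: two for alice (still enabled and a login after her termination date), one for bob (erp_admin and vpn carried over from the sysadmin role), and one for the orphaned svc_legacy account; dave is disabled with no post-termination activity and passes. In practice the roster and the account export would come from the HR system and the directory, and the role map from the organization's own access model.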
Incident Handling
IS auditors need to investigate how the organization deals with incidents with regard to their security implications.
Auditors should ask:
− What events can trigger an incident response?
− Are users and the help desk trained to know whom to call?
− What is the process?
− Does the response team have an established procedure?
− Are members formally appointed and trained?
Violation reporting
The IS auditor needs to investigate how violations are reported to management.
− Does a formal process exist?
− Will a violation report trigger the incident response team?
Physical Protection (Barriers)
− Closed circuit TV
− Guards
− Special locks
Traditional tumbler locks
Electronic lock
Cipher lock
− Biometrics
− Burglar alarm
− Environmental sensors
Data Processing Locations
The IS auditor should evaluate the siting of data processing (DP) locations.
− Should not draw attention
− Be constructed according to national fire-protection codes
2 hr fire protection rating for floors, ceilings, doors, and walls
− Basements are a poor choice (flooding)
− Normally between the second floor and one floor below the top floor
− Should be monitored and restricted
− 3D space considerations
Environmental Controls
Unstable power is the number one threat
− Emergency power shutoff
− UPS
− Standby Generator
Diesel generator
Natural gas generator
− Dual power leads
− Power transfer system
− Heating, ventilation, and air conditioning
− Fire, smoke, and heat detection (smoke, heat, and flame)
− Fire suppression (wet or dry pipe)
− Water detection
Electrical Power Conditions
Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing
Environmental Controls (cont.)
Safe Storage
− Offsite storage
− Media transport
Disposal Procedures
− Paper, plastic, and photographic data
− Durable and magnetic media
Overwriting
Degaussing
Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing