Chap 5 IT Audit Component

Upload: moch-lutfi

Post on 11-Jul-2016


Page 1: Chap 5a-IT Audit Component

Chap 5 – IT Audit Component

Page 2: Chap 5a-IT Audit Component

Performing IS Audit (Source: CISA Review)

Classification of Audit

Audit Program

Audit Methodology

Fraud Detection

Risk-based Auditing

Audit Risk and Materiality

Risk Assessment and treatment

Risk Assessment Technique

Audit Objectives

Compliance vs substantive testing

Evidence

Page 3: Chap 5a-IT Audit Component

Performing IS Audit (Source: CISA Review)

Interviewing and Observing Personnel in Performing Their Duties

Sampling

Using the Services of Other Auditors and Experts

Computer-Assisted Audit Techniques (CAAT)

Evaluation of Strengths and Weaknesses

Communicating Audit Results

Management Implementation of Recommendations

Audit documentation

Page 4: Chap 5a-IT Audit Component

IT Audit Component determined by

Type of IT Audit underlying purpose

Auditor skill

Audit Procedure and Standards

The scope of IT Audit:

– Technology

– Process and Procedure

– Organizational Asset

– Operational capabilities

– Management

Page 5: Chap 5a-IT Audit Component

IT AUDIT POTENTIAL AUDIT SUBJECTS SPAN

Page 6: Chap 5a-IT Audit Component

Establishing the scope of IT audits

Key: what types of audits are needed, and identifying what must be or could be audited

Page 7: Chap 5a-IT Audit Component

Audit Phase

Audit Subject: Identify the area (universe) to be audited.

Audit Objective: Identify the purpose of the audit. For example, an objective may be to determine whether program source code changes occur in a well-defined and controlled environment.

Audit Scope: Identify the specific system, function or unit of the organization.

Pre-audit Planning: Identify the technical skills and resources needed; identify the sources of information for test or review; identify the locations and facilities to be audited.

Audit Procedures and Steps for Data Gathering

Procedures for Communication

Audit Report Preparation

Page 8: Chap 5a-IT Audit Component

Audit Universe (from COSO)

1. units of organizational structure such as business units, operating divisions, facilities, or subsidiaries;

2. accounting structures such as cost centers, lines of business, or process areas;

3. strategic goals, objectives, and outcomes, which are evaluated in part by auditing the resources allocated for their achievement;

4. mission and business processes, services, and operational functions executed by the organization;

Page 9: Chap 5a-IT Audit Component

Audit Universe (from COSO)

5. assets—including IT assets—the organization owns, operates, manages, or controls;

6. programs, projects, and investments to which the organization commits funding or other resources;

7. internal and external controls implemented by the organization or on its behalf;

8. management functions or programs such as governance, risk management, quality assurance, certification, and compliance as well as internal auditing.

Page 10: Chap 5a-IT Audit Component

How to determine Audit Universe

Using Governance, Risk, and Compliance (GRC) activities

– COBIT 4.1 with 34 processes in four key governance domains

– COBIT 5 with 37 processes in five domains

Business Unit Hierarchy

Enterprise Architecture

Business Process Model

Service catalog

Page 11: Chap 5a-IT Audit Component

Magister Sistem Informasi (MSI)

Example of IS Auditing Component and Process

Dr. Charles H. Apigian

[email protected]

Excerpts from Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing, CoBIT 4.1, and ISO17799

Page 12: Chap 5a-IT Audit Component


A Comprehensive Network Security Assessment

Vulnerability Assessment / Penetration Test

Security Policies (Change Control Policies)

Security Configuration

User Account Provisioning

Security Monitoring

Employee Training

Social Engineering

List obtained from FDH Consulting via ISACA – Middle Tennessee Chapter

Page 13: Chap 5a-IT Audit Component

CISA Job Practice Areas

1. IS Audit Process (10%): Provide IS audit services in accordance with IS audit standards, guidelines, and best practices to assist the organization in ensuring that its information technology and business systems are protected and controlled.

2. IT Governance (15%): To provide assurance that the organization has the structure, policies, accountability, mechanisms, and monitoring practices in place to achieve the requirements of corporate governance of IT.

3. Systems and Infrastructure Lifecycle Management (16%): To provide assurance that the management practices for the development/acquisition, testing, implementation, maintenance, and disposal of systems and infrastructure will meet the organization’s objectives.

4. IT Service Delivery and Support (14%): To provide assurance that the IT service management practices will ensure the delivery of the level of services required to meet the organization’s objectives.

5. Protection of Information Assets (31%): To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.

6. Business Continuity and Disaster Recovery (14%): To provide assurance that in the event of a disruption the business continuity and disaster recovery processes will ensure the timely resumption of IT services while minimizing the business impact.

Page 14: Chap 5a-IT Audit Component

CISM Job Practice Areas

1. Information Security Governance (23%): Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.

2. Information Risk Management (22%): Identify and manage information security risks to achieve business objectives.

3. Information Security Program Development (17%): Create and maintain a program to implement the information security strategy.

4. Information Security Program Management (24%): Oversee and direct information security activities to execute the information security program.

5. Incident Management and Response (14%): Plan, develop and manage a capability to detect, respond to and recover from information security incidents.

Page 15: Chap 5a-IT Audit Component

CISA/CISM Mapping

CISA job practice areas:

IS Audit Process

IT Governance

Systems and Infrastructure Lifecycle Management

IT Service Delivery and Support

Business Continuity and Disaster Recovery

Protection of Information Assets

CISM job practice areas:

Information Security Governance

Information Risk Management

Information Security Program Development

Incident Management and Response

Information Security Program Management

Page 16: Chap 5a-IT Audit Component


Area 5: Protection of Information Assets

To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.

− 5.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.

− 5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.

− 5.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent or minimize loss.

− 5.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that information assets are adequately safeguarded.

− 5.5 Evaluate the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets.

Page 17: Chap 5a-IT Audit Component

Knowledge Areas

5.1 Knowledge of the techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis, privacy impact assessment)

5.2 Knowledge of logical access controls for the identification, authentication, and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus, profiles)

5.3 Knowledge of logical access security architectures (e.g., single sign-on, user identification strategies, identity management)

5.4 Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service, spamming)

5.5 Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)

5.6 Knowledge of network and Internet security devices, protocols, and techniques (e.g., SSL, SET, VPN, NAT)

5.7 Knowledge of intrusion detection systems and firewall configuration, implementation, operation, and maintenance

5.8 Knowledge of encryption algorithm techniques (e.g., AES, RSA)

5.9 Knowledge of public key infrastructure (PKI) components (e.g., certification authorities, registration authorities) and digital signature techniques

5.10 Knowledge of virus detection tools and control techniques

5.11 Knowledge of security testing and assessment tools (e.g., penetration testing, vulnerability scanning)

5.12 Knowledge of environmental protection practices and devices (e.g., fire suppression, cooling systems, water sensors)

5.13 Knowledge of physical security systems and practices (e.g., biometrics, access cards, cipher locks, tokens)

5.14 Knowledge of data classification schemes (e.g., public, confidential, private, and sensitive data)

5.15 Knowledge of voice communications security (e.g., voice over IP)

5.16 Knowledge of the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets

5.17 Knowledge of controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices, Bluetooth devices)

Page 18: Chap 5a-IT Audit Component

Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing

[Network diagram from Cannon (2008); labels visible: Intranet, Firewall, IDS, Network Admin, VPN, Utilities]

Page 19: Chap 5a-IT Audit Component


Terminology

Computer Security:

− The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Information security:

−a “well-informed sense of assurance that the information risks and controls are in balance.”

Page 20: Chap 5a-IT Audit Component

What is Information Security?

Information security is the protection of information from a wide range of threats in order to ensure:

− business continuity

− minimize business risk

− maximize return on investments and business opportunities.

It is achieved by implementing a suitable set of controls, including:

◦ Policies

◦ Processes

◦ Procedures

◦ Structures

◦ Software functions

◦ Hardware functions

These controls need to be established, implemented, monitored, reviewed, and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes.

(ISO/IEC 17799:2005(E) – Information technology – Security techniques – Code of practice for information security management)

Page 21: Chap 5a-IT Audit Component

Objective of Information Security

The objective of information security is protecting the interests of those relying on information and the systems and communications that deliver the information from harm resulting from failures of confidentiality, integrity, and availability.

The impact of the Internet and the growth of the network economy have added the need for trust in electronic applications. (CobiT Security Baseline, www.itgi.org)

Page 22: Chap 5a-IT Audit Component

CoBIT Security Baseline 2nd Edition

A comprehensive set of resources that contains the information organizations need to adopt an IT governance and control framework.

COBIT covers security in addition to other risks that can occur with the use of IT. This guide has been updated and aligned with the new COBIT 4.1 framework.

Page 23: Chap 5a-IT Audit Component


CoBIT Security Baseline 2nd Ed.

This publication focuses on the specific risk of information security in a way that is simple to follow and implement for the home user or the user in small to medium enterprises, as well as for executives and board members of larger organisations. It provides the following elements:

− An introduction to information security—what it means and what it covers

− An explanation of why security is important, with examples of the most common things that can go wrong

− Some thought-provoking questions to help determine risks

− The COBIT-based security baseline, providing key controls

− In addition to the mapping against COBIT 4.1, a mapping against the updated ISO/IEC 17799:2005 (ISO/IEC 27002:2007) information security standard

− Information security survival kits providing essential questions and checklists for varying audiences, including:

◦ home users

◦ professional users

◦ managers

◦ executives and boards of directors

− An appendix containing a summary of technical security risks

Page 24: Chap 5a-IT Audit Component

CoBIT Security Baseline 2nd Edition

IT Process/Control Objective Steps (1 – 44)

Define the security strategy and the information architecture. 1

Define the IT organisation and relationships. 2

Communicate management aims and direction. 3

Manage IT human resources. 4, 5, 6, and 7

Assess and manage IT risks. 8, 9, and 10

Identify automated solutions. 11 and 12

Acquire and maintain application and technology infrastructure. 13, 14, and 15

Enable operation and use. 16

Manage changes. 17 and 18

Install and accredit solutions and changes. 19 and 20

Define and manage service levels. 21

Manage third-party services. 22, 23, and 24

Ensure continuous service. 25 – 33

Manage the configuration. 34 and 35

Manage data. 36, 37, 38, and 39

Manage the physical environment. 40 and 41

Monitor and evaluate IT performance—assess internal control adequacy. 42

Obtain independent assurance. 43

Ensure regulatory compliance. 44

Page 25: Chap 5a-IT Audit Component


What should an auditor know?

For an auditor, it is not important to be an expert in every facet of security. However, it is important for the auditor to know all elements of protecting assets and the controls that should be in place.

Threats (risk assessment)

Perpetrators

Attacks

Data (types and authority roles)

Data Retention

Personnel Management

Physical Access

Incident Handling

Violation Reporting

Data Processing Locations

Environmental Controls

Technical Protection

Page 26: Chap 5a-IT Audit Component


Type of Threats

Errors and Omissions

Fraud and Theft

Employee Sabotage

Loss of Physical and Infrastructure Support

Malicious Hackers

Industrial Espionage

Malicious Code

Threats to Personal Privacy

Other Threats

◦ Technological Obsolescence

◦ Compromises to Intellectual Property

◦ Social Engineering

Page 27: Chap 5a-IT Audit Component


The Perpetrators

Hackers

Crackers

Script Kiddies

Employee Betrayal

Ethical Hacker Gone Bad

Third Parties

Ignorance

Page 28: Chap 5a-IT Audit Component


Types of Attacks

Passive Attacks

− Network analysis

− Host traffic analysis

− Eavesdropping

Active Attacks

− Social engineering

− Phishing

− Dumpster diving

− Virus

− Worm

− Logic bomb

− Trap door

− Rootkit

− Brute force attack

− DoS/DDoS

− Maintenance accounts

Page 29: Chap 5a-IT Audit Component


Types of Attacks (cont.)

Remote Access Attacks

− War dialing

− War driving/walking

− Source routing

− Salami technique

− Packet replay

− Message modification

− Email spamming and spoofing

Page 30: Chap 5a-IT Audit Component


Data – What type?

As part of any IS Security Governance technique, it is important to identify data (information assets), and also categorize the type as well as its data owners, users, and custodians.

Types of data (generalized approach)

− Public

− Sensitive

− Private (internal use only)

− Confidential

Page 31: Chap 5a-IT Audit Component


Authority Roles over Data

Data Owner

− Executives and managers responsible for data content.

− An auditor would review decisions made by the data owner to evaluate whether they were appropriate.

Data User

− Business person who benefits from the computerized data

− An auditor would evaluate the effectiveness of management to communicate their controls to the user.

Data Custodian

− Responsible for implementing data storage safeguards and ensuring the availability of data.

Page 32: Chap 5a-IT Audit Component


Data Retention

Specifies the procedures for storing data and how it will be disposed of.

Requirements for retention:

− Value of data

− Its useful life

− Legal requirements

Example

− Financial records must be accessible for 7 years

− Medical records are required to be available indefinitely

− Sale records of property are to be maintained indefinitely, as are many government records

Page 33: Chap 5a-IT Audit Component


Personnel Management

All employees should undergo a process of security awareness training.

Training programs

− New hire orientation that includes IT security orientation

− Physical security safeguards & asset protection

− Re-educate existing staff about IT security requirements

− Introduction of new security requirements

− Virus protection

− Business continuity

Page 34: Chap 5a-IT Audit Component


Physical Access

An IS auditor needs to investigate how access is granted for employees, visitors, etc.

Areas of concern

− Sensitive areas (computer room)

− Service ports

− Computer consoles (keyboard of the server)

Page 35: Chap 5a-IT Audit Component


Terminating Access

The IS auditor should investigate how the organization terminates access and whether it reviews existing access levels.

Review:

− Termination procedures

− Logs of terminated employees

− Access levels of employees

− Transfers within the organization and access to previous position
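The four review items above can be turned into a repeatable audit test: reconcile HR termination and transfer records against the entitlements each account still holds and against access-log evidence. The script below is an added example, not from the slides or from Cannon; the HR records, role-to-entitlement mapping, current access list and log lines are all constructed, and the "timestamp key=value ..." log format is an assumption.

```python
from datetime import date, datetime

# Constructed sample data (not from the slides): HR status records, the
# entitlements each role should carry, and what each account holds today.
HR_RECORDS = {
    "alice": {"status": "terminated", "effective": "2016-06-30", "role": "ap-clerk"},
    "bob": {"status": "transferred", "effective": "2016-05-15",
            "role": "finance-analyst", "previous_role": "sysadmin"},
    "carol": {"status": "active", "effective": None, "role": "dba"},
}
ROLE_ENTITLEMENTS = {
    "ap-clerk": {"erp-ap"},
    "finance-analyst": {"erp-gl", "bi-reports"},
    "sysadmin": {"erp-admin", "ad-domain-admins"},
    "dba": {"erp-db"},
}
CURRENT_ACCESS = {
    "alice": {"erp-ap"},
    "bob": {"erp-gl", "bi-reports", "ad-domain-admins"},
    "carol": {"erp-db"},
}
# Constructed access-log lines in an assumed "timestamp key=value ..." format.
ACCESS_LOG = """\
2016-06-29T08:12:03 user=alice system=erp-ap result=success
2016-07-02T22:41:17 user=alice system=erp-ap result=success
2016-07-05T09:00:41 user=carol system=erp-db result=success
2016-07-06T13:15:09 user=bob system=ad-domain-admins result=success
"""

def parse_log(text):
    """Parse the constructed log lines into (timestamp, user, system) tuples."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["user"], kv["system"]))
    return events

def review_terminations(hr, current_access, log_text):
    """Return audit exceptions per user: entitlements still held after
    termination, log evidence of use after the termination date, and
    previous-role entitlements retained after an internal transfer."""
    findings = {}
    events = parse_log(log_text)
    for user, rec in hr.items():
        issues = []
        held = current_access.get(user, set())
        if rec["status"] == "terminated":
            cutoff = date.fromisoformat(rec["effective"])
            if held:
                issues.append("account_not_disabled")
            if any(u == user and t.date() > cutoff for t, u, _ in events):
                issues.append("access_after_termination")
        elif rec["status"] == "transferred":
            # Access justified by the new role is fine; leftovers are exceptions.
            legacy = (held & ROLE_ENTITLEMENTS[rec["previous_role"]]) - ROLE_ENTITLEMENTS[rec["role"]]
            if legacy:
                issues.append("legacy_access:" + ",".join(sorted(legacy)))
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in review_terminations(HR_RECORDS, CURRENT_ACCESS, ACCESS_LOG).items():
        print(user, issues)
```

In this sample the terminated user is flagged twice (still entitled, and seen logging in after the effective date) and the transferred user is flagged for a retained previous-role entitlement; the active user produces no finding.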

Page 36: Chap 5a-IT Audit Component


Incident Handling

IS auditors need to investigate how the organization deals with incidents with regard to their security implications.

Auditors should ask:

− Events that can trigger an incident response

− Are users/help desk trained to know where to call

− What is the process

− Does the response team have an established procedure

− Are members formally appointed and trained

Page 37: Chap 5a-IT Audit Component


Violation reporting

The IS auditor needs to investigate how violations are reported to management

− Does a formal process exist

− Will a violation report trigger the incident response team

Page 38: Chap 5a-IT Audit Component


Physical Protection (Barriers)

− Closed circuit TV

− Guards

− Special locks

◦ Traditional tumbler locks

◦ Electronic lock

◦ Cipher lock

− Biometrics

− Burglar alarm

− Environmental sensors

Page 39: Chap 5a-IT Audit Component


Data Processing Locations

The IS auditor should evaluate the location of data processing facilities.

− Should not draw attention

− Be constructed according to national fire-protection codes

◦ 2 hr fire protection rating for floors, ceilings, doors, and walls

− Basements are a poor choice (flooding)

− Normally between the second floor and one floor below the top floor

− Should be monitored and restricted

− 3D space considerations

Page 40: Chap 5a-IT Audit Component


Environmental Controls

Unstable power is the number one threat

− Emergency power shutoff

− UPS

− Standby Generator

◦ Diesel generator

◦ Natural gas generator

− Dual power leads

− Power transfer system

− Heating, ventilation, and air conditioning

− Fire, smoke, and heat detection (smoke, heat, and flame)

− Fire suppression (wet or dry pipe)

− Water detection

Page 41: Chap 5a-IT Audit Component


Electrical Power Conditions

Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing

Page 42: Chap 5a-IT Audit Component


Environmental Controls (cont.)

Safe Storage

− Offsite storage

− Media transport

Disposal Procedures

− Paper, plastic, and photographic data

− Durable and magnetic media

◦ Overwriting

◦ Degaussing

Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing