Practical Implementation of Automated Assessment Tools for the IT Auditor. John A. Otte, CISSP, CISA, CFE, EnCE, MSIA, Director, Strategic Services, FishNet Security


Page 1: Practical Implementation of Automated Assessment Tools for the IT Auditor

Practical Implementation of Automated Assessment Tools for the IT Auditor

John A. Otte, CISSP, CISA, CFE, EnCE, MSIA

Director, Strategic Services, FishNet Security

Page 2: Practical Implementation of Automated Assessment Tools for the IT Auditor

Agenda
• IT Audit and assessment testing background
• Audit and assessment planning issues
• Challenges to conducting the IT audit
• Benefits of automated assessment tools
• Examples of automated assessment tools
• Automated assessment tools and compliance
• Questions and Open Forum

Page 3: Practical Implementation of Automated Assessment Tools for the IT Auditor

IT Audit and assessment testing background
• Requirements to fulfill internal and external control reviews
• Compliance with federal, local, state and industry regulatory acts
• Detect, prevent and deter misuse, abuse or exposure of or to systems and data
• Identify and remediate system, process or control weaknesses
• Determine adequate design and effectiveness of critical business processes
• Reduce overall true business risk to information systems and data

Page 4: Practical Implementation of Automated Assessment Tools for the IT Auditor

Audit and assessment planning issues
• Integrated audit versus IT Audit
• Time required of the audit and operational staff to conduct the audit
• Testing methodology (e.g., manual versus automated)
• Findings classification/determination
• Communication/reporting of findings

Page 5: Practical Implementation of Automated Assessment Tools for the IT Auditor

Challenges to conducting the IT audit
• IT Auditors need to determine the impact of the systems being assessed during the course of the audit (relevance and criticality)
• Determining the audit approach: manual/checklist versus automated/scripted
• Since information is available electronically and not necessarily in hardcopy, the traditional methods used to gather and evaluate information may not be sufficient
• Some IT Audits require an advanced level of technical skills or in-depth understanding of systems (e.g., operating systems, applications, databases)
• IT Auditors need a deeper understanding of general computer controls (including the use of automated assessment tools) and the potential impact such controls may have on the audit approach
• Disparate reports, non-integration of system logs and/or history

Page 6: Practical Implementation of Automated Assessment Tools for the IT Auditor

Challenges to conducting the IT audit (continued)
• Areas most difficult for the IT Auditor to assess include:
  - Access controls (firewall rules, ACLs)
  - Change management (adds, changes, deletes)
  - Segregation of duties
  - User or system account access to data
  - Location of critical data (applications/databases/storage)
  - Data discovery (at rest, in motion)
• Some IT Audits are extremely resource intensive and require significant IT interaction

Page 7: Practical Implementation of Automated Assessment Tools for the IT Auditor

Benefits of automated assessment tools
• Help overcome issues associated with manual testing of systems and processes
• Most tools are quick to run and require less interaction with IT and business staff
• Provide autonomy and flexibility to the audit approach
• Yield more detailed information than could have been acquired manually
• Many reports are written in non-technical language, so most IT Auditors can understand and use the information regardless of technical skill set
• Reduce audit costs while increasing audit coverage and the quality of value-added recommendations
• Help rapidly identify "high, critical or most vulnerable" risk areas sooner, maximizing remediation timeframes
• Illustrate risks and priorities to IT and business units alike

Page 8: Practical Implementation of Automated Assessment Tools for the IT Auditor

Examples of automated assessment tools

Page 9: Practical Implementation of Automated Assessment Tools for the IT Auditor

Vulnerability Assessment - Nessus

http://www.nessus.org/demos/index.php?view=demo_videos

Page 10: Practical Implementation of Automated Assessment Tools for the IT Auditor

Data Discovery - Vontu
• Allows an IT Auditor to search for and identify "critical" data within information processing systems (servers, desktops, workstations, databases, storage)
• Provides the ability to remediate found data (move, erase, quarantine)
• Gives the IT Auditor a means by which to expand or reduce the scope of an audit based on findings
• Justifies the IT Auditor's remediation findings after validation of the discovered "critical data"
• Empowers the IT Auditor to be a "business enabler" when making recommendations on internal controls or business processes

Page 11: Practical Implementation of Automated Assessment Tools for the IT Auditor

Firewall Reviews - Firemon
• Enables the IT Auditor to quickly review firewall changes using automation
• Helps the IT Auditor detect potential issues before they arise
• Gives a quick view of actual risks in firewall rules
• Enables the IT Auditor to maintain continual analysis of rule changes and their impact

Page 12: Practical Implementation of Automated Assessment Tools for the IT Auditor

Segregation of Duties – Benefits
• Reduces the labor-intensive task of manually reviewing user access to systems and data
• Expedites the testing process for user access reviews
• Analyzes controls at specific transaction levels
• Quick and easy-to-understand reporting on potential conflicts
• Helps IT Auditors better understand both defined and undefined roles within the organization
• Reduces the overall likelihood of risk and fraud
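The transaction-level conflict analysis described above, as an added example that is not part of the original presentation or any vendor's product. The conflict matrix, role catalogue, user assignments and transaction names are all constructed for illustration; the report names the roles that grant each conflicting pair, which also exposes a conflict baked into a single role definition.

```python
"""Segregation-of-duties conflict check at the transaction level (added example)."""
from itertools import combinations

# Constructed conflict matrix: unordered pairs of transactions one person must not
# hold together. Transaction names are hypothetical, not any vendor's codes.
CONFLICT_RULES = {
    frozenset({"VENDOR_CREATE", "INVOICE_APPROVE"}): "create a vendor and approve its invoices",
    frozenset({"INVOICE_APPROVE", "PAYMENT_RELEASE"}): "approve and release a payment unreviewed",
    frozenset({"JOURNAL_POST", "JOURNAL_APPROVE"}): "self-approve journal entries",
    frozenset({"USER_ADMIN", "PAYMENT_RELEASE"}): "grant oneself payment rights",
}

# Constructed role catalogue (role -> transactions) and user-to-role assignments.
ROLES = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER": {"INVOICE_APPROVE", "PAYMENT_RELEASE"},  # conflict inside one role
    "GL_ACCOUNTANT": {"JOURNAL_POST"},
    "GL_REVIEWER": {"JOURNAL_APPROVE"},
    "SEC_ADMIN": {"USER_ADMIN"},
}
ASSIGNMENTS = {
    "alice": ["AP_CLERK", "AP_MANAGER"],       # vendor creation plus invoice approval
    "bob": ["GL_ACCOUNTANT"],                  # no conflict
    "carol": ["GL_ACCOUNTANT", "GL_REVIEWER"],  # posts and approves journals
    "dave": ["SEC_ADMIN", "AP_MANAGER"],       # user admin plus payment release
}

def effective_access(user, roles=ROLES, assignments=ASSIGNMENTS):
    """Map each transaction the user can run to the roles granting it, so a
    finding can name the role to remove rather than only the user."""
    access = {}
    for role in assignments.get(user, []):
        for txn in roles.get(role, ()):
            access.setdefault(txn, set()).add(role)
    return access

def find_conflicts(assignments=ASSIGNMENTS, roles=ROLES, rules=CONFLICT_RULES):
    """Return {user: [(txn_a, txn_b, granting_roles, description), ...]}."""
    report = {}
    for user in assignments:
        access = effective_access(user, roles, assignments)
        hits = []
        for a, b in combinations(sorted(access), 2):  # every unordered pair held
            desc = rules.get(frozenset({a, b}))
            if desc:
                hits.append((a, b, sorted(access[a] | access[b]), desc))
        if hits:
            report[user] = hits
    return report
```

Calling `find_conflicts()` flags alice, carol and dave; the AP_MANAGER entries show a conflict that no reassignment of users can fix without splitting the role itself.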

Page 13: Practical Implementation of Automated Assessment Tools for the IT Auditor

Segregation of Duties – Product Platforms
• Oracle – built-in tools
• SAP – Versa, Business Intelligence, Firefighter, ECC 6.0
• Excel spreadsheets – ComplyXL

Page 14: Practical Implementation of Automated Assessment Tools for the IT Auditor

Automated assessment tools and compliance
• Payment Card Industry Data Security Standard
• Health Insurance Portability and Accountability Act
• Sarbanes-Oxley Act 2002
• Gramm-Leach-Bliley Act

Page 15: Practical Implementation of Automated Assessment Tools for the IT Auditor

Frameworks
• International Standards Organization 27001/2
• COBIT
• COSO
• OCTAVE
• NIST

Page 16: Practical Implementation of Automated Assessment Tools for the IT Auditor

Open Discussion