1 / 31

IT Security Auditing

IT Security Auditing. Martin Goldberg. Today’s Topics. Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications. Defining IT Security Audit. Financial Audit IRS Physical Audit Inventory. Defining IT Security Audit (cont.). IT Audit

braden
Télécharger la présentation

IT Security Auditing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IT Security Auditing Martin Goldberg

  2. Today’s Topics • Defining IT Audit and the Auditor • Steps of an IT Audit • Preparing to be Audited • How IT Audit Applications

  3. Defining IT Security Audit • Financial Audit • IRS • Physical Audit • Inventory

  4. Defining IT Security Audit (cont.) • IT Audit • Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend changes in controls, policies, or procedures - DL 1.1.9 • Good Amount of Vagueness • Ultimately defined by where you work

  5. Who is an IT Auditor • Accountant Raised to a CS Major • CPA, CISA, CISM, Networking, Hardware, Software, Information Assurance, Cryptography • Some one who knows everything an accountant does plus everything a BS/MS does about CS and Computer Security - Not likely to exist • IT Audits Are Done in Teams • Accountant + Computer Geek = IT Audit Team • Scope to large • Needed expertise varies

  6. CISA? CISM? • CISA - Certified Information Systems Auditor • CISM - Certified Information Systems Mangager - new • www.isaca.org (Information Systems Audit and Control Organization) • Teaching financial auditors to talk to CS people

  7. CISA • Min. of 5 years of IS auditing, control or security work experience • Code of professional ethics • Adhering to IS auditing standards • Exam topics: • 1. Management, Planning, and Organization of IS • 2. Technical Infrastructure and Operational Practices • 3. Protection of Information Assets

  8. CISA (cont.) • Exam topics: (cont.) • 4. Disaster Recovery and Business Continuity • 5. Business Application System Development, Acquisition, Implementation, and Maintenance • 6. Business Process Evaluation and Risk Management • 7. The IS Audit Process

  9. CISM • Next step above CISA • Exam topics: • 1. Information Security Governance • 2. Risk Management • 3. Information Security Program Management • 4. Information Security Management • 5. Response Management

  10. Steps of An IT Audit • 1. Planning Phase • 2. Testing Phase • 3. Reporting Phase • Ideally it’s a continuous cycle • Again not always the case

  11. Entry Meeting Define Scope Learn Controls Historical Incidents Past Audits Site Survey Review Current Policies Questionnaires Define Objectives Develop Audit Plan / Checklist Planning Phase

  12. Defining Objectives & Data Collection • Some Points to Keep in Mind • OTS (Department of Treasury - Office of Thrift Savings) - Banking Regulations • SEC (Securities and Exchange Commission) - Mutual Funds • HIPPA - Health Care • Sarbanes Oxley - Financial Reports, Document Retention • Gramm-Leach Bliley - Consumer Financial Information • FERPA (Family Education Rights and Privacy Act) - Student Records • Clearence

  13. Example Checklist • “An Auditor’s Checklist for Performing a Perimeter Audit of on IBM ISERIES (AS/400) System” - Craig Reise • Scope of the audit does not include the Operating System • Physical security • Services running

  14. Testing Phase • Meet With Site Managers • What data will be collected • How/when will it be collected • Site employee involvement • Answer questions

  15. Testing Phase (cont.) • Data Collection • Based on scope/objectives • Types of Data • Physical security • Interview staff • Vulnerability assessments • Access Control assessments

  16. Reporting Phase • Exit Meeting - Short Report • Immediate problems • Questions & answer for site managers • Preliminary findings • NOT able to give in depth information

  17. Reporting Phase (cont.) • Long Report After Going Through Data • Intro defining objectives/scope • How data was collected • Summary of problems • Table format • Historical data (if available) • Ratings • Fixes • Page # where in depth description is

  18. Reporting Phase (cont.) • In depth description of problem • How problem was discovered • Fix (In detail) • Industry standards (if available) • Glossary of terms • References • Note: The Above Varies Depending on Where You Work

  19. Preparing To Be Audited • This Is NOT a Confrontation • Make Your Self Available • Know What The Scope/Objectives Are • Know What Type of Data Will be Collected • Know What Data Shouldn’t be Collected

  20. Example - Auditing User & Groups

  21. Application Audit • An assessment Whose Scope Focuses on a Narrow but Business Critical Processes or Application • Excel spreadsheet with embedded macros used to analyze data • Payroll process that may span across several different servers, databases, operating systems, applications, etc. • The level of controls is dependent on the degree of risk involved in the incorrect or unauthorized processing of data

  22. Application Audit (cont.) • 1. Administration • 2. Inputs, Processing, Outputs • 3. Logical Security • 4. Disaster Recovery Plan • 5. Change Management • 6. User Support • 7. Third Party Services • 8 . General Controls

  23. Application Audit - Administration • Probably the most important area of the audit, because this area focuses on the overall ownership and accountability of the application • Roles & Responsibilities - development, change approval, access authorization • Legal or regulatory compliance issues

  24. Application Audit - Inputs, Processing, Outputs • Looking for evidence of data preparation procedures, reconciliation processes, handling requirements, etc. • Run test transactions against the application • Includes who can enter input and see output • Retention of output and its destruction

  25. Application Audit - Logical Security • Looking at user creation and authorization as governed by the application its self • User ID linked to a real person • Number of allowable unsuccessful log-on attempts • Minimum password length • Password expiration • Password Re-use ability

  26. Application Audit - Disaster Recovery Plan • Looking for an adequate and performable disaster recovery plan that will allow the application to be recovered in a reasonable amount of time after a disaster • Backup guidelines, process documentation, offsite storage guidelines, SLA’s with offsite storage vendors, etc.

  27. Application Audit - Change Management • Examines the process changes to an application go through • Process is documented, adequate and followed • Who is allowed to make a request a change, approve a change and make the change • Change is tested and doesn’t break compliance (determined in Administration) before being placed in to production

  28. Application Audit - User Support • One of the most overlooked aspects of an application • User documentation (manuals, online help, etc.) - available & up to date • User training - productivity, proper use, security • Process for user improvement requests

  29. Application Audit - Third Party Services • Look at the controls around any 3rd party services that are required to meet business objectives for the application or system • Liaison to 3rd party vendor • Review contract agreement • SAS (Statement on Auditing Standards) N0. 70 - Service organizations disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format

  30. Application Audit - General Controls • Examining the environment the application exists within that affect the application • System administration / operations • Organizational logical security • Physical security • Organizational disaster recovery plans • Organizational change control process • License control processes • Virus control procedures

  31. References • www.isaca.org • “An Auditor’s Checklist for Performing a Perimeter Audit of on IBM ISERIES (AS/400) System” - Craig Reise • “Conducting a Security Audit: An Introductory Overview” - Bill Hayes • “The Application Audit Process - A Guide for Information Security Professionals” - Robert Hein

More Related