1 / 63

IT Audit Methodologies

IT Audit Methodologies. IT Audit Methodologies. Main Areas of Use. IT Audits Risk Analysis Health Checks (Security Benchmarking) Security Concepts Security Manuals / Handbooks. Security Definition. Confidentiality Integrity Correctness Completeness Availability. CobiT.

kennethgraves
Télécharger la présentation

IT Audit Methodologies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. IT AuditMethodologies IT Audit Methodologies

  2. Main Areas of Use • IT Audits • Risk Analysis • Health Checks (Security Benchmarking) • Security Concepts • Security Manuals / Handbooks IT Audit Methodoloies

  3. Security Definition • Confidentiality • Integrity • Correctness • Completeness • Availability IT Audit Methodoloies

  4. CobiT • Governance, Control & Audit for IT • Developed by ISACA • Releases • CobiT 1: 1996 • 32 Processes • 271 Control Objectives • CobiT 2: 1998 • 34 Processes • 302 Control Objectives IT Audit Methodoloies

  5. CobiT - Model for IT Governance • 36 Control models used as basis: • Business control models (e.g. COSO) • IT control models (e.g. DTI‘s CoP) • CobiT control model covers: • Security (Confidentiality, Integrity, Availability) • Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information) • IT Resources (Data, Application Systems, Technology, Facilities, People) IT Audit Methodoloies

  6. CobiT - Framework IT Audit Methodoloies

  7. CobiT - Structure • 4 Domains • PO - Planning & Organisation • 11 processes (high-level control objectives) • AI - Acquisition & Implementation • 6 processes (high-level control objectives) • DS - Delivery & Support • 13 processes (high-level control objectives) • M - Monitoring • 4 processes (high-level control objectives) IT Audit Methodoloies

  8. PO - Planning and Organisation • PO 1 Define a Strategic IT Plan • PO 2 Define the Information Architecture • PO 3 Determine the Technological Direction • PO 4 Define the IT Organisation and Relationships • PO 5 Manage the IT Investment • PO 6 Communicate Management Aims and Direction • PO 7 Manage Human Resources • PO 8 Ensure Compliance with External Requirements • PO 9 Assess Risks • PO 10 Manage Projects • PO 11 Manage Quality IT Audit Methodoloies

  9. AI - Acquisition and Implementation • AI 1 Identify Solutions • AI 2 Acquire and Maintain Application Software • AI 3 Acquire and Maintain Technology Architecture • AI 4 Develop and Maintain IT Procedures • AI 5 Install and Accredit Systems • AI 6 Manage Changes IT Audit Methodoloies

  10. DS - Delivery and Support • DS 1 Define Service Levels • DS 2 Manage Third-Party Services • DS 3 Manage Performance and Capacity • DS 4 Ensure Continuous Service • DS 5 Ensure Systems Security • DS 6 Identify and Attribute Costs • DS 7 Educate and Train Users • DS 8 Assist and Advise IT Customers • DS 9 Manage the Configuration • DS 10 Manage Problems and Incidents • DS 11 Manage Data • DS 12 Manage Facilities • DS 13 Manage Operations IT Audit Methodoloies

  11. M - Monitoring • M 1 Monitor the Processes • M 2 Assess Internal Control Adequacy • M 3 Obtain Independent Assurance • M 4 Provide for Independent Audit IT Audit Methodoloies

  12. IT Processes CobiT - IT Process Matrix Information Criteria • Effectiveness • Efficiency • Confidentiality • Integrity • Availability • Compliance • Reliability IT Resources • People • Applications • Technology • Facilities • Data IT Audit Methodoloies

  13. CobiT - Summary • Mainly used for IT audits, incl. security aspects • No detailed evaluation methodology described • Developed by international organisation (ISACA) • Up-to-date: Version 2 released in 1998 • Only high-level control objectives described • Detailed IT control measures are not documented • Not very user friendly - learning curve! • Evaluation results not shown in graphic form IT Audit Methodoloies

  14. CobiT - Summary • May be used for self assessments • Useful aid in implementing IT control systems • No suitable basis to write security handbooks • CobiT package from ISACA: $ 100.-- • 3 parts freely downloadable from ISACA site • Software available from Methodware Ltd., NZ (www.methodware.co.nz) • CobiT Advisor 2nd edition: US$ 600.-- IT Audit Methodoloies

  15. BS 7799 - CoP • Code of Practice for Inform. Security Manag. • Developed by UK DTI, BSI: British Standard • Releases • CoP: 1993 • BS 7799: Part 1: 1995 • BS 7799: Part 2: 1998 • Certification & Accreditation scheme (c:cure) IT Audit Methodoloies

  16. BS 7799 - Security Baseline Controls • 10 control categories • 32 control groups • 109 security controls • 10 security key controls IT Audit Methodoloies

  17. BS 7799 - Control Categories • Information security policy • Security organisation • Assets classification & control • Personnel security • Physical & environmental security • Computer & network management IT Audit Methodoloies

  18. BS 7799 - Control Categories • System access control • Systems development & maintenance • Business continuity planning • Compliance IT Audit Methodoloies

  19. BS7799 - 10 Key Controls • Information security policy document • Allocation of information security responsibilities • Information security education and training • Reporting of security incidents • Virus controls IT Audit Methodoloies

  20. BS7799 - 10 Key Controls • Business continuity planning process • Control of proprietary software copying • Safeguarding of organizational records • Data protection • Compliance with security policy IT Audit Methodoloies

  21. BS7799 - Summary • Main use: Security Concepts & Health Checks • No evaluation methodology described • British Standard, developed by UK DTI • Certification scheme in place (c:cure) • BS7799, Part1, 1995 is being revised in 1999 • Lists 109 ready-to-use security controls • No detailed security measures described • Very user friendly - easy to learn IT Audit Methodoloies

  22. BS7799 - Summary • Evaluation results not shown in graphic form • May be used for self assessments • BS7799, Part1: £ 94.-- • BS7799, Part2: £ 36.-- • BSI Electronic book of Part 1: £ 190.-- + VAT • Several BS7799 c:cure publications from BSI • CoP-iT software from SMH, UK: £349+VAT (www.smhplc.com) IT Audit Methodoloies

  23. BSI (Bundesamt für Sicherheit in der Informationstechnik) • IT Baseline Protection Manual(IT- Grundschutzhandbuch ) • Developed by German BSI (GISA: German Information Security Agency) • Releases: • IT security manual: 1992 • IT baseline protection manual: 1995 • New versions (paper and CD-ROM): each year IT Audit Methodoloies

  24. BSI - Approach IT Audit Methodoloies

  25. BSI - Approach • Used to determine IT security measures for medium-level protection requirements • Straight forward approach since detailed risk analysis is not performed • Based on generic & platform specific security requirements detailed protection measures are constructed using given building blocks • List of assembled security measures may be used to establish or enhance baseline protection IT Audit Methodoloies

  26. BSI - Structure • IT security measures • 7 areas • 34 modules (building blocks) • Safeguards catalogue • 6 categories of security measures • Threats catalogue • 5 categories of threats IT Audit Methodoloies

  27. BSI - Security Measures (Modules) • Protection for generic components • Infrastructure • Non-networked systems • LANs • Data transfer systems • Telecommunications • Other IT components IT Audit Methodoloies

  28. BSI - Generic Components • 3.1 Organisation • 3.2 Personnel • 3.3 Contingency Planning • 3.4 Data Protection IT Audit Methodoloies

  29. BSI - Infrastructure • 4.1 Buildings • 4.2 Cabling • 4.3 Rooms • 4.3.1 Office • 4.3.2 Server Room • 4.3.3 Storage Media Archives • 4.3.4 Technical Infrastructure Room • 4.4 Protective cabinets • 4.5 Home working place IT Audit Methodoloies

  30. BSI - Non-Networked Systems • 5.1 DOS PC (Single User) • 5.2 UNIX System • 5.3 Laptop • 5.4 DOS PC (multiuser) • 5.5 Non-networked Windows NT computer • 5.6 PC with Windows 95 • 5.99 Stand-alone IT systems IT Audit Methodoloies

  31. BSI - LANs • 6.1 Server-Based Network • 6.2 Networked Unix Systems • 6.3 Peer-to-Peer Network • 6.4 Windows NT network • 6.5 Novell Netware 3.x • 6.6 Novell Netware version 4.x • 6.7 Heterogeneous networks IT Audit Methodoloies

  32. BSI - Data Transfer Systems • 7.1 Data Carrier Exchange • 7.2 Modem • 7.3 Firewall • 7.4 E-mail IT Audit Methodoloies

  33. BSI - Telecommunications • 8.1 Telecommunication system • 8.2 Fax Machine • 8.3 Telephone Answering Machine • 8.4 LAN integration of an IT system via ISDN IT Audit Methodoloies

  34. BSI - Other IT Components • 9.1 Standard Software • 9.2 Databases • 9.3 Telecommuting IT Audit Methodoloies

  35. BSI - Module „Data Protection“ (3.4) • Threats - Technical failure: • T 4.13 Loss of stored data • Security Measures - Contingency planning: • S 6.36 Stipulating a minimum data protection concept • S 6.37 Documenting data protection procedures • S 6.33 Development of a data protection concept (optional) • S 6.34 Determining the factors influencing data protection (optional) • S 6.35 Stipulating data protection procedures (optional) • S 6.41 Training data reconstruction • Security Measures - Organisation: • S 2.41 Employees' commitment to data protection • S 2.137 Procurement of a suitable data backup system IT Audit Methodoloies

  36. BSI - Safeguards (420 safeguards) • S1 - Infrastructure ( 45 safeguards) • S2 - Organisation (153 safeguards) • S3 - Personnel ( 22 safeguards) • S4 - Hardware & Software ( 83 safeguards) • S5 - Communications ( 62 safeguards) • S6 - Contingency Planning ( 55 safeguards) IT Audit Methodoloies

  37. BSI - S1-Infrastructure (45 safeguards) • S 1.7 Hand-held fire extinguishers • S 1.10 Use of safety doors • S 1.17 Entrance control service • S 1.18 Intruder and fire detection devices • S 1.27 Air conditioning • S 1.28 Local uninterruptible power supply [UPS] • S 1.36 Safekeeping of data carriers before and after dispatch IT Audit Methodoloies

  38. BSI - Security Threats (209 threats) • T1 - Force Majeure (10 threats) • T2 - Organisational Shortcomings (58 threats) • T3 - Human Errors (31 threats) • T4 - Technical Failure (32 threats) • T5 - Deliberate acts (78 threats) IT Audit Methodoloies

  39. BSI - T3-Human Errors (31 threats) • T 3.1 Loss of data confidentiality/integrity as a result of IT user error • T 3.3 Non-compliance with IT security measures • T 3.6 Threat posed by cleaning staff or outside staff • T 3.9 Incorrect management of the IT system • T 3.12 Loss of storage media during transfer • T 3.16 Incorrect administration of site and data access rights • T 3.24 Inadvertent manipulation of data • T 3.25 Negligent deletion of objects IT Audit Methodoloies

  40. BSI - Summary • Main use: Security concepts & manuals • No evaluation methodology described • Developed by German BSI (GISA) • Updated version released each year • Lists 209 threats & 420 security measures • 34 modules cover generic & platform specific security requirements IT Audit Methodoloies

  41. BSI - Summary • User friendly with a lot of security details • Not suitable for security risk analysis • Results of security coverage not shown in graphic form • Manual in HTML format on BSI web server • Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each) • Paper copy of manual: DM 118.-- • Software ‚BSI Tool‘ (only in German): DM 515.-- IT Audit Methodoloies

  42. ITSEC, Common Criteria • ITSEC: IT Security Evaluation Criteria • Developed by UK, Germany, France, Netherl. and based primarily on USA TCSEC (Orange Book) • Releases • ITSEC: 1991 • ITSEM: 1993 (IT Security Evaluation Manual) • UK IT Security Evaluation & Certification scheme: 1994 IT Audit Methodoloies

  43. ITSEC, Common Criteria • Common Criteria (CC) • Developed by USA, EC: based on ITSEC • ISO International Standard • Releases • CC 1.0: 1996 • CC 2.0: 1998 • ISO IS 15408: 1999 IT Audit Methodoloies

  44. ITSEC - Methodology • Based on systematic, documented approach for security evaluations of systems & products • Open ended with regard to defined set of security objectives • ITSEC Functionality classes; e.g. FC-C2 • CC protection profiles • Evaluation steps: • Definition of functionality • Assurance: confidence in functionality IT Audit Methodoloies

  45. ITSEC - Functionality • Security objectives (Why) • Risk analysis (Threats, Countermeasures) • Security policy • Security enforcing functions (What) • technical & non-technical • Security mechanisms (How) • Evaluation levels IT Audit Methodoloies

  46. ITSEC - Assurance • Goal: Confidence in functions & mechanisms • Correctness • Construction (development process & environment) • Operation (process & environment) • Effectiveness • Suitability analysis • Strength of mechanism analysis • Vulnerabilities (construction & operation) IT Audit Methodoloies

  47. CC - Security Concept IT Audit Methodoloies

  48. CC - Evaluation Goal IT Audit Methodoloies

  49. CC Part 3 Assurance Requirements CC Part 2 • Assurance Classes • Assurance Families • Assurance Components • Detailed Requirements • Evaluation Assurance Levels (EAL) Functional Requirements CC Part 1 • Functional Classes • Functional Families • FunctionalComponents • Detailed Requirements Introduction and Model • Introduction to Approach • Terms and Model • Requirements forProtection Profiles (PP)and Security Targets (ST) CC - Documentation IT Audit Methodoloies

  50. CC - Security Requirements Functional Requirements • for defining security behavior of the IT product or system: • implemented requirements • become security functions Assurance Requirements • for establishing confidence in Security Functions: • correctness of implementation • effectiveness in satisfying objectives IT Audit Methodoloies

More Related