Auditing


Transcript of Auditing

Page 1: Auditing

http://null.co.in/ http://nullcon.net/

Who am I

null

nullcon

Hackim

Battle UnderGround

Hyderabad Hackers missing two hackers

Page 2: Auditing


What are companies worried about?

Page 3: Auditing


Confidentiality: restrictions on the accessibility and dissemination of information.

Integrity: protecting data from modification or deletion by unauthorized parties.

Availability: ensures that information or resources are available when required.

Page 4: Auditing


A control put into place to mitigate potential loss.

Page 5: Auditing


AUDITING: Industry needs it?

Ch.Pardhasaradhi a.k.a Babloo

[email protected]

Page 6: Auditing


AGENDA

What is Auditing

Types of Auditors

Audit Planning

Audit Classification

Practical Examples

Phases of the Audit Process

Security Policy

Page 7: Auditing


Auditing

An audit is an evaluation of an organization, system, process, project or product.

Performed by competent, independent and objective persons, known as auditors, who then issue a report on the results of the audit.

Who is responsible

Formerly called an Electronic Data Processing (EDP) audit

Page 8: Auditing


Types of auditors

Two types of auditors:

Internal Auditors: these are employees of a company hired to assess and evaluate its system of internal control.

External Auditors: these are independent staff assigned by an auditing firm to assess and evaluate financial statements of their clients or to perform other agreed-upon evaluations.

Page 9: Auditing


PHASES OF THE AUDIT PROCESS

Subject: the area, department, or entity being audited.

Objective: determine the audit objective or purpose. Example: are you going to audit the source code, a firewall service, or a security policy?

Scope: typically associated with scope is how much time you are going to take for this audit.

Pre-audit planning: identifying the needs.

Page 10: Auditing


AUDIT PLANNING

Gather Information

Identify Stated Components

Assess Risk

Perform Risk Analysis

Conducting Internal Control Review

Set Audit Scope and Objectives

Develop Auditing Strategy

Assign Resources

Page 11: Auditing


Audit Classifications

Financial

Operational

Integrated

Administrative

Info Systems

Specialized

Forensics

Page 12: Auditing


Security Policy

Security policies are a special type of documented business rule for protecting information and the systems which store and process the information.

Types of Policies

Regulatory: those enforced to meet legal compliance.

Advisory: define a required behavior, with sanctions.

Informative: policies that are not enforceable, but can be regulated.

Page 13: Auditing


Gather Information

Touring the key organization facilities

Looking at the physical infrastructure

Reading up on background material:

Publications from the industry

Annual reports

Semi-annual reports

Independent financial analysis reports

Short-term and long-term strategic plans

Interviewing key personnel: key decision makers, the CIO, key managers

Page 14: Auditing


Identify Stated Components

Understand business issues

Understand business needs

Review prior auditing reports if any

Assess Risk

Risk is the potential that a given threat will exploit vulnerabilities of an asset to cause loss or damage to the assets.

Page 15: Auditing


Risk Analysis

Technique for identifying and assessing factors that can harm a process or goal.

RA involves implementing preventative measures to avert the negative impact of incidents.

Assets at risk are of two types:

Physical assets: an item of economic, commercial or exchange value that has a tangible or material existence. Ex: physical location, physical assets.

Information assets: an information asset is a definable piece of information, stored in any manner, which is recognized as 'valuable' to the organization. Ex: IP and data.

Page 16: Auditing


Conducting Internal Control Review

There are two types of control evaluations:

Alternative Internal Control Review (AICR)

Internal Control Review (ICR)

AICRs and ICRs have the same goal: assessing a component's control system effectiveness.

AICRs and ICRs also share common elements. Both types of reviews consist of the following steps:

1. Identifying what might go wrong (risk)
2. Comparing control systems to the GAO control standards
3. Testing control techniques
4. Documenting the evaluation
5. Planning corrective actions
6. Reporting the results

Page 17: Auditing


Set Audit Scope and Objectives

Develop Auditing Strategy

Auditing Standards and is widely applied by auditing firms. The assessment of inherent and control risk as less than high and the performance of a lower level of substantive procedures involves considerable judgment and entails a degree of risk.

Independence

Staffing and training

Relationships

Due care

Planning, controlling and recording

Evaluation of internal control System

Reporting and follow up

Page 18: Auditing


Assign Resources

Achievable

Implemented

Long term Plans

Preliminary Access

Contingency Allowances

Page 19: Auditing


Auditing practically through some software

MBSA

Log Parser

Event Viewer

Event tracker

Group Policy Editor in Windows (gpedit.msc)

gpedit.msc is only in Windows 7 Ultimate, Professional (the old Business edition) and Enterprise editions, and not in the Windows 7 Home Premium or Basic editions.

Page 20: Auditing


gpedit.msc

• Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy
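The slides name Event Viewer, Log Parser and the gpedit.msc Audit Policy node but do not show what an auditor actually runs against them. The following PowerShell is an added example, not from the original deck or its author: it reads the effective audit policy with auditpol (the subcategory view of the Audit Policy node above) and reports the subcategories left at "No Auditing", then summarises failed-logon events from the Security log. It assumes an elevated PowerShell session on Windows 7 or later; the function names and the 24-hour window are my choices.

```powershell
# Added example, not from the original slides. Assumes an elevated PowerShell
# session on Windows 7 or later: auditpol.exe and the Security log need admin rights.

function Get-AuditPolicyGaps {
    # "auditpol /r" prints a CSV report with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # The subcategories are the fine-grained form of the categories shown under
    # Local Policies > Audit Policy in gpedit.msc.
    $rows = auditpol /get /category:* /r |
        Where-Object { $_ -and $_.Trim() -ne '' } |
        ConvertFrom-Csv

    # Anything still at "No Auditing" is a blind spot the audit report should call out.
    $rows |
        Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-FailedLogonSummary {
    param([int]$Hours = 24)

    $since = (Get-Date).AddHours(-$Hours)

    # Event ID 4625 is "An account failed to log on". It is only written when
    # failure auditing for logon events is enabled, which is why the policy check matters.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $since
    } -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $data['TargetUserName']
            Source  = $data['IpAddress']
            Status  = $data['Status']
        }
    } |
        Group-Object Account |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count
}

# Usage: list audit-policy blind spots, then the accounts with the most failed logons.
Get-AuditPolicyGaps              | Format-Table -AutoSize
Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
```

Running the two together shows the dependency the slides leave implicit: if the logon subcategories come back as "No Auditing", the second report is empty not because nothing failed but because nothing was recorded, and the finding belongs in the audit report as a configuration gap.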

Page 21: Auditing


Some Certification References

ISO 27001

CISA

CISSP

ISACA community https://www.isaca.org/

Hyderabad Chapter http://isaca.org.in/

CISSP ISC2 https://www.isc2.org

GSNA

GIAC Systems and Network Auditor http://www.giac.org/certifications/audit/gsna.php

Page 22: Auditing


CISSP GUIDE

Google

Wikipedia

References == Google