Is Security Audit


  • 7/26/2019 Is Security Audit

    1/52

    IT Security Auditing

    2/52

    Topics

    Defining IT Audit
    Risk Analysis
    Internal Controls
    Steps of an IT Audit
    Preparing to be Audited
    Auditing IT Applications
    Who is an auditor

    3/52

    What is IT Audit (informal)?

    Say what you do
    Do what you say
    Evidence

    4/52

    Defining IT Security Audit

    IT Audit: an independent assessment of an organization's internal policies, controls, and activities. You use an audit to assess the presence and effectiveness of IT controls and to ensure that those controls are compliant with stated policies. In addition, audits provide reasonable assurance that organizations are compliant with applicable regulations and other industry requirements.

    Addresses the risk exposures within IT systems and assesses the controls and integrity of information systems.

    Shouldn't be confused with penetration testing: a pen test is a very narrowly focused attempt to look for security holes in a critical resource, such as a firewall or webserver.

    5/52

    Audit Charter

    Audit charter (or engagement letter):
    Stating management's responsibility and objectives for, and delegation of authority to, the IT audit function
    Outlining the overall authority, scope and responsibilities of the audit function

    6/52

    Scope of IT Audit

    The scope of an IT audit often varies, but can involve any combination of the following:

    Organizational: Examines the management control over IT and related programs, policies, and processes
    Compliance: Pertains to ensuring that specific guidelines, laws, or requirements have been met
    Application: Involves the applications that are strategic to the organization, for example those typically used by finance and operations
    Technical: Examines the IT infrastructure and data communications

    7/52

    Questions to be asked

    Are passwords difficult to crack?
    Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
    Are there audit logs to record who accesses data? Are the audit logs reviewed?
    Are the security settings for operating systems in accordance with accepted industry security practices?
    Have all unnecessary applications and computer services been eliminated for each system?
    Are these operating systems and commercial applications patched to current levels?
    How is backup media stored? Who has access to it? Is it up-to-date?
    Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
    Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
    Have custom-built applications been written with security in mind? How have these custom applications been tested for security flaws?
    How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?

    8/52

    IT Security audit program goals

    Provide an objective and independent review of an organization's policies, information systems, and controls
    Provide reasonable assurance that appropriate and effective IT controls are in place
    Provide audit recommendations for both corrective actions and improvement to controls

    9/52

    Risk Analysis

    Where is the risk?
    How significant is the risk?

    10/52

    Risk analysis (cont)

    Threat profile - what threats or risks will affect the asset?
    Threat probability - what is the likelihood of the threats happening?
    Threat consequence - what impact or effect would the loss of the asset have on the operation of the organization or its personnel?

    Threats + Impact + Likelihood = Risk

    11/52

    Threat list (examples)

    Computer and network passwords: Is there a log of all people with passwords (and what type)? How secure is this ACL list, and how strong are the passwords currently in use?
    Physical assets: Can computers or laptops be picked up and removed from the premises by visitors or even employees?
    Data backups: What backups of virtual assets exist, how are they backed up, where are the backups kept, and who conducts the backups?
    Logging of data access: Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?
    Access to sensitive customer data, e.g., credit card info: Who has access? How can access be controlled? Can this information be accessed from outside the company premises?
    Access to client lists: Does the website allow backdoor access into the client database? Can it be hacked?
    Long-distance calling: Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?
    Emails: Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them?

    12/52

    Risk Analysis (cont)

    From the IT auditor's perspective, risk analysis serves more than one purpose:

    It assists the IT auditor in identifying risks and threats to an IT environment and IT system (risks and threats that would need to be addressed by management) and in identifying system-specific internal controls. Depending on the level of risk, this assists the IT auditor in selecting certain areas to examine.
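    As an added example that is not part of the original slides, the following Python applies the formula from the earlier risk-analysis slide (Threats + Impact + Likelihood = Risk) to a constructed risk register and then uses the resulting rating to pick the areas to examine, the selection step this slide describes. The 1..5 scoring scales, the rating bands and the sample register entries are assumptions made for the example, not values from the slides.

```python
"""Risk register scoring and audit-area selection.

Added example (not from the original slides). It applies the slide's
formula, Threats + Impact + Likelihood = Risk, to a constructed register
and picks the areas an auditor would examine first. The 1..5 scales,
the rating bands and the sample register are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatEntry:
    asset: str          # the asset the threat applies to
    threat: str         # threat profile: what could affect the asset
    threat_level: int   # how serious the threat is, 1 (low) .. 5 (high)
    likelihood: int     # threat probability, 1 (rare) .. 5 (almost certain)
    impact: int         # threat consequence on operations, 1 .. 5


def risk_score(entry: ThreatEntry) -> int:
    """Risk = Threats + Impact + Likelihood, as stated on the slide.

    Each factor must be on the assumed 1..5 scale; anything else is a
    scoring error and is rejected rather than silently skewing the ranking.
    """
    for name, value in (("threat_level", entry.threat_level),
                        ("likelihood", entry.likelihood),
                        ("impact", entry.impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} for {entry.asset!r} must be 1..5, got {value}")
    return entry.threat_level + entry.impact + entry.likelihood


def risk_rating(score: int) -> str:
    """Map a 3..15 score onto rating bands (band boundaries are assumed)."""
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_register(register: list[ThreatEntry]) -> list[tuple[str, str, int, str]]:
    """Return (asset, threat, score, rating) rows, highest risk first."""
    scored = [(e.asset, e.threat, risk_score(e), risk_rating(risk_score(e)))
              for e in register]
    return sorted(scored, key=lambda row: (-row[2], row[0], row[1]))


def select_audit_areas(register: list[ThreatEntry],
                       minimum_rating: str = "Medium") -> list[str]:
    """Assets carrying at least one threat at or above the chosen rating.

    This is the "depending on the level of risk, select certain areas to
    examine" step: the auditor scopes detailed testing to these assets.
    """
    order = {"Low": 0, "Medium": 1, "High": 2}
    chosen = {asset for asset, _, _, rating in rank_register(register)
              if order[rating] >= order[minimum_rating]}
    return sorted(chosen)


# Constructed sample register, loosely following the slide's threat list.
SAMPLE_REGISTER = [
    ThreatEntry("Customer database", "external access via web application", 4, 3, 5),
    ThreatEntry("Customer database", "weak passwords on DB accounts", 3, 4, 5),
    ThreatEntry("Laptops", "removed from premises by visitor", 3, 2, 3),
    ThreatEntry("Backups", "tapes stored unencrypted off site", 2, 2, 4),
    ThreatEntry("Long-distance calling", "unrestricted toll calls", 1, 3, 1),
]

if __name__ == "__main__":
    for asset, threat, score, rating in rank_register(SAMPLE_REGISTER):
        print(f"{rating:<6} {score:>2}  {asset}: {threat}")
    print("Areas to examine:", select_audit_areas(SAMPLE_REGISTER))
```

    The register keeps one row per threat rather than one per asset, so an asset with several weak points is examined if any one of them scores high enough; the additive formula is taken from the slide as given, so a low-likelihood but high-impact threat still lands in the Medium band.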

    13/52

    Risk Analysis (cont)

    It helps the IT auditor in his/her evaluation of controls in audit planning
    It assists the IT auditor in determining audit objectives
    It supports risk-based audit decision making

    Part of audit planning:
    Helps identify risks and vulnerabilities
    The IT auditor can determine the controls needed to mitigate those risks

    14/52

    Risk Analysis (cont)

    IT auditors must be able to:

    15/52

    Risk Analysis (cont)

    In analyzing the business risks arising from the use of IT, it is important for the IT auditor to have a clear understanding of:

    The purpose and nature of the business, the environment in which the business operates and related business risks
    The dependence on technology and related dependencies that process and deliver business information
    The business risks of using IT and related dependencies and how they impact the achievement of the business goals and objectives
    A good overview of the business processes and the impact of IT and related risks on the business process objectives

    16/52

    Risk Analysis (cont)

    17/52

    Internal Controls

    Policies, procedures, practices and organizational structures implemented to reduce risks

    Classification of internal controls:
    Preventive controls
    Detective controls
    Corrective controls

    18/52

    Internal Controls (continued)

    19/52

    Internal Control Objectives

    Internal control objectives:
    Safeguarding of IT assets
    Compliance with corporate policies or legal requirements
    Input
    Authorization
    Accuracy and completeness of processing of data input/transactions
    Output
    Reliability of process

    20/52

    Steps of An IT Audit

    1. Planning Phase
    2. Testing Phase
    3. Reporting Phase

    Ideally it's a continuous cycle
    Again, not always the case

    21/52

    Planning Phase

    Defining the Scope of Your Audit

    Security Perimeter
    The security perimeter is both a conceptual and physical boundary within which your security audit will focus, and outside of which your audit will ignore

    22/52

    Example Asset list

    Computers and laptops
    Routers and networking equipment
    Printers
    Cameras, digital or analog, with company-sensitive photographs
    Data - sales, customer information, employee information
    Company smartphones / PDAs
    VoIP phones, IP P

    23/52

    Planning Phase Outcome

    Entry Meeting
    Define Scope
    Learn Controls
    Historical Incidents
    Past Audits
    Site Survey
    Review Current Policies
    Questionnaires
    Define Objectives
    Develop Audit Plan / Checklist


    25/52

    Testing Phase

    Meet With Site Managers
    What data will be collected
    How/when will it be collected
    Site employee involvement
    Get questions answered

    26/52

    Testing Phase (cont)

    Data Collection

    27/52

    Procedures for Testing and Evaluating IT Controls

    Use of generalized audit software to survey the contents of data files
    Use of specialized software to assess the contents of operating system parameter files
    Flow-charting techniques for documenting automated applications and business processes
    Use of audit reports available in operating systems
    Documentation review
    Observation

    28/52

    Testing Assets (example)

    Computer and network passwords: Is there a log of all people with passwords (and what type)? How secure is this ACL list, and how strong are the passwords currently in use?
    Physical assets: Can computers or laptops be picked up and removed from the premises by visitors or even employees?
    Records of physical assets: Do they exist? Are they backed up?
    Data backups: What backups of virtual assets exist, how are they backed up, where are the backups kept (onsite and/or offsite), and who conducts the backups?
    Logging of data access: Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?
    Access to sensitive customer data, e.g., credit card info: Who has access? How can access be controlled? Can this information be accessed from outside the company premises?
    Access to client lists: Does the website allow backdoor access into the client database? Can it be hacked?
    Long-distance calling: Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?
    Emails: Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them?
    Past Due Diligence / Predicting the Future: Checking past security threat trends and predicting future ones

    29/52

    Reporting Phase

    Exit Meeting - Short Report
    Immediate problems
    Questions & answers for site managers
    Preliminary findings

    IS auditors should be aware that, ultimately, they are responsible to senior management and the audit committee of the board of directors. IS auditors should feel free to communicate issues or concerns to such management.

    30/52

    Reporting Phase (cont)

    Long Report After Going Through Data
    Intro defining objectives/scope
    How data was collected
    Summary of problems (table format)
    Historical data (if available)
    Ratings
    Fixes
    Page number where the in-depth description is

    31/52

    Reporting Phase (cont)

    In-depth description of problem
    How problem was discovered
    Fix (in detail)
    Industry standards (if available)
    Glossary of terms
    References

    Note: The above varies depending on where you work

    32/52

    Reporting Phase (cont)

    Audit report structure and contents:
    An introduction to the report
    Audit findings presented in separate sections
    The IS auditor's overall conclusion and opinion
    The IS auditor's reservations with respect to the audit
    Detailed audit findings and recommendations
    Materiality of findings

    33/52

    Audit Documentation

    Audit documentation includes:
    Planning and preparation of the audit scope and objectives
    Description of the scoped audit area
    Audit program
    Audit steps performed and evidence gathered
    Other experts used
    Audit findings, conclusions and recommendations

    34/52

    Example Audit checklist

    "An Auditor's Checklist for Performing a Perimeter Audit of on"

    35/52

    Implementation of Recommendations

    Auditing is an ongoing process
    Timing of follow-up

    36/52

    Preparing To

    37/52

    Application Audit

    An assessment whose scope focuses on a narrow but

    38/52

    Application Audit (cont)

    1. Administration
    2. Inputs, Processing, Outputs
    3. Logical Security
    4. Disaster Recovery Plan
    5. Change Management
    6. User Support
    7. Third Party Services
    8. General Controls

    39/52

    Application Audit - Administration

    Probably the most important area of the audit, because this area focuses on the overall ownership and accountability of the application
    Roles & Responsibilities - development, change approval, access authorization
    Legal or regulatory compliance issues

    40/52

    Application Audit - Inputs, Processing, Outputs

    Looking for evidence of data preparation procedures, reconciliation processes, handling requirements, etc.
    Run test transactions against the application
    Includes who can enter input and see output
    Retention of output and its destruction

    41/52

    Application Audit - Logical Security

    Looking at user creation and authorization as governed by the application itself
    User ID linked to a real person
    Number of allowable unsuccessful log-on attempts
    Minimum password length
    Password expiration
    Password re-use ability
    SQL injection
    XSS attacks
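    The "specialized software to assess the contents of operating system parameter files" listed under the testing procedures and the password-related items on this slide can be exercised together. The following Python is an added example, not code from the original slides: it parses a constructed parameter file, compares each value against an assumed audit baseline for minimum password length, expiration, re-use prevention and allowable failed log-ons, and reports every item as PASS, FAIL or MISSING so that an absent setting becomes a finding instead of a silent pass. The key names, the thresholds and the sample file are assumptions made for this example; on real systems these settings are spread across files such as /etc/login.defs and the PAM configuration.

```python
"""Check a constructed OS parameter file against the logical-security checklist.

Added example, not from the original slides. The parameter file, its key
names and the thresholds are constructed/assumed for this example (real
systems split these settings across /etc/login.defs and PAM configuration).
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed parameter file. Comments and blank lines must be tolerated,
# and a missing key must surface as a finding rather than pass silently.
SAMPLE_PARAMS = """\
# constructed login policy parameters
PASS_MIN_LEN      6
PASS_MAX_DAYS     99999   # never expires
LOGIN_RETRIES     10
# PASSWORD_HISTORY is deliberately absent
"""


def parse_params(text: str) -> dict[str, str]:
    """Parse 'KEY VALUE' lines, ignoring comment lines and trailing '# ...' notes."""
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: nothing to evaluate
        params[parts[0]] = parts[1].strip()
    return params


@dataclass(frozen=True)
class Check:
    key: str                       # parameter name (assumed for this example)
    description: str               # the checklist item it corresponds to
    expected: str                  # human-readable baseline for the report
    passes: Callable[[int], bool]  # baseline test on the numeric value


@dataclass(frozen=True)
class Finding:
    key: str
    status: str                    # "PASS", "FAIL" or "MISSING"
    observed: Optional[str]
    expected: str
    description: str


# Assumed baseline thresholds for the slide's logical-security items.
CHECKS = [
    Check("PASS_MIN_LEN", "Minimum password length", ">= 12", lambda v: v >= 12),
    Check("PASS_MAX_DAYS", "Password expiration", "<= 365 days", lambda v: v <= 365),
    Check("LOGIN_RETRIES", "Allowable unsuccessful log-on attempts", "<= 5", lambda v: v <= 5),
    Check("PASSWORD_HISTORY", "Password re-use prevention", ">= 5 remembered", lambda v: v >= 5),
]


def evaluate(params: dict[str, str], checks: list[Check] = CHECKS) -> list[Finding]:
    """Produce one finding per check; absent or non-numeric values are MISSING."""
    findings = []
    for check in checks:
        observed = params.get(check.key)
        if observed is None or not observed.lstrip("-").isdigit():
            status = "MISSING"
        else:
            status = "PASS" if check.passes(int(observed)) else "FAIL"
        findings.append(Finding(check.key, status, observed, check.expected, check.description))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts per status: the numbers that feed the report's summary table."""
    counts = {"PASS": 0, "FAIL": 0, "MISSING": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    results = evaluate(parse_params(SAMPLE_PARAMS))
    for f in results:
        print(f"{f.status:<7} {f.key:<17} observed={f.observed!r:<10} "
              f"expected {f.expected}  ({f.description})")
    print(summarize(results))
```

    Each finding carries the observed value, the expected baseline and the checklist wording, which is exactly what the long report's problem table and the in-depth description need; treating an unparseable or absent value as MISSING rather than PASS is the part most home-grown checkers get wrong.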

    42/52

    Application Audit - Disaster Recovery Plan

    Looking for an adequate and performable disaster recovery plan that will allow the application to be recovered in a reasonable amount of time after a disaster

    43/52

    Application Audit - Change Management

    Examines the process changes to an application go through
    Process is documented, adequate and followed
    Who is allowed to request a change, approve a change and make the change
    Change is tested and doesn't break compliance (determined in Administration) before being placed into production

    44/52

    Application Audit - User Support

    One of the most overlooked aspects of an application
    User documentation (manuals, online help, etc.) - available & up to date
    User training - productivity, proper use, security
    Process for user improvement requests

    45/52

    Application Audit - Third Party Services

    Look at the controls around any 3rd party services that are required to meet business objectives for the application or system
    Liaison to 3rd party vendor
    Review contract agreement
    SAS (Statement on Auditing Standards) No. 70 - service organizations disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format

    46/52

    Application Audit - General Controls

    Examining the environment the application exists within that affects the application
    System administration / operations
    Organizational logical security
    Physical security
    Organizational disaster recovery plans
    Organizational change control process
    License control processes
    Virus control procedures

    47/52

    Who is an IT Auditor

    Accountant raised to a CS major, or a CPA, CISA, CISM, networking, hardware, software, information assurance, cryptography
    Someone who knows everything an accountant does plus everything a

    48/52

    CISA? CISM?

    CISA - Certified Information Systems Auditor
    CISM - Certified Information Systems Manager - new
    www.isaca.org (Information Systems Audit and Control Organization)
    Teaching financial auditors to talk to CS people

    49/52

    CISA

    Min of 5 years of IT auditing, control or security work experience
    Code of professional ethics
    Adhering to IT auditing standards

    Exam topics:
    1. Management, Planning, and Organization of IS
    2. Technical Infrastructure and Operational Practices
    3. Protection of Information Assets

    50/52

    CISA (cont)

    Exam topics (cont):
    Disaster Recovery and

    51/52

    CISM

    Next step above CISA

    Exam topics:
    1. Information Security Governance
    2. Risk Management
    3. Information Security Program Management
    4. Information Security Management
    5. Response Management
