Is Security Audit
Transcript of Is Security Audit
-
7/26/2019 Is Security Audit
1/52
IT Security Auditing
-
Topics
Defining IT Audit
Risk Analysis
Internal Controls
Steps of an IT Audit
Preparing to be Audited
Auditing IT Applications
Who is an auditor
-
What is IT Audit (informal)
Say what you do
Do what you say
Evidence
-
Defining IT Security Audit
IT Audit: Independent assessment of an organization's internal policies, controls, and activities. You use an audit to assess the presence and effectiveness of IT controls and to ensure that those controls are compliant with stated policies. In addition, audits provide reasonable assurance that organizations are compliant with applicable regulations and other industry requirements.
Address the risk exposures within IT systems and assess the controls and integrity of information systems.
Shouldn't be confused with Penetration Testing: a pen test is a very narrowly focused attempt to look for security holes in a critical resource, such as a firewall or webserver.
-
Audit Charter
Audit charter (or engagement letter):
Stating management's responsibility and objectives for, and delegation of authority to, the IT audit function
Outlining the overall authority, scope and responsibilities of the audit function
-
Scope of IT Audit
The scope of an IT audit often varies, but can involve any combination of the following:
Organizational: Examines the management control over IT and related programs, policies, and processes
Compliance: Pertains to ensuring that specific guidelines, laws, or requirements have been met
Application: Involves the applications that are strategic to the organization, for example those typically used by finance and operations
Technical: Examines the IT infrastructure and data communications
-
1uestions to be asked
Are passwords difficult to crack?
Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
Are there audit logs to record who accesses data?
Are the audit logs reviewed?
Are the security settings for operating systems in accordance with accepted industry security practices?
Have all unnecessary applications and computer services been eliminated for each system?
Are these operating systems and commercial applications patched to current levels?
How is backup media stored? Who has access to it? Is it up-to-date?
Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
Have custom-built applications been written with security in mind?
How have these custom applications been tested for security flaws?
How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?
-
IT Security audit program goals
Provide an objective and independent review of an organization's policies, information systems, and controls
Provide reasonable assurance that appropriate and effective IT controls are in place
Provide audit recommendations for both corrective actions and improvement to controls
-
Risk Analysis
Where is the risk?
How significant is the risk?
-
Risk analysis (cont)
Threat profile - what threats or risks will affect the asset?
Threat probability - what is the likelihood of the threats happening?
Threat consequence - what impact or effect would the loss of the asset have on the operation of the organization or its personnel?
Threats + Impact + Likelihood = Risk
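The following is an added example, not part of the original slides: a small risk register that applies the three questions above (threat profile, probability, consequence) to a constructed list of threats and ranks them, so the auditor can pick the areas to examine. The asset names, ratings and the threshold are constructed for the example; it scores risk as likelihood × impact on a 1-3 ordinal scale, which is the example's own choice rather than the additive form the slide writes.

```python
from dataclasses import dataclass

# Ordinal rating scale used by this example (an assumption, not from the slides)
RATING = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Threat:
    asset: str        # the asset at risk
    profile: str      # threat profile: what could happen to the asset
    likelihood: str   # threat probability: low / medium / high
    impact: str       # threat consequence: low / medium / high

    def risk(self) -> int:
        # Example's scoring choice: likelihood x impact, range 1..9
        return RATING[self.likelihood] * RATING[self.impact]


def rank_threats(threats):
    """Order threats from highest to lowest risk score; ties sorted by asset name."""
    return sorted(threats, key=lambda t: (-t.risk(), t.asset))


def areas_to_examine(threats, threshold=4):
    """Assets whose highest-scoring threat reaches the threshold: where the audit should focus."""
    highest = {}
    for t in threats:
        highest[t.asset] = max(highest.get(t.asset, 0), t.risk())
    return sorted(asset for asset, score in highest.items() if score >= threshold)


# Constructed sample register (assets and ratings are illustrative)
SAMPLE = [
    Threat("customer database", "access to cardholder data from outside premises", "medium", "high"),
    Threat("backup media", "backup media lost or stored without protection", "medium", "high"),
    Threat("laptops", "removed from premises by visitors or employees", "high", "medium"),
    Threat("long-distance calling", "unrestricted toll calls", "high", "low"),
    Threat("printers", "queued jobs reprinted by unauthorized staff", "low", "low"),
]

if __name__ == "__main__":
    for t in rank_threats(SAMPLE):
        print(f"{t.risk():>2}  {t.asset:<22} {t.profile}")
    print("areas to examine:", areas_to_examine(SAMPLE))
```

With the constructed register, the three assets scoring 6 are selected for examination while the two low-scoring ones are not; raising the threshold narrows the scope, which is the planning decision the slide describes.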
-
Threat list (examples)
Computer and network passwords: Is there a log of all people with passwords (and what type)? How secure is this ACL list, and how strong are the passwords currently in use?
Physical assets: Can computers or laptops be picked up and removed from the premises by visitors or even employees?
Data backups: What backups of virtual assets exist, how are they backed up, where are the backups kept, and who conducts the backups?
Logging of data access: Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?
Access to sensitive customer data, e.g., credit card info: Who has access? How can access be controlled? Can this information be accessed from outside the company premises?
Access to client lists: Does the website allow backdoor access into the client database? Can it be hacked?
Long-distance calling: Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?
Emails: Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them?
-
Risk Analysis (cont)
From the IT auditor's perspective, risk analysis serves more than one purpose:
It assists the IT auditor in identifying risks and threats to an IT environment and IT system (risks and threats that would need to be addressed by management) and in identifying system-specific internal controls. Depending on the level of risk, this assists the IT auditor in selecting certain areas to examine.
-
Risk Analysis (cont)
It helps the IT auditor in his/her evaluation of controls in audit planning
It assists the IT auditor in determining audit objectives
It supports risk-based audit decision making
Part of audit planning
Helps identify risks and vulnerabilities
The IT auditor can determine the controls needed to mitigate those risks
-
Risk Analysis (cont)
IT auditors must be able to:
-
Risk Analysis (cont)
In analyzing the business risks arising from the use of IT, it is important for the IT auditor to have a clear understanding of:
The purpose and nature of business, the environment in which the business operates and related business risks
The dependence on technology and related dependencies that process and deliver business information
The business risks of using IT and related dependencies and how they impact the achievement of the business goals and objectives
A good overview of the business processes and the impact of IT and related risks on the business process objectives
-
Risk Analysis (cont)
-
Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks
Classification of internal controls:
Preventive controls
Detective controls
Corrective controls
-
Internal Controls (continued)
-
Internal Control Objectives
Internal control objectives:
Safeguarding of IT assets
Compliance to corporate policies or legal requirements
Input
Authorization
Accuracy and completeness of processing of data input/transactions
Output
Reliability of process
-
Steps of An IT Audit
1. Planning Phase
2. Testing Phase
3. Reporting Phase
Ideally it's a continuous cycle
Again, not always the case
-
Planning Phase
Defining the Scope of Your Audit
Security Perimeter
The security perimeter is both a conceptual and physical boundary within which your security audit will focus, and outside of which your audit will ignore.
-
Example Asset list
Computers and laptops
Routers and networking equipment
Printers
Cameras, digital or analog, with company-sensitive photographs
Data - sales, customer information, employee information
Company smartphones / PDAs
VoIP phones, IP P
-
Planning Phase Outcome
Entry Meeting
Define Scope
Learn Controls
Historical Incidents
Past Audits
Site Survey
Review Current Policies
Questionnaires
Define Objectives
Develop Audit Plan / Checklist
-
Testing Phase
Meet With Site Managers
What data will be collected
How/when will it be collected
Site employee involvement
Get questions answered
-
Testing Phase (cont)
Data Collection
-
Procedures for Testing and Evaluating IT Controls
Use of generalized audit software to survey the contents of data files
Use of specialized software to assess the contents of operating system parameter files
Flow-charting techniques for documenting automated applications and business process
Use of audit reports available in operating systems
Documentation review
Observation
-
Testing Assets (example)
Computer and network passwords: Is there a log of all people with passwords (and what type)? How secure is this ACL list, and how strong are the passwords currently in use?
Physical assets: Can computers or laptops be picked up and removed from the premises by visitors or even employees?
Records of physical assets: Do they exist? Are they backed up?
Data backups: What backups of virtual assets exist, how are they backed up, where are the backups kept (onsite and/or offsite), and who conducts the backups?
Logging of data access: Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?
Access to sensitive customer data, e.g., credit card info: Who has access? How can access be controlled? Can this information be accessed from outside the company premises?
Access to client lists: Does the website allow backdoor access into the client database? Can it be hacked?
Long-distance calling: Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?
Emails: Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them?
Past Due Diligence / Predicting the Future: Checking past security threat trends and predicting future ones
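Added example, not from the original slides: the "Logging of data access" and "Access to sensitive customer data" items above (and the same items in the earlier threat list) ask whether access is logged with who/what/when/where and whether sensitive data can be reached from outside the premises. This script reviews a constructed access log in that spirit: it parses the lines, summarizes who touched what, and raises a finding whenever a sensitive object is exported or accessed from an address outside the internal network. The log format, the internal network range and the set of sensitive objects are all assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not from the slides). Assumed line format:
# <ISO timestamp> user=<id> action=<read|write|export> object=<name> src=<ip>
SAMPLE_LOG = """\
2019-07-26T09:02:11 user=alice action=read object=client_list src=10.1.4.20
2019-07-26T09:05:43 user=bob action=export object=cardholder_data src=10.1.4.31
2019-07-26T21:17:09 user=bob action=read object=cardholder_data src=203.0.113.7
2019-07-26T21:19:55 user=svc_batch action=write object=sales_report src=10.1.9.5
2019-07-27T02:40:12 user=alice action=read object=client_list src=198.51.100.23
"""

# Company premises network and the objects treated as sensitive (example assumptions)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SENSITIVE = {"cardholder_data", "client_list"}


def parse_line(line):
    """Turn one log line into a record with who/what/when/where fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["when"] = datetime.fromisoformat(ts)
    rec["src"] = ipaddress.ip_address(rec["src"])
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def review(records):
    """Return (per-user access summary, findings) for the auditor's log review.

    A finding is a tuple (kind, user, object, when, src) where kind is
    "export" (sensitive data exported) or "external" (sensitive data reached
    from outside the premises).
    """
    summary = defaultdict(Counter)   # user -> object -> number of accesses
    findings = []
    for r in records:
        summary[r["user"]][r["object"]] += 1
        if r["object"] not in SENSITIVE:
            continue
        where = (r["user"], r["object"], r["when"].isoformat(), str(r["src"]))
        if r["action"] == "export":
            findings.append(("export",) + where)
        if not is_internal(r["src"]):
            findings.append(("external",) + where)
    return {user: dict(counts) for user, counts in summary.items()}, findings


if __name__ == "__main__":
    summary, findings = review(parse_log(SAMPLE_LOG))
    for user, objects in summary.items():
        print(user, objects)
    for f in findings:
        print("FINDING:", *f)
```

The summary answers the "who accessed what" question directly, and the findings list is what the auditor would take to the exit meeting; a real review would read the log from the system's own audit facility rather than an embedded string, but the evaluation logic is the same.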
-
Reporting Phase
Exit Meeting - Short Report
Immediate problems
Questions & answers for site managers
Preliminary findings
IS auditors should be aware that, ultimately, they are responsible to senior management and the audit committee of the board of directors. IS auditors should feel free to communicate issues or concerns to such management.
-
Reporting Phase (cont)
Long Report After Going Through Data
Intro defining objectives/scope
How data was collected
Summary of problems (table format)
Historical data (if available)
Ratings
Fixes
Page # where in-depth description is
-
Reporting Phase (cont)
In-depth description of problem
How problem was discovered
Fix (in detail)
Industry standards (if available)
Glossary of terms
References
Note: The above varies depending on where you work
-
Reporting Phase (cont)
Audit report structure and contents:
An introduction to the report
Audit findings presented in separate sections
The IS auditor's overall conclusion and opinion
The IS auditor's reservations with respect to the audit
Detailed audit findings and recommendations
Materiality of findings
-
Audit Documentation
Audit documentation includes:
Planning and preparation of the audit scope and objectives
Description on the scoped audit area
Audit program
Audit steps performed and evidence gathered
Other experts used
Audit findings, conclusions and recommendations
-
Example Audit checklist
"An Auditor's Checklist for Performing a Perimeter Audit of on"
-
Implementation of Recommendations
Auditing is an ongoing process
Timing of follow-up
-
Preparing To
-
Application Audit
An assessment whose scope focuses on a narrow but
-
Application Audit (cont)
1. Administration
2. Inputs, Processing, Outputs
3. Logical Security
4. Disaster Recovery Plan
5. Change Management
6. User Support
7. Third Party Services
8. General Controls
-
Application Audit - Administration
Probably the most important area of the audit, because this area focuses on the overall ownership and accountability of the application
Roles & Responsibilities - development, change approval, access authorization
Legal or regulatory compliance issues
-
Application Audit - Inputs, Processing, Outputs
Looking for evidence of data preparation procedures, reconciliation processes, handling requirements, etc.
Run test transactions against the application
Includes who can enter input and see output
Retention of output and its destruction
-
Application Audit - Logical Security
Looking at user creation and authorization as governed by the application itself
User ID linked to a real person
Number of allowable unsuccessful log-on attempts
Minimum password length
Password expiration
Password re-use ability
SQL injection
XSS attacks
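Added example, not from the original slides or any product: the Testing Phase slide lists "use of specialized software to assess the contents of operating system parameter files", and the Logical Security checklist above names the parameters worth assessing (lockout after unsuccessful log-on attempts, minimum password length, expiration, re-use). This script does both: it parses a constructed key = value parameter file, compares each parameter with a baseline, and also checks a constructed user list for IDs not linked to a real person. The file format, the parameter names, the baseline thresholds and the user records are all assumptions of the example, not values from any standard or from the slides.

```python
# Constructed sample parameter file (format and keys assumed for this example)
SAMPLE_PARAMS = """\
# application authentication parameters (constructed sample)
max_failed_logins = 0        # 0 means accounts are never locked out
min_password_length = 6
password_max_age_days = 90
password_history = 0         # 0 means old passwords may be re-used at once
"""

# Constructed user records: an empty owner means the ID is not linked to a real person
SAMPLE_USERS = [
    {"id": "jsmith", "owner": "John Smith"},
    {"id": "admin2", "owner": ""},
    {"id": "svc_report", "owner": "Reporting batch job (system account)"},
]

# Baseline the checker tests against. The thresholds are this example's
# assumptions; an auditor would substitute the organization's own policy.
BASELINE = {
    "max_failed_logins":     ("lockout after a limited number of unsuccessful log-on attempts", lambda v: 1 <= v <= 10),
    "min_password_length":   ("minimum password length",                                         lambda v: v >= 12),
    "password_max_age_days": ("password expiration",                                             lambda v: 1 <= v <= 90),
    "password_history":      ("password re-use prevented",                                       lambda v: v >= 5),
}


def parse_params(text):
    """Read 'key = value' lines, ignoring blank lines and '#' comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = int(value.strip())
    return params


def check_params(params):
    """Return findings as (parameter, observed value or 'not set', control description)."""
    findings = []
    for key, (description, acceptable) in BASELINE.items():
        if key not in params:
            findings.append((key, "not set", description))
        elif not acceptable(params[key]):
            findings.append((key, params[key], description))
    return findings


def unowned_user_ids(users):
    """User IDs that are not linked to a real person or a documented owner."""
    return [u["id"] for u in users if not u["owner"].strip()]


if __name__ == "__main__":
    for finding in check_params(parse_params(SAMPLE_PARAMS)):
        print("FINDING:", *finding)
    for user_id in unowned_user_ids(SAMPLE_USERS):
        print("FINDING: user ID without an owner:", user_id)
```

On the sample file the checker reports three parameter findings (no lockout, short minimum length, no re-use history) and accepts the 90-day expiration; a parameter that is absent from the file is reported as "not set" rather than silently treated as acceptable, which is the failure mode a checker of this kind most needs to avoid.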
-
Application Audit - Disaster Recovery Plan
Looking for an adequate and performable disaster recovery plan that will allow the application to be recovered in a reasonable amount of time after a disaster
-
Application Audit - Change Management
Examines the process changes to an application go through
Process is documented, adequate and followed
Who is allowed to make a request for a change, approve a change and make the change
Change is tested and doesn't break compliance (determined in Administration) before being placed into production
-
Application Audit - User Support
One of the most overlooked aspects of an application
User documentation (manuals, online help, etc.) - available & up to date
User training - productivity, proper use, security
Process for user improvement requests
-
Application Audit - Third Party Services
Look at the controls around any 3rd party services that are required to meet business objectives for the application or system
Liaison to 3rd party vendor
Review contract agreement
SAS (Statement on Auditing Standards) No. 70 - Service organizations disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format
-
Application Audit - General Controls
Examining the environment the application exists within that affects the application
System administration / operations
Organizational logical security
Physical security
Organizational disaster recovery plans
Organizational change control process
License control processes
Virus control procedures
-
Who is an IT Auditor
Accountant raised to a CS major or a CPA, CISA, CISM, Networking, Hardware, Software, Information Assurance, Cryptography
Someone who knows everything an accountant does plus everything a
-
CISA? CISM?
CISA - Certified Information Systems Auditor
CISM - Certified Information Systems Manager - new
www.isaca.org (Information Systems Audit and Control Organization)
Teaching financial auditors to talk to CS people
-
CISA
Min of 5 years of IT auditing, control or security work experience
Code of professional ethics
Adhering to IT auditing standards
Exam topics:
1. Management, Planning, and Organization of IS
2. Technical Infrastructure and Operational Practices
3. Protection of Information Assets
-
CISA (cont)
Exam topics: (cont)
Disaster Recovery and
-
CISM
Next step above CISA
Exam topics:
1. Information Security Governance
2. Risk Management
3. Information Security Program Management
4. Information Security Management
5. Response Management
-