IT Audit Methodologies

1iCorpCo

IT Audit Methodologies


CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC Common Criteria (CC)

2iCorpCo


IT Audit Methodologies - URLs

CobiT: www.isaca.org BS7799: www.bsi.org.uk/disc/ BSI: www.bsi.bund.de/gshb/english/menue.htm ITSEC: www.itsec.gov.uk CC: csrc.nist.gov/cc/

3iCorpCo


Main Areas of Use

IT Audits Risk Analysis Health Checks (Security Benchmarking) Security Concepts Security Manuals / Handbooks

4iCorpCo


Security Definition

Confidentiality Integrity

Correctness Completeness

Availability

5iCorpCo


CobiT

Governance, Control & Audit for IT Developed by ISACA Releases

CobiT 1: 199632 Processes271 Control Objectives

CobiT 2: 199834 Processes302 Control Objectives

6iCorpCo


CobiT - Model for IT Governance 36 Control models used as basis:

Business control models (e.g. COSO) IT control models (e.g. DTI‘s CoP)

CobiT control model covers: Security (Confidentiality, Integrity, Availability) Fiduciary (Effectiveness, Efficiency, Compliance,

Reliability of Information) IT Resources (Data, Application Systems,

Technology, Facilities, People)

7iCorpCo


CobiT - Framework

8iCorpCo


CobiT - Structure

4 Domains PO - Planning & Organisation

11 processes (high-level control objectives) AI - Acquisition & Implementation

6 processes (high-level control objectives) DS - Delivery & Support

13 processes (high-level control objectives) M - Monitoring

4 processes (high-level control objectives)

9iCorpCo


PO - Planning and Organisation PO 1 Define a Strategic IT Plan PO 2 Define the Information Architecture PO 3 Determine the Technological Direction PO 4 Define the IT Organisation and Relationships PO 5 Manage the IT Investment PO 6 Communicate Management Aims and Direction PO 7 Manage Human Resources PO 8 Ensure Compliance with External Requirements PO 9 Assess Risks PO 10 Manage Projects PO 11 Manage Quality

10iCorpCo


AI - Acquisition and Implementation

AI 1 Identify Solutions AI 2 Acquire and Maintain Application Software AI 3 Acquire and Maintain Technology Architecture AI 4 Develop and Maintain IT Procedures AI 5 Install and Accredit Systems AI 6 Manage Changes

11iCorpCo


DS - Delivery and Support DS 1 Define Service Levels DS 2 Manage Third-Party Services DS 3 Manage Performance and Capacity DS 4 Ensure Continuous Service DS 5 Ensure Systems Security DS 6 Identify and Attribute Costs DS 7 Educate and Train Users DS 8 Assist and Advise IT Customers DS 9 Manage the Configuration DS 10 Manage Problems and Incidents DS 11 Manage Data DS 12 Manage Facilities DS 13 Manage Operations

12iCorpCo


M - Monitoring

M 1 Monitor the Processes M 2 Assess Internal Control Adequacy M 3 Obtain Independent Assurance M 4 Provide for Independent Audit

13iCorpCo


CobiT - IT Process Matrix

Information Criteria Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability

IT Resources People Applications Technology Facilities Data

IT ProcessesMicrosoft Excel-Tabelle

14iCorpCo


CobiT - Summary Mainly used for IT audits, incl. security aspects No detailed evaluation methodology described Developed by international organisation (ISACA) Up-to-date: Version 2 released in 1998 Only high-level control objectives described Detailed IT control measures are not documented Not very user friendly - learning curve! Evaluation results not shown in graphic form

15iCorpCo


CobiT - Summary

May be used for self assessments Useful aid in implementing IT control systems No suitable basis to write security handbooks CobiT package from ISACA: $ 100.-- 3 parts freely downloadable from ISACA site Software available from Methodware Ltd., NZ

(www.methodware.co.nz)

CobiT Advisor 2nd edition: US$ 600.--

16iCorpCo


BS 7799 - CoP

Code of Practice for Inform. Security Manag. Developed by UK DTI, BSI: British Standard Releases

CoP: 1993 BS 7799: Part 1: 1995 BS 7799: Part 2: 1998

Certification & Accreditation scheme (c:cure)

17iCorpCo


BS 7799 - Security Baseline Controls

10 control categories 32 control groups 109 security controls 10 security key controls

18iCorpCo


BS 7799 - Control Categories

Information security policy Security organisation Assets classification & control Personnel security Physical & environmental security Computer & network management

19iCorpCo


BS 7799 - Control Categories

System access control Systems development & maintenance Business continuity planning Compliance

20iCorpCo


BS7799 - 10 Key Controls

Information security policy document Allocation of information security

responsibilities Information security education and training Reporting of security incidents Virus controls

21iCorpCo


BS7799 - 10 Key Controls

Business continuity planning process Control of proprietary software copying Safeguarding of organizational records Data protection Compliance with security policy

22iCorpCo


BS7799 - Summary Main use: Security Concepts & Health Checks No evaluation methodology described British Standard, developed by UK DTI Certification scheme in place (c:cure) BS7799, Part1, 1995 is being revised in 1999 Lists 109 ready-to-use security controls No detailed security measures described Very user friendly - easy to learn

23iCorpCo


BS7799 - Summary

Evaluation results not shown in graphic form May be used for self assessments BS7799, Part1: £ 94.-- BS7799, Part2: £ 36.-- BSI Electronic book of Part 1: £ 190.-- +

VAT Several BS7799 c:cure publications from BSI CoP-iT software from SMH, UK: £349+VAT

(www.smhplc.com)

24iCorpCo


BSI (Bundesamt für Sicherheit in der Informationstechnik)

IT Baseline Protection Manual(IT- Grundschutzhandbuch )

Developed by German BSI (GISA: German Information Security Agency)

Releases: IT security manual: 1992 IT baseline protection manual: 1995 New versions (paper and CD-ROM): each year

25iCorpCo


BSI - Approach

26iCorpCo


BSI - Approach Used to determine IT security measures for

medium-level protection requirements Straight forward approach since detailed risk

analysis is not performed Based on generic & platform specific security

requirements detailed protection measures are constructed using given building blocks

List of assembled security measures may be used to establish or enhance baseline protection

27iCorpCo


BSI - Structure

IT security measures 7 areas 34 modules (building blocks)

Safeguards catalogue 6 categories of security measures

Threats catalogue 5 categories of threats

28iCorpCo


BSI - Security Measures (Modules)

Protection for generic components Infrastructure Non-networked systems LANs Data transfer systems Telecommunications Other IT components

29iCorpCo


BSI - Generic Components

3.1 Organisation

3.2 Personnel

3.3 Contingency Planning

3.4 Data Protection

30iCorpCo


BSI - Infrastructure 4.1 Buildings

4.2 Cabling

4.3 Rooms

4.3.1 Office

4.3.2 Server Room

4.3.3 Storage Media Archives

4.3.4 Technical Infrastructure Room

4.4 Protective cabinets

4.5 Home working place

31iCorpCo


BSI - Non-Networked Systems

5.1 DOS PC (Single User)

5.2 UNIX System

5.3 Laptop

5.4 DOS PC (multiuser)

5.5 Non-networked Windows NT computer

5.6 PC with Windows 95

5.99 Stand-alone IT systems

32iCorpCo


BSI - LANs

6.1 Server-Based Network

6.2 Networked Unix Systems

6.3 Peer-to-Peer Network

6.4 Windows NT network

6.5 Novell Netware 3.x

6.6 Novell Netware version 4.x

6.7 Heterogeneous networks

33iCorpCo


BSI - Data Transfer Systems

7.1 Data Carrier Exchange

7.2 Modem

7.3 Firewall

7.4 E-mail

34iCorpCo


BSI - Telecommunications

8.1 Telecommunication system

8.2 Fax Machine

8.3 Telephone Answering Machine

8.4 LAN integration of an IT system via ISDN

35iCorpCo


BSI - Other IT Components

9.1 Standard Software

9.2 Databases

9.3 Telecommuting

36iCorpCo


BSI - Module „Data Protection“ (3.4) Threats - Technical failure:

T 4.13 Loss of stored data Security Measures - Contingency planning:

S 6.36 Stipulating a minimum data protection concept S 6.37 Documenting data protection procedures S 6.33 Development of a data protection concept (optional) S 6.34 Determining the factors influencing data protection

(optional) S 6.35 Stipulating data protection procedures (optional) S 6.41 Training data reconstruction

Security Measures - Organisation:

S 2.41 Employees' commitment to data protection S 2.137 Procurement of a suitable data backup system

37iCorpCo


BSI - Safeguards (420 safeguards)

S1 - Infrastructure ( 45 safeguards) S2 - Organisation (153 safeguards) S3 - Personnel ( 22 safeguards) S4 - Hardware & Software ( 83 safeguards) S5 - Communications ( 62 safeguards) S6 - Contingency Planning ( 55 safeguards)

38iCorpCo


BSI - S1-Infrastructure (45 safeguards)

S 1.7 Hand-held fire extinguishers

S 1.10 Use of safety doors

S 1.17 Entrance control service

S 1.18 Intruder and fire detection devices

S 1.27 Air conditioning

S 1.28 Local uninterruptible power supply [UPS]

S 1.36 Safekeeping of data carriers before and after dispatch

39iCorpCo


BSI - Security Threats (209 threats)

T1 - Force Majeure (10 threats) T2 - Organisational Shortcomings (58

threats) T3 - Human Errors (31 threats) T4 - Technical Failure(32 threats) T5 - Deliberate acts (78 threats)

40iCorpCo


BSI - T3-Human Errors (31 threats)

T 3.1 Loss of data confidentiality/integrity as a result of IT user error

T 3.3 Non-compliance with IT security measures

T 3.6 Threat posed by cleaning staff or outside staff

T 3.9 Incorrect management of the IT system

T 3.12 Loss of storage media during transfer

T 3.16 Incorrect administration of site and data access rights

T 3.24 Inadvertent manipulation of data

T 3.25 Negligent deletion of objects

41iCorpCo


BSI - Summary

Main use: Security concepts & manuals No evaluation methodology described Developed by German BSI (GISA) Updated version released each year Lists 209 threats & 420 security measures 34 modules cover generic & platform specific

security requirements

42iCorpCo


BSI - Summary User friendly with a lot of security details Not suitable for security risk analysis Results of security coverage not shown in

graphic form Manual in HTML format on BSI web server Manual in Winword format on CD-ROM

(first CD free, additional CDs cost DM 50.-- each)

Paper copy of manual: DM 118.--

Software ‚BSI Tool‘ (only in German): DM 515.--

43iCorpCo


ITSEC, Common Criteria

ITSEC: IT Security Evaluation Criteria Developed by UK, Germany, France, Netherl.

and based primarily on USA TCSEC (Orange Book) Releases

ITSEC: 1991 ITSEM: 1993 (IT Security Evaluation Manual) UK IT Security Evaluation & Certification

scheme: 1994

44iCorpCo


ITSEC, Common Criteria

Common Criteria (CC) Developed by USA, EC: based on ITSEC ISO International Standard Releases

CC 1.0: 1996 CC 2.0: 1998 ISO IS 15408: 1999

45iCorpCo


ITSEC - Methodology Based on systematic, documented approach for

security evaluations of systems & products Open ended with regard to defined set of

security objectives ITSEC Functionality classes; e.g. FC-C2 CC protection profiles

Evaluation steps: Definition of functionality Assurance: confidence in functionality

46iCorpCo


ITSEC - Functionality

Security objectives (Why) Risk analysis (Threats, Countermeasures) Security policy

Security enforcing functions (What) technical & non-technical

Security mechanisms (How) Evaluation levels

47iCorpCo


ITSEC - Assurance

Goal: Confidence in functions & mechanisms Correctness

Construction (development process & environment) Operation (process & environment)

Effectiveness Suitability analysis Strength of mechanism analysis Vulnerabilities (construction & operation)

48iCorpCo


CC - Security Concept

49iCorpCo


CC - Evaluation Goal

50iCorpCo


CC - Documentation

CC Part 3Assurance Requirements

CC Part 2Functional Requirements

CC Part 1Introduction and Model* Introduction to

Approach

* Terms and Model

* Requirements forProtection Profiles (PP)and Security Targets (ST)

* Functional Classes

* Functional Families

* FunctionalComponents

* Detailed Requirements

* Assurance Classes

* Assurance Families

* AssuranceComponents

* Detailed Requirements

* Evaluation AssuranceLevels (EAL)

51iCorpCo


CC - Security RequirementsCC - Security Requirements

Functional Requirements- for defining security behavior of the IT product or system:• implemented requirements become security functions

Assurance Requirements- for establishing confidence in Security Functions:• correctness of implementation• effectiveness in satisfying objectives

52iCorpCo


CC - Security Functional ClassesCC - Security Functional Classes

ClassFAUFCOFCSFDPFIAFMTFPRFPTFRUFTAFTP

NameAuditCommunicationsCryptographic SupportUser Data ProtectionIdentification & AuthenticationSecurity ManagementPrivacyProtection of TOE Security FunctionsResource UtilizationTOE (Target Of Evaluation) AccessTrusted Path / Channels

53iCorpCo


CC - Security Assurance ClassesCC - Security Assurance Classes

ClassACMADOADVAGDALCATEAVAAPEASEAMA

NameConfiguration ManagementDelivery & OperationDevelopmentGuidance DocumentsLife Cycle SupportTestsVulnerability AssessmentProtection Profile EvaluationSecurity Target EvaluationMaintenance of Assurance

54iCorpCo


CC - Eval. Assurance Levels (EALs)CC - Eval. Assurance Levels (EALs)

*TCSEC

C1C2B1B2B3A1

EALEAL1EAL2EAL3EAL4EAL5EAL6EAL7

NameFunctionally TestedStructurally TestedMethodically Tested & CheckedMethodically Designed, Tested & ReviewedSemiformally Designed & TestedSemiformally Verified Design & TestedFormally Verified Design & Tested

*TCSEC = “Trusted Computer Security Evaluation Criteria” --”Orange Book”

55iCorpCo


ITSEC, CC - Summary Used primarily for security evaluations and not

for generalized IT audits Defines evaluation methodology Based on International Standard (ISO 15408) Certification scheme in place Updated & enhanced on a yearly basis Includes extensible standard sets of security

requirements (Protection Profile libraries)

56iCorpCo


ITSEC, CC - Summary

Allows to determine confidence level in planned resp. implemented security

Evaluation results not shown in graphic form Not very user friendly - learning curve! Detailed documentation in electronic PDF

format freely available on web server

57iCorpCo


Comparison of Methods - Criteria

Standardisation Independence Certifiability Applicability in practice Adaptability

58iCorpCo


Comparison of Methods - Criteria

Extent of Scope Presentation of Results Efficiency Update frequency Ease of Use

59iCorpCo


Comparison of Methods - Results

CobiT BS 7799 BSI ITSEC/CCStandardisation 3.4 3.3 3.1 3.9Independence 3.3 3.6 3.5 3.9Certifyability 2.7 3.3 3.0 3.7Applicability in practice 2.8 3.0 3.1 2.5Adaptability 3.3 2.8 3.3 3.0Extent of Scope 3.1 2.9 2.7 2.6Presentation of Results 1.9 2.2 2.6 1.7Efficiency 3.0 2.8 3.0 2.5Update frequency 3.1 2.4 3.4 2.8Ease of Use 2.3 2.7 2.8 2.0Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger

60iCorpCo


CobiT - Assessment

61iCorpCo


BS 7799 - Assessment

62iCorpCo


BSI - Assessment

63iCorpCo


ITSEC/CC - Assessment

64iCorpCo


Use of Methods for IT Audits CobiT: Audit method for all IT processes ITSEC, CC: Systematic approach for evaluations BS7799, BSI: List of detailed security measures

to be used as best practice documentation Detailed audit plans, checklists, tools for

technical audits (operating systems, LANs, etc.) What is needed in addition:

Audit concept (general aspects, infrastructure audits, application audits)

IT Audit Methodologies

Documents

Transcript of IT Audit Methodologies