IT Audit Methodologies
iCorpCo

IT Audit Methodologies
CobiT
BS 7799 - Code of Practice (CoP)
BSI - IT Baseline Protection Manual
ITSEC
Common Criteria (CC)

IT Audit Methodologies - URLs
CobiT: www.isaca.org
BS7799: www.bsi.org.uk/disc/
BSI: www.bsi.bund.de/gshb/english/menue.htm
ITSEC: www.itsec.gov.uk
CC: csrc.nist.gov/cc/

Main Areas of Use
IT Audits
Risk Analysis
Health Checks (Security Benchmarking)
Security Concepts
Security Manuals / Handbooks

Security Definition
Confidentiality
Integrity
  Correctness
  Completeness
Availability

CobiT
Governance, Control & Audit for IT
Developed by ISACA
Releases:
  CobiT 1: 1996 - 32 processes, 271 control objectives
  CobiT 2: 1998 - 34 processes, 302 control objectives

CobiT - Model for IT Governance
36 control models used as basis:
  Business control models (e.g. COSO)
  IT control models (e.g. DTI's CoP)
CobiT control model covers:
  Security (Confidentiality, Integrity, Availability)
  Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
  IT Resources (Data, Application Systems, Technology, Facilities, People)

CobiT - Framework

CobiT - Structure
4 domains:
  PO - Planning & Organisation: 11 processes (high-level control objectives)
  AI - Acquisition & Implementation: 6 processes (high-level control objectives)
  DS - Delivery & Support: 13 processes (high-level control objectives)
  M - Monitoring: 4 processes (high-level control objectives)

PO - Planning and Organisation
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organisation and Relationships
PO 5 Manage the IT Investment
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality

AI - Acquisition and Implementation
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes

DS - Delivery and Support
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations

M - Monitoring
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit

CobiT - IT Process Matrix
Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: People, Applications, Technology, Facilities, Data
IT Processes: matrix of the 34 processes against the information criteria and IT resources (embedded Excel table)

CobiT - Summary
Mainly used for IT audits, incl. security aspects
No detailed evaluation methodology described
Developed by international organisation (ISACA)
Up-to-date: Version 2 released in 1998
Only high-level control objectives described
Detailed IT control measures are not documented
Not very user friendly - learning curve!
Evaluation results not shown in graphic form

CobiT - Summary
May be used for self assessments
Useful aid in implementing IT control systems
No suitable basis to write security handbooks
CobiT package from ISACA: $ 100.--
3 parts freely downloadable from ISACA site
Software available from Methodware Ltd., NZ (www.methodware.co.nz)
CobiT Advisor 2nd edition: US$ 600.--

BS 7799 - CoP
Code of Practice for Information Security Management
Developed by UK DTI, BSI: British Standard
Releases:
  CoP: 1993
  BS 7799 Part 1: 1995
  BS 7799 Part 2: 1998
Certification & Accreditation scheme (c:cure)

BS 7799 - Security Baseline Controls
10 control categories
32 control groups
109 security controls
10 security key controls

BS 7799 - Control Categories
Information security policy
Security organisation
Assets classification & control
Personnel security
Physical & environmental security
Computer & network management

BS 7799 - Control Categories
System access control
Systems development & maintenance
Business continuity planning
Compliance

BS7799 - 10 Key Controls
Information security policy document
Allocation of information security responsibilities
Information security education and training
Reporting of security incidents
Virus controls

BS7799 - 10 Key Controls
Business continuity planning process
Control of proprietary software copying
Safeguarding of organizational records
Data protection
Compliance with security policy

BS7799 - Summary
Main use: Security Concepts & Health Checks
No evaluation methodology described
British Standard, developed by UK DTI
Certification scheme in place (c:cure)
BS7799, Part 1, 1995 is being revised in 1999
Lists 109 ready-to-use security controls
No detailed security measures described
Very user friendly - easy to learn

BS7799 - Summary
Evaluation results not shown in graphic form
May be used for self assessments
BS7799, Part 1: £ 94.--
BS7799, Part 2: £ 36.--
BSI Electronic book of Part 1: £ 190.-- + VAT
Several BS7799 c:cure publications from BSI
CoP-iT software from SMH, UK: £ 349 + VAT (www.smhplc.com)

BSI (Bundesamt für Sicherheit in der Informationstechnik)
IT Baseline Protection Manual (IT-Grundschutzhandbuch)
Developed by German BSI (GISA: German Information Security Agency)
Releases:
  IT security manual: 1992
  IT baseline protection manual: 1995
  New versions (paper and CD-ROM): each year

BSI - Approach

BSI - Approach
Used to determine IT security measures for medium-level protection requirements
Straightforward approach, since a detailed risk analysis is not performed
Detailed protection measures are constructed from given building blocks, based on generic and platform-specific security requirements
The list of assembled security measures may be used to establish or enhance baseline protection

BSI - Structure
IT security measures: 7 areas, 34 modules (building blocks)
Safeguards catalogue: 6 categories of security measures
Threats catalogue: 5 categories of threats

BSI - Security Measures (Modules)
Protection for generic components
Infrastructure
Non-networked systems
LANs
Data transfer systems
Telecommunications
Other IT components

BSI - Generic Components
3.1 Organisation
3.2 Personnel
3.3 Contingency Planning
3.4 Data Protection

BSI - Infrastructure
4.1 Buildings
4.2 Cabling
4.3 Rooms
4.3.1 Office
4.3.2 Server Room
4.3.3 Storage Media Archives
4.3.4 Technical Infrastructure Room
4.4 Protective cabinets
4.5 Home working place

BSI - Non-Networked Systems
5.1 DOS PC (Single User)
5.2 UNIX System
5.3 Laptop
5.4 DOS PC (multiuser)
5.5 Non-networked Windows NT computer
5.6 PC with Windows 95
5.99 Stand-alone IT systems

BSI - LANs
6.1 Server-Based Network
6.2 Networked Unix Systems
6.3 Peer-to-Peer Network
6.4 Windows NT network
6.5 Novell Netware 3.x
6.6 Novell Netware version 4.x
6.7 Heterogeneous networks

BSI - Data Transfer Systems
7.1 Data Carrier Exchange
7.2 Modem
7.3 Firewall
7.4 E-mail

BSI - Telecommunications
8.1 Telecommunication system
8.2 Fax Machine
8.3 Telephone Answering Machine
8.4 LAN integration of an IT system via ISDN

BSI - Other IT Components
9.1 Standard Software
9.2 Databases
9.3 Telecommuting

BSI - Module "Data Protection" (3.4)
Threats - Technical failure:
  T 4.13 Loss of stored data
Security Measures - Contingency planning:
  S 6.36 Stipulating a minimum data protection concept
  S 6.37 Documenting data protection procedures
  S 6.33 Development of a data protection concept (optional)
  S 6.34 Determining the factors influencing data protection (optional)
  S 6.35 Stipulating data protection procedures (optional)
  S 6.41 Training data reconstruction
Security Measures - Organisation:
  S 2.41 Employees' commitment to data protection
  S 2.137 Procurement of a suitable data backup system
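The building-block approach described under "BSI - Approach" (pick the modules that match the IT components in scope, assemble the union of their safeguards, compare that list against what is already implemented) can be modelled directly, and the module shown on this slide gives enough data to try it. The Python below is an added example written for this transcript, not BSI's own tool or catalogue data: module 3.4 is populated from the threat and safeguard identifiers on this slide, while the second module (4.3.2 Server Room, with safeguards taken from the S1 list later in the deck), its threat, the inventory and the set of implemented safeguards are constructed assumptions for illustration. The gap analysis reports missing mandatory safeguards separately from optional ones, flags threats that stay uncovered while a mandatory safeguard is missing, and refuses an inventory entry for which the catalogue has no building block rather than silently skipping it.

```python
"""Baseline-protection gap analysis modelled on the building-block approach of
the IT Baseline Protection Manual. Added example, not BSI's tool: module 3.4
follows the slide; module 4.3.2, its threat and the inventory are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    sid: str            # safeguard identifier, e.g. "S 6.36"
    title: str
    optional: bool = False


@dataclass(frozen=True)
class Module:
    mid: str            # module (building block) number, e.g. "3.4"
    title: str
    threats: tuple      # (threat id, description) pairs the module addresses
    safeguards: tuple   # Safeguard objects the module prescribes


CATALOGUE = {
    # Module 3.4 "Data Protection": threat and safeguards as listed on the slide.
    "3.4": Module(
        "3.4", "Data Protection",
        threats=(("T 4.13", "Loss of stored data"),),
        safeguards=(
            Safeguard("S 6.36", "Stipulating a minimum data protection concept"),
            Safeguard("S 6.37", "Documenting data protection procedures"),
            Safeguard("S 6.33", "Development of a data protection concept", optional=True),
            Safeguard("S 6.34", "Determining the factors influencing data protection", optional=True),
            Safeguard("S 6.35", "Stipulating data protection procedures", optional=True),
            Safeguard("S 6.41", "Training data reconstruction"),
            Safeguard("S 2.41", "Employees' commitment to data protection"),
            Safeguard("S 2.137", "Procurement of a suitable data backup system"),
        ),
    ),
    # Module 4.3.2 "Server Room": the module and safeguard titles appear in the
    # deck; assigning these safeguards to the module and the threat are assumptions.
    "4.3.2": Module(
        "4.3.2", "Server Room",
        threats=(("T 1.x (placeholder)", "Fire"),),
        safeguards=(
            Safeguard("S 1.7", "Hand-held fire extinguishers"),
            Safeguard("S 1.10", "Use of safety doors"),
            Safeguard("S 1.18", "Intruder and fire detection devices"),
        ),
    ),
}


def assemble_safeguards(catalogue, inventory):
    """Union of the safeguards prescribed by every module in the inventory.

    A component with no matching building block cannot be covered by the
    baseline approach at all, so it is reported instead of silently skipped.
    """
    unknown = sorted(m for m in inventory if m not in catalogue)
    if unknown:
        raise KeyError(f"no building block in catalogue for module(s): {unknown}")
    merged = {}
    for mid in inventory:
        for sg in catalogue[mid].safeguards:
            prev = merged.get(sg.sid)
            # A safeguard that is mandatory in any selected module stays mandatory.
            if prev is None or (prev.optional and not sg.optional):
                merged[sg.sid] = sg
    return merged


def gap_analysis(catalogue, inventory, implemented):
    """Compare the assembled baseline against the safeguards already in place."""
    required = assemble_safeguards(catalogue, inventory)
    implemented = set(implemented)
    missing_mandatory = sorted(s for s, sg in required.items()
                               if not sg.optional and s not in implemented)
    missing_optional = sorted(s for s, sg in required.items()
                              if sg.optional and s not in implemented)
    # A threat counts as uncovered while any mandatory safeguard of a module
    # addressing it is still missing.
    uncovered = set()
    for mid in inventory:
        mod = catalogue[mid]
        if any(not sg.optional and sg.sid not in implemented for sg in mod.safeguards):
            uncovered.update(t for t, _ in mod.threats)
    return {
        "missing_mandatory": missing_mandatory,
        "missing_optional": missing_optional,
        "uncovered_threats": sorted(uncovered),
    }


if __name__ == "__main__":
    # Constructed inventory: a server room whose backup concept is half done.
    result = gap_analysis(CATALOGUE, ["3.4", "4.3.2"],
                          {"S 6.36", "S 6.41", "S 2.41", "S 1.7", "S 1.10", "S 1.18"})
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run as a script, the constructed inventory reports S 2.137 and S 6.37 as the missing mandatory safeguards, the three optional measures as missing optional ones, and T 4.13 as still uncovered, while the server room (all three assumed safeguards in place) contributes nothing to the gap list. Keeping mandatory and optional safeguards apart matters in practice: only the mandatory set defines the baseline the manual promises for medium-level protection requirements, and the "uncovered threats" list is what an audit would raise against the remaining gaps.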

BSI - Safeguards (420 safeguards)
S1 - Infrastructure (45 safeguards)
S2 - Organisation (153 safeguards)
S3 - Personnel (22 safeguards)
S4 - Hardware & Software (83 safeguards)
S5 - Communications (62 safeguards)
S6 - Contingency Planning (55 safeguards)

BSI - S1-Infrastructure (45 safeguards)
S 1.7 Hand-held fire extinguishers
S 1.10 Use of safety doors
S 1.17 Entrance control service
S 1.18 Intruder and fire detection devices
S 1.27 Air conditioning
S 1.28 Local uninterruptible power supply [UPS]
S 1.36 Safekeeping of data carriers before and after dispatch

BSI - Security Threats (209 threats)
T1 - Force Majeure (10 threats)
T2 - Organisational Shortcomings (58 threats)
T3 - Human Errors (31 threats)
T4 - Technical Failure (32 threats)
T5 - Deliberate Acts (78 threats)

BSI - T3-Human Errors (31 threats)
T 3.1 Loss of data confidentiality/integrity as a result of IT user error
T 3.3 Non-compliance with IT security measures
T 3.6 Threat posed by cleaning staff or outside staff
T 3.9 Incorrect management of the IT system
T 3.12 Loss of storage media during transfer
T 3.16 Incorrect administration of site and data access rights
T 3.24 Inadvertent manipulation of data
T 3.25 Negligent deletion of objects

BSI - Summary
Main use: Security concepts & manuals
No evaluation methodology described
Developed by German BSI (GISA)
Updated version released each year
Lists 209 threats & 420 security measures
34 modules cover generic & platform specific security requirements

BSI - Summary
User friendly with a lot of security details
Not suitable for security risk analysis
Results of security coverage not shown in graphic form
Manual in HTML format on BSI web server
Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
Paper copy of manual: DM 118.--
Software 'BSI Tool' (only in German): DM 515.--

ITSEC, Common Criteria
ITSEC: IT Security Evaluation Criteria
Developed by UK, Germany, France, Netherlands and based primarily on USA TCSEC (Orange Book)
Releases:
  ITSEC: 1991
  ITSEM: 1993 (IT Security Evaluation Manual)
  UK IT Security Evaluation & Certification scheme: 1994

ITSEC, Common Criteria
Common Criteria (CC)
Developed by USA, EC: based on ITSEC
ISO International Standard
Releases:
  CC 1.0: 1996
  CC 2.0: 1998
  ISO IS 15408: 1999

ITSEC - Methodology
Based on systematic, documented approach for security evaluations of systems & products
Open ended with regard to defined set of security objectives:
  ITSEC functionality classes, e.g. FC-C2
  CC protection profiles
Evaluation steps:
  Definition of functionality
  Assurance: confidence in functionality

ITSEC - Functionality
Security objectives (Why)
  Risk analysis (Threats, Countermeasures)
  Security policy
Security enforcing functions (What)
  technical & non-technical
Security mechanisms (How)
Evaluation levels

ITSEC - Assurance
Goal: Confidence in functions & mechanisms
Correctness
  Construction (development process & environment)
  Operation (process & environment)
Effectiveness
  Suitability analysis
  Strength of mechanism analysis
  Vulnerabilities (construction & operation)

CC - Security Concept

CC - Evaluation Goal

CC - Documentation
CC Part 1 - Introduction and Model:
  * Introduction to Approach
  * Terms and Model
  * Requirements for Protection Profiles (PP) and Security Targets (ST)
CC Part 2 - Functional Requirements:
  * Functional Classes
  * Functional Families
  * Functional Components
  * Detailed Requirements
CC Part 3 - Assurance Requirements:
  * Assurance Classes
  * Assurance Families
  * Assurance Components
  * Detailed Requirements
  * Evaluation Assurance Levels (EAL)

CC - Security Requirements
Functional Requirements - for defining security behaviour of the IT product or system:
  * implemented requirements become security functions
Assurance Requirements - for establishing confidence in security functions:
  * correctness of implementation
  * effectiveness in satisfying objectives

CC - Security Functional Classes
Class  Name
FAU    Audit
FCO    Communications
FCS    Cryptographic Support
FDP    User Data Protection
FIA    Identification & Authentication
FMT    Security Management
FPR    Privacy
FPT    Protection of TOE Security Functions
FRU    Resource Utilization
FTA    TOE (Target Of Evaluation) Access
FTP    Trusted Path / Channels

CC - Security Assurance Classes
Class  Name
ACM    Configuration Management
ADO    Delivery & Operation
ADV    Development
AGD    Guidance Documents
ALC    Life Cycle Support
ATE    Tests
AVA    Vulnerability Assessment
APE    Protection Profile Evaluation
ASE    Security Target Evaluation
AMA    Maintenance of Assurance

CC - Evaluation Assurance Levels (EALs)
EAL   TCSEC*  Name
EAL1  -       Functionally Tested
EAL2  C1      Structurally Tested
EAL3  C2      Methodically Tested & Checked
EAL4  B1      Methodically Designed, Tested & Reviewed
EAL5  B2      Semiformally Designed & Tested
EAL6  B3      Semiformally Verified Design & Tested
EAL7  A1      Formally Verified Design & Tested
*TCSEC = "Trusted Computer System Evaluation Criteria" - "Orange Book"

ITSEC, CC - Summary
Used primarily for security evaluations and not for generalized IT audits
Defines evaluation methodology
Based on International Standard (ISO 15408)
Certification scheme in place
Updated & enhanced on a yearly basis
Includes extensible standard sets of security requirements (Protection Profile libraries)

ITSEC, CC - Summary
Allows the confidence level in planned or implemented security to be determined
Evaluation results not shown in graphic form
Not very user friendly - learning curve!
Detailed documentation in electronic PDF format freely available on web server

Comparison of Methods - Criteria
Standardisation
Independence
Certifiability
Applicability in practice
Adaptability

Comparison of Methods - Criteria
Extent of Scope
Presentation of Results
Efficiency
Update frequency
Ease of Use

Comparison of Methods - Results
Criterion                   CobiT  BS 7799  BSI  ITSEC/CC
Standardisation             3.4    3.3      3.1  3.9
Independence                3.3    3.6      3.5  3.9
Certifiability              2.7    3.3      3.0  3.7
Applicability in practice   2.8    3.0      3.1  2.5
Adaptability                3.3    2.8      3.3  3.0
Extent of Scope             3.1    2.9      2.7  2.6
Presentation of Results     1.9    2.2      2.6  1.7
Efficiency                  3.0    2.8      3.0  2.5
Update frequency            3.1    2.4      3.4  2.8
Ease of Use                 2.3    2.7      2.8  2.0
Scores between 1 (low) and 4 (high). Scores for CobiT, BS7799 and BSI from ISACA Swiss chapter; scores for ITSEC/CC from H.P. Winiger.

CobiT - Assessment

BS 7799 - Assessment

BSI - Assessment

ITSEC/CC - Assessment

Use of Methods for IT Audits
CobiT: Audit method for all IT processes
ITSEC, CC: Systematic approach for evaluations
BS7799, BSI: List of detailed security measures to be used as best practice documentation
What is needed in addition:
  Audit concept (general aspects, infrastructure audits, application audits)
  Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)