IT-Audit Methodologies.ppt

Transcript of IT-Audit Methodologies.ppt (65 slides)

  • IT Audit Methodologies

  • IT Audit Methodologies
    CobiT
    BS 7799 - Code of Practice (CoP)
    BSI - IT Baseline Protection Manual
    ITSEC
    Common Criteria (CC)

    (Slide-master placeholder "Titelwiederholung des ersten Kapitels", i.e. repetition of the first chapter title; it appears on every slide and is not repeated below)

  • IT Audit Methodologies - URLs
    CobiT: www.isaca.org
    BS7799: www.bsi.org.uk/disc/
    BSI: www.bsi.bund.de/gshb/english/menue.htm
    ITSEC: www.itsec.gov.uk
    CC: csrc.nist.gov/cc/

  • Main Areas of Use
    IT Audits
    Risk Analysis
    Health Checks (Security Benchmarking)
    Security Concepts
    Security Manuals / Handbooks

  • Security Definition
    Confidentiality
    Integrity
      Correctness
      Completeness
    Availability

  • CobiT
    Governance, Control & Audit for IT
    Developed by ISACA
    Releases
      CobiT 1: 1996 - 32 processes, 271 control objectives
      CobiT 2: 1998 - 34 processes, 302 control objectives

  • CobiT - Model for IT Governance
    36 control models used as basis:
      Business control models (e.g. COSO)
      IT control models (e.g. the DTI's CoP)
    The CobiT control model covers:
      Security (Confidentiality, Integrity, Availability)
      Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
      IT Resources (Data, Application Systems, Technology, Facilities, People)

  • CobiT - Framework

  • CobiT - Structure
    4 Domains (34 processes = high-level control objectives):
      PO - Planning & Organisation: 11 processes
      AI - Acquisition & Implementation: 6 processes
      DS - Delivery & Support: 13 processes
      M - Monitoring: 4 processes

  • PO - Planning and Organisation
    PO 1 Define a Strategic IT Plan
    PO 2 Define the Information Architecture
    PO 3 Determine the Technological Direction
    PO 4 Define the IT Organisation and Relationships
    PO 5 Manage the IT Investment
    PO 6 Communicate Management Aims and Direction
    PO 7 Manage Human Resources
    PO 8 Ensure Compliance with External Requirements
    PO 9 Assess Risks
    PO 10 Manage Projects
    PO 11 Manage Quality

  • AI - Acquisition and Implementation
    AI 1 Identify Solutions
    AI 2 Acquire and Maintain Application Software
    AI 3 Acquire and Maintain Technology Architecture
    AI 4 Develop and Maintain IT Procedures
    AI 5 Install and Accredit Systems
    AI 6 Manage Changes

  • DS - Delivery and Support
    DS 1 Define Service Levels
    DS 2 Manage Third-Party Services
    DS 3 Manage Performance and Capacity
    DS 4 Ensure Continuous Service
    DS 5 Ensure Systems Security
    DS 6 Identify and Attribute Costs
    DS 7 Educate and Train Users
    DS 8 Assist and Advise IT Customers
    DS 9 Manage the Configuration
    DS 10 Manage Problems and Incidents
    DS 11 Manage Data
    DS 12 Manage Facilities
    DS 13 Manage Operations

  • M - Monitoring
    M 1 Monitor the Processes
    M 2 Assess Internal Control Adequacy
    M 3 Obtain Independent Assurance
    M 4 Provide for Independent Audit

  • CobiT - IT Process Matrix
    Each process is mapped against:
      Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
      IT Resources: People, Applications, Technology, Facilities, Data

  • CobiT - Summary
    Mainly used for IT audits, incl. security aspects
    No detailed evaluation methodology described
    Developed by an international organisation (ISACA)
    Up-to-date: Version 2 released in 1998
    Only high-level control objectives described
    Detailed IT control measures are not documented
    Not very user friendly - learning curve!
    Evaluation results not shown in graphic form

  • CobiT - Summary (cont.)
    May be used for self assessments
    Useful aid in implementing IT control systems
    No suitable basis for writing security handbooks
    CobiT package from ISACA: $ 100.--
    3 parts freely downloadable from the ISACA site
    Software available from Methodware Ltd., NZ (www.methodware.co.nz)
      CobiT Advisor 2nd edition: US$ 600.--

  • BS 7799 - CoP
    Code of Practice for Information Security Management
    Developed by the UK DTI; published by BSI as a British Standard
    Releases
      CoP: 1993
      BS 7799 Part 1: 1995
      BS 7799 Part 2: 1998
    Certification & Accreditation scheme (c:cure)

  • BS 7799 - Security Baseline Controls
    10 control categories
    32 control groups
    109 security controls
    10 security key controls

  • BS 7799 - Control Categories
    Information security policy
    Security organisation
    Assets classification & control
    Personnel security
    Physical & environmental security
    Computer & network management

  • BS 7799 - Control Categories (cont.)
    System access control
    Systems development & maintenance
    Business continuity planning
    Compliance

  • BS7799 - 10 Key Controls
    Information security policy document
    Allocation of information security responsibilities
    Information security education and training
    Reporting of security incidents
    Virus controls

  • BS7799 - 10 Key Controls (cont.)
    Business continuity planning process
    Control of proprietary software copying
    Safeguarding of organizational records
    Data protection
    Compliance with security policy

  • BS7799 - Summary
    Main use: Security Concepts & Health Checks
    No evaluation methodology described
    British Standard, developed by the UK DTI
    Certification scheme in place (c:cure)
    BS7799 Part 1 (1995) is being revised in 1999
    Lists 109 ready-to-use security controls
    No detailed security measures described
    Very user friendly - easy to learn

  • BS7799 - Summary (cont.)
    Evaluation results not shown in graphic form
    May be used for self assessments
    BS7799 Part 1: 94.--
    BS7799 Part 2: 36.--
    Electronic book of Part 1 from BSI (British Standards Institution, not the German BSI below): 190.-- + VAT
    Several BS7799 c:cure publications from BSI
    CoP-iT software from SMH, UK: 349 + VAT (www.smhplc.com)

  • BSI (Bundesamt für Sicherheit in der Informationstechnik)
    IT Baseline Protection Manual (IT-Grundschutzhandbuch)
    Developed by the German BSI (GISA: German Information Security Agency)
    Releases:
      IT security manual: 1992
      IT baseline protection manual: 1995
      New versions (paper and CD-ROM): each year

  • BSI - Approach

  • BSI - Approach
    Used to determine IT security measures for medium-level protection requirements
    Straightforward approach, since no detailed risk analysis is performed
    Based on generic & platform-specific security requirements, the detailed protection measures are assembled from the given building blocks (modules)
    The list of assembled security measures may be used to establish or enhance baseline protection

  • BSI - Structure
    IT security measures
      7 areas
      34 modules (building blocks)
    Safeguards catalogue
      6 categories of security measures
    Threats catalogue
      5 categories of threats

  • BSI - Security Measures (Modules)
    Protection for generic components
    Infrastructure
    Non-networked systems
    LANs
    Data transfer systems
    Telecommunications
    Other IT components

  • BSI - Generic Components
    3.1 Organisation
    3.2 Personnel
    3.3 Contingency Planning
    3.4 Data Protection

  • BSI - Infrastructure
    4.1 Buildings
    4.2 Cabling
    4.3 Rooms
      4.3.1 Office
      4.3.2 Server Room
      4.3.3 Storage Media Archives
      4.3.4 Technical Infrastructure Room
    4.4 Protective cabinets
    4.5 Home working place

  • BSI - Non-Networked Systems
    5.1 DOS PC (single user)
    5.2 UNIX System
    5.3 Laptop
    5.4 DOS PC (multi-user)
    5.5 Non-networked Windows NT computer
    5.6 PC with Windows 95
    5.99 Stand-alone IT systems

  • BSI - LANs
    6.1 Server-Based Network
    6.2 Networked Unix Systems
    6.3 Peer-to-Peer Network
    6.4 Windows NT network
    6.5 Novell Netware 3.x
    6.6 Novell Netware version 4.x
    6.7 Heterogeneous networks

  • BSI - Data Transfer Systems
    7.1 Data Carrier Exchange
    7.2 Modem
    7.3 Firewall
    7.4 E-mail

  • BSI - Telecommunications
    8.1 Telecommunication system
    8.2 Fax Machine
    8.3 Telephone Answering Machine
    8.4 LAN integration of an IT system via ISDN

  • BSI - Other IT Components
    9.1 Standard Software
    9.2 Databases
    9.3 Telecommuting

  • BSI - Module Data Protection (3.4)
    (In this module "data protection" renders the German Datensicherung, i.e. data backup and restore, not privacy; the safeguards below make that clear.)
    Threats - Technical failure:
      T 4.13 Loss of stored data
    Security Measures - Contingency planning:
      S 6.36 Stipulating a minimum data protection concept
      S 6.37 Documenting data protection procedures
      S 6.33 Development of a data protection concept (optional)
      S 6.34 Determining the factors influencing data protection (optional)
      S 6.35 Stipulating data protection procedures (optional)
      S 6.41 Training data reconstruction
    Security Measures - Organisation:
      S 2.41 Employees' commitment to data protection
      S 2.137 Procurement of a suitable data backup system
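
    The module-based assembly described on the "BSI - Approach" slide, and the threat/safeguard structure shown for module 3.4 above, worked through as an added Python example. This is not code from the BSI, from the IT-Grundschutzhandbuch or from the original presentation. Module 3.4 is transcribed from the slide; a second module, 4.3.2 (Server Room), is assumed for illustration only: its threat ids come from the "BSI - T3" slide and its safeguard ids from the "BSI - S1" slide, but the links between them are invented here and are not the manual's. The script selects the modules for an inventory, unions their safeguards (baseline only, or including the ones marked "(optional)"), and reports which threats of the selected modules no chosen safeguard counters, which is the coverage view the BSI summary slide says the manual does not present graphically.

```python
"""Baseline protection the IT-Grundschutz way: select modules for an inventory,
assemble their safeguards, and report which catalogued threats remain uncountered.

Added illustration, not BSI or presentation code. Module 3.4 is transcribed from
the slide; module 4.3.2 is ASSUMED (ids from the slides, links invented here).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    sid: str                  # catalogue id, e.g. "S 6.36"
    title: str
    counters: frozenset       # ids of the threats this safeguard is meant to counter
    optional: bool = False    # marked "(optional)" on the slide: not part of the baseline


@dataclass
class Module:
    mid: str                  # building-block id, e.g. "3.4"
    title: str
    threats: dict             # threat id -> title
    safeguards: tuple


def _ids(*tids):
    return frozenset(tids)


CATALOGUE = {
    # Transcribed from the "BSI - Module Data Protection (3.4)" slide; the slide
    # lists a single threat, so every safeguard is taken to counter it.
    "3.4": Module("3.4", "Data Protection", {"T 4.13": "Loss of stored data"}, (
        Safeguard("S 6.36", "Stipulating a minimum data protection concept", _ids("T 4.13")),
        Safeguard("S 6.37", "Documenting data protection procedures", _ids("T 4.13")),
        Safeguard("S 6.33", "Development of a data protection concept", _ids("T 4.13"), optional=True),
        Safeguard("S 6.34", "Determining the factors influencing data protection", _ids("T 4.13"), optional=True),
        Safeguard("S 6.35", "Stipulating data protection procedures", _ids("T 4.13"), optional=True),
        Safeguard("S 6.41", "Training data reconstruction", _ids("T 4.13")),
        Safeguard("S 2.41", "Employees' commitment to data protection", _ids("T 4.13")),
        Safeguard("S 2.137", "Procurement of a suitable data backup system", _ids("T 4.13")),
    )),
    # ASSUMED module: ids and titles are from the T3 and S1 slides, but the
    # manual's real threat/safeguard links for 4.3.2 are not on the slides.
    "4.3.2": Module("4.3.2", "Server Room", {
        "T 3.6": "Threat posed by cleaning staff or outside staff",
        "T 3.16": "Incorrect administration of site and data access rights",
    }, (
        Safeguard("S 1.10", "Use of safety doors", _ids("T 3.6")),
        Safeguard("S 1.17", "Entrance control service", _ids("T 3.6")),
        Safeguard("S 1.18", "Intruder and fire detection devices", _ids("T 3.6")),
        Safeguard("S 1.28", "Local uninterruptible power supply [UPS]", _ids()),
    )),
}

# Area 3 ("generic components") applies to every IT system; only 3.4 is transcribed here.
GENERIC_MODULES = ("3.4",)


def select_modules(inventory, catalogue=CATALOGUE):
    """Generic modules first, then the platform/infrastructure modules named in the inventory."""
    wanted = list(GENERIC_MODULES) + [m for m in inventory if m not in GENERIC_MODULES]
    missing = [m for m in wanted if m not in catalogue]
    if missing:
        raise KeyError(f"no building block in catalogue for {missing}")
    return [catalogue[m] for m in wanted]


def _cat_key(cid):
    """Sort 'S 2.137' / 'T 3.6' numerically by (category, number), not as strings."""
    cat, num = cid.split()[1].split(".")
    return int(cat), int(num)


def assemble(modules, include_optional=False):
    """Union of the selected modules' safeguards, de-duplicated and in catalogue order."""
    chosen = {}
    for mod in modules:
        for sg in mod.safeguards:
            if sg.optional and not include_optional:
                continue
            chosen.setdefault(sg.sid, sg)   # the same safeguard may be required by several modules
    return [chosen[s] for s in sorted(chosen, key=_cat_key)]


def coverage(modules, safeguards):
    """Split the selected modules' threats into those some chosen safeguard counters and those none does."""
    threats = {tid for mod in modules for tid in mod.threats}
    countered = {tid for sg in safeguards for tid in sg.counters}
    covered = threats & countered
    return covered, threats - covered


def report(inventory, include_optional=False):
    mods = select_modules(inventory)
    sgs = assemble(mods, include_optional)
    covered, uncovered = coverage(mods, sgs)
    lines = ["Modules: " + ", ".join(f"{m.mid} {m.title}" for m in mods)]
    lines += [f"  {sg.sid:<8}{sg.title}" for sg in sgs]
    lines.append("Threats countered:     " + ", ".join(sorted(covered, key=_cat_key)))
    lines.append("Threats NOT countered: " + ", ".join(sorted(uncovered, key=_cat_key)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(["4.3.2"]))
    print()
    print(report(["4.3.2"], include_optional=True))
```

    Run as a script it prints the assembled safeguard list for an inventory consisting of one server room, first baseline-only and then with the optional measures. T 3.16 shows up as not countered only because the assumed module gives it no safeguard; the mechanism is the same one a real coverage check runs against the full catalogue, and the gap list is what an auditor would take into the risk discussion that the baseline approach itself skips.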

  • BSI - Safeguards (420 safeguards)
    S1 - Infrastructure (45 safeguards)
    S2 - Organisation (153 safeguards)
    S3 - Personnel (22 safeguards)
    S4 - Hardware & Software (83 safeguards)
    S5 - Communications (62 safeguards)
    S6 - Contingency Planning (55 safeguards)

  • BSI - S1 Infrastructure (45 safeguards), examples:
    S 1.7 Hand-held fire extinguishers
    S 1.10 Use of safety doors
    S 1.17 Entrance control service
    S 1.18 Intruder and fire detection devices
    S 1.27 Air conditioning
    S 1.28 Local uninterruptible power supply [UPS]
    S 1.36 Safekeeping of data carriers before and after dispatch

  • BSI - Security Threats (209 threats)
    T1 - Force Majeure (10 threats)
    T2 - Organisational Shortcomings (58 threats)
    T3 - Human Errors (31 threats)
    T4 - Technical Failure (32 threats)
    T5 - Deliberate Acts (78 threats)

  • BSI - T3 Human Errors (31 threats), examples:
    T 3.1 Loss of data confidentiality/integrity as a result of IT user error
    T 3.3 Non-compliance with IT security measures
    T 3.6 Threat posed by cleaning staff or outside staff
    T 3.9 Incorrect management of the IT system
    T 3.12 Loss of storage media during transfer
    T 3.16 Incorrect administration of site and data access rights
    T 3.24 Inadvertent manipulation of data
    T 3.25 Negligent deletion of objects

  • BSI - Summary
    Main use: Security concepts & manuals
    No evaluation methodology described
    Developed by the German BSI (GISA)
    Updated version released each year
    Lists 209 threats & 420 security measures
    34 modules cover generic & platform-specific security requirements

  • BSI - Summary (cont.)
    User friendly, with a lot of security details
    Not suitable for security risk analysis
    Results of security coverage not shown in graphic form
    Manual in HTML format on the BSI web server
    Manual in Winword format on CD-ROM (first CD free, additional CDs DM 50.-- each)
    Paper copy of the manual: DM 118.--
    Software BSI Tool (only in German): DM 515.--

  • ITSEC, Common Criteria
    ITSEC: IT Security Evaluation Criteria
    Developed by the UK, Germany, France and the Netherlands; based primarily on the US TCSEC (Orange Book)
    Releases
      ITSEC: 1991
      ITSEM: 1993 (IT Security Evaluation Manual)
      UK IT Security Evaluation & Certification scheme: 1994

  • ITSEC, Common Criteria (cont.)
    Common Criteria (CC)
    Developed by the USA and EC nations (with Canada); based on ITSEC, and also on the US TCSEC/Federal Criteria and the Canadian CTCPEC
    ISO International Standard
    Releases
      CC 1.0: 1996
      CC 2.0: 1998
      ISO IS 15408: 1999

  • ITSEC - Methodology
    Based on a systematic, documented approach to security evaluations of systems & products
    Open-ended with regard to the defined set of security objectives:
      ITSEC: functionality classes, e.g. F-C2
      CC: protection profiles
    Evaluation steps:
      Definition of functionality
      Assurance: confidence in the functionality

  • ITSEC - Functionality
    Security objectives (Why)
      Risk analysis (threats, countermeasures)
      Security policy
    Security enforcing functions (What)
      technical & non-technical
    Security mechanisms (How)
    Evaluation levels

  • ITSEC - Assurance
    Goal: confidence in functions & mechanisms
    Correctness
      Construction (development process & environment)
      Operation (process & environment)
    Effectiveness
      Suitability analysis
      Strength of mechanism analysis
      Vulnerabilities (construction & operation)

  • CC - Security Concept

  • CC - Evaluation Goal

  • CC - Documentation

  • CC - Security Requirements
    Functional Requirements, for defining the security behaviour of the IT product or system: implemented requirements become security functions
    Assurance Requirements, for establishing confidence in the security functions:
      correctness of implementation
      effectiveness in satisfying objectives

  • CC - Security Functional Classes

  • CC - Security Assurance Classes

  • CC - Eval. Assurance Levels (EALs)
    * TCSEC = Trusted Computer System Evaluation Criteria (Orange Book)

  • ITSEC, CC - Summary
    Used primarily for security evaluations, not for generalised IT audits
    Defines an evaluation methodology
    Based on an International Standard (ISO 15408)
    Certification scheme in place
    Updated & enhanced on a yearly basis
    Includes extensible standard sets of security requirements (Protection Profile libraries)

  • Comparison of Methods - Criteria
    Standardisation
    Independence
    Certifiability
    Applicability in practice
    Adaptability

  • Comparison of Methods - Criteria (cont.)
    Extent of Scope
    Presentation of Results
    Efficiency
    Update frequency
    Ease of Use

  • Comparison of Methods - Results
    Scores per criterion and method. The transcript carries the number rows without labels; the row labels below are assumed to follow the order of the criteria on the two preceding slides. Higher values correspond to the strengths named in the summary slides (e.g. standardisation for ITSEC/CC, update frequency for BSI, presentation of results low for all four).

    Criterion                   CobiT   BS 7799   BSI   ITSEC/CC
    Standardisation              3.4      3.3     3.1     3.9
    Independence                 3.3      3.6     3.5     3.9
    Certifiability               2.7      3.3     3.0     3.7
    Applicability in practice    2.8      3.0     3.1     2.5
    Adaptability                 3.3      2.8     3.3     3.0
    Extent of Scope              3.1      2.9     2.7     2.6
    Presentation of Results      1.9      2.2     2.6     1.7
    Efficiency                   3.0      2.8     3.0     2.5
    Update frequency             3.1      2.4     3.4     2.8
    Ease of Use                  2.3      2.7     2.8     2.0

  • CobiT - Assessment

  • BS 7799 - Assessment

  • BSI - Assessment

  • ITSEC/CC - Assessment

  • Use of Methods for IT Audits
    CobiT: audit method for all IT processes
    ITSEC, CC: systematic approach for evaluations
    BS7799, BSI: lists of detailed security measures, to be used as best-practice documentation
    What is needed in addition:
      Audit concept (general aspects, infrastructure audits, application audits)
      Detailed audit plans, checklists and tools for technical audits (operating systems, LANs, etc.)

  • Thank you very much for your interest in IT Audit Methodologies