![Page 1: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/1.jpg)
IT Security Auditing
Martin Goldberg
![Page 2: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/2.jpg)
Today’s Topics
Defining IT Audit and the Auditor
Steps of an IT Audit
Preparing to be Audited
How IT Audit Applications
![Page 3: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/3.jpg)
Defining IT Security Audit
Financial Audit IRS
Physical Audit Inventory
![Page 4: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/4.jpg)
Defining IT Security Audit (cont.)
IT Audit Independent review and examination of records
and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend changes in controls, policies, or procedures - DL 1.1.9
Good Amount of Vagueness Ultimately defined by where you work
![Page 5: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/5.jpg)
Who is an IT Auditor
Accountant Raised to a CS Major CPA, CISA, CISM, Networking, Hardware, Software,
Information Assurance, Cryptography Some one who knows everything an accountant
does plus everything a BS/MS does about CS and Computer Security - Not likely to exist
IT Audits Are Done in Teams Accountant + Computer Geek = IT Audit Team Scope to large Needed expertise varies
![Page 6: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/6.jpg)
CISA? CISM?
CISA - Certified Information Systems Auditor
CISM - Certified Information Systems Mangager - new
www.isaca.org (Information Systems Audit and Control Organization) Teaching financial auditors to talk to CS people
![Page 7: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/7.jpg)
CISA
Min. of 5 years of IS auditing, control or security work experience
Code of professional ethics Adhering to IS auditing standards Exam topics:
1. Management, Planning, and Organization of IS 2. Technical Infrastructure and Operational Practices 3. Protection of Information Assets
![Page 8: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/8.jpg)
CISA (cont.)
Exam topics: (cont.) 4. Disaster Recovery and Business Continuity 5. Business Application System Development,
Acquisition, Implementation, and Maintenance 6. Business Process Evaluation and Risk
Management 7. The IS Audit Process
![Page 9: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/9.jpg)
CISM
Next step above CISA
Exam topics: 1. Information Security Governance 2. Risk Management 3. Information Security Program Management 4. Information Security Management 5. Response Management
![Page 10: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/10.jpg)
Steps of An IT Audit
1. Planning Phase
2. Testing Phase
3. Reporting Phase
Ideally it’s a continuous cycle Again not always the case
![Page 11: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/11.jpg)
Planning Phase
Entry Meeting
Define Scope
Learn Controls
Historical Incidents
Past Audits
Site Survey
Review Current Policies
Questionnaires
Define Objectives
Develop Audit Plan / Checklist
![Page 12: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/12.jpg)
Defining Objectives & Data Collection Some Points to Keep in Mind
OTS (Department of Treasury - Office of Thrift Savings) - Banking Regulations
SEC (Securities and Exchange Commission) - Mutual Funds
HIPPA - Health Care Sarbanes Oxley - Financial Reports, Document Retention Gramm-Leach Bliley - Consumer Financial Information FERPA (Family Education Rights and Privacy Act) -
Student Records Clearence
![Page 13: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/13.jpg)
Example Checklist
“An Auditor’s Checklist for Performing a Perimeter Audit of on IBM ISERIES (AS/400) System” - Craig ReiseScope of the audit does not include the
Operating SystemPhysical securityServices running
![Page 14: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/14.jpg)
Testing Phase
Meet With Site ManagersWhat data will be collectedHow/when will it be collectedSite employee involvementAnswer questions
![Page 15: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/15.jpg)
Testing Phase (cont.)
Data CollectionBased on scope/objectives
Types of DataPhysical security Interview staffVulnerability assessmentsAccess Control assessments
![Page 16: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/16.jpg)
Reporting Phase
Exit Meeting - Short Report Immediate problemsQuestions & answer for site managersPreliminary findingsNOT able to give in depth information
![Page 17: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/17.jpg)
Reporting Phase (cont.)
Long Report After Going Through Data Intro defining objectives/scope How data was collected Summary of problems
Table format Historical data (if available) Ratings Fixes Page # where in depth description is
![Page 18: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/18.jpg)
Reporting Phase (cont.)
In depth description of problem How problem was discovered Fix (In detail) Industry standards (if available)
Glossary of termsReferences
Note: The Above Varies Depending on Where You Work
![Page 19: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/19.jpg)
Preparing To Be Audited
This Is NOT a Confrontation
Make Your Self Available
Know What The Scope/Objectives Are
Know What Type of Data Will be Collected
Know What Data Shouldn’t be Collected
![Page 20: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/20.jpg)
Example - Auditing User & Groups
![Page 21: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/21.jpg)
Application Audit
An assessment Whose Scope Focuses on a Narrow but Business Critical Processes or Application Excel spreadsheet with embedded macros used to
analyze data Payroll process that may span across several different
servers, databases, operating systems, applications, etc.
The level of controls is dependent on the degree of risk involved in the incorrect or unauthorized processing of data
![Page 22: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/22.jpg)
Application Audit (cont.)
1. Administration 2. Inputs, Processing, Outputs 3. Logical Security 4. Disaster Recovery Plan 5. Change Management 6. User Support 7. Third Party Services 8 . General Controls
![Page 23: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/23.jpg)
Application Audit - Administration
Probably the most important area of the audit, because this area focuses on the overall ownership and accountability of the applicationRoles & Responsibilities - development,
change approval, access authorizationLegal or regulatory compliance issues
![Page 24: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/24.jpg)
Application Audit - Inputs, Processing, Outputs
Looking for evidence of data preparation procedures, reconciliation processes, handling requirements, etc.Run test transactions against the
application Includes who can enter input and see
outputRetention of output and its destruction
![Page 25: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/25.jpg)
Application Audit - Logical Security
Looking at user creation and authorization as governed by the application its self User ID linked to a real person Number of allowable unsuccessful log-on attempts Minimum password length Password expiration Password Re-use ability
![Page 26: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/26.jpg)
Application Audit - Disaster Recovery Plan
Looking for an adequate and performable disaster recovery plan that will allow the application to be recovered in a reasonable amount of time after a disasterBackup guidelines, process documentation,
offsite storage guidelines, SLA’s with offsite storage vendors, etc.
![Page 27: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/27.jpg)
Application Audit - Change Management
Examines the process changes to an application go through Process is documented, adequate and followed Who is allowed to make a request a change,
approve a change and make the change Change is tested and doesn’t break compliance
(determined in Administration) before being placed in to production
![Page 28: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/28.jpg)
Application Audit - User Support
One of the most overlooked aspects of an applicationUser documentation (manuals, online help,
etc.) - available & up to dateUser training - productivity, proper use,
securityProcess for user improvement requests
![Page 29: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/29.jpg)
Application Audit - Third Party Services Look at the controls around any 3rd party
services that are required to meet business objectives for the application or system Liaison to 3rd party vendor Review contract agreement SAS (Statement on Auditing Standards) N0. 70 -
Service organizations disclose their control activities and processes to their customers and their customers’ auditors in a uniform reporting format
![Page 30: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/30.jpg)
Application Audit - General Controls Examining the environment the application
exists within that affect the application System administration / operations Organizational logical security Physical security Organizational disaster recovery plans Organizational change control process License control processes Virus control procedures
![Page 31: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications](https://reader035.vdocuments.us/reader035/viewer/2022062714/56649d615503460f94a42820/html5/thumbnails/31.jpg)
References
www.isaca.org “An Auditor’s Checklist for Performing a
Perimeter Audit of on IBM ISERIES (AS/400) System” - Craig Reise
“Conducting a Security Audit: An Introductory Overview” - Bill Hayes
“The Application Audit Process - A Guide for Information Security Professionals” - Robert Hein