it audit methodologies it audit methodoloies. it audit methodologies cobit bs 7799 - code of...
TRANSCRIPT
![Page 1: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/1.jpg)
IT Audit Methodologies
IT Audit Methodoloies
![Page 2: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/2.jpg)
IT Audit MethodologiesCobiTBS 7799 - Code of Practice (CoP)BSI - IT Baseline Protection ManualITSECCommon Criteria (CC)
IT Audit Methodoloies
![Page 3: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/3.jpg)
IT Audit Methodologies - URLsCobiT: www.isaca.orgBS7799: www.bsi.org.uk/disc/BSI: www.bsi.bund.de/gshb/english/menue.htmITSEC:www.itsec.gov.ukCC: csrc.nist.gov/cc/
IT Audit Methodoloies
![Page 4: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/4.jpg)
Main Areas of UseIT AuditsRisk AnalysisHealth Checks (Security Benchmarking)Security ConceptsSecurity Manuals / Handbooks
IT Audit Methodoloies
![Page 5: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/5.jpg)
Security DefinitionConfidentialityIntegrity
CorrectnessCompleteness
Availability
IT Audit Methodoloies
![Page 6: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/6.jpg)
CobiTGovernance, Control & Audit for ITDeveloped by ISACAReleases
CobiT 1: 199632 Processes271 Control Objectives
CobiT 2: 199834 Processes302 Control Objectives
IT Audit Methodoloies
![Page 7: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/7.jpg)
CobiT - Model for IT Governance36 Control models used as basis:
Business control models (e.g. COSO)IT control models (e.g. DTI‘s CoP)
CobiT control model covers:Security (Confidentiality, Integrity, Availability)Fiduciary (Effectiveness, Efficiency, Compliance,
Reliability of Information)IT Resources (Data, Application Systems,
Technology, Facilities, People)
IT Audit Methodoloies
![Page 8: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/8.jpg)
CobiT - Framework
IT Audit Methodoloies
![Page 9: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/9.jpg)
CobiT - Structure4 Domains
PO - Planning & Organisation11 processes (high-level control objectives)
AI - Acquisition & Implementation6 processes (high-level control objectives)
DS - Delivery & Support13 processes (high-level control objectives)
M - Monitoring4 processes (high-level control objectives)
IT Audit Methodoloies
![Page 10: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/10.jpg)
PO - Planning and Organisation PO 1 Define a Strategic IT Plan PO 2 Define the Information Architecture PO 3 Determine the Technological Direction PO 4 Define the IT Organisation and Relationships PO 5 Manage the IT Investment PO 6 Communicate Management Aims and Direction PO 7 Manage Human Resources PO 8 Ensure Compliance with External Requirements PO 9 Assess Risks PO 10 Manage Projects PO 11 Manage Quality
IT Audit Methodoloies
![Page 11: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/11.jpg)
AI - Acquisition and ImplementationAI 1 Identify SolutionsAI 2 Acquire and Maintain Application SoftwareAI 3 Acquire and Maintain Technology ArchitectureAI 4 Develop and Maintain IT ProceduresAI 5 Install and Accredit SystemsAI 6 Manage Changes
IT Audit Methodoloies
![Page 12: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/12.jpg)
DS - Delivery and Support DS 1 Define Service Levels DS 2 Manage Third-Party
Services DS 3 Manage Performance and
Capacity DS 4 Ensure Continuous Service DS 5 Ensure Systems Security DS 6 Identify and Attribute Costs DS 7 Educate and Train Users
IT Audit Methodoloies
DS 8 Assist and Advise IT
Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and
Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
![Page 13: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/13.jpg)
M - MonitoringM 1 Monitor the ProcessesM 2 Assess Internal Control AdequacyM 3 Obtain Independent AssuranceM 4 Provide for Independent Audit
IT Audit Methodoloies
![Page 14: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/14.jpg)
CobiT - IT Process MatrixInformation Criteria
EffectivenessEfficiencyConfidentialit
yIntegrityAvailabilityComplianceReliability
IT Audit Methodoloies
IT Resources People Applications Technology Facilities Data
IT Processes
Microsoft Excel-Tabelle
![Page 15: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/15.jpg)
CobiT - SummaryMainly used for IT audits, incl. security aspectsNo detailed evaluation methodology describedDeveloped by international organisation (ISACA)Up-to-date: Version 2 released in 1998Only high-level control objectives describedDetailed IT control measures are not documentedNot very user friendly - learning curve!Evaluation results not shown in graphic form
IT Audit Methodoloies
![Page 16: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/16.jpg)
CobiT - SummaryMay be used for self assessmentsUseful aid in implementing IT control systemsNo suitable basis to write security handbooksCobiT package from ISACA: $ 100.--3 parts freely downloadable from ISACA siteSoftware available from Methodware Ltd., NZ
(www.methodware.co.nz)
CobiT Advisor 2nd edition: US$ 600.--
IT Audit Methodoloies
![Page 17: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/17.jpg)
BS 7799 - CoPCode of Practice for Inform. Security Manag.Developed by UK DTI, BSI: British StandardReleases
CoP: 1993BS 7799: Part 1: 1995BS 7799: Part 2: 1998
Certification & Accreditation scheme (c:cure)
IT Audit Methodoloies
![Page 18: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/18.jpg)
BS 7799 - Security Baseline Controls10 control categories32 control groups109 security controls10 security key controls
IT Audit Methodoloies
![Page 19: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/19.jpg)
BS 7799 - Control CategoriesInformation security policySecurity organisationAssets classification & controlPersonnel securityPhysical & environmental securityComputer & network management
IT Audit Methodoloies
![Page 20: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/20.jpg)
BS 7799 - Control CategoriesSystem access controlSystems development & maintenanceBusiness continuity planningCompliance
IT Audit Methodoloies
![Page 21: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/21.jpg)
BS7799 - 10 Key ControlsInformation security policy documentAllocation of information security responsibilitiesInformation security education and trainingReporting of security incidentsVirus controls
IT Audit Methodoloies
![Page 22: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/22.jpg)
BS7799 - 10 Key ControlsBusiness continuity planning processControl of proprietary software copyingSafeguarding of organizational recordsData protectionCompliance with security policy
IT Audit Methodoloies
![Page 23: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/23.jpg)
BS7799 - SummaryMain use: Security Concepts & Health ChecksNo evaluation methodology describedBritish Standard, developed by UK DTICertification scheme in place (c:cure)BS7799, Part1, 1995 is being revised in 1999Lists 109 ready-to-use security controlsNo detailed security measures describedVery user friendly - easy to learn
IT Audit Methodoloies
![Page 24: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/24.jpg)
BS7799 - SummaryEvaluation results not shown in graphic formMay be used for self assessmentsBS7799, Part1: £ 94.--BS7799, Part2: £ 36.--BSI Electronic book of Part 1: £ 190.-- + VATSeveral BS7799 c:cure publications from BSICoP-iT software from SMH, UK: £349+VAT
(www.smhplc.com)
IT Audit Methodoloies
![Page 25: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/25.jpg)
BSI (Bundesamt für Sicherheit in der Informationstechnik)IT Baseline Protection Manual
(IT- Grundschutzhandbuch )Developed by German BSI (GISA: German
Information Security Agency)Releases:
IT security manual: 1992IT baseline protection manual: 1995New versions (paper and CD-ROM): each year
IT Audit Methodoloies
![Page 26: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/26.jpg)
BSI - Approach
IT Audit Methodoloies
![Page 27: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/27.jpg)
BSI - ApproachUsed to determine IT security measures for
medium-level protection requirementsStraight forward approach since detailed risk
analysis is not performedBased on generic & platform specific security
requirements detailed protection measures are constructed using given building blocks
List of assembled security measures may be used to establish or enhance baseline protection
IT Audit Methodoloies
![Page 28: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/28.jpg)
BSI - StructureIT security measures
7 areas34 modules (building blocks)
Safeguards catalogue6 categories of security measures
Threats catalogue5 categories of threats
IT Audit Methodoloies
![Page 29: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/29.jpg)
BSI - Security Measures (Modules)Protection for generic componentsInfrastructureNon-networked systemsLANsData transfer systemsTelecommunicationsOther IT components
IT Audit Methodoloies
![Page 30: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/30.jpg)
BSI - Generic Components3.1 Organisation
3.2 Personnel
3.3 Contingency Planning
3.4 Data Protection
IT Audit Methodoloies
![Page 31: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/31.jpg)
BSI - Infrastructure4.1 Buildings
4.2 Cabling
4.3 Rooms
4.3.1 Office
4.3.2 Server Room
4.3.3 Storage Media Archives
4.3.4 Technical Infrastructure Room
4.4 Protective cabinets
4.5 Home working place
IT Audit Methodoloies
![Page 32: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/32.jpg)
BSI - Non-Networked Systems5.1 DOS PC (Single User)
5.2 UNIX System
5.3 Laptop
5.4 DOS PC (multiuser)
5.5 Non-networked Windows NT computer
5.6 PC with Windows 95
5.99 Stand-alone IT systems
IT Audit Methodoloies
![Page 33: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/33.jpg)
BSI - LANs6.1 Server-Based Network
6.2 Networked Unix Systems
6.3 Peer-to-Peer Network
6.4 Windows NT network
6.5 Novell Netware 3.x
6.6 Novell Netware version 4.x
6.7 Heterogeneous networks
IT Audit Methodoloies
![Page 34: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/34.jpg)
BSI - Data Transfer Systems7.1 Data Carrier Exchange
7.2 Modem
7.3 Firewall
7.4 E-mail
IT Audit Methodoloies
![Page 35: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/35.jpg)
BSI - Telecommunications8.1 Telecommunication system
8.2 Fax Machine
8.3 Telephone Answering Machine
8.4 LAN integration of an IT system via ISDN
IT Audit Methodoloies
![Page 36: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/36.jpg)
BSI - Other IT Components9.1 Standard Software
9.2 Databases
9.3 Telecommuting
IT Audit Methodoloies
![Page 37: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/37.jpg)
BSI - Module „Data Protection“ (3.4)Threats -Technical failure:
T 4.13 Loss of stored dataSecurity Measures - Contingency planning:
S 6.36 Stipulating a minimum data protection conceptS 6.37 Documenting data protection proceduresS 6.33 Development of a data protection concept
(optional)S 6.34 Determining the factors influencing data
protection (optional)S 6.35 Stipulating data protection procedures (optional)S 6.41 Training data reconstruction
Security Measures - Organisation:S 2.41 Employees' commitment to data protectionS 2.137 Procurement of a suitable data backup systemIT Audit Methodoloies
![Page 38: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/38.jpg)
BSI - Safeguards (420 safeguards)S1 - Infrastructure ( 45 safeguards)S2 - Organisation (153 safeguards)S3 - Personnel ( 22 safeguards)S4 - Hardware & Software ( 83 safeguards)S5 - Communications ( 62 safeguards)S6 - Contingency Planning ( 55 safeguards)
IT Audit Methodoloies
![Page 39: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/39.jpg)
BSI - S1-Infrastructure (45 safeguards)S 1.7 Hand-held fire extinguishers
S 1.10 Use of safety doors
S 1.17 Entrance control service
S 1.18 Intruder and fire detection devices
S 1.27 Air conditioning
S 1.28 Local uninterruptible power supply [UPS]
S 1.36 Safekeeping of data carriers before and after dispatch
IT Audit Methodoloies
![Page 40: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/40.jpg)
BSI - Security Threats (209 threats)T1 - Force Majeure (10 threats)T2 - Organisational Shortcomings (58 threats)T3 - Human Errors (31 threats)T4 - Technical Failure (32 threats)T5 - Deliberate acts (78 threats)
IT Audit Methodoloies
![Page 41: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/41.jpg)
BSI - T3-Human Errors (31 threats)T 3.1 Loss of data confidentiality/integrity as a result of
IT user error
T 3.3 Non-compliance with IT security measures
T 3.6 Threat posed by cleaning staff or outside staff
T 3.9 Incorrect management of the IT system
T 3.12 Loss of storage media during transfer
T 3.16 Incorrect administration of site and data access rights
T 3.24 Inadvertent manipulation of data
T 3.25 Negligent deletion of objectsIT Audit Methodoloies
![Page 42: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/42.jpg)
BSI - SummaryMain use: Security concepts & manualsNo evaluation methodology describedDeveloped by German BSI (GISA)Updated version released each yearLists 209 threats & 420 security measures34 modules cover generic & platform specific
security requirements
IT Audit Methodoloies
![Page 43: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/43.jpg)
BSI - SummaryUser friendly with a lot of security detailsNot suitable for security risk analysisResults of security coverage not shown in graphic
formManual in HTML format on BSI web serverManual in Winword format on CD-ROM
(first CD free, additional CDs cost DM 50.-- each)
Paper copy of manual: DM 118.--
Software ‚BSI Tool‘ (only in German): DM 515.--
IT Audit Methodoloies
![Page 44: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/44.jpg)
ITSEC, Common CriteriaITSEC: IT Security Evaluation CriteriaDeveloped by UK, Germany, France, Netherl. and
based primarily on USA TCSEC (Orange Book)
ReleasesITSEC: 1991ITSEM: 1993 (IT Security Evaluation Manual)UK IT Security Evaluation & Certification scheme:
1994
IT Audit Methodoloies
![Page 45: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/45.jpg)
ITSEC, Common CriteriaCommon Criteria (CC)Developed by USA, EC: based on ITSECISO International StandardReleases
CC 1.0: 1996CC 2.0: 1998ISO IS 15408: 1999
IT Audit Methodoloies
![Page 46: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/46.jpg)
ITSEC - MethodologyBased on systematic, documented approach for
security evaluations of systems & productsOpen ended with regard to defined set of security
objectivesITSEC Functionality classes; e.g. FC-C2CC protection profiles
Evaluation steps:Definition of functionalityAssurance: confidence in functionality
IT Audit Methodoloies
![Page 47: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/47.jpg)
ITSEC - FunctionalitySecurity objectives (Why)
Risk analysis (Threats, Countermeasures)Security policy
Security enforcing functions (What)technical & non-technical
Security mechanisms (How)Evaluation levels
IT Audit Methodoloies
![Page 48: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/48.jpg)
ITSEC - AssuranceGoal: Confidence in functions & mechanismsCorrectness
Construction (development process & environment)Operation (process & environment)
EffectivenessSuitability analysisStrength of mechanism analysisVulnerabilities (construction & operation)
IT Audit Methodoloies
![Page 49: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/49.jpg)
CC - Security Concept
IT Audit Methodoloies
![Page 50: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/50.jpg)
CC - Evaluation Goal
IT Audit Methodoloies
![Page 51: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/51.jpg)
CC - Documentation
IT Audit Methodoloies
CC Part 1Introduction and Model Introduction to
Approach
Terms and Model
Requirements forProtection Profiles (PP)and Security Targets (ST)
CC Part 2Functional Requirements
Functional Classes
Functional Families
FunctionalComponents
Detailed Requirements
CC Part 3Assurance Requirements
Assurance Classes
Assurance Families
Assurance Components
Detailed Requirements
Evaluation AssuranceLevels (EAL)
![Page 52: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/52.jpg)
CC - Security Requirements
IT Audit Methodoloies
Functional Requirements
for defining security behavior of the IT product or system:
implemented requirements become security functions
Assurance Requirements
for establishing confidence in Security Functions:
correctness of implementation effectiveness in satisfying
objectives
![Page 53: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/53.jpg)
CC - Security Functional Classes
IT Audit Methodoloies
NameAuditCommunicationsCryptographic SupportUser Data ProtectionIdentification & AuthenticationSecurity ManagementPrivacyProtection of TOE Security FunctionsResource UtilizationTOE (Target Of Evaluation) AccessTrusted Path / Channels
ClassFAUFCOFCSFDPFIAFMTFPRFPTFRUFTAFTP
![Page 54: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/54.jpg)
CC - Security Assurance Classes
IT Audit Methodoloies
NameConfiguration Management
Delivery & OperationDevelopmentGuidance DocumentsLife Cycle SupportTestsVulnerability AssessmentProtection Profile EvaluationSecurity Target EvaluationMaintenance of Assurance
ClassACMADOADVAGDALCATEAVAAPEASEAMA
![Page 55: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/55.jpg)
CC - Eval. Assurance Levels (EALs)
IT Audit Methodoloies*TCSEC = “Trusted Computer Security Evaluation Criteria” --”Orange Book”
NameFunctionally TestedStructurally TestedMethodically Tested & CheckedMethodically Designed, Tested & ReviewedSemiformally Designed & TestedSemiformally Verified Design & TestedFormally Verified Design & Tested
EALEAL1EAL2EAL3EAL4EAL5EAL6EAL7
*TCSEC
C1C2B1B2B3A1
![Page 56: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/56.jpg)
ITSEC, CC - SummaryUsed primarily for security evaluations and not for
generalized IT audits Defines evaluation methodologyBased on International Standard (ISO 15408)Certification scheme in placeUpdated & enhanced on a yearly basisIncludes extensible standard sets of security
requirements (Protection Profile libraries)
IT Audit Methodoloies
![Page 57: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/57.jpg)
Comparison of Methods - CriteriaStandardisationIndependenceCertifiabilityApplicability in practiceAdaptability
IT Audit Methodoloies
![Page 58: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/58.jpg)
Comparison of Methods - CriteriaExtent of ScopePresentation of ResultsEfficiencyUpdate frequencyEase of Use
IT Audit Methodoloies
![Page 59: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/59.jpg)
Comparison of Methods - Results
IT Audit Methodoloies
CobiT3.43.32.72.83.33.11.93.03.12.3
StandardisationIndependenceCertifyabilityApplicability in practiceAdaptabilityExtent of ScopePresentation of ResultsEfficiencyUpdate frequencyEase of Use
BS 77993.33.63.33.02.82.92.22.82.42.7
BSI3.13.53.03.13.32.72.63.03.42.8
ITSEC/CC
3.93.93.72.53.02.61.72.52.82.0
Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC form H.P. Winiger
![Page 60: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/60.jpg)
CobiT - Assessment
IT Audit Methodoloies
![Page 61: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/61.jpg)
BS 7799 - Assessment
IT Audit Methodoloies
![Page 62: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/62.jpg)
BSI - Assessment
IT Audit Methodoloies
![Page 63: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/63.jpg)
ITSEC/CC - Assessment
IT Audit Methodoloies
![Page 64: IT Audit Methodologies IT Audit Methodoloies. IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC](https://reader030.vdocuments.us/reader030/viewer/2022012902/551c3e66550346ea388b4b0b/html5/thumbnails/64.jpg)
Use of Methods for IT AuditsCobiT: Audit method for all IT processesITSEC, CC: Systematic approach for evaluationsBS7799, BSI: List of detailed security measures to
be used as best practice documentationDetailed audit plans, checklists, tools for technical
audits (operating systems, LANs, etc.)What is needed in addition:
Audit concept (general aspects, infrastructure audits, application audits)
IT Audit Methodoloies