IT Security Auditing Martin Goldberg

Posted on 21-Dec-2015

Page 1: IT Security Auditing Martin Goldberg. Today’s Topics Defining IT Audit and the Auditor Steps of an IT Audit Preparing to be Audited How IT Audit Applications

IT Security Auditing

Martin Goldberg

Page 2: Today's Topics

Defining IT Audit and the Auditor

Steps of an IT Audit

Preparing to be Audited

How to Audit Applications

Page 3: Defining IT Security Audit

Financial Audit - IRS

Physical Audit - Inventory

Page 4: Defining IT Security Audit (cont.)

IT Audit: Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend changes in controls, policies, or procedures - DL 1.1.9

Good amount of vagueness; ultimately defined by where you work

Page 5: Who Is an IT Auditor?

Accountant raised to a CS major: CPA, CISA, CISM, networking, hardware, software, information assurance, cryptography

Someone who knows everything an accountant does plus everything a BS/MS does about CS and computer security - not likely to exist

IT Audits Are Done in Teams: Accountant + Computer Geek = IT Audit Team

Scope too large; needed expertise varies

Page 6: CISA? CISM?

CISA - Certified Information Systems Auditor

CISM - Certified Information Systems Manager - new

www.isaca.org (Information Systems Audit and Control Organization) - teaching financial auditors to talk to CS people

Page 7: CISA

Min. of 5 years of IS auditing, control or security work experience

Code of professional ethics

Adhering to IS auditing standards

Exam topics:
1. Management, Planning, and Organization of IS
2. Technical Infrastructure and Operational Practices
3. Protection of Information Assets

Page 8: CISA (cont.)

Exam topics (cont.):
4. Disaster Recovery and Business Continuity
5. Business Application System Development, Acquisition, Implementation, and Maintenance
6. Business Process Evaluation and Risk Management
7. The IS Audit Process

Page 9: CISM

Next step above CISA

Exam topics:
1. Information Security Governance
2. Risk Management
3. Information Security Program Management
4. Information Security Management
5. Response Management

Page 10: Steps of An IT Audit

1. Planning Phase
2. Testing Phase
3. Reporting Phase

Ideally it's a continuous cycle; again, not always the case

Page 11: Planning Phase

Entry Meeting

Define Scope

Learn Controls

Historical Incidents

Past Audits

Site Survey

Review Current Policies

Questionnaires

Define Objectives

Develop Audit Plan / Checklist

Page 12: Defining Objectives & Data Collection - Some Points to Keep in Mind

OTS (Department of Treasury - Office of Thrift Savings) - Banking Regulations

SEC (Securities and Exchange Commission) - Mutual Funds

HIPAA - Health Care

Sarbanes-Oxley - Financial Reports, Document Retention

Gramm-Leach-Bliley - Consumer Financial Information

FERPA (Family Education Rights and Privacy Act) - Student Records

Clearance

Page 13: Example Checklist

"An Auditor's Checklist for Performing a Perimeter Audit of an IBM iSeries (AS/400) System" - Craig Reise

Scope of the audit does not include the:
Operating system
Physical security
Services running

Page 14: Testing Phase

Meet With Site Managers
What data will be collected
How/when will it be collected
Site employee involvement
Answer questions

Page 15: Testing Phase (cont.)

Data Collection - based on scope/objectives

Types of Data:
Physical security
Interview staff
Vulnerability assessments
Access control assessments

Page 16: Reporting Phase

Exit Meeting - Short Report
Immediate problems
Questions & answers for site managers
Preliminary findings
NOT able to give in-depth information

Page 17: Reporting Phase (cont.)

Long Report - After Going Through Data
Intro defining objectives/scope
How data was collected
Summary of problems:
  Table format
  Historical data (if available)
  Ratings
  Fixes
  Page # where the in-depth description is

Page 18: Reporting Phase (cont.)

In-depth description of problem
How problem was discovered
Fix (in detail)
Industry standards (if available)
Glossary of terms
References

Note: The Above Varies Depending on Where You Work

Page 19: Preparing To Be Audited

This Is NOT a Confrontation

Make Yourself Available

Know What The Scope/Objectives Are

Know What Type of Data Will be Collected

Know What Data Shouldn’t be Collected

Page 20: Example - Auditing Users & Groups

Page 21: Application Audit

An assessment whose scope focuses on a narrow but business-critical process or application
Excel spreadsheet with embedded macros used to analyze data
Payroll process that may span across several different servers, databases, operating systems, applications, etc.

The level of controls is dependent on the degree of risk involved in the incorrect or unauthorized processing of data

Page 22: Application Audit (cont.)

1. Administration
2. Inputs, Processing, Outputs
3. Logical Security
4. Disaster Recovery Plan
5. Change Management
6. User Support
7. Third Party Services
8. General Controls

Page 23: Application Audit - Administration

Probably the most important area of the audit, because this area focuses on the overall ownership and accountability of the application
Roles & Responsibilities - development, change approval, access authorization
Legal or regulatory compliance issues

Page 24: Application Audit - Inputs, Processing, Outputs

Looking for evidence of data preparation procedures, reconciliation processes, handling requirements, etc.
Run test transactions against the application
Includes who can enter input and see output
Retention of output and its destruction

Page 25: Application Audit - Logical Security

Looking at user creation and authorization as governed by the application itself
User ID linked to a real person
Number of allowable unsuccessful log-on attempts
Minimum password length
Password expiration
Password re-use
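As an added example (not from the slides), the Logical Security items above and the "Auditing Users & Groups" example slide turned into a check over a constructed export of an application's log-on settings and user list, with findings emitted in the problem/rating/fix table shape the Reporting Phase slides describe. The baseline thresholds, field names and sample data are assumptions for this example.

```python
# Constructed baseline thresholds (assumptions for this example, not values from the deck).
BASELINE = {"max_failed_logons": 5, "min_password_length": 12,
            "max_password_age_days": 90, "password_history": 10}

# Constructed export of the application's own log-on settings; 0 means "not enforced".
APP_POLICY = {"max_failed_logons": 0, "min_password_length": 8,
              "max_password_age_days": 0, "password_history": 3}

# Constructed user list; "owner" is the real person a user ID is linked to.
APP_USERS = [
    {"user_id": "jdoe",      "owner": "Jane Doe",   "status": "active"},
    {"user_id": "svc_batch", "owner": "",           "status": "active"},
    {"user_id": "tmp01",     "owner": "",           "status": "active"},
    {"user_id": "rlee",      "owner": "Robert Lee", "status": "disabled"},
]

def audit_logical_security(policy, users, baseline=BASELINE):
    """Check the Logical Security items and return (problem, rating, fix) findings."""
    findings = []
    # Lockout threshold and password age: 0 (not enforced) or above baseline is weaker.
    for key, label in (("max_failed_logons", "unsuccessful log-on attempts"),
                       ("max_password_age_days", "password expiration (days)")):
        if policy[key] == 0 or policy[key] > baseline[key]:
            findings.append((f"Weak {label}: {policy[key]} (0 = not enforced)", "High",
                             f"Set {label} to at most {baseline[key]}"))
    # Minimum length and re-use history: below baseline is weaker.
    for key, label in (("min_password_length", "minimum password length"),
                       ("password_history", "password re-use history")):
        if policy[key] < baseline[key]:
            findings.append((f"Weak {label}: {policy[key]}", "Medium",
                             f"Set {label} to at least {baseline[key]}"))
    # Every active user ID must be linked to a real person.
    unowned = sorted(u["user_id"] for u in users
                     if u["status"] == "active" and not u["owner"].strip())
    if unowned:
        findings.append(("Active user IDs not linked to a person: " + ", ".join(unowned),
                         "High", "Assign a named owner or disable the account"))
    return findings

def summary_table(findings):
    """Render findings as the summary table the Reporting Phase slide describes."""
    header = f"{'#':>2} | {'Rating':<6} | {'Problem':<60} | Fix"
    rows = [f"{i:>2} | {rating:<6} | {problem:<60} | {fix}"
            for i, (problem, rating, fix) in enumerate(findings, 1)]
    return "\n".join([header] + rows)

if __name__ == "__main__":
    print(summary_table(audit_logical_security(APP_POLICY, APP_USERS)))
```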

Page 26: Application Audit - Disaster Recovery Plan

Looking for an adequate and performable disaster recovery plan that will allow the application to be recovered in a reasonable amount of time after a disaster
Backup guidelines, process documentation, offsite storage guidelines, SLAs with offsite storage vendors, etc.

Page 27: Application Audit - Change Management

Examines the process changes to an application go through
Process is documented, adequate and followed
Who is allowed to request a change, approve a change and make the change
Change is tested and doesn't break compliance (determined in Administration) before being placed into production
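As an added example (not from the slides), the Change Management items above applied to constructed change tickets: each record is checked against the documented lists of who may approve and implement, for separation of duties between requester, approver and implementer (the editor's reading of the "who is allowed to request, approve and make the change" point), and for testing and compliance confirmation before production. Ticket fields and names are assumptions.

```python
# Constructed change tickets, in the shape an auditor might export from a ticketing system.
CHANGES = [
    {"id": "CHG-001", "requested_by": "jdoe", "approved_by": "mgr1",
     "implemented_by": "ops2", "tested": True, "compliance_checked": True},
    {"id": "CHG-002", "requested_by": "ops2", "approved_by": "ops2",
     "implemented_by": "ops2", "tested": False, "compliance_checked": True},
    {"id": "CHG-003", "requested_by": "jdoe", "approved_by": "mgr1",
     "implemented_by": "mgr1", "tested": True, "compliance_checked": False},
]

# Constructed authorisation lists: who the documented process allows in each role.
AUTHORISED = {"approve": {"mgr1", "mgr2"}, "implement": {"ops1", "ops2"}}

def review_change(change, authorised=AUTHORISED):
    """Return the control failures for one change record (empty list = clean)."""
    issues = []
    req, app, imp = change["requested_by"], change["approved_by"], change["implemented_by"]
    # Was the documented process followed by the people it allows?
    if app not in authorised["approve"]:
        issues.append(f"approved by {app}, who is not an authorised approver")
    if imp not in authorised["implement"]:
        issues.append(f"implemented by {imp}, who is not an authorised implementer")
    # Separation of duties between requesting, approving and making the change.
    if req == app:
        issues.append("requester approved their own change")
    if app == imp:
        issues.append("approver also implemented the change")
    # Tested and compliance-checked before being placed into production.
    if not change["tested"]:
        issues.append("not tested before production")
    if not change["compliance_checked"]:
        issues.append("compliance not confirmed before production")
    return issues

def review_changes(changes):
    """Map change id -> list of failures, for the changes that have any."""
    result = {}
    for c in changes:
        issues = review_change(c)
        if issues:
            result[c["id"]] = issues
    return result

if __name__ == "__main__":
    for change_id, issues in review_changes(CHANGES).items():
        print(change_id, "->", "; ".join(issues))
```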

Page 28: Application Audit - User Support

One of the most overlooked aspects of an application
User documentation (manuals, online help, etc.) - available & up to date
User training - productivity, proper use, security
Process for user improvement requests

Page 29: Application Audit - Third Party Services

Look at the controls around any 3rd party services that are required to meet business objectives for the application or system
Liaison to 3rd party vendor
Review contract agreement
SAS (Statement on Auditing Standards) No. 70 - Service organizations disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format

Page 30: Application Audit - General Controls

Examining the environment the application exists within that affects the application
System administration / operations
Organizational logical security
Physical security
Organizational disaster recovery plans
Organizational change control process
License control processes
Virus control procedures

Page 31: References

www.isaca.org

"An Auditor's Checklist for Performing a Perimeter Audit of an IBM iSeries (AS/400) System" - Craig Reise

"Conducting a Security Audit: An Introductory Overview" - Bill Hayes

"The Application Audit Process - A Guide for Information Security Professionals" - Robert Hein