Practical Guidance for Auditing IT General Controls

Chase Whitaker CPA CIAChase Whitaker, CPA, CIASeptember 2, 2009

About Hospital Corporation of America

$28B annual revenue

$24B total assets

$4.6B EBDITA

$673M Net Income

Fortune 100 Company

~180 000 employees~180,000 employees

~170 hospitals

~110 surgery centers110 surgery centers

Common line of business, systems, and security

2

model

Session Objectives

IT general controls and significance for regulatory compliance

COBIT 4.1 IT control framework

IT general controls scope areas including:– Infrastructure/logical security

– User access

– Physical security/environmental controls

Ch t– Change management

– Disaster recovery/business continuity

How to plan and execute a risk based IT general3

How to plan and execute a risk‐based IT general controls review

What are IT general controls?

Encompassing controls designed to cover the entire i i ’ IT i f h h ifi li iorganization’s IT infrastructure rather than specific applications

IT general controls help ensure CIA:– Confidentiality– Confidentiality

– Integrity 

– Availability

Contribute to safeguarding of data and promotion of regulatory compliance.

Key control assessment would focus on IT general controls andKey control assessment would focus on IT general controls and application‐specific controls (not covered)

4

Regulatory Compliance Significance

Health Insurance Portability and Accountability Act (HIPAA)

Payment Card Industry (PCI)

Gramm‐Leach‐Bliley Act (GLBA)

Sarbanes‐Oxley (SOX)– IT plays a major role in supporting financial reporting integrity

S ti 404 i i t l t l t– Section 404 requires an internal control report

– Management must use a recognized internal control framework (e.g., COBIT, COSO)

5

( g , , )

Frameworks

COBIT– Control Objectives for Information Technology

COSO– Most widely used internal control framework (commonly used for SOX compliance)

ISO 17799 / 27001ISO 17799 / 27001– Detailed information security standards (commonly used to benchmark a company’s policies/standards)benchmark a company s policies/standards)

6

Additional Frameworks

NIST 800 Series– U.S. federal government computer security policies, procedures, and guidelines

GAIT M th d l (IIA)GAIT Methodology (IIA)– Focused on IT general controls

7

COBIT 4.1 Framework

COBIT – Control Objectives for Information and Related Technology

IT governance framework issued by ISACAIT governance framework issued by ISACA (free)

Control objectives for safeguardingControl objectives for safeguarding information assets

4 1 l d i M 2007 (fi t bli h d i4.1 released in May 2007 (first published in 1996)

8

COBIT 4.1 Framework

Contains 210 detailed control objectives

COBIT Control Practices (for COBIT subscribers)

IT Assurance Guide (for ISACA members)IT Assurance Guide (for ISACA members) 

Framework adopted by many companies to l ith l i l ti h SOXcomply with legislation such as SOX

9

PO1 Define a strategic IT PlanPO2 Define the information architecturePO3 Determine technological directionPO4 Define the IT processes, organisation, relationshipsPO5 Manage the IT investmentPO6 C i t t i d di tiME1 Monitor & evaluate IT performance

Version 4.1IT RESOURCES

• Applications• Information• Infrastructure

PO6 Communicate management aims and directionPO7 Manage IT human resourcesPO8 Manage qualityPO9 Assess and manage IT risksPO10 Manage Projects

ME1 Monitor & evaluate IT performanceME2 Monitor & evaluate internal controlME3 Ensure compliance with external

requirementsME4 Provide IT governance

Infrastructure• People

MONITOR AND EVALUATE CCOBIOBITT PLAN ANDORGANISE

ACQUIRE ANDIMPLEMENT

CCOBIOBITTDELIVER AND

SUPPORT

AI1 Identify automated solutionsDS1 Define & manage service levelsDS2 Manage third-party services AI2 Acquire and maintain application software

AI3 Acquire and maintain technology infrastructure AI4 Enable operation and useAI5 Procure IT resourcesAI6 Manage changesAI7 Install and accredit solutions and changes

DS2 Manage third-party servicesDS3 Manage performance and capacityDS4 Ensure continuous serviceDS5 Ensure systems securityDS6 Identify and allocate costsDS7 Educate and train usersDS8 Manage service desk and incidentsDS9 Manage the configurationDS10 Manage problemsDS11 Manage dataDS12 Manage the physical environmentDS13 Manage operations COBIT® Copyright 2007 by IT Governance Institute

Infrastructure Platforms

Operating Systems (O/S)  

– Controls program execution, allocation of hardware resources, access to programs, etc.

– Examples: Windows, Linux, UNIX, Mainframe

Database Management Systems (DBMS)

– System of programs used to define, maintain, and manage access to large collections of data

– Examples: Oracle, DB2, SQL Server

Applications

11– Web‐based (thin‐client)

– Thick client 

Logical Security (DS5) ‐ Overview

Logical security controls should ensure confidentiality, integrity, and availability over systems and data.

Strong authentication controls should prevent user accounts from being compromised.user accounts from being compromised.

File shares should be adequately restricted to appropriate usersappropriate users.

Patches/system updates should be applied ti l

12

timely.

Logical Security (DS5) – Overview (continued)

Network services should be closed unless necessary for business reasons.

Anti‐virus software should be installed and up‐Anti virus software should be installed and upto‐date.

Sensitive data should be encryptedSensitive data should be encrypted.

13

Logical Security ‐ Risks

Authentication controls may not provide reasonable measures to protect against unauthorized access.

Excessive file shares allowing inappropriate access to sensitive data.access to sensitive data.

Systems may be susceptible to extended downtime viruses unauthorized access ordowntime, viruses, unauthorized access, or other malicious activity due to outdated patches and virus updates

14

patches and virus updates.

Logical Security – Risks (continued)

Inadequate protection over sensitive data resulting in unintended disclosure. 

Unnecessary network services may beUnnecessary network services may be exploited to gain unauthorized access to sensitive data.sensitive data.

15

Logical Security – Audit Tests

Compare password controls (e.g. length, complexity, expiration, history) to organizational standards or best practices.

Review network file shares for appropriateness and necessity.and necessity.  

Ensure sensitive information is not inappropriately sharedinappropriately shared.

16

Logical Security – Audit Tests (cont.)

Evaluate the process to apply patches/updates to the  O/S, DBMS, and application.  

Ensure patches are applied timely to remediateEnsure patches are applied timely to remediate known vulnerabilities. 

Observe anti‐virus settings to ensureObserve anti‐virus settings to ensure definitions are up‐to‐date

17

Logical Security – Audit Tests (cont.)

Determine if anti‐virus application is scanning drives regularly.

Determine if sensitive data is encrypted withinDetermine if sensitive data is encrypted within databases, on hard drives, and during network transmissions.transmissions.

Perform security scans to identify vulnerable services unnecessary for the role of the serverservices unnecessary for the role of the server (e.g., FTP, HTTP, SMTP, Telnet, etc.).

18

User Access (DS5) ‐ Overview

Users and their system activity should be uniquely identifiable.

User access requests, modifications, and removals should be documented and approved. 

Terminated users should have access removed timely. 

Access levels should based on a user’s job duties (least privilege principle).

Remote access should rely on secure protocols.

19

User Access – Risks

Undetected fraudulent/inappropriate use of critical systems and data

Access granted without valid approval

Access to critical systems and data by unauthorized users

Appropriate access not defined for each specific job role (i.e., role‐based security)

Remote access to critical systems/data not configured correctly or using insecure protocols (e.g., modems, public networks)

20

public networks)

User Access – Audit Tests

Ensure user administration procedures have been developed d i f dand review for adequacy.  

Review system accounts to determine if any terminated employees/unauthorized users have active accounts.employees/unauthorized users have active accounts.  

Evaluate user access, including administrator‐level accounts, for adequacy and appropriateness based on the user’s job dduties.

Determine how remote access is granted, and recommend the replacement of insecure solutions.replacement of insecure solutions.

Ensure audit logging is enabled on critical systems/accounts, and logs are reviewed timely.

21

Physical/Environmental Controls (DS12) ‐ Overview

Physical security/environmental controls should protect the data center, server rooms, network closets, and other controlled areas.

Access to these areas should be restricted to appropriate personnel to reduce business interruptions from theft or destruction of computerinterruptions from theft or destruction of computer equipment.

Monitoring of environmental factors should reduceMonitoring of environmental factors should reduce business interruptions from damage to computer equipment and personnel. 

22

q p p

Physical/Environmental Controls – Risks

Unauthorized individuals may gain access to sensitive/controlled areas and may view modify or destroysensitive/controlled areas and may view, modify, or destroy equipment or sensitive business data.Unauthorized/improper access to controlled areas may go 

i d d i i iunnoticed due to improper monitoring.Business disruption in the event of an environmental incident (e.g., fire, flood, power failure, excessive heat/humidity, etc.) g p ybecause of inadequate protection of IT assetsUnmanageable network environments and/or extended network downtime due to poorly configured wiring withinnetwork downtime due to poorly configured wiring within server rooms, communication closets, etc. 

23

Physical/Environmental Controls – Audit Tests

Review list of individuals with access to controlled areas.

Review visitor logs for controlled areas.

Review maintenance/test logs for environmental control devices (e.g., testing of backup generators, 

i f HVAC i i f UPS )maintenance of HVAC units, testing of UPS systems).

24

Physical/Environmental Controls – Audit Tests (cont.)

Walk‐through controlled areas to evaluate adequacy of physical and environmental.– Fire suppression systems and smoke detectors

– Water/moisture detection sensors

– Temperature/humidity sensors

– Well‐maintained network wiring

25

Change Management (AI6 & AI7) ‐ Overview

Managing changes addresses how an organization modifies system functionality to meet business needs.

Requests for changes should be documented and follow defined change management procedures.

Emergency changes should follow a defined process.

Changes should be properly tested (in separate environments) to ensure functionality meets defined 

i trequirements.

Controls should restrict migration of program changes to production by authorized and appropriate

26

to production by authorized and appropriate individuals.

Change Management – Risks

Unauthorized/unapproved changes implemented into production environments.

Changes not adequately logged for monitoring and documentation purposes and to back out changes if change causes a system failure.

I f i li (iIncorrect system functionality (i.e., erroneous processing) due to inadequate testing of changes

D l ith t i t d i tDevelopers with access to migrate code into production may implement unauthorized changes.

27

Change Management – Audit Tests

Evaluate change management procedures (including emergency changes) for adequacy.

Compare changes from the request system to implemented changes (usually obtained through system logs) to identify unauthorized changes.

R i l f ll i l dReview proper approvals for all implemented changes.

Routine– Routine

– Emergency

28

Change Management – Audit Tests (cont.)

Assess adequacy of change testing.

Determine if regression and end‐user acceptance testing was performed.

Review for adequate segregation of duties between development, testing, and change implementation.

29

Disaster Recovery/Business Continuity (DS4) ‐ Overview

DR/BC plans help minimize business impact in the event of an IT service interruption.

DR/BC plans should be updated regularly andDR/BC plans should be updated regularly and routinely tested to ensure systems and data can be recovered timely following a disaster orcan be recovered timely following a disaster or other interruption.

30

Disaster Recovery/Business Continuity (DS4) –Overview (continued)Overview (continued)

DR/BC plans and data backups should be stored offsite for recovery needs.

Quality of backup media and restoration testsQuality of backup media and restoration tests should be periodically performed to ensure success of backup processes.success of backup processes.

31

32

Disaster Recovery/Business Continuity – Risks

Backups may not include all necessary business data for comprehensive recovery in the event of unexpected system downtime or a disaster.

Data may be compromised by unauthorized individuals due to improper securing of backup mediamedia.

Extended downtime in the event of a disaster due to inadequate/lack of disaster recovery testing orinadequate/lack of disaster recovery testing or thoroughly documented plans

Lack of executive/senior management support

33

Lack of executive/senior management support

Disaster Recovery and Business Continuity – Audit Tests

Ensure plans are comprehensive, up‐to‐date, and approved.

Determine if plans are tested regularly andDetermine if plans are tested regularly and results are documented (post‐exercise assessments).assessments).

Review backup logs to determine if data and system configurations are backing upsystem configurations are backing up successfully.

34

Disaster Recovery and Business Continuity –Audit Tests (continued)Audit Tests (continued)

Determine if data is routinely test‐restored to confirm backups are recoverable.

Evaluate storage of backup mediaEvaluate storage of backup media (logical/physical) and location (e.g., fireproof safe, offsite location, encrypted, etc.).safe, offsite location, encrypted, etc.).

35

Freeware Tools for Assessing ITGC

Caveat – work with your information technology and security d b i i h ldepartments about permission to use these tools.

DumpSec– www.somarsoft.com/– Logical security tool to assess local accounts, password configurations, 

audit log settings, etc. on Windows systems. – User must have administrator rights to get full results.

Microsoft Baseline Security Analyzer  ‐MBSA– technet.microsoft.com/en‐us/security/cc184924.aspx– Logical security tool to identify security vulnerabilities (i.e., missing 

patches) and configuration best practices on Windows systems.

36

Some More Freeware Tools

Nmap– nmap.org/download.html– Logical security tool for Linux or Windows– Scans for network services (i.e., open ports), detects Scans for network services (i.e., open ports), detectsnetwork devices, performs O/S fingerprinting, etc.

– Can run against single IP addresses or entire IP address rangesranges.

BackTrack3– www.remote‐exploit.org/backtrack.html– Bootable Linux distribution – used for logical security (penetration)

37

(penetration).– Contains over 300 security tools.

Hey, Even MORE Freeware Tools!

Nessus– Free download at: www.nessus.org/– Linux or Windows scanning tool used to identify vulnerable network services (i.e., open ports), perform O/S network services (i.e., open ports), perform O/Sfingerprinting, etc. across all system platforms.

– Can run against single IP addresses or IP address ranges.

Kismet – www.kismetwireless.net/download.shtml– Linux‐based wireless network detection tool used to identify and evaluate encryption of wireless access points.

– A similar tool for use on Windows systems is also available

38

A similar tool for use on Windows systems is also available (Wireshark).

Planning and Executing a risk‐based IT General Controls ReviewsIT General Controls Reviews

Perform a risk assessment– Risk = Likelihood * Impact

Develop the audit scopeDevelop the audit scope– Focus on high‐risk areas identified during the risk assessmentassessment

– Auditing all IT general controls is likely not feasible, practical, or necessaryp , y

39

Planning and Executing a risk‐based IT General Controls ReviewsIT General Controls Reviews

Audit planning and program development

Complete testing to evaluate control effectivenesseffectiveness

Report results to company management

40

Summary

Sound IT general controls help promote regulatory compliance

Must ensure controls effectively mitigate the associated risk.

An IT control framework such as COBIT 4.1 may help i l i h l icompanies comply with regulations.

Performing risk‐based IT general controls reviews will h l f d th thelp ensure scarce resources are focused on the most significant areas to the company.

Many freeware tools are available to assist the41

Many freeware tools are available to assist the auditor in performing IT general controls reviews.

Contact Information

Chase Whitaker

Director of Internal Audit ‐ IT

(615) 344‐5973( )

Chase.Whitaker@HCAHealthcare.com

42