
Information Technology Audit Process

Information Technology Audit Process. Business Practices Seminar, Paul Toffenetti, CISA, Internal Audit, 29 February 2008. Overview: What is Internal Audit; IT Audit Process; Common IT Audit Observations; So What Should We Do; Questions. Authority and Policies: What is Internal Audit?


Presentation Transcript


  1. Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008

  2. Overview: What is Internal Audit; IT Audit Process; Common IT Audit Observations; So What Should We Do; Questions

  3. Authority and Policies: What is Internal Audit? Internal auditing is an independent, objective assurance and advisory activity designed to add value and improve an organization’s operations. Internal Audit helps organizations accomplish their objectives by evaluating business risk and controls and, where appropriate, offering recommendations to improve risk management and governance processes.

  4. Audit Process: Planning, Testing, Reporting, Follow-up

  5. Planning • Annual Risk Assessment • Preliminary Audit Plan • Board of Visitors Approval • Notification and Request for Information • Understand Your Risks and Controls • Opening Conference

  6. Testing • Security • Backup & Recovery • Resource Management • Web Site

  7. Security Testing: Remote Vulnerability Scans. If it’s on the network we scan it! Targets: servers, workstations, laptops, printers, routers. Tools: Nmap & Nessus.

  8. Security Testing: On-Site, Follow-up Vulnerability Tests. We test computers that may have security vulnerabilities! Targets: workstations, laptops, servers. Tools: CIS Tools & Benchmarks, MBSA, WinAudit.

  9. Backup & Recovery Testing: You must have effective controls to backup & recover “critical data”.

  10. Resource Management Testing: Computer hardware & software, from procurement through surplus.

  11. Web Site Testing • University Relations Web Guidelines & Procedures • Web Development Best Practices • Content Recommendations • Templates • Privacy Statement (Policy 7030) • Web Server & Application Security

  12. Reporting: Observations. When unexpected results are noted, we solicit your comments.

  13. Reporting: Recommendations. We may recommend opportunities to improve your controls.

  14. Reporting: Management Action Plans. You develop plans, schedules, and priorities to implement solutions.

  15. Reporting: A final report is sent to the Board of Visitors.

  16. Follow-Up • Follow-Up Actions are Based on Your “Management Action Plan” • Progress is Monitored • Some Re-Testing May be Necessary • Board of Visitors is Updated • Audit is closed

  17. Common Audit Observations: Weak Security Settings (Windows operating system)

  18. Common Audit Observations: Missing Security Patches (operating systems, applications, databases)

  19. Common Audit Observations: Misconfigured Anti-Malware Tools (out-of-date threat signatures; scans not scheduled)

  20. Common Audit Observations: Inadequate Access Controls (weak passwords & file permissions)

  21. Common Audit Observations: Open Communication Ports, the hacker’s point of entry

  22. Common Audit Observations: “The System Administrator’s Dilemma”. How much risk is senior management willing to accept? Convenience vs. security.

  23. So What Should We Do? • Harden Security Settings • Keep Everything Patched • Install and Use Anti-Malware Tools • Enforce Strong Passwords • Close or Filter Communication Ports • Test Your Systems • Support Your System Administrator!
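The remote scans of slide 7 and the "open communication ports" observation of slides 21 and 23 come together in a baseline comparison: scan output is checked against the ports each system owner has documented as required, and anything else open becomes an observation to explain, close or filter. The script below is an added example, not part of the seminar; the Nmap greppable (-oG) output, host names, addresses and the BASELINE table are all constructed for illustration.

```python
"""Audit check: compare Nmap -oG results against an approved-services baseline.

Added example (not from the seminar slides). Hosts, addresses and the
baseline below are hypothetical and constructed for illustration.
"""
import re

# Constructed sample of nmap -oG output for three hypothetical hosts.
SAMPLE_SCAN = """\
# Nmap scan initiated as: nmap -oG - 10.0.0.0/29
Host: 10.0.0.10 (fileserver.example.edu)\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (997)
Host: 10.0.0.11 (printer.example.edu)\tPorts: 23/open/tcp//telnet///, 9100/open/tcp//jetdirect///
Host: 10.0.0.12 (www.example.edu)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/filtered/tcp//http-proxy///
"""

# Documented baseline: the ports management accepted for each host (constructed).
BASELINE = {
    "10.0.0.10": {22, 445},
    "10.0.0.11": {9100},
    "10.0.0.12": {80, 443},
}

# One "Host:" line of greppable output: address, name, then the Ports field.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")


def parse_greppable(text):
    """Return {ip: {port, ...}} of TCP/UDP ports reported 'open'.

    Filtered and closed ports are ignored; only confirmed open ports count.
    """
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports field
        ip, _name, ports = m.groups()
        open_ports = set()
        for entry in ports.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(int(fields[0]))
        result[ip] = open_ports
    return result


def audit_observations(scan, baseline):
    """Open ports not on a host's baseline; unlisted hosts have every port flagged."""
    findings = {}
    for ip, ports in scan.items():
        unexpected = ports - baseline.get(ip, set())
        if unexpected:
            findings[ip] = sorted(unexpected)
    return findings


if __name__ == "__main__":
    for ip, ports in audit_observations(parse_greppable(SAMPLE_SCAN), BASELINE).items():
        print(f"Observation: {ip} has undocumented open ports {ports}")
```

Each observation is the starting point of the reporting step on slide 12: the owner either documents the service and it joins the baseline, or closes/filters the port and it is re-tested during follow-up.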

  24. Questions “Success Redefined”
