
IS Auditing Process

IS Auditing Process. INFS 6310 Dr. Charles H. Apigian capigian@mtsu.edu. Excerpts from Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing, CoBIT 4.1, and ISO17799. A Comprehensive Network Security Assessment.


Presentation Transcript


  1. IS Auditing Process INFS 6310 Dr. Charles H. Apigian capigian@mtsu.edu Excerpts from Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing, CoBIT 4.1, and ISO17799

  2. A Comprehensive Network Security Assessment
  • Vulnerability Assessment / Penetration Test
  • Security Policies (Change Control Policies)
  • Security Configuration
  • User Account Provisioning
  • Security Monitoring
  • Employee Training
  • Social Engineering
  List obtained from FDH Consulting via ISACA – Middle Tennessee Chapter

  3. CISA Job Practice Areas

  4. CISM Job Practice Areas

  5. CISA/CISM Mapping
  CISA job practice areas:
  • IS Audit Process
  • IT Governance
  • Protection of Information Assets
  • Systems and Infrastructure Lifecycle Management
  • IT Service Delivery and Support
  • Business Continuity and Disaster Recovery
  CISM job practice areas:
  • Information Security Governance
  • Information Risk Management
  • Information Security Program Development
  • Information Security Program Management
  • Incident Management and Response

  6. Area 5: Protection of Information Assets
  • To provide assurance that the security architecture (policies, standards, procedures, and controls) ensures the confidentiality, integrity, and availability of information assets.
  • 5.1 Evaluate the design, implementation, and monitoring of logical access controls to ensure the confidentiality, integrity, availability and authorized use of information assets.
  • 5.2 Evaluate network infrastructure security to ensure confidentiality, integrity, availability and authorized use of the network and the information transmitted.
  • 5.3 Evaluate the design, implementation, and monitoring of environmental controls to prevent or minimize loss.
  • 5.4 Evaluate the design, implementation, and monitoring of physical access controls to ensure that information assets are adequately safeguarded.
  • 5.5 Evaluate the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets.

  7. Knowledge Areas
  • 5.1 Knowledge of the techniques for the design, implementation and monitoring of security (e.g., threat and risk assessment, sensitivity analysis, privacy impact assessment)
  • 5.2 Knowledge of logical access controls for the identification, authentication, and restriction of users to authorized functions and data (e.g., dynamic passwords, challenge/response, menus, profiles)
  • 5.3 Knowledge of logical access security architectures (e.g., single sign-on, user identification strategies, identity management)
  • 5.4 Knowledge of attack methods and techniques (e.g., hacking, spoofing, Trojan horses, denial of service, spamming)
  • 5.5 Knowledge of processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
  • 5.6 Knowledge of network and Internet security devices, protocols, and techniques (e.g., SSL, SET, VPN, NAT)
  • 5.7 Knowledge of intrusion detection systems and firewall configuration, implementation, operation, and maintenance
  • 5.8 Knowledge of encryption algorithm techniques (e.g., AES, RSA)
  • 5.9 Knowledge of public key infrastructure (PKI) components (e.g., certification authorities, registration authorities) and digital signature techniques
  • 5.10 Knowledge of virus detection tools and control techniques
  • 5.11 Knowledge of security testing and assessment tools (e.g., penetration testing, vulnerability scanning)
  • 5.12 Knowledge of environmental protection practices and devices (e.g., fire suppression, cooling systems, water sensors)
  • 5.13 Knowledge of physical security systems and practices (e.g., biometrics, access cards, cipher locks, tokens)
  • 5.14 Knowledge of data classification schemes (e.g., public, confidential, private, and sensitive data)
  • 5.15 Knowledge of voice communications security (e.g., voice over IP)
  • 5.16 Knowledge of the processes and procedures used to store, retrieve, transport, and dispose of confidential information assets
  • 5.17 Knowledge of controls and risks associated with the use of portable and wireless devices (e.g., PDAs, USB devices, Bluetooth devices)

  8. [Figure: network security diagram showing Intranet, IDS, Network Admin Utilities, VPN, and Firewall] Source: Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing

  9. Terminology
  • Computer Security:
    • The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).
  • Information security:
    • a “well-informed sense of assurance that the information risks and controls are in balance.”

  10. What is Information Security?
  • is the protection of information from a wide range of threats in order to ensure:
    • business continuity
    • minimize business risk
    • maximize return on investments and business opportunities.
  • is achieved by implementing a suitable set of controls, including:
    • Policies
    • Processes
    • Procedures
    • Structures
    • Software functions
    • Hardware functions
  • These controls need to be established, implemented, monitored, reviewed, and improved, where necessary, to ensure that the specific security and business objectives of the organization are met. This should be done in conjunction with other business management processes. (ISO/IEC 17799:2005(E) – Information technology – Security techniques – Code of practice for information security management)

  11. Objective of Information Security
  • is protecting the interests of those relying on information and the systems and communications that deliver the information from harm resulting from failures of confidentiality, integrity, and availability.
  • The impact of the Internet and the growth of the network economy have added the need for trust in electronic applications. (CobiT Security Baseline, www.itgi.org)

  12. CoBIT Security Baseline 2nd Edition
  • A comprehensive set of resources that contains the information organizations need to adopt an IT governance and control framework.
  • COBIT covers security in addition to other risks that can occur with the use of IT. This guide has been updated and aligned with the new COBIT 4.1 framework.

  13. CoBIT Security Baseline 2nd Ed.
  • This publication focuses on the specific risk of information security in a way that is simple to follow and implement for the home user or the user in small to medium enterprises, as well as for executives and board members of larger organisations. It provides the following elements:
  • An introduction to information security—what it means and what it covers
  • An explanation of why security is important, with examples of the most common things that can go wrong
  • Some thought-provoking questions to help determine risks
  • The COBIT-based security baseline, providing key controls
  • In addition to the mapping against COBIT 4.1, a mapping against the updated ISO/IEC 17799:2005 (ISO/IEC 27002:2007) information security standard
  • Information security survival kits providing essential questions and checklists for varying audiences, including:
    • Home users
    • Professional users
    • Managers
    • Executives and boards of directors
  • An appendix containing a summary of technical security risks

  14. CoBIT Security Baseline 2nd Edition

  15. What should an auditor know?
  • For an auditor, it is not important to be an expert in every facet of security. However, it is important for the auditor to know all elements of protecting assets and the controls that should be in place.
  • Threats (risk assessment)
  • Perpetrators
  • Attacks
  • Data (types and authority roles)
  • Data Retention
  • Personnel Management
  • Physical Access
  • Incident Handling
  • Violation Reporting
  • Data Processing Locations
  • Environmental Controls
  • Technical Protection

  16. Types of Threats
  • Errors and Omissions
  • Fraud and Theft
  • Employee Sabotage
  • Loss of Physical and Infrastructure Support
  • Malicious Hackers
  • Industrial Espionage
  • Malicious Code
  • Threats to Personal Privacy
  • Other Threats
  • Technological Obsolescence
  • Compromises to Intellectual Property
  • Social Engineering

  17. The Perpetrators
  • Hackers
  • Crackers
  • Script Kiddies
  • Employee Betrayal
  • Ethical Hacker Gone Bad
  • Third Parties
  • Ignorance

  18. Types of Attacks
  • Passive Attacks
    • Network analysis
    • Host traffic analysis
    • Eavesdropping
  • Active Attacks
    • Social engineering
    • Phishing
    • Dumpster diving
    • Virus
    • Worm
    • Logic bomb
    • Trap door
    • Root kit
    • Brute force attack
    • DOS/DDOS
    • Maintenance accounts

  19. Types of Attacks (cont.)
  • Remote Access Attacks
    • War dialing
    • War driving/walking
    • Source routing
    • Salami technique
    • Packet replay
    • Message modification
    • Email spamming and spoofing

  20. Data – What type?
  • As part of any IS Security Governance technique, it is important to identify data (information assets), and also categorize the type as well as its data owners, users, and custodians.
  • Types of data (generalized approach)
    • Public
    • Sensitive
    • Private (internal use only)
    • Confidential

  21. Authority Roles over Data
  • Data Owner
    • Executives and managers responsible for data content.
    • An auditor would review decisions made by the DO to evaluate if they were appropriate.
  • Data User
    • Business person who benefits from the computerized data.
    • An auditor would evaluate the effectiveness of management in communicating their controls to the user.
  • Data Custodian
    • Responsible for implementing data storage safeguards and ensuring the availability of data.

  22. Data Retention
  • Specifies the procedure for storing data and how it will be disposed of.
  • Requirements for retention:
    • Value of data
    • Its useful life
    • Legal requirements
  • Example
    • Financial records must be accessible for 7 years
    • Medical records are required to be available indefinitely
    • Sale records of property are to be maintained indefinitely, as are many government records
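  Slides 20 through 22 describe an audit test that can be scripted: every information asset should carry a classification, a data owner and a data custodian, and each record's retention should follow a documented schedule driven by value, useful life and legal requirements. The following is an added Python example (not from the slides or from Cannon's study guide) that runs that test over a constructed asset register. The retention periods in it use only the figures the slide gives (financial records 7 years; medical and property-sale records indefinite); the record categories, names and the legal-hold flag are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed retention schedule (years; None = retain indefinitely).
# Only the periods stated on the slide are used; any category missing
# here is reported as a control exception rather than silently disposed.
RETENTION_YEARS: Dict[str, Optional[int]] = {
    "financial": 7,
    "medical": None,
    "property_sale": None,
}

@dataclass
class Record:
    record_id: str
    category: str
    classification: str            # public / sensitive / private / confidential
    created: date
    owner: Optional[str]           # data owner (slide 21)
    custodian: Optional[str]       # data custodian (slide 21)
    legal_hold: bool = False       # assumed flag: a legal requirement overrides the schedule

def add_years(d: date, years: int) -> date:
    """Add years to a date, clamping Feb 29 to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def retention_finding(rec: Record, today: date) -> str:
    """Return 'retain ...', 'dispose', or an 'exception: ...' audit finding."""
    if rec.owner is None or rec.custodian is None:
        return "exception: no data owner/custodian assigned"
    if rec.category not in RETENTION_YEARS:
        return "exception: no retention schedule for category"
    if rec.legal_hold:
        return "retain (legal hold)"
    years = RETENTION_YEARS[rec.category]
    if years is None:
        return "retain (indefinite)"
    expiry = add_years(rec.created, years)
    return "dispose" if today >= expiry else "retain"

def audit_retention(records: List[Record], today: date) -> Dict[str, str]:
    """Map each record id to its retention finding."""
    return {r.record_id: retention_finding(r, today) for r in records}

# Constructed sample register; all values are illustrative.
SAMPLE = [
    Record("FIN-001", "financial", "confidential", date(2000, 6, 30), "CFO", "IT Ops"),
    Record("FIN-002", "financial", "confidential", date(2004, 2, 29), "CFO", "IT Ops", legal_hold=True),
    Record("MED-001", "medical", "private", date(1995, 1, 1), "Medical Director", "Records Mgmt"),
    Record("HR-001", "hr", "sensitive", date(2001, 5, 5), "HR Director", "Records Mgmt"),
    Record("PUB-001", "financial", "public", date(2006, 1, 1), None, "IT Ops"),
]
TODAY = date(2008, 9, 1)

if __name__ == "__main__":
    for rid, finding in audit_retention(SAMPLE, TODAY).items():
        print(f"{rid}: {finding}")
```

  The two exception paths are the ones an auditor cares about most: a record with no owner or custodian has nobody accountable for its retention decision, and a category with no schedule means the disposal procedure the slide asks for does not exist for that data.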

  23. Personnel Management
  • All employees should undergo a process of security awareness training.
  • Training programs
    • New hire orientation that includes IT security orientation
    • Physical security safeguards & asset protection
    • Re-educate existing staff about IT security requirements
    • Introduction of new security requirements
    • Virus protection
    • Business continuity

  24. Physical Access
  • An IS auditor needs to investigate how access is granted for employees, visitors, etc.
  • Areas of concern
    • Sensitive areas (computer room)
    • Service ports
    • Computer consoles (keyboard of the server)

  25. Terminating Access
  • The IS auditor should investigate how the organization terminates access and whether it reviews existing access levels.
  • Review:
    • Termination procedures
    • Logs of terminated employees
    • Access levels of employees
    • Transfers within the organization and access to previous position
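  The review steps on slide 25 amount to reconciling the HR record against the access-control record. The following added Python example (not part of the slides or of Cannon's study guide) does that reconciliation over constructed data: it flags enabled accounts belonging to terminated employees, logins after the termination date, accounts with no HR owner, and transferred employees who still hold entitlements of their previous role. The role-to-entitlement matrix, user ids and system names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

@dataclass
class Employee:
    user_id: str
    status: str                           # "active" or "terminated"
    role: str                             # current role
    previous_role: Optional[str] = None   # set when the employee transferred
    termination_date: Optional[date] = None

@dataclass
class Account:
    user_id: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)
    last_login: Optional[date] = None

# Assumed role-to-entitlement matrix; in practice this comes from the
# organization's approved access model.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "ap_clerk": {"erp_ap_entry"},
    "ap_supervisor": {"erp_ap_entry", "erp_ap_approve"},
    "dba": {"db_admin"},
    "helpdesk": {"ad_password_reset"},
}

# Constructed HR roster export.
HR = [
    Employee("jdoe", "terminated", "ap_clerk", termination_date=date(2008, 3, 14)),
    Employee("asmith", "active", "ap_supervisor"),
    Employee("bkim", "active", "helpdesk", previous_role="dba"),   # transferred from DBA
    Employee("clee", "terminated", "dba", termination_date=date(2008, 1, 2)),
]

# Constructed access-control export.
ACCOUNTS = [
    Account("jdoe", True, {"erp_ap_entry"}, last_login=date(2008, 3, 20)),
    Account("asmith", True, {"erp_ap_entry", "erp_ap_approve"}),
    Account("bkim", True, {"ad_password_reset", "db_admin"}),
    Account("clee", False, {"db_admin"}),
    Account("svc_backup", True, {"db_admin"}),   # no HR record
]

def reconcile(hr: List[Employee], accounts: List[Account]) -> List[Tuple[str, str]]:
    """Return audit findings as (user_id, finding) pairs."""
    by_user = {e.user_id: e for e in hr}
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        emp = by_user.get(acct.user_id)
        if emp is None:
            # No HR owner: either an orphan or a service account that needs a documented owner.
            findings.append((acct.user_id, "no HR record (orphan or service account)"))
            continue
        if emp.status == "terminated":
            if acct.enabled:
                findings.append((acct.user_id, "terminated employee still has enabled account"))
            if acct.last_login and emp.termination_date and acct.last_login > emp.termination_date:
                findings.append((acct.user_id, "login after termination date"))
            continue
        # Active employee: anything beyond the current role's entitlements is excess.
        expected = ROLE_ENTITLEMENTS.get(emp.role, set())
        excess = acct.entitlements - expected
        if excess:
            prev = ROLE_ENTITLEMENTS.get(emp.previous_role or "", set())
            if emp.previous_role and excess <= prev:
                findings.append((acct.user_id, f"retains previous-role access: {sorted(excess)}"))
            else:
                findings.append((acct.user_id, f"entitlements outside role: {sorted(excess)}"))
    return findings

if __name__ == "__main__":
    for user, finding in reconcile(HR, ACCOUNTS):
        print(f"{user}: {finding}")
```

  The "login after termination date" check is what the slide's "logs of terminated employees" review is looking for: a disabled-on-paper account that was still used is a stronger finding than one that merely remained enabled.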

  26. Incident Handling
  • IS auditors need to investigate how the organization deals with incidents in regards to security implications.
  • Auditors should ask:
    • What events can trigger an incident response?
    • Are users/help desk trained to know where to call?
    • What is the process?
    • Does the response team have an established procedure?
    • Are members formally appointed and trained?

  27. Violation Reporting
  • The IS auditor needs to investigate how violations are reported to management.
    • Does a formal process exist?
    • Will a violation report trigger the incident response team?

  28. Physical Protection (Barriers)
  • Closed circuit TV
  • Guards
  • Special locks
    • Traditional tumbler locks
    • Electronic lock
    • Cipher lock
  • Biometrics
  • Burglar alarm
  • Environmental sensors

  29. Data Processing Locations
  • The IS auditor should evaluate the location of data processing (DP) facilities.
    • Should not draw attention
    • Be constructed according to national fire-protection codes
    • 2 hr fire protection rating for floors, ceilings, doors, and walls
    • Basements are a poor choice (flooding)
    • Normally between the second floor and one floor below the top floor
    • Should be monitored and restricted
    • 3D space considerations

  30. Environmental Controls
  • Unstable power is the number one threat
  • Emergency power shutoff
  • UPS
  • Standby Generator
    • Diesel generator
    • Natural gas generator
  • Dual power leads
  • Power transfer system
  • Heating, ventilation, and air conditioning
  • Fire, smoke, and heat detection (smoke, heat, and flame)
  • Fire suppression (wet or dry pipe)
  • Water detection

  31. Electrical Power Conditions [Figure: table of electrical power conditions] Source: Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing

  32. Environmental Controls (cont.)
  • Disposal Procedures
    • Paper, plastic, and photographic data
    • Durable and magnetic media
      • Overwriting
      • Degaussing
  • Safe Storage
    • Offsite storage
    • Media transport
  Source: Cannon, David L., (2008) “CISA; Certified Information Systems Auditor Study Guide”, 2nd edition, SYBEX Publishing
