IT Security Auditing

Martin Goldberg
Today’s Topics

 Defining IT Audit and the Auditor

 Steps of an IT Audit
 Preparing to be Audited
 How IT Audit Applications
Defining IT Security Audit

 Financial Audit
 IRS
 Physical Audit
 Inventory
Defining IT Security Audit (cont.)
 IT Audit
 Independent review and examination of records
and activities to assess the adequacy of system
controls, to ensure compliance with established
policies and operational procedures, and to
recommend changes in controls, policies, or
procedures - DL 1.1.9
 Good Amount of Vagueness
 Ultimately defined by where you work
Who is an IT Auditor
 Accountant Raised to a CS Major
 CPA, CISA, CISM, Networking, Hardware, Software,
Information Assurance, Cryptography
 Some one who knows everything an accountant does
plus everything a BS/MS does about CS and
Computer Security - Not likely to exist
 IT Audits Are Done in Teams
 Accountant + Computer Geek = IT Audit Team
 Scope to large
 Needed expertise varies
CISA? CISM?

 CISA - Certified Information Systems Auditor

 CISM - Certified Information Systems
Mangager - new
 www.isaca.org (Information Systems Audit
and Control Organization)
 Teaching financial auditors to talk to CS people
CISA
 Min. of 5 years of IS auditing, control or security
work experience
 Code of professional ethics
 Adhering to IS auditing standards
 Exam topics:
 1. Management, Planning, and Organization of IS
 2. Technical Infrastructure and Operational Practices
 3. Protection of Information Assets
CISA (cont.)

 Exam topics: (cont.)

 4. Disaster Recovery and Business Continuity
 5. Business Application System Development,
Acquisition, Implementation, and Maintenance
 6. Business Process Evaluation and Risk
Management
 7. The IS Audit Process
CISM

 Next step above CISA

 Exam topics:
 1. Information Security Governance
 2. Risk Management
 3. Information Security Program Management
 4. Information Security Management
 5. Response Management
Steps of An IT Audit

 1. Planning Phase
 2. Testing Phase
 3. Reporting Phase

 Ideally it’s a continuous cycle

 Again not always the case
Planning Phase

 Entry Meeting  Site Survey

 Define Scope  Review Current
 Learn Controls Policies
 Historical Incidents  Questionnaires
 Past Audits  Define Objectives
 Develop Audit Plan /
Checklist
Defining Objectives & Data
Collection
 Some Points to Keep in Mind
 OTS (Department of Treasury - Office of Thrift Savings) - Banking
Regulations
 SEC (Securities and Exchange Commission) - Mutual Funds
 HIPPA - Health Care
 Sarbanes Oxley - Financial Reports, Document Retention
 Gramm-Leach Bliley - Consumer Financial Information
 FERPA (Family Education Rights and Privacy Act) - Student Records
 Clearence
Example Checklist

 “An Auditor’s Checklist for Performing a

Perimeter Audit of on IBM ISERIES
(AS/400) System” - Craig Reise
 Scope of the audit does not include the
Operating System
 Physical security
 Services running
Testing Phase

 Meet With Site Managers

 What data will be collected
 How/when will it be collected
 Site employee involvement
 Answer questions
Testing Phase (cont.)

 Data Collection
 Based on scope/objectives
 Types of Data
 Physical security
 Interview staff
 Vulnerability assessments
 Access Control assessments
Reporting Phase

 Exit Meeting - Short Report

 Immediate problems
 Questions & answer for site managers
 Preliminary findings
 NOT able to give in depth information
Reporting Phase (cont.)

 Long Report After Going Through Data

 Intro defining objectives/scope
 How data was collected
 Summary of problems
 Table format
 Historical data (if available)
 Ratings
 Fixes
 Page # where in depth description is
Reporting Phase (cont.)
 In depth description of problem
 How problem was discovered
 Fix (In detail)
 Industry standards (if available)
 Glossary of terms
 References
 Note: The Above Varies Depending on
Where You Work
Preparing To Be Audited

 This Is NOT a Confrontation

 Make Your Self Available
 Know What The Scope/Objectives Are
 Know What Type of Data Will be
Collected
 Know What Data Shouldn’t be Collected
Example - Auditing User & Groups
Application Audit
 An assessment Whose Scope Focuses on a Narrow
but Business Critical Processes or Application
 Excel spreadsheet with embedded macros used to
analyze data
 Payroll process that may span across several different
servers, databases, operating systems, applications, etc.
 The level of controls is dependent on the degree of risk
involved in the incorrect or unauthorized processing of
data
Application Audit (cont.)
 1. Administration
 2. Inputs, Processing, Outputs
 3. Logical Security
 4. Disaster Recovery Plan
 5. Change Management
 6. User Support
 7. Third Party Services
 8 . General Controls
Application Audit - Administration

 Probably the most important area of the

audit, because this area focuses on the
overall ownership and accountability of
the application
 Roles & Responsibilities - development,
change approval, access authorization
 Legal or regulatory compliance issues
Application Audit - Inputs,
Processing, Outputs
 Looking for evidence of data preparation
procedures, reconciliation processes,
handling requirements, etc.
 Run test transactions against the
application
 Includes who can enter input and see
output
 Retention of output and its destruction
Application Audit - Logical Security

 Looking at user creation and authorization as

governed by the application its self
 User ID linked to a real person
 Number of allowable unsuccessful log-on attempts
 Minimum password length
 Password expiration
 Password Re-use ability
Application Audit - Disaster
Recovery Plan
 Looking for an adequate and
performable disaster recovery plan that
will allow the application to be recovered
in a reasonable amount of time after a
disaster
 Backup guidelines, process documentation,
offsite storage guidelines, SLA’s with offsite
storage vendors, etc.
Application Audit - Change
Management
 Examines the process changes to an
application go through
 Process is documented, adequate and followed
 Who is allowed to make a request a change,
approve a change and make the change
 Change is tested and doesn’t break compliance
(determined in Administration) before being placed
in to production
Application Audit - User Support

 One of the most overlooked aspects of

an application
 User documentation (manuals, online help,
etc.) - available & up to date
 User training - productivity, proper use,
security
 Process for user improvement requests
Application Audit - Third Party
Services
 Look at the controls around any 3rd party
services that are required to meet business
objectives for the application or system
 Liaison to 3rd party vendor
 Review contract agreement
 SAS (Statement on Auditing Standards) N0. 70 -
Service organizations disclose their control activities
and processes to their customers and their
customers’ auditors in a uniform reporting format
Application Audit - General
Controls
 Examining the environment the application
exists within that affect the application
 System administration / operations
 Organizational logical security
 Physical security
 Organizational disaster recovery plans
 Organizational change control process
 License control processes
 Virus control procedures
References
 www.isaca.org
 “An Auditor’s Checklist for Performing a Perimeter
Audit of on IBM ISERIES (AS/400) System” - Craig
Reise
 “Conducting a Security Audit: An Introductory
Overview” - Bill Hayes
 “The Application Audit Process - A Guide for
Information Security Professionals” - Robert Hein