IT Security Auditing - Martin Goldberg

Security Audit

  • IT Security Auditing - Martin Goldberg

  • Today's Topics
    - Defining IT Audit and the Auditor
    - Steps of an IT Audit
    - Preparing to be Audited
    - How to IT Audit Applications

  • Defining IT Security Audit
    - Financial Audit - IRS
    - Physical Audit - Inventory

  • Defining IT Security Audit (cont.)
    - IT Audit: Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend changes in controls, policies, or procedures - DL 1.1.9
    - Good amount of vagueness
    - Ultimately defined by where you work

  • Who is an IT Auditor
    - Accountant raised to a CS major
    - CPA, CISA, CISM, Networking, Hardware, Software, Information Assurance, Cryptography
    - Someone who knows everything an accountant does plus everything a BS/MS does about CS and Computer Security - not likely to exist
    - IT audits are done in teams
    - Accountant + Computer Geek = IT Audit Team
    - Scope too large
    - Needed expertise varies

  • CISA? CISM?
    - CISA - Certified Information Systems Auditor
    - CISM - Certified Information Systems Manager - new
    - www.isaca.org (Information Systems Audit and Control Organization)
    - Teaching financial auditors to talk to CS people

  • CISA
    - Min. of 5 years of IS auditing, control or security work experience
    - Code of professional ethics
    - Adhering to IS auditing standards
    - Exam topics:
      1. Management, Planning, and Organization of IS
      2. Technical Infrastructure and Operational Practices
      3. Protection of Information Assets

  • CISA (cont.)
    - Exam topics (cont.):
      4. Disaster Recovery and Business Continuity
      5. Business Application System Development, Acquisition, Implementation, and Maintenance
      6. Business Process Evaluation and Risk Management
      7. The IS Audit Process

  • CISM
    - Next step above CISA
    - Exam topics:
      1. Information Security Governance
      2. Risk Management
      3. Information Security Program Management
      4. Information Security Management
      5. Response Management

  • Steps of an IT Audit
    1. Planning Phase
    2. Testing Phase
    3. Reporting Phase
    - Ideally it's a continuous cycle
    - Again, not always the case

  • Planning Phase
    - Entry Meeting
    - Define Scope
    - Learn Controls
    - Historical Incidents
    - Past Audits
    - Site Survey
    - Review Current Policies
    - Questionnaires
    - Define Objectives
    - Develop Audit Plan / Checklist

  • Defining Objectives & Data Collection
    - Some points to keep in mind:
    - OTS (Department of Treasury - Office of Thrift Savings) - Banking Regulations
    - SEC (Securities and Exchange Commission) - Mutual Funds
    - HIPAA - Health Care
    - Sarbanes-Oxley - Financial Reports, Document Retention
    - Gramm-Leach-Bliley - Consumer Financial Information
    - FERPA (Family Educational Rights and Privacy Act) - Student Records
    - Clearance

  • Example Checklist
    - An Auditor's Checklist for Performing a Perimeter Audit of an IBM iSeries (AS/400) System - Craig Reise
    - Scope of the audit does not include the operating system
    - Physical security
    - Services running

  • Testing Phase
    - Meet with site managers:
    - What data will be collected
    - How/when will it be collected
    - Site employee involvement
    - Answer questions

  • Testing Phase (cont.)
    - Data collection based on scope/objectives
    - Types of data:
    - Physical security
    - Interview staff
    - Vulnerability assessments
    - Access control assessments

  • Reporting Phase
    - Exit Meeting - Short Report
    - Immediate problems
    - Questions & answers for site managers
    - Preliminary findings
    - NOT able to give in-depth information

  • Reporting Phase (cont.)
    - Long Report after going through the data
    - Intro defining objectives/scope
    - How data was collected
    - Summary of problems (table format):
      - Historical data (if available)
      - Ratings
      - Fixes
      - Page # where the in-depth description is

  • Reporting Phase (cont.)
    - In-depth description of each problem:
      - How the problem was discovered
      - Fix (in detail)
      - Industry standards (if available)
    - Glossary of terms
    - References
    - Note: the above varies depending on where you work

  • Preparing To Be Audited
    - This is NOT a confrontation
    - Make yourself available
    - Know what the scope/objectives are
    - Know what type of data will be collected
    - Know what data shouldn't be collected

  • Example - Auditing Users & Groups

  • Application Audit
    - An assessment whose scope focuses on a narrow but business-critical process or application
    - Excel spreadsheet with embedded macros used to analyze data
    - Payroll process that may span across several different servers, databases, operating systems, applications, etc.
    - The level of controls is dependent on the degree of risk involved in the incorrect or unauthorized processing of data

  • Application Audit (cont.)
    1. Administration
    2. Inputs, Processing, Outputs
    3. Logical Security
    4. Disaster Recovery Plan
    5. Change Management
    6. User Support
    7. Third Party Services
    8. General Controls

  • Application Audit - Administration
    - Probably the most important area of the audit, because this area focuses on the overall ownership and accountability of the application
    - Roles & Responsibilities - development, change approval, access authorization
    - Legal or regulatory compliance issues

  • Application Audit - Inputs, Processing, Outputs
    - Looking for evidence of data preparation procedures, reconciliation processes, handling requirements, etc.
    - Run test transactions against the application
    - Includes who can enter input and see output
    - Retention of output and its destruction

  • Application Audit - Logical Security
    - Looking at user creation and authorization as governed by the application itself
    - User ID linked to a real person
    - Number of allowable unsuccessful log-on attempts
    - Minimum password length
    - Password expiration
    - Password re-use ability
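The five logical-security items above are the kind of control an auditor can turn into repeatable checks, with the results dropped straight into the rating/fix summary table the Reporting Phase slides describe. The script below is an added example, not code from the slides or from any project the deck cites: the application settings, the user list, and the thresholds in `EXPECTED` are all constructed assumptions, and on a real engagement both the settings and the expectations come from the audit scope and the policy that applies.

```python
"""Logical-security checks for an application's account controls.

Added example, not from the original slides. It evaluates the five items on
the Logical Security slide (user ID linked to a real person, allowable
unsuccessful log-on attempts, minimum password length, expiration, re-use)
against assumed audit expectations and emits findings in the rating/fix
table layout the Reporting Phase slides describe.
"""

# Assumed audit expectations (hypothetical values, not from the slides).
EXPECTED = {
    "max_failed_logons": 5,       # lock the account after at most this many attempts
    "min_password_length": 8,
    "max_password_age_days": 90,
    "password_history": 5,        # previous passwords that may not be reused
}

# Constructed application settings, as an auditor might pull them from a config dump.
SAMPLE_SETTINGS = {
    "max_failed_logons": 0,        # 0 = lockout disabled
    "min_password_length": 6,
    "max_password_age_days": 0,    # 0 = never expires
    "password_history": 5,
}

# Constructed user list: each user ID and the real person it is linked to.
SAMPLE_USERS = [
    {"id": "jsmith", "owner": "J. Smith"},
    {"id": "batch01", "owner": ""},        # no person named -> finding
    {"id": "admin", "owner": "shared"},    # shared account -> finding
]

HIGH, MEDIUM = "High", "Medium"


def check_settings(settings, expected=EXPECTED):
    """Compare each configured control against its expectation; return finding dicts."""
    findings = []
    failed = settings.get("max_failed_logons", 0)
    if failed == 0 or failed > expected["max_failed_logons"]:
        findings.append({"control": "unsuccessful log-on attempts", "rating": HIGH,
                         "observed": failed,
                         "fix": "lock the account after %d failed attempts" % expected["max_failed_logons"]})
    length = settings.get("min_password_length", 0)
    if length < expected["min_password_length"]:
        findings.append({"control": "minimum password length", "rating": MEDIUM,
                         "observed": length,
                         "fix": "require at least %d characters" % expected["min_password_length"]})
    age = settings.get("max_password_age_days", 0)
    if age == 0 or age > expected["max_password_age_days"]:
        findings.append({"control": "password expiration", "rating": MEDIUM,
                         "observed": age,
                         "fix": "expire passwords within %d days" % expected["max_password_age_days"]})
    history = settings.get("password_history", 0)
    if history < expected["password_history"]:
        findings.append({"control": "password re-use", "rating": MEDIUM,
                         "observed": history,
                         "fix": "remember the last %d passwords" % expected["password_history"]})
    return findings


def check_user_ownership(users):
    """Every user ID must be linked to one real person; flag blank and shared owners."""
    findings = []
    for user in users:
        owner = user.get("owner", "").strip()
        if not owner or owner.lower() == "shared":
            findings.append({"control": "user ID linked to a real person", "rating": HIGH,
                             "observed": user["id"],
                             "fix": "assign a named owner or remove the account"})
    return findings


def findings_table(findings):
    """Summary table for the long report: control, rating, observed value, fix."""
    fmt = "%-32s %-7s %-10s %s"
    header = fmt % ("Control", "Rating", "Observed", "Fix")
    rows = [fmt % (f["control"], f["rating"], str(f["observed"]), f["fix"]) for f in findings]
    return "\n".join([header] + rows)


if __name__ == "__main__":
    all_findings = check_settings(SAMPLE_SETTINGS) + check_user_ownership(SAMPLE_USERS)
    print(findings_table(all_findings))
```

Treating "0" as disabled for the lockout and expiration settings matters: a naive `< expected` comparison would pass an application that never locks accounts or never expires passwords, which is exactly the gap this part of the audit exists to find.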

  • Application Audit - Disaster Recovery Plan
    - Looking for an adequate and performable disaster recovery plan that will allow the application to be recovered in a reasonable amount of time after a disaster
    - Backup guidelines, process documentation, offsite storage guidelines, SLAs with offsite storage vendors, etc.

  • Application Audit - Change Management
    - Examines the process that changes to an application go through
    - Process is documented, adequate and followed
    - Who is allowed to request a change, approve a change and make the change
    - Change is tested and doesn't break compliance (determined in Administration) before being placed into production

  • Application Audit - User Support
    - One of the most overlooked aspects of an application
    - User documentation (manuals, online help, etc.) - available & up to date
    - User training - productivity, proper use, security
    - Process for user improvement requests

  • Application Audit - Third Party Services
    - Look at the controls around any 3rd party services that are required to meet business objectives for the application or system
    - Liaison to 3rd party vendor
    - Review contract agreement
    - SAS (Statement on Auditing Standards) No. 70 - Service organizations disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format

  • Application Audit - General Controls
    - Examining the environment the application exists within, insofar as it affects the application
    - System administration / operations
    - Organizational logical security
    - Physical security
    - Organizational disaster recovery plans
    - Organizational change control process
    - License control processes
    - Virus control procedures

  • References
    - www.isaca.org
    - An Auditor's Checklist for Performing a Perimeter Audit of an IBM iSeries (AS/400) System - Craig Reise
    - Conducting a Security Audit: An Introductory Overview - Bill Hayes
    - The Application Audit Process - A Guide for Information Security Professionals - Robert Hein

    This is an audit of how the confidentiality, integrity and availability of an organization's information assets is assured. The point of doing it is to catch problems before an incident occurs and exposes the problem to the world at large.

    Based on where you work, the phrases "pen test" and "IT Security Audit" may be used interchangeably. However, a pen test is a very narrowly focused attempt to look for security holes in a critical resource, such as a firewall or web server, with little or no information on your intended target.

    On the other hand, an IT Audit is a broader-range assessment. For example, when pen testing a web server you are looking for vulnerabilities in the service and/or the underlying system. In an IT Security Audit you want to know who has access to this machine, who is allowed to make changes, whether any change logs are being kept, how accurate they are, etc. There is also full disclosure of the information.

    What are these and why should you take them seriously?

    ISACA is an international organization.

    1. Evaluate the strategy, policies, standards, procedures and related practices for the management, planning, and organization of IS.

    Policies governing your IS department compared to best practices.

    2. Evaluate the effectiveness and efficiency of the organization's implementation and ongoing management of technical and operational infrastructure to ensure that they adequately support the organization's business objectives.

    Right equipment for the job.

    3. Evaluate the logical, environmental, and IT infrastructure security to ensure that it satisfies the organization's business requirements for safeguarding information assets against unauthorized use, disclosure, modification, damage, or loss.

    Really in-depth IT security area. Checking for things like password usage, encryption, etc.

    4. Evaluate the process for developing and maintaining documented, communicated, and tested plans for continuity of business operations and IS processing in the event of a disruption.

    Auditing of Disaster Recovery Plans.

    5. Evaluate the methodology and processes by which the business application system development, acquisition, implementation, and maintenance are undertaken to ensure that they meet the organization's business objectives.

    This area covers application auditing, which I will discuss more.

    6. Evaluate business systems and processes to ensure that risks are managed in accordance with the organization's business objectives.

    Auditing risk management procedures and policies

    7. Conduct IS audits in accordance with generally accepted IS audit standards and guidelines to ensure that the organization's information technology and business systems are adequately controlled, monitored, and assessed.

    Following best practices.

    1. Establish and maintain a framework to provide assurance that information security strategies are aligned with business objectives and consistent with applicable laws and regulations.

    Higher-level view of an organization's IT policies and procedures to make sure they are both useful to the organization and in compliance with laws and regulations that may apply.

    2. Identify and manage information security risks to achieve business objectives.

    In CISA you were looking at risk management from the point of view of one entity within the corporation; here you are examining how a failure in that entity affects the entire organization.

    3. Design, develop and manage an information security program to implement the information security governance framework.

    For the most part, when you are auditing you are a casual observer and make your suggestions at the end. When it comes to the management level, your input is expected when developing organization-wide policies and procedures.

    4. Oversee and direct information security activities to execute the information security program.

    Again, you are expected to take a more proactive role.

    5. Develop and manage a capability to respond to and recover from disruptive and destructive information security events.

    Same as the last 3.

    General approach to IT Auditing; remember that IT Security Auditing is a large subset of IT Auditing.

    Controls are management controls, authentication/access controls, physical security, outsider access to systems, system administration controls and procedures, connections to external networks, remote access, incident response, and the contingency plan.

    Example of defining objectives and scope. Generally, specific records shouldn't be needed; an aggregation is enough instead.

    Very simple; this is a real-life example taken from the MTA, just really dumbed down. The original one included close to 1,000 users and 125 groups.

    Being in 2 groups is OK; being in all 3 is a violation. Ideally, a person is in only 1 group.
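The users-and-groups slide itself was an image that did not survive extraction, so here is an added example (not from the original deck) that applies the rule stated in the notes to a group listing: membership in 2 of the 3 conflicting groups is acceptable, all 3 is a violation, and 1 is the ideal. The three group names and the `/etc/group`-style listing are constructed stand-ins; a real audit substitutes the groups the scope identifies as mutually exclusive duties. As the notes say, only aggregated names come back, not the individual records.

```python
"""Segregation-of-duties check over a users/groups listing.

Added example, not from the original slides. The group names and the
listing below are constructed; the rule is the one from the speaker notes.
"""
from collections import defaultdict

# Hypothetical names for the three mutually exclusive duties.
CONFLICTING_GROUPS = frozenset({"payroll_entry", "payroll_approve", "payroll_disburse"})

# Constructed /etc/group-style input: name:password:gid:member,member,...
SAMPLE_GROUP_FILE = """\
payroll_entry:x:5001:alice,bob,carol
payroll_approve:x:5002:bob,dave,carol
payroll_disburse:x:5003:carol,erin
helpdesk:x:5004:alice,bob,carol,dave,erin
"""


def parse_group_file(text):
    """Return {group_name: set(members)} from /etc/group-formatted text.

    Blank lines, comments and lines with fewer than 4 fields are skipped;
    an auditor would record the skipped lines separately rather than let
    malformed input silently shrink the population being checked.
    """
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, members = fields[0], fields[3]
        groups[name] = {m for m in members.split(",") if m}
    return groups


def memberships_by_user(groups, of_interest):
    """Invert the listing: {user: set of conflicting groups the user is in}.

    Groups outside the conflicting set (helpdesk above) are ignored, so a
    user's unrelated memberships never count against them.
    """
    by_user = defaultdict(set)
    for group, members in groups.items():
        if group in of_interest:
            for user in members:
                by_user[user].add(group)
    return by_user


def classify(groups, of_interest=CONFLICTING_GROUPS):
    """Bucket users by how many of the conflicting groups they belong to.

    Returns (violations, warnings, ok): users in every conflicting group,
    users in exactly two, and users in exactly one. Sorted name lists are
    the aggregated finding that goes in the report.
    """
    by_user = memberships_by_user(groups, of_interest)
    violations = sorted(u for u, g in by_user.items() if g == set(of_interest))
    warnings = sorted(u for u, g in by_user.items() if len(g) == 2)
    ok = sorted(u for u, g in by_user.items() if len(g) == 1)
    return violations, warnings, ok


if __name__ == "__main__":
    parsed = parse_group_file(SAMPLE_GROUP_FILE)
    violations, warnings, ok = classify(parsed)
    print("violation (all 3 groups):", violations)   # carol
    print("review (2 groups):       ", warnings)     # bob
    print("ideal (1 group):         ", ok)           # alice, dave, erin
```

Inverting the mapping from group-to-members into user-to-groups is the step that makes the check scale to the "close to 1,000 users and 125 groups" the notes mention: each user is then examined once, and the conflicting set can be swapped for whatever combination the scope defines.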

    When clearance or guarded information is involved, it puts a heavier burden on the site employees.

    An Application Audit should, at a minimum, determine the existence of controls in these areas.

    1 to 7 are more important, while 8 is a bit outside of the scope.

    Roles & Responsibilities should be segregated. What compliance do you need to follow?

    Service level agreement.

    The application doesn't exist within a bubble. Not doing an in-depth audit on these points.