Information Technology Audit PDF


n Special

 Presenta�on  on  

Informa�on  
Technology  Audit  
Concept,  Approach,  and  
Methodologies  

Prof.  Richardus  Eko  Indrajit  


Chairman  of  ID-­‐SIRTII  and  APTIKOM  

indrajit@post.harvard.edu    
www.eko-­‐indrajit.com  
IT-Audit Concept, Approach
and Methodologies
IT-Audit Concept, Approach and Methodologies

Internal IT Audit
- Stakeholders in the Internal IT Audit Process
- Key Objectives & Requirements
- Methodological Framework
- Internal IT Audit Organization and Scope
- Proposed Approach and Methodology
- Co-ordination with External Regulatory and Auditing Bodies
- Conclusion

SAM User Conference, 2000


Stakeholders in the Internal IT Audit Process

Internal IT Audit sits at the centre of four stakeholder groups:
- Internal IT: WDR, PB, AM, PC&C IT; IT Security
- External IT: Perot Systems; Systor IT
- Internal Audit & Business: GIA Business line; BOD/GEB, ASB, AC; Business lines
- External to Org: Regulatory Bodies; External Audit; Prof Bodies


Stakeholder Demands on Internal IT Audit

Internal IT:
- Breadth vs Depth
- Increased technological solutions
- Quality/Relevance of recommendations
- Increased involvement up front
- Detailed knowledge over increasingly specialized areas
- Rationalization of the Bank's systems/technology
- Global Focus, Adherence to standards

External IT:
- Staff Recruitment/Retention
- Increased technological complexity / new technologies
- Pace of IT Technology Development & Implementation
- Increased reliance on technical solutions
- Outsourcing
- Best practices/benchmarks

Internal Audit and Business:
- Ensure completeness of coverage between IT & Financial audit
- Budgetary, Headcount
- Standards & Quality of work
- Resource allocation
- Reporting & Follow Up

External to Org:
- Acquisitions & JVs - economies through/leveraging technology
- Globalization - increased regulatory requirement
- Cost reduction - rationalization across group
- Increased regulatory requirements


Key Objectives and Requirements
- Global and independent
- Risk focus
- Experts in IT internal control
- IT project involvement
- Frequency of reviews
- Standardization and depth of reviews
- Recommendations
- IT and control knowledge
- Effective co-ordination with external and regulatory bodies
- Application / infrastructure audit co-ordination

Objective and course of action:
- Global and independent
  - Independence: the reporting structure of Group Audit within the bank ensures this
  - Organization & Technical Competence Center (TCC) concept
- Risk focus
  - PASKOR planning (risk planning)
  - Incorporation of the IT risk framework in Internal IT Audit fieldwork & reporting
  - Self-assessment process and IT Audit risk & control database
- Experts in IT internal control
  - CobiT framework and IT Audit planning and fieldwork with the technology competence centre
- IT project involvement
  - Stress point matrix
  - Infrastructure / Application Interface
- Frequency of reviews
  - PASKOR planning
- Standardisation and depth of reviews
  - TCC concept
- Recommendations
  - Primary controls audit (PCA)
  - Primary controls review (PCR)
  - Self Assessment approach (SA)
- IT and control knowledge
  - TCC concept
  - Training re-emphasis
- Effective co-ordination with external and regulatory bodies
  - Planning and co-ordination of requirements
  - Outsourcing of work (external lead)
  - Insourcing on IT Audit (internal lead)
  - IT Audit work standards
  - IT Audit location database
- Application / infrastructure audit co-ordination
  - Scope and coverage definition
  - Infrastructure / Application Interface


Methodological Framework

Main areas of use:
- IT audits
- Risk analysis
- Health checks (security benchmarking)
- Security concepts
- Security manuals / handbooks

IT Audit Methodologies
- CobiT: www.isaca.org
- BS 7799 - Code of Practice (CoP): www.bsi.org.uk/disc/
- BSI - IT Baseline Protection Manual: www.bsi.bund.de/gshb/english/menue.htm
- ITSEC: www.itsec.gov.uk
- Common Criteria (CC): csrc.nist.gov/cc/

Comparison of Methods - Results

[Radar chart comparing CobiT, BS 7799, BSI and ITSEC on ten criteria: Standardisation, Independence, Certifiability, Applicability in practice, Adaptability, Extent of scope, Presentation of results, Efficiency, Update frequency, Ease of use.]

Methods: Example for CobiT

CobiT processes (linked through the CobiT control objectives):
- Planning & organization
- Acquisition & implementation
- Delivery & support
- Monitoring

PASKOR audit types:
- Mgmt & Control
- Year 2000
- IT Development
- IT Operations
- IT Network
- IT Security
- DR & CP
- Change Mgmt

AutoAudit:
- Risk control matrices (detailed risks & controls, CobiT objectives)


IT Risk Management

Strategy & governance:
- Responsibility for ensuring proper management lies at the execution level
- Apply IT risk management within a consistent and repeatable framework

Risk management organisation:
- Independent risk management function with clearly defined roles and responsibilities
- Link between the risk management group, strategic planning and IT management

Measurement & reporting:
- Controls in place to ensure completeness, accuracy and timeliness of risk capture
- Measures continually evolve as advances in methodologies and modeling techniques improve

Categories of risk:
- Clearly segmented categories, defined so that they are easily understood throughout the organization
- Comprehensive categories to capture all risks

Risk management process:
- Structured interview process, risk collection and feedback programme
- Minimal administrative burden; usage of automated tools (intranet, database etc.) wherever possible

IT Risk Categories

Org risk categories: Strategic, Credit risk, Market risk, Funding risk, Operational risk, IT risk, Legal risk, Liability risk, Compliance risk, Tax risk, Physical/crime risk

IT risk categories:
- Business / IT alignment; business value of IT; emerging technology; project evaluation; IT architecture management; project management
- IT development: development standards; project risk; data and information management; development / testing environments
- IT delivery: operation management; production availability; IT change management; system and network security; contingency & capacity planning
- Financial: IT costs (project and operations); IT investment appraisal; VAR (system financial exposure)
- IT organisation: skill / knowledge management; succession planning / career mgmt; HR policies; IT / business organisation alignment; supplier & third party management
- Legal & compliance: non-conformance to regulations; regulatory reporting; IT contracts

Reputation risk - impacts on:
- Customers / clients
- Shareholders
- Counterparties
- Suppliers
- Regulators


Internal IT Audit Organization

IT Audit Group
- IT Aud Domestic CH: Basel / Zurich (CH)
- IT Aud International: EMEA, Asia Pacific, Americas
- CAATTs Audit SW
- Technical CoE (Centre of Excellence), Basel / Zurich: distributed technology
- Technical Competence Centres (TCC)
- IT Consulting / Services
- SSP Task Forces

CoE, TCC Schematic - Migration Path

Actual: Generalists
[Schematic: general IT audit activities with good all-round knowledge; TCCs organised by technology or process; CoE for mainstream distributed technologies; vertical axis: depth of knowledge.]

Future: Specialists
[Schematic: one specialist per TCC, each organised by technology or process; CoE for mainstream distributed technologies; vertical axis: depth of knowledge.]


Generic IT Environment

Layers, from top to bottom, with the audit that covers each:
- Application audit
  - Application Architecture (AA)
  - Application: Development Environment, Application Security
  - Software Change Management (SCM)
- IT audit
  - Middleware / Services
  - System Management & Operations
  - Operating System
  - Telecommunication
  - Technical Security
  - Hardware

Products and applications (a, b, c, d)

Application audit covers:
- Overall project mgmt
- Application-level security
- App/business controls
- Business contingency
- System functionality
- User testing

IT audit covers:
- System technology, divisional IT processes: operations & systems support
- System technology, global IT processes: change mgmt process
- Operating system level: security & admin; disaster recovery; network controls; capacity planning; database mgmt; data access


Proposed Approach and Methodology

COSO Model: Internal Control - Integrated Framework
- Control environment
- Risk assessment
- Control activities
- Pertinent information
- Monitoring

Production Audit Approach

[Diagram: the Technical Competence Centres / Centre of Excellence (TCC / CoE) at the centre, surrounded by the Primary Controls Audit (PCA), the Primary Controls Review (PCR) and the Self-Assessment (SA).]

Pre- / Post-Implementation Audit
- Pre-implementation: project plan; stress point matrix; testing
- Post-implementation: existing processes; results
Both are supported by the TCC / CoE and use the Primary Controls Audit (PCA), the Primary Controls Review (PCR) and the Self-Assessment (SA).

Principles and Co-operation

Parties: Regulator; IT Audit / 3rd party external; Internal IT Audit; Divisions
- Basis: Laws, Regulations, Standards
- Requirements: Audit areas, Audit objectives, Divisions, Legal entities, Processes
- Special assignments: Audit areas, Audit objectives

Thank you for your interest in IT Audit Concept, Approach and Methodologies

IT Audit Methodologies


Security Definition
- Confidentiality
- Integrity
- Correctness
- Completeness
- Availability

CobiT
- Governance, Control & Audit for IT
- Developed by ISACA
- Releases
  - CobiT 1: 1996 - 32 processes, 271 control objectives
  - CobiT 2: 1998 - 34 processes, 302 control objectives

CobiT - Model for IT Governance
- 36 control models used as basis:
  - Business control models (e.g. COSO)
  - IT control models (e.g. DTI's CoP)
- CobiT control model covers:
  - Security (Confidentiality, Integrity, Availability)
  - Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
  - IT Resources (Data, Application Systems, Technology, Facilities, People)

CobiT - Framework
[Figure only]

CobiT - Structure
- 4 domains
  - PO - Planning & Organisation: 11 processes (high-level control objectives)
  - AI - Acquisition & Implementation: 6 processes (high-level control objectives)
  - DS - Delivery & Support: 13 processes (high-level control objectives)
  - M - Monitoring: 4 processes (high-level control objectives)

PO - Planning and Organisation
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine the Technological Direction
- PO 4 Define the IT Organisation and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality

AI - Acquisition and Implementation
- AI 1 Identify Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Architecture
- AI 4 Develop and Maintain IT Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes

DS - Delivery and Support
- DS 1 Define Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Attribute Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise IT Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations

M - Monitoring
- M1 Monitor the Processes
- M2 Assess Internal Control Adequacy
- M3 Obtain Independent Assurance
- M4 Provide for Independent Audit

CobiT - IT Process Matrix

Each IT process is mapped against the information criteria and the IT resources:
- Information criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT resources: People, Applications, Technology, Facilities, Data

CobiT - Summary
- Mainly used for IT audits, incl. security aspects
- No detailed evaluation methodology described
- Developed by an international organisation (ISACA)
- Up-to-date: Version 2 released in 1998
- Only high-level control objectives described
- Detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown in graphic form
- May be used for self assessments
- Useful aid in implementing IT control systems
- No suitable basis to write security handbooks
- CobiT package from ISACA: $ 100.--
- 3 parts freely downloadable from the ISACA site
- Software available from Methodware Ltd., NZ (www.methodware.co.nz)
- CobiT Advisor 2nd edition: US$ 600.--

BS 7799 - CoP
- Code of Practice for Information Security Management
- Developed by UK DTI, BSI: British Standard
- Releases
  - CoP: 1993
  - BS 7799: Part 1: 1995
  - BS 7799: Part 2: 1998
- Certification & Accreditation scheme (c:cure)

BS 7799 - Security Baseline Controls
- 10 control categories
- 32 control groups
- 109 security controls
- 10 security key controls

BS 7799 - Control Categories
- Information security policy
- Security organisation
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management
- System access control
- Systems development & maintenance
- Business continuity planning
- Compliance

BS 7799 - 10 Key Controls
- Information security policy document
- Allocation of information security responsibilities
- Information security education and training
- Reporting of security incidents
- Virus controls
- Business continuity planning process
- Control of proprietary software copying
- Safeguarding of organizational records
- Data protection
- Compliance with security policy

BS 7799 - Summary
- Main use: Security Concepts & Health Checks
- No evaluation methodology described
- British Standard, developed by UK DTI
- Certification scheme in place (c:cure)
- BS 7799, Part 1, 1995 is being revised in 1999
- Lists 109 ready-to-use security controls
- No detailed security measures described
- Very user friendly - easy to learn
- Evaluation results not shown in graphic form
- May be used for self assessments
- BS 7799, Part 1: £ 94.--
- BS 7799, Part 2: £ 36.--
- BSI electronic book of Part 1: £ 190.-- + VAT
- Several BS 7799 c:cure publications from BSI
- CoP-iT software from SMH, UK: £ 349 + VAT (www.smhplc.com)

BSI (Bundesamt für Sicherheit in der Informationstechnik)
- IT Baseline Protection Manual (IT-Grundschutzhandbuch)
- Developed by the German BSI (GISA: German Information Security Agency)
- Releases:
  - IT security manual: 1992
  - IT baseline protection manual: 1995
  - New versions (paper and CD-ROM): each year

BSI - Approach
[Figure only]
- Used to determine IT security measures for medium-level protection requirements
- Straightforward approach, since a detailed risk analysis is not performed
- Based on generic & platform-specific security requirements, detailed protection measures are constructed using given building blocks
- The list of assembled security measures may be used to establish or enhance baseline protection

BSI - Structure
- IT security measures
  - 7 areas
  - 34 modules (building blocks)
- Safeguards catalogue
  - 6 categories of security measures
- Threats catalogue
  - 5 categories of threats

BSI - Security Measures (Modules)
- Protection for generic components
- Infrastructure
- Non-networked systems
- LANs
- Data transfer systems
- Telecommunications
- Other IT components

BSI - Generic Components
- 3.1 Organisation
- 3.2 Personnel
- 3.3 Contingency Planning
- 3.4 Data Protection

BSI - Infrastructure
- 4.1 Buildings
- 4.2 Cabling
- 4.3 Rooms
  - 4.3.1 Office
  - 4.3.2 Server Room
  - 4.3.3 Storage Media Archives
  - 4.3.4 Technical Infrastructure Room
- 4.4 Protective cabinets
- 4.5 Home working place

BSI - Non-Networked Systems
- 5.1 DOS PC (Single User)
- 5.2 UNIX System
- 5.3 Laptop
- 5.4 DOS PC (multiuser)
- 5.5 Non-networked Windows NT computer
- 5.6 PC with Windows 95
- 5.99 Stand-alone IT systems

BSI - LANs
- 6.1 Server-Based Network
- 6.2 Networked Unix Systems
- 6.3 Peer-to-Peer Network
- 6.4 Windows NT network
- 6.5 Novell Netware 3.x
- 6.6 Novell Netware version 4.x
- 6.7 Heterogeneous networks

BSI - Data Transfer Systems
- 7.1 Data Carrier Exchange
- 7.2 Modem
- 7.3 Firewall
- 7.4 E-mail

BSI - Telecommunications
- 8.1 Telecommunication system
- 8.2 Fax Machine
- 8.3 Telephone Answering Machine
- 8.4 LAN integration of an IT system via ISDN

BSI - Other IT Components
- 9.1 Standard Software
- 9.2 Databases
- 9.3 Telecommuting

BSI - Module "Data Protection" (3.4)
- Threats - Technical failure:
  - T 4.13 Loss of stored data
- Security measures - Contingency planning:
  - S 6.36 Stipulating a minimum data protection concept
  - S 6.37 Documenting data protection procedures
  - S 6.33 Development of a data protection concept (optional)
  - S 6.34 Determining the factors influencing data protection (optional)
  - S 6.35 Stipulating data protection procedures (optional)
  - S 6.41 Training data reconstruction
- Security measures - Organisation:
  - S 2.41 Employees' commitment to data protection
  - S 2.137 Procurement of a suitable data backup system

BSI - Safeguards (420 safeguards)
- S1 - Infrastructure (45 safeguards)
- S2 - Organisation (153 safeguards)
- S3 - Personnel (22 safeguards)
- S4 - Hardware & Software (83 safeguards)
- S5 - Communications (62 safeguards)
- S6 - Contingency Planning (55 safeguards)

BSI - S1 Infrastructure (45 safeguards; selection)
- S 1.7 Hand-held fire extinguishers
- S 1.10 Use of safety doors
- S 1.17 Entrance control service
- S 1.18 Intruder and fire detection devices
- S 1.27 Air conditioning
- S 1.28 Local uninterruptible power supply [UPS]
- S 1.36 Safekeeping of data carriers before and after dispatch

BSI - Security Threats (209 threats)
- T1 - Force Majeure (10 threats)
- T2 - Organisational Shortcomings (58 threats)
- T3 - Human Errors (31 threats)
- T4 - Technical Failure (32 threats)
- T5 - Deliberate Acts (78 threats)

BSI - T3 Human Errors (31 threats; selection)
- T 3.1 Loss of data confidentiality/integrity as a result of IT user error
- T 3.3 Non-compliance with IT security measures
- T 3.6 Threat posed by cleaning staff or outside staff
- T 3.9 Incorrect management of the IT system
- T 3.12 Loss of storage media during transfer
- T 3.16 Incorrect administration of site and data access rights
- T 3.24 Inadvertent manipulation of data
- T 3.25 Negligent deletion of objects

BSI - Summary
- Main use: Security concepts & manuals
- No evaluation methodology described
- Developed by the German BSI (GISA)
- Updated version released each year
- Lists 209 threats & 420 security measures
- 34 modules cover generic & platform-specific security requirements
- User friendly, with a lot of security details
- Not suitable for security risk analysis
- Results of security coverage not shown in graphic form
- Manual in HTML format on the BSI web server
- Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
- Paper copy of the manual: DM 118.--
- Software 'BSI Tool' (only in German): DM 515.--

ITSEC, Common Criteria
- ITSEC: IT Security Evaluation Criteria
  - Developed by UK, Germany, France, Netherlands, and based primarily on the USA TCSEC (Orange Book)
  - Releases
    - ITSEC: 1991
    - ITSEM: 1993 (IT Security Evaluation Manual)
    - UK IT Security Evaluation & Certification scheme: 1994
- Common Criteria (CC)
  - Developed by USA, EC: based on ITSEC
  - ISO International Standard
  - Releases
    - CC 1.0: 1996
    - CC 2.0: 1998
    - ISO IS 15408: 1999

ITSEC - Methodology
- Based on a systematic, documented approach for security evaluations of systems & products
- Open ended with regard to the defined set of security objectives
  - ITSEC functionality classes, e.g. FC-C2
  - CC protection profiles
- Evaluation steps:
  - Definition of functionality
  - Assurance: confidence in functionality

ITSEC - Functionality
- Security objectives (Why)
  - Risk analysis (Threats, Countermeasures)
  - Security policy
- Security enforcing functions (What)
  - technical & non-technical
- Security mechanisms (How)
- Evaluation levels

ITSEC - Assurance
- Goal: Confidence in functions & mechanisms
- Correctness
  - Construction (development process & environment)
  - Operation (process & environment)
- Effectiveness
  - Suitability analysis
  - Strength of mechanism analysis
  - Vulnerabilities (construction & operation)

CC - Security Concept
[Figure only]

CC - Evaluation Goal
[Figure only]

CC - Documentation
- CC Part 1 - Introduction and Model
  - Introduction to approach
  - Terms and model
  - Requirements for Protection Profiles (PP) and Security Targets (ST)
- CC Part 2 - Functional Requirements
  - Functional classes
  - Functional families
  - Functional components
  - Detailed requirements
- CC Part 3 - Assurance Requirements
  - Assurance classes
  - Assurance families
  - Assurance components
  - Detailed requirements
  - Evaluation Assurance Levels (EAL)

CC - Security Requirements
- Functional requirements: for defining the security behaviour of the IT product or system; implemented requirements become security functions
- Assurance requirements: for establishing confidence in the security functions; correctness of implementation and effectiveness in satisfying objectives

CC - Security Functional Classes

Class  Name
FAU    Audit
FCO    Communications
FCS    Cryptographic Support
FDP    User Data Protection
FIA    Identification & Authentication
FMT    Security Management
FPR    Privacy
FPT    Protection of TOE Security Functions
FRU    Resource Utilization
FTA    TOE (Target Of Evaluation) Access
FTP    Trusted Path / Channels

CC - Security Assurance Classes

Class  Name
ACM    Configuration Management
ADO    Delivery & Operation
ADV    Development
AGD    Guidance Documents
ALC    Life Cycle Support
ATE    Tests
AVA    Vulnerability Assessment
APE    Protection Profile Evaluation
ASE    Security Target Evaluation
AMA    Maintenance of Assurance

CC - Evaluation Assurance Levels (EALs)

EAL   Name                                       TCSEC*
EAL1  Functionally Tested                        -
EAL2  Structurally Tested                        C1
EAL3  Methodically Tested & Checked              C2
EAL4  Methodically Designed, Tested & Reviewed   B1
EAL5  Semiformally Designed & Tested             B2
EAL6  Semiformally Verified Design & Tested      B3
EAL7  Formally Verified Design & Tested          A1

*TCSEC = "Trusted Computer Security Evaluation Criteria" ("Orange Book")

ITSEC, CC - Summary
- Used primarily for security evaluations and not for generalized IT audits
- Defines an evaluation methodology
- Based on an International Standard (ISO 15408)
- Certification scheme in place
- Updated & enhanced on a yearly basis
- Includes extensible standard sets of security requirements (Protection Profile libraries)

Comparison of Methods - Criteria
- Standardisation
- Independence
- Certifiability
- Applicability in practice
- Adaptability
- Extent of scope
- Presentation of results
- Efficiency
- Update frequency
- Ease of use

Comparison of Methods - Results

Criterion                  CobiT  BS 7799  BSI  ITSEC/CC
Standardisation            3.4    3.3      3.1  3.9
Independence               3.3    3.6      3.5  3.9
Certifiability             2.7    3.3      3.0  3.7
Applicability in practice  2.8    3.0      3.1  2.5
Adaptability               3.3    2.8      3.3  3.0
Extent of scope            3.1    2.9      2.7  2.6
Presentation of results    1.9    2.2      2.6  1.7
Efficiency                 3.0    2.8      3.0  2.5
Update frequency           3.1    2.4      3.4  2.8
Ease of use                2.3    2.7      2.8  2.0

Scores between 1 (low) and 4 (high). Scores for CobiT, BS 7799 and BSI from the ISACA Swiss chapter; scores for ITSEC/CC from H.P. Winiger.

CobiT - Assessment
[Figure only]

BS 7799 - Assessment
[Figure only]

BSI - Assessment
[Figure only]

ITSEC/CC - Assessment
[Figure only]

Use of Methods for IT Audits
- CobiT: Audit method for all IT processes
- ITSEC, CC: Systematic approach for evaluations
- BS 7799, BSI: List of detailed security measures, to be used as best-practice documentation
- What is needed in addition:
  - Audit concept (general aspects, infrastructure audits, application audits)
  - Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)

Many thanks for your interest in IT Audit Methodologies

Thank You

Prof. Richardus Eko Indrajit
Chairman of ID-SIRTII and APTIKOM
indrajit@post.harvard.edu
www.eko-indrajit.com