Information Technology Audit PDF
Presentation on Information Technology Audit: Concept, Approach, and Methodologies
indrajit@post.harvard.edu
www.eko-indrajit.com
IT-Audit Concept, Approach and Methodologies
Internal IT Audit
- Stakeholder in the Internal IT Audit Process
- Key Objectives & Requirements
- Methodological Framework
- Internal IT Audit Organization and Scope
- Proposed Approach and Methodology
- Co-ordination with External Regulatory and Auditing Bodies
- Conclusion
Internal IT Audit
- IT project involvement
  - Stress point matrix
  - Infrastructure / Application Interface
- Frequency of reviews
  - PASKOR planning
- Standardisation and depth of reviews
  - TCC concept
- Recommendations
  - Primary controls audit (PCA)
  - Primary controls review (PCR)
  - Self Assessment approach (SA)
Methodological Framework
Main Areas of Use
- IT audits
- Risk analysis
- Health checks (security benchmarking)
- Security concepts
- Security manuals / handbooks
IT Audit Methodologies
- CobiT
  - www.isaca.org
- BS 7799 - Code of Practice (CoP)
  - www.bsi.org.uk/disc/
- BSI - IT baseline protection manual
  - www.bsi.bund.de/gshb/english/menue.htm
- ITSEC
  - www.itsec.gov.uk
- Common Criteria (CC)
  - csrc.nist.gov/cc/
SAM User Conference, 2000
[Chart: BS 7799, BSI and ITSEC compared on the criteria update frequency, certifiability, efficiency, applicability in practice, presentation of results, adaptability and extent of scope]
IT Risk Management
- Responsibility of ensuring proper management lies at the execution level
- Independent risk management function with clear roles and responsibility
Measurement & reporting:
- Controls in place to ensure completeness, accuracy and timeliness of risk capture
- Measures continually evolve as advances in methodologies and modeling techniques improve
Categories of risk:
- Clearly segmented categories defined which are easily understood throughout the organization
- Comprehensive categories to capture all risks
Risk management process:
- Structured interview process, risk collection and feedback programme
- Minimal administrative burden; usage of automated tools (intranet, database etc.) wherever possible
IT Risk Categories
Org risk categories: Strategic, Credit risk, Market risk, Funding risk, Operational risk, IT risk, Legal risk
IT risk categories (grouped in the diagram under headings including IT development and IT delivery):
- business / IT alignment
- business value of IT
- emerging technology
- project evaluation
- IT architecture management
- project management
- development standards
- project risk
- data and information management
- development / testing environments
- operation management
- production availability
- IT change management
- system and network security
- contingency & capacity planning
Reputation risk, impacts on: Customer / clients, Shareholders, Counterparties, Suppliers
[Diagram: Actual: Generalists; Future: Specialists; shown against mainstream distributed technologies and CoE]
Generic IT Environment
Layers (top to bottom), with System Management & Operations alongside:
- Application Architecture (AA)
- Application: Development Environment, Application Security
- Middleware / Services
- Operating System
- Telecommunication
- Hardware
Audit scopes shown: Application Audit (application layers); IT Audit / Technical Security (system layers)
Generic IT Environment - Products
[Diagram: audit products Primary Controls Audit (PCA), Primary Controls Review (PCR) and Self-Assessment (SA), with TCC / CoE, mapped against applications a, b, c, d for the application audit areas overall project mgmt, appl level security, app/business controls, business contingency, system functionality and user testing]
[Diagram: inputs project plan, existing processes, stress point matrix and testing feeding PCA, PCR (with TCC / CoE) and SA, producing results]
Requirements
- Audit areas
- Audit objectives
- Divisions
- Legal entities
- Processes
IT Audit Methodologies
- CobiT
- BS 7799 - Code of Practice (CoP)
- BSI - IT Baseline Protection Manual
- ITSEC
- Common Criteria (CC)
Security Definition
- Confidentiality
- Integrity
- Correctness
- Completeness
- Availability
CobiT
- Governance, Control & Audit for IT
- Developed by ISACA
- Releases
  - CobiT 1: 1996
    - 32 Processes
    - 271 Control Objectives
  - CobiT 2: 1998
    - 34 Processes
    - 302 Control Objectives
CobiT - Framework
[Diagram not captured]
CobiT - Structure
- 4 Domains
  - PO - Planning & Organisation: 11 processes (high-level control objectives)
  - AI - Acquisition & Implementation: 6 processes (high-level control objectives)
  - DS - Delivery & Support: 13 processes (high-level control objectives)
  - M - Monitoring: 4 processes (high-level control objectives)
M - Monitoring
- M1 Monitor the Processes
- M2 Assess Internal Control Adequacy
- M3 Obtain Independent Assurance
- M4 Provide for Independent Audit
[Diagram residue: Compliance, Reliability; IT Processes]
CobiT - Summary
- Mainly used for IT audits, incl. security aspects
- No detailed evaluation methodology described
- Developed by international organisation (ISACA)
- Up-to-date: Version 2 released in 1998
- Only high-level control objectives described
- Detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown in graphic form
CobiT - Summary
- May be used for self assessments
- Useful aid in implementing IT control systems
- No suitable basis to write security handbooks
- CobiT package from ISACA: $ 100.--
- 3 parts freely downloadable from ISACA site
- Software available from Methodware Ltd., NZ (www.methodware.co.nz)
- CobiT Advisor 2nd edition: US$ 600.--
BS 7799 - CoP
- Code of Practice for Information Security Management
- Developed by UK DTI, BSI: British Standard
- Releases
  - CoP: 1993
  - BS 7799: Part 1: 1995
  - BS 7799: Part 2: 1998
- Certification & Accreditation scheme (c:cure)
BS7799 - Summary
- Main use: Security Concepts & Health Checks
- No evaluation methodology described
- British Standard, developed by UK DTI
- Certification scheme in place (c:cure)
- BS7799, Part 1, 1995 is being revised in 1999
- Lists 109 ready-to-use security controls
- No detailed security measures described
- Very user friendly - easy to learn
BS7799 - Summary
- Evaluation results not shown in graphic form
- May be used for self assessments
- BS7799, Part 1: £ 94.--
- BS7799, Part 2: £ 36.--
- BSI Electronic book of Part 1: £ 190.-- + VAT
- Several BS7799 c:cure publications from BSI
- CoP-iT software from SMH, UK: £349 + VAT (www.smhplc.com)
BSI - Approach
[Diagram not captured]
BSI - Approach
- Used to determine IT security measures for medium-level protection requirements
- Straightforward approach, since detailed risk analysis is not performed
- Based on generic & platform-specific security requirements, detailed protection measures are constructed using given building blocks
- List of assembled security measures may be used to establish or enhance baseline protection
BSI - Structure
- IT security measures
  - 7 areas
  - 34 modules (building blocks)
- Safeguards catalogue
  - 6 categories of security measures
- Threats catalogue
  - 5 categories of threats
BSI - Infrastructure
- 4.1 Buildings
- 4.2 Cabling
- 4.3 Rooms
  - 4.3.1 Office
  - 4.3.2 Server Room
  - 4.3.3 Storage Media Archives
  - 4.3.4 Technical Infrastructure Room
- 4.4 Protective cabinets
- 4.5 Home working place
BSI - LANs
- 6.1 Server-Based Network
- 6.2 Networked Unix Systems
- 6.3 Peer-to-Peer Network
- 6.4 Windows NT network
- 6.5 Novell Netware 3.x
- 6.6 Novell Netware version 4.x
- 6.7 Heterogeneous networks
BSI - Telecommunications
- 8.1 Telecommunication system
- 8.2 Fax Machine
- 8.3 Telephone Answering Machine
- 8.4 LAN integration of an IT system via ISDN
BSI - Summary
- Main use: Security concepts & manuals
- No evaluation methodology described
- Developed by German BSI (GISA)
- Updated version released each year
- Lists 209 threats & 420 security measures
- 34 modules cover generic & platform-specific security requirements
BSI - Summary
- User friendly with a lot of security details
- Not suitable for security risk analysis
- Results of security coverage not shown in graphic form
- Manual in HTML format on BSI web server
- Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
ITSEC - Methodology
- Based on a systematic, documented approach for security evaluations of systems & products
- Open ended with regard to the defined set of security objectives
  - ITSEC Functionality classes; e.g. FC-C2
  - CC protection profiles
- Evaluation steps:
  - Definition of functionality
  - Assurance: confidence in functionality
ITSEC - Functionality
- Security objectives (Why)
  - Risk analysis (Threats, Countermeasures)
  - Security policy
- Security enforcing functions (What)
  - technical & non-technical
- Security mechanisms (How)
- Evaluation levels
ITSEC - Assurance
- Goal: Confidence in functions & mechanisms
- Correctness
  - Construction (development process & environment)
  - Operation (process & environment)
- Effectiveness
  - Suitability analysis
  - Strength of mechanism analysis
  - Vulnerabilities (construction & operation)
CC - Security Concept
[Diagram not captured]
CC - Evaluation Goal
[Diagram not captured]
CC - Documentation
- CC Part 1: Introduction and Model
  - Introduction to Approach
  - Terms and Model
  - Requirements for Protection Profiles (PP) and Security Targets (ST)
- CC Part 2: Functional Requirements
  - Functional Classes
  - Functional Families
  - Functional Components
  - Detailed Requirements
- CC Part 3: Assurance Requirements
  - Assurance Classes
  - Assurance Families
  - Assurance Components
  - Detailed Requirements
  - Evaluation Assurance Levels (EAL)
CC - Security Requirements
[Diagram not captured]
ITSEC, CC - Summary
- Used primarily for security evaluations and not for generalized IT audits
- Defines evaluation methodology
- Based on International Standard (ISO 15408)
- Certification scheme in place
- Updated & enhanced on a yearly basis
- Includes extensible standard sets of security requirements (Protection Profile libraries)
CobiT - Assessment
[Diagram not captured]
BS 7799 - Assessment
[Diagram not captured]
BSI - Assessment
[Diagram not captured]
ITSEC/CC - Assessment
[Diagram not captured]
indrajit@post.harvard.edu
www.eko-indrajit.com