Unit 7 Information Security Audit and Features
INFORMATION SECURITY AUDIT AND FEATURES
Topics: information systems audit versus information security audit; scope of the audit; constraints of a security audit; types of security audits; phases of an information security audit; information security audit methodology; security testing frameworks; audit process; auditing security practices; testing security technology; role of an auditor; auditor activities; information security audit consultants; required skill sets of an information security auditor.
• An information security audit is one of the best ways to determine the security
of an organization's information without incurring the cost and other associated
damages of a security incident.
• Information system audit and information security audit are two tools that are
used to ensure safety and integrity of information and sensitive data.
INFORMATION SECURITY AUDIT
Computer security auditors work with the full knowledge and support of the organization in order
to carry out the audit. This usually includes receiving documentation and access from an
organization representative.
A security analyst may be assigned to support and facilitate the audit.
Computer security auditors perform their work through personal interviews, reviews of policies,
vulnerability scans, examination of operating system settings, analysis of network shares, and
examination of historical data and logs.
PURPOSES OF AUDITS
Are access control lists (ACLs) in place on network devices to control who has access to shared
data?
Are the audit logs reviewed effectively and how are they reviewed?
Are the security settings for operating systems in accordance with accepted industry security
practices?
How are unnecessary applications and computer services managed? Are they eliminated in a
timely and effective manner for each system?
Are these operating systems and commercial applications patched? How and when did the
patching take place?
How is backup media stored? What is the backup policy and is it followed? Who has access to the
backup media, and is it up to date?
Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the
disaster recovery plan? Does it have gaps in its construct?
Are there adequate cryptographic tools in place to govern data encryption, and have these tools
been properly configured?
What security considerations were used while writing custom-built applications, are these
adequate and well documented?
How have these custom applications been tested for security flaws?
How are configuration and code changes documented at every level? How are these records
reviewed, and who conducts the review?
The duration of the cross-cutting audit depends on the size as well as the complexity of the
organization.
The size of the organization is determined by the number of employees and locations.
The level of complexity of an organization can only be determined on an organization-by-organization
basis, according to criteria such as the following:
What does the system landscape look like (number of systems and level of heterogeneity of the systems
used)?
Which and how many IT applications are used in the organization? Are they used to support critical business
processes?
Are higher-level procedures used that may affect realms outside of the organization?
How high is the protection requirement for the infrastructure, systems, and IT applications?
Is the organization active in areas critical to security (for example, is it a security agency)?
ELEMENTS OF A GOOD SECURITY AUDIT
The Information Systems Audit and Control Association (ISACA) develops and publishes IS auditing
standards; refer to them for further information.
A good security audit is part of a regular and comprehensive framework of information security.
Coverage is comprehensive: a cross-cutting audit across the entire organization.
Partial audits may be done for specific purposes.
Important IS audit meetings such as the opening and the closing meetings as well as the interviews
should be conducted as a team. This procedure ensures objectivity, thoroughness, and impartiality.
For reasons of independence and objectivity, no member of the audit team should have
participated directly in supporting or managing the areas to be audited, e.g. they must not have
been involved in the development of concepts or the configuration of the IT systems.
When initiating the audit it should be ensured that actual operations in the organization are not
significantly disrupted by it. The auditors never actively intervene in systems, and therefore
should not give any instructions for making changes to the objects being audited.
Management is responsible for supporting the conduct of a fair and comprehensive audit.
Appropriate communication, appointment of a central point of contact, and other support for the
auditors should be provided. The execution is planned and carried out in a phase-wise manner.
FUNCTIONS IN AN AUDIT
All audits have common functions that must be performed if they are to be successful. These usually
include:
Determine how intensive the audit is going to be. Are all facets of the organization to be examined,
or is this to be a common 'security' audit based on the IT infrastructure?
Detail how intrusive the audit is. It is important to avoid adversely impacting the production
environment during the audit process, whether by equipment downtime or by personnel being
taken away from their primary duties to participate in the audit.
Determine whether the corporation has existing methodologies to actively mitigate risk on an ongoing basis.
Reporting mechanism: how will you show progress and achieve validation in all areas?
Determine what threats existed in the past and whether those have been mitigated.
Interview members of the institution to determine if any known threats exist.
Determine network access control lists: who really needs access?
Develop a matrix of all personnel that need access to each device on the component chart.
Develop a matrix of all devices that need access to other devices on the component chart.
Each device on the component list should have a minimal set of entry points.
How much privilege is required for each person or system to perform their functions?
Given the list of possible threats, what is the likelihood that a given threat will materialize?
If a threat were to materialize, how great would its impact be?
Establish the greatest pain points for the company. Determine whether the approach is to work on the
big items first, or to get all of the minor issues out of the way before making any major changes.
Delineate the mitigation plan: what are the exact steps required to minimize the threats?
Generate a detailed project plan to reach the goal. Include tasking, timelines, costs, reporting
methods and checkpoints; all the components of a successful project plan are necessary.
Ensure that the organization is in agreement with the plan to mitigate risks.
Begin the mitigation process, using the priority decided upon by the stakeholders.
Review results: perform an after action review (AAR) on the audit process.
Risks that remain after mitigation are often not cost-effective to address, so formal acceptance of
these risks by management may be the only strategy available.
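As an added worked example (not part of the original notes), the Python script below carries out the network access control list function described above: it compares a matrix of who needs to reach which device with the rules actually deployed, and reports stale rules, wildcard rules, and the explicit rules that would replace each wildcard. The host names, ports, required-access matrix and deployed rules are all constructed for illustration.

```python
"""Compare a required-access matrix with the ACL rules actually deployed.

Added example; not taken from the original notes. Hosts, ports and rules
are constructed for illustration.
"""
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port")

# Required access: who/what genuinely needs to reach each device (constructed).
REQUIRED = {
    Rule("web01", "db01", 5432),
    Rule("admin-jump", "db01", 22),
    Rule("admin-jump", "web01", 22),
    Rule("monitor", "web01", 9100),
    Rule("monitor", "db01", 9100),
}

# Rules found in the deployed policy (constructed). "any" is a wildcard.
DEPLOYED = [
    Rule("web01", "db01", 5432),
    Rule("any", "db01", 22),        # too broad: SSH to the database from anywhere
    Rule("admin-jump", "web01", 22),
    Rule("monitor", "any", 9100),   # broader than needed
    Rule("web01", "db01", 3306),    # stale: nothing requires MySQL here
]


def covers(rule, needed):
    """True if a deployed rule grants the needed access (wildcards match)."""
    return (rule.src in ("any", needed.src)
            and rule.dst in ("any", needed.dst)
            and rule.port in ("any", needed.port))


def audit_acl(required, deployed):
    """Return (missing, excessive, wildcarded).

    missing    - required access that no deployed rule grants
    excessive  - deployed rules that serve no required access (candidates for removal)
    wildcarded - deployed rules using "any" in any field (candidates for tightening)
    """
    missing = sorted(n for n in required if not any(covers(r, n) for r in deployed))
    excessive = [r for r in deployed if not any(covers(r, n) for n in required)]
    wildcarded = [r for r in deployed if "any" in (r.src, r.dst, r.port)]
    return missing, excessive, wildcarded


def tighten(rule, required):
    """Return the explicit required entries a wildcard rule should be replaced with."""
    return sorted(n for n in required if covers(rule, n))


if __name__ == "__main__":
    missing, excessive, wildcarded = audit_acl(REQUIRED, DEPLOYED)
    print("missing:", missing)
    print("excessive:", excessive)
    for rule in wildcarded:
        print("replace", rule, "with", tighten(rule, REQUIRED))
```

The same comparison works for host firewalls, security groups or switch ACLs once the rules are normalised into source, destination and port; the auditor's evidence is the list of excessive and wildcard rules together with the business justification (or lack of it) obtained in interviews.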
CONSTRAINTS OF A SECURITY AUDIT
Time constraints
Third party access constraints
Business operations continuity constraints
Scope of audit engagement
Technology tools constraints
TYPES OF SECURITY AUDITS
External audits are commonly conducted by independent, certified parties in an objective manner.
They are scoped in advance and usually limited to identifying and reporting implementation and
control gaps against stated policies and standards such as COBIT (Control Objectives for
Information and Related Technology). The objective is to measure the client against a set of
accepted principles, sometimes correlated with current best practices.
Internal audits are usually conducted by experts linked to the organization, and they involve a
feedback process in which the auditor may not only audit the system but also provide advice in a
limited fashion. They differ from external audits in allowing the auditor to discuss mitigation
strategies with the owner of the system being audited.
There is a large variety of audit types based on the standards followed. Some examples include SSAE 16 audits
(type I or II; SSAE 16 has since been superseded by SSAE 18), audits of ISO 9001, ISO/IEC 17799 (since
renumbered ISO/IEC 27002), ISO/IEC 27001 and the ISO/IEC 27018 cloud privacy standard, and audits of
industry-specific standards such as HIPAA controls.
Within the broad scope of auditing information security there are multiple types of audits, multiple objectives
for different audits, etc. Audits can be broken down into a number of types, from the simple analysis of
security architecture based on opinion, to a full-blown, end-to-end audit against a security framework such as
ISO/IEC 27001. Auditing information security covers topics from auditing the physical security of data centres to
auditing the logical security of databases and highlights key components to look for and different methods for
auditing these areas. When centred on the IT aspects of information security, it can be seen as a part of an
information technology audit. It is often then referred to as an information technology security audit or a
computer security audit. However, information security encompasses much more than IT.
SECURITY REVIEW
Security assessments utilize professional opinion and expertise, but they also analyse the output
for relevancy and criticality to the organization.
The analysis aspect of an assessment attempts to quantify the risk associated with the items
discovered to determine the extent of the problem.
If an organisation has two servers with the same vulnerability, but one is the financial server
and the other operates as a print server, a security assessment would rank the financial server as a
high risk and the print server as a lower risk, based on the severity and damage potential.
The biggest differentiator between an assessment and a review is the depth to which the auditor
examines the system and analyses the results.
Examples include: vulnerability assessment, risk assessment, architecture assessment, policy
assessment
SECURITY AUDIT
A security audit examines the organization’s security posture against an industry standard
(ISO27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI.
An audit includes review and assessment; it also conducts a gap analysis against standards to
measure how well the organization complies.
Audits take into account people, processes, and technologies, and compare them to a
benchmark in a standardized and repeatable way.
Examples include: compliance audit, policy audit, procedure audit, risk audit.
AUDITS
Some of the specific audits that can be included in the above categories are:
PHASES OF AN INFORMATION SECURITY AUDIT
Pre-audit agreement
Data collection and fieldwork (test phase)
Analysis
Reporting
Follow-through
PRE-AUDIT AGREEMENT STAGE
Agree on scope and objective of the audit. Agree on the level of support that will be provided.
Agree on locations, duration and other parameters of the audit. Agree on financial and other
considerations.
Conducting a preliminary review of the client's environment, mission, operations, policies, and
practices. Performing risk assessments of the client environment, data, and technology resources.
Completing research of regulations, industry standards, practices, and issues. Reviewing current
policies, controls, operations, and practices.
Holding an entrance meeting to review the engagement memo, to request items from the client,
schedule client resources, and to answer client questions.
This will also include laying out the time line and specific methods to be used for the various
activities.
DATA COLLECTION AND FIELDWORK (TEST PHASE)
This stage is to accumulate and verify sufficient, competent, relevant, and useful evidence to reach
a conclusion related to the audit objectives and to support audit findings and recommendations.
During this phase, the auditor will conduct interviews, observe procedures and practices, perform
automated and manual tests, and other tasks.
Fieldwork activities may be performed at the client’s worksite(s) or at remote locations, depending
on the nature of the audit.
ANALYSIS
Analyses are performed after documentation of all evidence and data, to arrive at the audit findings
and recommendations. Any inconsistencies or open issues are addressed at this time.
The auditor may remain on-site during this phase to enable prompt resolution of questions and
issues.
At the end of this phase, the auditor will hold an exit meeting with the client to discuss findings and
recommendations, address client questions, discuss corrective actions, and resolve any outstanding
issues.
A first draft of the findings and recommendations may be presented to the client during the exit
meeting
REPORTING
Generally, the information security audit program will provide a draft audit report after completing
fieldwork and analysis.
Based on client response if changes are required to the draft, the auditor may issue a second draft.
Once the client is satisfied that the terms of the audit have been complied with, the final report is
issued with the auditor's findings and recommendations.
FOLLOW-THROUGH
Depending on expectations and agreements the auditor will evaluate the effectiveness of the
corrective action taken by the client, and, if necessary, advise the client on alternatives that may be
utilized to achieve desired improvements.
In larger, more complex audit situations, follow-up may be repeated several times as additional
changes are initiated. Additional audits may be performed to ensure adequate implementation of
recommendations.
The level of risk and severity of the control weakness or vulnerability dictate the time allowed
between the reporting phase and the follow-up phase.
The follow-up phase may require additional documentation for the audit client.
INFORMATION SECURITY AUDIT
METHODOLOGY
Need for a methodology
Audits need to be planned and follow a defined methodology in order to cover all the material risks of an
organization.
A planned methodology is also important because it clarifies the way forward for everyone in the
organization and in the audit teams. Which methodology and technique is used is less important than
having all the participants in the audit approach the subject in the same manner.
Audit methodologies
There are two primary methods by which audits are performed: start with the overall view of the
corporate structure and drill down to the minutiae, or begin with a discovery process that builds up a view
of the organization.
TYPES OF AUDITING METHODS
Audit methods may also be classified according to the type of activity. There are three types:
Testing – pen tests and other testing methodologies are used to explore vulnerabilities. In other
words, exercising one or more assessment objects to compare actual and expected behaviors.
Examination and review – this include reviewing policies, processes, logs, other documents,
practices, briefings, situation handling, etc. In other words, checking, inspecting, reviewing,
observing, studying, or analyzing assessment objects
Interviews and discussion – this involves group discussions, individual interviews, etc.
The three methods combine together to form an effective methodology for an overall audit.
AUDITING TECHNIQUES
There are various auditing techniques in use; NIST SP 800-115 groups them into three classes.
Examination (review) techniques, which passively examine systems, policies and procedures without
affecting them. Techniques include:
Documentation review
Log review
Network sniffing
Testing techniques for target identification and analysis, generally performed using automated tools
to identify systems, ports, services and potential vulnerabilities. Techniques include:
Network discovery
Vulnerability scanning
Wireless scanning
Testing techniques that corroborate the existence of vulnerabilities (target vulnerability validation);
these may be performed manually or with automated tools. Techniques include:
Password cracking
Penetration testing
Social engineering
Organizations use a combination of these techniques to ensure effectiveness and to meet the
objectives of the audit.
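Log review is the examination technique most often done badly, which is why the purposes list asks whether audit logs are reviewed effectively and how. As an added example that is not part of the original notes, the Python script below reviews sshd entries from a Linux auth log for password guessing and for a login accepted from a source that had already reached the failure threshold. The log lines are constructed, and the threshold is an assumed audit parameter rather than a standard value.

```python
"""Review sshd auth-log lines for password guessing and suspicious successes.

Added example; not taken from the original notes. The log lines are
constructed and the failure threshold is an assumed parameter.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log entries collected during fieldwork.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 09:12:03 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51012 ssh2
Mar  3 09:12:05 bastion sshd[2213]: Failed password for root from 203.0.113.7 port 51020 ssh2
Mar  3 09:12:07 bastion sshd[2215]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:12:09 bastion sshd[2217]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 09:12:15 bastion sshd[2219]: Accepted password for root from 203.0.113.7 port 51033 ssh2
Mar  3 09:30:44 bastion sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40022 ssh2
Mar  3 09:31:02 bastion sshd[2305]: Failed password for alice from 198.51.100.4 port 40030 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+)")


def review_auth_log(text, threshold=5):
    """Walk the log in order and return:

    failures          - failed password attempts per source address
    targets           - failed attempts per targeted account
    suspicious_logins - (user, source, auth method) for every success from a
                        source that had already reached `threshold` failures
    """
    failures = defaultdict(int)
    targets = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        m = FAILED.search(line)
        if m:
            targets[m.group(1)] += 1
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m.group(3), 0) >= threshold:
            suspicious.append((m.group(2), m.group(3), m.group(1)))
    return {
        "failures": dict(failures),
        "targets": dict(targets),
        "suspicious_logins": suspicious,
    }


if __name__ == "__main__":
    result = review_auth_log(SAMPLE_AUTH_LOG)
    print("failures per source:", result["failures"])
    print("targeted accounts:", result["targets"])
    for user, src, method in result["suspicious_logins"]:
        print(f"REVIEW: {user} accepted via {method} from {src} after brute force")
```

Two audit observations fall out of the constructed sample: the password-guessing burst from 203.0.113.7 ends in an accepted root password login, and the fact that root could log in with a password at all is itself a configuration finding to be checked against the host's SSH baseline.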
SECURITY TESTING FRAMEWORKS
There are numerous security testing methodologies used today by security auditors for
technical control assessment, including OSSTMM, ISSAF, NIST SP 800-115 and the OWASP testing guide.
Most auditors and penetration testers use these frameworks as a starting point to create their own
testing process, and they find a lot of value in referencing them.
OSSTMM
The OSSTMM manual takes a systems approach to security testing by dividing assessment areas into
six interconnected modules, including:
Internet technologies security: network mapping, port scanning, service and operating system (OS)
identification, vulnerability scanning, internet app testing, router/firewall testing, IDS testing, malicious
code detection, password cracking, denial of service, and policy review
Communications security: private branch exchange (PBX)/phone fraud, voicemail, fax, and modem
Wireless security: 802.11, bluetooth, handheld scanning, surveillance, radio frequency identification
(RFID), and infrared
Physical security: perimeter, monitoring, access control, alarm systems, and environment
ISSAF
The ISSAF is one of the largest freely available assessment methodologies. Each control test has
detailed instructions for operating testing tools and for what results to look for.
It is split into two documents: one is focused on the business aspect of security, and the other is designed
as a penetration test framework.
The level of detail on services, security tools to use, and potential exploits is high
and can help both an experienced security auditor and someone getting started in auditing.
NIST 800-115
NIST SP 800-115, the Technical Guide to Information Security Testing and Assessment, provides guidance and a
methodology for reviewing security, developed for the various departments and agencies of the U.S.
Government.
Like all NIST-created documents, 800-115 is free for use in the private sector.
It includes templates, techniques, and tools that can be used for assessing many types of systems
and scenarios.
It is not as detailed as the ISSAF or OSSTMM, but it does provide a repeatable process for the
conduct of security reviews.
The document includes guidance on the following:
Security testing policies
Management's role in security testing
Testing methods
Security review techniques
Identification and analysis of systems
Scanning and vulnerability assessments
Vulnerability validation (pen testing)
Information security test planning
Security test execution
Post-test activities
OWASP
The OWASP testing guide was created to assist web developers and security practitioners to better
secure web applications.
A proliferation of poorly written and executed web applications has resulted in numerous, easily
exploitable vulnerabilities that put the internet community at risk to malware, identity theft, and
other attacks.
The OWASP testing guide has become the standard for web application testing and has helped
increase the awareness of security issues in web applications through testing and better coding
practices.
The OWASP testing methodology is split as follows:
Information gathering
Configuration management
Authentication testing
Session management
Authorization testing
Business logic testing
Data validation testing
Denial of service testing
Web services testing
AJAX testing
The OWASP project also has a subproject called WebGoat, a deliberately vulnerable web application that
can be loaded in a controlled environment to practise these techniques against a live system.
Whatever the approach is to testing security controls, it must be ensured that it is consistent,
repeatable, and based on best practices.
AUDIT PROCESS
Security controls are selected and implemented because of security policies or security
requirements mandated by law.
Security is a service provided by IT to the business, so measuring it as such lets you see
many of the connections to the various functions of the business. There are standards, laws, and
benchmarks that you can use as your baseline to compare against.
Normally, you include content from multiple areas, as businesses may have more than one
regulation with which they must comply. It is easiest to start with the organization’s policies and
build your security auditing plan from there.
AUDITING SECURITY PRACTICES
Some criteria you can use to compare the service of security against are:
Evaluation against the organization’s own security policy and security baselines
After you have identified the security audit criteria that the organization needs to comply with, the
next phase is to perform assessments to determine how well they achieve their goals.
A number of assessments are usually required; each should refer back to the scope, which defines
the boundaries of the audit.
The following are types of assessments that might be performed to test security controls:
Risk assessment:
This type of assessment examines potential threats to the organization by listing areas that could be
sources of loss such as corporate espionage, service outages, disasters, and data theft.
Each is prioritized by severity, matched to the identified vulnerabilities, and used to determine
whether the organization has adequate controls to minimize the impact.
Policy assessment:
This assessment reviews policy to determine whether the policy meets best practices, is
unambiguous, and accomplishes the business objectives of the organization.
Social engineering
This involves penetration testing against people to identify whether security awareness training,
physical security, and facilities are properly protected.
Security design review:
The security design review is conducted to assess the deployment of technology for compliance
with policy and best practices.
These types of tests involve reviewing network architecture and design and monitoring and alerting
capabilities.
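Evaluation against the organization's own security baseline, the first criterion listed above, and the design review's check that deployed technology complies with policy both come down to the same mechanical step: collect a configuration and diff it against the written standard. As an added example that is not part of the original notes, the Python script below checks an OpenSSH server configuration against a small baseline and reports each deviation. The baseline values and the sample sshd_config are constructed; a real baseline comes from the organization's own standard or a published benchmark.

```python
"""Check an sshd_config against a written baseline and report deviations.

Added example; not taken from the original notes. The baseline values and
the sample configuration text are constructed for illustration.
"""
import re

# Constructed baseline: directive -> expected value (compared case-insensitively).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "LogLevel": "VERBOSE",
}

# Constructed sample of a host's sshd_config as collected during fieldwork.
# The commented-out directive is the classic weak setting: it looks hardened
# but leaves sshd on its default (password authentication enabled).
SAMPLE_SSHD_CONFIG = """\
# Managed by configuration management
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6
"""


def parse_sshd_config(text):
    """Return the effective top-level directives, ignoring comments and blanks.

    sshd uses the first occurrence of a directive, so later duplicates are
    ignored here as well. Match blocks are not modelled.
    """
    effective = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip()
        effective.setdefault(key, val)
    return effective


def check_baseline(text, baseline=BASELINE):
    """Return [(directive, expected, actual)] for every deviation.

    A directive absent from the file is reported as 'default' because the
    auditor must confirm the compiled-in default separately rather than
    assume it matches the baseline.
    """
    effective = parse_sshd_config(text)
    findings = []
    for directive, expected in baseline.items():
        actual = effective.get(directive.lower(), "default")
        if actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return findings


if __name__ == "__main__":
    for directive, expected, actual in check_baseline(SAMPLE_SSHD_CONFIG):
        print(f"DEVIATION {directive}: expected {expected}, found {actual}")
```

On a live host the evidence should be taken from `sshd -T`, which prints the effective configuration including defaults and Match blocks, rather than from the file alone; the parser above is deliberately conservative and reports anything it cannot see as a deviation to be confirmed.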
SECURITY PROCESS REVIEW
The security process review identifies weaknesses in the execution of security procedures and
activities. All security activities should have written processes that are communicated and
consistently followed.
The two most common methods for assessing security processes are through interviews and
observation:
INTERVIEWS
Talking to the actual people responsible for maintaining security, from users to systems
administrators, provides a wealth of evidence about the people aspect of security.
How do they feel about corporate security methods? Can they answer basic security policy
questions? Do they feel that security is effective? The kind of information gathered helps identify
any weakness in training and the organization’s commitment to adhering to policy.
OBSERVATION
Physical security can be tested by walking around the office and observing how employees
conduct themselves from a security perspective.
Do they walk away without locking their workstations or have sensitive documents sitting on their
desks? Do they leave the data centre door propped open, or do they not have a sign-out procedure
for taking equipment out of the building? It is amazing what a stroll through the cubicles of a
company can reveal about the security posture of an organization.
Document review:
Checking the effectiveness and compliance of the policy, procedure, and standards documents is
one of the primary ways an auditor can gather evidence.
Checking logs, incident reports, and trouble tickets can also provide data about how IT operates on a
daily basis.
Technical review:
This is where penetration testing and technical vulnerability testing come into play.
One of the most important services an auditor offers is to evaluate the competence and effectiveness
of the technologies relied upon to protect a corporation’s assets.
This section covered evaluation techniques for auditing security practices within an organization.
Many of the security practices used to protect a company are process- and policy-focused.
They represent the primary drivers for technology purchases and deployment.
Technology can automate many of these processes and policies and needs a different approach to
testing effectiveness.
The remainder of this chapter covers tools that can be used to test security technologies.
TESTING SECURITY TECHNOLOGY
There are many terms used to describe the technical review of security controls.
Ethical hacking, penetration test, and security testing are often used interchangeably to describe a
process that attempts to validate security configuration and vulnerabilities by exploiting them in a
controlled manner to gain access to computer systems and networks.
There are various ways that security testing can be conducted, and the choice of methods used
ultimately comes down to the degree to which the test examines security as a system.
There are generally two distinct levels of security testing commonly performed today:
Vulnerability assessment:
This technical assessment is intended to identify as many potential weaknesses in a host, application, or
entire network as possible, based on the scope of the engagement.
Configurations, policies, and best practices are all used to identify potential weaknesses in the
deployment or design of the entity being tested.
These types of assessments are notorious for finding an enormous amount of potential problems that
require a security expert to prioritize and validate real issues that need to be addressed.
Running vulnerability scanning software can result in hundreds of pages of items being flagged as
vulnerable when in reality they are not exploitable.
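The prioritisation step described here, and the earlier point that the same vulnerability on a financial server and on a print server should not be ranked the same, can be made repeatable. As an added example that is not part of the original notes, the Python script below scores constructed scanner findings by asset criticality as well as severity and sorts them for triage. The inventory, the findings and the scoring weights are all assumptions for illustration, not a standard formula.

```python
"""Rank scanner findings by asset criticality as well as raw severity.

Added example; not taken from the original notes. The asset tiers, findings
and weighting scheme are constructed assumptions.
"""

# Constructed asset inventory: 1 = low, 4 = business-critical.
ASSET_CRITICALITY = {
    "fin-db01": 4,
    "print01": 1,
    "web01": 3,
}

# Constructed scanner output: (host, finding, CVSS base score, exploit available?)
FINDINGS = [
    ("print01", "SMBv1 enabled", 7.5, True),
    ("fin-db01", "SMBv1 enabled", 7.5, True),
    ("web01", "TLS 1.0 supported", 5.3, False),
    ("fin-db01", "Self-signed certificate", 4.0, False),
]


def risk_score(host, cvss, exploitable):
    """Severity weighted by what the host is for and whether the flaw is usable.

    Unknown hosts are assumed medium criticality (2) so that an incomplete
    inventory does not silently rank findings as low.
    """
    score = cvss * ASSET_CRITICALITY.get(host, 2)
    if exploitable:
        score *= 1.5
    return round(score, 2)


def triage(score):
    """Map a weighted score to an action band (assumed thresholds)."""
    if score >= 30:
        return "fix now"
    if score >= 12:
        return "schedule"
    return "track"


def rank_findings(findings):
    """Return [(host, finding, score, band)] sorted highest risk first."""
    scored = [(h, f, risk_score(h, c, e)) for h, f, c, e in findings]
    scored.sort(key=lambda item: item[2], reverse=True)
    return [(h, f, s, triage(s)) for h, f, s in scored]


if __name__ == "__main__":
    for host, finding, score, band in rank_findings(FINDINGS):
        print(f"{score:6.2f}  {band:9s}  {host:10s}  {finding}")
```

The same CVSS 7.5 finding lands in different bands on the two hosts, which is the point: the scanner output is the raw material, and the auditor's value is in the weighting and the validation of which flagged items are actually exploitable.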
PENETRATION TEST
The penetration test is intended to assess the prevention, detection, and correction controls of a
network by attempting to exploit vulnerabilities and gain control of systems and services.
Penetration testers (also known as pentesters) scan for vulnerabilities as part of the process just
like a vulnerability assessment, but the primary difference between the two is that a pentester
Also attempts to exploit those vulnerabilities as a method of validating that there is an exploitable
weakness.
Successfully taking over a system does not show all possible vectors of entry into the network, but
can identify where key controls fail. If someone is able to exploit a device without triggering any
alarms, then detective controls need to be strengthened so that the organization can better monitor
for anomalies.
Security control testing is an art form in addition to a technical security discipline. It takes a
certain type of individual and mind-set to figure out new vulnerabilities and exploits.
Penetration testers usually fit this mould, and they must constantly research new attack techniques
and tools.
Auditors, on the other hand, might not test to that degree and will more than likely work with a
penetration tester or team if a significant level of detailed knowledge is required for the audit.
When performing these types of engagements, three classes of penetration test can be conducted,
differentiated by how much prior knowledge the penetration tester has about the system.
PENETRATION TEST TYPES
White-box
Black-box
Gray-box
RED TEAM/BLUE TEAM ASSESSMENT
The terms red and blue team come from the military where combat teams are tested to determine
operational readiness.
In the computer world, a red and blue team assessment is like a war game, where the organization
being tested is put to the test in as real a scenario as possible. Red team assessments are intended to
show all of the various methods an attacker can use to gain entry.
It is the most comprehensive of all security tests. This assessment method tests policy and
procedures, detection, incident handling, physical security, security awareness, and other areas that
can be exploited. Every vector of attack is fair game in this type of assessment.
This is used to simulate attacks and to test the ability to develop defences against them. The red
team is designated as the attacker and the blue team as the builder of the defence mechanisms.
The two teams sharpen an organization's detection and response capability through sharing
of intelligence data, understanding threat actors' tactics, techniques and procedures (TTPs), mimicking
these TTPs through a series of scenarios, and configuring, tuning and improving the detection and
response capability.
Penetration tests as part of auditing can be conducted in several ways. The most common difference
is the amount of knowledge of the implementation details of the system being tested that are
available to the testers.
Black box testing
The testers must first determine the location and extent of the systems before commencing their analysis.
White box testing
This provides the testers with complete knowledge of the infrastructure to be tested, often including
network diagrams, source code, and IP addressing information.
Grey box testing
These are the several variations in between the white and the black box, where the testers have partial
information.
Penetration tests can also be described as "full disclosure" (white box), "partial disclosure" (grey box), or
"blind" (black box) tests, based on the amount of information provided to the testing party.
FEATURES AND USES
Black box testing simulates an attack from someone who is unfamiliar with the system.
White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive
information, where the attacker has access to source code, network layouts, and possibly even
some passwords.
White box techniques involve direct analysis of the application’s source code, and black box
techniques are performed against the application’s binary executable without source code
knowledge. Most assessments of custom applications are performed with white box techniques,
since source code is usually available—however, these techniques cannot detect security defects in
interfaces between components, nor can they identify security problems caused during
compilation, linking, or installation-time configuration of the application.
White box techniques still tend to be more efficient and cost-effective for finding security defects
in custom applications than black box techniques.
Black box techniques should be used primarily to assess the security of individual high-risk
compiled components; interactions between components; and interactions between the entire
application or application system with its users, other systems, and the external environment.
Black box techniques should also be used to determine how effectively an application or
application system can handle threats.
Auditors should have a base knowledge of testing tools and techniques. Using testing frameworks
is a useful way to develop a technical testing plan.
RELIANCE ON CHECKLISTS AND TEMPLATES
It is important to develop and use standard checklists for audits as this ensures that data is
collected in a uniform manner.
One must ensure the templates and checklists are agreed upon prior to use and from recognized
sources. These should be understood commonly by all participating in the audit.
It is important that those carrying out the audit understand the importance of capturing information
in detail.
ROLE OF AN AUDITOR
The role of the auditor is to identify, measure, and report on risk. The auditor is not tasked to fix
the problem, but to give a snapshot in time of the effectiveness of the security program.
Auditors ask the questions, test the controls, and determine whether the security policies are
followed in a manner that protects the assets the controls are intended to secure by measuring the
The auditor is responsible for planning and conducting audits in a manner that is fair and
The auditing charter or engagement letter defines the conduct and responsibilities of an auditor.
Depending on how a company’s auditing program is structured, ultimate accountability for the
Auditors are usually required to present a report to management about the findings of the audit and
Inspect and evaluate financial and information systems, management procedures and security
controls
Evaluate the efficiency, effectiveness and compliance of operation processes with corporate security
Execute and properly document the audit process on a variety of computing environments and
computer applications
RESPONSIBILITIES
Assess the exposures resulting from ineffective or missing control practices
Weigh the relevancy, accuracy and perspective of conclusions against audit evidence provide a
Work with management to ensure security recommendations comply with company procedure
Collaborate with departments to improve security compliance, manage risk and bolster
effectiveness
AUDITOR ACTIVITIES
The following tasks and activities are carried out by the auditor in discharging their responsibilities:
Auditing the information asset management process will verify that the critical assets are being
managed in accordance with the IT/IS policies.
The auditor audits the information security and privacy policies and standards. The auditor begins
with policies and standards related to access control, data classification and network security.
In addition, they focus on other policies and standards such as vendor management, vulnerability
management and data leakage prevention.
One of the important roles of audit is to verify that the policies and standards are not just
documented but are actually being implemented by users across the enterprise. This verification
can be accomplished by performing an audit of the security training and awareness program
Instead of focusing on the actual access of each user, the auditor focuses on the IAM process and
verifies that the IAM process is working as designed.
Auditing an automated IAM process ensures the integrity of the process. The audit also focuses on
the workflow, which includes the approval hierarchy. Several IAM vendors are starting to provide
mechanisms to incorporate segregation of duties (SoD) checks within the workflow.
If an organization has incorporated the SoD checks in the workflow, it is important to include this
process within its audit scope.
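One way an auditor can re-perform the SoD and approval-workflow checks independently of the IAM tool's own report, as an added Python example that is not part of these notes (the SoD rule set, the entitlement export, the approval log and the approver hierarchy are all constructed sample data):

```python
# Added example (not from the original notes): an auditor re-performs the IAM
# SoD check from a user/role export and the approval-workflow log.
from collections import defaultdict
from itertools import combinations

# Constructed SoD rule set: entitlement pairs one person must never hold together.
SOD_RULES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_journal", "post_journal"}),
    frozenset({"change_firewall", "approve_firewall_change"}),
}

# Constructed IAM export: user -> entitlements currently active.
ENTITLEMENTS = {
    "alice": {"create_vendor"},
    "bob": {"create_vendor", "approve_payment"},              # toxic pair
    "carol": {"submit_journal", "view_reports"},
    "dave": {"change_firewall", "approve_firewall_change"},   # toxic pair
}

# Constructed approval-workflow log: one record per granted entitlement.
APPROVALS = [
    {"user": "alice", "entitlement": "create_vendor", "approver": "mgr1"},
    {"user": "bob", "entitlement": "create_vendor", "approver": "mgr1"},
    {"user": "bob", "entitlement": "approve_payment", "approver": "bob"},  # self-approved
    {"user": "carol", "entitlement": "submit_journal", "approver": "mgr2"},
    # carol's "view_reports" has no approval record at all
    {"user": "dave", "entitlement": "change_firewall", "approver": "mgr2"},
    {"user": "dave", "entitlement": "approve_firewall_change", "approver": "intern"},
]
APPROVER_HIERARCHY = {"mgr1", "mgr2", "ciso"}   # constructed approval hierarchy


def sod_violations(entitlements, rules):
    """Return {user: [conflicting pairs]} for every toxic combination a user holds."""
    findings = defaultdict(list)
    for user, held in entitlements.items():
        for a, b in combinations(sorted(held), 2):
            if frozenset({a, b}) in rules:
                findings[user].append((a, b))
    return dict(findings)


def workflow_exceptions(entitlements, approvals, approvers):
    """Return (user, entitlement, reason) for each active grant that was never
    approved, was self-approved, or was approved by someone outside the hierarchy."""
    approved = {(r["user"], r["entitlement"]): r["approver"] for r in approvals}
    exceptions = []
    for user, held in entitlements.items():
        for ent in sorted(held):
            approver = approved.get((user, ent))
            if approver is None:
                exceptions.append((user, ent, "no approval record"))
            elif approver == user:
                exceptions.append((user, ent, "self-approved"))
            elif approver not in approvers:
                exceptions.append((user, ent, f"approver {approver} not in hierarchy"))
    return exceptions
```

Both functions return audit findings rather than relying on the IAM tool's own verdict, so the same test can be run over a fresh export on each audit cycle.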
During the audit of policies and standards, the auditor should understand how the policies and
standards are being communicated across the enterprise.
Every organization has a communication method (e-mail, posting on an intranet web page, periodic
security seminars, monthly security awareness training, lunch-n-learns, etc.).
The responsible auditor should determine if logging is enabled in critical systems. Where logs are
enabled, the auditor verifies that there is a process for monitoring.
The auditor also verifies that the process has been assigned to a person and that this person is
executing this process. The focus here is on data leakage prevention (DLP).
Besides verifying that the proper access is granted to each individual, the auditor focuses on how
the approved users are using the data assets.
Are data being encrypted properly before they are sent outside of the organization? Depending on
an organization’s DLP policy, the SIEM system can potentially help the auditor determine if the
data are being copied on USB drives and leaving the organization.
In today’s business environment, governance, risk management and compliance (GRC) processes are
critical to the auditor. The auditor examines corporate governance processes and verifies that an
infrastructure has been created to identify and manage risks.
The governance structure should be active and ongoing, which means that the executives should
conduct periodic meetings to address risks.
The auditor also identifies all relevant regulations and industry standards and performs periodic
compliance reviews based on identified and relevant risks. Noncompliance should be tracked and
managed by executive management.
The internal auditor should identify how the organization is connected to the outside, and who on
the outside is connected to the organization. There is a total reliance by some organizations on
Statement on Auditing Standards No. 70 (SAS 70) Type II reports for review of external vendors.
While SAS 70 is good, it is not final. The auditor first verifies that there is a policy in place to
address third-party connections.
In addition to the SAS 70 report, the organization should periodically perform its own audit of the
vendor to certify that its policies and security needs are being adequately addressed (the
organization may have to ensure that the vendor contracts allow for this audit).
Changes performed by the third-party vendor on systems affecting the organization should follow
the organization’s normal change management process.
Also, the auditor should follow the entire process within the extended enterprise where the critical
data assets reside. For example, an enterprise may do an exceptional job of protecting critical data
assets within the enterprise, but an unencrypted backup tape can fall off a vendor’s truck and
expose critical information and put the enterprise at risk.
An audit of the entire process will definitely reduce the risks associated with the extended
enterprise. This extended enterprise may exist globally and could add more complexity to the audit
plans.
The auditor verifies that a business continuity plan exists and is maintained and tested periodically.
The auditor should also make sure that the plan covers all the risks associated with the business and
that it is enough to keep the business in operation in times of disruption.
The IT auditor should understand the difference between business continuity and disaster recovery
and make sure that each is adequately addressed and periodically tested.
The auditor identifies a catalog of IT initiatives, reviews the business reasons for the project and
identifies the executive sponsor for the project.
The auditor obtains and reviews the management reports from IT to executive management and
verifies that sufficient information is provided to management.
The auditor verifies that IT initiatives are adequately aligned with business objectives.
INFORMATION SECURITY AUDIT
CONSULTANTS
Information security audit consultants – these consultants (individual or organizations) are usually
found in advising or auditing roles for information security.
Management
Technical
Forensic
INFORMATION SECURITY AUDIT CONSULTANTS
The first step in hiring a reliable consultant is to define the requirements of the job.
Does it involve the analysis of risk, implementation of security systems, regulatory compliance,
management consulting, training or defence of an inadequate security claim? Only after the
requirements of the job are defined can you select the right type of consultant to complete the
work.
If your consultant is not independent, you should know about his or her relationship with a
product or service line and understand that it may result in a conflict of interest.
HIRING AN INFORMATION SECURITY AUDITOR
The following points have to be borne in mind before hiring an audit company as auditor:
Does the consultant organization offer a comprehensive suite of services, tailored to specific
requirements?
Does the consulting organization have a track record of having handled a similar assignment for security
consulting?
Do the organization’s security professionals hold certificates such as CISSP, CISA, CSM and CIPP?
Is the organization a recognized contributor within the security industry in terms of research and
publication etc.?
REQUIRED SKILLS SETS OF AN INFORMATION
SECURITY AUDITOR
A good auditor requires the following skills and knowledge in the various areas listed below:
Access control
System software
Segregation of duties
Service continuity
Application controls
ORGANIZATION WIDE SECURITY PROGRAM
PLANNING AND MANAGEMENT
Knowledge of the legislative requirements for an agency security program
Knowledge of the sensitivity of data and the risk management process through risk assessment
and risk mitigation
Ability to analyse and evaluate an organization’s security policies and procedures and identify
their strengths and weaknesses
ACCESS CONTROL
Knowledge across platforms of the access paths into computer systems and of the functions of associated
hardware and software providing an access path
Knowledge of access level privileges granted to users and the technology used to provide control to them
Knowledge of the procedures, tools, and techniques that provide for good physical, technical, and
administrative controls over access
Ability to analyse and evaluate an organization’s access controls and identify the strengths and
weaknesses
Skills to review security software reports and identify access control weaknesses
Skills to perform penetration testing of the organization’s applications and supporting computer systems
APPLICATION SOFTWARE DEVELOPMENT AND
CHANGE CONTROL
Knowledge of the concept of a system life cycle and of the system development life cycle (SDLC)
process
Knowledge of the auditor’s role during system development and of federal guidelines for
designing controls into systems during development
Knowledge of the procedures, tools, and techniques that provide control over application software
development and modification
Knowledge of the risks associated with the development and modification of application software
Ability to analyse and evaluate the organization’s methodology and procedures for system
development and modification and identify the strengths and weaknesses
SYSTEM SOFTWARE
Knowledge of the procedures, tools, and techniques that provide control over the implementation,
modification, and use of system software
Ability to analyse and evaluate an organization’s system software controls and identify the
strengths and weaknesses
SEGREGATION OF DUTIES
Knowledge of the different functions involved with information systems and data processing and of
the incompatible duties associated with these functions
Knowledge of the risks associated with inadequate segregation of duties
Ability to analyse and evaluate an organization’s organizational structure and segregation of duties
and identify the strengths and weaknesses
SERVICE CONTINUITY
Knowledge of the procedures, tools, and techniques that provide for service continuity
Knowledge of the risks that exist when measures are not taken to provide for service continuity
Ability to analyse and evaluate an organization’s program and plans for service continuity and
identify the strengths and weaknesses
APPLICATION CONTROLS
Knowledge about the practices, procedures, and techniques that provide for the authorization,
completeness, and accuracy of application data
Ability to analyse and evaluate an organization’s application controls and identify the strengths
and weaknesses
Skills to use a generalized audit software package to conduct data analyses and tests of application
data, and to plan, extract, and evaluate data samples
Auditors performing tasks in two of the above areas, access controls (which includes penetration
testing) and system software, require additional specialized technical skills. Such technical
specialists should have skills in one or more of the categories listed below:
Network analyst
Ability to perform external and internal vulnerability tests with manual and automated tools
Unix analyst
Ability to evaluate the configuration of servers and the major applications hosted on servers
Ability to perform internal vulnerability tests with manual and automated tools
Database analyst
Understanding of the control considerations of the typical application designs that use database
systems
Detailed understanding of the design and function of the major components of the operating system
Ability to develop or modify tools necessary to extract and analyse control information from
mainframe computers
Ability to use audit software tools
Ability to analyse modifications to system software components
Mainframe access control analyst
Detailed understanding of auditing access control security software such as ACF2, Top Secret, and
RACF
Ability to develop or modify tools to extract and analyse access control information
The Information Systems Audit and Control Association (ISACA) set forth a code governing the
professional conduct and ethics of all certified IS auditors and members of the association. ISACA
expects every CISA to be bound to uphold this code.
The following points form part of this code: the auditor agrees to
Support the implementation of, and encourage compliance with, appropriate standards and procedures for
the effective governance and management of enterprise information systems and technology, including:
audit, control, security and risk management.
Perform their duties with objectivity, due diligence and professional care, in accordance with professional
standards. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of
conduct and character, and not discrediting their profession or the association.
Maintain the privacy and confidentiality of information obtained in the course of their activities
unless disclosure is required by legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
Maintain competency in their respective fields and agree to undertake only those activities they
can reasonably expect to complete with the necessary skills, knowledge and competence.
Inform appropriate parties of the results of work performed including the disclosure of all
significant facts known to them that, if not disclosed, may distort the reporting of the results.
Support the professional education of stakeholders in enhancing their understanding of the
governance and management of enterprise information systems and technology, including:
Audit, control, security and risk management. The failure of a CISA to comply with this code
of professional ethics may result in an investigation with possible sanctions or disciplinary
measures.
ETHICS OF AN INFORMATION SECURITY
AUDITOR
Their code also states that:
Ethics statements are necessary to demonstrate the level of honesty and professionalism expected of
every auditor.
Overall, the profession requires them to be honest and fair in all representations they make.
The goal is to build trust with clients. Their behaviour should reflect a positive image on their
profession.
All IS auditors depend on them to help maintain the high quality and integrity that clients
expect from a CISA.
WHAT MAKES AN INFORMATION SECURITY AUDITOR
Certification is often highly recommended and may be required by some employers prior to hiring.
This has uplifted the status of the CISA designation, which is often a mandatory qualification for an
information systems auditor.
ABOUT CISA
This certification is recognized worldwide as completion of a standardized security auditing
certification program.
The Information Systems Audit and Control Association (ISACA) is a world-recognized body that was
founded in 1969.
The CISA examination and certification were initiated by ISACA in 1978, to address industry
requirements.
CISA
The CISA designation is awarded to individuals with an interest in information systems auditing,
control and security who meet the following requirements:
It is important to note that many individuals choose to take the CISA exam prior to meeting the
experience requirements. This practice is acceptable and encouraged although the CISA
designation will not be awarded until all requirements are met.
ABOUT CISSP
Backed by (ISC)², the globally recognized, not-for-profit organization dedicated to advancing the
information security field.