
UNIT 7

INFORMATION SECURITY AUDIT AND FEATURES

INFORMATION SYSTEMS AUDIT VERSUS INFORMATION SECURITY AUDIT - SCOPE OF THE AUDIT - CONSTRAINTS OF A SECURITY AUDIT - TYPES OF SECURITY AUDITS - PHASES OF INFORMATION SECURITY AUDIT - INFORMATION SECURITY AUDIT METHODOLOGY - SECURITY TESTING FRAMEWORKS - AUDIT PROCESS - AUDITING SECURITY PRACTICES - TESTING SECURITY TECHNOLOGY - ROLE OF AN AUDITOR - AUDITOR ACTIVITIES - INFORMATION SECURITY AUDIT CONSULTANTS - REQUIRED SKILL SETS OF AN INFORMATION SECURITY AUDITOR

• An information security audit is one of the best ways to determine the security
of an organization's information without incurring the cost and other associated
damages of a security incident.
• Information system audit and information security audit are two tools that are
used to ensure safety and integrity of information and sensitive data.
INFORMATION SECURITY AUDIT

• The three main types of security diagnostics:

• Information security audits
• Vulnerability assessments
• Penetration testing

• Security audits are a formal process, carried out by certified auditing professionals to measure an information system's performance against a list of criteria.
INFORMATION SECURITY AUDIT

• Computer security auditors work with the full knowledge and support of the organization in order to carry out the audit. This usually includes receiving documentation and access from the organization's representative.

• A security analyst may be assigned to support and facilitate the audit.

• Computer security auditors perform their work through personal interviews, reviewing policies, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data and logs.
PURPOSES OF AUDITS

Some of the purposes of audits are listed below:

• Building awareness of current practices and risks
• Reducing risk by evaluating, planning and supplementing security efforts
• Strengthening controls, both automated and human
• Complying with customer and regulatory requirements and expectations
• Building awareness and interaction between technology and business teams
• Improving overall IT governance in the organization



SCOPE OF THE AUDIT

The scope of the audit depends upon:

• Business plan
• Type of data assets to be protected
• Value or importance of the data and its relative priority
• Previous security incidents
• Time available
• Auditors' experience and expertise
WHAT SHOULD BE COVERED IN AUDITS

• Access control
• Accountability and audit
• Application hosting
• Application penetration
• Application security
• Application support
• Application testing
• Awareness and training
• Business continuity
• Certification, accreditation and security assessments
• Computer assets, servers and storage networks
• Configuration management
• Content management
• Contingency planning
• Disaster recovery planning
• Endpoints/edge devices
• Identification, authentication and access management
• Incident response
• Infrastructure devices (e.g. routers, firewall services)
• Intrusion detection/prevention
• Maintenance
• Media protection
• Messaging
• Networks (wired and wireless)
• Personnel security
• Physical and environmental protection
• Risk assessment
• Security incident management
• Security of infrastructure
• Security planning
• Software
• Storage devices
• System and information integrity
• System services and acquisition
• Systems and communications protection
• Third party security management
• Web security

There are a number of key questions that security audits attempt to answer, which include but are not limited to:

• Are passwords secure and difficult to crack?
• Are access control lists (ACLs) in place on network devices to control who has access to shared data?
• Are there audit logs that record who accesses data?
• Are the audit logs reviewed effectively, and how are they reviewed?
• Are the security settings for operating systems in accordance with accepted industry security practices?
• How are unnecessary applications and computer services managed? Are they eliminated in a timely and effective manner for each system?
• Are the operating systems and commercial applications patched? How and when did the patching take place?
• How is backup media stored? What is the backup policy and is it followed? Who has access to the backup media, and is it up to date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan? Does it have gaps in its construct?
• Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
• What security considerations were used while writing custom-built applications? Are these adequate and well documented?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level? How are these records reviewed, and who conducts the review?

• The duration of the cross-cutting audit depends on the size as well as the complexity of the organization.

• The size of the organization is determined by the number of employees and locations.

The level of complexity of an organization can only be determined on an organization-by-organization basis, according to criteria such as the following:

• What does the system landscape look like (number of systems and level of heterogeneity of the systems used)?
• How many network gateways are there?
• Which and how many IT applications are used in the organization? Are they used to support critical business processes?
• Are higher-level procedures used that may affect realms outside of the organization?
• How high is the protection requirement for the infrastructure, systems, and IT applications?
• Is the organization active in areas critical to security (for example, is it a security agency)?
ELEMENTS OF A GOOD SECURITY AUDIT

• The IS auditing standards developed and disseminated by the Information Systems Audit and Control Association (ISACA) are already in circulation and can be consulted for further information.

• A good security audit is part of a regular and comprehensive framework of information security.

• A good security audit will likely include the following:

• Clearly defined objectives.
• Comprehensive coverage of security: a cross-cutting audit across the entire organization. Partial audits may be done for specific purposes.
• An unrestricted right to obtain and view information.
• An audit team that is experienced, independent and objective. Every audit team should consist of at least two auditors to guarantee the independence and objectivity of the audit ("two-person rule"). Their credentials should be verifiable.
• Important IS audit meetings such as the opening and closing meetings, as well as the interviews, should be conducted as a team. This procedure ensures objectivity, thoroughness, and impartiality.
• No member of the audit team, for reasons of independence and objectivity, should have participated directly in supporting or managing the areas to be audited; e.g. they must not have been involved in the development of concepts or the configuration of the IT systems.
• When initiating the audit, it should be ensured that actual operations in the organization are not significantly disrupted by it. The auditors never actively intervene in systems, and therefore should not give any instructions for making changes to the objects being audited.
• Management responsibility for supporting the conduct of a fair and comprehensive audit.
• Appropriate communication, appointment of a central point of contact, and other support for the auditors. The execution is planned and carried out in a phase-wise manner.
FUNCTIONS IN AN AUDIT

All audits have common functions that must be performed if they are to be successful. These usually
include:

1. Define the security perimeter – what is being examined?

Determine how intensive the audit is going to be. Are all facets of the organization to be examined, or is this to be a common 'security' audit based on the IT infrastructure?

Detail how intrusive the audit is. It is important to avoid adversely impacting the production environment during the audit process, whether through equipment downtime or personnel being taken away from their primary duties to participate in the audit.

Does the corporation have existing methodologies to actively mitigate risk on an ongoing basis?
FUNCTIONS

2. Describe the components – and be detailed about it.

• Assemble a detailed list of the components within the security perimeter. While this is not an exhaustive list, these devices often include:
• Computing equipment (mainframes, servers, desktops, laptops, terminals).
• Networking equipment (firewalls, routers, switches, hubs, and UPS devices).
• Communications equipment (PBX, phones, cell/smart phones, PDAs, fax machines).
• Input/output devices (printers, copiers, scanners, cameras, web-cams, tablets).
• Data storage (databases: sales, customer, employee, other; email, voicemail, files on server, files in cabinets, customer and employee information, log files).
• Common security items (passwords, access scanners/cards and ID cards, physical security, data diagrams, daily schedules and employee activity charts).
• Internet exposure (company websites: internet and intranet, collaborative sites, outbound access availability and restrictions, open ports and other visible devices).
FUNCTIONS

3. Determine threats – what kinds of damage could be done to the systems?

• Generate a list of threat vectors based on the scope of the audit. For example, if physical security is beyond the scope of the audit you won't have to check whether the server room is locked.
• Examine each type of device on the components list for known vulnerabilities.

4. Delineate the available tools – what documents and tools are in use or need to be created?

• Assemble the various documents and diagrams of the systems under audit.
• Gather the tools already in use to mitigate risk.
• Determine if the existing tools are functional.
• Determine if new tools are needed.
FUNCTIONS

5. Reporting mechanism – how will you show progress and achieve validation in all areas?

Determine what the reporting mechanism will be.

• What is the report format?
• Who will sign off on the report as being acceptable?
• Who determines that a specific threat on a particular component is mitigated?

6. Review history – is there institutional knowledge about existing threats?

• Determine what threats existed in the past and determine if those have been mitigated.
• Interview members of the institution to determine if any known threats exist.
FUNCTIONS

7. Determine network access control list – who really needs access to this?

• Develop a matrix of all personnel that need access to each device on the component chart.
• Develop a matrix of all devices that need access to other devices on the component chart.
• Each device on the component list should have a minimal set of entry points.
• How much privilege is required for each person or system to perform their functions?

8. Prioritize risk – calculate risk as risk = probability * harm

• Given the list of possible threats, what is the probability that a given threat will materialize?
• If a threat were to materialize, how great would its impact be?
• Establish the greatest pain points for the company. Determine whether the approach is to work on the big stuff first, or to get all of the minor issues out of the way before making any major changes.
FUNCTIONS

9. Delineate mitigation plan – what are the exact steps required to minimize the threats?

• Generate a detailed project plan to reach the goal. Include tasking, timelines, costs, reporting methods, checkpoints – all the components of a successful project plan are necessary.
• Ensure that the organization is in agreement with the plan to mitigate risks.

10. Implement procedures – start making changes.

• Begin the mitigation process, using the priority decided upon by the stakeholders.
FUNCTIONS

11. Review results – perform an after action review (AAR) on the audit process

• Perform a standard AAR on the audit.

• What went well?
• What process needs revision before it will go well?
• What issues are still outstanding at this time?
• Who is responsible for ensuring that outstanding issues will be addressed?
• What is the timeline for issue resolution?
• Who will validate issue resolution?

• Risks that are extremely unlikely to happen but that have the potential to cause catastrophic damage are called 'black swans'.

• These risks are often not cost effective to address, so a formal acceptance of these risks by management may be the only strategy available.

• Every audit needs to have management's participation to be completely successful.
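The following is an added example (not code from the original slides) that works step 8, risk = probability * harm, over a constructed threat register, ranks the entries for the mitigation plan, and sets aside the 'black swans' from step 11 as candidates for formal management acceptance. The 1..10 harm scale, the black-swan thresholds and every entry in the register are assumptions made for the example.

```python
"""Risk prioritisation for an audit threat register.

Added example, not code from the original slides. It applies step 8 of the audit
functions above (risk = probability * harm), ranks the threats for the mitigation
plan, and separates out the 'black swans' (extremely unlikely but catastrophic)
that usually end up as a formal management risk acceptance instead. The threat
register, the 1..10 harm scale and the black-swan thresholds are constructed
assumptions, not values from the page.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed thresholds: "extremely unlikely" and "catastrophic" on a 1..10 harm scale.
BLACK_SWAN_MAX_PROBABILITY = 0.05
BLACK_SWAN_MIN_HARM = 9


@dataclass(frozen=True)
class Threat:
    component: str      # asset from the component list (step 2)
    vector: str         # threat vector from step 3
    probability: float  # 0.0..1.0: chance the threat materialises in the review period
    harm: int           # 1..10: impact on the business if it does

    @property
    def risk(self) -> float:
        # Step 8 of the audit functions: risk = probability * harm
        return self.probability * self.harm


def validate(threat: Threat) -> None:
    """Reject register entries outside the agreed scales before they skew the ranking."""
    if not 0.0 <= threat.probability <= 1.0:
        raise ValueError(f"{threat.component}: probability must be in [0, 1]")
    if not 1 <= threat.harm <= 10:
        raise ValueError(f"{threat.component}: harm must be in [1, 10]")


def is_black_swan(threat: Threat) -> bool:
    """Extremely unlikely but catastrophic: candidate for formal management acceptance."""
    return (threat.probability <= BLACK_SWAN_MAX_PROBABILITY
            and threat.harm >= BLACK_SWAN_MIN_HARM)


def prioritise(register: list[Threat]) -> tuple[list[Threat], list[Threat]]:
    """Split the register into a ranked mitigation list and the black swans.

    Ties on risk are broken by harm (worse impact first), then by component name,
    so the ordering is repeatable between audit runs.
    """
    for threat in register:
        validate(threat)
    swans = [t for t in register if is_black_swan(t)]
    mitigate = [t for t in register if not is_black_swan(t)]
    mitigate.sort(key=lambda t: (-t.risk, -t.harm, t.component))
    return mitigate, swans


def report(register: list[Threat]) -> list[str]:
    """One line per threat, in the order the mitigation plan should tackle them."""
    mitigate, swans = prioritise(register)
    lines = [f"{i}. {t.component}: {t.vector} "
             f"(p={t.probability:.2f}, harm={t.harm}, risk={t.risk:.2f})"
             for i, t in enumerate(mitigate, start=1)]
    lines += [f"ACCEPT? {t.component}: {t.vector} (p={t.probability:.2f}, harm={t.harm}) "
              f"- black swan, needs management sign-off"
              for t in swans]
    return lines


# Constructed sample register. The two RCE entries illustrate the point made under
# "Security assessment" on this page: the same vulnerability ranks differently on
# a financial server and on a print server because the harm differs.
SAMPLE_REGISTER = [
    Threat("financial server", "unpatched RCE in web framework", 0.30, 9),
    Threat("print server", "unpatched RCE in web framework", 0.30, 3),
    Threat("laptops", "theft of unencrypted device", 0.20, 6),
    Threat("data centre", "flood destroys primary site", 0.01, 10),
    Threat("workstations", "phishing leads to credential theft", 0.60, 5),
]

if __name__ == "__main__":
    for line in report(SAMPLE_REGISTER):
        print(line)
```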


CONSTRAINTS OF A SECURITY AUDIT

• Time constraints
• Third party access constraints
• Business operations continuity constraints
• Scope of audit engagement
• Technology tools constraints
TYPES OF SECURITY AUDITS

Broadly, there are two types of audit, internal and external.

External audits are commonly conducted by independent, certified parties in an objective manner. They are scoped in advance and limited to identifying and reporting any implementation and control gaps based on stated policies and standards such as COBIT (Control Objectives for Information and Related Technology). Ultimately the objective is to lead the client to a source of accepted principles, sometimes correlated with current best practices.

Internal audits are usually conducted by experts linked to the organization, and involve a feedback process where the auditor may not only audit the system but also potentially provide advice in a limited fashion. They differ from the external audit in allowing the auditor to discuss mitigation strategies with the owner of the system that is being audited.
TYPES OF SECURITY AUDITS

• There is a large variety of audit types based on the standards followed. Some examples include SSAE 16 audits (type I or II), audits against ISO 9001, ISO/IEC 17799, ISO/IEC 27001 and the ISO 27018 cloud security standard, and audits of industry-specific standards such as HIPAA controls.

• Within the broad scope of auditing information security there are multiple types of audits, multiple objectives for different audits, etc. Audits can be broken down into a number of types, from the simple analysis of security architecture based on opinion, to a full-blown, end-to-end audit against a security framework such as ISO 27001. Auditing information security covers topics from auditing the physical security of data centres to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas. When centred on the IT aspects of information security, it can be seen as a part of an information technology audit. It is often then referred to as an information technology security audit or a computer security audit. However, information security encompasses much more than IT.
SECURITY REVIEW

• A security review is when the security posture of an organization is examined based on professional experience and opinion.
• In this type of examination, issues that stand out are sought as a way to help define the starting point for further activities. Running a vulnerability scanner such as Nessus would fall under this category.
• The tool generates a list of potential security issues, but the data must be analysed further to determine what needs to be acted on.
• This is the most basic form of security analysis, and the primary output is in the form of an opinion. Examples include: penetration test, vulnerability scan, architecture review, policy review, compliance review, risk analysis.
SECURITY ASSESSMENT

• Security assessments utilize professional opinion and expertise, but they also analyse the output for relevancy and criticality to the organization.
• The analysis aspect of an assessment attempts to quantify the risk associated with the items discovered to determine the extent of the problem.
• If an organization has two servers with the same vulnerability, but one is the financial server and the other operates as a print server, a security assessment would rank the financial server as a high risk and the print server as a lower risk based on the severity and damage potential.
• The biggest differentiator between an assessment and a review is the depth to which the auditor examines the system and analyses the results.
• Examples include: vulnerability assessment, risk assessment, architecture assessment, policy assessment.
SECURITY AUDIT

• A security audit examines the organization's security posture against an industry standard (ISO 27001 or COBIT) and/or industry regulatory compliance such as HIPAA or PCI.
• An audit includes review and assessment; it also conducts a gap analysis against standards to measure how well the organization complies.
• Audits take into account people, processes, and technologies, and compare them to a benchmark in a standardized and repeatable way.
• Examples include: compliance audit, policy audit, procedure audit, risk audit.
AUDITS

Some of the specific audits that can be included in the above categories are:

• Penetration test
• Architecture, design and code review
• Vulnerability audit
• Wireless systems audit
• Embedded systems audit
• Web application security audit
• Information protection audit
• Mobile application security audit
• Roles and rights audit
• Audit of the overall concept
• Endpoint audit (clients)
• Digital guard service
• IT risk analyses
• Configuration audit (firewalls, servers, etc.)
• Access control audit / social engineering
PHASES OF INFORMATION SECURITY AUDIT

The phases of an information security audit are:

• Pre-audit agreement stage
• Initiation and planning stage
• Data collection and fieldwork (test phase)
• Analysis
• Reporting
• Follow-through
PRE-AUDIT AGREEMENT STAGE

• Agree on the scope and objective of the audit. Agree on the level of support that will be provided.

• Agree on locations, duration and other parameters of the audit. Agree on financial and other considerations.

• Confidentiality agreements and contracting are to be completed at this stage.

• Developing/creating a formal agreement (e.g., statement of work, audit memorandum, or engagement memo) to state the audit objectives, scope, and audit protocol.
INITIATION AND PLANNING STAGE

• Conducting a preliminary review of the client's environment, mission, operations, policies, and practices. Performing risk assessments of the client environment, data, and technology resources.

• Completing research of regulations, industry standards, practices, and issues. Reviewing current policies, controls, operations, and practices.

• Holding an entrance meeting to review the engagement memo, to request items from the client, to schedule client resources, and to answer client questions.

• This will also include laying out the timeline and the specific methods to be used for the various activities.
DATA COLLECTION AND FIELDWORK
(TEST PHASE)
• This stage is to accumulate and verify sufficient, competent, relevant, and useful evidence to reach a conclusion related to the audit objectives and to support audit findings and recommendations.

• During this phase, the auditor will conduct interviews, observe procedures and practices, perform automated and manual tests, and carry out other tasks.

• Fieldwork activities may be performed at the client's worksite(s) or at remote locations, depending on the nature of the audit.
ANALYSIS

• Analyses are performed after documentation of all evidence and data, to arrive at the audit findings and recommendations. Any inconsistencies or open issues are addressed at this time.

• The auditor may remain on-site during this phase to enable prompt resolution of questions and issues.

• At the end of this phase, the auditor will hold an exit meeting with the client to discuss findings and recommendations, address client questions, discuss corrective actions, and resolve any outstanding issues.

• A first draft of the findings and recommendations may be presented to the client during the exit meeting.
REPORTING

• Generally, the information security audit program will provide a draft audit report after completing fieldwork and analysis.

• If, based on the client's response, changes are required to the draft, the auditor may issue a second draft.

• Once the client is satisfied that the terms of the audit have been complied with, the final report will be issued with the auditor's findings and recommendations.
FOLLOW-THROUGH

• Depending on expectations and agreements, the auditor will evaluate the effectiveness of the corrective action taken by the client and, if necessary, advise the client on alternatives that may be utilized to achieve the desired improvements.

• In larger, more complex audit situations, follow-up may be repeated several times as additional changes are initiated. Additional audits may be performed to ensure adequate implementation of recommendations.

• The level of risk and the severity of the control weakness or vulnerability dictate the time allowed between the reporting phase and the follow-up phase.

• The follow-up phase may require additional documentation for the audit client.
INFORMATION SECURITY AUDIT
METHODOLOGY
Need for a methodology

Audits need to be planned and have a certain methodology to cover the total material risks of an organization.

A planned methodology is also important as this clarifies the way forward to all in the organization and the audit teams. Which methodology and technique is used is less important than having all the participants within the audit approach the subject in the same manner.

Audit methodologies

There are two primary methods by which audits are performed: start with the overall view of the corporate structure and drill down to the minutiae, or begin with a discovery process that builds up a view of the organization.
TYPES OF AUDITING METHODS

Audit methods may also be classified according to the type of activity. These include three types:

Testing – pen tests and other testing methodologies are used to explore vulnerabilities. In other words, exercising one or more assessment objects to compare actual and expected behaviors.

Examination and review – this includes reviewing policies, processes, logs, other documents, practices, briefings, situation handling, etc. In other words, checking, inspecting, reviewing, observing, studying, or analyzing assessment objects.

Interviews and discussion – this involves group discussions, individual interviews, etc.

The three methods combine to form an effective methodology for an overall audit.
AUDITING TECHNIQUES

There are various auditing techniques used:

Examination techniques

Examination techniques, generally conducted manually, are used to evaluate systems, applications, networks, policies, and procedures to discover vulnerabilities.

• Techniques include:

• Documentation review
• Log review
• Ruleset and system configuration review
• Network sniffing
• File integrity checking
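As an added example of the file integrity checking technique listed above (not code from the original slides), the script below records a baseline manifest of SHA-256 hashes for a directory tree and later compares a fresh snapshot against it, reporting added, removed and modified files. The directory tree, the file names and the tampering in demo() are constructed inside a temporary directory so the example runs offline.

```python
"""File integrity checking, one of the examination techniques listed above.

Added example, not code from the original slides. It records a baseline manifest
of SHA-256 hashes for a directory tree, then compares a later snapshot against the
baseline and reports files that were added, removed or modified. The directory
tree and the tampering in demo() are constructed inside a temporary directory so
the example runs offline; the file names are made up.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped: hashing their target would let a link swap hide a change
    to the real file, and a dangling link would abort the whole scan.
    """
    manifest: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def save_manifest(manifest: dict[str, str], dest: Path) -> None:
    # In a real audit the baseline is stored off the audited host (or signed);
    # a baseline the host itself can rewrite proves nothing.
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(src: Path) -> dict[str, str]:
    return json.loads(src.read_text())


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report the drift between two manifests as sorted lists of relative paths."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths if baseline[p] != current[p]),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small tree, tamper with it, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "audited-host"
        (tree / "etc").mkdir(parents=True)
        (tree / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (tree / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        # Baseline taken at the start of fieldwork; kept outside the audited tree.
        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(tree), baseline_path)

        # Changes made after the baseline: a config edit, a deleted file, a new file.
        (tree / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (tree / "etc" / "hosts").unlink()
        (tree / "etc" / "rc.local").write_text("#!/bin/sh\n")

        return compare(load_manifest(baseline_path), build_manifest(tree))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```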


TARGET IDENTIFICATION AND ANALYSIS
TECHNIQUES

• Testing techniques, generally performed using automated tools, are used to identify systems, ports, services and potential vulnerabilities.

• Techniques include:

• Network discovery
• Network port and service identification
• Vulnerability scanning
• Wireless scanning
• Application security examination


TARGET VULNERABILITY VALIDATION
TECHNIQUES

• Testing techniques that corroborate the existence of vulnerabilities; these may be performed manually or with automated tools.

• Techniques include:

• Password cracking
• Penetration testing
• Social engineering
• Application security testing

• Organizations use a combination of these techniques to ensure effectiveness and to meet the objectives of the audit.
SECURITY TESTING FRAMEWORKS
• There are numerous security testing methodologies being used today by security auditors for technical control assessment.

• Four of the most common are as follows:

• Open Source Security Testing Methodology Manual (OSSTMM)
• Information Systems Security Assessment Framework (ISSAF)
• NIST 800-115
• Open Web Application Security Project (OWASP)

• All of these frameworks provide a detailed, process-oriented manner in which to conduct a security test, and each has its particular strengths and weaknesses.

• Most auditors and penetration testers use these frameworks as a starting point to create their own testing process, and they find a lot of value in referencing them.
OSSTMM
The OSSTMM highlights the systems approach to security testing by dividing assessment areas into six interconnected modules:

Information security: data leakage and privacy review

Process security: access granting processes and social engineering testing

Internet technologies security: network mapping, port scanning, service and operating system (OS) identification, vulnerability scanning, internet application testing, router/firewall testing, IDS testing, malicious code detection, password cracking, denial of service, and policy review

Communications security: private branch exchange (PBX)/phone fraud, voicemail, fax, and modem

Wireless security: 802.11, Bluetooth, handheld scanning, surveillance, radio frequency identification (RFID), and infrared

Physical security: perimeter, monitoring, access control, alarm systems, and environment
ISSAF

• The ISSAF is one of the largest free assessment methodologies available. Each control test has detailed instructions for operating testing tools and what results to look for.

• It is split into two primary documents.

• One is focused on the business aspect of security, and the other is designed as a penetration test framework.

• The level of detailed explanation of services, security tools to use, and potential exploits is high, and can help both an experienced security auditor and someone getting started in auditing.
NIST 800-115

• NIST 800-115, the Technical Guide to Information Security Testing, provides guidance and a methodology for reviewing security that the U.S. Government's various departments are required to follow.

• Like all NIST-created documents, 800-115 is free for use in the private sector.

• It includes templates, techniques, and tools that can be used for assessing many types of systems and scenarios.

• It is not as detailed as the ISSAF or OSSTMM, but it does provide a repeatable process for conducting security reviews.
NIST 800-115
The document includes guidance on the following:
Security testing policies
Management's role in security testing
Testing methods
Security review techniques
Identification and analysis of systems
Scanning and vulnerability assessments
Vulnerability validation (pen testing)
Information security test planning
Security test execution
Post-test activities
OWASP

• The OWASP testing guide was created to assist web developers and security practitioners to better secure web applications.

• A proliferation of poorly written and executed web applications has resulted in numerous, easily exploitable vulnerabilities that put the internet community at risk of malware, identity theft, and other attacks.

• The OWASP testing guide has become the standard for web application testing and has helped increase the awareness of security issues in web applications through testing and better coding practices.
OWASP
The OWASP testing methodology is split as follows:
Information gathering
Configuration management
Authentication testing
Session management
Authorization testing
Business logic testing
Data validation testing
Denial of service testing
Web services testing
AJAX testing
OWASP

• The OWASP project also has a subproject called WebGoat that enables one to load a vulnerable website in a controlled environment to test these techniques against a live system.

• Whatever the approach to testing security controls, it must be ensured that it is consistent, repeatable, and based on best practices.
AUDIT PROCESS

A successful audit will minimally:

Establish a prioritized list of risks to an organization.

Delineate a plan to alleviate those risks.

Validate that the risks have been mitigated.

Develop an ongoing process to minimize risk.

Establish a cycle of reviews to validate the process on a perpetual basis.


AUDITING SECURITY PRACTICES
• The first step in evaluating security controls is to examine the organization's policies, security governance structure, and security objectives, because these three areas encompass the business practices of security.

• Security controls are selected and implemented because of security policies or security requirements mandated by law.

• Security is a service provided by IT to the business, so measuring it as such enables you to see many of the connections to the various functions of the business. There are standards, laws, and benchmarks that you can use as your baseline to compare against.

• Normally, you include content from multiple areas, as businesses may have more than one regulation with which they must comply. It is easiest to start with the organization's policies and build your security auditing plan from there.
AUDITING SECURITY PRACTICES

Some criteria you can use to compare the service of security against are:

• Evaluation against the organization's own security policy and security baselines
• Regulatory/industry compliance – Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry (PCI)
• Evaluation against standards such as NIST 800 or ISO 27002
• Governance frameworks such as COBIT or COSO



AUDITING SECURITY PRACTICES

• After you have identified the security audit criteria that the organization needs to comply with, the next phase is to perform assessments to determine how well they achieve their goals.

• A number of assessments are usually required; determining the appropriate ones means referring back to the scope, which defines the boundaries of the audit.

• The following are types of assessments that might be performed to test security controls:

• Risk assessments
• Policy assessment
• Social engineering
• Security design review
• Security process review
• Interview
• Observation
• Document review
• Technical review
Risk assessments

This type of assessment examines potential threats to the organization by listing areas that could be sources of loss such as corporate espionage, service outages, disasters, and data theft.

Each is prioritized by severity, matched to the identified vulnerabilities, and used to determine whether the organization has adequate controls to minimize the impact.

Policy assessment

This assessment reviews policy to determine whether the policy meets best practices, is unambiguous, and accomplishes the business objectives of the organization.

Social engineering

This involves penetration testing against people to identify whether security awareness training, physical security, and facilities are properly protected.

Security design review

The security design review is conducted to assess the deployment of technology for compliance with policy and best practices.

These types of tests involve reviewing network architecture and design, and monitoring and alerting capabilities.
SECURITY PROCESS REVIEW

• The security process review identifies weaknesses in the execution of security procedures and activities. All security activities should have written processes that are communicated and consistently followed.

• The two most common methods for assessing security processes are interviews and observation:
INTERVIEWS

• Talking to the actual people responsible for maintaining security, from users to systems administrators, provides a wealth of evidence about the people aspect of security.

• How do they feel about corporate security methods? Can they answer basic security policy questions? Do they feel that security is effective? The kind of information gathered helps identify any weakness in training and in the organization's commitment to adhering to policy.
OBSERVATION

 Physical security can be tested by walking around the office and observing how employees
conduct themselves from a security perspective.

 Do they walk away without locking their workstations or have sensitive documents sitting on their
desks? Do they leave the data centre door propped open, or do they not have a sign-out procedure
for taking equipment out of the building? It is amazing what a stroll through the cubicles of a
company can reveal about the security posture of an organization.
Document review:

Checking the effectiveness and compliance of the policy, procedure, and standards documents is
one of the primary ways an auditor can gather evidence.

Checking logs, incident reports, and trouble tickets can also provide data about how the organization
operates on a daily basis.

Technical review:

This is where penetration testing and technical vulnerability testing come into play.

One of the most important services an auditor offers is to evaluate the competence and effectiveness
of the technologies relied upon to protect a corporation’s assets.
 This section covered evaluation techniques for auditing security practices within an organization.

 Many of the security practices used to protect a company are process- and policy-focused.

 They represent the primary drivers for technology purchases and deployment.

 Technology can automate many of these processes and policies and needs a different approach to
testing effectiveness.

 The remainder of this chapter covers tools that can be used to test security technologies.
TESTING SECURITY TECHNOLOGY
 There are many terms used to describe the technical review of security controls.

 Ethical hacking, penetration test, and security testing are often used interchangeably to describe a
process that attempts to validate security configuration and vulnerabilities by exploiting them in a
controlled manner to gain access to computer systems and networks.

 There are various ways that security testing can be conducted, and the choice of methods used
ultimately comes down to the degree to which the test examines security as a system.
There are generally two distinct levels of security testing commonly performed today:

Vulnerability assessment:

This technical assessment is intended to identify as many potential weaknesses in a host, application, or
entire network as possible, based on the scope of the engagement.

Configurations, policies, and best practices are all used to identify potential weaknesses in the
deployment or design of the entity being tested.

These types of assessments are notorious for producing an enormous number of potential problems, which
require a security expert to prioritize them and validate the real issues that need to be addressed.

Running vulnerability scanning software can result in hundreds of pages of items being flagged as
vulnerable when in reality they are not exploitable.
PENETRATION TEST

 The penetration test is intended to assess the prevention, detection, and correction controls of a
network by attempting to exploit vulnerabilities and gain control of systems and services.

 Penetration testers (also known as pentesters) scan for vulnerabilities as part of the process just
like a vulnerability assessment, but the primary difference between the two is that a pentester also
attempts to exploit those vulnerabilities as a method of validating that there is an exploitable
weakness.

 Successfully taking over a system does not show all possible vectors of entry into the network, but
can identify where key controls fail. If someone is able to exploit a device without triggering any
alarms, then detective controls need to be strengthened so that the organization can better monitor
for anomalies.
PENETRATION TEST

 Security control testing is an art form in addition to a technical security discipline. It takes a
certain type of individual and mind-set to figure out new vulnerabilities and exploits.

 Penetration testers usually fit this mould, and they must constantly research new attack techniques
and tools.

 Auditors, on the other hand, might not test to that degree and will more than likely work with a
penetration tester or team if a significant level of detailed knowledge is required for the audit.

 When performing these types of engagements, four classes of penetration tests can be conducted
and are differentiated by how much prior knowledge the penetration tester has about the system.
PENETRATION TEST TYPES

The four types are:

Red team/blue team assessment

White-box

Black-box

Gray-box
RED TEAM/BLUE TEAM ASSESSMENT

 The terms red and blue team come from the military where combat teams are tested to determine
operational readiness.

 In the computer world, a red and blue team assessment is like a war game, where the organization
being tested is put to the test in as real a scenario as possible. Red team assessments are intended to
show all of the various methods an attacker can use to gain entry.

 It is the most comprehensive of all security tests. This assessment method tests policy and
procedures, detection, incident handling, physical security, security awareness, and other areas that
can be exploited. Every vector of attack is fair game in this type of assessment.
RED TEAM/BLUE TEAM ASSESSMENT

 This is used to simulate attacks and test the ability to develop defences for these attacks. The red
team is designated as the attacker and the blue team as the builder of the defence mechanisms.

 The two teams sharpen an organization’s detection and response capability. This is through sharing
of intelligence data, understanding threat actors' TTPs, mimicking these TTPs through a series of
scenarios and configuring, tuning and improving the detection and response capability.

 Penetration tests as part of auditing can be conducted in several ways. The most common difference
is the amount of knowledge of the implementation details of the system being tested that are
available to the testers.
Black box testing

This assumes no prior knowledge of the infrastructure to be tested.

The testers must first determine the location and extent of the systems before commencing their analysis.

White box testing

This provides the testers with complete knowledge of the infrastructure to be tested, often including
network diagrams, source code, and IP addressing information.

Grey box testing

These are the variations in between white and black box testing, where the testers have partial
information.

Penetration tests can also be described as "full disclosure" (white box), "partial disclosure" (grey box), or
"blind" (black box) tests based on the amount of information provided to the testing party.
FEATURES AND USES

 Black box testing simulates an attack from someone who is unfamiliar with the system.

 White box testing simulates what might happen during an "inside job" or after a "leak" of sensitive
information, where the attacker has access to source code, network layouts, and possibly even
some passwords.

 White box techniques involve direct analysis of the application’s source code, and black box
techniques are performed against the application’s binary executable without source code
knowledge. Most assessments of custom applications are performed with white box techniques,
since source code is usually available—however, these techniques cannot detect security defects in
interfaces between components, nor can they identify security problems caused during
compilation, linking, or installation-time configuration of the application.
 White box techniques still tend to be more efficient and cost-effective for finding security defects
in custom applications than black box techniques.

 Black box techniques should be used primarily to assess the security of individual high-risk
compiled components; interactions between components; and interactions between the entire
application or application system with its users, other systems, and the external environment.

 Black box techniques should also be used to determine how effectively an application or
application system can handle threats.

 Auditors should have a base knowledge of testing tools and techniques. Using testing frameworks
is a useful way to develop a technical testing plan.
RELIANCE ON CHECKLISTS AND TEMPLATES

 It is important to develop and use standard checklists for audits as this ensures that data is
collected in a uniform manner.

 It also ensures that no critical data point or activity is omitted.

 One must ensure the templates and checklists are agreed upon prior to use and from recognized
sources. These should be understood commonly by all participating in the audit.

 It is important that those carrying out the audit understand the importance of capturing information
in detail.
ROLE OF AN AUDITOR

 The role of the auditor is to identify, measure, and report on risk. The auditor is not tasked to fix
the problem, but to give a snapshot in time of the effectiveness of the security program.

 The objective of the auditor is to report on security weakness.

 Auditors ask the questions, test the controls, and determine whether the security policies are
followed in a manner that protects the assets the controls are intended to secure by measuring the
organization’s activities versus its security best practices.

 The auditor functions as an independent advisor and inspector.


ROLE OF AN AUDITOR

 The auditor is responsible for planning and conducting audits in a manner that is fair and
consistent to the people and processes that are examined.

 The auditing charter or engagement letter defines the conduct and responsibilities of an auditor.

 Depending on how a company’s auditing program is structured, ultimate accountability for the
auditor is usually to senior management or the board of directors.

 Auditors are usually required to present a report to management about the findings of the audit and
also make recommendations about how to reduce the risk identified.


RESPONSIBILITIES
 Plan, execute and lead security audits across an organization.

 Inspect and evaluate financial and information systems, management procedures and security
controls

 Evaluate the efficiency, effectiveness and compliance of operation processes with corporate security
policies and related government regulations

 Develop and administer risk-focused exams for IT systems

 Review or interview personnel to establish security risks and complications

 Execute and properly document the audit process on a variety of computing environments and
computer applications
RESPONSIBILITIES
 Assess the exposures resulting from ineffective or missing control practices

 Accurately interpret audit results against defined criteria

 Weigh the relevancy, accuracy and perspective of conclusions against audit evidence

 Provide a written and verbal report of audit findings

 Develop rigorous “best practice” recommendations to improve security on all levels

 Work with management to ensure security recommendations comply with company procedure

 Collaborate with departments to improve security compliance, manage risk and bolster
effectiveness
AUDITOR ACTIVITIES

The following tasks and activities are carried out by the auditor in discharging their responsibilities:

Auditing the information asset management process will verify that the critical assets are being
managed in accordance with the IT/IS policies.

The auditor audits the information security and privacy policies and standards. The auditor begins
with policies and standards related to access control, data classification and network security.

In addition, they focus on other policies and standards such as vendor management, vulnerability
management and data leakage prevention.
 One of the important roles of audit is to verify that the policies and standards are not just
documented but are actually being implemented by users across the enterprise. This verification
can be accomplished by performing an audit of the security training and awareness program.

 Instead of focusing on the actual access of each user, the auditor focuses on the IAM process and
verifies that the IAM process is working as designed.

 Auditing an automated IAM process ensures the integrity of the process. The audit also focuses on
the workflow, which includes the approval hierarchy. Several IAM vendors are starting to provide
mechanisms to incorporate segregation of duties (SoD) checks within the workflow.

 If an organization has incorporated the SoD checks in the workflow, it is important to include this
process within its audit scope.
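The SoD checks an auditor would expect to find inside such a workflow, as an added example that is not from the slides or any IAM product: the conflict matrix, approval hierarchy, directory snapshot and request log are all constructed, and the three rules (no self-approval, approver must be in the hierarchy for the role, grant must not create a forbidden role pair) are the assumed policy.

```python
"""Segregation-of-duties (SoD) checks over an IAM approval workflow.

Added example, not from the slides. Matrix, hierarchy, directory and
request log are constructed; a real IAM product reads its own config.
"""
from dataclasses import dataclass

# Constructed conflict matrix: role pairs one person must never hold together.
CONFLICTING_ROLES = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"develop_code", "deploy_to_production"}),
}

# Constructed approval hierarchy: roles whose holders may approve each role.
APPROVERS_FOR_ROLE = {
    "create_vendor": {"finance_manager"},
    "approve_payment": {"finance_manager", "cfo"},
    "develop_code": {"engineering_manager"},
    "deploy_to_production": {"engineering_manager", "release_manager"},
}


@dataclass(frozen=True)
class AccessRequest:
    requester: str             # user who would receive the role
    role: str                  # role being requested
    approver: str              # user who approved the request
    approver_roles: frozenset  # roles the approver holds, per the directory


def conflicting_pairs(roles):
    """Sorted (role_a, role_b) pairs in `roles` that the matrix forbids together."""
    roles = set(roles)
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_ROLES if pair <= roles)


def review_request(req, user_roles):
    """Preventive check: reasons the workflow should refuse this request.

    An empty list means the grant is clean under all three rules.
    """
    reasons = []
    if req.approver == req.requester:
        reasons.append("self-approval")
    if not (set(req.approver_roles) & APPROVERS_FOR_ROLE.get(req.role, set())):
        reasons.append("approver outside approval hierarchy")
    held = set(user_roles.get(req.requester, ()))
    for a, b in conflicting_pairs(held | {req.role}):
        if req.role in (a, b):  # only conflicts this grant would introduce
            reasons.append(f"SoD conflict: {a} + {b}")
    return reasons


def run_workflow(user_roles, requests):
    """Apply requests in order, granting only those with no rejection reasons.

    Returns (final_roles, granted_indexes, {rejected_index: reasons}).
    The input directory is copied, not mutated.
    """
    roles = {user: set(r) for user, r in user_roles.items()}
    granted, rejected = [], {}
    for i, req in enumerate(requests):
        reasons = review_request(req, roles)
        if reasons:
            rejected[i] = reasons
        else:
            roles.setdefault(req.requester, set()).add(req.role)
            granted.append(i)
    return roles, granted, rejected


def audit_existing_roles(user_roles):
    """Detective check over the directory: who already holds an incompatible pair?"""
    findings = {}
    for user, roles in sorted(user_roles.items()):
        pairs = conflicting_pairs(roles)
        if pairs:
            findings[user] = pairs
    return findings


# Constructed directory snapshot and access-request log.
SAMPLE_ROLES = {
    "alice": {"create_vendor"},
    "bob": {"develop_code", "deploy_to_production"},  # pre-existing violation
    "carol": {"finance_manager"},
    "dave": {"engineering_manager"},
}
SAMPLE_REQUESTS = [
    AccessRequest("alice", "approve_payment", "carol", frozenset({"finance_manager"})),
    AccessRequest("erin", "develop_code", "dave", frozenset({"engineering_manager"})),
    AccessRequest("erin", "deploy_to_production", "erin", frozenset()),
    AccessRequest("frank", "approve_payment", "dave", frozenset({"engineering_manager"})),
]
```

Running `audit_existing_roles(SAMPLE_ROLES)` surfaces bob's pre-existing conflict, while `run_workflow` grants only the second request and records why the other three fail.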
 During the audit of policies and standards, the auditor should understand how the policies and
standards are being communicated across the enterprise.

 Every organization has a communication method (e-mail, posting on an intranet web page, periodic
security seminars, monthly security awareness training, lunch-n-learns, etc.).

 The responsible auditor should determine if logging is enabled in critical systems. Where logs are
enabled, the auditor verifies that there is a process for monitoring.

 The auditor also verifies that the process has been assigned to a person and that this person is
executing this process. The focus here is on data leakage prevention (DLP).
 Besides verifying that the proper access is granted to each individual, the auditor focuses on how
the approved users are using the data assets.

 Are data being encrypted properly before they are sent outside of the organization? Depending on
an organization’s DLP policy, the SIEM system can potentially help the auditor determine if the
data are being copied on USB drives and leaving the organization.
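How an auditor can turn these two questions (is logging enabled and monitored on critical systems, and is sensitive data leaving unencrypted or on removable media) into repeatable checks, as an added example that is not from the slides: the system inventory, the SIEM export and its column names, and the destination prefixes are all constructed assumptions, since real SIEM exports use product-specific fields.

```python
"""Audit evidence checks for logging coverage and data-leakage indicators.

Added example, not from the slides. The inventory and the SIEM export are
constructed; the export's column names are an assumption.
"""
import csv
import io
from collections import Counter

# Constructed inventory of critical systems with the evidence an auditor
# asks for: is logging on, and has a named person been assigned to monitor it?
CRITICAL_SYSTEMS = [
    {"name": "payroll-db", "logging_enabled": True, "monitor_owner": "soc-lead"},
    {"name": "vpn-gw", "logging_enabled": True, "monitor_owner": ""},
    {"name": "hr-fileshare", "logging_enabled": False, "monitor_owner": "soc-lead"},
    {"name": "erp-app", "logging_enabled": True, "monitor_owner": "it-ops-mgr"},
]

# Constructed SIEM export (CSV). The `destination` prefix marks where data went.
SAMPLE_EXPORT = """\
time,user,action,destination,classification,encrypted
2024-03-04T09:12:01Z,alice,file_copy,removable:E:,confidential,no
2024-03-04T09:15:44Z,bob,email_send,smtp:external,confidential,yes
2024-03-04T09:20:10Z,carol,file_copy,share:fs01/hr,confidential,no
2024-03-04T10:02:33Z,dave,email_send,smtp:external,public,no
2024-03-04T10:30:00Z,alice,file_copy,removable:E:,internal,no
2024-03-04T11:05:19Z,erin,cloud_upload,https:external,confidential,no
"""

# Destinations considered "outside the organization" under the constructed policy.
EXTERNAL_PREFIXES = ("removable:", "smtp:external", "https:external")
SENSITIVE_CLASSES = {"confidential", "restricted"}


def logging_gaps(systems):
    """Return {system: reason} for systems lacking logging or a monitoring owner."""
    gaps = {}
    for s in systems:
        if not s["logging_enabled"]:
            gaps[s["name"]] = "logging disabled"
        elif not s["monitor_owner"]:
            gaps[s["name"]] = "no one assigned to monitor logs"
    return gaps


def leaves_organization(destination):
    """True when the destination is outside the organization per the policy above."""
    return destination.startswith(EXTERNAL_PREFIXES)


def review_export(text):
    """Flag events where data left the organization in a way the policy forbids.

    Returns a list of (time, user, destination, finding) tuples. Encrypted
    sensitive data going out by an approved channel is not a finding.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if not leaves_organization(row["destination"]):
            continue  # internal share: not a leakage path under this policy
        sensitive = row["classification"] in SENSITIVE_CLASSES
        if sensitive and row["encrypted"] != "yes":
            findings.append((row["time"], row["user"], row["destination"],
                             "sensitive data left unencrypted"))
        elif row["destination"].startswith("removable:"):
            findings.append((row["time"], row["user"], row["destination"],
                             "copy to removable media"))
    return findings


def findings_by_user(findings):
    """Count findings per user so repeat patterns stand out in the audit report."""
    return Counter(user for _, user, _, _ in findings)


if __name__ == "__main__":
    for name, why in logging_gaps(CRITICAL_SYSTEMS).items():
        print(f"logging gap on {name}: {why}")
    for t, user, dest, why in review_export(SAMPLE_EXPORT):
        print(f"{t} {user} -> {dest}: {why}")
    print(dict(findings_by_user(review_export(SAMPLE_EXPORT))))
```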

 In today’s business environment, governance, risk management and compliance (GRC) processes are
critical to the auditor. The auditor examines corporate governance processes and verifies that an
infrastructure has been created to identify and manage risks.
 The governance structure should be active and ongoing, which means that the executives should
conduct periodic meetings to address risks.

 The auditor also identifies all relevant regulations and industry standards and performs periodic
compliance reviews based on identified and relevant risks. Noncompliance should be tracked and
managed by executive management.

 The internal auditor should identify how the organization is connected to the outside, and who on
the outside is connected to the organization. There is a total reliance by some organizations on
Statement on Auditing Standards No. 70 (SAS 70) Type II reports for review of external vendors.

 While SAS 70 is good, it is not final. The auditor first verifies that there is a policy in place to
address third-party connections.
 In addition to the SAS 70 report, the organization should periodically perform its own audit of the
vendor to certify that its policies and security needs are being adequately addressed (the
organization may have to ensure that the vendor contracts allow for this audit).

 Changes performed by the third-party vendor on systems affecting the organization should follow
the organization’s normal change management process.

 Also, the auditor should follow the entire process within the extended enterprise where the critical
data assets reside. For example, an enterprise may do an exceptional job of protecting critical data
assets within the enterprise, but an unencrypted backup tape can fall off a vendor’s truck and
expose critical information and put the enterprise at risk.
 An audit of the entire process will definitely reduce the risks associated with the extended
enterprise. This extended enterprise may exist globally and could add more complexity to the audit
plans.

 The auditor verifies that a business continuity plan exists and is maintained and tested periodically.

 The auditor should also make sure that the plan covers all the risks associated with the business and
that it is enough to keep the business in operation in times of disruption.

 The IT auditor should understand the difference between business continuity and disaster recovery
and make sure that each is adequately addressed and periodically tested.
 The auditor identifies a catalog of IT initiatives, reviews the business reasons for the project and
identifies the executive sponsor for the project.

 The auditor obtains and reviews the management reports from IT to executive management and
verifies that sufficient information is provided to management.

 The auditor verifies that IT initiatives are adequately aligned with business objectives.
INFORMATION SECURITY AUDIT
CONSULTANTS
 Information security audit consultants – these consultants (individual or organizations) are usually
found in advising or auditing roles for information security.

 Security consultants generally fall into one of three categories:

 Management

 Technical

 Forensic
INFORMATION SECURITY AUDIT CONSULTANTS

 The first step in hiring a reliable consultant is to define the requirements of the job.

 Does it involve the analysis of risk, implementation of security systems, regulatory compliance,
management consulting, training or defence of an inadequate security claim? Only after the
requirements of the job are defined can you select the right type of consultant to complete the
work.

 A consultant should be independent and not affiliated with a product or service.

 If your consultant is not independent, you should know about his or her relationship with a
product or service line and understand that it may result in a conflict of interest.
HIRING AN INFORMATION SECURITY AUDITOR
The following questions should be considered before hiring an audit company as auditors:

Does the consultant organization offer a comprehensive suite of services, tailored to specific
requirements?

Does the consulting organization have a quality certification?

Does the consulting organization have a track record of having handled a similar assignment for security
consulting?

Do the organization’s security professionals hold certifications such as CISSP, CISA, CSM and CIPP?

Does the organization have a sound methodology to follow?

Is the organization a recognized contributor to the security industry in terms of research,
publications, etc.?
REQUIRED SKILLS SETS OF AN INFORMATION
SECURITY AUDITOR
A good auditor requires the following skills and knowledge in the various areas listed below:

Organization wide security program planning and management

Access control

Application software development and change control

System software

Segregation of duties

Service continuity

Application controls
ORGANIZATION WIDE SECURITY PROGRAM
PLANNING AND MANAGEMENT
 Knowledge of the legislative requirements for an agency security program

 Knowledge of the sensitivity of data and the risk management process through risk assessment
and risk mitigation

 Knowledge of the risks associated with a deficient security program

 Knowledge of the elements of a good security program

 Ability to analyse and evaluate an organization’s security policies and procedures and identify
their strengths and weaknesses
ACCESS CONTROL

 Knowledge across platforms of the access paths into computer systems and of the functions of associated
hardware and software providing an access path

 Knowledge of access level privileges granted to users and the technology used to provide control to them

 Knowledge of the procedures, tools, and techniques that provide for good physical, technical, and
administrative controls over access

 Knowledge of the risks associated with inadequate access controls

 Ability to analyse and evaluate an organization’s access controls and identify the strengths and
weaknesses

 Skills to review security software reports and identify access control weaknesses

 Skills to perform penetration testing of the organization’s applications and supporting computer systems
APPLICATION SOFTWARE DEVELOPMENT AND
CHANGE CONTROL

 Knowledge of the concept of a system life cycle and of the system development life cycle (SDLC)
process

 Knowledge of the auditor’s role during system development and of federal guidelines for
designing controls into systems during development

 Knowledge of the procedures, tools, and techniques that provide control over application software
development and modification

 Knowledge of the risks associated with the development and modification of application software

 Ability to analyse and evaluate the organization’s methodology and procedures for system
development and modification and identify the strengths and weaknesses
SYSTEM SOFTWARE

 Knowledge of the different types of system software and their functions

 Knowledge of the risks associated with system software

 Knowledge of the procedures, tools, and techniques that provide control over the implementation,
modification, and use of system software

 Ability to analyse and evaluate an organization’s system software controls and identify the
strengths and weaknesses

 Skills to use software products to review system software integrity


SEGREGATION OF DUTIES

 Knowledge of the different functions involved with information systems and data processing and
the incompatible duties associated with these functions

 Knowledge of the risks associated with inadequate segregation of duties

 Ability to analyse and evaluate an organization’s organizational structure and segregation of duties
and identify the strengths and weaknesses
SERVICE CONTINUITY

 Knowledge of the procedures, tools, and techniques that provide for service continuity

 Knowledge of the risks that exist when measures are not taken to provide for service continuity

 Ability to analyse and evaluate an organization’s program and plans for service continuity and
identify the strengths and weaknesses
APPLICATION CONTROLS

 Knowledge about the practices, procedures, and techniques that provide for the authorization,
completeness, and accuracy of application data

 Knowledge of typical applications in each business transaction cycle

 Ability to analyse and evaluate an organization’s application controls and identify the strengths
and weaknesses

 Skills to use a generalized audit software package to conduct data analyses and tests of application
data, and to plan, extract, and evaluate data samples
 Auditors performing tasks in two of the above areas, access controls (which includes penetration
testing) and system software, require additional specialized technical skills. Such technical
specialists should have skills in one or more of the categories listed below:

Network analyst

 Advanced knowledge of network hardware and software

 Understanding of data communication protocols

 Ability to evaluate the configuration of routers and firewalls

 Ability to perform external and internal vulnerability tests with manual and automated tools

 Knowledge of the operating systems used by servers


Windows/Novell analyst

Detailed understanding of microcomputer and network architectures

Ability to evaluate the configuration of servers and the major applications hosted on servers

Ability to perform internal vulnerability tests with manual and automated tools
Unix analyst

Detailed understanding of the primary variants of the Unix architectures

Ability to evaluate the configuration of servers and the major applications hosted on servers

Ability to perform internal vulnerability tests with manual and automated tools
Database analyst

Understanding of the control functions of the major database management systems

Understanding of the control considerations of the typical application designs that use database
systems

Ability to evaluate the configuration of major database software products


Mainframe system software analyst

Detailed understanding of the design and function of the major components of the operating system

Ability to develop or modify tools necessary to extract and analyse control information from
mainframe computers

Ability to use audit software tools

Ability to analyse modifications to system software components
Mainframe access control analyst

Detailed understanding of auditing access control security software such as ACF2, Top Secret, and
RACF

Ability to analyse mainframe audit log data

Ability to develop or modify tools to extract and analyse access control information
 The Information Systems Audit and Control Association (ISACA) has set forth a code governing the
professional conduct and ethics of all certified IS auditors and members of the association. ISACA
expects every CISA to be bound by this code.

 The following points form part of this code: the auditor agrees to

 Support the implementation of, and encourage compliance with, appropriate standards and procedures for
the effective governance and management of enterprise information systems and technology, including:
audit, control, security and risk management.

 Perform their duties with objectivity, due diligence and professional care, in accordance with professional
standards. Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of
conduct and character, and not discrediting their profession or the association.
 Maintain the privacy and confidentiality of information obtained in the course of their activities
unless disclosure is required by legal authority. Such information shall not be used for personal
benefit or released to inappropriate parties.
 Maintain competency in their respective fields and agree to undertake only those activities they
can reasonably expect to complete with the necessary skills, knowledge and competence.
 Inform appropriate parties of the results of work performed including the disclosure of all
significant facts known to them that, if not disclosed, may distort the reporting of the results.
 Support the professional education of stakeholders in enhancing their understanding of the
governance and management of enterprise information systems and technology, including:
audit, control, security and risk management. The failure of a CISA to comply with this code
of professional ethics may result in an investigation with possible sanctions or disciplinary
measures.
ETHICS OF AN INFORMATION SECURITY
AUDITOR
Their code also states that:

Ethics statements are necessary to demonstrate the level of honesty and professionalism expected of
every auditor.

Overall, the profession requires them to be honest and fair in all representations they make.

The goal is to build trust with clients. Their behaviour should reflect a positive image on their
profession.

All IS auditors depend on one another to help maintain the high quality and integrity that clients
expect from a CISA.
WHAT MAKES AN INFORMATION SECURITY AUDITOR

At minimum, a bachelor's degree

Certification is often highly recommended and may be required by some employers prior to hiring.

A Certified Information Systems Auditor or CISA is an independent expert who is qualified to
perform information systems audits.

This has uplifted the status of the CISA designation, which is often a mandatory qualification for an
information systems auditor.
ABOUT CISA
 This certification is recognized worldwide as completion of a standardized security auditing
certification program.
 The Information Systems Audit and Control Association (ISACA) is a world-recognized body that was
founded in 1969.
 The CISA examination and certification was initiated by ISACA in 1978, to address industry
requirements.
CISA
 The CISA designation is awarded to individuals with an interest in information systems auditing,
control and security who meet the following requirements:

 Successful completion of the CISA examination

 Submit an application for CISA certification

 Adherence to the code of professional ethics

 Adherence to the continuing professional education program

 Compliance with the information systems auditing standards

 It is important to note that many individuals choose to take the CISA exam prior to meeting the
experience requirements. This practice is acceptable and encouraged although the CISA
designation will not be awarded until all requirements are met.
ABOUT CISSP

 CISSP (Certified Information Systems Security Professional) is a vendor-neutral certification
for those with proven deep technical and managerial competence, skills, experience, and
credibility to design, engineer, implement, and manage their overall information security program
to protect organizations from growing sophisticated attacks.

 It is backed by (ISC)², the globally recognized, not-for-profit organization dedicated to advancing the
information security field.
