Computer Audit

INFORMATION SECURITY AUDIT
An information security audit assesses the level of information security in an organization.
There are multiple types of audits, with different objectives for each.
Most commonly the controls being audited can be categorized as
Technical
Physical
Administrative
Auditing information security covers topics from auditing the physical security of data centers to
auditing the logical security of databases, and highlights key components to look for and different
methods for auditing these areas.
When centered on the IT aspects of information security, it can be seen as a part of an
information technology audit.
It is often then referred to as an Information technology security audit or a Computer security
audit.
COMPUTER AUDIT
A computer security audit is a manual or systematic, measurable technical assessment of a system
or application.
Manual assessments include
interviewing staff,
performing security vulnerability scans,
reviewing application and operating system access controls,
analyzing physical access to the systems.
Automated assessments, or Computer Assisted Audit Techniques (CAATs), include
system-generated audit reports
or using software to monitor and report changes to files and settings on a system.

Systems can include personal computers, servers, mainframes, network routers,
switches. Applications can include Web Services, Microsoft Project Central,
Oracle Database. (examples only).
Audit Event Reporting
During the last few decades systematic audit record generation (also called audit event
reporting) can only be described as ad hoc. Ironically, in the early days of mainframe and minicomputing with large scale, single-vendor, custom software systems from companies such as
IBM and Hewlett Packard, auditing was considered a mission-critical function. Over the last 30
years, COTS or Commercial Off The Shelf software applications and components, and micro
computers have gradually replaced custom software and hardware as more cost-effective
business management solutions.
During this transition, the critical nature of audit event reporting gradually transformed
into low priority customer requirements.
Software consumers, having little else to fall back on, have simply accepted the lesser
standards as normal. The consumer licenses of existing COTS software disclaim all liability for
security, performance and data integrity issues.
Types of Audit Event Reporting
1. Traditional Logging

Using traditional logging methods, applications and components submit free-form text messages
to system logging facilities such as the Unix Syslog process, or the Microsoft Windows System,
Security or Application event logs.
Java applications often fall back to the standard Java logging facility.
These text messages usually contain information only assumed to be security-relevant by the
application developer, who is often not a computer- or network-security expert.
The fundamental problem with such free-form event records is that each application developer
individually determines what information should be included in an audit event record, and the
overall format in which that record should be presented to the audit log.
This variance in formatting among thousands of instrumented applications makes the job of
parsing audit event records by analysis tools difficult and error prone. Such domain- and
application-specific parsing code included in analysis tools is also difficult to maintain, as
changes to event formats inevitably work their way into newer versions of the applications over
time.
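The parsing problem described above, as an added example that is not part of the original document: three constructed log lines (fictional hosts and applications, IP addresses from the documentation ranges) report the same kind of event in three developer-chosen formats, and an analysis tool has to carry one hand-written pattern per source just to map them onto a common schema. The final test shows what happens when one application rewords its message in a new release: the line no longer matches, and unless the tool surfaces unparsed lines the event silently disappears.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the original document): three fictional
# sources, each reporting a failed login in its own free-form format.
SAMPLE_LOG = [
    "Mar 10 08:01:17 web01 sshd[4122]: Failed password for invalid user admin "
    "from 203.0.113.7 port 51022 ssh2",
    "2024-03-10 08:01:19,301 WARN  com.example.app.Login - login failed "
    "user=jdoe src=198.51.100.23",
    '2024-03-10T08:01:20Z appsvc auth_fail account="svc_backup" ip=192.0.2.44',
]

# One hand-written pattern per source. Each has to be kept in step with that
# application's release cycle, which is the maintenance burden described above.
PATTERNS = {
    "sshd": re.compile(
        r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
    ),
    "java-login": re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} WARN\s+\S+ - "
        r"login failed user=(?P<user>\S+) src=(?P<ip>\S+)$"
    ),
    "appsvc": re.compile(
        r'^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) appsvc auth_fail '
        r'account="(?P<user>[^"]+)" ip=(?P<ip>\S+)$'
    ),
}

# Even the timestamps disagree; classic syslog does not record the year at all.
TS_FORMATS = {
    "sshd": "%Y %b %d %H:%M:%S",
    "java-login": "%Y-%m-%d %H:%M:%S",
    "appsvc": "%Y-%m-%dT%H:%M:%SZ",
}


def normalize_timestamp(source, raw, assume_year):
    """Convert a source-specific timestamp to an ISO 8601 UTC string."""
    if source == "sshd":
        raw = f"{assume_year} {raw}"  # supply the year that syslog left out
    dt = datetime.strptime(raw, TS_FORMATS[source]).replace(tzinfo=timezone.utc)
    return dt.isoformat()


def normalize(line, assume_year=2024):
    """Map one free-form line onto a common schema; None if no pattern matches."""
    for source, pattern in PATTERNS.items():
        match = pattern.match(line)
        if match:
            return {
                "source": source,
                "time": normalize_timestamp(source, match["ts"], assume_year),
                "event": "auth_failure",
                "user": match["user"],
                "src_ip": match["ip"],
            }
    return None


def parse_log(lines, assume_year=2024):
    """Return (normalized records, lines that no pattern recognized).

    Unparsed lines are returned rather than dropped: a reworded message in a
    new application version would otherwise make the event vanish unnoticed."""
    records, unparsed = [], []
    for line in lines:
        record = normalize(line, assume_year)
        if record is None:
            unparsed.append(line)
        else:
            records.append(record)
    return records, unparsed


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for rec in recs:
        print(rec)
    print("unparsed:", bad)
```

Counting and alerting on the unparsed lines is the practical control here: a sudden rise after an application upgrade is the signal that the event format changed and the parser needs updating.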
2. Modern Auditing Services

Most contemporary enterprise operating systems, including Microsoft Windows, Solaris, Mac
OS X, and FreeBSD (via the TrustedBSD Project) support audit event logging due to
requirements in the Common Criteria (and more historically, the Orange Book).
Both FreeBSD and Mac OS X make use of the open source OpenBSM library and command
suite to generate and process audit records.
The importance of audit event logging has increased with more recent (post-2000) US and
worldwide legislation mandating corporate and enterprise auditing requirements.
Performing an Audit
Generally, computer security audits are performed by:
1. Federal or State Regulators - Certified accountants, CISA. Federal OTS, OCC,
DOJ, etc.
2. Corporate Internal Auditors - Certified accountants, CISA.
3. Corporate Security Staff - Security managers, CISSP, CISM.
4. IT Staff - subject matter experts, oversight support.

Audit Process
1. Audit planning & preparation
The auditor should be adequately educated about the company and its critical business
activities before conducting a data center review.
The objective of the data center is to align data center activities with the goals of the business
while maintaining the security and integrity of critical information and processes. To adequately
determine whether the client's goal is being achieved, the auditor should perform the
following before conducting the review:

Meet with IT management to determine possible areas of concern
Review the current IT organization chart
Review job descriptions of data center employees
Research all operating systems, software applications and data center equipment operating
within the data center
Review the company's IT policies and procedures
Evaluate the company's IT budget and systems planning documentation
Review the data center's disaster recovery plan

2. Establishing audit objectives

The next step in conducting a review of a corporate data center takes place when the auditor
outlines the data center audit objectives.
Auditors consider multiple factors that relate to data center procedures and activities that
potentially identify audit risks in the operating environment and assess the controls in place that
mitigate those risks.
After thorough testing and analysis, the auditor is able to adequately determine if the data center
maintains proper controls and is operating efficiently and effectively.
Following is a list of objectives the auditor should review:

Personnel procedures and responsibilities, including systems and cross-functional training
Change management processes are in place and followed by IT and management personnel
Appropriate backup procedures are in place to minimize downtime and prevent loss of
important data
The data center has adequate physical security controls to prevent unauthorized access to
the data center
Adequate environmental controls are in place to ensure equipment is protected from fire
and flooding

3. Performing the review

The next step is collecting evidence to satisfy data center audit objectives. This involves
traveling to the data center location and observing processes and procedures performed within
the data center.
The following review procedures should be conducted to satisfy the pre-determined audit
objectives:


Data center personnel: All data center personnel should be authorized to access the data
center (key cards, login IDs, secure passwords, etc.). Data center employees should be
adequately educated about data center equipment and properly perform their jobs. Vendor
service personnel should be supervised when doing work on data center equipment. The auditor
should observe and interview data center employees to satisfy these objectives.

Equipment: The auditor should verify that all data center equipment is working properly
and effectively. Equipment utilization reports, equipment inspection for damage and
functionality, system downtime records and equipment performance measurements all
help the auditor determine the state of data center equipment. Additionally, the auditor
should interview employees to determine if preventative maintenance policies are in
place and performed.

Policies and procedures: All data center policies and procedures should be documented
and located at the data center. Important documented procedures include: data center
personnel job responsibilities, backup policies, security policies, employee termination
policies, system operating procedures and an overview of operating systems.

Physical security / environmental controls: The auditor should assess the security of the
client's data center. Physical security includes bodyguards, locked cages, man traps,
single entrances, bolted-down equipment, and computer monitoring systems.
Additionally, environmental controls should be in place to ensure the security of data
center equipment. These include: air conditioning units, raised floors, humidifiers and
uninterruptible power supplies.

Backup procedures: The auditor should verify that the client has backup procedures in
place in the case of system failure. Clients may maintain a backup data center at a
separate location that allows them to continue operations instantaneously in the instance
of system failure.

4. Issuing the review report

The data center review report should summarize the auditor's findings and be similar in format to
a standard review report. The review report should be dated as of the completion of the auditor's
inquiry and procedures. It should state what the review entailed and explain that a review
provides only "limited assurance" to third parties.

The audited systems

A. Network vulnerabilities

Interception: Data that is being transmitted over the network is vulnerable to being
intercepted by an unintended third party who could put the data to harmful use.

Availability: Networks have become wide-spanning, crossing hundreds or thousands of
miles, which many rely on to access company information, and lost connectivity could
cause business interruption.

Access/entry point: Networks are vulnerable to unwanted access. A weak point in the
network can make that information available to intruders. It can also provide an entry
point for viruses and Trojan horses.

B. Controls

Interception controls: Interception can be partially deterred by physical access controls at
data centers and offices, including where communication links terminate and where the
network wiring and distribution points are located. Encryption also helps to secure wireless
networks.

Availability controls: The best control for this is to have excellent network architecture
and monitoring. The network should have redundant paths between every resource and an
access point, and automatic routing to switch the traffic to the available path without loss
of data or time.

Access/entry point controls: Most network controls are put at the point where the network
connects with an external network. These controls limit the traffic that passes through the
network. They can include firewalls, intrusion detection systems, and antivirus software.

The auditor should ask certain questions to better understand the network and its vulnerabilities.
The auditor should first assess what the extent of the network is and how it is structured. A
network diagram can assist the auditor in this process. The next question an auditor should ask is
what critical information this network must protect. Things such as enterprise systems, mail
servers, web servers, and host applications accessed by customers are typically areas of focus. It
is also important to know who has access and to what parts.
Questions commonly asked include:
Do customers and vendors have access to systems on the network?
Can employees access information from home?
Lastly, the auditor should assess how the network is connected to external networks and
how it is protected.
Most networks are at least connected to the internet, which could be a point of vulnerability.
These are critical questions in protecting networks.

C. Encryption and IT audit

In assessing the need for a client to implement encryption policies for their organization, the
auditor should conduct an analysis of the client's risk and data value.
Companies with multiple external users, e-commerce applications, and sensitive
customer/employee information should maintain rigid encryption policies aimed at encrypting
the correct data at the appropriate stage in the data collection process.
Auditors should continually evaluate their clients' encryption policies and procedures.
Companies that are heavily reliant on e-commerce systems and wireless networks are extremely
vulnerable to the theft and loss of critical information in transmission.
Policies and procedures should be documented and carried out to ensure that all transmitted data
is protected.
The auditor should verify that management has controls in place over the data encryption
management process.
Access to keys should require dual control, keys should be composed of two separate
components, and they should be maintained on a computer that is not accessible to programmers or
outside users.
Management should attest that encryption policies ensure data protection at the desired level and
verify that the cost of encrypting the data does not exceed the value of the information itself.
All data that is required to be maintained for an extensive amount of time should be encrypted
and transported to a remote location.
Procedures should be in place to guarantee that all encrypted sensitive information arrives at its
location and is stored properly.
Finally, the auditor should obtain verification from management that the encryption system is
strong, not attackable and compliant with all local and international laws and regulations.
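The dual-control requirement above (access to keys needs two people, and the key is held as two separate components) can be made concrete. The following is an added example, not from the original document or any particular product: a key is split into two XOR components, one per custodian, so that a single component is uniformly random and tells its holder nothing about the key; reconstruction is only performed when two distinct authorized custodians both present their component, every attempt is recorded, and the result is accepted only if a key check value recorded at generation time matches. The custodian role names, the 256-bit key length and the HMAC-based check value are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

KEY_BYTES = 32                                 # assumption: a 256-bit key
CUSTODIANS = {"custodian_a", "custodian_b"}    # constructed role names


def split_key(key):
    """Split a key into two components whose XOR is the key.

    The first component is fresh random bytes, so each component on its own is
    uniformly random: a custodian holding one learns nothing about the key."""
    component_a = secrets.token_bytes(len(key))
    component_b = bytes(k ^ a for k, a in zip(key, component_a))
    return component_a, component_b


def check_value(key):
    """Key check value used to confirm a reconstructed key without exposing it.

    Simplified construction for this example (truncated HMAC over a fixed
    label); production key-management schemes define their own KCV format."""
    return hmac.new(key, b"key-check-value", hashlib.sha256).hexdigest()[:16]


def combine(component_a, component_b, expected_kcv):
    """XOR the components back together; accept only if the KCV matches."""
    if len(component_a) != len(component_b):
        raise ValueError("component lengths differ")
    key = bytes(a ^ b for a, b in zip(component_a, component_b))
    if not hmac.compare_digest(check_value(key), expected_kcv):
        raise ValueError("key check value mismatch: wrong or corrupted component")
    return key


def reconstruct_under_dual_control(presented, expected_kcv, audit_log):
    """Reconstruct the key only when two distinct authorized custodians each
    present their component; every attempt is appended to audit_log.

    presented: {custodian_name: component_bytes}"""
    names = sorted(presented)
    audit_log.append(f"key reconstruction requested by: {', '.join(names)}")
    if len(names) != 2 or not set(names) <= CUSTODIANS:
        audit_log.append("rejected: dual control not satisfied")
        raise PermissionError("two distinct authorized custodians are required")
    try:
        key = combine(presented[names[0]], presented[names[1]], expected_kcv)
    except ValueError as exc:
        audit_log.append(f"rejected: {exc}")
        raise
    audit_log.append("accepted: key check value verified")
    return key


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_BYTES)
    kcv = check_value(key)            # recorded when the key is generated
    comp_a, comp_b = split_key(key)   # handed to the two custodians separately
    log = []
    recovered = reconstruct_under_dual_control(
        {"custodian_a": comp_a, "custodian_b": comp_b}, kcv, log)
    print("recovered key matches:", recovered == key)
    print("\n".join(log))
```

For the auditor, the evidence to ask for is the audit_log equivalent: a record of every reconstruction attempt naming both custodians, and confirmation that no single role can obtain both components from the systems where they are stored.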

D. Logical security audit

The first step in an audit of any system is to seek to understand its components and its structure.
When auditing logical security the auditor should investigate what security controls are in place,
and how they work. In particular, the following areas are key points in auditing logical security:

Passwords: Every company should have written policies regarding passwords and
employees' use of them. Passwords should not be shared, and employees should have
mandatory scheduled changes. Employees should have user rights that are in line with
their job functions. They should also be aware of proper log-on/log-off procedures. Also
helpful are security tokens, small devices that authorized users of computer programs or
networks carry to assist in identity confirmation. They can also store cryptographic keys
and biometric data. The most popular type of security token (RSA's SecurID) displays a
number which changes every minute. Users are authenticated by entering a personal
identification number and the number on the token.


Termination procedures: Proper termination procedures should be in place so that former employees can no
longer access the network. This can be done by changing passwords and codes. Also, all
ID cards and badges that are in circulation should be documented and accounted for.

Special User Accounts: Special User Accounts and other privileged accounts should be
monitored and have proper controls in place.

Remote Access: Remote access is often a point where intruders can enter a system. The
logical security tools used for remote access should be very strict. Remote access should
be logged.
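The PIN-plus-token authentication described under Passwords, as an added example that is not from the original document: the token side computes a code that changes every time step, and the server side verifies PIN and code together. It uses the published TOTP algorithm (RFC 6238 over HMAC-SHA1), not SecurID's own proprietary one, so it illustrates the principle rather than that product; the 60-second step matches the text, and the seed, salt and PIN are constructed. Two details a reviewer should look for in any such implementation are shown: a small drift window so a token whose clock runs slightly ahead or behind still works, and rejection of a code that was already accepted, so a code observed over the shoulder cannot be replayed within that window.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """HMAC-based one-time code for a counter value (RFC 4226, HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=60, digits=6):
    """Code the token displays during the step containing unix_time (RFC 6238)."""
    return hotp(secret, int(unix_time) // step, digits)


def hash_pin(pin, salt):
    """Store the PIN only as a salted, slow hash; PINs are short and guessable."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class TokenVerifier:
    """Server side of PIN + token-code authentication for one user.

    window: steps of clock drift tolerated either side of the server's time.
    last_counter: highest step already accepted, so an accepted code cannot be
    replayed while it is still inside the drift window."""

    def __init__(self, secret, pin_salt, pin_hash, step=60, digits=6, window=1):
        self.secret = secret
        self.pin_salt = pin_salt
        self.pin_hash = pin_hash
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, submitted_pin, submitted_code, now=None):
        now = time.time() if now is None else now
        pin_ok = hmac.compare_digest(
            hash_pin(submitted_pin, self.pin_salt), self.pin_hash)
        current = int(now) // self.step
        matched = None
        for counter in range(max(0, current - self.window), current + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), submitted_code):
                matched = counter
        # Both factors are evaluated before deciding, so a failure does not
        # reveal which of the two was wrong.
        if not pin_ok or matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    # Constructed seed and PIN; the seed is the RFC 6238 test-vector secret.
    seed = b"12345678901234567890"
    salt = b"constructed-per-user-salt"
    verifier = TokenVerifier(seed, salt, hash_pin("1234", salt))
    now = time.time()
    print("token shows:", totp(seed, now))
    print("login ok:", verifier.verify("1234", totp(seed, now), now))
```

The same verify call is the natural place to write the remote-access log entry the text asks for: record the account, the outcome and the server time for every attempt, whether it succeeds or not.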
