Chapter 2 Control, Audit and Security of Information System

Chapter 2 discusses the control, audit, and security of information systems, emphasizing the importance of systematic controls to ensure data reliability and protect against various threats. It outlines the objectives of control, types of controls, and the significance of the CIA triad (Confidentiality, Integrity, Availability) in information security. The chapter also covers security threats, risk management, and the layered security strategy necessary to safeguard information systems.
Chapter 2: Control, Audit and Security of Information System
Keshav Raj Joshi

Control of information system
Controls:
• Methods, policies, and organizational procedures that ensure the safety of the organization's assets, the accuracy and reliability of its accounting records, and operational adherence to management standards
• A method of ensuring that a system processes data as designed and that all data is included and correct
Motivation for Control
• It is very important to ensure the reliability of the reports produced by an information system
• If users see that the reports are unreliable, the entire credibility of the system is lost
• Ensuring reliability is not difficult for small systems, but it is a challenge when a system has to handle massive data
• Systematic controls are thus essential when a system is designed
• Information systems handle massive amounts of data; accidents such as omitting some data can cause serious damage
• Incorrect data entry can lead to high monetary losses
• Credibility in the information system may be lost if errors are found in operational systems
Objectives of Control
• To make sure data entering the computer are correct
• To check clerical handling of data before it is input to a computer
• To provide means of detecting and tracing errors which occur due to bad data or bad programs
• To ensure legal requirements are met
• To guard against frauds
Controlling Information System
• There are numerous threats to Information Systems:
  ▪ Hardware failures
  ▪ Software failures
  ▪ Upgrade issues
  ▪ Disasters
  ▪ Malicious intent
• To minimise the likelihood of threats, the environment in which Information Systems are developed and deployed must be controlled
• Controls are put in place to:
  ▪ Manually control the environment of Information Systems
  ▪ Automatically add controls to Information Systems
• Controls are implemented through:
  ▪ Policies
  ▪ Procedures
  ▪ Standards
Types of Control
1. General Control
• Governs the design, security, and use of computer programs
• Governs the security of data files in general throughout the organization's information technology infrastructure

Types of General Control
a) Software Control: Monitor the use of system software and prevent unauthorized access to software programs, system software, and computer programs.
b) Hardware Control: Ensure that computer hardware is physically secure and check for equipment malfunction. Hardware is protected against fires, extremes of temperature, humidity etc.
c) Computer Operations Control: Ensure that programmed procedures are consistently and correctly applied to the storage and processing of data.
d) Data Security Control: Ensure that valuable business data files on either disk or tape are not subject to unauthorized access, change, or destruction while they are in use or in storage.
e) Implementation Controls: Audit the systems development process at various points to ensure that the process is properly controlled and managed.
f) Administrative Control: Formalize standards, rules, procedures, and control disciplines to ensure that the organization's general and application controls are properly executed and enforced.
2. Application Control
Specific controls for each application
• Input controls
  ▪ Data is accurate and consistent on entry
  ▪ Direct keying of data, double entry or automated input
  ▪ Data conversion, editing and error handling
  ▪ Field validation on entry
  ▪ Input authorisation and auditing
  ▪ Checks on totals to catch errors
• Processing controls
  ▪ Data is accurate and complete on processing
  ▪ Checks on totals to catch errors
  ▪ Comparison to master records to catch errors
  ▪ Field validation on update
• Output controls
  ▪ Data is accurate, complete and properly distributed on output
  ▪ Checks on totals to catch errors
  ▪ Review of processing logs
  ▪ Tracking recipients of data
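The input and processing controls listed above, worked through on a constructed payroll batch (an added example, not part of the slides): per-field validation on entry, a record-count and hash-total check against the batch header prepared at the clerical stage, and a comparison with master records during processing. The master file, employee-id format and hour limits are assumptions made for the illustration.

```python
"""Application controls over a constructed batch of 'emp_id,hours' records:
field validation on entry, batch totals against the header, and a
processing-stage check against master records."""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation
import re

# Constructed master file: employee id -> (name, max permitted hours per period)
MASTER = {
    "E1001": ("A. Sharma", Decimal("80")),
    "E1002": ("B. Karki", Decimal("80")),
    "E1003": ("C. Thapa", Decimal("40")),
}
EMP_ID_RE = re.compile(r"^E\d{4}$")   # assumed id format


@dataclass
class BatchResult:
    accepted: list = field(default_factory=list)  # records that passed every check
    errors: list = field(default_factory=list)    # (line_no, message); line 0 = batch level


def validate_field(line_no, rec, errors):
    """Input control: validate each field of one keyed record.
    Returns (emp_id, hours) or None, recording the reason for tracing."""
    parts = rec.split(",")
    if len(parts) != 2:
        errors.append((line_no, "wrong field count"))
        return None
    emp_id, hours_txt = (p.strip() for p in parts)
    if not EMP_ID_RE.match(emp_id):
        errors.append((line_no, f"bad employee id {emp_id!r}"))
        return None
    try:
        hours = Decimal(hours_txt)
    except InvalidOperation:
        errors.append((line_no, f"hours not numeric {hours_txt!r}"))
        return None
    if hours <= 0:
        errors.append((line_no, "hours must be positive"))
        return None
    return emp_id, hours


def process_batch(header, records):
    """header: (declared_record_count, declared_hash_total_of_hours) from the
    clerical stage; records: the 'emp_id,hours' lines actually keyed in."""
    result = BatchResult()
    declared_count, declared_hash = header
    parsed = []
    for n, rec in enumerate(records, start=1):
        p = validate_field(n, rec, result.errors)
        if p:
            parsed.append((n, *p))
    # Input control: batch totals must agree with what the clerk declared, so a
    # dropped, duplicated or mis-keyed record is caught before any processing.
    if len(records) != declared_count:
        result.errors.append((0, f"record count {len(records)} != declared {declared_count}"))
    hash_total = sum(h for _, _, h in parsed)
    if hash_total != Decimal(declared_hash):
        result.errors.append((0, f"hash total {hash_total} != declared {declared_hash}"))
    # Processing control: compare each valid record with the master file.
    for n, emp_id, hours in parsed:
        if emp_id not in MASTER:
            result.errors.append((n, f"{emp_id} not on master file"))
            continue
        if hours > MASTER[emp_id][1]:
            result.errors.append((n, f"{emp_id}: {hours}h exceeds limit"))
            continue
        result.accepted.append((emp_id, hours))
    return result
```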
Security of Information System
What is Security?
• The quality or state of being secure: to be free from danger
• To be protected from adversaries
• Multiple layers of security:
  ▪ Physical security
  ▪ Personal security
  ▪ Operations security
  ▪ Communications security
  ▪ Network security

What Is Information Security?
• Three widely accepted elements or areas of focus (referred to as the "CIA Triad"):
  ▪ Confidentiality
  ▪ Integrity
  ▪ Availability (Recoverability)
• Includes Physical Security as well as Logical Security
• Necessary tools: policy, awareness, training, education, technology
Motivation for Security
• Systems contain sensitive data about the organization and also about persons working in the organization
• Sensitive data should be protected from spies, thieves or disgruntled employees
• Thus access should be carefully controlled and provided only on a need-to-know basis
• When computers are networked, corruption may take place due to viruses
• Services may be disrupted due to denial of service attacks
• Thus systems should be designed with appropriate security measures
CIA Triad
• Confidentiality: Making sure that those who should not see information cannot see it
• Integrity: Making sure that the information hasn't been changed from its original form
• Availability: Making sure that the information is available for use when you need it
• Information can exist:
  ▪ Printed or written on paper
  ▪ Stored electronically
  ▪ Transmitted by post or using electronic means
  ▪ Shown on corporate videos
  ▪ Displayed / published on the web
  ▪ Verbal: spoken in conversations

Security breaches lead to…
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal actions (Cyber Law)
• Loss of customer confidence
• Business interruption costs
• Loss of goodwill
Information Security Components
• People: "Who we are": those who use or interact with the information
• Process: "What we do": the processes refer to "work practices" or workflow. Processes are the repeatable steps to accomplish business objectives.
• Technology: "what we use to improve what we do"
  ▪ Network infrastructure
  ▪ Application software
  ▪ Physical security components
  ▪ Access devices
Risk, Threat and Vulnerability
• Risk: A possibility that a threat exploits a vulnerability in an asset and causes damage or loss to the asset.
• Threat: Something that can potentially cause damage to the organization, IT systems or network.
• Vulnerability: A weakness in the organization, IT systems, or network that can be exploited by a threat.

Relationship between Risk, Threats, and Vulnerabilities (diagram, rendered as text):
• Threats exploit Vulnerabilities, which expose Information assets
• Risk is the result of threats exploiting vulnerabilities in those assets
• Controls* reduce Risk
• Protection requirements follow from Asset values
* Controls: A practice, procedure or mechanism that reduces risk

Threat Vectors (slide consists of a diagram; no text recoverable)
Security Threats: Malware
• Software programs designed to damage or perform other unwanted actions on a computer system
• Includes computer viruses, worms, Trojan horses, spyware, dishonest adware, crimeware, most rootkits
• Viruses: need a host, copy themselves, executable
• Worms: no host, copy themselves, executable
• Trojan Horses: no host, do not copy themselves
• Spyware: watches what users do with their computer and then sends that information over the internet
• Adware: automatically plays, displays, or downloads advertising material to a computer
• Crimeware: designed to carry out or facilitate illegal online activity
• Rootkits: give a threat actor remote access to and control over a computer or other system
SSL Certificate
Secure Sockets Layer (SSL)
• Is the standard security technology for establishing an encrypted link between a web server and a browser.
• Ensures that the data passed between web server and browser remain private and secure.
• If you want to activate SSL on your web server you will be prompted to complete a number of questions about the identity of your website and your company. Your web server then creates two cryptographic keys: a Private Key and a Public Key.
• All browsers have the capability to interact with secured web servers using the SSL protocol.
• However, the browser and the server need what is called an SSL Certificate to be able to establish a secure connection.

The lock icon: SSL indicator
• Intended goal:
  ▪ Provide the user with the identity of the page origin
  ▪ Indicate to the user that page contents were not viewed or modified by a network attacker
SSL overview
Public-key encryption (diagram, rendered as text):
• Bob generates a key pair (SK_Bob, PK_Bob)
• Alice encrypts the message m with PK_Bob: c = Enc(PK_Bob, m)
• Only Bob can decrypt: m = Dec(SK_Bob, c)

Brief overview of SSL (handshake diagram, rendered as text):
• browser → server: client-hello
• server → browser: server-hello + server-cert (PK); the server holds the matching SK
• key exchange (several options); the one shown: the browser picks a random k and sends client-key-exchange: E(PK, k), which the server decrypts with SK to obtain k
• Finished
• HTTP data encrypted with KDF(k)
• Most common: server authentication only
1. Browser connects to a web server (website) secured with SSL (https). Browser requests that the server identify itself.
2. Server sends a copy of its SSL Certificate, including the server's public key.
3. Browser checks the certificate root against a list of trusted CAs and that the certificate is unexpired, unrevoked, and that its common name is valid for the website that it is connecting to. If the browser trusts the certificate, it creates, encrypts, and sends back a symmetric session key using the server's public key.
4. Server decrypts the symmetric session key using its private key and sends back an acknowledgement encrypted with the session key to start the encrypted session.
5. Server and Browser now encrypt all transmitted data with the session key.
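Step 3 of the handshake, worked through as an added example that is not part of the slides: the checks a browser performs on the certificate chain (trusted root, unbroken issuer chain, validity period, revocation, and hostname match) before it trusts the server's public key. Certificates are represented as plain dicts and the trust store, revocation list and chain are constructed; a real client parses X.509 and verifies each issuer signature, which this sketch assumes has already been done.

```python
"""Browser-side certificate chain checks before trusting a server's public key.
Certificates are constructed dicts; signature verification is assumed done."""
from datetime import datetime, timezone

# Constructed stand-ins for the browser's root store and CRL/OCSP data.
TRUSTED_ROOTS = {"Example Root CA"}
REVOKED_SERIALS = {"0x1a2b"}


def hostname_matches(pattern, host):
    """RFC 6125-style match: exact, or one '*' covering exactly one label in the
    left-most position (*.example.com matches www.example.com but not
    example.com or a.b.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def validate_chain(chain, host, now=None):
    """chain[0] is the server certificate, chain[-1] the root. Returns a list of
    failure reasons; an empty list means the browser may trust the public key."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if chain[-1]["subject"] not in TRUSTED_ROOTS:          # root in trust store?
        problems.append("root not trusted")
    for child, parent in zip(chain, chain[1:]):            # each link names its issuer
        if child["issuer"] != parent["subject"]:
            problems.append(f"broken chain at {child['subject']}")
    for cert in chain:                                     # unexpired and unrevoked
        if not (cert["not_before"] <= now <= cert["not_after"]):
            problems.append(f"{cert['subject']} expired or not yet valid")
        if cert["serial"] in REVOKED_SERIALS:
            problems.append(f"{cert['subject']} revoked")
    # Name check: subject alternative names first, common name only as fallback.
    names = chain[0].get("san") or [chain[0]["subject"]]
    if not any(hostname_matches(n, host) for n in names):
        problems.append(f"name mismatch for {host}")
    return problems


VALID_AT = datetime(2025, 6, 1, tzinfo=timezone.utc)   # instant inside the sample validity


def sample_chain():
    """Constructed three-link chain for www.example.com (not a real certificate)."""
    def cert(subject, issuer, serial, san=None):
        return {"subject": subject, "issuer": issuer, "serial": serial,
                "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
                "not_after": datetime(2026, 1, 1, tzinfo=timezone.utc),
                "san": san}
    return [cert("www.example.com", "Example Intermediate CA", "0x0c01",
                 san=["www.example.com", "*.example.com"]),
            cert("Example Intermediate CA", "Example Root CA", "0x0b01"),
            cert("Example Root CA", "Example Root CA", "0x0a01")]
```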
Why is HTTPS not used for all web traffic?
• Slows down web servers
• Breaks Internet caching
  ▪ ISPs cannot cache HTTPS traffic
  ▪ Results in increased traffic at the web site
• Incompatible with virtual hosting (older browsers): hosting hundreds of virtual web servers on the same physical server slows down traffic
• Cost
Extended Validation (EV) Certificate
• EV certificates are single-domain SSL certificates that offer the highest degree of authentication and SSL protection.
• Increase customer confidence and conversions with the highest degree of authentication available.
• To ensure this, they require more evaluation and documentation checks for applicant websites than other certificate types:
  ▪ The legal, physical, and operational existence of the entity
  ▪ That the entity has properly authorized the issuance of the certificate
  ▪ That the entity has exclusive right to use the domain specified
  ▪ The identity of the entity matches official records

How can I recognize websites using EV SSL Certificates?
• A website using an EV SSL Certificate will activate highly visible indicators directly on the browser address bar:
  ▪ The name of the Organization that owns the website and the name of the Certification Authority that issued the EV SSL Certificate.
So what's wrong with the old SSL certificates?
• Technically there is nothing wrong with the old SSL certificates. Since they use the same data encryption, both certificate types will allow you to securely transfer data between two end points.
• That brings us to the problem of who is on the other end: How do your customers know it's really you?
• In the early days of the web, SSL Certificates were only issued to a real business or individual. Before issuing you an SSL Certificate, the CA would verify your domain ownership, business registration and address, phone number, and other pertinent information. But there was no standard in place to make them verify all those details.
• In recent years, some CAs began to offer low-cost certificates with "domain only" validation. These types of SSL certificates typically only verify the control/registration of your web site's domain (often a simple check of the whois record).
• Then phishing sites burst onto the scene. Here's a typical story:
  ▪ A criminal buys the domain paypa1.com (note the number 1) and sets up a web page that looks just like the login page to PayPal. Then an email is sent out telling people that for some reason or other they need to log in to their account by clicking on a link provided in the email. Unsuspecting users click the link and send their login information to paypa1.com (this is known as Phishing). The bad guys then use this login information to steal, by making online purchases, transferring money to their accounts, etc.
• The first round of Phishing attacks did not include the use of SSL Certificates and Site Seals, probably because it was easy enough to get people to "login" over a standard http (non-secured) connection. But as people became more wary of online scams, the Phishers adapted by purchasing easy-to-acquire "domain-only" SSL Certificates, giving them the appearance of a trusted third-party endorsement that helped to establish the falsified web site as being authentic.
• Unfortunately, all previous versions of web browsers could not distinguish between fully validated SSL Certificates and the cheaper "domain-only" type, providing no reasonable method for Internet users to know if that little gold padlock in their browser was issued to an accountable party on the other side. Thus came the need for a High Assurance (standards based) EV SSL Certificate.
Enterprise layered security strategy
• Layered security refers to security systems that use multiple components to protect operations on multiple levels, or layers.
• The term can also be related to the term defense in depth.
• The idea behind layered security is that, in order to protect systems from a broad range of attacks, using multiple strategies will be more effective.
• Layered security efforts attempt to address problems with different kinds of hacking or phishing, denial of service attacks and other cyberattacks, as well as worms, viruses, malware and other kinds of more passive or indirect system invasions.
• Each individual layer in a multi-layered security approach focuses on a specific area where the malware could attack.
Security:
• Proactive security: is designed to stop threats before they start.
• Detective security: is designed to catch emerging threats as they pop up.
• Reactive security: is designed to recover systems and data quickly if a threat manages to circumvent other security measures.
• Multilayer security covers all of proactive security, detective security and reactive security.
Various Security Layers
• Email security and archiving: Email-borne attacks come in the form of phishing, spear-phishing, Trojans, malicious attachments, and hidden scripts. Attack techniques are ever-evolving and adapt with technology in an effort to stay ahead of security professionals—driving malware authors to become very good at what they do.
• Network Virtualization: to segregate the physical network into multiple virtual networks to support multiple security levels
• Web application firewalls: filter the content of specific web applications to protect any applications that are running.
  ▪ They prevent attacks that originate from security flaws in web applications.
• Network Access Control (NAC):
  ▪ User/Host Authentication: the network should be able to authenticate the user (or at least the host) onto the network.
  ▪ Host Posture Verification: the ability to make sure that the host posture (virus definitions, patches, firewalls, etc.) matches the policy of the network for which it is destined.
  ▪ Host Remediation: the placement of the host into the correct network
NAC cycle (diagram, rendered as text). First, establish ACCESS POLICIES. Then:
  ▪ Authenticate & Authorize: enforces authorization policies and privileges; supports multiple user roles
  ▪ Quarantine & Enforce: isolate non-compliant devices from the rest of the network; MAC- and IP-based quarantine effective at a per-user level
  ▪ Scan & Evaluate: agent scan for required versions of hotfixes, AV, etc.; network scan for virus and worm infections and port vulnerabilities
  ▪ Update & Remediate: network-based tools for vulnerability and threat remediation; help-desk integration
  LIMITED COMPLIANCE = LIMITED NETWORK ACCESS
• Patch Management: Cyber attackers typically search for unpatched vulnerabilities.
  ▪ Patch management covers the regular identification of missing patches, and finding, downloading and installing the patches.
• Antivirus Software: used to prevent, detect, and remove malware.
• Biometrics: used for authentication
• Firewalls: control and monitor incoming and outgoing network traffic to protect the infrastructure and operating system that a service is running on
  ▪ Basically a barrier between internal and external networks
• Security information and event management (SIEM):
  ▪ Provides real-time analysis of security alerts generated by applications and network hardware
  ▪ Vulnerability management and policy-compliance tool
  ▪ Makes it easy to use logs for security, compliance, and troubleshooting
  Capabilities:
  ▪ Data Aggregation: aggregates data from many sources, including network, security, servers, databases, applications
  ▪ Correlation: looks for common attributes, and links events together into meaningful bundles
  ▪ Compliance: gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes
  ▪ Forensic analysis
  ▪ Dashboards
  ▪ Alerting
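The SIEM aggregation and correlation capabilities above, shown in working form as an added example that is not part of the slides: two constructed log sources (an sshd-style authentication log and a firewall log) are normalised into one event stream on common attributes, then a correlation rule bundles a run of failed logins from one address followed by a success (the "guessing passwords" intrusion case) into a single alert. The log formats, addresses and thresholds are constructed for the illustration.

```python
"""SIEM-style data aggregation and correlation over constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the formats mimic sshd and a generic firewall log.
AUTH_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for admin from 203.0.113.7 port 50110
2024-05-01T10:00:03 sshd: Failed password for admin from 203.0.113.7 port 50112
2024-05-01T10:00:05 sshd: Failed password for root from 203.0.113.7 port 50114
2024-05-01T10:00:06 sshd: Failed password for admin from 203.0.113.7 port 50116
2024-05-01T10:00:09 sshd: Accepted password for admin from 203.0.113.7 port 50118
2024-05-01T10:05:00 sshd: Failed password for bob from 198.51.100.4 port 40001
2024-05-01T10:30:00 sshd: Accepted password for bob from 198.51.100.4 port 40002
"""
FW_LOG = """\
2024-05-01T09:59:58 fw: ALLOW TCP 203.0.113.7:50110 -> 10.0.0.5:22
2024-05-01T10:00:08 fw: ALLOW TCP 203.0.113.7:50118 -> 10.0.0.5:22
"""

AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+) port")
FW_RE = re.compile(r"^(\S+) fw: (ALLOW|DENY) TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)")


def aggregate(auth_text, fw_text):
    """Data aggregation: normalise both sources into events that share the
    attributes time, source, src_ip and outcome, sorted by time."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "source": "sshd",
                           "src_ip": ip, "user": user,
                           "outcome": "fail" if outcome == "Failed" else "success"})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, port = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "source": "fw",
                           "src_ip": src, "dst": f"{dst}:{port}",
                           "outcome": action.lower()})
    return sorted(events, key=lambda e: e["time"])


def correlate_password_guessing(events, threshold=3, window=timedelta(minutes=2)):
    """Correlation rule: at least `threshold` failed logins from one address
    inside `window`, followed by a success from the same address, become one
    alert that also bundles the firewall events seen from that address."""
    by_ip = defaultdict(list)
    for e in events:
        if e["source"] == "sshd":
            by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        fails = []
        for e in evs:
            fails = [t for t in fails if e["time"] - t <= window]   # slide the window
            if e["outcome"] == "fail":
                fails.append(e["time"])
                continue
            if len(fails) >= threshold:
                related_fw = [x for x in events if x["source"] == "fw" and x["src_ip"] == ip]
                alerts.append({"rule": "password-guessing-then-success", "src_ip": ip,
                               "user": e["user"], "failures": len(fails),
                               "firewall_events": len(related_fw), "time": e["time"]})
            fails = []   # a success resets the run either way
    return alerts
```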
• Intrusion Detection System (IDS): the process of monitoring the events occurring in your network and analyzing them for signs of possible incidents or violations
• Intrusion Prevention System (IPS): the process of performing intrusion detection and then stopping the detected incidents.
• Intrusion examples:
  ▪ Web server defacement
  ▪ Guessing/cracking passwords
  ▪ Viewing sensitive data without authorization
  ▪ Impersonating an executive to get information
  ▪ Using an unattended workstation
• NIDS:
  ▪ Placed in the network to monitor traffic to and from all devices on the network.
  ▪ Performs analysis of traffic and matches the traffic that is passed on the subnets to the library of known attacks
• HIDS:
  ▪ Runs on individual hosts or devices on the network
  ▪ It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, an alert is sent to the administrator to investigate
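The HIDS snapshot comparison described above, as an added example that is not part of the slides: take a snapshot mapping each monitored file to its SHA-256 digest, then compare a later snapshot against it and raise an alert for every file that was modified, deleted or (going slightly beyond the slide) newly added. The demo builds a few constructed "system files" in a temporary directory so it runs anywhere.

```python
"""Host-based file-integrity check: baseline snapshot vs. current snapshot."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def compare(baseline, current):
    """Return sorted alerts (kind, path), kind in {'modified', 'deleted', 'added'}."""
    alerts = []
    for path, digest in baseline.items():
        if path not in current:
            alerts.append(("deleted", path))
        elif current[path] != digest:
            alerts.append(("modified", path))
    for path in current:
        if path not in baseline:
            alerts.append(("added", path))
    return sorted(alerts)


def demo():
    """Constructed scenario: baseline three files, then simulate tampering
    and return the alerts the administrator would receive."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "login").write_bytes(b"\x7fELF-constructed")
        baseline = snapshot(root)
        # Changes made after the baseline was taken (constructed).
        (root / "etc" / "passwd").write_text("root:x:0:0\nnewuser:x:1001:1001\n")
        (root / "etc" / "hosts").unlink()
        (root / "bin" / "extra").write_bytes(b"\x7fELF-new")
        return compare(baseline, snapshot(root))
```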
• Digital Certificate:
  ▪ A means by which consumers and businesses can utilise the security applications of Public Key Infrastructure (PKI)
  ▪ PKI comprises the technology that enables secure e-commerce and Internet-based communication.
  ▪ e.g. used in remittance
• Data encryption
• Privacy control
• Anti-spam and spam filters

Other Security Measures for Enterprise:
• A security incident response capability shall be developed to assist with detection of and response to IT-related problems.
• Regular vulnerability assessments and penetration testing.
• Security training and awareness for IT staff
• Employee background checks and confidentiality agreements
• System hardening
• Documented disaster recovery and business continuity plan
Consumer layered Security strategy
• Good password management: passwords changed, never reused, difficult to guess, and containing a long combination of letters, numbers, and other characters.
• Workstations shall be either logged off or shut down when not in use.
• Automatic inactivity locking shall be enabled
• Confidential data shall only be shared with authorized personnel
• Installation of authorized software only
• Web browser security
• Antivirus
• Antimalware
• Firewall
• Backup
• Operating system updates
Business intelligence
• Business Intelligence is the processes, technologies, and tools that help us change data into information, information into knowledge and knowledge into plans that guide the organization
• Technologies for gathering, storing, analyzing and providing access to data to help enterprise users make better business decisions
• Business intelligence (BI) is a set of theories, methodologies, architectures, and technologies that transform raw data into meaningful and useful information for business purposes.
Why BI?
• What happened?
  ▪ What were our total sales this month?
• What's happening?
  ▪ Are our sales going up or down? Trend analysis
• Why?
  ▪ Why have sales gone down?
• What will happen?
  ▪ Forecasting & what-if analysis
• What do I want to happen?
  ▪ Planning & targets
Characteristics of BI
• Single point of access to information
• Timely answers to business questions
• Using BI in all departments of an organization
Key Stages of BI
• Data Sourcing
• Data Analysis
• Situation Awareness
• Risk Analysis
• Decision Support
BI Applications and technologies can help to analyze:
• Changing trends in market share
• Changes in customer behavior and spending patterns
• Customer preferences
• Company capabilities
• Market conditions
Significance of BI
• Companies need to have accurate, up-to-date information on customer preferences, so that the company can quickly adapt to their changing demands
• BI applications can also help managers to be better informed about actions that a company's competitors are taking
• It helps analysts and managers to determine which adjustments are most likely to respond to changing trends
• IT can help companies develop more consistent, data-based decisions, which can produce better results than making business decisions by "guesswork"
Where is Business Intelligence applied?
Operational Efficiency:
• ERP Reporting
• Product Profitability
• Risk Management
• Balanced Scorecard
• Activity Based Costing
• Global Sourcing
• Logistics
Customer Interaction:
• Sales Analysis
• Sales Forecasting
• Segmentation
• Cross-selling
• CRM Analytics
• Campaign Planning
• Customer Profitability
Remote Access Authentication
• With a remote access connection, employees can access the corporate remote access server and log in to the network with their regular user account.
• Employees can then use all the resources that would be available from the office desktop computer
• Types:
  ▪ Dial-up remote access
  ▪ VPN remote access
• Dial-up Remote Access: comprises remote access clients, a remote access server (RAS), and some telecommunication infrastructure (typically, an analog phone line). A remote client uses the telecommunication infrastructure to create a temporary physical or virtual circuit to a port on the RAS. After the circuit is created, the connection parameters are set. If the RAS and remote access clients are not located in a local telecommunication boundary, incremental long distance charges are incurred. Even though it has limited scalability, this solution is good for corporations that have a low requirement for remote access.
• VPN Remote Access: a VPN remote access connection between a user and the enterprise data center consists of a VPN client, a VPN device or server, and the Internet. When a client accesses the Internet through a local ISP, a virtual point-to-point connection is created with a RAS acting as the VPN server. Once this connection is created, the parameters for the VPN connection can be set and a VPN tunnel established with the VPN device or server to access enterprise resources. In this case, the client is not required to dial long distance.
(Figure: Dial-In Equipment and WAN Infrastructure for PSTN Connections)
Remote Access Security: AAA
• Authentication:
  ▪ The process of verification to gain access is called authentication
  ▪ May be one-factor, two-factor, or three-factor
  ▪ The user may then be able to execute commands on that server
• Authorization:
  ▪ The server uses a process called authorization to determine which commands and resources should be made available to that particular user.
  ▪ Authorization asks the question, "What privileges does this user have?"
• Accounting:
  ▪ Finally, the number of login attempts, the specific commands entered, and other system events can be logged and time-stamped by the accounting process.
  ▪ Accounting can be used to trace a problem, such as a security breach, or it may be used to compile usage statistics or billing data.
  ▪ Accounting asks the questions, "What did this user do and when was it done?"
AAA advantages
AAA provides scalability.
• Typical AAA configurations rely on a server or group of servers to store usernames and passwords.
• This means that local databases do not have to be built and updated on every router and access server in the network.
• Instead, the routers in the network become clients of these security servers.
• By centralizing the username/password database, AAA makes it possible to enter, update, and store information in one place.
AAA supports standardized security protocols, specifically TACACS+, RADIUS, and Kerberos.
• TACACS+ (Terminal Access Controller Access-Control System Plus)
  ▪ A security application used with AAA that provides centralized validation of users attempting to gain access to a router or network access server.
  ▪ A protocol developed by Cisco
• RADIUS (Remote Authentication Dial-In User Service)
  ▪ A distributed client/server system used with AAA that secures networks against unauthorized access.
  ▪ This central server contains all user authentication and network service access information.
• Kerberos
  ▪ A secret-key network authentication protocol used with AAA that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication.
Content control and policy based encryption
• Email is a widely accepted method for sharing information with partners and customers. However, a single email containing sensitive or confidential business information could put your entire organization at risk. Failure to protect this information can be costly: investigating a breach, settling legal issues, and paying fines from industry regulators can seriously harm your company.
• Automatically safeguard the security and privacy of sensitive data you exchange with customers and business partners via email
• The service lets you create and enforce flexible rules in accordance with your policies.
• Create encryption policies:
  ▪ Build flexible policies to scan email attachments, header, subject, or body
  ▪ Design policies to look for: sender and recipient identity; words, phrases, numerical data templates; email attributes such as priority and urgency; attachment attributes such as name and type
• Scan and encrypt:
  ▪ Scan for viruses, spam, or inappropriate images, if policy is configured accordingly
  ▪ Scan message content and attachments against specified policies
  ▪ Automatically encrypt and deliver mails which trigger encryption policies
  ▪ Deliver all other emails as normal, unencrypted
• Access email:
  ▪ Unencrypted emails are accessed as normal via the recipient's inbox
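The policy-based encryption decision outlined above, as an added example that is not part of the slides: rules look at recipient identity, words and phrases, a numerical data template (a card-number pattern confirmed with the Luhn check digit, so an ordinary order number does not trigger it), attachment name/type and the priority attribute; any hit routes the message to encryption, everything else is delivered as normal. The internal domain, phrase list, rule names and sample messages are constructed for the illustration.

```python
"""Policy-based email encryption gateway decision over constructed messages."""
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipients: list
    subject: str
    body: str
    attachments: list = field(default_factory=list)   # attachment file names
    priority: str = "normal"


CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")                 # numerical data template
PHRASES = ("confidential", "salary", "account statement")         # constructed word list
EXTERNAL_RECIPIENT = re.compile(r"@(?!corp\.example$)", re.I)     # constructed internal domain
SENSITIVE_EXT = (".xls", ".xlsx", ".csv", ".pdf")                 # attachment types of interest


def luhn_ok(number):
    """Luhn check digit: true for well-formed payment card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def evaluate(msg):
    """Return the names of the encryption policies the message triggers."""
    hits = []
    text = f"{msg.subject}\n{msg.body}".lower()
    external = [r for r in msg.recipients if EXTERNAL_RECIPIENT.search(r)]
    # Numerical data template: a card-like number that passes the Luhn check.
    if any(luhn_ok(m.group()) for m in CARD_RE.finditer(msg.body)):
        hits.append("card-number-template")
    # Words/phrases combined with recipient identity.
    if external and any(p in text for p in PHRASES):
        hits.append("confidential-phrase-to-external")
    # Attachment attributes (name/type) combined with recipient identity.
    if external and any(a.lower().endswith(SENSITIVE_EXT) for a in msg.attachments):
        hits.append("sensitive-attachment-to-external")
    # Email attribute (priority) combined with content and recipient.
    if msg.priority == "urgent" and external and "invoice" in text:
        hits.append("urgent-invoice-to-external")
    return hits


def route(msg):
    """'encrypt' when any policy fires, otherwise deliver as normal."""
    return "encrypt" if evaluate(msg) else "deliver"
```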
Example of security in e-Commerce Transaction
• e-Commerce
  ▪ Trade between two parties, where the exchange is negotiated under a set of mutually accepted conditions, so both parties emerge satisfied with the result.
  ▪ Depends on whether the two parties trust each other
  ▪ Types: business to business; business to consumer; consumer to consumer; consumer to business
• Security is an essential part of any transaction that takes place over the internet. Customers will lose faith in an e-business if its security is compromised. Following are the essential requirements for safe e-payments/transactions:
  ▪ Confidentiality: Information should not be accessible to an unauthorized person. It should not be intercepted during transmission.
  ▪ Integrity: Information should not be altered during its transmission over the network.
  ▪ Availability: Information should be available wherever and whenever required within a specified time limit.
  ▪ Authenticity: There should be a mechanism to authenticate a user before giving him/her access to the required information.
  ▪ Non-Repudiability: Protection against the denial of order or denial of payment. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of a message should not be able to deny the receipt.
  ▪ Encryption: Information should be encrypted and decrypted only by an authorized user.
  ▪ Auditability: Data should be recorded in such a way that it can be audited for integrity requirements.
Security threats to e-commerce
1. Client computer threats
• Trojan horse
• Viruses
• Worms
2. Communication channel threats
• Sniffer program
• Backdoor
• Spoofing
• Denial-of-service
3. Server threats
• Privilege setting
• SQL injection, XSS
• Spamming

Security
• Client security: techniques and practices that protect user privacy and the integrity of the computing system.
• Server security: protect the web server, software and associated hardware from break-ins, vandalism and DoS attacks.
• Communication security: guarantee protection against eavesdropping and intentional message modification (tapping, intercepting, diverting)
Security Issues in E-Commerce
1. Malicious Code: includes a variety of threats such as viruses, worms, Trojan horses etc.
2. Unwanted programs: programs installed without the user's consent.
  ▪ Browser parasites: programs used to monitor and change the settings of a user's browser
  ▪ Adware: unwanted pop-up ads; Spyware: programs used to obtain personal information
3. Phishing and Identity theft: refers to any deceptive, online attempt by a third party to obtain confidential information for financial gain.
4. Hacking
5. Credit Card Fraud: refers to the use of stolen data to establish credit under a false identity.
6. Spoofing: hackers hide their identity, misrepresenting themselves by using fake email addresses or masquerading as someone else; this threatens the integrity and authenticity of the hacked website
7. DoS (Denial of Service): hackers flood a website with useless traffic to overwhelm the network.
8. DDoS (Distributed Denial of Service): hackers use numerous networks from numerous launch points to send useless traffic to a website. This may cause a complete shutdown, making it impossible for users to access the website.
9. Sniffing: a sniffer is a type of eavesdropping application that monitors information travelling over the network. It enables hackers to steal proprietary information from anywhere on a network, including email, files, reports etc.
10. Insider jobs: involves poorly designed server and client software and the complexity of programs, which increase vulnerabilities for hackers to exploit.
Defensive measures against Security Issues in E-commerce
1. Use of Secure Socket Layer (SSL)
2. Secure hypertext transfer protocol: an obsolete alternative to the HTTPS protocol for encrypting web communications carried over HTTP
3. Encryption
4. Server protection
  ▪ Access control and authentication, digital signature from user, username and password, access control list
5. Digital Signature: a signature in encrypted electronic code which is encrypted by the sender with his private key and can be decrypted only with the public key of the sender (by the receiver).
6. Use of Firewalls
7. Client computer protection: browser protection, antivirus software, user awareness, use of updated applications
Audit of Information System
Overview
• IS Audit Process
• Common IS Audit Observations
• So What Should We Do
Motivations For Audit
◼ Many organizations are now entirely dependent on computer-based information systems
▪ These information systems contain financial data and other critical procedures
▪ It is essential to protect the systems against frauds and ensure that sound accounting practices are followed
▪ It is necessary to trace the origin and fix responsibilities when frauds occur
▪ The primary purpose of audit methods is to ensure this.

Audit Process (cycle diagram, rendered as text): Planning → Testing → Reporting → Follow-up → back to Planning
Planning
• Understand the client's business and industry
• Define the scope
• Preliminary audit plan
• Staffing/timing
• Notification and request for information
• Understand risks and controls
Testing
• Security
• Backup & Recovery
• Resource Management
• Web Site
• Policies/Procedures
Illustration of Test Data Approach (diagram, rendered as text)
• Auditors prepare test transactions and manually compute the expected results
• Computer operations process the test transactions through the computer application system
• The auditor compares the computer-processed output with the manually computed results
Security Testing: Remote Vulnerability Scans (diagram, rendered as text)
• If it's on the network (servers, printers, routers, workstations, laptops), the auditor scans it!
• Tools: Nmap & Nessus
Security Testing: On-Site, Follow-up Vulnerability Tests
• Test of computers that may have security vulnerabilities (workstations, laptops, servers)
• Tools: CIS Tools & Benchmarks, WinAudit
Backup & Recovery Testing
• The company must have effective controls to back up and recover "critical data"
Resource Management Testing
• Computer hardware & software: procurement through surplus
Web Site Testing
• Privacy statement
• Web server & application security
• Mailto links
• Test cookies
• Checking for syntax errors
Reporting
• Observations: when unexpected results are noted, observations are made
• Recommendations: auditors recommend opportunities to improve the controls
• Management action plans: the company develops plans, schedules, and priorities to implement solutions
• A final report is sent to the Board of Directors
Follow-Up
• Follow-up actions are based on the company's "Management Action Plan"
• Progress is monitored
• Some re-testing may be necessary
• The Board of Directors is updated
• The audit is closed
Common Audit Observations
• Weak security settings: Windows operating system
• Missing security patches: operating systems, applications, databases
• Misconfigured anti-malware tools: out-of-date threat signatures, scans not scheduled
• Inadequate access controls: weak passwords & file permissions
• Open communication ports: the hacker's point of entry
So What Should We Do?
• Harden security settings
• Keep everything patched
• Install and use anti-malware tools
• Enforce strong passwords
• Close or filter communication ports
• Test your systems
• Support your system administrator!