IS Security Audit
Topics
Defining IT Audit
Risk Analysis
Internal Controls
Steps of an IT Audit
Preparing to be Audited
Auditing IT Applications
Who is an auditor
Audit Charter
Audit charter (or engagement letter)
Stating management's responsibility and objectives for, and delegation of authority to, the IT audit function
Outlining the overall authority, scope and responsibilities of the audit function
Scope of IT Audit
The scope of an IT audit often varies, but can involve any combination of the following:
Organizational: examines the management control over IT and related programs, policies, and processes
Compliance: pertains to ensuring that specific guidelines, laws, or requirements have been met
Application: involves the applications that are strategic to the organization, for example those typically used by finance and operations
Technical: examines the IT infrastructure and data communications
Questions to be asked
Risk Analysis
Where is the risk?
How significant is the risk?
Internal Controls
Policies, procedures, practices and organizational structures implemented to reduce risks
Classification of internal controls
Preventive controls
Detective controls
Corrective controls
Internal Controls (continued)
Steps of An IT Audit
1. Planning Phase
2. Testing Phase
3. Reporting Phase
Planning Phase
Defining the Scope of Your Audit
Security Perimeter
The security perimeter is both a conceptual and physical boundary within which your security audit focuses, and outside of which your audit does not look.
Entry Meeting
Define Scope
Learn Controls
Historical Incidents
Past Audits
Site Survey
Review Current Policies
Questionnaires
Define Objectives
Develop Audit Plan / Checklist
Testing Phase
Meet With Site Managers
What data will be collected
How/when will it be collected
Site employee involvement
Get questions answered
Types of Data
Physical security
Interview staff
Vulnerability assessments
Access Control assessments
Computer and network passwords. Is there a log of all people with passwords (and what type)? How secure is this ACL, and how strong are the passwords currently in use?
Physical assets. Can computers or laptops be picked up and removed from the premises by visitors or even employees?
Records of physical assets. Do they exist? Are they backed up?
Data backups. What backups of virtual assets exist, how are they backed up, where are the backups kept (onsite and/or offsite), and who conducts the backups?
Logging of data access. Each time someone accesses some data, is this logged, along with who, what, when, where, etc.?
Access to sensitive customer data, e.g., credit card info. Who has access? How can access be controlled? Can this information be accessed from outside the company premises?
Access to client lists. Does the website allow backdoor access into the client database? Can it be hacked?
Long-distance calling. Are long-distance calls restricted, or is it a free-for-all? Should it be restricted?
Emails. Are spam filters in place? Do employees need to be educated on how to spot potential spam and phishing emails? Is there a company policy that outgoing emails to clients not have certain types of hyperlinks in them?
Past Due Diligence & Predicting the Future: checking past security threat trends and predicting future ones
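Two of the access-control questions above (is each data access logged with who, what, when and where; is the inventory of accounts with passwords complete and free of shared or stale entries) can be checked mechanically once the evidence has been collected. The script below is an added example written for these notes, not material from the original slides or from the cited references. It runs over constructed sample records; the field names, the record layout and the 90-day password-age threshold are assumptions made for the example, and a real engagement would substitute the exported logs and account inventory of the audited site.

```python
"""Added example: mechanical checks for two access-control assessment items.

All data below is constructed for illustration; record layouts and the
90-day password-age threshold are assumptions, not a standard."""
from datetime import datetime, timedelta

# Constructed sample: data-access log records as an application might export them.
ACCESS_LOG = [
    {"who": "alice", "what": "customer_cards", "when": "2024-03-01T09:12:00",
     "where": "10.0.4.17"},
    {"who": "bob", "what": "client_list", "when": "2024-03-01T09:40:00",
     "where": ""},                                   # source location not recorded
    {"who": "", "what": "customer_cards", "when": "2024-03-01T10:05:00",
     "where": "10.0.4.22"},                          # actor not recorded
    {"who": "svc_report", "what": "payroll", "when": "2024-03-02T02:00:00"},
                                                     # "where" field absent entirely
]

# Constructed sample: account inventory (who holds a password, of what type,
# who is accountable for it, and when the password was last changed).
ACCOUNTS = [
    {"name": "alice", "type": "user", "owner": "alice", "last_change": "2024-02-20"},
    {"name": "bob", "type": "user", "owner": "bob", "last_change": "2023-06-01"},
    {"name": "shared_ops", "type": "shared", "owner": "", "last_change": "2022-11-15"},
    {"name": "svc_report", "type": "service", "owner": "it-ops", "last_change": "2024-01-10"},
]

# The four questions every access record has to answer (from the checklist).
REQUIRED_LOG_FIELDS = ("who", "what", "when", "where")


def audit_access_log(records):
    """One finding per record that fails to answer who/what/when/where.
    An empty string and an absent key are both treated as 'not logged'."""
    findings = []
    for i, rec in enumerate(records):
        missing = [f for f in REQUIRED_LOG_FIELDS if not rec.get(f)]
        if missing:
            findings.append({"record": i, "missing": missing})
    return findings


def audit_accounts(accounts, as_of, max_age_days=90):
    """Findings for the account inventory:
    'shared'   - no single accountable person behind the password
    'no_owner' - nobody on record as responsible for the account
    'stale'    - password older than max_age_days as of the audit date"""
    findings = []
    for acct in accounts:
        issues = []
        if acct["type"] == "shared":
            issues.append("shared")
        if not acct["owner"]:
            issues.append("no_owner")
        age = as_of - datetime.strptime(acct["last_change"], "%Y-%m-%d")
        if age > timedelta(days=max_age_days):
            issues.append("stale")
        if issues:
            findings.append({"account": acct["name"], "issues": issues})
    return findings


def rate(findings, total):
    """Coarse rating of the kind an audit report table carries (assumed scale)."""
    if total == 0 or not findings:
        return "Pass"
    return "Fail" if len(findings) / total > 0.5 else "Needs attention"


def run_audit(as_of=datetime(2024, 3, 3)):
    """Run both checks and return findings plus a rating per control area."""
    log_findings = audit_access_log(ACCESS_LOG)
    acct_findings = audit_accounts(ACCOUNTS, as_of)
    return {
        "access_log": {"findings": log_findings,
                       "rating": rate(log_findings, len(ACCESS_LOG))},
        "accounts": {"findings": acct_findings,
                     "rating": rate(acct_findings, len(ACCOUNTS))},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(), indent=2))
```

On the sample data the access-log check fails three of four records (two missing the source location, one missing the actor), which is the kind of gap that makes "who accessed what" unanswerable after an incident; the account check flags one stale user password and one shared account with no owner and a stale password, the situation the "is there a log of all people with passwords" question is meant to surface.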
Reporting Phase
Exit Meeting - Short Report
Immediate problems
Questions & answer for site managers
Preliminary findings
IS auditors should be aware that, ultimately, they are responsible to senior management and the audit committee of the board of directors. IS auditors should feel free to communicate issues or concerns to such management.
Table format
Historical data (if available)
Ratings
Fixes
Page number where the in-depth description is found
Glossary of terms
References
Audit Documentation
Audit documentation includes:
Planning and preparation of the audit scope and objectives
Description on the scoped audit area
Audit program
Audit steps performed and evidence gathered
Other experts used
Audit findings, conclusions and recommendations
Implementation of Recommendations
Preparing To Be Audited
Application Audit
An assessment whose scope focuses on a narrow but business-critical process or application
Excel spreadsheet with embedded macros used to analyze data
Payroll process that may span across several different servers, databases, operating systems, applications, etc.
The level of controls is dependent on the degree of risk involved in the incorrect or unauthorized processing of data
1. Administration
2. Inputs, Processing, Outputs
3. Logical Security
4. Disaster Recovery Plan
5. Change Management
6. User Support
7. Third Party Services
8. General Controls
Who is an IT Auditor
Accountant raised to a CS major, or a CPA with CISA, CISM, networking, hardware, software, information assurance and cryptography knowledge
Someone who knows everything an accountant does plus everything a BS/MS graduate knows about CS and computer security - not likely to exist
CISA? CISM?
CISA - Certified Information Systems Auditor
CISM - Certified Information Systems Manager - new
www.isaca.org (Information Systems Audit and Control Organization)
Teaching financial auditors to talk to CS people
CISA
Minimum of 5 years of IT auditing, control or security work experience
Code of professional ethics
Adhering to IT auditing standards
Exam topics:
1. Management, Planning, and Organization of IS
2. Technical Infrastructure and Operational Practices
3. Protection of Information Assets
CISA (cont.)
Exam topics: (cont.)
4. Disaster Recovery and Business Continuity
5. Business Application System Development, Acquisition, Implementation, and Maintenance
6. Business Process Evaluation and Risk Management
7. The IT Audit Process
CISM
Next step above CISA
Exam topics:
1.
2.
3.
4.
5.
References
www.isaca.org
An Auditor's Checklist for Performing a Perimeter Audit on an IBM iSeries (AS/400) System - Craig Reise
Conducting a Security Audit: An Introductory Overview - Bill Hayes
The Application Audit Process - A Guide for Information Security Professionals - Robert Hein