Auditing in CIS Environment
BIT 006
Standard 1210.A3
• Internal Auditors must have sufficient knowledge of key information
technology risks and controls and available technology-based audit
techniques to perform their assigned work. However, not all internal
auditors are expected to have the expertise of an internal auditor
whose primary responsibility is information technology auditing.
Standard 1220.A2
• In exercising due professional care internal auditors must consider the
use of technology-based audit and other data analysis techniques
Standard 2110.A2
• The internal audit activity must assess whether the information
technology governance of the organization supports the
organization’s strategies and objectives.
INFORMATION TECHNOLOGY
Security – The goal of systems security is to maintain the integrity of
information assets and processing, and to mitigate and remediate vulnerabilities.
A. Understanding of Physical/System Security
Manage IT security, as aligned with business requirements.
Implement an IT security plan that balances organizational
goals and risks and compliance requirements with the
organization’s IT infrastructure and security culture.
According to COBIT, ensuring systems security involves both creating
security policies and continuously monitoring and responding to
security threats.
Effective IT General Controls (ITGCs) are measured by the number of:
1. Incidents that damage the enterprise’s public reputation.
2. Systems that do not meet security criteria.
3. Violations in segregation of duties.
Classification of ITGCs
1. Physical security controls –
Physical access controls – locks, key cards, security computer checks,
motion sensors, cameras, biometric devices.
Environmental hazard controls – Data centers are located in an
inconspicuous location. Heating, venting and air conditioning are vital
because servers function better in cool, low-humidity rooms. Devices need
to be grounded. The air must be clean and free from smoke and particles.
Maintenance and housekeeping schedules should be set. Logs of hardware
cleaning and malfunctions should be kept.
Fire and flood protection – Media storage must be fire-rated and back-up
and disaster contingency measures must be in place. Fire alarms and
moisture detectors should be used.
Internal Audit Activity Techniques and Tools
to ensure a thorough assessment of security risks:
1. Analysis of reported incidents – Records can provide valuable information
about potential and actual losses.
2. Review of exposure statistics – Statistics from insurance carriers,
industry associations and regulatory agencies can provide guidance about
where to look for potential risk exposures.
3. Mapping key processes – Developing process maps and identifying
potential risk points provides helpful insights.
4. Periodic inspections – Health and safety inspections can surface
compliance lapses and also uncover opportunities to decrease risks.
5. Periodic process and product audits – Such internal audits can incorporate
specific questions to identify potential risks.
Hardware Controls are built-in controls designed to detect and report
hardware errors or failures.
1. Redundant character check – each transmitted data element receives an
additional bit (character) of data mathematically related to the data.
Abnormal changes will void the mathematical relationship.
2. Equipment check – These are circuitry controls that detect hardware
errors.
3. Duplicate process check – A process is done twice and the results compared.
4. Echo check – Received data is returned to the sender for comparison.
5. Fault-tolerant components – Fault-tolerant components have
redundancies in hardware or software to allow continued operations if a
system fails.
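The redundant character check and the echo check above, simulated over a constructed message as an added example (not code from the lecture notes); all function names are my own, and the second fault shows why a single parity bit is not sufficient on its own.

```python
# Added example (not from the lecture notes): simulating two of the hardware
# controls listed above, the redundant character (parity bit) check and the
# echo check, over a constructed message. All function names are my own.

def even_parity(byte: int) -> int:
    """Extra bit chosen so that data bits plus parity bit hold an even count of 1s."""
    return bin(byte).count("1") % 2

def add_redundant_character(data: bytes) -> list[tuple[int, int]]:
    """Attach the mathematically related extra bit to each transmitted element."""
    return [(b, even_parity(b)) for b in data]

def parity_check(frame: list[tuple[int, int]]) -> list[int]:
    """Positions whose data no longer agrees with the parity bit sent with it."""
    return [i for i, (b, p) in enumerate(frame) if even_parity(b) != p]

def echo_check(sent: bytes, echoed: bytes) -> list[int]:
    """The receiver returns the data; the sender compares it byte by byte."""
    longest = max(len(sent), len(echoed))
    return [i for i in range(longest)
            if i >= len(sent) or i >= len(echoed) or sent[i] != echoed[i]]

def flip_bits(data: bytes, position: int, mask: int) -> bytes:
    """Constructed transmission fault: XOR one byte with a bit mask."""
    out = bytearray(data)
    out[position] ^= mask
    return bytes(out)

def demo() -> dict[str, list[int]]:
    message = b"PAYROLL BATCH 42"          # constructed sample data
    frame = add_redundant_character(message)
    # Fault 1: one bit flips in byte 3; the parity bit no longer matches.
    one_bit = flip_bits(message, 3, 0b01)
    frame_one = [(b, p) for b, (_, p) in zip(one_bit, frame)]
    # Fault 2: two bits flip in byte 3; the count of 1s keeps its parity,
    # so the redundant character check is silent. The echo check still
    # catches the change, which is why the controls are layered.
    two_bits = flip_bits(message, 3, 0b11)
    frame_two = [(b, p) for b, (_, p) in zip(two_bits, frame)]
    return {
        "parity_one_bit": parity_check(frame_one),
        "parity_two_bits": parity_check(frame_two),
        "echo_two_bits": echo_check(message, two_bits),
    }

if __name__ == "__main__":
    print(demo())
```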
System and data backup and recovery controls
Backup methodologies include the grandfather-father-son concept.
1. Off-site storage – Data should be backed up to an off-site storage facility
physically distant from the primary operations to keep area catastrophes
from affecting both sites.
2. Cloud backup – The use of this satisfies the physical distance and secret
location criteria because clouds are networks of distributed databases and
servers in which data is placed wherever there is available capacity rather
than in designated storage areas.
3. Electronic vaulting – involves electronically transmitting changes to data to
an off-site facility and then creating backup long-term storage, eliminating
physical transportation.
Backup data controls
Backup systems need to have a methodology for labeling and
storing backup and application library items if they are in physical form
such as tape, CD or disk. The labels should be internal (digital) and
external (physical) and use a logical file-naming convention to prevent
files from being deleted accidentally.
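The grandfather-father-son rotation and the labeling convention described above, worked through as an added example that is not part of the lecture notes; the rotation depths (7 sons, 4 fathers, 12 grandfathers), the label format and the system name "PAYROLL" are my own assumptions.

```python
from datetime import date, timedelta
import calendar

# Rotation depth per generation: my assumption, not prescribed by the notes.
LIMITS = {"SON": 7, "FATHER": 4, "GRANDFATHER": 12}

def generation(day: date) -> str:
    """Month-end backup is a grandfather, Friday backup a father, any other day a son."""
    if day.day == calendar.monthrange(day.year, day.month)[1]:
        return "GRANDFATHER"
    if day.weekday() == 4:  # Friday
        return "FATHER"
    return "SON"

def label(day: date, system: str) -> str:
    """Label used both internally (file name) and externally (media sticker).
    Generation first and ISO date last, so a sorted listing never places a
    grandfather next to a son that is about to be recycled."""
    return f"{generation(day)}-{system}-{day.isoformat()}"

def retention_plan(backups: list[date], system: str = "PAYROLL") -> tuple[list[str], list[str]]:
    """Split backups into those that must be kept and those that may be recycled."""
    by_gen: dict[str, list[date]] = {g: [] for g in LIMITS}
    for day in sorted(backups):
        by_gen[generation(day)].append(day)
    keep, recycle = [], []
    for gen, limit in LIMITS.items():
        keep += [label(d, system) for d in by_gen[gen][-limit:]]
        recycle += [label(d, system) for d in by_gen[gen][:-limit]]
    return keep, recycle

def sample_backups() -> list[date]:
    """Constructed input: one daily backup from 2024-01-01 to 2024-03-31."""
    return [date(2024, 1, 1) + timedelta(days=i) for i in range(91)]

if __name__ == "__main__":
    keep, recycle = retention_plan(sample_backups())
    print(f"keep {len(keep)}, recycle {len(recycle)}")
    print("\n".join(keep))
```

Anything in the recycle list may be overwritten; anything in the keep list must stay under the label shown.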
IT Operational Controls – include planning controls; policies and standards;
procedures; data and program security; insurance and continuity planning; and
controls over external providers. These involve:
1. Ensuring that audit trails exist.
2. Reviewing exception reporting and transaction logs.
3. Minimizing the number of users with administrative privileges.
4. Using software tools and direct observation by supervisors to monitor the
activities of users with administrative privileges.
5. Obligating systems controllers and other persons in sensitive positions to take
vacations or rotate jobs.
6. Separating testing environments and production environments by formal data
migration processes.
7. Ensuring that employees with physical custody of assets do not have access
to the related computer records.
B. Concepts and Threats of Information Protection
Information reliability and integrity includes accuracy, completeness and
security.
The Three Universally Accepted Elements of Information Security:
1. Confidentiality
2. Integrity
3. Availability
The Internal Audit Activity should ensure that:
1. Management recognizes its responsibility for information protection.
2. The information security function cannot be breached.
3. Management is aware of any faulty security provisions.
4. Corrective measures are taken to resolve any/all information security problems.
5. Preventive, detective and corrective measures are in place to ensure
information security.
To improve the management of vulnerabilities, recommend:
1. Enlisting senior management support consistent with
the enterprise’s risk appetite.
2. Inventorying all assets and their associated vulnerabilities.
3. Prioritizing mitigation/remediation steps according to risk.
4. Remediating vulnerabilities by presenting planned work projects to
IT management.
5. Continually updating asset discovery and vulnerability discovery tools as
much as possible.
Privacy
IT can make invasions of privacy easy and inexpensive. Privacy
is an issue for corporate data, employees and customers. Corporate
data must be safeguarded for a business to stay viable.
Employees and their employers are in conflict on privacy, because
organizations want to protect both their interests and guard against
improper activity, while the employees want to feel that they have a
measure of privacy at work.
Auditors and Privacy
The primary role of auditors in privacy is to ensure that relevant
privacy laws and other regulations are communicated to the
responsible parties. Personnel must be told what is expected of them
and what the individual and organizational penalties are for non-compliance.
Implement identity management processes to ensure that all users are identified and
have appropriate access rights.
C. Application Authentication – is a form of security in which a software
application is able to prevent unauthorized access to itself.
One form of which, possible in Microsoft Windows, for example, is
the creation of accounts for authorized users with required
identification. Application authentication depends on implementing
logical access controls.
Logical access controls – are the ways that computer program logic can identify
authorized users. Identity and Access Management (IAM) is a process used
to identify authorized users. It poses three fundamental questions whose answers
should inform access decisions and management.
Identity and Access Management (IAM)
1. Who has access to what information?
2. Is the access appropriate for the job being performed?
3. Are the access and activity monitored, logged and reported
appropriately?
The primary logical access control is password authentication.
AUTHENTICATION TECHNIQUES
1. Digitally enforcing the use of alphanumeric passwords.
2. Enforced password changes.
3. Password management – deleting unused passwords and user accounts
(provisioning) or detecting user accounts that have no password or use a
default password.
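An auditor's review of a constructed account export against the password-management points above (enforced password changes, unused accounts, and accounts with no password or a default password), added here as an example that is not part of the lecture notes; the field layout, the 90-day thresholds, the default-password list and the use of bare SHA-256 (real systems store salted hashes) are my own assumptions.

```python
import hashlib
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # assumed policy: enforced password changes
INACTIVE_DAYS = 90           # assumed policy: unused accounts to be removed
AS_OF = date(2024, 4, 30)    # constructed audit date

# Constructed list of vendor/default passwords to test against the export.
KNOWN_DEFAULTS = {"changeme", "password", "admin"}
DEFAULT_HASHES = {hashlib.sha256(p.encode()).hexdigest(): p for p in KNOWN_DEFAULTS}

def h(password: str) -> str:
    """Constructed export stores an unsalted SHA-256; real systems use salted hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample export: (user, password hash or "" if none, date set, last login)
ACCOUNTS = [
    ("jsmith",          h("Tr0ub4dor&3"), date(2024, 3, 1),   date(2024, 4, 20)),
    ("svc_backup",      h("changeme"),    date(2022, 1, 1),   date(2024, 4, 21)),
    ("temp_contractor", "",               date(2023, 6, 15),  date(2023, 6, 30)),
    ("old_admin",       h("Xk9#mQ2v"),    date(2023, 11, 1),  date(2023, 12, 1)),
]

def audit_accounts(accounts, as_of: date) -> dict[str, list[str]]:
    """Return the accounts that fail each password-management check."""
    findings = {"no_password": [], "default_password": [],
                "password_expired": [], "inactive_account": []}
    for user, pw_hash, pw_set, last_login in accounts:
        if not pw_hash:
            findings["no_password"].append(user)
        elif pw_hash in DEFAULT_HASHES:
            findings["default_password"].append(user)
        if (as_of - pw_set).days > MAX_PASSWORD_AGE_DAYS:
            findings["password_expired"].append(user)
        if (as_of - last_login).days > INACTIVE_DAYS:
            findings["inactive_account"].append(user)
    return findings

if __name__ == "__main__":
    for check, users in audit_accounts(ACCOUNTS, AS_OF).items():
        print(f"{check}: {', '.join(users) or 'none'}")
```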
Other logical controls
1. Automatic log-off procedures
2. Monitoring and controlling access to computers with remote control privileges
(help-desk)
3. Access logs (application and Internet logs)
4. Single-use access codes or codes with defined start and end dates for
contractors
To improve Identity and Access Management, recommend:
1. End-user security training – this can make a huge difference to
application authentication security.
2. Password and log-on methodology that teaches users to avoid common mistakes.
3. User training to avoid storing passwords near the computer or using easily
deduced passwords.
4. Access rights or privileges only to areas where there is a genuine business need.
5. Access rights based on a role name set in a hierarchy.
D. Understanding of Encryption
Encryption uses a mathematical algorithm to scramble data so that it cannot
be unscrambled without a numeric key code. This is used in stored and physically
transmitted data (e.g. flash drive) and electronically transmitted data. Server
access control is the use of internally encrypted passwords to keep technical
persons from browsing password files. Wireless data can also be encrypted to
prevent compromise if it is intercepted.
AUDITING ISSUES IN THE EVALUATION OF ENCRYPTION
1. Evaluating physical controls over computers that hold password keys.
2. Testing policies to see if they are being followed.
3. Implementing and monitoring logical controls.
4. Each security domain should be able to share its local identity and security data
without compromising its internal directories.
5. The relative security of a key is determined by the bit length of the key.
6. When passwords are used to create keys, effective password creation rules
must be applied.
Application Development
• End-User Computing
• Understanding of Change Control
• Systems Development Methodology
• Understanding of Application Development
• Various Levels of Application Controls
• Understanding of Information System Development