IT Security E&A-Lecture 1 - Students - Ver

Uploaded by

Najaf Ali Shah

IT Security EVALUATION and AUDITING Lecture 1

Dr. IMRAN MAKHDOOM

1
COURSE ENROLMENT CODE - LMS

Enrolment & fill in the details on the Excel sheet for clashes

2
COURSE INFORMATION
Credit hours - 3+0

Reference Book - CISA Certified Information Systems Auditor, Study Guide 4th Edition, David Cannon
- Auditing Cyber Security: Evaluating Risks and Auditing Controls, ISACA

3
ASSESSMENTS/GRADING
Mid term .................. 30% - 7th / 8th Week
Research Paper (ready for submission) ... 30% - 14th Week
Final ..................... 40% - 18th Week

4
COURSE OUTLINE
1. Introduction to IS auditing and secrets of a successful auditor
2. Governance and business process reengineering (BPR)
3. Audit Process
4. Networking Technology Basics
5. Information Systems Lifecycle
6. System Implementation and Operations
7. Protecting Information Assets
8. Business Continuity and Disaster Recovery
9. Guest Lecture

5
Introduction to IS Auditing and
Evaluation

6
BUSINESS/COMPANY STRUCTURE

7
RELIANCE ON IT/CYBER INFRASTRUCTURE
Chemical - e.g., agricultural chemicals, pharmaceuticals, consumer products
Dams - e.g., hydropower generation facilities, navigation locks, levees, hurricane barriers
Financial Services - e.g., federally insured depository institutions, investment products
Information Technology - e.g., hardware, software, IT systems and services

Commercial Facilities - e.g., public assembly, sports leagues, gaming, lodging, outdoor events
Defense Industrial Base - e.g., research and design, production, delivery and maintenance of military
Food & Agriculture - e.g., farms, restaurants, food manufacturing, processing
Nuclear Reactors, Materials & Waste - e.g., power plants, non-power nuclear reactors for research

Communications - e.g., internet, terrestrial, satellite and wireless transmission systems
Emergency Services - e.g., law enforcement, fire and emergency services, emergency management
Government Facilities - e.g., government owned or leased buildings, education facilities, national monuments
Transportation Systems - e.g., aviation, highways, maritime, mass transit, pipeline, freight rail, shipping

Critical Manufacturing - e.g., primary metal manufacturing, machinery, electrical equipment, appliance and component
Energy - e.g., electricity, petroleum, natural gas, power plants, coal, oil, solar, wind, geothermal, hydroelectric plants, renewable sources
Healthcare & Public Health - e.g., infectious disease outbreaks, terrorism, natural disasters
Water & Wastewater Systems - e.g., public drinking water systems, treatment systems

8
INFORMATION SECURITY THREATS

• Act of Human Error or Failure (accidents, mistakes)
• Compromises to Intellectual Property (piracy, copyright infringement)
• Acts of Espionage or Trespass (unauthorized access and/or data collection)
• Acts of Information Extortion (blackmail of information disclosure)
• Software Attacks (viruses, worms, macros, denial of service (DoS))

9
INFORMATION SECURITY THREATS
Contd..
• Forces of Nature (fire, flood, earthquake, lightning)
• Quality of Service Deviations from Service Providers (power & WAN service issues)
• Technical Hardware Failures or Errors (equipment failure)
• Technical Software Failures or Errors (bugs, code problems, unknown loopholes)
• Technological Issues (antiquated or outdated technologies)

10
INFORMATION SECURITY
THREATS
Contd..

11
INFORMATION/CYBER SECURITY STANDARDS
 ISO/IEC 27001 (Information security framework) and 27002
 COBIT: Framework for IT Governance and Control
 NIST Cybersecurity Framework (NIST CSF)
◦ Special Publication 800-12, computer security and control areas
◦ Special Publication 800-14, common security principles
◦ Special Publication 800-26, how to manage IT security
◦ Special Publication 800-37, "Guide for Applying the Risk Management Framework to Federal Information Systems"
◦ Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations"
◦ Special Publication 800-82, "Guide to Industrial Control Systems (ICS) Security"

12
SECURITY MEASURES TAKEN

13
Check Compliance

14
QUESTIONS/CONCERNS ?
 How effective is the organization's information security program?
 Measuring efficiency of operations -- for example, how many viruses were detected vs. how many were cleaned
 Evaluating compliance to security policy or standards. For example, antivirus standards state that all desktop antivirus .DAT files should be current
 By looking at antivirus logs, security administrators can determine who has and who hasn't downloaded the latest .DAT file

15
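The .DAT check just described, worked as an added example (not code from the lecture): a Python script that parses constructed antivirus update log lines, keeps the newest signature version each host reported, and classifies every inventoried endpoint as compliant, outdated, or lacking any evidence at all. The log format, version numbers, host names and the seven-day freshness window are assumptions made for illustration.

```python
"""Compliance check over antivirus signature (.DAT) update logs.

Added example; it is not part of the lecture slides. The log format
(timestamp, hostname, event name, version) is an assumption made for
illustration, and the sample lines below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log: one line per endpoint event.
SAMPLE_LOG = """\
2024-03-01 08:02:11 ws-finance-01 DAT_UPDATE version=10532
2024-03-01 08:05:43 ws-finance-02 DAT_UPDATE version=10532
2024-02-20 17:40:02 ws-hr-07 DAT_UPDATE version=10498
2024-03-01 09:12:55 srv-file-01 DAT_UPDATE version=10532
2024-03-01 09:13:01 srv-file-01 SCAN_COMPLETE threats=0
2024-01-15 10:00:00 ws-lab-03 DAT_UPDATE version=10410
"""

# Assumed asset inventory; ws-sales-04 never reports, which is itself a finding.
INVENTORY = {"ws-finance-01", "ws-finance-02", "ws-hr-07",
             "srv-file-01", "ws-lab-03", "ws-sales-04"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"DAT_UPDATE version=(?P<ver>\d+)$"
)


def latest_dat_per_host(log_text):
    """Return {host: (timestamp, version)} for each host's newest DAT update."""
    latest = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other event types do not tell us the signature version
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        host, ver = m.group("host"), int(m.group("ver"))
        if host not in latest or ts > latest[host][0]:
            latest[host] = (ts, ver)
    return latest


def dat_compliance(log_text, inventory, required_version, now, max_age_days=7):
    """Classify every inventoried host as compliant, outdated or no_evidence.

    Compliant means the newest update is at least required_version and no
    older than max_age_days. A host with no update event at all cannot be
    assumed compliant; absence of evidence is reported separately.
    """
    latest = latest_dat_per_host(log_text)
    report = {"compliant": [], "outdated": [], "no_evidence": []}
    for host in sorted(inventory):
        if host not in latest:
            report["no_evidence"].append(host)
            continue
        ts, ver = latest[host]
        fresh = now - ts <= timedelta(days=max_age_days)
        if ver >= required_version and fresh:
            report["compliant"].append(host)
        else:
            report["outdated"].append(host)
    return report


def example_report():
    """Run the check against the constructed log as of 2 March 2024."""
    return dat_compliance(SAMPLE_LOG, INVENTORY, 10532, datetime(2024, 3, 2, 9, 0))


if __name__ == "__main__":
    for status, hosts in example_report().items():
        print(f"{status:12s} {', '.join(hosts) or '-'}")
```

The third bucket matters for the audit: a host that never reported is not "clean", it is unmeasured, and the auditor records it as a gap in coverage rather than folding it into either of the other two.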
QUESTIONS/CONCERNS ?
Contd..

 The ability to determine which assets are most mission-critical
 The foundation for a comprehensive incident response plan

16
AUDITING &
EVALUATION ?
 Auditing
• An Audit is the evaluation of a person,
organization, project, or product primarily for
the purpose of determining its validity and
authenticity, or to verify adherence to a set of
pre-defined processes
• It helps an organization accomplish its
objectives by improving the effectiveness of
risk management, control, and governance
processes

17
AUDITING &
EVALUATION ?
Contd..

 Evaluation
• On the other hand, an evaluation is the
determination of merit using a set of standards
or product specifications
• It determines the extent to which a program or
project has achieved expected results. Evaluation
informs decision making, improvements, and
innovation

18
INFORMATION SECURITY AUDIT

 An information security audit is an audit on the level of information security in an organization
 Within the broad scope of auditing information security there are multiple types of audits with multiple objectives for different audits
 Most commonly the controls being audited can be categorized as technical, physical and administrative

19
INFORMATION SECURITY AUDIT
Contd..

 Auditing information security covers topics from auditing the physical security of data centres to auditing the logical security of databases and highlighting key components to look for and different methods for auditing these areas
 Security audits are often used to determine regulatory compliance, in the wake of legislation (such as HIPAA, GDPR, 27001 etc) that specify how organizations must deal with information

20
CYBERSECURITY AUDIT VS.
CYBERSECURITY ASSESSMENT
 The purpose of a cybersecurity audit is to act as a
‘checklist’ that validates that what you’ve said in a
policy is actually happening and that there’s a control
mechanism in place to enforce it. (E.g., MCS)
 While a cybersecurity audit is used to find the presence
of controls, auditors rarely test the effectiveness of
those controls. And the fact that a control exists does
not necessarily mean that it is effective in mitigating
cyber risk

21
CYBERSECURITY AUDIT VS.
CYBERSECURITY ASSESSMENTContd..
 E.g., cybersecurity auditors might check a box that says
you have a firewall in place to reduce the number of
websites employees can visit while using company
equipment. But if that firewall isn’t properly configured,
then the firewall might be useless. So just because
you have a control in place, does not mean that the
control is an effective one
 It is for this reason that cybersecurity assessments are
often conducted

22
PENETRATION TESTING?

"Penetration Test" vs "Computer Security Audit"

 Not the same thing
 A penetration test (also known as a pen-test) is a very narrowly focused attempt to look for security holes in a critical resource, such as a firewall or Web server
 Penetration testers may only be looking at one service on a network resource
 They usually operate from outside the firewall with minimal inside information in order to more realistically simulate the means by which a hacker would attack the site

23
MANUAL VS AUTOMATED AUDITING
 A computer security audit is a manual or systematic measurable technical assessment of a system or application
 Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems
 Automated assessments, or CAATs (computer-aided audit tools), include system generated audit reports or using software to monitor and report changes to files and settings on a system (e.g., finding vulnerabilities in the OS or firmware)
 Systems can include personal computers, servers, mainframes, network routers, or switches
24
WHY AUDITING ?

 Audit services are designed to help an organization meet its objectives
 One of the key roles is to monitor risks and ensure that the controls in place are adequate to mitigate those risks
 It helps in deploying and monitoring government regulation or business policies within your organization

25
WHAT NEEDS TO BE AUDITED
?
 Networks
 Desktops
 Servers
 Mobile Devices and Media
 Data Centres/Facilities
 Business and Technical Processes
 Application Controls
 Policy and Procedure Compliance
 What else ?

26
INFORMATION SECURITY AUDIT PHASES

Initiation & Planning
• Risk Assessment
• Research
• Preliminary Review
• Audit Objectives
• Formal Agreement
• Entrance Conference

Fieldwork
• Interview
• Inspection
• Observation
• Re-performance
• Testing

Analysis
• Confirmation
• Verification
• Reconciliation
• Exit Conference

Reporting
• Findings
• Recommendations
• Client Responses
• Draft Reports
• Final Report
• Schedule Client Corrective Action Report
• Plan for Follow-up Engagement

Follow-up
• Confirm Corrective Action In
• Address Challenges
• Repeat Phases (as necessary)

27
COMMON FINDINGS
• Unattended Workstations
• Password Sharing
• Weak Passwords
• Data Classification
• Confidentiality
• Lack of Policies and Procedures
• Account Management Issues

28
CONDUCTING AN AUDIT
 This is not just a conference room activity
 It involves everyone who uses any computer resource throughout the organization
 Computer security auditors perform their work through personal interviews, vulnerability scans, examination of operating system settings, analysis of network shares, and historical data
 They are concerned primarily with how security policies - the foundation of any effective organizational security strategy - are actually used
29
CONDUCTING AN AUDIT
There are a number of key questions that security audits
should attempt to answer:
 Are passwords difficult to crack?
 Are there access control lists (ACLs) in place on network
devices to control who has access to shared data?
 Are there audit logs to record who accesses data?
 Are the audit logs reviewed?
 Are the security settings for operating systems in accordance
with accepted industry security practices?
 Have all unnecessary applications and computer services
been eliminated for each system?

30
CONDUCTING AN AUDIT
Contd..
 Are the operating systems and commercial applications
patched to current levels?
 How is backup media stored? Who has access to it? Is it
up-to-date?
 Is there a disaster recovery plan? Have the participants
and stakeholders ever rehearsed the disaster recovery
plan?
 Are there adequate cryptographic tools in place to govern
data encryption, and have these tools been properly
configured?

31
CONDUCTING AN AUDIT
Contd..
 Have custom-built applications been written with security
in mind?
 How have these custom applications been tested for
security flaws?
 How are configuration and code changes documented at
every level?
 How are these records reviewed and who conducts the
review?

32
How to Conduct Audit ?
Any Guidelines / Baselines ?

ISO/IEC 27007 - guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors

33
CYBERSECURITY CONTROL
SPECIFICATIONS
 Each organization should design controls specific to the risk
posture of the organization and ensure that processes and
people are in place to continuously manage the controls
 Control issues typically are not due to the failure of the
technology, but more often are the result of individuals not
executing the process or using a process that is poorly defined
 Control investments are made across the organization through
technical, administrative and operational investments in
people, process, technology and growing a security-oriented
culture

34
CYBERSECURITY CONTROL
SPECIFICATIONS Contd..

Types of Control Investments

 Awareness investment
 Policy investment
 Intrusion detection systems
 Event logging
 Incident response
 Vulnerability scanning
 Information asset classification
 Forward intelligence
 Architecture and technology hardening
 Systems hardening

35
IMPLEMENTING
CONTROLS
 Every organization (large or small, established or a startup) often
implements controls
 The difference is in their level of maturity
 Organizations may implement controls but may not have
thoughtfully planned the implementation
 E.g., they may have implemented a firewall, antivirus software,
user education about password construction and backups
 Each of these controls serves a purpose to protect information
assets

36
IMPLEMENTING
CONTROLS
Contd..
 However, a low-maturity organization may not have placed
adequate attention in ensuring that the firewall rules are
updated regularly, antivirus software may be installed on all
workstations and contain the latest signatures, or end users who
are on leave may miss the security awareness training
 Therefore, even though controls may appear to be in place, the
organization must regularly engage in independent audits to
ensure these processes are well designed and executed properly

37
MULTIPLE LINES OF DEFENSE
& REVIEW PROCESS
 The audit and review mechanism is spread across three lines of
defense, each of which contributes to the overall assurance of
the cyber security program
• Management
• Risk Management
• Internal Audit

38
MULTIPLE LINES OF DEFENSE
& REVIEW PROCESS

Management owns the risk

Perform qualitative risk assessment to provide an adequate measure of risk

Why not quantitative ?

Controls are present

These activities are part of business processes designed to identify control weaknesses or deficiencies in the design or the execution of the control
40
MULTIPLE LINES OF DEFENSE
& REVIEW PROCESS

Why not
quantitative ?
• It is more costly
than qualitative
• Management can
easily understand
high/medium/low
or
red/yellow/green
charts

41
CYBERSECURITY RISK
ASSESSMENT
 Risk assessment depends upon the degree of (low, moderate or
high) CIA requirements of a system
 Subsequently, requisite controls are implemented to avoid,
mitigate, or accept the risk
 Example of tackling risks ? Avoid, mitigate, or accept
 Hence, first step is to scope the system based on CIA
requirements

42
CYBERSECURITY RISK
ASSESSMENT
Identify Threats Contd..

 What is a threat?
Dangers that have the potential to impact CIA if adequate
controls are not in place
 Types of Threats ?

43
CYBERSECURITY RISK
ASSESSMENT
Identify Threats Contd..
 Types of Threats ?
• Human threats (e.g., carelessness, human error, espionage,
sensitive data disclosure, social media exploits, sabotage,
fraud)
• Environmental threats (e.g., power/heating, ventilating, air
conditioning [HVAC] fluctuation, cable cuts, theft, sensitive
media disposal, server rooms, broken water pipes, fire)
• Technical threats (e.g., lack of logging, malicious code,
unauthorized access, session takeover, mobile media loss,
hardware/software failure, remote access)

44
CYBERSECURITY RISK
ASSESSMENT
Identify Threats Contd..
 Important Point
Each organization needs to evaluate the threats based upon the
industry in which it operates and the motives of the attacker
 E.g., Cyber Physical Systems (CPS) have different threats than
banks or Fintech industry

45
CYBERSECURITY RISK
ASSESSMENT
Vulnerability Identification
 Vulnerabilities are extremely critical to the risk evaluation
process
 Vulnerabilities provide the opportunity for an exploit to occur
 Logically, without a vulnerability there is no risk
 Most of the vulnerabilities in system software, procedures and
internal controls are the result of a control not being applied
 The question is, has the organization reviewed where the vulnerabilities are, so that it can honestly evaluate the risk? Are these vulnerabilities carried over from year to year without review and just accepted?

46
CYBERSECURITY RISK
ASSESSMENT
Existing Control Identification
 An attacker is less likely to succeed, even with motive (threat),
and opportunity (vulnerability), if the vulnerability is mitigated
through an existing primary or compensating control
 When designing and implementing a control, the goal should be
to ensure the CIA of the information resources
 To ensure control effectiveness and sustainability it must be part
of the overall governance process
 Control design, monitoring and testing is key to this process
including ownership

47
CYBERSECURITY RISK
ASSESSMENT
Existing Control Identification Contd..
 The control frameworks such as COBIT 5 for Security, ISO/IEC
27001/27002, NIST Cybersecurity Framework (and NIST SP 800-
53 controls mentioned previously) provide excellent controls to
choose from at the governance and detailed control levels

48
CYBERSECURITY RISK
ASSESSMENT
Determine Impact Severity
 This step assumes that the vulnerability has been exploited
 Now the organization can evaluate and respond to the harm that
has been done
 Finance can provide insight into the costs of a system outage
 Impacts may include intangibles e.g., unauthorized disclosure of
information, destruction of data, loss of systems, loss of
reputation, loss of market share and the value of the asset
compromised
 Sometimes the impact may not be readily known, such as in the
case of a stolen product list, marketing plans, business
intelligence, or private data

49
CYBERSECURITY RISK
ASSESSMENT
Determine Impact Severity Contd..
 An effective risk assessment will guide management in
determining the appropriate level of controls
 Management is responsible to implement preventive, detective
and corrective controls depending on multiple variables

50
CYBERSECURITY RISK
ASSESSMENT
Determine Risk Level
 Risk is typically determined by examining the likelihood of
occurrence and the impact, resulting in a risk level by accepting
the current state of threats, vulnerabilities and control
environment
 The organization has the opportunity to mitigate the risk through
the application of additional controls
 Once these controls are applied, the risk remaining is the residual
risk
 The organization should implement controls until the residual risk
is at an acceptable level and management is willing to formally
accept the risk

51
CYBERSECURITY RISK
ASSESSMENT
Determine Risk Level Contd..
 There is risk in everything and the “sweet spot” is finding a level
of risk that enables a benefit, commensurate with the cost
 For example, implementing controls such as virtual private
networks (VPNs) and two-factor authentication mitigates the risk
of man-in-the-middle (MITM) or eavesdropping attacks (threat)
to an acceptable level for most organizations
 For a highly secret government entity, this control may not be
enough, and restrictions to private networks and increased
access authorization may be a required control based on the CIA
requirements of the information system and assets

52
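The scoping and risk-level steps above, worked end to end as an added example in Python (it is not from the lecture or the ISACA guide). It scopes a system by its CIA requirements, rates inherent risk from likelihood and impact on a 3x3 matrix, applies controls to obtain the residual risk, and keeps adding controls until the residual risk fits the stated appetite, using the VPN and two-factor authentication scenario from the slide. All scales, the per-control reductions, and the extra "private network only" control are assumptions.

```python
"""Qualitative risk scoring with residual risk, as an added example.

Not from the lecture or the ISACA guide. The scales are assumptions made
for illustration: CIA requirements are low/moderate/high and the system is
scoped by the highest of the three (the high-water-mark rule of FIPS 199),
likelihood and impact are rated 1 to 3, and their product is mapped onto
the low/medium/high (green/yellow/red) chart that management reads.
"""

CIA_LEVELS = {"low": 1, "moderate": 2, "high": 3}
CIA_NAMES = {v: k for k, v in CIA_LEVELS.items()}
APPETITE_RANK = {"low": 0, "medium": 1, "high": 2}


def system_category(confidentiality, integrity, availability):
    """Step 1: scope the system by its CIA requirements (highest wins)."""
    return CIA_NAMES[max(CIA_LEVELS[confidentiality],
                         CIA_LEVELS[integrity],
                         CIA_LEVELS[availability])]


def risk_level(likelihood, impact):
    """Map likelihood (1-3) x impact (1-3) to the qualitative rating."""
    score = likelihood * impact
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def apply_controls(likelihood, impact, controls):
    """Residual risk after each control lowers likelihood and/or impact.

    Each control is (name, likelihood_reduction, impact_reduction); ratings
    never drop below 1 because a threat facing a vulnerability is never
    eliminated outright, only made less likely or less damaging.
    """
    for _name, d_like, d_imp in controls:
        likelihood = max(1, likelihood - d_like)
        impact = max(1, impact - d_imp)
    return likelihood, impact, risk_level(likelihood, impact)


def controls_to_reach_appetite(likelihood, impact, candidates, appetite):
    """Apply candidate controls in order until residual risk fits the appetite.

    Returns (names applied, residual level, within_appetite). When every
    candidate is used and the risk is still above appetite, the remainder
    must be formally accepted by senior management or transferred; it must
    not be silently tolerated.
    """
    applied = []
    level = risk_level(likelihood, impact)
    for control in candidates:
        if APPETITE_RANK[level] <= APPETITE_RANK[appetite]:
            break
        applied.append(control[0])
        likelihood, impact, level = apply_controls(likelihood, impact, [control])
    within = APPETITE_RANK[level] <= APPETITE_RANK[appetite]
    return applied, level, within


# Constructed scenario mirroring the slide: a MITM/eavesdropping threat against
# a system whose confidentiality requirement is high. Reductions are assumed.
MITM_CANDIDATES = [
    ("VPN", 1, 0),                        # encrypted transport: interception less likely
    ("Two-factor authentication", 1, 0),  # a captured password alone no longer suffices
    ("Private network only", 0, 1),       # stricter option a secret entity might add
]

if __name__ == "__main__":
    print("category:", system_category("high", "moderate", "low"))
    print("inherent:", risk_level(3, 3))
    print("typical org:", controls_to_reach_appetite(3, 3, MITM_CANDIDATES, "medium"))
    print("secret entity:", controls_to_reach_appetite(3, 3, MITM_CANDIDATES, "low"))
```

Running it reproduces the slide's point: with a medium appetite the VPN and two-factor controls are enough, while an entity with a low appetite needs the third control as well, and if that control were unavailable the function reports the residual risk as outside appetite so that it has to be accepted explicitly rather than assumed away.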
CYBERSECURITY RISK
ASSESSMENT
Develop a Cyber Security Risk Response
 When risk rises to the level where attention is needed
management must decide which approach to take
 The most obvious approach is to invest in people, technology or
processes to mitigate the risk
 However, this requires resources and money the organization
may not have
 The organization may also have uncovered many risk areas
through this process and needs to plan the mitigation on a
prioritized basis over several years as funds permit (most likely
case)
 Alternatively, there are other options for resolving the risk

53
CYBERSECURITY RISK
ASSESSMENT
Develop a Cyber Security Risk Response Contd..
 The risk could be assumed or accepted as is, if it fits within the
company’s risk appetite
 In other words, the company is willing to take the chance that
the event will not occur, possibly because the impact is low or
the probability of threat is insignificant
 For example, an organization may not invest in a new malware
endpoint protection product that targets ransomware because it
perceives the cost to be low (restore from backup tapes,
workstation is on a segmented network) or there are other threat
prevention mechanisms in place, such as end-user phishing
education awareness and email scanning

54
CYBERSECURITY RISK
ASSESSMENT
Develop a Cyber Security Risk Response Contd..
 In cases where the risk is accepted, an effective method is to have the risk accepted by someone at the senior management level, supported by a business justification and plans for future mitigation
 Cyber-insurance is another way to mitigate the risk through transference to another entity. While this will not mitigate the risk or transfer the ultimate accountability, it can reduce the financial impact of the event if it does occur
 Critical vulnerabilities must be addressed within 7, 30 or 90 days, depending upon the asset and the organization
 These instances need to be reviewed by the auditors to ensure that the vulnerabilities are being addressed within the time frames

55
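A time-frame check of the kind the auditors above would perform, as an added example (not part of the lecture): Python that maps an assumed asset tier to the 7, 30 or 90-day window, flags findings that were closed late or are still open past their deadline, and reports the worst overrun. The tiers, finding identifiers, asset names and dates are all constructed.

```python
"""Remediation time-frame check for vulnerability findings, as an added example.

Not from the lecture. The 7/30/90-day windows from the text are tied here to
an assumed asset tier (critical/high/standard); the findings are constructed.
"""
from datetime import date, timedelta

# Assumed mapping from asset tier to the remediation window, in days.
SLA_DAYS = {"critical": 7, "high": 30, "standard": 90}

# Constructed findings: (id, asset, tier, date found, date closed or None).
FINDINGS = [
    ("F-001", "pay-gw-01", "critical", date(2024, 1, 3), date(2024, 1, 8)),
    ("F-002", "pay-gw-02", "critical", date(2024, 1, 3), None),
    ("F-003", "intranet-01", "standard", date(2023, 10, 1), date(2024, 1, 20)),
    ("F-004", "hr-app-01", "high", date(2024, 1, 10), None),
]


def deadline(finding):
    """Date by which the finding had to be closed under its tier's window."""
    _fid, _asset, tier, found, _closed = finding
    return found + timedelta(days=SLA_DAYS[tier])


def sla_status(finding, as_of):
    """One of closed_in_time, closed_late, open_within_sla, open_overdue."""
    closed = finding[4]
    due = deadline(finding)
    if closed is not None:
        return "closed_in_time" if closed <= due else "closed_late"
    return "open_overdue" if as_of > due else "open_within_sla"


def days_overdue(finding, as_of):
    """Days past the deadline (0 when not overdue); closed findings use their close date."""
    end = finding[4] if finding[4] is not None else as_of
    return max(0, (end - deadline(finding)).days)


def audit_report(findings, as_of):
    """Per-finding status plus the two figures an auditor asks for first:
    which findings breached their window, and by how much at worst."""
    statuses = {f[0]: sla_status(f, as_of) for f in findings}
    exceptions = sorted(fid for fid, s in statuses.items()
                        if s in ("closed_late", "open_overdue"))
    return {"statuses": statuses,
            "exceptions": exceptions,
            "worst_days_overdue": max(days_overdue(f, as_of) for f in findings)}


def example_report():
    """Evaluate the constructed findings as of 1 February 2024."""
    return audit_report(FINDINGS, date(2024, 2, 1))


if __name__ == "__main__":
    for fid, status in example_report()["statuses"].items():
        print(fid, status)
```

Closed findings are judged against their close date and open ones against the review date, so a finding that was eventually fixed but outside its window still shows up as an exception; that is the evidence the auditor needs to say the time frames are not actually being met.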
CYBERSECURITY RISK
ASSESSMENT
Emerging Risks
 Mobile, cloud, social media networks (SMNs), IoT, smart vehicles,
digitized healthcare, digitized government systems (NADRA, FBR),
online banking systems
 Ransomware, targeted attacks, spear phishing, and increased
adversary capabilities cause us to re-evaluate the threat
environment and our defenses on a regular basis
 The risk assessment is not a once and done vehicle
 Cyber security incidents should be reviewed for new scenarios of
attack, and prevention, detection and response actions must be
identified and brought into the risk assessment

56
AUDITS
Internal Audit
 The internal audit department usually has a dotted-line
reporting relationship to the audit committee to ensure
that an independent view is being communicated to the
board level of the enterprise
 The internal audit function provides internal controls
testing, cyber security compliance, formal risk
acceptance, and support for investigations and forensics
 Cyber security audits should be planned on an annual
cycle, taking into account consideration of the business
cycles, to cause minimal disruption to business activities
and increase the chances of full participation of the
information technology (IT), legal, HR and business areas
necessary for the audit

57
AUDITS
Audit Scope
 Auditors may require additional information or access in
case of public clouds, BYOD, work from home

58
AUDITS
Audit Scope Contd..

 Vendors handling information - particularly information that has high sensitivity or where personal data are involved - should be required to demonstrate how they are protecting the information
 This could be accomplished through a right-to-audit clause included in the contract

59
AUDITS
Cyber Security Goals and Related Audit Objectives
 Audits can take many shapes and have different focuses
with respect to cyber security, overall governance or
technical testing
 Different aspects of the program should be tested over time
 For programs that may be in the initial states of maturity,
the focus may be centred on ensuring that the policies,
procedures, standards and guidelines are relevant,
approved by management, and frequently updated and
reviewed in response to business changes

60
AUDITS
Cyber Security Goals and Related Audit Objectives Contd..

 For more mature programs that have the basics in place, the audit may shift to examine how current and emerging risk is being identified and addressed
 With the attention shifting today, to detection and response, the organization may wish to audit to determine how well prepared it is in the event of a breach
 Because it would be impossible to audit all areas of the business, it is essential to look at the high-value areas to audit

61
AUDITS
Cyber Security Goals and Related Audit Objectives Contd..

 E.g., what would happen if the telecommunications link between a call centre and the necessary systems were to fail? (What do we call such a planning?)
• Are appropriate controls in place to handle a DoS attack for an e-commerce-oriented website?
• Does the organization have the appropriate monitoring controls in place to ensure that data exfiltration activities would be noticed in time, or have the data environments been segregated to protect these data from a targeted attack?
 The audit objectives should be aligned with the cyber security goals to achieve the best business outcomes

62
AUDITS
Cyber Security Goals and Related Audit Objectives

63
AUDITS
Cyber Security Maturity Model
 A cyber security maturity model provides a path forward
and enables your organization to periodically assess
where it is along that path
 This can be a valuable tool for improving your cyber
security efforts, as well as for communicating with upper
management and getting necessary support

64
AUDITS
Cyber Security Maturity Model
Maturity Level - Explanation
Nonexistent (level 0) - Cyber security is not a planned activity
Ad hoc (level 1) - No executive awareness; no policies; tools may not exist or are poorly executed
Repeatable (level 2) - Processes follow a regular pattern; focus is on managing people
Defined (level 3) - Documented and communicated processes
Managed (level 4) - Well managed and measured
Optimized (level 5) - Risk assessment; roles and responsibilities assigned

Cyber security maturity tools are typically used by those responsible for managing the cyber security program to demonstrate year-over-year enhancement of the program
65
THANKS

66
ISO 27001 INTERNATIONAL
STANDARD FOR INFORMATION
SECURITY

https://www.varonis.com/blog/iso-27001-compliance/

67
COBIT (CONTROL OBJECTIVES FOR
INFORMATION TECHNOLOGIES)
FIVE PRINCIPLES

https://www.itgovernance.co.uk/cobit

68
NIST

 The NIST (National Institute of Standards and Technology) is a physical sciences laboratory and non-regulatory agency of the United States Department of Commerce
 Its mission is to promote American innovation and industrial competitiveness

https://www.nist.gov/cyberframework

69
