
The information security audit

Information Technology & Management Program

Published in: Internet

  1. The Information Security Audit
     Ray Trygstad
     ITM 478/578 / IT 478, Spring 2004
     Information Technology & Management Programs, Center for Professional Development
     Illinois Institute of Technology, www.iit.edu. Transforming Lives. Inventing the Future. ITM 578
  2. Learning Objectives
     Upon completion of this lesson the student should be able to:
     – Explain what an information security audit is
     – Explain the relationship of information security policies to the audit process
     – Describe how an information security audit is conducted
     – Discuss knowledge required for members of an information security audit team
  3. Introduction
     What is an Information Security Audit?
     – A measure of how the confidentiality, availability and integrity of an organization’s information is protected and assured
     – A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site
     – Part of the on-going process of defining and maintaining effective security policies
       • Many audits will involve everyone who uses computer resources in the organization
  4. General Methodology
     Assess IT security controls, which include:
     – General controls at the entity level
     – General controls as they are applied to the specific application(s) being examined
     – Application controls, which are the controls over input, processing, and output of data associated with individual applications
  5. General Controls
     – Policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation
     – Examples of primary objectives for general controls:
       • Safeguard data
       • Protect computer application programs
       • Prevent unauthorized access to system software
       • Ensure continued computer operations in case of unexpected interruptions
     – The effectiveness of general controls is a significant factor in determining the effectiveness of application controls
  6. Relationship of Policy to General Controls
     Security policies are a standardization of security practices put in writing
     – Employees must read & agree to them
     – In many enterprises today, security policies may be informal or unwritten
       • Informal/unwritten policies are not legally enforceable
     Typically policies prescribe methods of implementing general and application controls
  7. Nature & Extent of the Audit
     Depends on audit objectives and other factors
     Factors to consider:
     – Nature and complexity of the information systems
     – The control environment
     – Particular accounts and applications significant to the areas of interest
  8. Audit Scope
     – Audit objectives determine the scope of the audit
     – Scope determination factors
       • Site business plan
       • Type of data being protected
       • Value/importance of data to the client organization
       • Previous security incidents
       • Time available to complete the audit
       • Talent/expertise/experience of the auditors
     – Auditors & client must agree on scope prior to the commencement of the actual audit
  9. Audit Stages
     The audit is conducted in four stages:
     – Planning Phase
     – Internal Control Phase
     – Testing Phase
     – Reporting Phase
  10. Planning Phase
     – The auditor gains an understanding of information system operations, controls and related risks
     – In view of these risks, reach tentative conclusions as to which controls are likely to be effective
     – If controls are likely to be effective and are relevant to audit objectives, the auditor will determine the nature and extent of audit work needed to confirm the tentative conclusions
     – If controls are not likely to be effective, the auditor must develop a sufficient understanding of related control risks to
       • (1) develop appropriate findings and related recommendations for corrective action
       • (2) determine the nature, timing, and extent of substantive testing necessary
  11. Pre-Audit Tasks
     – Review previous audits (baselining)
     – Assess site survey
       • Asset inventory including technical description of the system’s hosts
       • Includes management and user demographics
     – Administer security questionnaires
     – Review previous security incidents
  12. Pre-Audit Tasks
     – Read and evaluate the most recent risk assessment
     – Read and evaluate all policies & procedures
     – Develop the Audit Plan
       • Prepare audit checklists tailored for the audit environment
     – Discuss audit objective and details with the client, ensuring objectives are understood and mutually agreed upon
  13. Site Survey
     – May need to be completed by client staff, or may be prepared by a member of the audit team based on an existing asset inventory and other information provided by the client
     – Should present auditors with a complete picture of the information technology environment of the client
  14. Security Questionnaires
     – Self-assessment tools allowing client staff (both IT professional staff and end users) to measure knowledge of and compliance with security controls in place
     – Should be phrased in terms of “ranking” (i.e. 1-5, 1-10 scales) as to knowledge and compliance in specific areas
  15. Pre-Audit Audit Report
     If policies and procedures do not prescribe adequate controls for the described risks, auditors may need to:
     – develop appropriate findings and related recommendations for corrective action
     – delay remaining portions of the audit until appropriate corrections have been put in place
     – prepare a preliminary Audit Report to facilitate proper implementation of controls
  16. Internal Control Phase
     – Auditors obtain detailed information on control policies, procedures, and objectives
     – Perform tests of control activities
     – First test general controls through a combination of procedures, which may include
       • Observation
       • Inquiry
       • Inspection
  17. Internal Control Phase
     – If these controls operate effectively, auditors should then test & evaluate the effectiveness of general controls for applications significant to the audit
     – If general controls are not operating effectively, application-level controls are generally not tested (note: in the audits we conduct, we will not be testing any application-level controls…)
  18. Application Level Testing
     As an example of application-level control testing, auditors might test a system to ensure
     – data prepared for entry is complete, valid, and reliable;
     – data is converted to an automated form and entered into the application accurately, completely, and on time;
     – data is processed by the application completely, on time, and in accordance with established requirements;
     – output is protected from unauthorized modification or damage and distributed in accordance with prescribed policies
  19. Application Level Testing
     Auditors evaluate and test the effectiveness of application controls by
     – observing the controls in operation
     – examining related documentation
     – discussing the controls with pertinent personnel
     – reperforming the control being tested
  20. Testing Phase
     – In the testing phase, substantive technical testing is performed
     – This may include
       • Application security and integrity testing on appropriate workstations & terminals
         – Checking for patches and updates
       • Network security testing through both passive monitoring and active measures
       • Restoration of backed-up material
       • If conducted in concert with a broader audit (i.e. a financial audit), auditors may be called upon to assist financial auditors in identifying/selecting computer-processed transactions for testing, possibly using computer audit software
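The "restoration of backed-up material" test in the slide above is the one substantive test that is easy to automate and easy to get wrong, so here is an added example of how an auditor might script it. This is not code from the lecture: it builds a constructed sample directory, backs it up with Python's `tarfile`, restores it to a second location, and then compares SHA-256 digests file by file and checks the archive's age. The sample files, the paths and the seven-day maximum backup age are all assumptions made for the example.

```python
"""Restoration test for backed-up material (added example, not from the slides)."""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root: Path) -> Dict[str, str]:
    """Map the relative path of every regular file under root to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> None:
    """Write a gzip-compressed tar of source, rooted at the directory's own name."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive under dest.

    The "data" extraction filter (added in Python 3.12 and backported to
    3.8.17/3.9.17/3.10.12/3.11.4) refuses members that would land outside
    dest (absolute names, '..' components, links pointing elsewhere). Older
    interpreters do not accept the parameter, so fall back to plain extraction.
    """
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")
        except TypeError:
            tar.extractall(dest)


def verify_restore(source: Path, archive: Path, restore_dir: Path,
                   max_age_seconds: float) -> dict:
    """Compare the restored tree with the original and check the backup is current."""
    age = time.time() - archive.stat().st_mtime
    restored = restore_dir / source.name
    expected = tree_digests(source)
    actual = tree_digests(restored) if restored.is_dir() else {}
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    extra = sorted(set(actual) - set(expected))
    return {
        "ok": bool(not missing and not corrupted and age <= max_age_seconds),
        "missing": missing,
        "corrupted": corrupted,
        "extra": extra,
        "age_seconds": age,
    }


def run_restoration_test(max_age_seconds: float = 7 * 24 * 3600) -> dict:
    """End-to-end run on constructed data; returns the verdict for an intact restore
    and for a deliberately damaged one, so the check is shown both passing and failing."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source = base / "data"
        (source / "config").mkdir(parents=True)
        (source / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")    # constructed sample
        (source / "config" / "app.ini").write_text("[app]\nmode=prod\n")  # constructed sample
        archive = base / "backup.tar.gz"
        make_backup(source, archive)
        restore_dir = base / "restore"
        restore_backup(archive, restore_dir)
        intact = verify_restore(source, archive, restore_dir, max_age_seconds)

        # Simulate a bad restore: one file truncated, one file lost.
        restored = restore_dir / source.name
        (restored / "ledger.csv").write_text("id,amount\n1,100\n")
        (restored / "config" / "app.ini").unlink()
        tampered = verify_restore(source, archive, restore_dir, max_age_seconds)
        return {"intact": intact, "tampered": tampered}


if __name__ == "__main__":
    for label, verdict in run_restoration_test().items():
        print(label, verdict)
```

In a real engagement the source tree would be the production data set and the archive the site's actual backup medium; the point of the comparison is that a backup which cannot be restored byte-for-byte, or which is older than the site's stated retention window, is a finding even if the backup job reports success.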
  21. Site Visit
     – Internal Control and Testing phases are normally accomplished through a site visit
     – The aim of auditors is not to adversely affect business transactions during the audit
     – Auditors should conduct an entry briefing where they outline the scope of the audit and what they hope to accomplish
     – Auditors should be thorough, fair and apply consistent standards and procedures throughout the audit
  22. Site Visit
     – During the visit, auditors may:
       • Collect data about the physical security of computer assets
       • Perform interviews of site staff
       • Perform network vulnerability assessments
       • Perform operating system and application security assessments & vulnerability testing
       • Perform access controls assessment
       • Other evaluations
     – Auditors should follow their checklists, but keep their eyes (and ears!) open for unexpected problems
  23. Key Audit Questions
     – Remember, audits are principally concerned with how security policies are actually implemented
     – Key questions to be answered:
       • Are passwords difficult to crack? Are they on post-it notes on the monitor or inside the desk’s top drawer?
       • Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
       • Are there audit logs to record who accesses data?
       • Are the audit logs reviewed?
  24. Key Audit Questions (continued)
     – Are the security settings for operating systems in accordance with accepted industry security practices?
     – Have all unnecessary applications and computer services been eliminated for each system?
     – Are these operating systems and commercial applications patched to current levels?
     – How is backup media stored? Who has access to it? Is it up-to-date?
     – Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
  25. Key Audit Questions (continued)
     – Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
     – Have custom-built applications been written with security in mind?
     – How have these custom applications been tested for security flaws?
     – How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?
  26. Audit Checklists
     – Audits are conducted by checklist
     – Checklists are widely available but should be tailored for each audit by the audit team
     – Checklists may be challenge-response (i.e. check-in-the-box or yes-or-no answers) or they may be scale rankings (1-4, 1-5, 1-10, etc.)
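The deck describes two response styles for checklists and questionnaires (challenge-response yes/no items on slide 26, 1-to-N rankings on slide 14) and says checklists must be tailored per audit. The following added example, which is not code from the lecture, models a checklist that mixes both styles, normalises every response onto a common 0..1 scale so they can be weighted and combined, tailors a generic list for one site, and reports unanswered items separately instead of silently counting them as passes. The item texts are taken from the deck's key audit questions (slides 23 to 25); the item identifiers, weights, the 0.8 pass threshold and the sample responses are constructed for the example.

```python
"""Audit checklist model and evaluation (added example, not from the slides)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Union

Response = Union[bool, int]


@dataclass(frozen=True)
class ChecklistItem:
    ident: str
    question: str
    kind: str                    # "yesno" (challenge-response) or "scale" (ranking)
    weight: int = 1              # constructed: how much the item counts in the overall score
    scale_max: int = 1           # for "scale" items, responses run 1..scale_max
    pass_threshold: float = 0.8  # normalised score at or above this counts as satisfied


def normalise(item: ChecklistItem, response: Response) -> float:
    """Map a yes/no or 1..N ranking response onto 0.0..1.0 so both kinds can be combined."""
    if item.kind == "yesno":
        if not isinstance(response, bool):
            raise ValueError(f"{item.ident}: expected yes/no, got {response!r}")
        return 1.0 if response else 0.0
    if item.kind == "scale":
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(response, bool) or not isinstance(response, int):
            raise ValueError(f"{item.ident}: expected an integer ranking, got {response!r}")
        if not 1 <= response <= item.scale_max:
            raise ValueError(f"{item.ident}: ranking {response} outside 1..{item.scale_max}")
        return response / item.scale_max
    raise ValueError(f"{item.ident}: unknown item kind {item.kind!r}")


def tailor(base: Sequence[ChecklistItem], drop: Sequence[str] = (),
           extra: Sequence[ChecklistItem] = ()) -> List[ChecklistItem]:
    """Tailor a generic checklist for one audit: drop items that do not apply, add site-specific ones."""
    dropped = set(drop)
    return [item for item in base if item.ident not in dropped] + list(extra)


def evaluate(checklist: Sequence[ChecklistItem], responses: Dict[str, Response]) -> dict:
    """Score a checklist; unanswered items are listed rather than treated as passes."""
    deficient: List[str] = []
    unanswered: List[str] = []
    detail: Dict[str, float] = {}
    weighted_total = 0.0
    weight_sum = 0
    for item in checklist:
        if item.ident not in responses:
            unanswered.append(item.ident)
            continue
        score = normalise(item, responses[item.ident])
        detail[item.ident] = score
        weighted_total += item.weight * score
        weight_sum += item.weight
        if score < item.pass_threshold:
            deficient.append(item.ident)
    overall = weighted_total / weight_sum if weight_sum else 0.0
    return {"score": overall, "deficient": deficient, "unanswered": unanswered, "detail": detail}


# Constructed generic checklist: questions from the deck, weights and ids assumed.
BASE_CHECKLIST = [
    ChecklistItem("KAQ-01", "Are there ACLs on network devices controlling access to shared data?", "yesno"),
    ChecklistItem("KAQ-02", "Are there audit logs recording who accesses data?", "yesno"),
    ChecklistItem("KAQ-03", "Are the audit logs reviewed?", "yesno", weight=2),
    ChecklistItem("KAQ-04", "Are operating systems and commercial applications patched to current levels?",
                  "yesno", weight=2),
    ChecklistItem("KAQ-05", "Have all unnecessary applications and services been eliminated on each system?",
                  "yesno"),
    ChecklistItem("KAQ-06", "Is there a disaster recovery plan, and has it been rehearsed?", "yesno", weight=2),
    ChecklistItem("SQ-01", "Staff knowledge of the password policy (1 = none, 5 = thorough)", "scale", scale_max=5),
    ChecklistItem("SQ-02", "Staff compliance with the rule against written-down passwords (1-5)", "scale",
                  scale_max=5),
]

# Constructed site responses; KAQ-06 is deliberately left unanswered.
SAMPLE_RESPONSES: Dict[str, Response] = {
    "KAQ-01": True, "KAQ-02": True, "KAQ-03": False, "KAQ-04": False, "KAQ-05": True,
    "SQ-01": 4, "SQ-02": 2,
}


def sample_evaluation() -> dict:
    """Tailored run: drop one generic item for this site and add a site-specific one."""
    extra = [ChecklistItem("SITE-01", "Is backup media stored off-site with access to it logged?", "yesno")]
    checklist = tailor(BASE_CHECKLIST, drop=["KAQ-05"], extra=extra)
    return evaluate(checklist, {**SAMPLE_RESPONSES, "SITE-01": True})


if __name__ == "__main__":
    print(sample_evaluation())
```

With the constructed responses the weighted score is 4.2/9, the deficient items are KAQ-03, KAQ-04 and SQ-02, and KAQ-06 is reported as unanswered. Keeping unanswered items visible matters in practice: a checklist that is 90% "yes" with the remaining 10% blank is not a 90% result until the auditor has chased the blanks.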
  27. Sample Audit Checklist: General IT Controls Audit Program
     Purpose / Scope: Perform a General Controls review of Information Technology (IT). The reviews will include all IT related policies, procedures, data security administration, data center operations, system development / maintenance, the IT Disaster / Recovery plan and its relation to the corporate Business Continuity plan.
     Audit steps (each step is recorded with Date, Initials and W/P Ref.):
     IT General Controls Planning
     – Determine if committees review, approve, and report to the board on:
       • Short and long term information systems plans
       • IT operating standards
       • Data security policies and procedures
       • Resource allocation (major hardware/software acquisition and project priorities)
       • Status of major projects
       • IT budgets and current operating cost
     Policies, Standards, and Procedures
     – Determine whether the board of directors has reviewed and approved IT policies.
     – Examine how IT management has defined standards and adopted a methodology governing the process of developing, acquiring, implementing, and maintaining information systems and related technology.
     – Determine if IT management has adequate standards and procedures for:
       • Systems development
       • Program change control
       • Data Center operations
       • Data Base administration
       • DASD management
       • Performance monitoring
  28. Exit Briefing
     – Ensure management is made aware of any problems requiring immediate attention or correction
     – Answer questions in a very general manner so as not to create a false impression of the audit’s outcome
       • At this stage auditors are not in a position to provide definitive answers
       • Final answers can only be provided following the final analysis of the audit data
  29. Reporting Phase
     – Back at the ranch, auditors will review and analyze checklist data and analyze any data discovered through use of vulnerability assessment tools
     – There should be an initial meeting to help focus the outcome of the audit results
       • Auditors should identify problem areas and possible solutions
  30. Writing the Audit Report
     – The Audit Report may be prepared in a number of formats
     – Keep it simple and direct, containing concrete findings with measurable ways to correct identified deficiencies
     – Typical format
       • Executive summary
       • Detailed findings
       • Supporting data (checklists, scan reports etc.) should be included as report appendices
  31. Writing the Audit Report
     – Develop the executive summary first, as it may be necessary to report to management before the details are done
     – Include an audit summary which may emphasize the positive findings of the audit
     – Organize audit findings in a simple and logical manner with a half-page or full page for each identified problem
     – Each problem entry should outline the problem, discuss implications and describe appropriate corrective actions
  32. The Audit Report
     – Describe information security control weaknesses clearly in terms understandable to those with limited knowledge of information system issues
     – Define all technical terms and avoid jargon and acronyms
     – Discuss each weakness in terms of
       • related criteria
       • the condition identified
       • the cause of the weakness
       • actual or potential impact on the organization
       • appropriate corrective action
     – This helps senior management to understand the significance of the problem and to ensure development of appropriate corrective actions
  33. Technical Reporting
     Weaknesses reported to technical staff should be the same as those reported to senior management, but should include the necessary technical detail to allow the staff
     – to understand the precise cause of the weaknesses
     – to aid them in developing corrective actions
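Slides 32 and 33 together describe a findings format: every weakness carries five elements (criteria, condition, cause, impact, corrective action), the management version avoids undefined acronyms, and the technical version reports the same weaknesses with extra detail. The example below is added here to show that structure as code; it is not from the lecture. It validates that a finding has all five elements, renders the same list of findings once for management (worst first, no technical detail, with a note wherever an acronym is not in the report's glossary) and once for technical staff, and produces the counts an executive summary needs. The three findings, the 1-to-3 severity scale, the glossary and the constructed path in the technical detail are all assumptions made for the example.

```python
"""Audit findings rendered for two audiences (added example, not from the slides)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set


@dataclass(frozen=True)
class Finding:
    ident: str
    title: str
    criteria: str            # what the control should meet (policy, standard, accepted practice)
    condition: str           # what the auditor actually observed
    cause: str
    impact: str
    corrective_action: str
    severity: int            # constructed scale: 3 = immediate attention, 2 = significant, 1 = minor
    technical_detail: str = ""   # shown only to technical staff


REQUIRED = ("criteria", "condition", "cause", "impact", "corrective_action")
ACRONYM = re.compile(r"\b([A-Z]{2,})s?\b")   # runs of capitals, optionally pluralised


def missing_elements(f: Finding) -> List[str]:
    """Names of the five required elements that are empty; such a finding is not ready to report."""
    return [name for name in REQUIRED if not getattr(f, name).strip()]


def undefined_acronyms(text: str, glossary: Set[str]) -> List[str]:
    """Acronyms used in text that the report's glossary does not define."""
    return sorted({m.group(1) for m in ACRONYM.finditer(text)} - glossary)


def by_severity(findings: Sequence[Finding]) -> List[Finding]:
    return sorted(findings, key=lambda f: (-f.severity, f.ident))


def render_management(findings: Sequence[Finding], glossary: Set[str]) -> str:
    """Plain-language section: one block per finding, worst first, no technical detail."""
    lines = ["FINDINGS (management view)"]
    for f in by_severity(findings):
        lines += [f"{f.ident}: {f.title} [severity {f.severity}]",
                  f"  Criteria: {f.criteria}",
                  f"  Condition: {f.condition}",
                  f"  Cause: {f.cause}",
                  f"  Impact: {f.impact}",
                  f"  Corrective action: {f.corrective_action}"]
        text = " ".join(getattr(f, name) for name in ("title",) + REQUIRED)
        undefined = undefined_acronyms(text, glossary)
        if undefined:
            lines.append("  NOTE: define before release: " + ", ".join(undefined))
    return "\n".join(lines)


def render_technical(findings: Sequence[Finding]) -> str:
    """Same findings in the same order, plus the detail staff need to fix them."""
    lines = ["FINDINGS (technical appendix)"]
    for f in by_severity(findings):
        lines += [f"{f.ident}: {f.title}",
                  f"  Cause: {f.cause}",
                  f"  Corrective action: {f.corrective_action}",
                  f"  Technical detail: {f.technical_detail or '(none)'}"]
    return "\n".join(lines)


def executive_summary(findings: Sequence[Finding]) -> dict:
    counts: Dict[int, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return {"total": len(findings), "by_severity": counts,
            "immediate_attention": [f.ident for f in by_severity(findings) if f.severity == 3]}


# Constructed sample findings; policy references and paths are invented for the example.
SAMPLE_FINDINGS = [
    Finding("F-01", "Audit logs are collected but never reviewed",
            criteria="Site policy requires weekly review of access logs for shared data (constructed reference)",
            condition="No evidence of any review of file-server access logs in the last six months",
            cause="Nobody is assigned the review and no tooling summarises the logs",
            impact="Unauthorised access to shared data would go unnoticed",
            corrective_action="Assign the review to a named administrator and produce a weekly exception report",
            severity=3,
            technical_detail="Logs live in /var/log/sharesvc/access.log (constructed path); a daily digest "
                             "of failed and after-hours access would be sufficient"),
    Finding("F-02", "Servers missing vendor patches",
            criteria="Accepted industry practice: current vendor patch levels",
            condition="Three of seven servers are more than a year behind on operating system patches",
            cause="No patch schedule and no test environment for updates",
            impact="Known weaknesses remain present on production systems",
            corrective_action="Adopt a monthly patch cycle with a staging host for testing",
            severity=2, technical_detail="Affected hosts are listed in appendix B (constructed)"),
    Finding("F-03", "Disaster recovery plan has never been rehearsed",
            criteria="The DRP should be exercised at least annually",
            condition="The plan exists but no rehearsal has taken place",
            cause="No time has been scheduled for an exercise",
            impact="Recovery may fail or take far longer than planned",
            corrective_action="Schedule a tabletop exercise within the quarter",
            severity=1),
]
GLOSSARY = {"IT"}   # constructed: acronyms the report's glossary already defines


if __name__ == "__main__":
    print(executive_summary(SAMPLE_FINDINGS))
    print(render_management(SAMPLE_FINDINGS, GLOSSARY))
    print(render_technical(SAMPLE_FINDINGS))
```

The acronym check is deliberately crude (any run of two or more capitals), which is the right trade-off for a release gate: a false positive costs a glance, while an undefined term in the management copy costs exactly the misunderstanding slide 32 warns about.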
  34. Report Timeliness & Follow-Up
     – Prepare the Audit Report as quickly as accuracy allows so that site staff can correct the problems identified
     – Auditors may be called upon to assist technical staff in implementation of appropriate controls and solutions
     – Management should follow up until all identified deficiencies are corrected
  35. Typical Problems Identified in Audits
     – Lack of formal IT planning mechanisms, with the result that IT does not serve the organization’s pressing needs or does not do so in a timely and secure manner
     – Lack of formal security policies, resulting in a piecemeal or “after-an-incident” approach to security
     – Inadequate program change control, leaving software vulnerable to unauthorized changes
  36. Typical Problems Identified in Audits
     – Little or no awareness of key security issues and inadequate technical staff to address the issues
     – Failure to take advantage of security software features such as selective monitoring capabilities, enforcement of stringent password rules, & review of key security reports
     – Inadequate user involvement in testing and sign-off for new applications, resulting in systems that fail to meet user requirements or confidentiality, integrity, and availability needs
  37. Typical Problems Identified in Audits
     – Installation of software or upgrades without adequate attention to default configurations or default passwords
     – Virus definitions not kept up-to-date
     – Inadequate continuity of operation plans
     – Failure to formally assign security administration responsibilities to staff who are technically competent, independent, and report to senior management
  38. Typical Problems Identified in Audits
     – Lack of user awareness
     – Unnecessarily high access rights
     – Lack of or inadequate plans for
       • An information security management program
       • Physical and logical access controls
       • Software change controls
       • Segregated duties
       • Continuity of business
  39. What Should Auditors Know?
     – Generally accepted accounting practices state “staff assigned to conduct the audit should collectively possess adequate professional proficiency for the tasks required.”
       • This includes computer skills and security knowledge for IS audits
     – Although each member of an audit team need not have all attributes, the team must collectively possess the requisite attributes to be able to
       • Adequately plan the audit
       • Assess computer-related controls
       • Test the controls
       • Determine the effect on the overall audit plan
       • Develop findings and recommendations
       • Report the results
  40. What Should Auditors Know?
     – Applicable knowledge is laid out well in the National State Auditors Association/GAO Management Planning Guide for Information Systems Security Auditing (table on next 2 slides)
     – Typical knowledge/skill set includes
       • Technical competency
       • Knowledge and understanding of information security and privacy requirements and best practices
       • (see the tables)
  41. Knowledge, Skills, and Abilities
     Audit objective, with the associated knowledge, skills, and abilities for IS security audit areas:
     Organizationwide security program planning and management
     – Knowledge of applicable legislative requirements for a security program
     – Knowledge of the sensitivity of data and the risk management process through risk assessment and risk mitigation
     – Knowledge of the risks associated with a deficient security program
     – Knowledge of the elements of a good security program
     – Ability to analyze and evaluate an organization’s security policies and procedures and identify their strengths and weaknesses
     Access control
     – Knowledge across platforms of the access paths into computer systems and of the functions of associated hardware and software providing an access path
     – Knowledge of access level privileges granted to users and the technology used to provide and control them
     – Knowledge of the procedures, tools, and techniques that provide for good physical, technical, and administrative controls over access
     – Knowledge of the risks associated with inadequate access controls
     – Ability to analyze and evaluate an organization’s access controls and identify the strengths and weaknesses
     – Skills to review security software reports and identify access control weaknesses
     – Skills to perform penetration testing of the organization’s applications and supporting computer systems
     Application software development and change control
     – Knowledge of the concept of a system life cycle and of the System Development Life Cycle (SDLC) process
     – Knowledge of the auditor’s role during system development and of federal guidelines for designing controls into systems during development
     – Knowledge of the procedures, tools, and techniques that provide control over application software development and modification
     – Knowledge of the risks associated with the development and modification of application software
     – Ability to analyze and evaluate the organization’s methodology and procedures for system development and modification and identify the strengths and weaknesses
     Adapted from “Knowledge, Skills, and Abilities for IS Security Audit Areas by FISCAM Objective” from National State Auditors Association/GAO Management Planning Guide for Information Systems Security Auditing, 2001
  42. Knowledge, Skills, and Abilities
     Audit objective, with the associated knowledge, skills, and abilities for IS security audit areas:
     System software
     – Knowledge of the different types of system software and their functions
     – Knowledge of the risks associated with system software
     – Knowledge of the procedures, tools, and techniques that provide control over the implementation, modification, and use of system software
     – Ability to analyze and evaluate an organization’s system software controls and identify the strengths and weaknesses
     – Skills to use software products to review system software integrity
     Segregation of duties
     – Knowledge of the different functions involved with information systems and data processing and incompatible duties associated with these functions
     – Knowledge of the risks associated with inadequate segregation of duties
     – Ability to analyze and evaluate an organization’s organizational structure and segregation of duties and identify the strengths and weaknesses
     Business continuity
     – Knowledge of the procedures, tools, and techniques that provide for business continuity
     – Knowledge of the risks that exist when measures are not taken to provide for business continuity
     – Ability to analyze and evaluate an organization’s program and plans for business continuity and identify the strengths and weaknesses
     Application controls
     – Knowledge about the practices, procedures, and techniques that provide for the authorization, completeness, and accuracy of application data
     – Knowledge of typical applications in each business transaction cycle
     – Ability to analyze and evaluate an organization’s application controls and identify the strengths and weaknesses
     – Skills to use a generalized audit software package to conduct data analyses and tests of application data, and to plan, extract, and evaluate data samples
     Adapted from “Knowledge, Skills, and Abilities for IS Security Audit Areas by FISCAM Objective” from National State Auditors Association/GAO Management Planning Guide for Information Systems Security Auditing, 2001
  43. Our Audits
     Pre-Audit
     – Policy Review
     – Administer any questionnaires
     – Plan the Audit
       • Create audit checklists
       • Arrange site visit
     Site Visit
     – Entry briefing but probably no exit briefing
     Prepare Report
     Deliver Report
  44. The End… Questions? Discussion!