Security Audit

This document discusses IT security auditing. It defines an IT audit as an independent review of systems, controls, policies and procedures to assess adequacy and ensure compliance. The document outlines the typical steps of an IT audit including planning, testing, and reporting phases. It also provides details on how to prepare for an audit and how audits of specific applications differ from broader IT audits.

Uploaded by Istiaque Hasan

IT Security Auditing

Martin Goldberg

Today's Topics
Defining IT Audit and the Auditor
Steps of an IT Audit
Preparing to be Audited
How to Audit Applications

Defining IT Security Audit
Financial Audit - IRS
Physical Audit - Inventory

Defining IT Security Audit (cont.)
IT Audit
Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend changes in controls, policies, or procedures - DL 1.1.9
Good Amount of Vagueness
Ultimately defined by where you work

Who is an IT Auditor
Accountant Raised to a CS Major
CPA, CISA, CISM, Networking, Hardware, Software, Information Assurance, Cryptography
Someone who knows everything an accountant does plus everything a BS/MS does about CS and Computer Security - Not likely to exist

IT Audits Are Done in Teams
Accountant + Computer Geek = IT Audit Team
Scope too large
Needed expertise varies

CISA? CISM?
CISA - Certified Information Systems Auditor
CISM - Certified Information Systems Manager - new
www.isaca.org (Information Systems Audit and Control Organization)
Teaching financial auditors to talk to CS people

CISA
Min. of 5 years of IS auditing, control or security work experience
Code of professional ethics
Adhering to IS auditing standards
Exam topics:
1. Management, Planning, and Organization of IS
2. Technical Infrastructure and Operational Practices
3. Protection of Information Assets

CISA (cont.)
Exam topics: (cont.)
4. Disaster Recovery and Business Continuity
5. Business Application System Development, Acquisition, Implementation, and Maintenance
6. Business Process Evaluation and Risk Management
7. The IS Audit Process

CISM
Next step above CISA
Exam topics:
1. Information Security Governance
2. Risk Management
3. Information Security Program Management
4. Information Security Management
5. Response Management

Steps of An IT Audit
1. Planning Phase
2. Testing Phase
3. Reporting Phase
Ideally it's a continuous cycle
Again, not always the case

Planning Phase
Entry Meeting
Site Survey
Define Scope
Review Current Policies
Questionnaires
Learn Controls
Historical Incidents
Past Audits
Define Objectives
Develop Audit Plan / Checklist

Defining Objectives & Data Collection
Some Points to Keep in Mind
OTS (Department of Treasury - Office of Thrift Savings) - Banking Regulations
SEC (Securities and Exchange Commission) - Mutual Funds
HIPAA - Health Care
Sarbanes-Oxley - Financial Reports, Document Retention
Gramm-Leach-Bliley - Consumer Financial Information
FERPA (Family Education Rights and Privacy Act) - Student Records
Clearance

Example Checklist
An Auditor's Checklist for Performing a Perimeter Audit on an IBM iSeries (AS/400) System - Craig Reise
Scope of the audit does not include the Operating System
Physical security
Services running

Testing Phase
Meet With Site Managers
What data will be collected
How/when will it be collected
Site employee involvement
Answer questions

Testing Phase (cont.)
Data Collection
Based on scope/objectives
Types of Data
Physical security
Interview staff
Vulnerability assessments
Access Control assessments

Reporting Phase
Exit Meeting - Short Report
Immediate problems
Questions & answers for site managers
Preliminary findings
NOT able to give in-depth information

Reporting Phase (cont.)
Long Report After Going Through Data
Intro defining objectives/scope
How data was collected
Summary of problems
Table format
Historical data (if available)
Ratings
Fixes
Page # where in-depth description is

Reporting Phase (cont.)
In-depth description of problem
How problem was discovered
Fix (in detail)
Industry standards (if available)
Glossary of terms
References
Note: The Above Varies Depending on Where You Work

Preparing To Be Audited
This Is NOT a Confrontation
Make Yourself Available
Know What The Scope/Objectives Are
Know What Type of Data Will Be Collected
Know What Data Shouldn't Be Collected

Example - Auditing User & Groups

Application Audit
An assessment whose scope focuses on a narrow but business-critical process or application
Excel spreadsheet with embedded macros used to analyze data
Payroll process that may span across several different servers, databases, operating systems, applications, etc.
The level of controls is dependent on the degree of risk involved in the incorrect or unauthorized processing of data

Application Audit (cont.)
1. Administration
2. Inputs, Processing, Outputs
3. Logical Security
4. Disaster Recovery Plan
5. Change Management
6. User Support
7. Third Party Services
8. General Controls

Application Audit - Administration
Probably the most important area of the audit, because this area focuses on the overall ownership and accountability of the application
Roles & Responsibilities - development, change approval, access authorization
Legal or regulatory compliance issues

Application Audit - Inputs, Processing, Outputs
Looking for evidence of data preparation procedures, reconciliation processes, handling requirements, etc.
Run test transactions against the application
Includes who can enter input and see output
Retention of output and its destruction

Application Audit - Logical Security
Looking at user creation and authorization as governed by the application itself
User ID linked to a real person
Number of allowable unsuccessful log-on attempts
Minimum password length
Password expiration
Password re-use ability
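The "Auditing User & Groups" example slide and the Logical Security checklist above describe the test an auditor runs against an application's own user store: compare the exported password settings with a baseline and confirm every user ID is linked to a real person, then put the gaps into the rated summary table the Reporting Phase calls for. The following is an added example, not code from the slides or from any of the cited references; the baseline thresholds, the user export format and the sample data are all constructed for illustration.

```python
from dataclasses import dataclass

# Baseline thresholds the auditor compares against (assumed values for this
# example; the real baseline comes from the organisation's written policy).
BASELINE = {
    "max_failed_logons": 5,       # lock the account after this many failures
    "min_password_length": 12,
    "max_password_age_days": 90,
    "password_history": 5,        # previous passwords that may not be reused
}

# Constructed sample export of an application's password settings.
# 0 is used here as "not enforced", a common convention in admin consoles.
SAMPLE_POLICY = {
    "max_failed_logons": 0,
    "min_password_length": 6,
    "max_password_age_days": 0,
    "password_history": 0,
}

# Constructed sample user export. "owner" is the real person accountable for
# the user ID; an empty owner means the ID is not linked to a real person.
SAMPLE_USERS = [
    {"id": "jsmith",  "owner": "Jane Smith", "enabled": True,  "roles": ["payroll_entry"]},
    {"id": "admin",   "owner": "",           "enabled": True,  "roles": ["payroll_entry", "payroll_approve"]},
    {"id": "batch01", "owner": "",           "enabled": False, "roles": ["report_view"]},
    {"id": "rjones",  "owner": "Rob Jones",  "enabled": True,  "roles": ["payroll_approve"]},
]

@dataclass
class Finding:
    area: str
    rating: str      # High / Medium / Low: the report's ratings column
    problem: str
    fix: str

def check_password_policy(policy, baseline=BASELINE):
    """Compare exported password settings with the baseline; one finding per gap."""
    findings = []
    lockout = policy["max_failed_logons"]
    if lockout == 0 or lockout > baseline["max_failed_logons"]:
        findings.append(Finding("Logical Security", "High",
            f"Account lockout after {lockout} failed logons (0 = never)",
            f"Lock the account after at most {baseline['max_failed_logons']} failed logons"))
    if policy["min_password_length"] < baseline["min_password_length"]:
        findings.append(Finding("Logical Security", "Medium",
            f"Minimum password length is {policy['min_password_length']}",
            f"Require at least {baseline['min_password_length']} characters"))
    age = policy["max_password_age_days"]
    if age == 0 or age > baseline["max_password_age_days"]:
        findings.append(Finding("Logical Security", "Low",
            f"Password expiration is {age} days (0 = never)",
            f"Expire passwords after at most {baseline['max_password_age_days']} days"))
    if policy["password_history"] < baseline["password_history"]:
        findings.append(Finding("Logical Security", "Low",
            f"Password re-use: only {policy['password_history']} previous passwords remembered",
            f"Remember at least {baseline['password_history']} previous passwords"))
    return findings

def check_users(users):
    """Every user ID must be linked to a real person; flag generic or unowned IDs."""
    findings = []
    for u in users:
        if not u["owner"].strip():
            # An enabled account nobody owns is a live accountability gap;
            # a disabled one is a housekeeping item.
            rating = "High" if u["enabled"] else "Low"
            findings.append(Finding("Logical Security", rating,
                f"User ID '{u['id']}' is not linked to a real person"
                + ("" if u["enabled"] else " (account disabled)"),
                "Assign a named owner or remove the account"))
    return findings

def audit(policy=SAMPLE_POLICY, users=SAMPLE_USERS):
    """Run all checks and return findings ordered High -> Low, as the report lists them."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    findings = check_password_policy(policy) + check_users(users)
    return sorted(findings, key=lambda f: order[f.rating])

def summary_table(findings):
    """Render the 'Summary of problems' table (rating, problem, fix) for the long report."""
    rows = [f"{'#':<3}{'Rating':<8}{'Problem':<62}Fix"]
    for i, f in enumerate(findings, 1):
        rows.append(f"{i:<3}{f.rating:<8}{f.problem:<62}{f.fix}")
    return "\n".join(rows)

if __name__ == "__main__":
    print(summary_table(audit()))
```

Running the block against the constructed export produces six findings: two High (no lockout, the unowned but enabled "admin" ID), one Medium, and three Low. Swap `SAMPLE_POLICY` for a real export and `BASELINE` for the site's own policy values and the same checks apply; the "page # where in-depth description is" column from the slides would be added at layout time.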

Application Audit - Disaster Recovery Plan
Looking for an adequate and performable disaster recovery plan that will allow the application to be recovered in a reasonable amount of time after a disaster
Backup guidelines, process documentation, offsite storage guidelines, SLAs with offsite storage vendors, etc.

Application Audit - Change Management
Examines the process that changes to an application go through
Process is documented, adequate and followed
Who is allowed to request a change, approve a change and make the change
Change is tested and doesn't break compliance (determined in Administration) before being placed into production
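The "followed" half of "documented, adequate and followed" is tested by pulling the change records and checking each one against the rules just listed: a recorded approval by someone authorized to approve, separation between the person who requests, the person who approves and the person who implements, and evidence of testing and the compliance check before production. This is an added example, not code from the slides; the change-record fields, the authorization lists and the four sample records are constructed for illustration.

```python
# Constructed change records, as a ticketing system might export them.
# "tested" and "compliance_review" are the evidence fields the auditor looks for.
SAMPLE_CHANGES = [
    {"id": "CHG-101", "requester": "alice", "approver": "bob",  "implementer": "carol", "tested": True,  "compliance_review": True},
    {"id": "CHG-102", "requester": "dave",  "approver": "dave", "implementer": "erin",  "tested": True,  "compliance_review": True},
    {"id": "CHG-103", "requester": "alice", "approver": "bob",  "implementer": "bob",   "tested": False, "compliance_review": True},
    {"id": "CHG-104", "requester": "frank", "approver": "",     "implementer": "frank", "tested": True,  "compliance_review": False},
]

# Assumed authorization matrix: who the documented process allows in each role.
AUTHORIZED = {
    "approve":   {"bob", "dave", "grace"},
    "implement": {"carol", "erin", "bob"},
}

def review_change(chg, authorized=AUTHORIZED):
    """Return the list of process exceptions for one change record (empty = compliant)."""
    issues = []
    approver = chg["approver"]
    if not approver:
        issues.append("no recorded approval")
    else:
        if approver not in authorized["approve"]:
            issues.append(f"approver '{approver}' is not an authorized approver")
        # Separation of duties: request, approve and implement must be different people.
        if approver == chg["requester"]:
            issues.append("requester approved their own change")
        if approver == chg["implementer"]:
            issues.append("approver also implemented the change")
    if chg["implementer"] not in authorized["implement"]:
        issues.append(f"implementer '{chg['implementer']}' is not authorized to make changes")
    if not chg["tested"]:
        issues.append("no test evidence before production")
    if not chg["compliance_review"]:
        issues.append("no compliance check recorded before production")
    return issues

def review_changes(changes, authorized=AUTHORIZED):
    """Map change id -> exceptions, keeping only the records that failed a rule."""
    result = {}
    for chg in changes:
        issues = review_change(chg, authorized)
        if issues:
            result[chg["id"]] = issues
    return result

def exception_rate(changes, authorized=AUTHORIZED):
    """Fraction of sampled changes with at least one exception; feeds the report's rating."""
    if not changes:
        return 0.0
    return len(review_changes(changes, authorized)) / len(changes)

if __name__ == "__main__":
    for cid, issues in review_changes(SAMPLE_CHANGES).items():
        print(cid)
        for issue in issues:
            print("   -", issue)
    print(f"exception rate: {exception_rate(SAMPLE_CHANGES):.0%}")
```

On the sample set only CHG-101 passes; the other three show the classic exceptions (self-approval, approver doing the implementation with no test evidence, and a change with no approval or compliance check by someone outside the implementer list). In a real audit the sample would be drawn from the production change log for the audit period and the authorization sets taken from the process document reviewed under Administration.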

Application Audit - User Support
One of the most overlooked aspects of an application
User documentation (manuals, online help, etc.) - available & up to date
User training - productivity, proper use, security
Process for user improvement requests

Application Audit - Third Party Services
Look at the controls around any 3rd party services that are required to meet business objectives for the application or system
Liaison to 3rd party vendor
Review contract agreement
SAS (Statement on Auditing Standards) No. 70 - Service organizations disclose their control activities and processes to their customers and their customers' auditors in a uniform reporting format

Application Audit - General Controls
Examining the environment the application exists within that affects the application
System administration / operations
Organizational logical security
Physical security
Organizational disaster recovery plans
Organizational change control process
License control processes
Virus control procedures

References
www.isaca.org
An Auditor's Checklist for Performing a Perimeter Audit on an IBM iSeries (AS/400) System - Craig Reise
Conducting a Security Audit: An Introductory Overview - Bill Hayes
The Application Audit Process - A Guide for Information Security Professionals - Robert Hein