Lecture 1 - Information Systems Auditing Overview and Methodologies
By
Agenda
- CobiT
- BS7799
- BSI
- ITSEC
- Common Criteria (CC)
- CobiT: www.isaca.org
- BS7799: www.bsi.org.uk/disc/
- BSI: www.bsi.bund.de/gshb/english/menue.htm
(Figure: application areas of the methods - Audits, Risk Analysis, Security Health Checks, Security Manuals / Handbooks)
Security Definition
- Confidentiality
- Integrity (Correctness, Completeness)
- Availability
- Non-repudiation
CobiT
- Governance
- Releases: Version 1: 1996, Version 2: 1998
- Business requirements:
  - Security (Confidentiality, Integrity, Availability)
  - Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
- IT Resources (Data, Application Systems, Technology, Facilities, People)
CobiT - Framework / Structure
- 4 Domains:
  - PO - Planning & Organisation: 11 processes (high-level control objectives)
  - AI - Acquisition & Implementation: 6 processes (high-level control objectives)
  - DS - Delivery & Support: 13 processes (high-level control objectives)
  - M - Monitoring: 4 processes (high-level control objectives)
PO - Planning & Organisation
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine the Technological Direction
- PO 4 Define the IT Organisation and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality

AI - Acquisition & Implementation
- AI 1 Identify Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Architecture
- AI 4 Develop and Maintain IT Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes

DS - Delivery & Support
- DS 1 Define Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Attribute Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise IT Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations

M - Monitoring
- M1 Monitor the Processes
- M2 Assess Internal Control Adequacy
- M3 Obtain Independent Assurance
- M4 Provide for Independent Audit
(Figure: CobiT framework relating IT Processes and IT Resources)
CobiT - Summary
- Mainly used for IT audits, incl. security aspects
- No detailed evaluation methodology described
- Developed by international organisation (ISACA)
- Up-to-date: Version 2 released in 1998
- Only high-level control objectives described
- Detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown in graphic form
- May be used for self assessments
- Useful aid in implementing IT control systems
- No suitable basis to write security handbooks
- 3 parts freely downloadable from ISACA site
BS 7799 - CoP
- Code of Practice for Information Security Management
- Developed by UK DTI, BSI: British Standard
- Releases:
- Structure: control categories, 32 control groups, 109 security controls, 10 security key controls
- Control categories:
  - Security policy
  - Security organisation
  - Assets classification & control
  - Personnel security
  - Physical & environmental security
  - Computer & network management
  - Access control
  - Systems development & maintenance
  - Business continuity planning
  - Compliance
- Security key controls (figure, only partly recovered): Information ..., Reporting of security incidents, Virus controls, Safeguarding Data, Compliance
BS7799 - Summary
- Main use: Security Concepts & Health Checks
- No evaluation methodology described
- British Standard, developed by UK DTI
- Certification scheme in place (c:cure)
- BS7799, Part 1, 1995 is being revised in 1999
- Lists 109 ready-to-use security controls
- No detailed security measures described
- Very user friendly - easy to learn
- Evaluation results not shown in graphic form
- May be used for self assessments
- BS7799, Part 1:
- BS7799, Part 2:
- BSI Electronic book of Part 1:
- Several BS7799 c:cure publications from BSI
- CoP-iT software from SMH, UK:
BSI - IT Baseline Protection Manual (IT-Grundschutzhandbuch)
- Developed by German BSI (GISA: German Information Security Agency)
- Releases:
  - IT security manual: 1992
  - IT baseline protection manual: 1995
  - New versions (paper and CD-ROM): each year
BSI - Approach
- Used to determine IT security measures for medium-level protection requirements
- Straightforward approach, since a detailed risk analysis is not performed
- Based on generic & platform-specific security requirements, detailed protection measures are constructed using given building blocks
- The list of assembled security measures may be used to establish or enhance baseline protection
BSI - Structure
- IT security measures catalogue
- Threats catalogue: 5 categories of threats
BSI - Building blocks
- Generic components
- Infrastructure
- Non-networked systems
- LANs
- Data transfer systems
- Telecommunications
- Other IT components

BSI - Generic components
- 3.1 Organisation
- 3.2 Personnel
- 3.3 Contingency Planning
- 3.4 Data Protection
BSI - Infrastructure
- 4.1 Buildings
- 4.2 Cabling
- 4.3 Rooms
  - 4.3.1 Office
  - 4.3.2 Server Room
  - 4.3.3 Storage Media Archives
  - 4.3.4 Technical Infrastructure Room
- 4.4 Protective cabinets
- 4.5 Home working place
BSI - Non-networked systems
- 5.1
- 5.2 UNIX System
- 5.3 Laptop
- 5.4 DOS PC (multiuser)
- 5.5 Non-networked Windows NT computer
- 5.6 PC with Windows 95
- 5.99 Stand-alone IT systems
BSI - LANs
- 6.4 Windows NT network
- 6.5 Novell Netware 3.x
- 6.6 Novell Netware version 4.x
- 6.7 Heterogeneous networks
BSI - Data transfer systems
- 7.4
BSI - Telecommunications
- 8.1 Telecommunication system
- 8.2 Fax Machine
- 8.3 Telephone Answering Machine
BSI - Example building block
- Threats - Technical failure:
  - T 4.13 Loss of stored data
- Security Measures - Contingency planning:
  - S 6.36 Stipulating a minimum data protection concept
  - S 6.37 Documenting data protection procedures
  - S 6.33 Development of a data protection concept (optional)
  - S 6.34 Determining the factors influencing data protection (optional)
  - S 6.35 Stipulating data protection procedures (optional)
  - S 6.41 Training data reconstruction
- Security Measures - Organisation:
  - S 2.41 Employees' commitment to data protection
  - S 2.137 Procurement of a suitable data backup system
BSI - Security measures catalogues (420 safeguards)
- S1 - Infrastructure (45 safeguards)
- S2 - Organisation (153 safeguards)
- S3 - Personnel (22 safeguards)
- S4 - Hardware & Software (83 safeguards)
- S5 - Communications (62 safeguards)
- S6 - Contingency Planning (55 safeguards)

BSI - Threats catalogues (209 threats)
- T1 - Force Majeure (10 threats)
- T2 - Organisational Shortcomings (58 threats)
- T3 - Human Errors (31 threats)
- T4 - Technical Failure (32 threats)
- T5 - Deliberate acts (78 threats)

BSI - Threats: T3 - Human Errors (31 threats), examples
- Loss of data confidentiality/integrity as a result of IT user error
- Non-compliance with IT security measures
- Threat posed by cleaning staff or outside staff
- Incorrect management of the IT system
- T 3.12 Loss of storage media during transfer
- T 3.16 Incorrect administration of site and data access rights
BSI - Summary
- Main use: Security concepts & manuals
- No evaluation methodology described
- Developed by German BSI (GISA)
- Updated version released each year
- Lists 209 threats & 420 security measures
- 34 modules cover generic & platform-specific security requirements
- User friendly, with a lot of security details
- Not suitable for security risk analysis
- Results of security coverage not shown in graphic form
- Manual in HTML format on BSI web server
- Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
ITSEC (IT Security Evaluation Criteria)
- Releases:
  - ITSEC: 1991 (paper)
  - ITSEM: 1993 (IT Security Evaluation Manual)
  - UK IT Security Evaluation & Certification scheme: 1994

Common Criteria (CC)
- Developed by USA, EC: based on ITSEC
- ISO International Standard
- Releases:
ITSEC - Methodology
- Based on a systematic, documented approach for security evaluations of systems & products
- Open-ended with regard to the defined set of security objectives
- ITSEC steps: Definition

ITSEC - Functionality
- Security objectives (Why)
- Risk
- technical

ITSEC - Assurance
- Goal:
CC - Security Concept

CC - Evaluation Goal
CC - Documentation
- CC Part 1: Introduction and Model
  - Introduction to Approach
  - Terms and Model
  - Requirements for Protection Profiles (PP) and Security Targets (ST)
- CC Part 2: Functional Requirements
  - Detailed Requirements
- CC Part 3: Assurance Requirements
  - Assurance Classes
  - Assurance Families
  - Assurance Components
  - Detailed Requirements
  - Evaluation Assurance Levels (EAL)
CC - Security Requirements
- Functional Requirements - for defining the security behaviour of the IT product or system: implemented requirements become security functions
- Assurance Requirements - for establishing confidence in the Security Functions: correctness of implementation, effectiveness in satisfying objectives
CC - Functional Classes (Part 2)
- Audit
- Communications
- Cryptographic Support
- User Data Protection
- Identification & Authentication
- Security Management
- Privacy
- Protection of TOE Security Functions
- Resource Utilization
- TOE (Target Of Evaluation) Access
- Trusted Path / Channels

CC - Assurance Classes (Part 3)
- Configuration Management
- Delivery & Operation
- Development
- Guidance Documents
- Life Cycle Support
- Tests
- Vulnerability Assessment
- Protection Profile Evaluation
- Security Target Evaluation
- Maintenance of Assurance

CC - Evaluation Assurance Levels (EAL), with TCSEC* equivalents
- EAL1 Functionally Tested (no TCSEC equivalent)
- EAL2 Structurally Tested (C1)
- EAL3 Methodically Tested & Checked (C2)
- EAL4 Methodically Designed, Tested & Reviewed (B1)
- EAL5 Semiformally Designed & Tested (B2)
- EAL6 Semiformally Verified Design & Tested (B3)
- EAL7 Formally Verified Design & Tested (A1)
*TCSEC: approximately equivalent TCSEC class
ITSEC, CC - Summary
- Used primarily for security evaluations and not for generalised IT audits
- Defines an evaluation methodology
- Based on International Standard (ISO 15408)
- Certification scheme in place
- Updated & enhanced on a yearly basis
- Includes extensible standard sets of security requirements (Protection Profile libraries)
- Allows determining the confidence level in planned or implemented security
- Evaluation results not shown in graphic form
- Not very user friendly - learning curve!
- Detailed documentation in electronic PDF format freely available on web server
Comparison of the methods (scores table; columns CobiT, BS7799, BSI, ITSEC/CC; criteria include Applicability and Adaptability in practice): 3.1 3.9 3.5 3.9 3.0 3.7 3.1 2.5 3.3 3.0 2.7 2.6 2.6 1.7 3.0 2.5 3.4 2.8 2.8 2.0
Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger
(Figures: CobiT - Assessment; BS 7799 - Assessment; BSI - Assessment; ITSEC/CC - Assessment)
Conclusion
- CobiT: Audit method for all IT processes
- ITSEC, CC: Systematic approach for evaluations
- BS7799, BSI: List of detailed security measures to be used as best practice documentation
- What is needed in addition: Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)