008.itsecurity bcp v1
Uploaded by mohammad-ashfaqur-rahman (category: Engineering)
Page 1
Information System Audit
Presented by
Mohammad Ashfaqur Rahman, Compliance Professional
www.linkedin.com/in/ashfaqsaphal

Page 2
Objective
● Concept of IS / IT Audit
● Term and Standard
● IT audit process
● IT Security Audit

Page 3
IT Audit
● An information technology audit, or information systems audit, is an examination of the management controls within an information technology (IT) infrastructure.
– Measures the CIA (confidentiality, integrity and availability)
– A systematic, measurable technical assessment of the security policy
Audit: a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively in order to establish the extent to which the audit criteria are met.
– ISO 19011

Page 4
IT Audit
● Audit Types (Generic)
– Internal audits (1st party): sponsored by the organization itself with the aim of improving the ISMS.
– External audits (2nd party): audits carried out by an organisation on its suppliers (partners, vendors), using either internal personnel or an external entity entrusted with doing it.
– Certification audits (3rd party): carried out by a body independent from the organization, with the aim of issuing a certificate of conformity with the requirements taken as audit criteria (ISO 27001).

Page 5
IT Audit Standard
1. Audit charter
2. Independence
3. Ethics and Standards
4. Competence
5. Planning
6. Performance of audit work
7. Reporting
8. Follow-up activities
9. Irregularities and illegal acts
10. IT governance
11. Use of risk assessment in audit planning

Page 6
IT Audit Standard
● Audit charter
– Purpose, responsibility, authority and accountability
– Approval
● Independence
– Professional independence
– Organizational independence
● Professional Ethics and Standards
– Code of Professional Ethics
– Due professional care

Page 7
IT Audit Standard
● Competence
– Skills and knowledge
– Continuing professional education
● Planning
– Plan IS audit coverage
– Develop and document a risk-based audit approach
– Develop and document an audit plan
– Develop an audit program and procedures

Page 8
IT Audit Standard
● Performance of audit work
– Supervision
– Evidence
– Documentation

Page 9
IT Audit Standard
● Reporting
– Identify the organization, intended recipients and any restrictions
– State the scope, objectives, coverage and nature of audit work performed
– State the findings, conclusions, recommendations and limitations
– Justify the results reported
– Be signed, dated and distributed according to the audit charter

Page 10
IT Audit Standard
● Follow-up Activities
– Review previous conclusions and recommendations
– Review previous relevant findings
– Determine whether appropriate actions have been taken by management in a timely manner

Page 11
IT Audit Standard
● Irregularities and Illegal Acts
– Consider the risk of irregularities and illegal acts
– Maintain an attitude of professional skepticism
– Obtain an understanding of the organization and its environment
– Consider unusual or unexpected relationships
– Test the appropriateness of internal control
– Assess any misstatement

Page 12
IT Audit Standard
● Irregularities and Illegal Acts (Cont.)
– Obtain written representations from management
– Have knowledge of any allegations of irregularities or illegal acts
– Communicate material irregularities/illegal acts
– Consider appropriate action in case of inability to continue performing the audit
– Document irregularity/illegal act related communications, planning, results, evaluations and conclusions

Page 13
IT Audit Standard
● IT Governance
– Review and assess the IS function’s alignment with the organization’s mission, vision, values, objectives and strategies.
– Review the IS function’s performance statement and assess its achievement.
– Review and assess the effectiveness of IS resource and performance management processes.

Page 14
IT Audit Framework
● Standards
– Must be followed by IS auditors
● Guidelines
– Provide assistance on how to implement the standards
● Procedures
– Provide examples for implementing the standards

Page 15
IT Audit
● IS auditor’s perspectives
– Security (confidentiality, integrity and availability)
– Quality (effectiveness, efficiency)
– Fiduciary (compliance, reliability)
– Service and Capacity

Page 16
IT Audit Process
● Audit planning
● Stage 1 audit
● Stage 2 audit

Page 17
IT Audit Process
● Audit planning
– Define audit objectives
– Define audit scope
– Select audit criteria
– Select sampling method
– Select audit team
– Define observers and guides (if necessary)
– Define resources needed

Page 18
IT Audit Process
● Stage 1 Audit
– Initiation of audit
– Auditee’s application (self-assessment document)
– Document review
– Planning work documents (forms, procedures, etc.)
– Organisation’s units and processes to be audited
– Estimation of time
– Work schedule

Page 19
IT Audit Process
● Another Approach
– Planning
– Studying and Evaluating Controls
  • Fieldwork and documentation
– Issue discovery and issue validation
– Solution development
– Testing and Evaluating Controls
– Report drafting and issuance
– Follow up

Page 20
Example IT Infrastructure Security Audit
● Auditing entity level controls
● Auditing Data Centers
● Auditing Network Equipment
● Operating System Audit
● Audit Web Server and Application
● Auditing Databases
● Auditing Storage

Page 21
Audit Me