IT AUDIT METHODOLOGIES
IT Audit Methodologies
• CobiT
• BS 7799 - Code of Practice (CoP)
• BSI - IT Baseline Protection Manual
• ITSEC
• Common Criteria (CC)
Main Areas of Use
• IT Audits
• Risk Analysis
• Health Checks (Security Benchmarking)
• Security Concepts
• Security Manuals / Handbooks
Security Definition
• Confidentiality
• Integrity
  – Correctness
  – Completeness
• Availability
CobiT
• Governance, Control & Audit for IT
• Developed by ISACA
• Releases
  – CobiT 1: 1996
    • 32 Processes
    • 271 Control Objectives
  – CobiT 2: 1998
    • 34 Processes
    • 302 Control Objectives
CobiT - Model for IT Governance
• 36 Control models used as basis:
  – Business control models (e.g. COSO)
  – IT control models (e.g. DTI's CoP)
• CobiT control model covers:
  – Security (Confidentiality, Integrity, Availability)
  – Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
  – IT Resources (Data, Application Systems, Technology, Facilities, People)
CobiT - Framework (figure)
CobiT - Structure
• 4 Domains
  – PO - Planning & Organisation
    • 11 processes (high-level control objectives)
  – AI - Acquisition & Implementation
    • 6 processes (high-level control objectives)
  – DS - Delivery & Support
    • 13 processes (high-level control objectives)
  – M - Monitoring
    • 4 processes (high-level control objectives)
PO - Planning and Organisation
• PO 1 Define a Strategic IT Plan
• PO 2 Define the Information Architecture
• PO 3 Determine the Technological Direction
• PO 4 Define the IT Organisation and Relationships
• PO 5 Manage the IT Investment
• PO 6 Communicate Management Aims and Direction
• PO 7 Manage Human Resources
• PO 8 Ensure Compliance with External Requirements
• PO 9 Assess Risks
• PO 10 Manage Projects
• PO 11 Manage Quality
AI - Acquisition and Implementation
• AI 1 Identify Solutions
• AI 2 Acquire and Maintain Application Software
• AI 3 Acquire and Maintain Technology Architecture
• AI 4 Develop and Maintain IT Procedures
• AI 5 Install and Accredit Systems
• AI 6 Manage Changes
DS - Delivery and Support
• DS 1 Define Service Levels
• DS 2 Manage Third-Party Services
• DS 3 Manage Performance and Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure Systems Security
• DS 6 Identify and Attribute Costs
• DS 7 Educate and Train Users
• DS 8 Assist and Advise IT Customers
• DS 9 Manage the Configuration
• DS 10 Manage Problems and Incidents
• DS 11 Manage Data
• DS 12 Manage Facilities
• DS 13 Manage Operations
M - Monitoring
• M 1 Monitor the Processes
• M 2 Assess Internal Control Adequacy
• M 3 Obtain Independent Assurance
• M 4 Provide for Independent Audit
CobiT - IT Process Matrix
• Information Criteria
  – Effectiveness
  – Efficiency
  – Confidentiality
  – Integrity
  – Availability
  – Compliance
  – Reliability
• IT Resources
  – People
  – Applications
  – Technology
  – Facilities
  – Data
CobiT - Summary
• Mainly used for IT audits, incl. security aspects
• No detailed evaluation methodology described
• Developed by international organisation (ISACA)
• Up-to-date: Version 2 released in 1998
• Only high-level control objectives described
• Detailed IT control measures are not documented
• Not very user friendly - learning curve!
• Evaluation results not shown in graphic form
BS 7799 - Security Baseline Controls
• 10 control categories
• 32 control groups
• 109 security controls
• 10 security key controls
BS 7799 - Control Categories
• Information security policy
• Security organisation
• Assets classification & control
• Personnel security
• Physical & environmental security
• Computer & network management
• System access control
• Systems development & maintenance
• Business continuity planning
• Compliance
BS7799 - 10 Key Controls
• Information security policy document
• Allocation of information security responsibilities
• Information security education and training
• Reporting of security incidents
• Virus controls
• Business continuity planning process
• Control of proprietary software copying
• Safeguarding of organizational records
• Data protection
• Compliance with security policy
BS7799 - Summary
• Main use: Security Concepts & Health Checks
• No evaluation methodology described
• British Standard, developed by UK DTI
• Certification scheme in place (c:cure)
• BS7799, Part 1, 1995 is being revised in 1999
• Lists 109 ready-to-use security controls
• No detailed security measures described
• Very user friendly - easy to learn
BSI - Structure
• IT security measures
  – 7 areas
  – 34 modules (building blocks)
• Safeguards catalogue
  – 6 categories of security measures
• Threats catalogue
  – 5 categories of threats
BSI - Security Measures (Modules)
• Protection for generic components
• Infrastructure
• Non-networked systems
• LANs
• Data transfer systems
• Telecommunications
• Other IT components
BSI - Generic Components
• 3.1 Organisation
• 3.2 Personnel
• 3.3 Contingency Planning
• 3.4 Data Protection
BSI - Infrastructure
• 4.1 Buildings
• 4.2 Cabling
• 4.3 Rooms
  – 4.3.1 Office
  – 4.3.2 Server Room
  – 4.3.3 Storage Media Archives
  – 4.3.4 Technical Infrastructure Room
• 4.4 Protective cabinets
• 4.5 Home working place
BSI - Non-Networked Systems
• 5.1 DOS PC (Single User)
• 5.2 UNIX System
• 5.3 Laptop
• 5.4 DOS PC (multiuser)
• 5.5 Non-networked Windows NT computer
• 5.6 PC with Windows 95
• 5.99 Stand-alone IT systems
BSI - LANs
• 6.1 Server-Based Network
• 6.2 Networked Unix Systems
• 6.3 Peer-to-Peer Network
• 6.4 Windows NT network
• 6.5 Novell Netware 3.x
• 6.6 Novell Netware version 4.x
• 6.7 Heterogeneous networks
BSI - Data Transfer Systems
• 7.1 Data Carrier Exchange
• 7.2 Modem
• 7.3 Firewall
• 7.4 E-mail
BSI - Telecommunications
• 8.1 Telecommunication system
• 8.2 Fax Machine
• 8.3 Telephone Answering Machine
• 8.4 LAN integration of an IT system via ISDN
BSI - Other IT Components
• 9.1 Standard Software
• 9.2 Databases
• 9.3 Telecommuting
BSI - Module "Data Protection" (3.4)
• Threats - Technical failure:
  – T 4.13 Loss of stored data
• Security Measures - Contingency planning:
  – S 6.36 Stipulating a minimum data protection concept
  – S 6.37 Documenting data protection procedures
  – S 6.33 Development of a data protection concept (optional)
  – S 6.34 Determining the factors influencing data protection (optional)
  – S 6.35 Stipulating data protection procedures (optional)
  – S 6.41 Training data reconstruction
• Security Measures - Organisation:
  – S 2.41 Employees' commitment to data protection
  – S 2.137 Procurement of a suitable data backup system
BSI - Safeguards (420 safeguards)
• S1 - Infrastructure (45 safeguards)
• S2 - Organisation (153 safeguards)
• S3 - Personnel (22 safeguards)
• S4 - Hardware & Software (83 safeguards)
• S5 - Communications (62 safeguards)
• S6 - Contingency Planning (55 safeguards)
BSI - S1-Infrastructure (45 safeguards)
• S 1.7 Hand-held fire extinguishers
• S 1.10 Use of safety doors
• S 1.17 Entrance control service
• S 1.18 Intruder and fire detection devices
• S 1.27 Air conditioning
• S 1.28 Local uninterruptible power supply [UPS]
• S 1.36 Safekeeping of data carriers before and after dispatch
BSI - Security Threats (209 threats)
• T1 - Force Majeure (10 threats)
• T2 - Organisational Shortcomings (58 threats)
• T3 - Human Errors (31 threats)
• T4 - Technical Failure (32 threats)
• T5 - Deliberate acts (78 threats)
BSI - T3-Human Errors (31 threats)
• T 3.1 Loss of data confidentiality/integrity as a result of IT user error
• T 3.3 Non-compliance with IT security measures
• T 3.6 Threat posed by cleaning staff or outside staff
• T 3.9 Incorrect management of the IT system
• T 3.12 Loss of storage media during transfer
• T 3.16 Incorrect administration of site and data access rights
• T 3.24 Inadvertent manipulation of data
• T 3.25 Negligent deletion of objects
BSI - Summary
• Main use: Security concepts & manuals
• No evaluation methodology described
• Developed by German BSI (GISA)
• Updated version released each year
• Lists 209 threats & 420 security measures
• 34 modules cover generic & platform specific security requirements
• User friendly with a lot of security details
• Not suitable for security risk analysis
• Results of security coverage not shown in graphic form
• Manual in HTML format on BSI web server
• Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
• Paper copy of manual: DM 118.--
• Software 'BSI Tool' (only in German): DM 515.--
ITSEC, Common Criteria
• ITSEC: IT Security Evaluation Criteria
• Developed by UK, Germany, France, Netherlands and based primarily on USA TCSEC (Orange Book)
• Releases
  – ITSEC: 1991
  – ITSEM: 1993 (IT Security Evaluation Manual)
  – UK IT Security Evaluation & Certification scheme: 1994
• Common Criteria (CC)
• Developed by USA, EC: based on ITSEC
• ISO International Standard
• Releases
  – CC 1.0: 1996
  – CC 2.0: 1998
  – ISO IS 15408: 1999
ITSEC - Methodology
• Based on systematic, documented approach for security evaluations of systems & products
• Open ended with regard to defined set of security objectives
  – ITSEC Functionality classes; e.g. FC-C2
  – CC protection profiles
• Evaluation steps:
  – Definition of functionality
  – Assurance: confidence in functionality
ITSEC - Functionality
• Security objectives (Why)
  – Risk analysis (Threats, Countermeasures)
  – Security policy
• Security enforcing functions (What)
  – technical & non-technical
• Security mechanisms (How)
• Evaluation levels
ITSEC - Assurance
• Goal: Confidence in functions & mechanisms
• Correctness
  – Construction (development process & environment)
  – Operation (process & environment)
• Effectiveness
  – Suitability analysis
  – Strength of mechanism analysis
  – Vulnerabilities (construction & operation)
CC - Security Concept (figure)
CC - Evaluation Goal (figure)
CC - Documentation
• CC Part 1: Introduction and Model
  – Introduction to Approach
  – Terms and Model
  – Requirements for Protection Profiles (PP) and Security Targets (ST)
• CC Part 2: Functional Requirements
  – Functional Classes
  – Functional Families
  – Functional Components
  – Detailed Requirements
• CC Part 3: Assurance Requirements
  – Assurance Classes
  – Assurance Families
  – Assurance Components
  – Detailed Requirements
  – Evaluation Assurance Levels (EAL)
CC - Security Requirements
• Functional Requirements - for defining security behavior of the IT product or system:
  – implemented requirements become security functions
• Assurance Requirements - for establishing confidence in Security Functions:
  – correctness of implementation
  – effectiveness in satisfying objectives
CC - Security Functional Classes
Class   Name
FAU     Audit
FCO     Communications
FCS     Cryptographic Support
FDP     User Data Protection
FIA     Identification & Authentication
FMT     Security Management
FPR     Privacy
FPT     Protection of TOE Security Functions
FRU     Resource Utilization
FTA     TOE (Target Of Evaluation) Access
FTP     Trusted Path / Channels
CC - Security Assurance Classes
Class   Name
ACM     Configuration Management
ADO     Delivery & Operation
ADV     Development
AGD     Guidance Documents
ALC     Life Cycle Support
ATE     Tests
AVA     Vulnerability Assessment
APE     Protection Profile Evaluation
ASE     Security Target Evaluation
AMA     Maintenance of Assurance
CC - Eval. Assurance Levels (EALs)
EAL    Name                                       TCSEC*
EAL1   Functionally Tested                        -
EAL2   Structurally Tested                        C1
EAL3   Methodically Tested & Checked              C2
EAL4   Methodically Designed, Tested & Reviewed   B1
EAL5   Semiformally Designed & Tested             B2
EAL6   Semiformally Verified Design & Tested      B3
EAL7   Formally Verified Design & Tested          A1
*TCSEC = "Trusted Computer Security Evaluation Criteria" - "Orange Book"
ITSEC, CC - Summary
• Used primarily for security evaluations and not for generalized IT audits
• Defines evaluation methodology
• Based on International Standard (ISO 15408)
• Certification scheme in place
• Updated & enhanced on a yearly basis
• Includes extensible standard sets of security requirements (Protection Profile libraries)
Comparison of Methods - Criteria
• Standardisation
• Independence
• Certifiability
• Applicability in practice
• Adaptability
• Extent of Scope
• Presentation of Results
• Efficiency
• Update frequency
• Ease of Use
Comparison of Methods - Results
Criterion                   CobiT   BS 7799   BSI   ITSEC/CC
Standardisation              3.4      3.3     3.1     3.9
Independence                 3.3      3.6     3.5     3.9
Certifiability               2.7      3.3     3.0     3.7
Applicability in practice    2.8      3.0     3.1     2.5
Adaptability                 3.3      2.8     3.3     3.0
Extent of Scope              3.1      2.9     2.7     2.6
Presentation of Results      1.9      2.2     2.6     1.7
Efficiency                   3.0      2.8     3.0     2.5
Update frequency             3.1      2.4     3.4     2.8
Ease of Use                  2.3      2.7     2.8     2.0
Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger
CobiT - Assessment (figure)
BS 7799 - Assessment (figure)
BSI - Assessment (figure)
ITSEC/CC - Assessment (figure)
Use of Methods for IT Audits
• CobiT: Audit method for all IT processes• ITSEC, CC: Systematic approach for evaluations• BS7799, BSI: List of detailed security measures to
be used as best practice documentation• Detailed audit plans, checklists, tools for technical
audits (operating systems, LANs, etc.)• What is needed in addition:
– Audit concept (general aspects, infrastructure audits, application audits)