5.4 it security audit (mauritius)



  1. IT Security Audit of Information Systems
     M. Imran Ameerally, Project Manager, IT Security Unit, Ministry of Information and Communication Technology, 22 April 2010
  2. Agenda
     • About IT Security Unit
     • Types of Audits Conducted
     • Companies Division Audit
     • Audit Tasks
     • Audit Deliverables
     • Overview of Audit Findings
     • Benefits of the Audit
  3. About IT Security Unit (I)
     • Objectives
       • To implement Government policies with regards to IT Security
       • To assist Ministries/Departments in the implementation of security standards
       • To disseminate information on IT security
       • To carry out security audits
  4. About IT Security Unit (II)
     • Strategic Activity Areas for IT Security Unit:
       • ISO Information Security Standards
       • IT Security Audits of Government Systems
       • Security Awareness and Promotion
       • Develop Security Policies and Guidelines
       • Advisory Service to Ministries and Departments on IT Security
  5. Types of Audits Conducted (I)
     • ISO/IEC 27001 Internal audits
       • Part of the certification process
     • Information Security Assessments
       • Complete or Partial – to know the security posture of the organisation
     • In House Security Audits
     • Outsourced Security Audits
  6. Types of Audits Conducted (II)
     • In House Security Audits
       • Target: Ministries and Departments with IT Infrastructure of basic to medium complexity
       • Scope: Key components of the IT infrastructure
         • Servers and Network devices
         • Representative sample of PCs in use at the organisation
  7. Types of Audits Conducted (III)
     • In House Security Audits
       • Approach
         • Conducted by IT Security Unit staff
         • Use of an industry standard Vulnerability Assessment Toolset
       • Outcome
         • Report on vulnerabilities identified and recommendations
         • Recommendations implemented by Ministries/Departments
  8. Types of Audits Conducted (IV)
     • Outsourced Audits
       • Target: Highly complex and critical Information Systems of the Government
       • Audits undertaken by consultants following a tendering exercise
       • IT Security Unit manages the project
       • Post Audit Implementation Committee set up with various stakeholders to implement audit recommendations
  9. Companies Division Audit
     • Outsourced Audit conducted by external consultants in December 2008
     • Scope
       • Includes all components of the Information System: application software, middleware, database, operating system, hardware and network infrastructure
       • All interfaces to/from remote applications
  10. Audit Tasks (I)
     • Task 1
       • Identify vulnerabilities of the information system and rate them in terms of risk level (e.g. High, Medium and Low)
       • Perform checks regarding:
         • Adequacy of logical security controls to protect data from unauthorised access
         • Effectiveness of all interfaces with remote applications
  11. Audit Tasks (II)
         • Adequacy of input, processing, and output controls to ensure data integrity
         • Adequacy of physical access controls for the Information System
         • Determine areas that may be susceptible to fraud and assess the adequacy of related controls
         • Assess the availability and performance of the Information System and the mechanisms used for their monitoring
  12. Audit Tasks (III)
         • Assessment of all applicable domains/controls as listed in ISO/IEC 27001
     • Task 2
       • Propose measures to address each vulnerability identified, together with the implementation timeframe and related cost estimates, through a risk mitigation strategy
         • Technical or operational measures
  13. Audit Tasks (IV)
     • Task 3
       • Elaborate a Security Policy for the Information System which includes ISO/IEC 27001 controls
     • Task 4
       • Elaborate an IT Contingency Plan (ITCP) for the Information System
  14. Audit Tasks (V)
     • Task 5
       • Provide a transfer of knowledge gained from the IT Security Audit to selected staff
       • Allow technical IT staff to be fully acquainted with the tools used for the audit and the methodology applied
       • A standard small-scale sample application is used for hands-on usage of auditing tools and techniques, followed by analysis and interpretation of the results
  15. Audit Deliverables (I)
     • Audit deliverables to be submitted at the end of each phase of the Audit
     • Audit broken into 3 phases
       • Phase 1 – Planning the Audit
       • Phase 2 – Performing the Audit Work
       • Phase 3 – Reporting Audit Results
  16. Audit Deliverables (II)
     • Phase 1 – Planning the Audit
       • Inception Report which includes the following:
         • Agreed methodology to be used for assessing the risk areas and conducting the audit
         • Detailed workplan for conducting tasks 1 to 5
         • Approach to be used for providing the transfer of knowledge
  17. Audit Deliverables (III)
     • Phase 2 – Performing the Audit Work
       • Draft Audit report which includes the following:
         • Methodology used for assessing the risk areas and conducting the audit
         • Tests performed and tools/software that have been used during the exercise
         • Weaknesses found and areas of risk identified with clear indication of the severity
  18. Audit Deliverables (IV)
         • Time-bound corrective action proposed (short and long term) with procurement details (i.e. specifications and cost estimates) where applicable
         • Draft Security Policy for the Information System
         • Draft IT Contingency Plan for the Information System
       • Weekly status meetings to review findings
  19. Audit Deliverables (V)
     • Phase 3 – Reporting Audit Results
       • Final IT Security Audit report which contains all reportable issues (findings)
       • Report must be comprehensive and include the following information:
         • Executive Summary, detailing the significant issues (findings) and a high level corrective action plan
         • Scope of the IT Security Audit
         • Objectives
  20. Audit Deliverables (VI)
         • Methodology used for assessing the risk areas and conducting the audit
         • Tests performed and tools/software that have been used during the exercise
         • Audit results which address the audit objectives, including detailed information on weaknesses found and areas of risk identified with clear indication of the severity of the findings
  21. Audit Deliverables (VII)
         • Time-bound corrective action proposed (short and long term) with procurement details (i.e. specifications and cost estimates) where applicable, including recommendation of measures to strengthen the security of the Information System
         • Final Security Policy document for the Information System
         • Final IT Contingency Plan
  22. Overview of Audit Findings (I)
     • Findings broken into 3 categories
       • Application Security
       • Network and System Security
       • Physical Security

     Severity rating | Basis of giving severity rating                          | Recommended timeframe to fix
     High            | Privileged access or severely impacts system operation   | Immediate
     Medium          | Hacker may gain limited user or network level access     | Within 1 month
     Low             | Minimal possibility for hacker to gain access to resources | Within 6 months
  23. Overview of Audit Findings (II)
     • Some examples …
     • Application Security
       • Configuration of Application Server to be strengthened
       • Input validation to be implemented for all data input
       • Define user access roles
       • Do not allow simultaneous logins of the same user
  24. Overview of Audit Findings (III)
     • Network and System Security
       • Use of strong passwords
       • Hardening of Operating System
       • Use of a legal banner
       • Enable auditing on systems
     • Physical Security
       • Strengthen entry controls in high security areas
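As an added example (not from the presentation or the IT Security Unit), a small Python tracker that applies the severity rating scheme above to a corrective action plan: each finding's deadline is derived from the audit date and the recommended timeframe for its severity, and a status review flags findings that are past their timeframe. The findings, reference numbers, the audit day, and the day counts used for "Immediate" and "Within 6 months" are assumptions made for the example.

```python
# Corrective action plan tracker using the deck's severity/timeframe scheme.
# Findings, reference numbers and dates below are constructed sample data.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Recommended timeframe to fix, per severity, from the findings slide.
# "Immediate" as 0 days and "6 months" as 182 days are assumptions made here.
FIX_TIMEFRAME = {"High": timedelta(0), "Medium": timedelta(days=30), "Low": timedelta(days=182)}

@dataclass
class Finding:
    ref: str
    category: str       # Application / Network and System / Physical Security
    severity: str       # High, Medium or Low
    description: str
    closed_on: Optional[date] = None

def due_date(finding: Finding, audit_date: date) -> date:
    """Deadline for the corrective action, counted from the audit date."""
    if finding.severity not in FIX_TIMEFRAME:
        raise ValueError(f"{finding.ref}: unknown severity {finding.severity!r}")
    return audit_date + FIX_TIMEFRAME[finding.severity]

def action_plan(findings: List[Finding], audit_date: date, review_date: date) -> List[dict]:
    """Status of every finding as of a status meeting, most urgent first."""
    rows = []
    for f in findings:
        due = due_date(f, audit_date)
        if f.closed_on is not None:
            status = "closed"
        elif review_date > due:
            status = "overdue"
        else:
            status = "open"
        rows.append({"ref": f.ref, "category": f.category, "severity": f.severity,
                     "due": due, "status": status})
    rows.sort(key=lambda r: (FIX_TIMEFRAME[r["severity"]], r["due"]))
    return rows

def overdue_refs(plan: List[dict]) -> List[str]:
    return [r["ref"] for r in plan if r["status"] == "overdue"]

# Constructed sample findings, worded after the examples on the slides.
SAMPLE = [
    Finding("CD-01", "Application Security", "High", "Input validation for all data input"),
    Finding("CD-02", "Network and System Security", "Medium", "Hardening of Operating System"),
    Finding("CD-03", "Physical Security", "Medium", "Strengthen entry controls", date(2009, 1, 10)),
    Finding("CD-04", "Network and System Security", "Low", "Use of a legal banner"),
]
AUDIT_DATE = date(2008, 12, 15)   # assumed day within the December 2008 audit
```

Running `action_plan(SAMPLE, AUDIT_DATE, review_date)` for a status meeting on 1 February 2009 reports the High and the open Medium finding as overdue, the closed Medium finding as closed, and the Low finding as still open until mid-June.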
  25. Benefits of the Audit (I)
     • Health check of the Information System from a security perspective:
       • Physical, Network and Application levels
     • Security policy endorsed by top management of CD (Companies Division) that provides a framework for implementing security procedures and guidelines
  26. Benefits of the Audit (II)
     • Availability of an IT Contingency Plan that should be followed in case of IT failure/disruption
       • Documented procedures
     • Physical Security strengthened and physical access control implemented
  27. Benefits of the Audit (III)
     • Post Audit Implementation Committee
       • Corrective Action Plan elaborated
       • Cross-functional team of different stakeholders set up to monitor, review, maintain and continuously improve the information system
       • Several working sessions held where implementation of audit recommendations is closely monitored
  28. Benefits of the Audit (IV)
     • Ultimately
       • Enhanced security posture of the Information System
       • Information System is less vulnerable
       • A process is in place to identify vulnerabilities, reduce threats, manage risks and act in case the Information System is impacted
  29. Thank you
