IT Audit Expectations (High Detail)



Framework for IT Auditing of Information and Information Systems in Higher Education


1. The IT Auditing Process (Everything you don't want to know about the impending IT audit and are afraid to ask)
   Office of Internal Audit (OIA), Board of Regents of the University System of Georgia, June 8, 2009
   Erwin (Chris) L. Carrow, IT Auditor, CISSP, INFOSEC, CSSP, CCNP, OCM, plus a bunch of others (Who Cares?)

2. Schedule of Events
   1. Introduction - Quick Hello
   2. Orientation - Where are we at? Where do we want to go?
   3. Slide Presentation
      - Parts I, II, III - OIA Background; Audit Process, Plan, and Expectations; and the On-site Audit (1 hour and break)
      - Part IV - Example of "How to Prepare" with COBIT 4.1 (1 hour and break for lunch)
      - Part V - High Level Simple Application of Identity Management, Access Control, and Security Management
   4. Regroup Discussion - What do you want to focus on?
   5. Lock into the Particulars and "Do It"

3. Agenda and Overview
   - Part I - OIA Background
     - Mission and Charter
     - Audit Staff Background & Organizational Structure
     - Audit Selection Process: Risk Assessment, Planning Process, Methodology, Scope of Application, Standards of Application
     - Types of Audit and Role of Auditors: Federal, State, Campus, & BOR Audits
   - Part II - Audit Process, Plan, and Expectations
     - The Process: Notification to Final Report
     - The Audit Finding & Follow-Up Process
     - Expectations
   - Part III - The On-site Audit
     - Audit Objectives
     - Audit Plan
     - Audit Schedule
   - Part IV - Example of "How to Prepare" with COBIT 4.1
   - Part V - High Level Simple Example

4. What IT Auditors Are Not! (Despite the Similar Resemblance)
   - We have families and like being able to spend time with them
   - We enjoy our jobs
   - We are relational
   - We can speak in other than audit, tech, and business terminology
   - We have no problems sleeping at night
5. Part I - OIA Background (The Untold Story)

6. Why We Audit - Mission & Charter
   "Internal auditing is an independent appraisal activity authorized by the Board of Regents to examine, evaluate, and advise components of the University System of Georgia. The objectives of internal auditing are to assist members of the Board, the Chancellor, and institution management in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed and by promoting efficient operations and effective controls."
   - Internal Audit Charter approved by the Board of Regents
   (Underline added on the original slide; the underlined terms are examine, evaluate, advise, analyses, appraisals, recommendations, counsel, information, efficient operations, and effective controls.)

7. Staff Background & Organizational Structure

8. Audit Selection Process - Risk Assessment & Planning Process (The "Why Us?" Syndrome)
   - OIA's Annual Risk Assessment
     - Survey USG and System Office leadership
     - Survey members of the BOR
     - Incorporate financial data, management turnover, fraud, state audit reports, and additional criteria
     - USG institutions ranked by risk score
   - Annual Audit Plan
     - Designed to ensure coverage of institutions with high risk
     - Also designed to ensure OIA coverage at all USG institutions at least once every 3-4 years
     - Specifies the institution and the broad categories in which to audit
     - May also incorporate consulting engagements and other special projects

9. Audit Plan - We Ask the Question: What High/Critical Risks Exist?
   Determine how the categories of risk may or may not apply:
   - Strategic: affects the entity's ability to achieve goals and objectives
   - Compliance: affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
   - Reputational: affects reputation, public perception, political issues, etc.
   - Financial: affects loss of assets, technology, etc.
   - Operational: affects ongoing management processes and procedures

10. Audit Plan - The Focus on Risk: The High/Critical Risks that Exist

11. Audit Methodology & Plan
   - Provides a roadmap to the auditor on which areas to focus audit steps (assessing controls):
     - Preventive: controls to stop the problem from occurring
     - Detective: controls to find the problem
     - Corrective: controls to repair the problem after detection
     - Administrative: policies, standards, guidelines, & procedures
     - Technical: controls using hardware or software for processing & analysis
     - Physical: controls to implement barriers or deterrents
   - Based upon industry certification standards & requirements
12. Methodology & Scope of Audit
   - Standards for the Methodology
     - Institute of Internal Auditors (IIA)
     - Information Systems Audit and Control Association (ISACA)
   - Scope of Application: Area of Emphasis (Entity or Process)
     - Usually focused on institution-wide processes, e.g., data classification, IT services, NOC, incident response / emergency planning, strategic planning, change management, etc.
     - Will incorporate recommended focus areas from institutional leadership
     - Scope can change during the course of an audit if warranted

13. Standards of Application
   - Industry Standards
     - COBIT 4.1 (Control Objectives for Information and related Technology)
     - NIST (National Institute of Standards and Technology)
     - ISO/IEC 17799 (since renumbered 27002) and ISO/IEC 27001 (International Organization for Standardization)
     - ITIL (Information Technology Infrastructure Library)
   - Compliance and Regulatory Requirements (FISMA, FERPA, HIPAA, PCI, SOX, SCADA, etc.)
   - Board of Regents Standards
     - OIIT Security Guidelines
     - Business Process Manual
   - Institutions' Local Policies and Procedures

14. Evaluation Criteria - CMMI
   - Maturity model for internal controls, derived from the Capability Maturity Model (CMM / CMMI; ISO/IEC 15504 is a related variant)
     - Identifies WHERE you are in the application of IT risk mitigation controls and HOW to get to the next level
     - Levels of Application
       - Level 0: No recognizable process, though one is needed
       - Level 1: Process is ad hoc and performed by key individuals
       - Level 2: Process is repeatable, but not controlled
       - Level 3: Process is defined & documented and periodically evaluated
       - Level 4: Managed & measurable; effective internal controls with risk management
       - Level 5: Optimized enterprise-wide risk and control program

15. Areas Commonly Reviewed & Priority of Emphasis
   - Information Technology Department (High)
   - Administrative Units (Medium)
   - Auxiliaries (Low)
   - Academic Units (Limited)

16. Types of Audits - Federal, State, Campus, and Board of Regents
   - Federal Auditors
     - Rely on the work of state auditors
     - May focus on federal compliance (FISMA, FERPA, HIPAA, etc.), financial aid, and federal grants management
   - State Auditors - Financial and Performance
     - Financial / operational auditors - external auditors validating internal controls and the AFR
     - Performance auditors - external auditors focused on a specific system-wide process or policy issue
   - Campus Auditors
     - Varies by campus
     - Generally focused on departmental reviews
     - Report to the institution President and the USO Chief Audit Officer
   - Board of Regents Auditors
     - Shoot the gaps that other agencies do not address and engage with specific BOR or legislative concerns
17. Policing the Process and Safeguarding What's Important - Purchase the Family Trunk Monkey!

18. Part II - Audit Process & Evaluation (What You Can Expect)

19. The Process We Follow - From Notification to Final Report
   - 1st Phase: Pre-Campus Work
     - Notification Letter - sent to the President upon annual audit plan approval
     - Engagement Letter - sent to the President approx. 30 days prior to the start of the audit
     - Data Collection - initial interviews, data requests, and network scans may take place prior to arrival on campus; the more we get ahead of time, the less time we have to spend on site
   - 2nd Phase: On-Campus Fieldwork
     - Initiated with the Entrance Conference ("Line in the Sand")
     - Scope of work may expand or contract
     - Campus POC kept informed of audit progress and issues
     - Wrap-up meeting conducted at the close of work, summarizing initial results
   - 3rd Phase: Post-Campus Work
     - Draft Report prepared and sent as a discussion document
     - Exit Conference held either in person or via phone
     - Official Draft Report sent, requiring a response from the institution
     - Institution's response incorporated in the report
     - Report published and distributed

20. Summary of Audit Flow Timeframes (flow diagram on the original slide; the placement of the intervals between steps is reconstructed from the diagram's layout)
   - Audit letter with data request sent; preliminary assessment
   - 30 days
   - Entrance meeting & audit fieldwork (2 to 6 weeks)
   - Draft report sent
   - 30 days
   - Draft with responses returned
   - Exit conference with President
   - 3 to 5 weeks
   - Final report with responses issued
   - Action items reviewed quarterly

21. Auditing by the Numbers (Fear Factor)?

22. Audit: Application of Standards
   - Standards & Identification
     - Gather information / evidence
     - Assess control weaknesses
     - Calculate the level of criteria applied (CMMI maturity level)
   - Analysis to determine if compliant with standards
   - Document variances or exceptions (findings)
   - Report per charter requirements (audit rating)

23. Snapshot of Documentation Format
   - General Area of Impact or Effect, e.g., network infrastructure
   - Finding: identification of the problem and solution (typically a combination of exceptions weighted per threat or impact, e.g., the threat is likely, vulnerabilities exist, therefore loss can be expected if corrective action is not taken)
     - Observation / Condition: identify the context & weakness or lack of control
       - Managerial Overview - short, high-level summary of issues for upper management
       - Technical Details - long, particularized explanation of the key issues
     - Criteria: what right looks like
     - Cause: the reason why something is not right
     - Risk / Effect: problems because of the weakness or lack of control
     - Recommendation: what is required to correct the weakness or lack of control
       - Minimums (non-negotiable)
       - Ideal (optional and subject to capability or constraints)
     - Management's Documented Response

24. Sample Audit Finding - Executive Summary
   Network Design, Security Architecture, ...
   A review was made of the design and implementation of the Audited Entity's network. This review focused on the design of the network, the infrastructure used to support the network, and the ability of the network to support critical operations and recover from failures. The security of the network services and support infrastructure was also assessed. The following observations were noted:
   Report Item #1: Significant (rating of the exception)
   Insecure protocols and access procedures were being used to configure, manage, and monitor network infrastructure resources. The use of insecure protocols could allow a potential attacker to create a network failure or take over network resources. (Problem Statement)
25. Sample Audit Finding - Observations, High Level
   Report Item #1.
   Ensure secure connections and protocols are being used for operational configuration and management of remote services and resources. (Solution Statement)
   Observation: (when doing the audit, these are the things we found)
   Managerial Overview
   The procedures and protocols used to configure and manage the Audited Entity's resources were not using a secure process or protocols. Lack of a secure method of controlling critical resources could provide an opportunity for malicious intent. Hostile attackers could damage or take over improperly configured or managed network resources.

26. Sample Audit Finding - Observations, Low Level
   Technical Details
   It was identified that ... was the main method used to help mitigate risk. While this implementation would limit possible ... to the remotely administered devices, it does not mitigate or circumvent "zero day" application-layer threats / vulnerabilities, ..., or trusted internal disgruntled users. More significant security precautions need to be given consideration and are addressed in the following observations.
   Session connectivity to remotely manage or configure a device should be established through a secure means. The Cisco Internetwork Operating System (IOS) on several of the routers should have been updated to accommodate Secure Shell (SSH) or Virtual Private Networking (VPN) for secure communication for configuration and management requirements ...
   Both Telnet and the Simple Network Management Protocol (SNMP versions 1 & 2c) were implemented for systems and applications that monitor and manage remote network infrastructure devices. Telnet is a clear-text transmission through a terminal command line and should not be used for configuration and management access. ...

27. Sample Audit Finding - Criteria, Cause, Risk/Effect
   Criteria:
   The exchange of sensitive system configuration and management information should be by means of a trusted path or medium, with controls to provide authenticity of content, proof of submission, proof of receipt, and non-repudiation of origin.
   Cause:
   Lack of secure exchange of information due to the limitations of older systems or software that was used to support and manage the network infrastructure. Inappropriate procedures were being practiced for remotely accessing the network's critical services and resources.
   Risk/Effect:
   - Lack of a trusted means of communication for configuration and management of the network infrastructure
   - Sensitive information exposed, or violation of system integrity by unauthorized parties
   - Unauthorized access to or manipulation of key systems or resources

28. Sample Audit Finding - Recommendation / Response
   Recommendation:
   We recommend the following changes for configuration, management, and monitoring of the Audited Entity's network infrastructure resources.
   - Discontinue Telnet protocol use for connections to remote resources unless .... A Secure Shell (SSH) or Virtual Private Network (VPN) connection should be used for all operational requirements.
   - Simple Network Management Protocol (SNMP) versions 1 and 2c should be discontinued and version 3 utilized for all network management needs. For software applications that are dependent upon ....
   Management Response:
   The identified recommendations will be implemented by ..., who should complete the work not later than ....
   Evaluation of Response:
   Response was satisfactory
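The Telnet / SNMP finding above is the kind of exception an auditor confirms from the device's running configuration rather than from interviews. The script below is an added example, not part of the original presentation or of OIA's audit programs: it parses a Cisco IOS-style running-config (the two configs embedded in it are constructed samples, one matching the finding and one matching the recommendation), flags management-plane settings that correspond to the finding (Telnet permitted on vty lines, SNMP v1/v2c community strings, SSH version 2 not enforced, SNMPv3 groups without privacy) and rates each one on the deck's Insignificant / Notable / Significant / Major scale. The rating thresholds and the exact command keywords it looks for are assumptions of the example.

```python
"""Check an IOS-style running-config for the insecure management protocols
named in the sample finding (Telnet, SNMP v1/v2c).

Added example; not code from the original presentation. The configs below
are constructed samples and the keyword checks are assumptions about how the
relevant IOS commands appear in a running-config.
"""
import re

# Rating scale from the slide deck, lowest to highest impact.
RATING_ORDER = ["Insignificant", "Notable", "Significant", "Major"]

# Constructed sample: the state the finding describes (Telnet + SNMP v1/v2c).
INSECURE_CONFIG = """\
hostname core-rtr-1
!
snmp-server community public RO
snmp-server community netadmin RW
!
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the recommended state (SSH v2 only, SNMPv3 authPriv).
HARDENED_CONFIG = """\
hostname core-rtr-1
!
ip ssh version 2
snmp-server group NETMON v3 priv
snmp-server user nms-poller NETMON v3 auth sha AuthPass123 priv aes 128 PrivPass123
!
line vty 0 4
 transport input ssh
 login local
"""

VTY_RE = re.compile(r"^line vty \d+( \d+)?$")


def _blocks(config):
    """Group an IOS-style config into (top-level command, [indented sub-commands])."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # blank lines and '!' separators carry no configuration
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_management_config(config):
    """Return [(rating, description)] for each management-plane exception found."""
    findings = []
    ssh_v2 = False
    for cmd, sub in _blocks(config):
        if VTY_RE.match(cmd):
            transports = [s for s in sub if s.startswith("transport input")]
            if not transports:
                findings.append(("Notable", f"{cmd}: no explicit 'transport input'; Telnet is not excluded"))
            for t in transports:
                if "telnet" in t.split() or t.endswith(" all"):
                    findings.append(("Significant", f"{cmd}: '{t}' permits clear-text Telnet management"))
        elif cmd.startswith("snmp-server community"):
            parts = cmd.split()
            community = parts[2]
            mode = "RW" if "RW" in parts[3:] else "RO"
            if community.lower() in ("public", "private"):
                rating = "Major"  # well-known default string, trivially guessed
            else:
                rating = "Significant" if mode == "RW" else "Notable"
            findings.append((rating, f"SNMP v1/v2c community '{community}' ({mode}) sends the string in clear text"))
        elif cmd.startswith("snmp-server group") and " v3 " in cmd:
            if " v3 priv" not in cmd:
                findings.append(("Notable", f"'{cmd}': SNMPv3 group without 'priv'; management traffic is not encrypted"))
        elif cmd == "ip ssh version 2":
            ssh_v2 = True
    if not ssh_v2:
        findings.append(("Significant", "'ip ssh version 2' missing: SSHv1 fallback not excluded"))
    return findings


def worst_rating(findings):
    """Highest rating in a finding list, on the deck's Insignificant..Major scale."""
    return max((r for r, _ in findings), key=RATING_ORDER.index, default="Insignificant")


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_management_config(cfg)
        print(f"{label}: overall {worst_rating(found)}")
        for rating, text in found:
            print(f"  [{rating}] {text}")
```

One caveat the recommendation on the slide glosses over: moving to SNMP version 3 only removes the clear-text exposure if the groups are configured with `priv` (authentication and encryption); an SNMPv3 group at the `noauth` or `auth` level still sends management data unencrypted, which is why the script reports it as a Notable exception rather than treating the version number alone as the fix.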
29. The Report - Individual Finding Ratings
   - Through investigation and analysis, a number of exceptions generated are often summarized to identify a weakness or risk and create a "Finding"
   - The impact of a Finding can be classified in one of the following four ways:
     - Insignificant = nominal violations of procedures, rules or regulations. Not included in the report. Corrective action suggested verbally, but not required.
     - Notable = minor violation of policies and procedures; and/or weak internal controls; and/or opportunity to improve effectiveness and efficiency. Moderate risk identified. Corrective action recommended.
     - Significant = significant violation of policies/procedures/laws; and/or poor internal controls; and/or significant opportunity to improve effectiveness and efficiency. Significant risk identified. Corrective action required.
     - Major = major violation of policies/procedures/laws; and/or unacceptable internal controls; and/or high risk for fraud/waste/abuse; and/or major opportunity to improve effectiveness and efficiency. Major risk identified. Immediate corrective action required.
   - The relationship of exception(s) to a Finding can be one-to-one or many-to-one

30. Overall Report Ratings
   - The overall rating is typically based on the number and type of "Findings"
   - Excellent = few notable observations. No internal control weaknesses noted; good adherence to laws, regulations and policies. Excellent control environment.
   - Good = several notable and/or one or two significant observations. Minor violations of policies and procedures. No violation of laws. Minor opportunities for improvement.
   - Fair = many notable observations and/or a few significant observations. Several notable violations of policy. Minor violations of regulations. No violations of laws. Moderate opportunities for improvement.
   - Poor = several significant observations and no major observations. Controls were weak in one or more areas. Noncompliance with policies/regulations puts the University/College at risk. Violation of law (not serious). Substantial opportunities for improvement.
   - Adverse = several significant observations or one or more major observations. Significant risk for noncompliance with policies/regulations. Serious violation of laws. Significant opportunities for improvement.

31. Audit Finding Follow-Up Process
   - Our expectations from leadership upon completion of the audit draft report ...
   - Response to the audit report is to be provided in the form of an action plan - WHO will do WHAT to implement the recommendation by WHEN
   - Status of the action plan is reported on a quarterly basis to the BOR Audit Committee until the issue is resolved

32. Snapshot of Evidence Gathering Process (Typically Inductive to Deductive Approach)

33. What Does Evidence Look Like?
   - Definition: evidence must be sufficient, reliable and relevant
   - The various types of audit evidence that the IS auditor may consider using include:
     - Observed processes and existence of physical items, e.g., a computer room security system in operation
     - Documentary audit evidence, e.g., activity and control logs, system development documentation
     - Representations, e.g., written policies and procedures, system flowcharts, written or oral statements
     - Analysis, e.g., benchmarking IS performance against other organizations or past periods; comparison of error rates between applications, transactions and users
   - Evidence gathering procedures considered are: inquiry, observation, inspection, confirmation, re-performance, and monitoring
   - Audit evidence should be useful to form an opinion or support the findings and conclusions
   - Evidence gathered should be appropriately documented and organized to support the findings and conclusions

34. We Help Support the Process ... We Are Life Savers! Purchase the First-Aid Trunk Monkey!
35. Part III - The On-site Audit (Preliminaries, Logistics & Execution)

36. Part III - The On-site Audit: Preliminaries

37. Sample Engagement Letter to Your Institution's Leadership
   Dear Dr. So-and-So (or whomever):
   In accordance with the Internal Audit Plan approved by ..., we plan to conduct an audit of Audited Entity University's network and associated systems beginning on Date. This letter is to confirm ....
   The audit engagement will constitute an independent and objective service performed on behalf of the Board of Regents. The purpose of this audit will be to evaluate ....
   The scope of the audit will include such areas as:
   - Identity Management: the management of user credentials and the means by which users might log on to and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities
   - Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
   - Perimeter and Network Security: the provisions made in the underlying computer network infrastructure to protect network-accessible resources from unauthorized access, and the effectiveness of these measures
   Please note that the scope of the audit is subject to change/modification during the course of the audit. Please designate an individual who will serve as your representative and primary contact for the audit. .... Additional information regarding our audit process, as well as specific requests for logistical assistance, is attached. .... Please have these materials assembled and ready for review by Date. ....
   ("Engagement Letter of Generic - Revised Aug 2008.doc")

38. Sample Engagement Letter - Attachments Included
   - A practical list of procedures and requirements
     - Engagement Process
     - Logistical Assistance
       - Work space - room, desk, printer, etc.
       - Technical assistance - VPN capability, etc.
       ("BOR Engagement Process and Request for Logistical Assistance.doc")
   - IT Auditor technical needs and requirements
     - Audited Entity's policies, procedures, guidelines, etc.
     - Audited Entity's topology, configs, hardware, etc.
     - Data store(s) access requirements for testing
       ("IT Audit Request List - Generic - Reduced.doc")
     - Script(s) to apply to the data store(s)
       ("Oracle Audit Privileges.doc" and "Audit Steps for Oracle Databases.doc")
   - Contact will be made with the Audited Entity's CIO / CISO by the auditor to negotiate the practicality of the technical needs and requirements

39. Part III - The On-site Audit: Logistics and THE PLAN
40. Sample Audit Plan (OIA Internal Use by the Auditors) - Situation
   Situation:
   - What risk or requirement justifies a specific audit (implementation of the tactical guidance and associated functional requirements)?
   - What critical business process or function needs to be assessed, and why?
   - What precedent is there for an investigation or the gathering of evidence?
   - What regulatory or policy compliance issues exist to support the goals and objectives for a specific audit?
   - How does this one audit fit into the bigger picture, e.g., time, resources, the tactical / strategic goals, and other audit agencies that will audit our institution?
   - Is the goal to place emphasis upon risk assessment, risk management, or risk avoidance?
   - What critical process information is available to support the goals and objectives for a specific audit?
   - Will the process be deductive (investigation of predefined particulars to prove some hypothesis) or inductive (the collection of facts that may or may not reveal patterns or activities that introduce risk)?

41. Sample Audit Plan (OIA Internal Use by the Auditors) - Other Considerations
   Pre-Audit Considerations or Outcomes:
   - Define what is to be audited and the associated outcomes - scope and criteria.
     - What process of examining and validating documents, data, processes, procedures, systems, or other activities will be used to ensure that the audited entity complies with objectives?
     - What set of business rules, system controls, government regulations, or security policies will be used to measure and determine compliance of the audited entity?
   - Define the expected outcomes or results that the audit will produce, e.g., a report which identifies ... (goals or objectives resulting from the audit).

42. Sample Audit Plan (OIA Internal Use by the Auditors) - Mission
   Mission (goals and objectives):
   The OIA IT department will conduct an audit of Audited Institution or entity name on date of onsite audit to validate that appropriate controls and procedures exist to mitigate the potential threat of inappropriate access to the institution's network and resources. The focus of the audit will review:
   - The management of user credentials and the means by which users might log on to and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities
   - The mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
   - The provisions made in the underlying computer network infrastructure to protect network-accessible resources from unauthorized access, and the effectiveness of these measures

43. Sample Audit Plan (OIA Internal Use by the Auditors) - Execution of Audit
   Execution (Operational Requirements - Part 1):
   The explanation of how the critical characteristics of the mission will be completed - what steps and/or processes are involved to complete the mission:
   - Controls to be assessed are: preventive, detective, corrective, administrative, technical, and physical (need to address specifics per the types of systems being employed at the Audited Entity)
   - Audit programs / processes to support the mission and target specific application of controls, the individuals who will complete each set of tasks, and the time to be invested during the audit - Identity Management (50%), Access Control (25%), Network and Perimeter Security (25%)
   - Key system(s) to be evaluated are the major network support systems associated with user access:
     - Data stores: Banner, PeopleSoft, other database systems
     - Directory services (NDS, AD, LDAP, etc.)
     - One Card system, and others ...
   - User access to network resources and associated policies and procedures for: NOC, Administration, Auxiliary Services, Faculty, Students
     - Internal and external network devices
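The identity-management half of this plan (provisioning and de-provisioning, tested against the data stores and directory services listed above) is normally executed as a reconciliation: the HR system of record says who should have access, the directory export says who actually does, and every enabled account that HR says should be gone is an exception with evidence attached. The script below is an added example, not an OIA audit program and not from the original presentation; the two CSV extracts, their column names, the as-of date, and the 3-day grace and 90-day dormancy thresholds are constructed assumptions for illustration.

```python
"""Reconcile an HR roster against a directory export to test de-provisioning.

Added example; not part of the original presentation. The CSV layouts, column
names, dates and thresholds are constructed assumptions for illustration.
"""
import csv
import io
from datetime import date

# Constructed "as of" date for the test (the presentation date).
AS_OF = date(2009, 6, 8)

# Constructed HR extract: who should have access according to the system of record.
HR_ROSTER = """\
employee_id,name,status,separation_date
1001,Alice Adams,active,
1002,Bob Brown,separated,2009-03-15
1003,Carol Chen,separated,2009-05-30
1004,Dan Diaz,active,
"""

# Constructed directory extract (e.g. from AD/LDAP): who actually has access.
DIRECTORY_EXPORT = """\
account,employee_id,enabled,last_logon
aadams,1001,true,2009-06-05
bbrown,1002,true,2009-04-01
cchen,1003,false,2009-05-29
ddiaz,1004,true,2008-12-20
svc-backup,,true,2009-06-07
"""


def _parse_date(text):
    """ISO date, or None for an empty field."""
    return date.fromisoformat(text) if text else None


def reconcile(hr_csv, directory_csv, as_of=AS_OF, grace_days=3, dormant_days=90):
    """Return [(rating, account, issue)] using the deck's Notable/Major ratings.

    Tests applied to each directory account:
      - enabled with no HR owner                 -> Notable (unowned/service account)
      - HR separated, logon after that date      -> Major (access used after separation)
      - HR separated, still enabled past grace   -> Major (de-provisioning failed)
      - active owner, no logon for dormant_days  -> Notable (dormant account)
    """
    hr = {row["employee_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(directory_csv)):
        name = acct["account"]
        enabled = acct["enabled"].strip().lower() == "true"
        last_logon = _parse_date(acct["last_logon"])
        person = hr.get(acct["employee_id"])

        if person is None:
            if enabled:
                findings.append(("Notable", name, "enabled account with no HR owner; confirm purpose and owner"))
            continue

        separated = _parse_date(person["separation_date"]) if person["status"] == "separated" else None
        if separated is not None:
            if last_logon is not None and last_logon > separated:
                findings.append(("Major", name, f"logon on {last_logon} after separation on {separated}"))
            days_since = (as_of - separated).days
            if enabled and days_since > grace_days:
                findings.append(("Major", name, f"still enabled {days_since} days after separation"))
            continue

        if enabled and last_logon is not None and (as_of - last_logon).days > dormant_days:
            findings.append(("Notable", name, f"dormant: no logon for {(as_of - last_logon).days} days"))
    return findings


if __name__ == "__main__":
    for rating, account, issue in reconcile(HR_ROSTER, DIRECTORY_EXPORT):
        print(f"[{rating}] {account}: {issue}")
```

Two of the output rows deserve a word. A logon after the separation date is rated above a merely enabled account because it is evidence that the control actually failed, not just that it could have; and a disabled account for a separated user (cchen in the sample) is deliberately not reported, since disabling within the grace period is what "right looks like" for this test. Thresholds are an audit judgement, so they are parameters rather than constants.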
  44. 44. Sample Audit Plan OIA Internal Use by the Auditors – Execution of Audit <ul><li>Execution (Operational Requirements - Part 2) : </li></ul><ul><li>Standards for the Audit Methodology </li></ul><ul><ul><li>Standards for the execution of the audit will comply with IIA guidance. Processes or outcomes will be measured using Industry Standard businesses practices identified in ISACA (CoBIT4.01) and the additional guidelines where applicable, e.g., NIST, ISO, ITL, BPM, Local Policies, etc. </li></ul></ul><ul><li>CMMI level 3 will be the minimum criteria for measuring key processes for maturity </li></ul><ul><li>Objectives and milestones of the audit (programs and process) to support the mission </li></ul>
  45. 45. Sample Audit Plan OIA Internal Use by the Auditors – C3 <ul><li>Command, Control, & Communication : </li></ul><ul><li>Key Leadership contact information and communication procedures or protocol expected </li></ul><ul><ul><li>Key shareholders (contact information): President, Chief Business Officer, Chief Information Officer, Chief Security Officer, and is there a local campus auditor? </li></ul></ul><ul><ul><li>Are they any special requirements or considerations outside of our normal operations? </li></ul></ul><ul><li>Logistics – Resources required to complete the mission Identify & coordinate logical requirements </li></ul><ul><ul><li>The audited institution or entities’ location </li></ul></ul><ul><ul><li>Travel mileage and driving time from USGBOR to Institution / Hotel </li></ul></ul><ul><ul><li>Timeline and general schedule of hours to be invested </li></ul></ul><ul><ul><li>Support needs to conduct the audit or coordinated e.g., office space, interview rooms, parking passes, etc </li></ul></ul><ul><li>Coordination and scheduling with audited entity POC in how the audit evidence will be gathered and what resources needed e.g., people for interviews, IT systems, documentation, etc. </li></ul><ul><li>Communications – notification and dialogue required to complete the mission </li></ul><ul><ul><li>Key shareholders – regular situational audit updates to the audited entity </li></ul></ul><ul><ul><li>Interviewees – coordination and conduct: Administration or Operational Services, e.g., IT, HR, etc; Functional Faculty; Auxiliary Service or outside agencies contracted to support the audited entity </li></ul></ul><ul><ul><li>Colleagues (peer auditors) and superiors – special or general guidance as the process progresses </li></ul></ul>
46. 46. Sample Audit Plan OIA Internal Use by the Auditors – Safety <ul><li>Safety (physical or political considerations): </li></ul><ul><li>Sensitivity to issues that are local to the audited entity </li></ul><ul><li>Physical safety concerns </li></ul><ul><ul><li>Assessments involving or around resources or equipment that are hazardous </li></ul></ul><ul><ul><li>Avoidance of placing the auditor in a situation that could compromise the integrity of the evidence being gathered or their personal character </li></ul></ul>
  47. 47. With Your IT Auditor Around …, You have no need to fear! Purchase the Karate Trunk Monkey!
  48. 48. <ul><li>Part III – The On-site Execution of Audit </li></ul>
49. 49. Your Institution - Audit Objectives (Sample of Business Logic and Associated Risk Areas – Understanding the Objective) <ul><li>Entrance Conference: </li></ul><ul><li>Your Institution plays a vital role for the Audit Entity needs of USG. Loss of the Audit Entity’s functionality would have a major impact on your institution’s capability to … (business practice, controls to mitigate risk, and / or effect if not protected or working properly) in support of USG development, growth, cost, etc., or adversely impact USG’s image. </li></ul><ul><li>Possible areas to be reviewed: </li></ul><ul><ul><li>Governance, Administration, Policies and Procedures </li></ul></ul><ul><ul><li>Physical Security and Environmental Controls </li></ul></ul><ul><ul><li>Network Design and Security Architecture </li></ul></ul><ul><ul><li>User Management / Logical Access to Applications and Sensitive Data </li></ul></ul><ul><ul><li>Incident and Disaster Response </li></ul></ul><ul><ul><li>Change Management, Systems Monitoring and Trend Analysis </li></ul></ul>
50. 50. Your Institution - Plan of Action <ul><li>Doing the Audit: </li></ul><ul><li>Gather Information / Evidence </li></ul><ul><ul><li>Interviews with key personnel </li></ul></ul><ul><ul><li>Test and validate objectives </li></ul></ul><ul><li>Document initial analysis (informal) </li></ul><ul><li>Dialogue and gain confirmation of observations </li></ul><ul><li>Dialogue and gain common understanding of exceptions and findings </li></ul><ul><li>Get key shareholders to sign Audit Report Worksheets (ARWs) </li></ul><ul><li>Until the final report is completed, dialogue with the audited entity regarding findings will continue </li></ul>
51. 51. Your Institution - Schedule of Events <ul><li>Support the auditors’ logistical needs and evidence-gathering requirements (sent with the engagement letter) </li></ul><ul><ul><li>Key shareholders schedule time for interviews with the personnel requested </li></ul></ul><ul><ul><li>Need to provide an institutional administrative contact to coordinate interviews and logistics, e.g., 10:00 AM at Building A, room 120, with Joe or Jill Somebody. </li></ul></ul><ul><ul><li>Order of precedence: leadership to line worker, or dean / director to faculty </li></ul></ul><ul><ul><li>Need to speak with key areas’ leadership the 1st week </li></ul></ul><ul><ul><li>Hours of operation from 8:00 to 7:00 (with working lunch – a split shift is possible if needed; 45-60 minutes per interview) </li></ul></ul><ul><ul><li>Leadership should recommend others as needed </li></ul></ul><ul><ul><li>Interviewees will need to be from key functional areas </li></ul></ul><ul><li>Need to have physical access to system resources or locations to assess and confirm controls (e.g., look over the shoulder or direct access) </li></ul><ul><li>Auditor will provide status updates to your institution’s audit POC each week </li></ul><ul><li>Brief exit meeting with key leadership to address ARWs </li></ul>
  52. 52. <ul><li>Did Someone Mention Break? </li></ul>
  53. 53. <ul><li>Part IV - Example of “How to Prepare” </li></ul><ul><li>BIA, CMMI, and COBIT 4.01 </li></ul>
54. 54. <ul><li>Education versus Industry </li></ul><ul><li>Everyone’s goal in USG is to: Create a More Educated Georgia by … providing Information Technology services and support for functional and operational business needs or requirements </li></ul>
  55. 55. IT Challenges and Business Requirements - Where are you at? Can seem like HERDING CATS ! EDS “Cat Herding” 1:07 minutes
  56. 56. IT Challenges and Business Requirements - Where are you at? Can seem like herding cats! <ul><li>Business Functions and Processes? </li></ul><ul><ul><li>Herding Cats can have its challenges </li></ul></ul><ul><ul><li>Herding Cats has its risks </li></ul></ul><ul><li>Education is distinct from Industry practices due to: </li></ul><ul><ul><li>Diversity of Administrative Operational Requirements </li></ul></ul><ul><ul><li>Fluctuation of Functional Instructor / Faculty Requirements </li></ul></ul><ul><ul><li>Changes in Leadership </li></ul></ul><ul><li>Educational requirements do overlap with Industry! </li></ul><ul><ul><li>Business rules and requirements, e.g. compliance, integrity, confidentiality, availability, effectiveness, reliability, efficiency, etc. </li></ul></ul><ul><ul><li>Processes, e.g., domains (scope of application for controls), procedures, operational activities, etc. </li></ul></ul><ul><ul><li>Resources, e.g., people, information, infrastructure, applications, etc. </li></ul></ul>
57. 57. Pinch Hit – Fingers in the Dike #1 Where are you at? Prioritizing the process We Do Understand!
58. 58. Pinch Hit – Fingers in the Dike #2 Real World – Real Problems We Are Concerned!
59. 59. Pinch Hit – Fingers in the Dike #3 Running out of Fingers? We Recognize the Challenge!
60. 60. Know Yourself – Know Your Enemy! The Art of War (Chinese: 孫子兵法; pinyin: Sūn Zǐ Bīng Fǎ) is a Chinese military treatise that was written during the 6th century BC by Sun Tzu. <ul><li>Two Possible (Not Recommended) Responses to the Challenge </li></ul><ul><ul><li>Freak Out: Embrace hopelessness, hide, ignore, deny, and play computer games until the inevitable occurs </li></ul></ul><ul><ul><li>Idealistic and Unrealistic: Do the “Don Quixote (To Dream the Impossible Dream and Fight the Impossible Fight)” – wear yourself out fighting windmills by shooting at whatever pops its head out! </li></ul></ul><ul><li>Third Approach: “How do you eat the elephant standing in the corner, instead of avoiding it?” Take ONE BITE at a time by … </li></ul><ul><ul><li>Strategizing a response </li></ul></ul><ul><ul><li>Creating a deliberate long-term plan </li></ul></ul><ul><ul><li>Identifying short-term objectives and milestones </li></ul></ul><ul><ul><li>Gaining key shareholder ownership of the challenges </li></ul></ul><ul><ul><li>Testing and monitoring the process with identifiable outcomes </li></ul></ul>
61. 61. Making a Lose / Lose Situation … a Win / Win <ul><li>Givens: A perfect IT operational environment does not exist! You will have exceptions and findings (if not, you should complain about the auditor) </li></ul><ul><li>Priority of effort should be directed to likely threats for known vulnerabilities by … </li></ul><ul><ul><li>Affirming good controls and practices </li></ul></ul><ul><ul><li>Uncovering unknown vulnerabilities </li></ul></ul><ul><li>Focus upon what is essential for the success of your institution’s “Business Functions,” which are comprised of … </li></ul><ul><ul><li>Business Rules or Requirements: A statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business. </li></ul></ul><ul><ul><li>Business Standards or Practices: A related group of business processes that support some aspects of the mission of an enterprise. </li></ul></ul>
62. 62. Dealing with the Nuts The Old Way …! Assessing Risk? 20th Century Fox “Ice Age” 1:55 min/sec
63. 63. Nuts Can Be Challenging Business Process – Gathering and Storing NUTS and the Big Squeeze <ul><li>Tasks of Dealing with the NUTS – </li></ul><ul><ul><li>1. Gather Nuts </li></ul></ul><ul><ul><li>2. Store Nuts </li></ul></ul><ul><ul><li>3. The Big Squeeze? Operational versus Functional needs! </li></ul></ul><ul><li>What are the Associated Risks? </li></ul>20th Century Fox “Ice Age”
64. 64. In Time, Nut Requirements Change The New Way …! Risk Assessment? 20th Century Fox “Ice Age 2: The Meltdown” 55 sec
65. 65. Different Nuts, Different Methods History has a Way of Repeating Itself! <ul><li>Old Ways can Influence New Ways of … </li></ul><ul><li>Different Business Requirements – Use of Different Methods (Variety of NUTS) </li></ul><ul><li>Sometimes the NUTS get Bigger and Harder to CRACK </li></ul><ul><li>Risk may Change or Increase! </li></ul>20th Century Fox “Ice Age 2: The Meltdown”
66. 66. Making Peanut Butter Out of Nuts Moral: Life is Always Going to Be a Little Squirrelly. <ul><li>Business function Goals and Objectives can make the IT requirements a little NUTTY </li></ul><ul><li>Risk Implications associated with IT Implementations are NOT always CONSIDERED </li></ul><ul><li>Clearly Define the Task: Try making PEANUT BUTTER out of a difficult situation – it is easier to Store </li></ul><ul><li>WHERE DO YOU START? </li></ul>20th Century Fox “Ice Age 2: The Meltdown”
  67. 67. A Business Function’s - Rules and Practices <ul><li>YOU MUST KNOW … </li></ul><ul><li>What are the Business Principles in Operation? </li></ul><ul><li>Reasons - Why you do things a certain Way </li></ul>Control Objectives for Information and related Technology (COBIT®)
68. 68. Business Requirements Objectives and Rules of Engagement <ul><li>Requirements – Who needs it? What is it supposed to do? How do I ensure its …? </li></ul><ul><ul><li>Effectiveness </li></ul></ul><ul><ul><li>Efficiency </li></ul></ul><ul><ul><li>Confidentiality </li></ul></ul><ul><ul><li>Availability </li></ul></ul><ul><ul><li>Compliance </li></ul></ul><ul><ul><li>Reliability </li></ul></ul>
  69. 69. IT Resources New or Existing <ul><li>Resources – Who or what is involved for the implementation & maintenance? </li></ul><ul><ul><li>Applications: What systems are involved? </li></ul></ul><ul><ul><li>Information: What Data Dependencies exist? </li></ul></ul><ul><ul><li>Infrastructure: What will the current or new IT environment require? </li></ul></ul><ul><ul><li>People: Who will it support? </li></ul></ul>
70. 70. IT Processes Operational Considerations <ul><li>Processes – What is the scope of functionality for the business implementation and what needs to be done to make it work? </li></ul><ul><ul><li>Domains: Who or what is involved? </li></ul></ul><ul><ul><li>Processes: What major events will occur? </li></ul></ul><ul><ul><li>Activities: What individual events must support those processes? </li></ul></ul>
71. 71. Four Principles for Consideration Does a process exist or a means in place for …? <ul><li>1st Top-down, risk-based identification of threats and vulnerabilities for key business processes and related IT support processes, e.g., change management, access security, operations, etc. (General Risk Assessment) </li></ul><ul><li>2nd Control of IT risk that affects critical IT functionality in financially significant applications and related data (Particularized Risk Assessment) </li></ul><ul><li>3rd Layered IT controls to mitigate risk for application program code, databases, operating systems, and the network (Operational processes that align with precedence of risk) </li></ul><ul><li>4th Risk mitigation based upon business and IT control objectives (not the limitations of individual controls); have an IRP, DRP, & BCP </li></ul>
72. 72. Four Principles for Consideration Possible Suggestions! <ul><li>1st Security Policy that supports the IT Strategic Plan and identifies the general scope of application – General Risk Assessment </li></ul><ul><li>2nd Detailed Risk Assessment – conducted and evaluated periodically </li></ul><ul><li>3rd Layered IT controls </li></ul><ul><li>4th Business and IT control objectives are aligned (IRP, DRP, & BCP) – Justify Response </li></ul> Layered-controls matrix shown on the slide (grid only, cells blank): rows = Application, Database, Operating System, Network Infrastructure; columns = Change Management, Operations, Security
73. 73. COBIT 4.01 – Business Rules, Requirements and Practices How Are Processes Evaluated?
74. 74. Sample Key Process – Ecommerce, e.g., One Card System Requirements? <ul><li>Business Rules and Requirements (step 1): </li></ul><ul><ul><li>Business Goals </li></ul></ul><ul><ul><li>IT Goals </li></ul></ul><ul><li>IT Resources (step 2) </li></ul><ul><li>IT Processes (step 3) </li></ul><ul><li>Capacity and Performance Measurement (Quality of Service being delivered – step 4) </li></ul><ul><li>Controls to Measure and Mitigate Risk (Security of Service provided – step 5) </li></ul><ul><li>Contingency Planning & Rehearsal (step 6) </li></ul>Access Control? Identity Management? Regulatory PCI Constraints and Requirements? Vendors? Network Infrastructure and Security?
75. 75. Example: One Card System – Identity Management <ul><li>Thinking About Identity Management (IdM) </li></ul><ul><li>Corporate Culture </li></ul><ul><ul><li>Is management ready to meet the challenges of IdM? </li></ul></ul><ul><ul><li>Is there enough buy-in to implement an IdM program effectively and efficiently? </li></ul></ul><ul><ul><li>What are the prevailing perceptions and expectations of IdM? </li></ul></ul><ul><ul><li>Has the IT strategic plan been updated to reflect the need or concern for IdM? </li></ul></ul><ul><ul><li>Has management considered the impact of IdM on the organization’s long-term strategy? </li></ul></ul><ul><ul><li>Is the corporate culture ready for and accepting of change? </li></ul></ul><ul><ul><li>Has a risk assessment been performed on the current environment? </li></ul></ul><ul><li>Dedication of Resources </li></ul><ul><ul><li>What are the limitations with regard to resources that can be dedicated to implementing an IdM solution? </li></ul></ul><ul><ul><li>Are the resources centralized or decentralized? </li></ul></ul>
76. 76. Example: One Card System – Identity Management <ul><li>Planning for the Implementation of Identity Management (IdM) </li></ul><ul><li>IT Inventory and Resources </li></ul><ul><ul><li>Has an analysis and assessment of the IT architecture (hardware, software and resources) been performed? </li></ul></ul><ul><ul><li>Will new web servers, OSs, DBs, and applications be required for the implementation? </li></ul></ul><ul><ul><li>Is the legal department up to date on the latest privacy laws and their impact on maintaining and protecting data? </li></ul></ul><ul><ul><li>Are users shared between organizational units and, if so, how? </li></ul></ul><ul><ul><li>Has the impact of restructuring IT operations as a result of the IdM implementation been considered? </li></ul></ul><ul><ul><li>Have designated IT resources for the implementation of IdM been assigned? </li></ul></ul><ul><ul><li>Has a clear budget been established for the implementation? </li></ul></ul><ul><ul><li>Is the entity’s data classified into different categories (confidential, sensitive, public access)? </li></ul></ul><ul><ul><li>Has an assessment of alternate forms of authentication been performed (i.e., PKI, biometrics)? </li></ul></ul>
  77. 77. Example: One Card System – Identity Management <ul><li>Meeting the Needs of the Business </li></ul><ul><ul><li>What are the business needs and expectations of the organization’s management and IT department? How will IdM help meet these expectations? </li></ul></ul><ul><ul><li>Are the needs of the organization’s management aligned with those of the IT department? </li></ul></ul><ul><ul><li>Does the IT department have the necessary resources, time and funding to meet or exceed the expectations of management? </li></ul></ul><ul><ul><li>Is there a timeline/deadline associated with the implementation of IdM? </li></ul></ul><ul><ul><li>Has a process review been performed (identifying key areas for streamlining and reducing costs)? </li></ul></ul><ul><ul><li>Have all applications been mapped to a timed life cycle? </li></ul></ul><ul><ul><li>Has a segregation of duties been established for implementing IdM? </li></ul></ul><ul><ul><li>Has management communicated to the users of the organization regarding IdM? </li></ul></ul><ul><ul><li>Has a cost-benefit analysis been performed? </li></ul></ul><ul><ul><li>Have external implications been considered (laws, regulations, etc.)? </li></ul></ul><ul><ul><li>What will the new IdM savings be benchmarked against? </li></ul></ul>
  78. 78. Business Impact Analysis (BIA) – The ABC’s by the Numbers CISA Study Guide, SYBEX, 2006
  79. 79. Areas of Concern – BIA to Contingency Planning Principles of Information Security, Thompson, 2007
  80. 80. One Method of Service Support and Risk Assurance Purchase the IT Trunk Monkey!
  81. 81. COBIT 4.01 – What Is It? Four Major Areas of Review <ul><li>Plan and Organize (PO) — Provides direction to solution delivery(AI) and service delivery (DS) </li></ul><ul><li>Acquire and Implement (AI) — Provides the solutions and passes them to be turned into services </li></ul><ul><li>Deliver and Support (DS) — Receives the solutions and makes them usable for end users </li></ul><ul><li>Monitor and Evaluate (ME) — Monitors all processes to ensure that the direction provided is followed </li></ul>
  82. 82. COBIT 4.01 – Narrowing the Scope Delivery and Support (DS) <ul><li>DS1 Define and Manage Service Levels </li></ul><ul><li>DS2 Manage Third-party Services </li></ul><ul><li>DS3 Manage Performance and Capacity </li></ul><ul><li>DS4 Ensure Continuous Service </li></ul><ul><li>DS5 Ensure Systems Security </li></ul><ul><li>DS6 Identify and Allocate Costs </li></ul><ul><li>DS7 Educate and Train Users </li></ul><ul><li>DS8 Manage Service Desk and Incidents </li></ul><ul><li>DS9 Manage the Configuration </li></ul><ul><li>DS10 Manage Problems </li></ul><ul><li>DS11 Manage Data </li></ul><ul><li>DS12 Manage the Physical Environment </li></ul><ul><li>DS13 Manage Operations </li></ul>13 Categories
83. 83. DS5 Ensure Systems Security <ul><li>DS5.1 Management of IT Security </li></ul><ul><li>DS5.2 IT Security Plan </li></ul><ul><li>DS5.3 Identity Management </li></ul><ul><li>DS5.4 User Account Management </li></ul><ul><li>DS5.5 Security Testing, Surveillance and Monitoring </li></ul><ul><li>DS5.6 Security Incident Definition </li></ul><ul><li>DS5.7 Protection of Security Technology </li></ul><ul><li>DS5.8 Cryptographic Key Management </li></ul><ul><li>DS5.9 Malicious Software Prevention, Detection and Correction </li></ul><ul><li>DS5.10 Network Security </li></ul><ul><li>DS5.11 Exchange of Sensitive Data </li></ul>11 Sub-Categories
84. 84. DS5.3 Identity Management Goals and Objectives <ul><li>DS5.3 Identity Management </li></ul><ul><li>Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms. </li></ul><ul><li>Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities. </li></ul><ul><li>Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person. </li></ul><ul><li>Maintain user identities and access rights in a central repository. </li></ul><ul><li>Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights. </li></ul>
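The DS5.3 objectives above are what an IT auditor tests when walking through an institution's identity data: every account traces to one person, rights match the documented job need, each grant carries a system-owner approval, and identities live in a central repository rather than scattered application user tables. The script below is an added example of how such a test could be scripted; it is not part of the presentation, COBIT, or any OIA tool. The directory export, the local SIS user table, the HR roster and the role-to-entitlement matrix are all constructed sample data, and each check is labelled with the DS5.3 bullet it exercises.

```python
"""Audit test for the DS5.3 identity-management objectives (added example).

All data below is constructed for illustration: a central directory export,
a local application user table, an HR roster of active people, and a
role-to-entitlement matrix.  Each check maps to one bullet of DS5.3.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

Finding = Tuple[str, str, str, str]   # (check, system, user_id, detail)


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str                 # which system the account lives in
    owner: Optional[str]        # HR person id; None means a shared/generic account
    role: str                   # job role attached to the identity
    rights: FrozenSet[str]      # entitlements actually granted
    approved_by: Optional[str]  # system owner who approved; None = undocumented


# Constructed: what each job role legitimately requires
ROLE_RIGHTS: Dict[str, FrozenSet[str]] = {
    "registrar_clerk": frozenset({"sis.read", "sis.write_grades"}),
    "finaid_officer": frozenset({"sis.read", "finaid.award"}),
    "sysadmin": frozenset({"sis.admin", "dir.admin"}),
}

# Constructed: HR roster of currently active people (p009 has left)
HR_ACTIVE = frozenset({"p001", "p002", "p003"})

# Constructed: the central identity repository (directory) export
CENTRAL_DIRECTORY = [
    Account("jdoe", "directory", "p001", "registrar_clerk",
            frozenset({"sis.read", "sis.write_grades"}), "registrar_owner"),
    Account("asmith", "directory", "p002", "finaid_officer",
            frozenset({"sis.read", "finaid.award"}), "finaid_owner"),
    Account("bchen", "directory", "p003", "sysadmin",
            frozenset({"sis.admin", "dir.admin"}), "cio"),
    Account("mgone", "directory", "p009", "registrar_clerk",
            frozenset({"sis.read"}), "registrar_owner"),
]

# Constructed: a local user table pulled from the student information system
SIS_LOCAL_USERS = [
    Account("jdoe", "sis", "p001", "registrar_clerk",
            frozenset({"sis.read", "sis.write_grades", "sis.admin"}), "registrar_owner"),
    Account("asmith", "sis", "p002", "finaid_officer",
            frozenset({"sis.read", "finaid.award"}), None),
    Account("sis_batch", "sis", None, "sysadmin",
            frozenset({"sis.admin"}), "cio"),
]


def audit_identities(directory: Iterable[Account], local_accounts: Iterable[Account],
                     hr_active: FrozenSet[str],
                     role_rights: Dict[str, FrozenSet[str]]) -> List[Finding]:
    """Return one finding per DS5.3 exception found in the supplied exports."""
    directory = list(directory)
    local_accounts = list(local_accounts)
    central_ids = {a.user_id for a in directory}
    findings: List[Finding] = []

    for acct in directory + local_accounts:
        # "uniquely identifiable": every account must trace to exactly one person
        if acct.owner is None:
            findings.append(("not_uniquely_identifiable", acct.system, acct.user_id, ""))
        # de-provisioning: the owner is no longer on the HR roster
        elif acct.owner not in hr_active:
            findings.append(("not_deprovisioned", acct.system, acct.user_id, acct.owner))
        # "approved by system owners": the approval must be documented
        if acct.approved_by is None:
            findings.append(("no_owner_approval", acct.system, acct.user_id, ""))
        # "in line with documented business needs": no rights beyond the role
        excess = acct.rights - role_rights.get(acct.role, frozenset())
        if excess:
            findings.append(("rights_exceed_role", acct.system, acct.user_id,
                             ",".join(sorted(excess))))

    # "central repository": local accounts the directory does not know about
    for acct in local_accounts:
        if acct.user_id not in central_ids:
            findings.append(("outside_central_repository", acct.system, acct.user_id, ""))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per check, the figure an Audit Report Worksheet would carry."""
    return Counter(f[0] for f in findings)


if __name__ == "__main__":
    results = audit_identities(CENTRAL_DIRECTORY, SIS_LOCAL_USERS, HR_ACTIVE, ROLE_RIGHTS)
    for finding in results:
        print(finding)
    print(summarize(results))
```

On the constructed data the test raises five exceptions: one account whose owner has left HR but was never de-provisioned, one local grant without owner approval, one entitlement beyond the documented role, and one shared batch account that is both not attributable to a person and absent from the central repository. In a real engagement the exports would be the evidence gathered during the interviews and system walk-throughs described in the on-site schedule.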
  85. 85. Logical Didactic Approach DS5.3 Identity Management (How it is Evaluated) <ul><li>Control over the IT process of Ensure systems security that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents </li></ul><ul><li>By focusing on </li></ul><ul><ul><li>defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents </li></ul></ul><ul><li>Is achieved by </li></ul><ul><ul><li>Understanding security requirements, vulnerabilities and threats </li></ul></ul><ul><ul><li>Managing user identities and authorizations in a standardized manner </li></ul></ul><ul><ul><li>Testing security regularly </li></ul></ul><ul><li>And is measured by </li></ul><ul><ul><li>Number of incidents damaging the organization's reputation with the public </li></ul></ul><ul><ul><li>Number of systems where security requirements are not met </li></ul></ul><ul><ul><li>Number of violations in segregation of duties </li></ul></ul>
86. 86. How Do We Measure Success? Maturity Model – CMMI DS5 Snapshot (Criteria) <ul><li>DS5 Ensure Systems Security - Management of the process of Ensure systems security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is: </li></ul><ul><li>0 Non-existent when the organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned … There is a complete lack of a recognizable system security administration process. </li></ul><ul><li>1 Initial/Ad Hoc when the organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses, … to IT security breaches are unpredictable. </li></ul><ul><li>2 Repeatable but Intuitive when responsibilities and accountabilities for IT security are assigned to an IT security …, although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information …, it is not analyzed. IT security is seen primarily as the responsibility and domain of IT and the business does not see IT security as within its domain. </li></ul><ul><li>3 Defined when security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed. </li></ul><ul><li>4 Managed and Measurable when responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. .... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... . Security testing is completed using standard and formalized processes, leading to improvements of security levels. …. IT security reporting is linked to business objectives. IT security training is conducted …. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured. </li></ul><ul><li>5 Optimized when IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated …. </li></ul>
  87. 87. COBIT 4.01 Standards to NIST Mapping –Integration with other Standards (Alignment of IT Controls to Mitigate Risk)
  88. 88. NIST 800-53, Revision 1 Standards Terminology and Application
89. 89. Sample Key Process – Ecommerce, e.g., One Card System <ul><li>Solutions to Other Questions Relating to the Ecommerce system </li></ul><ul><ul><li>Plan and Organize (PO) — Provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11 </li></ul></ul><ul><ul><li>Acquire and Implement (AI) — Provides the solutions and passes them to be turned into services: AI5 and AI4 </li></ul></ul><ul><ul><li>Deliver and Support (DS) — Receives the solutions and makes them usable for end users: DS1, DS5 and DS11 </li></ul></ul><ul><li>Map the requirements to your preferred checklist, e.g., NIST or ISO </li></ul><ul><li>Requirements for Ecommerce complement other processes </li></ul><ul><ul><li>Less work required for other system implementations </li></ul></ul><ul><ul><li>No duplication of effort if requirements are properly addressed </li></ul></ul><ul><li>Identity Management applies to many other process requirements, e.g., Applications, Operating Systems, and Databases </li></ul>
90. 90. COBIT 4.0-4.01 Available Mappings <ul><li>ISACA web site at (many more available than listed here) </li></ul><ul><li>A few of the available mappings </li></ul><ul><ul><li>COBIT® Mapping: Mapping of NIST SP800-53 with COBIT® 4.1 </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of CMMI® for Development V1.2 With COBIT® 4.0 </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of ISO/IEC 17799:2000 With COBIT®, 2nd Edition </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of ISO/IEC 17799:2005 With COBIT® 4.0 </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of ITIL With COBIT® 4.0 </li></ul></ul><ul><li>Other planned detailed mappings include: </li></ul><ul><ul><li>COBIT® Mapping: Mapping of ITIL V3 With COBIT® 4.1 </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of COSO ERM With COBIT® 4.1 </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of ISO 20000 With COBIT® 4.1 </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of CMMI® for Development V1.2 With COBIT® 4.1 </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of PMBOK© With COBIT® 4.1 </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of ISO/IEC 1220 With COBIT® 4.1 </li></ul></ul><ul><ul><li>COBIT® Mapping: Mapping of ISO 19770-1 With COBIT® 4.1 </li></ul></ul>
  91. 91. <ul><li>Did Someone Mention …, Another Break? </li></ul>
  92. 92. <ul><li>Part V – High Level Simple Example: </li></ul><ul><li>Identity Management, Access Control, & Network Security </li></ul>
  93. 93. Birthing of a New Approach? Purchase the Birthing Trunk Monkey!
94. 94. Entities Assessed During the Audit Scope of Application: Areas of Emphasis (Entity or Process) <ul><li>IAM: Identity and Access Control Management </li></ul><ul><ul><li>Identity Management: the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agency identities </li></ul></ul><ul><ul><li>Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares </li></ul></ul><ul><li>NETSEC: Perimeter and Network Security </li></ul><ul><ul><li>The provisions and management for the underlying computer network infrastructure to protect network-accessible resources from unauthorized access, and the effectiveness of these measures </li></ul></ul>
95. 95. Users Involved in Business Functions and Types of System Information? (Provisioning of High Risk or Critical Information) <ul><li>Business functional responsibility for assigning “Rights & Permissions” to various roles within the organization </li></ul><ul><ul><li>Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Registrar, FinAid, HR, ConEd, etc. </li></ul></ul><ul><ul><li>Trustees: Responsible for maintaining the trust granted by the Business Owner, e.g., “Worker Bees” in the associated departments that conduct day-to-day operations </li></ul></ul><ul><ul><li>Stewards: Responsible for servicing and supporting the business function; typically provide a technical system or infrastructure to facilitate business needs, e.g., ITS, OIIT, etc. </li></ul></ul><ul><li>Types of Information (Data Classification) per BOR’s BPM </li></ul><ul><ul><li>Unrestricted / Public: No consequence; typically general information </li></ul></ul><ul><ul><li>Sensitive: typically references legal or externally imposed constraints that require this restriction </li></ul></ul><ul><ul><li>Confidential: highest level of restriction; applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA </li></ul></ul>
  96. 96. Following the Business Function Information from Origin to Destination <ul><li>We Identify how the information travels and is managed throughout the business function life cycle! </li></ul><ul><ul><li>Technical Considerations: How packets of data are managed, provisioned, formatted, and transferred throughout business functions </li></ul></ul><ul><ul><li>Administrative Considerations: How the handling of information is conducted per the classification of this information and its intended use </li></ul></ul><ul><ul><li>Attempt to assess information and information system security from various perspectives </li></ul></ul>
  97. 97. High level Simple Example Paradigm Shift – CAN YOU DO IT? <ul><li>Technology Management of User Space and Services through Security Threat Gateways </li></ul><ul><ul><li>Techniques and Current Management Practices </li></ul></ul><ul><ul><li>Recognition of the Challenges for Network Infrastructure Security </li></ul></ul><ul><ul><li>Discussion: </li></ul></ul><ul><ul><ul><li>User Profile Characteristics and Service Needs Identification Process </li></ul></ul></ul><ul><ul><ul><li>Tactical Significance of the Security Threat Gateway in Mitigating Risk </li></ul></ul></ul>
98. 98. Overall Audit Plan & Program: Summary of Situation <ul><li>The methodology for the Information Systems assessment will be a top-down approach </li></ul><ul><ul><li>Business Goals to Standards and Practices </li></ul></ul><ul><ul><li>Business Function to Information System </li></ul></ul><ul><ul><li>Leadership (administrator) to Technician or Staff member (end user) </li></ul></ul><ul><li>The approach will focus on key business functions and their associated Business Goals and Objectives as they relate to IAM and NETSEC. </li></ul><ul><li>Once identified and agreed upon for each business function, the key associated requirements, resources, and processes will be identified and assessed to determine whether high or critical risk is being managed. </li></ul><ul><li>Focus will be upon Control Practices and Responsibility / Accountability associated with key activities, against an expected CMMI level 3 criterion for High Risk / Critical processes. </li></ul>
  99. 99. High level Simple Example Traditional Network Paradigm <ul><li>Techniques and Current Management Practices </li></ul>
  100. 100. Management of User Space and Services - Threat Controls <ul><li>Recognition of the Challenges for Network Infrastructure Security </li></ul><ul><ul><li>Resources </li></ul></ul><ul><ul><li>Controls </li></ul></ul><ul><ul><li>Security in Depth </li></ul></ul>Principles of Information Security, Thompson, 2007 Your Institution's Security Topology!
101. Management of User Space and Services - Regulatory Compliance
- Further Recognition of the Challenges for Network Infrastructure Security
Source: CISA Study Guide, SYBEX, 2006
The LAW: We Are Not Exempt!
102. Management of User Space and Services Through Security Threat Gateways
- Discussion (Relate it to COBIT):
  - User Profile Characteristics and Service Needs Identification Process
    - Survey – Business Functionality (Goals and Objectives)
    - IT Service Needs Identification (Rules and Requirements; Scope, Processes, and Activities; and Resources)
    - Virtual Playgrounds (Context of the Audited Entities)
      - User Space (IT, Faculty, Staff, Students, etc.)
      - Service Space (access to various resources and services)
  - Tactical / Operational Significance of the Security Threat Gateway in Mitigating Risk (Controls for the Audited Entities)
103. Your Institution's Business Functions for … (the Audited Entities) - What Rules and Practices Exist?
- Contextualize the Issues!
- What are the Business Principles in Operation?
- Reasons - Why you do things a certain Way
- Who are the Key Stakeholders?
Control Objectives for Information and related Technology (COBIT®)
104. Identity Management, Access Control, and Network Security – Business Rules, Requirements and Practices Self-Evaluated? Do a Check-up
If the Vision is Unclear, the Cost is Always too Much!
105. Management of User Space and Services Through Security Threat Gateways – Sample User Survey
- Some of the questions to pose in the survey may look like this:
- What information technology services do you need to perform your duties? Please briefly describe how you use technology on a daily basis.
- Do you use email, and if so, do you require that it be sent securely, so that no one but the intended recipient can read it? If so, please describe a practical example in the past where this was necessary or would have been beneficial.
- Do you use or exchange data that may be considered sensitive, and if so, briefly describe how you do this.
- Do you need information technology when you travel, or do you work from home? If so, what resources do you need access to, and for what purpose?
- How long have you been with the organization and what is your current position?
- How often do you use some type of information technology, and what level of knowledge or experience would you classify yourself as, e.g., novice, intermediate, expert, or somewhere in between?
- Does your department have any special needs or requirements that may introduce a threat to the overall information technology services on our network?
– free, easy, and effective
106. Management of User Space and Services Through Security Threat Gateways – Sample User Services
107. Management of User Space and Services Through Security Threat Gateways – Virtual Play Grounds: Controls to Mitigate or Avoid Risk?
108. Management of User Space and Services Through Security Threat Gateways – Identity Management Choke Points
- No longer a "FRONT-DOOR" Issue
  - We live in a glass house with no closed doors and lots of open windows – need a 3D solution
    - User Space, Service Space, and STGs
  - The challenge is internal and can be without boundaries
- Boundaries must be how YOU draw them
  - Proactively rethink the "Traditional Topology" paradigm
  - The STG Channels Resource Access
  - Define boundaries and regulate the channels to ...
    - Control and Mitigate Risk
  - People are the biggest vulnerability on the network
    - Political Fiefdoms and Turf Battles for freedom of expression?
    - Work with them or against them?
    - Give them a virtual Playground with clearly defined boundaries
109. Management of User Space and Services Through Security Threat Gateways – Tactical Network Paradigm Shift
  - Match user needs to services
  - Segment service access
  - Fluid controls in place to mitigate risk
  - Create Security Threat Gateways to control and mitigate risk
110. Management of User Space and Services Through Security Threat Gateways – Keys of Success to Mitigate Risk
- Step 1: Clearly Poll and Define User Needs and Requirements (Business Function!)
- Step 2: Identify Policy and Legal Requirements
- Step 3: Create and Segregate into Logical Buckets (Spaces & Places)
  - User Groups (User Space)
  - Service Groups (Service Space)
- Step 4: Map out the Topology and Physical Requirements
  - Physical hardware and software
  - Routing, Switching, IDS, IPS, DAM
- Step 5: Redefine Security Requirements and Implement Security Threat Gateways (the Perimeter is Everywhere)!
- Step 6: Create the Virtual User Playground
- Step 7: Document, Manage, and Monitor User Activity and Resources
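As an added illustration that is not part of the presentation, the following Python model walks Steps 3, 5 and 7 above: users are bucketed into a User Space, services into a Service Space, and every access request passes through a deny-by-default Security Threat Gateway that records its decision for monitoring. The group names, service names, users and the VPN rule are constructed for the example.

```python
from dataclasses import dataclass, field

# Step 3 (constructed): Service Space, each service mapped to the User Space
# groups allowed to reach it. Any service or group not listed is denied.
SERVICE_SPACE = {
    "email":           {"it", "faculty", "staff", "students"},
    "lms":             {"faculty", "students"},
    "student_records": {"staff", "faculty"},
    "admin_console":   {"it"},
}
# Step 5 (constructed rule): services holding regulated data may only be
# reached from campus or through the remote-access gateway (VPN).
SENSITIVE = {"student_records", "admin_console"}


@dataclass
class Request:
    user: str
    group: str
    service: str
    on_campus: bool = True
    via_vpn: bool = False


@dataclass
class SecurityThreatGateway:
    log: list = field(default_factory=list)  # Step 7: every decision is kept

    def decide(self, req: Request) -> bool:
        if req.group not in SERVICE_SPACE.get(req.service, set()):
            return self._record(req, False, "group not mapped to service")
        if req.service in SENSITIVE and not (req.on_campus or req.via_vpn):
            return self._record(req, False, "sensitive service off-campus, no VPN")
        return self._record(req, True, "permitted")

    def _record(self, req: Request, ok: bool, reason: str) -> bool:
        self.log.append((req.user, req.group, req.service, ok, reason))
        return ok

    def denied(self) -> list:
        """The denied attempts an auditor would expect someone to review."""
        return [e for e in self.log if not e[3]]


def demo():
    stg = SecurityThreatGateway()
    results = [stg.decide(r) for r in (
        Request("alice", "students", "email"),
        Request("alice", "students", "student_records"),
        Request("bob", "staff", "student_records", on_campus=False),
        Request("bob", "staff", "student_records", on_campus=False, via_vpn=True),
        Request("carol", "faculty", "payroll"),  # unmapped service: denied
    )]
    return results, stg
```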
111. Summary Overview of IT Audits
- OIA Background
- Audit Process, Plan, and Expectations
  - The On-site Audit
- Example of "How to Prepare" COBIT 4.01
- Simple Example – Security Threat Gateways
112. Key Resources
- IIA -
- ISACA -
- ISC(2) -
- ISO -
- NIST -
- NSA -
- IASE -
- Web App Consortium -
- EDUCAUSE -
- Univ. Austin Texas Sec. -
- Univ. Cornell Sec. -
- Virginia Tech Sec. -
- Ga. Tech Info Sec. Center -
- Video Clips -
113. Call to Action & Challenge: "Birds of a Feather, Flock Together" or "Life is For the Birds" – Be Different? PIXAR "For the Birds", 3:16 minutes
114. Where are you in the Process of Preparation for the Audit? Standing Alone …? IT Can Seem a Little Funny …, BUT IT WILL WORK OUT!
Moral: "Don't Drink the Kool-Aid" and Be "Caught with Your Shorts Down"
Possible Situation: The Emperor has No Clothes - Who is Going to Tell Him?
Disclaimer: All PUNS are intended, and should not be held against the Retarded Auditor or OIA
115. Discussion & Questions? Suggestion?
  - Build "Relational Bridges of Trust" with Superiors - even though it Requires a Level of Vulnerability (I am an Idealist: USE Wisdom – hopefully, we have built one today)
  - Strategize a Plan to Address the Elephant in the Corner
    - Step 1: Where are your weaknesses for the Areas being Audited?
    - Step 2: What will it take to get to CMMI level 3?
    - Step 3: Who else needs to be included in the solution process?
    - Step 4: Make a physical list of resources that need to be accessed.
    - Step 5: Notify Key Stakeholders of their involvement and what you need from them to be successful!
    - Step 6: Take the time left before your audit and backward plan!
    - Step 7: No one likes ugly surprises – you can run, but you can't hide!