Auditing

1,701 views
1,623 views

Published on

ITS JUST TO HAVE A BASIC OVERVIEW

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
1,701
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
130
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Auditing

  1. 1. Who am I null nullcon Hackim Battle UnderGround Hyderabad Hackers missing two hackers
  2. 2. Companies are worried about ?
  3. 3. Restrictions on the accessibility and dissemination of information. Protecting data from modification or deletion by unauthorized parties confidentiality Integrity Availability Ensures that information or resources are available when required
  4. 4. A control put into place to mitigate potential loss.
  5. 5. AUDITING Industry needs it ? Ch.Pardhasaradhi a.k.a Babloo [email_address]
  6. 6. What is Auditing Types Of Auditors Audit Planning Audit Classification Practical Examples Phases of the Audit Process Security Policy AGENDA
  7. 7. Auditing An audit is an evaluation of an organization, system, process, project or product. Performed by competent, independent and objective person, known as auditors who then issue a report on the results of the audit. Who is responsible Formerly called an Electronic Data Processing (EDP) audit
  8. 8. Types of auditors Two types of auditors: These are employees of a company hired to assess and evaluate its system of internal control. Internal Auditors External Auditor These are independent staff assigned by an auditing firm to assess and evaluate financial statements of their clients or to perform other agreed upon evaluations.
  9. 9. PHASES OF THE AUDIT PROCESS <ul><li>Subject Example - Area, Department, or entity. </li></ul><ul><li>Objective Determine the audit objective or purpose. </li></ul><ul><li>Example - Are you going to audit the source code or a firewall services or a security policy. </li></ul><ul><li>Scope Typically associated with scope is how much time you going to take for this audit. </li></ul><ul><li>Pre-audit planning Identifying the needs </li></ul>
  10. 10. AUDIT PLANNING <ul><li> Gather Information </li></ul><ul><li> Identify Stated Components </li></ul><ul><li> Assess Risk </li></ul><ul><li> Perform Risk Analysis </li></ul><ul><li>Conducting Internal Control Review </li></ul><ul><li> Set Audit Scope and Objectives </li></ul><ul><li> Develop Auditing Strategy </li></ul><ul><li> Assign Resources </li></ul>
  11. 11. Audit Classifications <ul><li>Financial </li></ul><ul><li>Operational </li></ul><ul><li>Integrated </li></ul><ul><li>Administrative </li></ul><ul><li>Info Systems </li></ul><ul><li>Specialized </li></ul><ul><li>Forensics </li></ul>
  12. 12. Security Policy security policies are a special type of documented business rule for protecting information and the systems which store and process the information. Types Of Policies <ul><li>Regulatory Those enforced to meet legal compliance. </li></ul><ul><li>Advisory Define a required behavior with sanctions. </li></ul><ul><li>Informative Policies that are not enforceable, but can be regulated </li></ul>
  13. 13. <ul><li>Gather Information </li></ul><ul><li>Touring the key organization facilities </li></ul><ul><li>Looking at the physical infrastructure </li></ul><ul><li>Reading up on background material </li></ul><ul><li>Publication from the industry </li></ul><ul><li>Annual report </li></ul><ul><li>Semi annual reports </li></ul><ul><li>Independent financial analysis reports </li></ul><ul><li>Short term and long term strategic plans </li></ul><ul><li>Interview key personnel, key decision makers, CIO, key managers, </li></ul>
  14. 14. <ul><li>Identify Stated Components </li></ul><ul><li>Understand business issues </li></ul><ul><li>Understand business needs </li></ul><ul><li>Review prior auditing reports if any </li></ul><ul><li>Assess Risk </li></ul>Risk is the potential that a given threat will exploit vulnerabilities of an asset to cause loss or damage to the assets.
  15. 15. Risk Analysis <ul><li>Technique for identifying and assessing factors that can harm a process or goal. </li></ul><ul><li>RA involves implementing preventative measures to avert negative impact of incidents. </li></ul>Risk assets are of two types <ul><li>Physical assets </li></ul><ul><li>An item of economic, commercial or exchange value that has a tangible or material existence </li></ul><ul><li>ex :Physical location , Physical assets </li></ul><ul><li>Information assets </li></ul><ul><li>An Information Asset is a definable piece of information, stored in any manner which is recognized as 'valuable' to the organization </li></ul><ul><ul><ul><li>Ex: Ip and Data </li></ul></ul></ul>
  16. 16. Conducting Internal Control Review <ul><li>There are two types of control evaluations: </li></ul><ul><ul><li>Alternative Internal Control Review (AICR) </li></ul></ul><ul><ul><li>Internal Control Review (ICR). </li></ul></ul>AICRs and ICRs have the same goal: Assessing a component’s control system effectiveness. AICRs and ICRs also share common elements. Both types of reviews consist of the following steps: 1. Identifying what might go wrong (risk) 2. Comparing control systems to the GAO control standards 3. Testing control techniques 4. Documenting the evaluation 5. Planning corrective actions Internal Control - 17 6. Reporting the results
  17. 17. <ul><li>Set Audit Scope and Objectives </li></ul><ul><li>Develop Auditing Strategy </li></ul>Auditing Standards and is widely applied by auditing firms. The assessment of inherent and control risk as less than high and the performance of a lower level of substantive procedures involves considerable judgment and entails a degree of risk. <ul><li>Independence </li></ul><ul><li>Staffing and training </li></ul><ul><li>Relationships </li></ul><ul><li>Due care </li></ul><ul><li>Planning ,controlling and recording </li></ul><ul><li>Evaluation of internal control System </li></ul><ul><li>Reporting and follow up </li></ul>
  18. 18. <ul><li>Assign Resources </li></ul><ul><li>Achievable </li></ul><ul><li>Implemented </li></ul><ul><li>Long term Plans </li></ul><ul><li>Preliminary Access </li></ul><ul><li>Contingency Allowances </li></ul>
  19. 19. Auditing practically through some software's MBSA Log Parser Event Viewer Event tracker Group Edit policy in windows gpedit.msc is only in win7 Ultimate, Professional (old Business) and Enterprise editions, and not in the Windows 7 Home Premium or Basic editions.
  20. 20. gpedit.msc <ul><li>Local Computer Policy  Computer Configuration  Windows Settings  Security Settings  Local Policy  Audit Policy </li></ul>
  21. 21. Some Certification references ISO 27001 CISA CISSP ISACA community https://www.isaca.org/ Hyderabad Chapter http://isaca.org.in/ CISSP ISC2 https://www.isc2.org GSNA GIAC Systems and Network Auditor http://www.giac.org/certifications/audit/gsna.php
  22. 22. CISSP GUIDE Google Wikipedia References == Google

×