Compliance
• Compliance measures the extent to which defined policies, standards, and procedures are being followed.
• Compliance includes auditing, monitoring, and investigating at several different levels of the organization.

First level
• Detection of security violations minimizes the damage done to the organization.
• The information owner or individual assigned responsibility for the component must ensure that appropriate preventative and detective controls are in place and are being utilized effectively.
• Controls at this level include establishing and maintaining access, implementing monitoring and alert tools, administration of audit trail reports, management review of log-in attempts, implementing security parameters, and investigation of lockouts.

Second level
• Audit function.
• The audit function can be performed by the internal audit department, external auditors, or a combination of both according to industry standards.
• Audit objectives include ensuring compliance with corporate policies, standards, and procedures as well as developing programs to understand the control environment, perform risk assessment, and establish control procedures.

Third level
• Security Team or Committee level.
• This is investigative in nature and, instead of focusing on a particular application or component, the Security Team is responsible for ensuring that security is implemented organization wide.
LEVEL ONE COMPLIANCE: THE COMPONENT OWNER
• To ensure appropriate access, a procedure should be established to have component owners, network and application administrators run a listing of specified access by user on a quarterly basis, at a minimum.
• These reports are then submitted to the security liaison of each business function to review for appropriateness.

Additional responsibilities of the security coordinators/liaisons are to:
• Ensure that application access forms are initiated for existing and new users within the respective departmental area
• Ensure that access is modified or deleted when employees and nonemployees (consultants, contractors, business partners) operating within their business function or site are transferred or terminated
• Conduct user security awareness within their departmental function
• Ensure that the enterprise Confidentiality Agreement and exit interview forms are signed by all users operating within their department or area of responsibility
• Actively participate as a member of the Security Team
• Coordinate with the Security Officer on all security-related matters

• Network and application administrators are technically responsible for the operation of the network or application.
• The administrators set security defaults on the system and establish the baseline control standards upon completion of a risk assessment and identification of vulnerabilities.
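The quarterly access listing review described above can be scripted so the liaison receives findings rather than a raw dump. The following is an added example, not code from the slides or their source: it assumes a constructed access listing (user/role pairs exported by an application administrator), a constructed HR roster giving each person's status and department, a constructed per-department table of roles the liaison has approved, and a constructed list of role combinations that violate segregation of duties. Users who have been terminated, transferred to a department that does not approve their roles, or who hold a conflicting combination are reported for review; accounts with no roster entry (service or non-employee accounts) are flagged so their owner and business need can be confirmed.

```python
"""Quarterly access recertification check (added example; data is constructed)."""
from dataclasses import dataclass

# Constructed sample access listing: what the application currently grants.
ACCESS_LISTING = [
    ("alice", "AP_CLERK"),
    ("alice", "AP_APPROVER"),   # enters and approves payables: segregation-of-duties concern
    ("bob", "AP_CLERK"),
    ("carol", "GL_READ"),
    ("dave", "GL_POST"),        # dave was transferred out of Finance
    ("erin", "AP_CLERK"),       # erin was terminated last quarter
    ("svc_batch", "GL_POST"),   # service account, no HR roster entry
]

# Constructed HR roster: (status, current department) per user.
HR_ROSTER = {
    "alice": ("active", "Finance"),
    "bob": ("active", "Finance"),
    "carol": ("active", "Finance"),
    "dave": ("active", "Marketing"),
    "erin": ("terminated", "Finance"),
}

# Constructed approved entitlements per department, signed off by the liaison.
APPROVED_ROLES = {
    "Finance": {"AP_CLERK", "AP_APPROVER", "GL_READ", "GL_POST"},
    "Marketing": {"CRM_READ"},
}

# Constructed toxic combinations one person should not hold together.
SOD_CONFLICTS = [({"AP_CLERK", "AP_APPROVER"}, "enter and approve payables")]


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str
    detail: str


def recertify(access, roster, approved, sod_conflicts):
    """Return findings for the liaison: leavers, movers, unapproved roles, SoD conflicts."""
    findings = []
    by_user = {}
    for user, role in access:
        by_user.setdefault(user, set()).add(role)

    for user, roles in sorted(by_user.items()):
        if user not in roster:
            findings.append(Finding(user, "no_roster_entry",
                                    "not in HR roster; confirm owner and business need"))
            continue
        status, dept = roster[user]
        if status != "active":
            # Leaver still holding access: the liaison's "modified or deleted" duty
            findings.append(Finding(user, "terminated_with_access",
                                    f"status={status}; remove {sorted(roles)}"))
            continue
        # Mover or over-entitled user: roles the current department never approved
        excess = roles - approved.get(dept, set())
        if excess:
            findings.append(Finding(user, "role_not_approved_for_department",
                                    f"{dept} does not approve {sorted(excess)}"))
        for combo, description in sod_conflicts:
            if combo <= roles:
                findings.append(Finding(user, "segregation_of_duties",
                                        f"holds {sorted(combo)}: can {description}"))
    return findings


if __name__ == "__main__":
    for f in recertify(ACCESS_LISTING, HR_ROSTER, APPROVED_ROLES, SOD_CONFLICTS):
        print(f"{f.user:10} {f.issue:35} {f.detail}")
```

Running the script on the constructed data produces four findings: alice (segregation of duties), dave (role not approved for Marketing), erin (terminated but still provisioned) and svc_batch (no roster entry). In practice the access listing would be the administrator's quarterly export and the roster an HR feed; the approved-roles table is the artefact the liaison maintains.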
LEVEL TWO COMPLIANCE: THE AUDIT FUNCTION
• The audit function is concerned with obtaining an understanding of and evaluating an organization’s internal control.
• Internal control refers to the processes established by an organization’s board of directors, management, and technical staff to provide effective and efficient operations, reliable financial reporting, and compliance with applicable laws and regulations.

The components of internal control include:
• The control environment
• Risk assessment
• Control procedures
• Monitoring activities
• Information and communication

The control environment
• The integrity, ethical values, and fitness of the people within the organization establish the control environment.
• Audit seeks to ensure that the control environment is effective by assessing the stability and consistency of the factors mentioned above.

Risk assessment
• Risk assessment provides identification and analysis of realistic and associated risks in achieving the organization’s business objectives.
• The audit function seeks to establish information security controls that are proportionate to the value, sensitivity, and criticality of the systems and information being protected.
• This includes the probability, frequency, and severity of loss or damage that can occur.

Control procedures
• Control procedures ensure that management directives are implemented.
• Control procedures include authorization, verification, approval, reconciliation, analysis of the efficiency of operations, implementation of access controls, physical security of assets, and segregation of duties.

Monitoring activities
• Monitoring activities include well-defined and scheduled management and supervisory activities to determine whether control procedures are performed effectively and consistently.
• Auditors monitor the control processes and procedures for indications of weakness in the control environment that has been established, while security, network, and application administrators monitor specific implementations for errors, damage, or indications of unauthorized access to systems and applications.

Information and communication
• Information and communication in the audit environment includes the timely processing and dissemination of operational, financial, and compliance-related information to manage the business effectively.

• Auditing is most often coupled with the reliability of financial reporting.
• The second portion of a computer audit encompasses understanding and evaluating the general computer controls for an operating environment.
• When testing general computer controls, there are four areas of consideration:
– Information security
– System acquisition, development, and maintenance
– Computer operations
– Information systems support

• Information security includes testing for logical security of online and batch access controls.
• System acquisition, development, and maintenance include the quality of new systems design and implementation, as well as program change control.
• Computer operations entail media library management, job scheduling, physical control of devices, information and data, report distribution, backup, and recovery.
• Information systems support includes all of the peripherals that support an application and processing environment such as controls related to operating system software, database administration, network operations, and end-user computing.
Financial audit
• The auditors must determine what level of reliance they place on key controls.
• When reliance is high — which means that they trust the output data to be true and correct — a test of the key controls must be performed for completeness, accuracy, validity, and restricted access.
• Controls are a combination of monitoring controls, and both manual and automated application controls.
• Application controls and related control objectives are procedures designed to ensure the integrity of the accounting records.

Control objectives include:
• Completeness: all transactions are recorded, entered into the system, and accepted for processing once and only once. All transactions input are updated to the appropriate files, and once updated remain correct and current.
• Accuracy: data and information are recorded and accurately input to the computer. Changes made to data files are accurately input, and all input transactions are accepted for processing and updated to the appropriate data files.
• Validity: transactions are authorized and represent true and valid transactions related to the appropriate client. Changes to existing data are not made without appropriate authorization.
• Restricted access: only individuals by virtue of their job function can access data files for changes or updates. Controls protect the confidentiality of the data and physical controls protect cash and inventory.

• When testing the general computer controls, the auditor is looking for potential errors in completeness, accuracy, validity, and restricted access.
• Tests of validity ensure that for a process that is taking place, whether it is a calculation or allowing a user to gain access to a system, it is a relevant and legitimate process.
• A risk-based approach to auditing determines how often a particular application or operating system is audited and will depend on the assessed risk to the organization as well as the strength of the control environment for a particular application or operating system.
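The four control objectives translate directly into an automated reconciliation an auditor can run over an input batch and the file it was posted to. The following is an added example, not from the slides or their source. All of its inputs are constructed: a batch as keyed in at the entry screen, the posted ledger records, a table of users authorized to approve transactions, and the set of identities permitted to change posted records. Amounts are held in cents so that equality comparisons are exact. Each exception is filed under the objective it violates.

```python
"""Application-control test over a constructed transaction batch (added example)."""
from collections import Counter

# Constructed input batch: what users keyed in, with who entered and who approved.
INPUT_BATCH = [
    {"id": "T1", "cents": 10000, "entered_by": "bob", "approved_by": "alice"},
    {"id": "T2", "cents": 25050, "entered_by": "bob", "approved_by": "alice"},
    {"id": "T3", "cents": 7500, "entered_by": "carol", "approved_by": "bob"},   # bob may not approve
    {"id": "T4", "cents": 4000, "entered_by": "bob", "approved_by": None},      # never approved
]

# Constructed posted ledger: what actually reached the accounting file.
POSTED_LEDGER = [
    {"id": "T1", "cents": 10000, "last_changed_by": "batch_post"},
    {"id": "T2", "cents": 20550, "last_changed_by": "batch_post"},  # digits transposed on posting
    {"id": "T2", "cents": 20550, "last_changed_by": "batch_post"},  # posted twice
    {"id": "T3", "cents": 7500, "last_changed_by": "dave"},         # edited outside the posting process
    # T4 is absent: input but never posted
]

APPROVERS = {"alice"}              # constructed: who may approve a transaction
MAY_CHANGE_LEDGER = {"batch_post"}  # constructed: who may write posted records


def run_control_tests(batch, ledger, approvers, may_change):
    """Return exceptions grouped by control objective."""
    ex = {"completeness": [], "accuracy": [], "validity": [], "restricted_access": []}
    posted_count = Counter(row["id"] for row in ledger)
    first_posting = {}
    for row in ledger:
        first_posting.setdefault(row["id"], row)
    batch_ids = {tx["id"] for tx in batch}

    for tx in batch:
        tid = tx["id"]
        n = posted_count.get(tid, 0)
        # Completeness: accepted for processing once and only once
        if n == 0:
            ex["completeness"].append(f"{tid} input but never posted")
        elif n > 1:
            ex["completeness"].append(f"{tid} posted {n} times")
        # Accuracy: the amount updated to the file equals the amount input
        if n and first_posting[tid]["cents"] != tx["cents"]:
            ex["accuracy"].append(
                f"{tid} input {tx['cents']} posted {first_posting[tid]['cents']}")
        # Validity: authorized, by an authorized approver, and not self-approved
        if tx["approved_by"] is None:
            ex["validity"].append(f"{tid} has no approval")
        elif tx["approved_by"] not in approvers:
            ex["validity"].append(
                f"{tid} approved by {tx['approved_by']}, who is not an approver")
        elif tx["approved_by"] == tx["entered_by"]:
            ex["validity"].append(f"{tid} entered and approved by the same user")

    # Validity: every posted record traces back to an input transaction
    for tid in sorted(set(posted_count) - batch_ids):
        ex["validity"].append(f"{tid} posted without a source transaction")

    # Restricted access: only the posting process changes ledger records
    for row in ledger:
        if row["last_changed_by"] not in may_change:
            ex["restricted_access"].append(
                f"{row['id']} last changed by {row['last_changed_by']}")
    return ex


if __name__ == "__main__":
    for objective, items in run_control_tests(
            INPUT_BATCH, POSTED_LEDGER, APPROVERS, MAY_CHANGE_LEDGER).items():
        print(objective, items or "no exceptions")
```

On the constructed data the test reports T2 posted twice and T4 never posted (completeness), T2's transposed amount (accuracy), T3's unauthorized approver and T4's missing approval (validity), and T3 being changed by someone outside the posting process (restricted access). The "first posting" amount is the one compared, so a duplicate posting shows up once under completeness rather than also inflating the accuracy list.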
LEVEL THREE COMPLIANCE: THE SECURITY TEAM
• The Security Team or Committee is responsible for ensuring that security is implemented organization wide.
• An ISA that has been developed and implemented needs to be continuously assessed for effectiveness, changes to the environment that will require changes to the ISA, and modifications for improvement to the overall architecture.

• The Security Team is looking for something different than that of the system auditors.
• The Security Team is looking for implementation of the policies, standards, and procedures that have been developed under its direction.
• Auditors are looking for the effectiveness of controls as they are implemented for critical programs and applications.
• The network administrator is concerned with the specific implementation details for a particular component.

How does the Security Team assess the effectiveness of the ISA?
• The Security Team should be involved in reviewing the results of all audit, control, or security reviews that occur within the organization.
• The Security Team is tasked with understanding why the results may not have been so spectacular and what was the systemic reason for lax or ineffective controls.
• The Security Team also acts as the investigative arm for security issues and incidents.
LINE OF BUSINESS (LOB) SECURITY PLAN
• The LOB Security Plan should provide an overview of the operational environment, identify key controls within the organization, and provide the basis for measuring compliance to the corporate security policies, standards, and procedures.
• The LOB Security Plan is designed to provide a baseline document for understanding the processing environment, performing baseline security assessments of that environment, and seeking to make improvements to meet the corporate goals and objectives for security.
ENTERPRISE MANAGEMENT TOOLS
• Account integrity: to identify and prevent users from having security privileges that exceed the security policy
• Backup integrity: to identify files that are not being backed up
• File access: to examine files to verify security settings that are established in the security policy
• File attributes: to identify files whose attributes have changed from the baseline
• File find: to check files for viruses and other corruption that could lead to data loss
• Log-in parameters: to scan for log-in parameters that fall outside the security policy
• Object integrity: to identify changes in ownership and permissions for software objects
• Password strength: to check the password parameters for validation against the security policy
• Startup files: to examine startup files for potential security breaches
• System auditing: to monitor audit trails and system accounts
• System mail: to check known problem areas for security lapses
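Two of the checks in that list, file attributes against a baseline and account integrity, are small enough to show end to end. The following is an added example and not code from the slides or any product they describe. It assumes a POSIX filesystem (mode bits and owner uid from `os.lstat`), a constructed temporary directory that the demo creates and then modifies to simulate drift, and constructed group membership and privilege-policy tables. The baseline records mode, owner, size and SHA-256 for each regular file; the comparison reports which attributes changed, so a content change that leaves the size identical is still caught, and a permission change on an unchanged file is reported as a mode change only.

```python
"""File-attribute baseline and account-integrity checks (added example; data constructed)."""
import hashlib
import os
import stat
import tempfile


def build_baseline(root):
    """Record mode, owner uid, size and SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and sockets
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
                "size": st.st_size,
                "sha256": digest,
            }
    return baseline


def diff_baselines(old, new):
    """Return files added, removed, and changed (with the attributes that differ)."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {}
    for rel in sorted(set(old) & set(new)):
        fields = sorted(k for k in old[rel] if old[rel][k] != new[rel][k])
        if fields:
            changed[rel] = fields
    return {"added": added, "removed": removed, "changed": changed}


# Constructed group membership and the policy stating who may hold each privileged group.
GROUP_MEMBERS = {"sudo": {"alice", "bob", "deploy"}, "docker": {"bob", "carol"}}
PRIVILEGE_POLICY = {"sudo": {"alice", "bob"}, "docker": {"bob"}}


def check_privileged_members(group_members, policy):
    """Account integrity: (group, member) pairs where membership exceeds policy."""
    findings = []
    for group, allowed in policy.items():
        for member in sorted(group_members.get(group, ())):
            if member not in allowed:
                findings.append((group, member))
    return findings


def demo_file_attributes():
    """Create a constructed directory, baseline it, simulate drift, and return the diff."""
    root = tempfile.mkdtemp(prefix="baseline_demo_")
    conf = os.path.join(root, "app.conf")
    script = os.path.join(root, "run.sh")
    with open(conf, "w") as fh:
        fh.write("level=info\n")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho ok\n")
    os.chmod(script, 0o750)
    before = build_baseline(root)

    # Simulated drift: same-length content edit, permission widened, new file dropped in.
    with open(conf, "w") as fh:
        fh.write("level=warn\n")      # same size as before, different hash
    os.chmod(script, 0o777)
    with open(os.path.join(root, "new.tmp"), "wb") as fh:
        fh.write(b"constructed")
    after = build_baseline(root)
    return diff_baselines(before, after)


if __name__ == "__main__":
    print(demo_file_attributes())
    print(check_privileged_members(GROUP_MEMBERS, PRIVILEGE_POLICY))
```

In the demo, `app.conf` is reported with only `sha256` changed (its size did not move), `run.sh` with only `mode` changed, and `new.tmp` as added; the account check reports `deploy` in `sudo` and `carol` in `docker` as members the policy does not allow. A production run would store the baseline somewhere the monitored host cannot rewrite it, since a baseline the attacker can update is no baseline at all.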
Pitfalls to an Effective ISA Program
• Lack of project sponsorship and executive management support
• Executive management’s lack of understanding of realistic risk
• Lack of resources
• Impact of mergers and acquisitions on disparate systems
• Independent operations throughout business units
• Discord between mainframe versus distributed computing cultures
• Corporate cultures with the objective to foster trust in the organization that contradict an environment requiring more stringent controls
• Fortune 500 enterprises that have grown from mom-and-pop shop beginnings and do not completely support the constraints conducive to secure operations
• Third-party and remote network management
• The rate of change in technology