Successfully reported this slideshow.

It audit methodologies

2,473 views

Published on

Internal Audit

Published in: Business
  • Be the first to comment

  • Be the first to like this

It audit methodologies

  1. 1. IT AUDIT METHODOLOGIES
  2. 2. IT Audit Methodologies • CobiT • BS 7799 - Code of Practice (CoP) • BSI - IT Baseline Protection Manual • ITSEC • Common Criteria (CC)
  3. 3. Main Areas of Use • IT Audits • Risk Analysis • Health Checks (Security Benchmarking) • Security Concepts • Security Manuals / Handbooks
  4. 4. Security Definition • Confidentiality • Integrity – Correctness – Completeness • Availability
  5. 5. CobiT • Governance, Control & Audit for IT • Developed by ISACA • Releases – CobiT 1: 1996 • 32 Processes • 271 Control Objectives – CobiT 2: 1998 • 34 Processes • 302 Control Objectives
  6. 6. CobiT - Model for IT Governance • 36 Control models used as basis: – Business control models (e.g. COSO) – IT control models (e.g. DTI‘s CoP) • CobiT control model covers: – Security (Confidentiality, Integrity, Availability) – Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information) – IT Resources (Data, Application Systems, Technology, Facilities, People)
  7. 7. CobiT - Framework
  8. 8. CobiT - Structure • 4 Domains – PO - Planning & Organisation • 11 processes (high-level control objectives) – AI - Acquisition & Implementation • 6 processes (high-level control objectives) – DS - Delivery & Support • 13 processes (high-level control objectives) – M - Monitoring • 4 processes (high-level control objectives)
  9. 9. PO - Planning and Organisation • PO 1 Define a Strategic IT Plan • PO 2 Define the Information Architecture • PO 3 Determine the Technological Direction • PO 4 Define the IT Organisation and Relationships • PO 5 Manage the IT Investment • PO 6 Communicate Management Aims and Direction • PO 7 Manage Human Resources • PO 8 Ensure Compliance with External Requirements • PO 9 Assess Risks • PO 10 Manage Projects • PO 11 Manage Quality
  10. 10. AI - Acquisition and Implementation • AI 1 Identify Solutions • AI 2 Acquire and Maintain Application Software • AI 3 Acquire and Maintain Technology Architecture • AI 4 Develop and Maintain IT Procedures • AI 5 Install and Accredit Systems • AI 6 Manage Changes
  11. 11. DS - Delivery and Support • DS 1 Define Service Levels • DS 2 Manage Third-Party Services • DS 3 Manage Performance and Capacity • DS 4 Ensure Continuous Service • DS 5 Ensure Systems Security • DS 6 Identify and Attribute Costs • DS 7 Educate and Train Users DS 8 Assist and Advise IT Customers DS 9 Manage the Configuration DS 10 Manage Problems and Incidents DS 11 Manage Data DS 12 Manage Facilities DS 13 Manage Operations
  12. 12. M - Monitoring • M 1 Monitor the Processes • M 2 Assess Internal Control Adequacy • M 3 Obtain Independent Assurance • M 4 Provide for Independent Audit
  13. 13. CobiT - IT Process Matrix Information Criteria – Effectiveness – Efficiency – Confidentiality – Integrity – Availability – Compliance – Reliability IT Resources People Applications Technology Facilities Data
  14. 14. CobiT - Summary • Mainly used for IT audits, incl. security aspects • No detailed evaluation methodology described • Developed by international organisation (ISACA) • Up-to-date: Version 2 released in 1998 • Only high-level control objectives described • Detailed IT control measures are not documented • Not very user friendly - learning curve! • Evaluation results not shown in graphic form
  15. 15. BS 7799 - Security Baseline Controls • 10 control categories • 32 control groups • 109 security controls • 10 security key controls
  16. 16. BS 7799 - Control Categories • Information security policy • Security organisation • Assets classification & control • Personnel security • Physical & environmental security • Computer & network management
  17. 17. BS 7799 - Control Categories • System access control • Systems development & maintenance • Business continuity planning • Compliance
  18. 18. BS7799 - 10 Key Controls • Information security policy document • Allocation of information security responsibilities • Information security education and training • Reporting of security incidents • Virus controls
  19. 19. BS7799 - 10 Key Controls • Business continuity planning process • Control of proprietary software copying • Safeguarding of organizational records • Data protection • Compliance with security policy
  20. 20. BS7799 - Summary • Main use: Security Concepts & Health Checks • No evaluation methodology described • British Standard, developed by UK DTI • Certification scheme in place (c:cure) • BS7799, Part1, 1995 is being revised in 1999 • Lists 109 ready-to-use security controls • No detailed security measures described • Very user friendly - easy to learn
  21. 21. BSI - Structure • IT security measures – 7 areas – 34 modules (building blocks) • Safeguards catalogue – 6 categories of security measures • Threats catalogue – 5 categories of threats
  22. 22. BSI - Security Measures (Modules) • Protection for generic components • Infrastructure • Non-networked systems • LANs • Data transfer systems • Telecommunications • Other IT components
  23. 23. BSI - Generic Components • 3.1 Organisation • 3.2 Personnel • 3.3 Contingency Planning • 3.4 Data Protection
  24. 24. BSI - Infrastructure • 4.1 Buildings • 4.2 Cabling • 4.3 Rooms • 4.3.1 Office • 4.3.2 Server Room • 4.3.3 Storage Media Archives • 4.3.4 Technical Infrastructure Room • 4.4 Protective cabinets • 4.5 Home working place
  25. 25. BSI - Non-Networked Systems • 5.1 DOS PC (Single User) • 5.2 UNIX System • 5.3 Laptop • 5.4 DOS PC (multiuser) • 5.5 Non-networked Windows NT computer • 5.6 PC with Windows 95 • 5.99 Stand-alone IT systems
  26. 26. BSI - LANs • 6.1 Server-Based Network • 6.2 Networked Unix Systems • 6.3 Peer-to-Peer Network • 6.4 Windows NT network • 6.5 Novell Netware 3.x • 6.6 Novell Netware version 4.x • 6.7 Heterogeneous networks
  27. 27. BSI - Data Transfer Systems • 7.1 Data Carrier Exchange • 7.2 Modem • 7.3 Firewall • 7.4 E-mail
  28. 28. BSI - Telecommunications • 8.1 Telecommunication system • 8.2 Fax Machine • 8.3 Telephone Answering Machine • 8.4 LAN integration of an IT system via ISDN
  29. 29. BSI - Other IT Components • 9.1 Standard Software • 9.2 Databases • 9.3 Telecommuting
  30. 30. BSI - Module „Data Protection“ (3.4) • Threats - Technical failure: – T 4.13 Loss of stored data • Security Measures - Contingency planning: – S 6.36 Stipulating a minimum data protection concept – S 6.37 Documenting data protection procedures – S 6.33 Development of a data protection concept (optional) – S 6.34 Determining the factors influencing data protection (optional) – S 6.35 Stipulating data protection procedures (optional) – S 6.41 Training data reconstruction • Security Measures - Organisation: – S 2.41 Employees' commitment to data protection – S 2.137 Procurement of a suitable data backup system
  31. 31. BSI - Safeguards (420 safeguards) • S1 - Infrastructure ( 45 safeguards) • S2 - Organisation (153 safeguards) • S3 - Personnel ( 22 safeguards) • S4 - Hardware & Software ( 83 safeguards) • S5 - Communications ( 62 safeguards) • S6 - Contingency Planning ( 55 safeguards)
  32. 32. BSI - S1-Infrastructure (45 safeguards) • S 1.7 Hand-held fire extinguishers • S 1.10 Use of safety doors • S 1.17 Entrance control service • S 1.18 Intruder and fire detection devices • S 1.27 Air conditioning • S 1.28 Local uninterruptible power supply [UPS] • S 1.36 Safekeeping of data carriers before and after dispatch
  33. 33. BSI - Security Threats (209 threats) • T1 - Force Majeure (10 threats) • T2 - Organisational Shortcomings (58 threats) • T3 - Human Errors (31 threats) • T4 - Technical Failure (32 threats) • T5 - Deliberate acts (78 threats)
  34. 34. BSI - T3-Human Errors (31 threats) • T 3.1 Loss of data confidentiality/integrity as a result of IT user error • T 3.3 Non-compliance with IT security measures • T 3.6 Threat posed by cleaning staff or outside staff • T 3.9 Incorrect management of the IT system • T 3.12 Loss of storage media during transfer • T 3.16 Incorrect administration of site and data access rights • T 3.24 Inadvertent manipulation of data • T 3.25 Negligent deletion of objects IT Audit Methodoloies
  35. 35. BSI - Summary • Main use: Security concepts & manuals • No evaluation methodology described • Developed by German BSI (GISA) • Updated version released each year • Lists 209 threats & 420 security measures • 34 modules cover generic & platform specific security requirements
  36. 36. BSI - Summary • User friendly with a lot of security details • Not suitable for security risk analysis • Results of security coverage not shown in graphic form • Manual in HTML format on BSI web server • Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each) • Paper copy of manual: DM 118.-- • Software ‚BSI Tool‘ (only in German): DM 515.--
  37. 37. ITSEC, Common Criteria • ITSEC: IT Security Evaluation Criteria • Developed by UK, Germany, France, Netherl. and based primarily on USA TCSEC (Orange Book) • Releases – ITSEC: 1991 – ITSEM: 1993 (IT Security Evaluation Manual) – UK IT Security Evaluation & Certification scheme: 1994
  38. 38. ITSEC, Common Criteria • Common Criteria (CC) • Developed by USA, EC: based on ITSEC • ISO International Standard • Releases – CC 1.0: 1996 – CC 2.0: 1998 – ISO IS 15408: 1999
  39. 39. ITSEC - Methodology • Based on systematic, documented approach for security evaluations of systems & products • Open ended with regard to defined set of security objectives – ITSEC Functionality classes; e.g. FC-C2 – CC protection profiles • Evaluation steps: – Definition of functionality – Assurance: confidence in functionality
  40. 40. ITSEC - Functionality • Security objectives (Why) – Risk analysis (Threats, Countermeasures) – Security policy • Security enforcing functions (What) – technical & non-technical • Security mechanisms (How) • Evaluation levels
  41. 41. ITSEC - Assurance • Goal: Confidence in functions & mechanisms • Correctness – Construction (development process & environment) – Operation (process & environment) • Effectiveness – Suitability analysis – Strength of mechanism analysis – Vulnerabilities (construction & operation)
  42. 42. CC - Security Concept
  43. 43. CC - Evaluation Goal
  44. 44. CC - Documentation CC Part 2 Functional Requirements Functional Classes Functional Families Functional CC Part 1 Introduction and Model Introduction to Approach Terms and Model Requirements for Protection Profiles (PP) and Security Targets (ST) Components Detailed Requirements CC Part 3 Assurance Requirements Assurance Classes Assurance Families Assurance Components Detailed Requirements Evaluation Assurance Levels (EAL)
  45. 45. CC - Security Requirements Functional Requirements for defining security behavior of the IT product or system: implemented requirements become security functions Assurance Requirements for establishing confidence in Security Functions: correctness of implementation effectiveness in satisfying objectives
  46. 46. CC - Security Functional Classes Name Audit Communications Cryptographic Support User Data Protection Identification & Authentication Security Management Privacy Protection of TOE Security Functions Resource Utilization TOE (Target Of Evaluation) Access Trusted Path / Channels Class FAU FCO FCS FDP FIA FMT FPR FPT FRU FTA FTP
  47. 47. CC - Security Assurance Classes Name Configuration Management Delivery & Operation Development Guidance Documents Life Cycle Support Tests Vulnerability Assessment Protection Profile Evaluation Security Target Evaluation Maintenance of Assurance Class ACM ADO ADV AGD ALC ATE AVA APE ASE AMA
  48. 48. CC - Eval. Assurance Levels (EALs) Name Functionally Tested Structurally Tested Methodically Tested & Checked Methodically Designed, Tested & Reviewed Semiformally Designed & Tested Semiformally Verified Design & Tested Formally Verified Design & Tested EAL EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7 *TCSEC C1 C2 B1 B2 B3 A1 *TCSEC = “Trusted Computer Security Evaluation Criteria” --”Orange Book”
  49. 49. ITSEC, CC - Summary • Used primarily for security evaluations and not for generalized IT audits • Defines evaluation methodology • Based on International Standard (ISO 15408) • Certification scheme in place • Updated & enhanced on a yearly basis • Includes extensible standard sets of security requirements (Protection Profile libraries)
  50. 50. Comparison of Methods - Criteria • Standardisation • Independence • Certifiability • Applicability in practice • Adaptability
  51. 51. Comparison of Methods - Criteria • Extent of Scope • Presentation of Results • Efficiency • Update frequency • Ease of Use
  52. 52. Comparison of Methods - Results CobiT 3.4 3.3 2.7 2.8 3.3 3.1 1.9 3.0 3.1 2.3 Standardisation Independence Certifyability Applicability in practice Adaptability Extent of Scope Presentation of Results Efficiency Update frequency Ease of Use BS 7799 3.3 3.6 3.3 3.0 2.8 2.9 2.2 2.8 2.4 2.7 BSI 3.1 3.5 3.0 3.1 3.3 2.7 2.6 3.0 3.4 2.8 ITSEC/CC 3.9 3.9 3.7 2.5 3.0 2.6 1.7 2.5 2.8 2.0 Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC form H.P. Winiger
  53. 53. CobiT - Assessment
  54. 54. BS 7799 - Assessment
  55. 55. BSI - Assessment
  56. 56. ITSEC/CC - Assessment
  57. 57. Use of Methods for IT Audits • CobiT: Audit method for all IT processes • ITSEC, CC: Systematic approach for evaluations • BS7799, BSI: List of detailed security measures to be used as best practice documentation • Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.) • What is needed in addition: – Audit concept (general aspects, infrastructure audits, application audits)

×