This document provides an overview of several IT audit methodologies: CobiT, BS 7799, BSI, ITSEC, and Common Criteria. CobiT is a framework for IT governance and control developed by ISACA that defines 34 processes across 4 domains (planning, acquisition, delivery, and monitoring). BS 7799 is a British standard focused on IT security baseline controls across 10 categories. BSI is a German manual that describes 34 security modules, 420 security measures, and 209 threats. ITSEC and Common Criteria are methodologies for evaluating the security of IT systems and products at defined assurance levels. Each methodology has different strengths in areas like scope, structure, user-friendliness, and frequency of updates

2. IT AUDIT
METHODOLOGIES

3. IT Audit Methodologies
• CobiT
• BS 7799 - Code of Practice (CoP)
• BSI - IT Baseline Protection Manual
• ITSEC
• Common Criteria (CC)

4. Main Areas of Use
• IT Audits
• Risk Analysis
• Health Checks (Security Benchmarking)
• Security Concepts
• Security Manuals / Handbooks

5. Security Definition
• Confidentiality
• Integrity
– Correctness
– Completeness
• Availability

6. CobiT
• Governance, Control & Audit for IT
• Developed by ISACA
• Releases
– CobiT 1: 1996
• 32 Processes
• 271 Control Objectives
– CobiT 2: 1998
• 34 Processes
• 302 Control Objectives

7. CobiT - Model for IT Governance
• 36 Control models used as basis:
– Business control models (e.g. COSO)
– IT control models (e.g. DTI‘s CoP)
• CobiT control model covers:
– Security (Confidentiality, Integrity, Availability)
– Fiduciary (Effectiveness, Efficiency, Compliance,
Reliability of Information)
– IT Resources (Data, Application Systems,
Technology, Facilities, People)

8. CobiT - Framework

9. CobiT - Structure
• 4 Domains
– PO - Planning & Organisation
• 11 processes (high-level control objectives)
– AI - Acquisition & Implementation
• 6 processes (high-level control objectives)
– DS - Delivery & Support
• 13 processes (high-level control objectives)
– M - Monitoring
• 4 processes (high-level control objectives)

10. PO - Planning and Organisation
• PO 1 Define a Strategic IT Plan
• PO 2 Define the Information Architecture
• PO 3 Determine the Technological Direction
• PO 4 Define the IT Organisation and Relationships
• PO 5 Manage the IT Investment
• PO 6 Communicate Management Aims and Direction
• PO 7 Manage Human Resources
• PO 8 Ensure Compliance with External Requirements
• PO 9 Assess Risks
• PO 10 Manage Projects
• PO 11 Manage Quality

11. AI - Acquisition and Implementation
• AI 1 Identify Solutions
• AI 2 Acquire and Maintain Application
Software
• AI 3 Acquire and Maintain Technology
Architecture
• AI 4 Develop and Maintain IT Procedures
• AI 5 Install and Accredit Systems
• AI 6 Manage Changes

12. DS - Delivery and Support
• DS 1 Define Service Levels
• DS 2 Manage Third-Party
Services
• DS 3 Manage Performance and
Capacity
• DS 4 Ensure Continuous Service
• DS 5 Ensure Systems Security
• DS 6 Identify and Attribute Costs
• DS 7 Educate and Train Users
DS 8 Assist and Advise IT
Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and
Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations

13. M - Monitoring
• M 1 Monitor the Processes
• M 2 Assess Internal Control Adequacy
• M 3 Obtain Independent Assurance
• M 4 Provide for Independent Audit

14. CobiT - IT Process Matrix
Information
Criteria
– Effectiveness
– Efficiency
– Confidentiality
– Integrity
– Availability
– Compliance
– Reliability
IT Resources
People
Applications
Technology
Facilities
Data

15. CobiT - Summary
• Mainly used for IT audits, incl. security aspects
• No detailed evaluation methodology described
• Developed by international organisation (ISACA)
• Up-to-date: Version 2 released in 1998
• Only high-level control objectives described
• Detailed IT control measures are not documented
• Not very user friendly - learning curve!
• Evaluation results not shown in graphic form

16. BS 7799 - Security Baseline Controls
• 10 control categories
• 32 control groups
• 109 security controls
• 10 security key controls

17. BS 7799 - Control Categories
• Information security policy
• Security organisation
• Assets classification & control
• Personnel security
• Physical & environmental security
• Computer & network management

18. BS 7799 - Control Categories
• System access control
• Systems development & maintenance
• Business continuity planning
• Compliance

19. BS7799 - 10 Key Controls
• Information security policy document
• Allocation of information security
responsibilities
• Information security education and training
• Reporting of security incidents
• Virus controls

20. BS7799 - 10 Key Controls
• Business continuity planning process
• Control of proprietary software copying
• Safeguarding of organizational records
• Data protection
• Compliance with security policy

21. BS7799 - Summary
• Main use: Security Concepts & Health Checks
• No evaluation methodology described
• British Standard, developed by UK DTI
• Certification scheme in place (c:cure)
• BS7799, Part1, 1995 is being revised in 1999
• Lists 109 ready-to-use security controls
• No detailed security measures described
• Very user friendly - easy to learn

22. BSI - Structure
• IT security measures
– 7 areas
– 34 modules (building blocks)
• Safeguards catalogue
– 6 categories of security measures
• Threats catalogue
– 5 categories of threats

23. BSI - Security Measures (Modules)
• Protection for generic components
• Infrastructure
• Non-networked systems
• LANs
• Data transfer systems
• Telecommunications
• Other IT components

24. BSI - Generic Components
• 3.1 Organisation
• 3.2 Personnel
• 3.3 Contingency Planning
• 3.4 Data Protection

25. BSI - Infrastructure
• 4.1 Buildings
• 4.2 Cabling
• 4.3 Rooms
• 4.3.1 Office
• 4.3.2 Server Room
• 4.3.3 Storage Media Archives
• 4.3.4 Technical Infrastructure Room
• 4.4 Protective cabinets
• 4.5 Home working place

26. BSI - Non-Networked Systems
• 5.1 DOS PC (Single User)
• 5.2 UNIX System
• 5.3 Laptop
• 5.4 DOS PC (multiuser)
• 5.5 Non-networked Windows NT computer
• 5.6 PC with Windows 95
• 5.99 Stand-alone IT systems

27. BSI - LANs
• 6.1 Server-Based Network
• 6.2 Networked Unix Systems
• 6.3 Peer-to-Peer Network
• 6.4 Windows NT network
• 6.5 Novell Netware 3.x
• 6.6 Novell Netware version 4.x
• 6.7 Heterogeneous networks

28. BSI - Data Transfer Systems
• 7.1 Data Carrier Exchange
• 7.2 Modem
• 7.3 Firewall
• 7.4 E-mail

29. BSI - Telecommunications
• 8.1 Telecommunication system
• 8.2 Fax Machine
• 8.3 Telephone Answering Machine
• 8.4 LAN integration of an IT system via
ISDN

30. BSI - Other IT Components
• 9.1 Standard Software
• 9.2 Databases
• 9.3 Telecommuting

31. BSI - Module „Data Protection“ (3.4)
• Threats - Technical failure:
– T 4.13 Loss of stored data
• Security Measures - Contingency planning:
– S 6.36 Stipulating a minimum data protection concept
– S 6.37 Documenting data protection procedures
– S 6.33 Development of a data protection concept (optional)
– S 6.34 Determining the factors influencing data protection (optional)
– S 6.35 Stipulating data protection procedures (optional)
– S 6.41 Training data reconstruction
• Security Measures - Organisation:
– S 2.41 Employees' commitment to data protection
– S 2.137 Procurement of a suitable data backup system

32. BSI - Safeguards (420 safeguards)
• S1 - Infrastructure ( 45 safeguards)
• S2 - Organisation (153 safeguards)
• S3 - Personnel ( 22 safeguards)
• S4 - Hardware & Software ( 83 safeguards)
• S5 - Communications ( 62 safeguards)
• S6 - Contingency Planning ( 55 safeguards)

33. BSI - S1-Infrastructure (45 safeguards)
• S 1.7 Hand-held fire extinguishers
• S 1.10 Use of safety doors
• S 1.17 Entrance control service
• S 1.18 Intruder and fire detection devices
• S 1.27 Air conditioning
• S 1.28 Local uninterruptible power supply [UPS]
• S 1.36 Safekeeping of data carriers before and
after dispatch

34. BSI - Security Threats (209 threats)
• T1 - Force Majeure (10 threats)
• T2 - Organisational Shortcomings (58
threats)
• T3 - Human Errors (31 threats)
• T4 - Technical Failure (32 threats)
• T5 - Deliberate acts (78 threats)

35. BSI - T3-Human Errors (31 threats)
• T 3.1 Loss of data confidentiality/integrity as a result of IT
user error
• T 3.3 Non-compliance with IT security measures
• T 3.6 Threat posed by cleaning staff or outside staff
• T 3.9 Incorrect management of the IT system
• T 3.12 Loss of storage media during transfer
• T 3.16 Incorrect administration of site and data access rights
• T 3.24 Inadvertent manipulation of data
• T 3.25 Negligent deletion of objects
IT Audit Methodoloies

36. BSI - Summary
• Main use: Security concepts & manuals
• No evaluation methodology described
• Developed by German BSI (GISA)
• Updated version released each year
• Lists 209 threats & 420 security measures
• 34 modules cover generic & platform specific
security requirements

37. BSI - Summary
• User friendly with a lot of security details
• Not suitable for security risk analysis
• Results of security coverage not shown in
graphic form
• Manual in HTML format on BSI web server
• Manual in Winword format on CD-ROM
(first CD free, additional CDs cost DM 50.-- each)
• Paper copy of manual: DM 118.--
• Software ‚BSI Tool‘ (only in German): DM 515.--

38. ITSEC, Common Criteria
• ITSEC: IT Security Evaluation Criteria
• Developed by UK, Germany, France, Netherl. and
based primarily on USA TCSEC (Orange Book)
• Releases
– ITSEC: 1991
– ITSEM: 1993 (IT Security Evaluation Manual)
– UK IT Security Evaluation & Certification scheme:
1994

39. ITSEC, Common Criteria
• Common Criteria (CC)
• Developed by USA, EC: based on ITSEC
• ISO International Standard
• Releases
– CC 1.0: 1996
– CC 2.0: 1998
– ISO IS 15408: 1999

40. ITSEC - Methodology
• Based on systematic, documented approach for
security evaluations of systems & products
• Open ended with regard to defined set of
security objectives
– ITSEC Functionality classes; e.g. FC-C2
– CC protection profiles
• Evaluation steps:
– Definition of functionality
– Assurance: confidence in functionality

41. ITSEC - Functionality
• Security objectives (Why)
– Risk analysis (Threats, Countermeasures)
– Security policy
• Security enforcing functions (What)
– technical & non-technical
• Security mechanisms (How)
• Evaluation levels

42. ITSEC - Assurance
• Goal: Confidence in functions & mechanisms
• Correctness
– Construction (development process & environment)
– Operation (process & environment)
• Effectiveness
– Suitability analysis
– Strength of mechanism analysis
– Vulnerabilities (construction & operation)

43. CC - Security Concept

44. CC - Evaluation Goal

45. CC - Documentation
CC Part 2
Functional Requirements
Functional Classes
Functional Families
Functional
CC Part 1
Introduction and Model
Introduction to
Approach
Terms and Model
Requirements for
Protection Profiles (PP)
and Security Targets (ST)
Components
Detailed Requirements
CC Part 3
Assurance Requirements
Assurance Classes
Assurance Families
Assurance Components
Detailed Requirements
Evaluation Assurance
Levels (EAL)

46. CC - Security Requirements
Functional Requirements
for defining security behavior of the
IT product or system:
implemented requirements
become security functions
Assurance Requirements
for establishing confidence in Security
Functions:
correctness of implementation
effectiveness in satisfying
objectives

47. CC - Security Functional Classes
Name
Audit
Communications
Cryptographic Support
User Data Protection
Identification & Authentication
Security Management
Privacy
Protection of TOE Security Functions
Resource Utilization
TOE (Target Of Evaluation) Access
Trusted Path / Channels
Class
FAU
FCO
FCS
FDP
FIA
FMT
FPR
FPT
FRU
FTA
FTP

48. CC - Security Assurance Classes
Name
Configuration Management
Delivery & Operation
Development
Guidance Documents
Life Cycle Support
Tests
Vulnerability Assessment
Protection Profile Evaluation
Security Target Evaluation
Maintenance of Assurance
Class
ACM
ADO
ADV
AGD
ALC
ATE
AVA
APE
ASE
AMA

49. CC - Eval. Assurance Levels (EALs)
Name
Functionally Tested
Structurally Tested
Methodically Tested & Checked
Methodically Designed, Tested & Reviewed
Semiformally Designed & Tested
Semiformally Verified Design & Tested
Formally Verified Design & Tested
EAL
EAL1
EAL2
EAL3
EAL4
EAL5
EAL6
EAL7
*TCSEC
C1
C2
B1
B2
B3
A1
*TCSEC = “Trusted Computer Security Evaluation Criteria” --”Orange Book”

50. ITSEC, CC - Summary
• Used primarily for security evaluations and not
for generalized IT audits
• Defines evaluation methodology
• Based on International Standard (ISO 15408)
• Certification scheme in place
• Updated & enhanced on a yearly basis
• Includes extensible standard sets of security
requirements (Protection Profile libraries)

51. Comparison of Methods - Criteria
• Standardisation
• Independence
• Certifiability
• Applicability in practice
• Adaptability

52. Comparison of Methods - Criteria
• Extent of Scope
• Presentation of Results
• Efficiency
• Update frequency
• Ease of Use

53. Comparison of Methods - Results
CobiT
3.4
3.3
2.7
2.8
3.3
3.1
1.9
3.0
3.1
2.3
Standardisation
Independence
Certifyability
Applicability in practice
Adaptability
Extent of Scope
Presentation of Results
Efficiency
Update frequency
Ease of Use
BS 7799
3.3
3.6
3.3
3.0
2.8
2.9
2.2
2.8
2.4
2.7
BSI
3.1
3.5
3.0
3.1
3.3
2.7
2.6
3.0
3.4
2.8
ITSEC/CC
3.9
3.9
3.7
2.5
3.0
2.6
1.7
2.5
2.8
2.0
Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC form H.P. Winiger

54. CobiT - Assessment

55. BS 7799 - Assessment

56. BSI - Assessment

57. ITSEC/CC - Assessment

58. Use of Methods for IT Audits
• CobiT: Audit method for all IT processes
• ITSEC, CC: Systematic approach for evaluations
• BS7799, BSI: List of detailed security measures
to be used as best practice documentation
• Detailed audit plans, checklists, tools for
technical audits (operating systems, LANs, etc.)
• What is needed in addition:
– Audit concept (general aspects, infrastructure
audits, application audits)