Embed Size (px)
Citation preview
11/26/13
1
IT Auditing for the Non-IT Auditor
Danny M. Goldberg, Founder
Danny M. Goldberg
• Founder, GOLDSRD (www.goldsrd.com)
• Former Partner, Professional Development - Sunera
• Founding Partner, SOFT GRC (sold to Sunera)
• Former Director of Corporate Audit/SOX at Dr Pepper Snapple Group
• Former CAE - Tyler Technologies
• Published Author (Book/Articles)
• Texas A&M University – 97/98
• CPA – Since 2000 • CIA – Since 2008 • CISA – Since 2008 • CGEIT (Certification in the
Governance of Enterprise IT) – Since 2009
• CRISC (Certification in Risk and Information Systems Control) – Since 2011
• CRMA (Certification in Risk Management Assurance) – Since 2011
• CCSA (Certification in Control Self-Assessment) – Since 2007
• CGMA (Chartered Global Management Accountant) – Since 2012
11/26/13
2
• Chairman of the Leadership Council of the American Lung Association - North Texas – Calendar Year 2012
• Served on the Audit Committee of the Dallas Independent School District (CY 2008)
• Current Dallas and Fort Worth IIA Programs Co-Chair • Highly-Rated, Nationally Recognized Speaker
– 6th Rated Speaker (out of 116), 2013 IIA International Conference – 8th Rated Speaker (out of 120), 2012 IIA International Conference
• Published Author – Bureau of National Affairs - Internal Audit: Fundamental Principles and Best
Practices (Professional Commentator) – Audit Report Articles (June 2013 Cover, March 2012, March 2011, June 2010
Cover) – “Critical Thoughts on Critical Thinking” – ISACA Journal (May 2012, August 2012) – Internal Auditor Articles (August 2007, December 2007, October 2010) – ISACA Online Article (December 2009) – New Perspectives (December 2010) – Dallas Business Journal (January 2011) – “The Yes Man Phenomenon”
Danny M. Goldberg (cont.)
GOLDSRD Snapshot
Staff Augmentation:
§ Market leader in locating cost-effective, recognized resources in accounting, finance, audit and IT
§ All requests filled within 72 hours
Professional Development:
§ Nationally-Recognized Leader in Audit and People-Centric Skill Training
§ Over 100 Full-Day Courses on Audit, Accounting, Finance and People-Centric Skills
§ Registered with NASBA to offer CPE’s for all courses in course catalog
§ Competitive Pricing
§ Interactive and Educational Courses for all levels
Executive Recruiting:
§ Unique approach to filling positions, including personality assessment for candidate and organization
§ Expansive network of qualified candidates actively looking
§ Competitive Pricing (17.5% Placement Fee)
11/26/13
3
Value of this Course
• IT Auditing Basics, including: – General Controls
– Application Controls
– Pre-implementation/Post-implementation audits
• Being able to talk the talk – No more IT snowballing!
IIA Standards and IT Auditing
• 1210 – Proficiency – 1210.A3: Internal auditors must have sufficient
knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.
GTAG I – Categories of IT Knowledge
• IIA GTAG-I defines three categories of IT knowledge for auditors: – Category I: Knowledge of IT needed by all
professional auditors, from new recruits up through the CAE.
– Category II: Knowledge of IT needed by audit supervisors.
– Category III: Knowledge of IT needed by IT Audit Specialists.
11/26/13
4
Category I Knowledge
• Understanding concepts such as applications, operating systems and systems software, and networks.
• IT security and control components such as perimeter defenses, intrusion detection, authentication, and application system controls.
• Understanding how business controls and assurance objectives can be impacted by vulnerabilities in business operations and the related and supporting systems, networks, and data components.
• Understanding IT risks without necessarily possessing significant technical knowledge.
Type of Audit Objectives
• IT Objectives – Security – Availability – Confidentiality – Integrity – Scalability – Reliability – Effectiveness – Efficiency
• Financial – Completeness
– Accuracy – Validity
– Authorization – Rights & Obligations
– Presentation & Disclosure
11/26/13
5
Control Types
• Automated – Programmed
controls – Strong in nature
– Lack human error – Repetitive, same
functioning
– Test of 1 vs. Many
• Duel Controls (Partially Automated and Manual) – People enabled controls – People rely on
information from IT systems for the control to function
• Manual – People enable control – Fully independent of IT
systems
Control Frameworks
• Internal Controls – COSO Internal Control – Integrated Framework
(Most Popular)
• General Computer Controls – COBIT (Most Popular)
• Control Objectives for Information and Related Technology • Generally applicable and accepted standard for good IT security
and control practices that provides a reference framework for management, users, and audit practitioners
• Developed by the IT Governance Institute
– ITGI Control Objectives For Sarbanes Oxley – ITIL (IT Infrastructure Library) – Others?
11/26/13
6
GCC – CobiT vs/ ITIL • The ITIL was designed for external financial audit. It seeks to
obtain control assurance that financial statements are accurate and well presented (“Only concern is relevance to passing SOX)
• Audit may (WILL) seek broader control assurance than just controls related to financial information
• Other examples where control assurance is important to Internal Audit reviews of IT controls: – Company policies are being adhered to (e.g. code of conduct, security
policies, cost cutting policies, etc.) – Regulatory laws are adhered to (SOX, HIPAA, PCI privacy, etc.) – Safeguarding of assets (e.g. Customer/client identity theft threats,
fraud, hackers, etc.)
CobiT
• CobiT – Designed to be used by auditors and business
process owners • Uses a set of 34 high-level control objectives grouped
into four domains: – Plan and Organize
– Acquire and Implement
– Deliver and Support
– Monitor and Evaluate
IT Risk Framework Benefits
• Aligned with business risk – focus on what is important to the business
• Valuable input to the IT and business strategy, as well as the IT Audit plan
• Linked to maturity assessment to provide roadmap for process improvement
• Addresses risk factors affecting each aspect of the IT environment:
– IT Governance, IT Processes, IT Applications and Infrastructure
• Compatible with other IT frameworks including COBIT, PMI, ITIL, ISO, etc.
• End-to-End (comprehensive) view of all IT processes, such as development, support, help desk, security, etc.
• Addresses all critical “layers” of the IT environment, i.e. applications and infrastructure such as network, OS, DB
11/26/13
7
IT Controls Overview
• Classification – General Controls – Application Controls
• Classification – Preventative – Detective – Corrective
• Classification – Governance controls – Management controls – Technical controls
IT Controls Overview
Types of IT Controls
• Preventive controls prevent errors, omissions, or security incidents from occurring – e.g., data-entry edits, access controls, antivirus software,
firewalls, intrusion prevention systems • Detective controls detect errors or incidents that
elude preventative controls – e.g., monitoring accounts or transactions to identify
unauthorized or fraudulent activity • Corrective controls correct errors, omissions, or
incidents once they have been detected – e.g., correction of data-entry errors, recovery from
incidents, disruptions or disasters
11/26/13
8
• Results from IIA external Quality Assessment Reviews (QARs) - developing an appropriate IT audit plan is one of the weakest links in internal audit activities
• Many times, instead of risk-based auditing,
internal auditors review what they know or outsource to other companies, letting them decide what to audit
Background
Introduction & Overview
• What is a Risk Assessment? – The process of identifying, estimating and evaluating the nature and severity of
risks associated with an organization, specific business unit or product – A methodology to produce a risk model to optimize the assignment of company
resources through a comprehensive understanding of the organization’s business environment and associated risks
• What is an IT Risk Assessment? • A risk assessment with a focus on development, use, management and
monitoring of information technology
• A methodology to produce a risk model to optimize the assignment of IT audit resources through a comprehensive understanding of the organization’s IT environment and the risks associated with each auditable unit
• An integral component of an overall risk assessment for a company
11/26/13
9
Introduction & Overview • Why perform an IT Risk Assessment? – Identify areas of highest relative IT risk for an
organization – Bring IT risk awareness to management – Assist management to develop an approach to manage
and respond to their IT Risks – Develop a risk-based internal audit plan to assess
controls that address identified IT risks
Introduction & Overview • An IT Risk Assessment addresses key IT
management processes and supporting technologies. Areas for consideration include: – IT Governance and Control; Performance Measurement
– Program Management; Technology Management; Vendor Management
– Applications Support and Development
– Systems Operations, Maintenance and Support
– Information Systems Security
– Business Continuity and Disaster Recovery Planning (Dallas County Records Building)
IT Audit Plan Development Process
Source: IIA – GTAG 11
11/26/13
10
The first step in defining the annual IT audit plan is to understand the business. As part of this step, auditors need to identify the strategies, company objectives, and business models that will enable them to understand the organization’s unique business risks. And how business and IT service functions support the organization.
Understand the Business
• Gather information: - Business objectives and strategies - Organizational structure and changes
- Key business processes and locations - Company’s disclosed risks (10-K) - Available company risk information - Key industry risks and issues • Organize information on the company’s
structure (process and locations)
• Client Profile • Business Objectives/Strategies • Organizational structure • Business Process and Locations
• Preliminary risk information • 10-K disclosed risks • Other company risk information • Key industry issues
Key Activities Key Deliverables
Next, auditors need to define the IT universe. This can be done through a top-down approach that identifies key business objectives an d processes, significant applications that support the business processes, the infrastructure needed for the business applications, the organization’s support model for IT, and the role of common supporting technologies such as network devices.
Define IT Universe
• Degree of System and Geographic Centralization
• The technologies deployed • Degree of customization • Degree of formalized policies and standards • Degree of regulation and compliance • Degree and method of outsourcing • Degree of operational (changes,
configuration) standardization • Level of reliance on technology
• IT Inventory tied to business processes/applications
Key Activities Key Deliverables
After auditors have a clear picture of the organization’s IT environment, the third step is to perform the risk assessment – a methodology for determining the likelihood of an event that could hinder the organization from attaining its business goals and objectives in an effective, efficient, and controlled manner.
Perform Risk Assessment
• Conduct interviews or workshops to gather risk ratings by designated key client participants
• Based on the executive risk assessment inputs, develop the Risk Assessment / Risk Map
• Risk Scorecard / Risk Map - Risks prioritized based on Impact and
Likelihood/Vulnerability risk ratings - A summary of risk assessment interview
notes as an attachment would be a useful tool to the internal audit plan development process and to the overall risk management process
Key Ac'vi'es Key Deliverables
11/26/13
11
Define Impact and Vulnerability Criteria
• Impact – Strategic
– Financial
– Reputation
– Legal and Regulatory
– Operational
– Stakeholders
– Competitor
• Vulnerability – Complexity
– Control Effectiveness
– Prior Risk Experience
– Rate of Change
– Preparedness
The objective of the audit plan is to determine where to focus the auditor’s assurance and consulting work to provide management with objective information to manage the organization’s risk and control environment.
Formalize Audit Plan
• Determine the resource needs (skill sets, tools, competencies) given the risk information for the planned audits
• Allocate resources and schedule the audits
• Detailed risk-based internal audit plan showing: - linkage of IA projects to the risk
assesment process and risk information - alignment of resource compentencies to risk focus of the project - audit timeline
Key Ac'vi'es Key Deliverables
Key Deliverables • IT Risk Assessment deliverables can include: – Risk Scorecards
– Risk Maps
– IT Audit Universe
– Internal Audit Plan: • List of audit projects to be executed, timeframe, and budgeted hours
11/26/13
12
Agenda • Overview
• General Computer Controls (“GCC”) – Information Security
– IS Operations
– System Implementation & Maintenance
– Database Implementation and Support
– Network Support
– System Software Support
What are GCC’s • A Framework for Evaluating Control Exceptions
and Deficiencies: – What does that mean?
• Policies and procedures that relate to many applications and support the effective functioning of application controls by helping to ensure the continued proper operation of information systems.
– This includes four basic IT areas that are relevant to internal control over financial reporting (“ICFR” = SOX!): • Program Development • Program Change • Computer Operations • Access to Programs and Data
11/26/13
13
Information Security — Designing, implementing, and maintaining information security, including both physical and logical security over all access paths to programs and data. Accessing and prioritizing relevant security risks. Defining data owners, classifying data as to necessary security, and selecting and implementing security tools and techniques.
• Critical Areas • Tools and techniques restrict access to
programs, data, and other information resources
• Restricts access to programs and information • Physical access restrictions are implemented
and administered to restrict access to information
• All information resources subject to appropriate physical and logical security
• Value Add Areas • Virus Protection • Software is used in accordance with licensing
agreements and management’s authorization • Information is protected against environmental
hazards and related damage
• Security policies
• Security standards
• Data ownership
• Information security architecture
• Security administration • Logical access
• Security logging & monitoring
• Physical access
• Environmental
Control Objectives Covers
Information Security
Information Systems Operations — Supervising and maintaining computer systems operations. Providing scheduled, monitored, and secure computer operations. Satisfying end-user requirements for computer processing support and problem resolution.
IS Operations
• Critical Areas • Production to process batch and on-line
transactions and prepare related reports are executed timely and completely
• Only valid production programs are executed
• Value Add Areas • Data is retained in accordance with laws,
regulations, and company policy • Computer processing environment service
levels meet or exceed management’s expectations
• Users receive appropriate systems training in the use of application systems
• Users receive appropriate support to ensure that application systems function as intended
• Job scheduling
• Processing control
• Output control
• Problem logging, tracking & reporting
• Problem escalation & resolution
• Capacity planning
• Performance monitoring
• Facilities management
• Help desk procedures
• Backup & Recovery
• Business Continuity/Disaster Recovery
Control Objectives Covers
Backup and Recovery Controls
• Requirements should be defined for backup of critical data (type and frequency)
• Periodic inventory of backup files should be performed
• Procedures should be in place to periodically validate recovery process
• Procedures should exist to destroy old backup media
• Physical controls should be in place at onsite and offsite storage locations
11/26/13
14
Business Continuity/Disaster Recovery
• Disaster recovery plan should be documented, updated and tested
• Management should identify, analyze, and prioritize mission-critical functions based on: Criticality
• Scope and consequences of disruption • Survivability (time-sensitivity) • Coordination requirements with other units or
external partners • Facilities, infrastructure, and IT support requirements.
Application Systems Implementation and Maintenance — Selecting or developing, implementing, and maintaining application systems.
Application Sys Implementation & Maintenance
Control Objectives Covers
Change Control
• Types of changes: – Program code changes, software updates, system patches, new software
implementations
• Change controls should include: – Monitoring and logging of all changes – Steps to detect unauthorized changes – Confirmation of testing – Authorization for moving changes to production – Tracking movement of hardware and other infrastructure components – Periodic review of logs – Back out plans – User training
• Specific procedures should be defined and followed for emergency changes
11/26/13
15
Database Implementa-on and Support — Managing the data architecture and maintenance in terms of defining and maintaining the structure of master file data, transacHon data, and organizaHon data. Maintaining the database management system (or its equivalent).
Database Implementation & Support
• CriHcal Areas • The data structure is appropriately implemented and funcHons consistent with management’s intenHons
• All necessary modificaHons to the data structure are implemented Hmely and with proper approval (SDLC)
• ModificaHons to the data structure are appropriately implemented and the modified data structure funcHons consistent with management’s intenHons
• Data architecture • Database implementaHon • Database administraHon & monitoring • Database maintenance & modificaHons
Control Objec'ves Topics Covered
Network Support — Designing, installing and operaHng networks and communicaHon soZware and protocols. This includes defining the structure and interrelaHonships between components of the network, configuring the physical locaHons of files and equipment, and planning the operaHng capacity and capabiliHes to meet current network needs.
Network Support
• CriHcal Areas • New network and communicaHon soZware is appropriately implemented and funcHons properly and implemented in a Hmely manner.
• ModificaHons to exisHng network and communicaHons soZware are properly implemented and funcHon as expected
• Value Add Areas • New network and communicaHon soZware is acquired consistent with management’s intenHons
• Network and communicaHon soZware is maintainable and supportable
• Network & communicaHon soZware: • AcquisiHon & approval • ImplementaHon & tesHng • Support • Maintenance • Performance monitoring • DocumentaHon
Control Objec'ves Topics Covered
11/26/13
16
Systems So7ware Support — SelecHng, implemenHng, and maintaining necessary systems soZware, including the parameters that configure and control such soZware. ImplemenHng and monitoring system soZware changes, including vendor upgrades.
System Software Support
• CriHcal Areas • New system soZware is appropriately implemented and funcHons properly
• All necessary modificaHons to system soZware are implemented Hmely
• ModificaHons to system soZware are properly implemented and funcHon as intended
• Value Add Areas • New system soZware is acquired consistent with management’s intenHons
• System soZware is maintainable and supportable
• OperaHng system acquisiHon, installaHon, configuraHon and updates/patches
Control Objec'ves Topics Covered
11/26/13
17
• Is IT a Service or an integral piece of Management/Strategy Se@ng? • Is IA a part of the IT Steering CommiCee?
• Do you find out about system implementa'ons AFTER they are installed?
• IT Risk Management – Policies, procedures and processes used to miHgate risk in IT environment
• Project Risk Management – FuncHon of IT Risk Management. PRM policies, procedures and processes help ensure projects are delivered on schedule within budget and meet business objecHves
• Systems Development Life Cycle – Set of PRM policies and procedures that help guide development of project from concept to implementaHon
• Project Management – Set of policies and procedures that guide IT project management
• IT Change Management – Set of policies and procedures that guide management of changes in IT development environment
Key Concepts
• Quality Management – Set of Project Risk Management policies and procedures that define
independent oversight inherent in the Project Risk Management • Pre-‐implementaHon Review
– IT project review conducted before project is implemented into producHon environment
• Post-‐implementaHon Review – IT project review conducted six weeks to six months aZer project has
been implemented into producHon environment
Key Concepts (con’t.)
11/26/13
18
Project Risk Management
• Project Management Controls • Systems Development Life Cycle Controls • Change Management Controls • Quality Management (SoZware tesHng) • Management and oversight of all of the above
The policies and procedures that define and support systems development:
Pre-‐implementa'on Review
Pre-‐implementaHon review validates that all Project Risk Management components are designed and implemented into the project under development:
• Project plan (Hme/schedule, resources, quality) in place • Requirements are documented, approved and finalized • Program design is in place • Test plans and procedures are in place • An implementaHon plan has been created
All project components adhere to change management procedures; quality management and oversight are in place through documentaHon reviews and status updates.
Post-‐implementa'on Review
Post-‐implementaHon review validates that all components of the Project Risk Management are present in the completed project documentaHon:
• The project plan is updated and finalized • Requirements were documented, approved and finalized • Program design were documented • Test plans, procedures and results were documented • Issues lists were maintained • An implementaHon plan was finalized
All project components adhered to change management procedures; quality management and oversight were evident through meeHngs, status reports, issues follow up and project sign off.
11/26/13
19
Application Systems Auditing
• All key business processes are supported by application systems. – Financial Reporting, Sales, Inventory Management, et al.
• Most companies have not optimized identification of application controls and flipped the switch on application versus manual controls
• Application systems help achieve: – Efficiency and effectiveness of operations – Reliability of financial reporting – Compliance with applicable laws and regulations
• What are application controls?
General Areas of Risk
Application configuration: – Business process rules configured incorrectly:
• Transactions not processed
• Transactions processed incorrectly
– Business process and procedures not configured (depreciation is miscalculated): • Transactions processed inconsistently
• Transactions processed outside system – not recorded
11/26/13
20
General Areas of Risk (con’t.)
Security: – Unauthorized access to critical business data or
transactions
– Excessive access • Lack of proper segregation of duties
• Unauthorized changes to information
Audi'ng Applica'on Systems Approach
• Meet with business process owners to: – Understand business funcHon that applicaHon supports
– IdenHfy responsible personnel (owner, superusers, applicaHon administrators, security administrators)
– Map out process (if appropriate)
– IdenHfy applicaHon inputs, outputs, interfaces
– IdenHfy applicaHon controls and manual controls
– IdenHfy exisHng documentaHon
– Highlight any issues or concerns
• IdenHfy key risks and test key controls – All key controls should be driven by risk
• Same approach to audiHng in general
Application Configuration
• Audit plan considerations: – Application configuration changes should follow a
well-controlled change methodology (CHANGE CONTROL): • Appropriate request documentation
• Approval processes
• Testing
• Promotion to production
11/26/13
21
Input Controls
• Audit plan considerations: – Input data validation checks
• Limit test: test of reasonableness • Validity test: comparison against master files • Self-checking number: check for accuracy
– Batch integrity of online or database systems – Input controls for batch processing
• Item count – check for completeness • Control total – check for accuracy • Hash total – can be a sum of all order numbers
– Error reporting and handling
Data • Audit plan considerations: – Legacy data cleansed and purged prior to loading into
application – Access to master data maintenance restricted to
authorized personnel – Data validation routines used to enhance data input
accuracy – Data archiving and retention strategies support
business objectives – Batch input and interface input monitored and
controlled
Transaction Processing
• Audit plan considerations: – Batch processing of transactions monitored and
controlled
– Off transactions identified and held for review if possible prior to posting
– Access to process transactions limited to personnel responsible for those transactions only
11/26/13
22
Security
• Audit plan considerations: – Defined, structured methodology used to design
and implement application level security – Application level security granular enough to
properly segregate of duties – Appropriate level of access granted to
superusers and application administrators – List of allowable exceptions to SOD – Structured approach to granting, removing, and
changing users’ access
Reporting • Audit plan considerations: – Defined reporting strategy
– Reports limited to authorized personnel only
– Ad hoc reporting tools disallowing access to confidential or sensitive data
– Appropriate controls developed around “shadow systems”
• Data Interfaces – Garbage in-Garbage out phenomenon
– ERP environments commonly have many interfaces with other applications that could be reviewed • Evaluate materiality and risk of each interface to determine which should be
in scope
• Data Conversions – Usually relevant only first year after implementation
– Reviews typically cover combination of: • Master data (e.g. vendors, customers, inventory masters etc.)
• Transactional data (usually a combination of open balances and transaction history)
Data Interfaces and Conversions
11/26/13
23
Summary
• Application system controls include manual controls and IT controls: ― Need to test both; coordination can be a
challenge
• Controls should be linked to a framework; typically based on control objectives
• Any business process may have one or more primary applications driving the process: ― Need to identify key applications
• If it has not changed, do we need to retest annually? • Defined through SOX testing (PCAOB) • Factors to consider:
1. Effectiveness of the controls over the IT control environment i.e the controls over application changes, application purchases and overall computer operations.
2. In case of changes in softwares/applications during the period of audit, how well does the auditor understand the changes to the applications and the resulting comfort factor.
3. The nature and timing of other related tests for application and business related controls.
4. Last but not the least, in case there are errors relating to the application controls that were benchmarked, what are the resulting consequences of errors.
Benchmarking
11/26/13
24
Summary (con’t.)
• Most applications have common elements for audit focus: ― Data ― Transaction processing ― Configuration ― Security ― Reporting
• Audits should encompass all the above
11/26/13
25
Information Security Governance
• Information security governance is the process of ensuring that security decisions are aligned with business strategy, optimized for value, and managed within acceptable risk boundaries.
• Provides assurance that: – Information security strategies are aligned with business objectives
– Information security strategies are consistent with applicable laws and regulations
– Information security strategies are appropriate in scope and scale for the organization
– Information security strategies are standards-based
Security Organization and Policies
• Security Organization: – Is there a separate security organization with appropriate authority and
influence? – Is it appropriately staffed with qualified resources? – How is it positioned within the organization?
• Security Policies: – Are policies based on industry standards, appropriate to the
organization and actionable? – Are policies formally documented and approved? – Are policies current and comprehensive? – Have they been communicated and implemented? – Do they address all stakeholders (Management, Security, IT, Users)? – What categories would you include in a security policy/procedure
document?
User Access Administration COBIT: DS5 Ensure systems security
• DS 5.4 User account management control objective: – Management should establish procedures to ensure timely action relating to
requesting, establishing, issuing, suspending and closing user accounts – Should include formal approval procedure outlining data or system owner granting the
access privileges. • DS. 5.3 Identity Management:
– All users (internal, external and temporary) and their activity on IT systems (business application, system operation, development and maintenance) should be uniquely identifiable. User access rights to systems and data should be in line with defined and documented business needs and job requirements. User access rights are requested by user management, approved by system owner and implemented by the security-responsible person.
• DS. 5.5 Security Testing, Surveillance and Monitoring – Ensure that IT security implementation is tested and monitored proactively. IT security
should be reaccredited periodically to ensure the approved security level is maintained. A logging and monitoring function enables the early detection of unusual or abnormal activities that may need to be addressed. Access to the logging information is in line with business requirements in terms of access rights and retention requirements.
COBIT Control Objectives, 4th Edition, IT Governance Institute July 2005.
11/26/13
26
User Access Administration (con’t.)
• Common control concerns: – Informal, decentralized or fragmented process
– User roles not formally defined
– Inadequate user access request methods: • Forms too general
• Requests and approvals not documented
• Audit trail not maintained
– User termination notification processes not effective
– User removal processes not comprehensive
– Periodic reviews not performed
– No intuitive access report available for management review
Technology Based Access Security Controls
• Logical access security levels: – Application – Database – Operating System – Network
• Common control Objectives: – Only authorized users granted access (Need-to-know basis)
– Access granted in accordance with assigned job responsibilities (Least privilege)
– User access rights restricted to enforce adequate segregation of duties (Administrative management)
– Advanced access rights and sensitive functions appropriately restricted (Super user access restricted to nominal few)
– Security parameters including password controls help to ensure that access is restricted to only authorized personnel (Configuration management)
– Information resources protected (e.g. file and directory permissions)
– Security events logged and monitored
Secure Systems Development
• New systems developed and implemented in accordance with security requirements “baked in”
• Systems modifications do not degrade security compliance
• Written policies and procedures should define responsibilities and requirements relevant to systems development
• Software capability maturity model: – Based on the premise that the quality of a software product is a direct
function of the quality of its associated software development and maintenance process. The CISSP Prep Guide, Ronald L. Krutz and Russell Dean Vines, Wiley Publishing Inc., 2003.
11/26/13
27
Secure Systems Development (con’t)
• Certifying and accrediting compliance of business applications and infrastructure to enterprise’s information security governance framework.
CISM Review Manual 2004, Information Systems Auditing and Control Association
• Including security early in the information system development life cycle (SDLC) will usually result in less expensive and more effective security than adding it to an operational system.
NIST Special Publication 800-64, Security Considerations in the Information System Development Life Cycle
• Security organization and Internal Audit participation is highly encouraged: – Can be consultative or assessment / compliance
– Can occur throughout the life cycle • Pre-, Go-Live and Post-Implementation
Incident Response • DS5.6 Security Incident Definition
– Ensure that the characteristics of potential security incidents are clearly defined and communicated so security incidents can be properly treated by the incident or problem management process. Characteristics include a description of what is considered a security incident and its impact level. A limited number of impact levels are defined and for each the specific actions required and the people who need to be notified are identified • Incident response management and integration • Identify suspicious activities or security breaches • Manage new security threats
• NIST Special Publication 800-61, Computer Security Incident Handling Guide: – Organizing computer security incident response capability – Establishing incident response policies and procedures – Structuring incident response team – Handling incidents from initial preparation through post-incident lessons learned
phase
Remote Access and Third Parties
• DS5.11 Exchange of Sensitive Data – Ensure sensitive transaction data are exchanged only over a trusted path or medium with controls
to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
– Remote access control objectives: • Authorization, authentication, logging, monitoring • Consider strong (2-factor) authentication methods: i.e. Smart Cards, Passwords, tokens • Consider limiting access capabilities to selected information resources • Ensure controls are consistent for remote access • Data transferred should be encrypted.
• Third-party access: – 100% third parties with direct access should be known and documented – Written, signed contracts should establish security requirements:
• Unique user IDs for all users • Appropriate password controls • Termination notification, automated terminated dates, and removal procedures • Limit access to minimum required (principle of least privilege) • Design controls to monitor and evaluate third-party activities
11/26/13
28
User Awareness and Training • Successful security is NOT a technical solution:
– The Business owns security from design and approval perspectives. IT owns the maintenance and administration of security.
– Users must be aware of importance of security
– Users must understand their responsibilities
– Control environment / tone at the top / senior management attitude
• Awareness and training life cycle: – Design program (inclusion of department heads, such as CIO, IT security
Manager have key responsibilities)
– Provide targeted training
• Users
• IT
• Security Personnel
• Management
– Raise and maintain awareness
Physical Security
• Physical access is restricted: – Physical access policies
– Buildings, data centers, computer rooms, network and telecommunications equipment
– Personal computers and laptops
• Management control objectives: – Access approval
– Access logging and monitoring
– Termination notification and removal/resumption procedures
– Periodic review
– Asset management
Legal and Regulatory Compliance
• As regulatory and legal requirements are imposed on business the importance of information protection increases.
• Legal and regulatory pressure increasing:
– Sarbanes-Oxley (SOX) – HIPAA Privacy Regulations and Security Rules – Gramm-Leach-Bliley Act – California Security Breach Information Act (S.B.
1386) – FDICIA requirements – Basel II
11/26/13
29
• IT Auditing is not just for IT people – we all can do it.
• Many important aspects but common sense must prevail.
• IT must take ownership or part ownership of the control environment.
• With proper segregation of duties, many significant control and fraud issues are eliminated.
• IT General Controls are the foundation for every good control environment; without it the foundation of the home will have cracks.
Summary
