Lecture 1 - Information Systems Auditing Overview and Methodologies


  • 7/30/2019 Lecture 1 - Information Systems Auditing Overview and Methodologies


    Information Systems Audit Overview and Methodologies

    By Juma Tom V, Lecturer


    Agenda

    CobiT

    BS 7799 - Code of Practice (CoP)

    BSI - IT Baseline Protection Manual

    ITSEC

    Common Criteria (CC)


    IT Audit Methodologies - URLs

    CobiT: www.isaca.org

    BS7799: www.bsi.org.uk/disc/

    BSI: www.bsi.bund.de/gshb/english/menue.htm

    ITSEC: www.itsec.gov.uk

    CC: csrc.nist.gov/cc/


    Main Areas of Use

    IT Audits

    Risk Analysis

    Health Checks (Security Benchmarking)

    Security Concepts

    Security Manuals / Handbooks


    Security Definition

    Confidentiality

    Integrity

    Correctness

    Completeness

    Availability

    Non-repudiation


    CobiT

    Governance, Control & Audit for IT

    Developed by ISACA

    Releases

    CobiT 1: 1996

    32 Processes

    271 Control Objectives

    CobiT 2: 1998

    34 Processes

    302 Control Objectives


    CobiT - Model for IT Governance

    36 Control models used as basis:

    Business control models (e.g. COSO)

    IT control models (e.g. DTI's CoP)

    CobiT control model covers:

    Security (Confidentiality, Integrity, Availability)

    Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)

    IT Resources (Data, Application Systems, Technology, Facilities, People)


    CobiT - Framework


    CobiT - Structure

    4 Domains

    PO - Planning & Organisation

    11 processes (high-level control objectives)

    AI - Acquisition & Implementation

    6 processes (high-level control objectives)

    DS - Delivery & Support

    13 processes (high-level control objectives)

    M - Monitoring

    4 processes (high-level control objectives)


    PO - Planning and Organisation

    PO 1 Define a Strategic IT Plan

    PO 2 Define the Information Architecture

    PO 3 Determine the Technological Direction

    PO 4 Define the IT Organisation and Relationships

    PO 5 Manage the IT Investment

    PO 6 Communicate Management Aims and Direction

    PO 7 Manage Human Resources

    PO 8 Ensure Compliance with External Requirements

    PO 9 Assess Risks

    PO 10 Manage Projects

    PO 11 Manage Quality


    AI - Acquisition and Implementation

    AI 1 Identify Solutions

    AI 2 Acquire and Maintain Application Software

    AI 3 Acquire and Maintain Technology Architecture

    AI 4 Develop and Maintain IT Procedures

    AI 5 Install and Accredit Systems

    AI 6 Manage Changes


    DS - Delivery and Support

    DS 1 Define Service Levels

    DS 2 Manage Third-Party Services

    DS 3 Manage Performance and Capacity

    DS 4 Ensure Continuous Service

    DS 5 Ensure Systems Security

    DS 6 Identify and Attribute Costs

    DS 7 Educate and Train Users

    DS 8 Assist and Advise IT Customers

    DS 9 Manage the Configuration

    DS 10 Manage Problems and Incidents

    DS 11 Manage Data

    DS 12 Manage Facilities

    DS 13 Manage Operations


    M - Monitoring

    M 1 Monitor the Processes

    M 2 Assess Internal Control Adequacy

    M 3 Obtain Independent Assurance

    M 4 Provide for Independent Audit


    CobiT - IT Process Matrix

    Information Criteria Effectiveness

    Efficiency

    Confidentiality

    Integrity

    Availability

    Compliance

    Reliability

    IT Resources People

    Applications

    Technology

    Facilities

    Data

    IT Processes


    CobiT - Summary

    Mainly used for IT audits, incl. security aspects

    No detailed evaluation methodology described

    Developed by international organisation (ISACA)

    Up-to-date: Version 2 released in 1998

    Only high-level control objectives described

    Detailed IT control measures are not documented

    Not very user friendly - learning curve!

    Evaluation results not shown in graphic form


    CobiT - Summary

    May be used for self assessments

    Useful aid in implementing IT control systems

    No suitable basis to write security handbooks

    3 parts freely downloadable from ISACA site

    CobiT Advisor 2nd edition:


    BS 7799 - CoP

    Code of Practice for Information Security Management

    Developed by UK DTI, BSI: British Standard

    Releases

    CoP: 1993

    BS 7799: Part 1: 1995

    BS 7799: Part 2: 1998

    Certification & Accreditation scheme (c:cure)


    BS 7799 - Security Baseline Controls

    10 control categories

    32 control groups

    109 security controls

    10 security key controls


    BS 7799 - Control Categories

    Information security policy

    Security organisation

    Assets classification & control

    Personnel security

    Physical & environmental security

    Computer & network management


    BS 7799 - Control Categories

    System access control

    Systems development & maintenance

    Business continuity planning

    Compliance


    BS7799 - 10 Key Controls

    Information security policy document

    Allocation of information security responsibilities

    Information security education and training

    Reporting of security incidents

    Virus controls


    BS7799 - 10 Key Controls

    Business continuity planning process

    Control of proprietary software copying

    Safeguarding of organizational records

    Data protection

    Compliance with security policy


    BS7799 - Summary

    Main use: Security Concepts & Health Checks

    No evaluation methodology described

    British Standard, developed by UK DTI

    Certification scheme in place (c:cure)

    BS7799, Part1, 1995 is being revised in 1999

    Lists 109 ready-to-use security controls

    No detailed security measures described

    Very user friendly - easy to learn


    BS7799 - Summary

    Evaluation results not shown in graphic form

    May be used for self assessments

    BS7799, Part1:

    BS7799, Part2:

    BSI Electronic book of Part 1:

    Several BS7799 c:cure publications from BSI

    CoP-iT software from SMH, UK:


    BSI (Bundesamt für Sicherheit in der Informationstechnik)

    IT Baseline Protection Manual (IT-Grundschutzhandbuch)

    Developed by German BSI (GISA: German Information Security Agency)

    Releases:

    IT security manual: 1992

    IT baseline protection manual: 1995

    New versions (paper and CD-ROM): each year


    BSI - Approach


    BSI - Approach

    Used to determine IT security measures for medium-level protection requirements

    Straightforward approach since detailed risk analysis is not performed

    Based on generic & platform-specific security requirements, detailed protection measures are constructed using given building blocks

    List of assembled security measures may be used to establish or enhance baseline protection


    BSI - Structure

    IT security measures

    7 areas

    34 modules (building blocks)

    Safeguards catalogue

    6 categories of security measures

    Threats catalogue

    5 categories of threats


    BSI - Security Measures (Modules)

    Protection for generic components

    Infrastructure

    Non-networked systems

    LANs

    Data transfer systems

    Telecommunications

    Other IT components


    BSI - Generic Components

    3.1 Organisation

    3.2 Personnel

    3.3 Contingency Planning

    3.4 Data Protection


    BSI - Infrastructure

    4.1 Buildings

    4.2 Cabling

    4.3 Rooms

    4.3.1 Office

    4.3.2 Server Room

    4.3.3 Storage Media Archives

    4.3.4 Technical Infrastructure Room

    4.4 Protective cabinets

    4.5 Home working place


    BSI - Non-Networked Systems

    5.1 DOS PC (Single User)

    5.2 UNIX System

    5.3 Laptop

    5.4 DOS PC (multiuser)

    5.5 Non-networked Windows NT computer

    5.6 PC with Windows 95

    5.99 Stand-alone IT systems


    BSI - LANs

    6.1 Server-Based Network

    6.2 Networked Unix Systems

    6.3 Peer-to-Peer Network

    6.4 Windows NT network

    6.5 Novell Netware 3.x

    6.6 Novell Netware version 4.x

    6.7 Heterogeneous networks


    BSI - Data Transfer Systems

    7.1 Data Carrier Exchange

    7.2 Modem

    7.3 Firewall

    7.4 E-mail


    BSI - Telecommunications

    8.1 Telecommunication system

    8.2 Fax Machine

    8.3 Telephone Answering Machine

    8.4 LAN integration of an IT system via ISDN


    BSI - Other IT Components

    9.1 Standard Software

    9.2 Databases

    9.3 Telecommuting


    BSI - Module Data Protection (3.4)

    Threats - Technical failure:

    T 4.13 Loss of stored data

    Security Measures - Contingency planning:

    S 6.36 Stipulating a minimum data protection concept

    S 6.37 Documenting data protection procedures

    S 6.33 Development of a data protection concept (optional)

    S 6.34 Determining the factors influencing data protection (optional)

    S 6.35 Stipulating data protection procedures (optional)

    S 6.41 Training data reconstruction

    Security Measures - Organisation:

    S 2.41 Employees' commitment to data protection

    S 2.137 Procurement of a suitable data backup system
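The building-block approach described on the "BSI - Approach" slide, applied to the Module 3.4 data above, as an added example that is not part of the lecture or of BSI's own material. Module 3.4 is taken from the slide; the contents of the second module (labelled 3.3), the four status values used in the check and the recorded statuses are constructed assumptions for illustration. It shows the two steps an auditor performs with the manual: assemble the safeguards of the selected modules into one baseline (merging duplicates, keeping a safeguard mandatory if any module requires it), then run a basic security check that lists the mandatory safeguards not in place and the threats whose module is therefore not fully covered.

```python
"""Baseline protection in the IT-Grundschutz style: assemble safeguards
from building blocks, then run a basic security check.  Added example,
not BSI's tooling.  Module 3.4 follows the slide; module 3.3 contents,
the status vocabulary and all recorded statuses are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Safeguard:
    ident: str            # catalogue number, e.g. "S 6.36"
    title: str
    optional: bool = False


@dataclass(frozen=True)
class Module:
    ident: str                       # building-block number, e.g. "3.4"
    name: str
    threats: tuple[str, ...]         # threat ids the module addresses
    safeguards: tuple[Safeguard, ...]


# Module 3.4 "Data Protection" exactly as listed on the slide.
MODULE_3_4 = Module("3.4", "Data Protection", ("T 4.13",), (
    Safeguard("S 6.36", "Stipulating a minimum data protection concept"),
    Safeguard("S 6.37", "Documenting data protection procedures"),
    Safeguard("S 6.33", "Development of a data protection concept", optional=True),
    Safeguard("S 6.34", "Determining the factors influencing data protection", optional=True),
    Safeguard("S 6.35", "Stipulating data protection procedures", optional=True),
    Safeguard("S 6.41", "Training data reconstruction"),
    Safeguard("S 2.41", "Employees' commitment to data protection"),
    Safeguard("S 2.137", "Procurement of a suitable data backup system"),
))

# Constructed stand-in for module 3.3 so the assembly step has an overlap
# to merge; "T 1.X" and "S 6.X" are placeholders, not the manual's real ids.
MODULE_3_3 = Module("3.3", "Contingency Planning (constructed contents)", ("T 4.13", "T 1.X"), (
    Safeguard("S 6.36", "Stipulating a minimum data protection concept"),
    Safeguard("S 6.X", "Constructed contingency safeguard"),
))

# Implementation statuses recorded during a basic security check (assumed vocabulary).
STATUSES = {"yes", "partially", "no", "dispensable"}


def assemble_baseline(modules: list[Module]) -> dict[str, Safeguard]:
    """Union of the safeguards of all selected building blocks, keyed by
    identifier.  A safeguard mandatory in any module stays mandatory."""
    baseline: dict[str, Safeguard] = {}
    for module in modules:
        for sg in module.safeguards:
            seen = baseline.get(sg.ident)
            if seen is None or (seen.optional and not sg.optional):
                baseline[sg.ident] = sg
    return baseline


def basic_security_check(baseline: dict[str, Safeguard],
                         status: dict[str, str]) -> dict[str, str]:
    """Return the mandatory safeguards that are not fully in place.
    'yes' and 'dispensable' count as satisfied; anything else, including a
    safeguard with no recorded status, is reported as a gap."""
    gaps: dict[str, str] = {}
    for ident, sg in baseline.items():
        if sg.optional:
            continue
        st = status.get(ident, "not recorded")
        if st != "not recorded" and st not in STATUSES:
            raise ValueError(f"{ident}: unknown status {st!r}")
        if st not in ("yes", "dispensable"):
            gaps[ident] = st
    return gaps


def threats_not_covered(modules: list[Module], gaps: dict[str, str]) -> set[str]:
    """Threats of every module in which a mandatory safeguard has a gap."""
    uncovered: set[str] = set()
    for module in modules:
        if any(sg.ident in gaps for sg in module.safeguards if not sg.optional):
            uncovered.update(module.threats)
    return uncovered


# Constructed outcome of the status interview with the system owner.
RECORDED_STATUS = {
    "S 6.36": "yes", "S 6.37": "partially", "S 6.41": "no",
    "S 2.41": "yes", "S 2.137": "dispensable", "S 6.X": "yes",
}

if __name__ == "__main__":
    modules = [MODULE_3_4, MODULE_3_3]
    baseline = assemble_baseline(modules)
    gaps = basic_security_check(baseline, RECORDED_STATUS)
    for ident, st in sorted(gaps.items()):
        print(f"gap: {ident} {baseline[ident].title} [{st}]")
    print("threats not fully covered:", sorted(threats_not_covered(modules, gaps)))
```

Safeguards marked optional on the slide are carried in the baseline but never reported as gaps, which mirrors the slide's distinction; an unrecorded mandatory safeguard is deliberately treated as a gap so that an incomplete interview cannot pass the check.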


    BSI - Safeguards (420 safeguards)

    S1 - Infrastructure ( 45 safeguards)

    S2 - Organisation (153 safeguards)

    S3 - Personnel ( 22 safeguards)

    S4 - Hardware & Software ( 83 safeguards)

    S5 - Communications ( 62 safeguards)

    S6 - Contingency Planning ( 55 safeguards)


    BSI - S1-Infrastructure (45 safeguards)

    S 1.7 Hand-held fire extinguishers

    S 1.10 Use of safety doors

    S 1.17 Entrance control service

    S 1.18 Intruder and fire detection devices

    S 1.27 Air conditioning

    S 1.28 Local uninterruptible power supply [UPS]

    S 1.36 Safekeeping of data carriers before and after dispatch


    BSI - Security Threats (209 threats)

    T1 - Force Majeure (10 threats)

    T2 - Organisational Shortcomings (58 threats)

    T3 - Human Errors (31 threats)

    T4 - Technical Failure (32 threats)

    T5 - Deliberate acts (78 threats)


    BSI - T3-Human Errors (31 threats)

    T 3.1 Loss of data confidentiality/integrity as a result of IT user error

    T 3.3 Non-compliance with IT security measures

    T 3.6 Threat posed by cleaning staff or outside staff

    T 3.9 Incorrect management of the IT system

    T 3.12 Loss of storage media during transfer

    T 3.16 Incorrect administration of site and data access rights

    T 3.24 Inadvertent manipulation of data

    T 3.25 Negligent deletion of objects


    BSI - Summary

    Main use: Security concepts & manuals

    No evaluation methodology described

    Developed by German BSI (GISA)

    Updated version released each year

    Lists 209 threats & 420 security measures

    34 modules cover generic & platform-specific security requirements


    BSI - Summary

    User friendly with a lot of security details

    Not suitable for security risk analysis

    Results of security coverage not shown in graphic form

    Manual in HTML format on BSI web server

    Manual in Winword format on CD-ROM

    (first CD free, additional CDs cost DM 50.-- each)

    Paper copy of manual: DM 118.--

    Software BSI Tool (only in German): DM 515.--


    ITSEC, Common Criteria

    ITSEC: IT Security Evaluation Criteria

    Developed by UK, Germany, France, Netherlands and based primarily on USA TCSEC (Orange Book)

    Releases

    ITSEC: 1991

    ITSEM: 1993 (IT Security Evaluation Manual)

    UK IT Security Evaluation & Certification scheme: 1994


    ITSEC, Common Criteria

    Common Criteria (CC)

    Developed by USA, EC: based on ITSEC

    ISO International Standard

    Releases

    CC 1.0: 1996

    CC 2.0: 1998

    ISO IS 15408: 1999


    ITSEC - Methodology

    Based on systematic, documented approach for security evaluations of systems & products

    Open ended with regard to defined set of security objectives

    ITSEC Functionality classes; e.g. FC-C2

    CC protection profiles

    Evaluation steps:

    Definition of functionality

    Assurance: confidence in functionality


    ITSEC - Functionality

    Security objectives (Why)

    Risk analysis (Threats, Countermeasures)

    Security policy

    Security enforcing functions (What)

    technical & non-technical

    Security mechanisms (How)

    Evaluation levels


    ITSEC - Assurance

    Goal: Confidence in functions & mechanisms

    Correctness

    Construction (development process & environment)

    Operation (process & environment)

    Effectiveness

    Suitability analysis

    Strength of mechanism analysis

    Vulnerabilities (construction & operation)


    CC - Security Concept


    CC - Evaluation Goal


    CC - Documentation

    CC Part 1: Introduction and Model

    * Introduction to Approach

    * Terms and Model

    * Requirements for Protection Profiles (PP) and Security Targets (ST)

    CC Part 2: Functional Requirements

    * Functional Classes

    * Functional Families

    * Functional Components

    * Detailed Requirements

    CC Part 3: Assurance Requirements

    * Assurance Classes

    * Assurance Families

    * Assurance Components

    * Detailed Requirements

    * Evaluation Assurance Levels (EAL)



    CC - Security Requirements

    Functional Requirements - for defining security behavior of the IT product or system: implemented requirements become security functions

    Assurance Requirements - for establishing confidence in Security Functions: correctness of implementation, effectiveness in satisfying objectives



    CC - Security Functional Classes

    Class  Name
    FAU    Audit
    FCO    Communications
    FCS    Cryptographic Support
    FDP    User Data Protection
    FIA    Identification & Authentication
    FMT    Security Management
    FPR    Privacy
    FPT    Protection of TOE Security Functions
    FRU    Resource Utilization
    FTA    TOE (Target Of Evaluation) Access
    FTP    Trusted Path / Channels



    CC Security Assurance Classes

    Class  Name
    ACM    Configuration Management
    ADO    Delivery & Operation
    ADV    Development
    AGD    Guidance Documents
    ALC    Life Cycle Support
    ATE    Tests
    AVA    Vulnerability Assessment
    APE    Protection Profile Evaluation
    ASE    Security Target Evaluation
    AMA    Maintenance of Assurance



    CC Eval. Assurance Levels (EALs)

    EAL   Name                                      TCSEC*
    EAL1  Functionally Tested                       -
    EAL2  Structurally Tested                       C1
    EAL3  Methodically Tested & Checked             C2
    EAL4  Methodically Designed, Tested & Reviewed  B1
    EAL5  Semiformally Designed & Tested            B2
    EAL6  Semiformally Verified Design & Tested     B3
    EAL7  Formally Verified Design & Tested         A1

    *TCSEC = Trusted Computer Security Evaluation Criteria -- Orange Book


    ITSEC, CC - Summary

    Used primarily for security evaluations and not for generalized IT audits

    Defines evaluation methodology

    Based on International Standard (ISO 15408)

    Certification scheme in place

    Updated & enhanced on a yearly basis

    Includes extensible standard sets of security

    requirements (Protection Profile libraries)


    ITSEC, CC - Summary

    Allows the confidence level in planned or implemented security to be determined

    Evaluation results not shown in graphic form

    Not very user friendly - learning curve!

    Detailed documentation in electronic PDF format freely available on web server


    Comparison of Methods - Criteria

    Standardisation

    Independence

    Certifiability

    Applicability in practice

    Adaptability


    Comparison of Methods - Criteria

    Extent of Scope

    Presentation of Results

    Efficiency

    Update frequency

    Ease of Use


    Comparison of Methods - Results

    Criterion                  CobiT  BS 7799  BSI  ITSEC/CC
    Standardisation             3.4    3.3     3.1    3.9
    Independence                3.3    3.6     3.5    3.9
    Certifiability              2.7    3.3     3.0    3.7
    Applicability in practice   2.8    3.0     3.1    2.5
    Adaptability                3.3    2.8     3.3    3.0
    Extent of Scope             3.1    2.9     2.7    2.6
    Presentation of Results     1.9    2.2     2.6    1.7
    Efficiency                  3.0    2.8     3.0    2.5
    Update frequency            3.1    2.4     3.4    2.8
    Ease of Use                 2.3    2.7     2.8    2.0

    Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger


    CobiT - Assessment


    BS 7799 - Assessment


    BSI - Assessment


    ITSEC/CC - Assessment


    Use of Methods for IT Audits

    CobiT: Audit method for all IT processes

    ITSEC, CC: Systematic approach for evaluations

    BS7799, BSI: List of detailed security measures to be used as best practice documentation

    What is needed in addition:

    Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)

    Audit concept (general aspects, infrastructure audits, application audits)