7/30/2019 Lecture 1 - Information Systems Auditing Overview and Methodologies
Information Systems Audit Overview and Methodologies
By Juma Tom V, Lecturer
Agenda
CobiT
BS 7799 - Code of Practice (CoP)
BSI - IT Baseline Protection Manual
ITSEC
Common Criteria (CC)
IT Audit Methodologies - URLs
CobiT: www.isaca.org
BS7799: www.bsi.org.uk/disc/
BSI: www.bsi.bund.de/gshb/english/menue.htm
ITSEC: www.itsec.gov.uk
CC: csrc.nist.gov/cc/
Main Areas of Use
IT Audits
Risk Analysis
Health Checks (Security Benchmarking)
Security Concepts
Security Manuals / Handbooks
Security Definition
Confidentiality
Integrity
Correctness
Completeness
Availability
Non-repudiation
CobiT
Governance, Control & Audit for IT
Developed by ISACA
Releases
CobiT 1: 1996
32 Processes
271 Control Objectives
CobiT 2: 1998
34 Processes
302 Control Objectives
CobiT - Model for IT Governance
36 Control models used as basis:
Business control models (e.g. COSO)
IT control models (e.g. DTI's CoP)
CobiT control model covers:
Security (Confidentiality, Integrity, Availability)
Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
IT Resources (Data, Application Systems, Technology, Facilities, People)
CobiT - Framework
CobiT - Structure
4 Domains
PO - Planning & Organisation
11 processes (high-level control objectives)
AI - Acquisition & Implementation
6 processes (high-level control objectives)
DS - Delivery & Support
13 processes (high-level control objectives)
M - Monitoring
4 processes (high-level control objectives)
PO - Planning and Organisation
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organisation and Relationships
PO 5 Manage the IT Investment
PO 6 Communicate Management Aims and Direction
PO 7 Manage Human Resources
PO 8 Ensure Compliance with External Requirements
PO 9 Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality
AI - Acquisition and Implementation
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes
DS - Delivery and Support
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
M - Monitoring
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit
CobiT - IT Process Matrix
Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
IT Resources: People, Applications, Technology, Facilities, Data
IT Processes: each process is rated against the Information Criteria and mapped to the IT Resources it uses
CobiT - Summary
Mainly used for IT audits, incl. security aspects
No detailed evaluation methodology described
Developed by international organisation (ISACA)
Up-to-date: Version 2 released in 1998
Only high-level control objectives described
Detailed IT control measures are not documented
Not very user friendly - learning curve!
Evaluation results not shown in graphic form
CobiT - Summary
May be used for self assessments
Useful aid in implementing IT control systems
No suitable basis to write security handbooks
3 parts freely downloadable from ISACA site
CobiT Advisor 2nd edition:
BS 7799 - CoP
Code of Practice for Information Security Management
Developed by UK DTI, BSI: British Standard
Releases
CoP: 1993
BS 7799: Part 1: 1995
BS 7799: Part 2: 1998
Certification & Accreditation scheme (c:cure)
BS 7799 - Security Baseline Controls
10 control categories
32 control groups
109 security controls
10 security key controls
BS 7799 - Control Categories
Information security policy
Security organisation
Assets classification & control
Personnel security
Physical & environmental security
Computer & network management
BS 7799 - Control Categories
System access control
Systems development & maintenance
Business continuity planning
Compliance
BS7799 - 10 Key Controls
Information security policy document
Allocation of information security responsibilities
Information security education and training
Reporting of security incidents
Virus controls
BS7799 - 10 Key Controls
Business continuity planning process
Control of proprietary software copying
Safeguarding of organizational records
Data protection
Compliance with security policy
BS7799 - Summary
Main use: Security Concepts & Health Checks
No evaluation methodology described
British Standard, developed by UK DTI
Certification scheme in place (c:cure)
BS7799, Part1, 1995 is being revised in 1999
Lists 109 ready-to-use security controls
No detailed security measures described
Very user friendly - easy to learn
BS7799 - Summary
Evaluation results not shown in graphic form
May be used for self assessments
BS7799, Part1:
BS7799, Part2:
BSI Electronic book of Part 1:
Several BS7799 c:cure publications from BSI
CoP-iT software from SMH, UK:
BSI (Bundesamt für Sicherheit in der Informationstechnik)
IT Baseline Protection Manual (IT-Grundschutzhandbuch)
Developed by German BSI (GISA: German Information Security Agency)
Releases:
IT security manual: 1992
IT baseline protection manual: 1995
New versions (paper and CD-ROM): each year
BSI - Approach
Used to determine IT security measures for medium-level protection requirements
Straightforward approach, since a detailed risk analysis is not performed
Based on generic & platform-specific security requirements, detailed protection measures are constructed using given building blocks
The list of assembled security measures may be used to establish or enhance baseline protection
BSI - Structure
IT security measures
7 areas
34 modules (building blocks)
Safeguards catalogue
6 categories of security measures
Threats catalogue
5 categories of threats
BSI - Security Measures (Modules)
Protection for generic components
Infrastructure
Non-networked systems
LANs
Data transfer systems
Telecommunications
Other IT components
BSI - Generic Components
3.1 Organisation
3.2 Personnel
3.3 Contingency Planning
3.4 Data Protection
BSI - Infrastructure
4.1 Buildings
4.2 Cabling
4.3 Rooms
4.3.1 Office
4.3.2 Server Room
4.3.3 Storage Media Archives
4.3.4 Technical Infrastructure Room
4.4 Protective cabinets
4.5 Home working place
BSI - Non-Networked Systems
5.1 DOS PC (Single User)
5.2 UNIX System
5.3 Laptop
5.4 DOS PC (multiuser)
5.5 Non-networked Windows NT computer
5.6 PC with Windows 95
5.99 Stand-alone IT systems
BSI - LANs
6.1 Server-Based Network
6.2 Networked Unix Systems
6.3 Peer-to-Peer Network
6.4 Windows NT network
6.5 Novell Netware 3.x
6.6 Novell Netware version 4.x
6.7 Heterogeneous networks
BSI - Data Transfer Systems
7.1 Data Carrier Exchange
7.2 Modem
7.3 Firewall
7.4 E-mail
BSI - Telecommunications
8.1 Telecommunication system
8.2 Fax Machine
8.3 Telephone Answering Machine
8.4 LAN integration of an IT system via ISDN
BSI - Other IT Components
9.1 Standard Software
9.2 Databases
9.3 Telecommuting
BSI - Module Data Protection (3.4)
Threats - Technical failure:
T 4.13 Loss of stored data
Security Measures - Contingency planning:
S 6.36 Stipulating a minimum data protection concept
S 6.37 Documenting data protection procedures
S 6.33 Development of a data protection concept (optional)
S 6.34 Determining the factors influencing data protection (optional)
S 6.35 Stipulating data protection procedures (optional)
S 6.41 Training data reconstruction
Security Measures - Organisation:
S 2.41 Employees' commitment to data protection
S 2.137 Procurement of a suitable data backup system
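The building-block approach described under "BSI - Approach" (select the modules that apply to a system, assemble the safeguards they list, compare the result with what is actually in place) can be checked mechanically, and module 3.4 above gives enough detail to show how. The following Python is an added example, not code from the lecture or from the BSI manual: module 3.4 uses the threat and safeguard identifiers from the slide, while module 4.3.2, the S1 safeguards assigned to it, the implemented-safeguard set and all function names are constructed assumptions for illustration.

```python
"""Baseline-protection gap check in the style of the BSI IT Baseline Protection
Manual: pick the modules (building blocks) that apply to a system, assemble the
safeguards they require, and compare them with what is actually implemented.

Added example, not part of the lecture or the BSI manual. Module 3.4 is taken
from the slide; module 4.3.2 and its safeguard list are a constructed assumption.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Module:
    """One building block: the threats it addresses and the safeguards it lists."""
    number: str
    name: str
    threats: frozenset
    required: frozenset                                  # must be in place
    optional: frozenset = field(default_factory=frozenset)


# Module 3.4 as listed on the slide (T/S identifiers from the manual).
MODULE_3_4 = Module(
    "3.4", "Data Protection",
    threats=frozenset({"T 4.13"}),
    required=frozenset({"S 6.36", "S 6.37", "S 6.41", "S 2.41", "S 2.137"}),
    optional=frozenset({"S 6.33", "S 6.34", "S 6.35"}),
)

# CONSTRUCTED for this example: a server-room module built from S1 safeguards
# the slides mention. The manual's real module 4.3.2 content is not on the page,
# so its threat list is left empty here.
MODULE_4_3_2 = Module(
    "4.3.2", "Server Room (constructed)",
    threats=frozenset(),
    required=frozenset({"S 1.7", "S 1.10", "S 1.18", "S 1.27", "S 1.28"}),
)

CATALOGUE = {m.number: m for m in (MODULE_3_4, MODULE_4_3_2)}


def assemble_safeguards(module_numbers):
    """Union the safeguards of the selected modules (the 'assembled list').
    A safeguard required by one module and optional in another counts as required."""
    required, optional = set(), set()
    for num in module_numbers:
        mod = CATALOGUE[num]
        required |= mod.required
        optional |= mod.optional
    return frozenset(required), frozenset(optional - required)


def gap_report(module_numbers, implemented):
    """Compare the assembled safeguards with the implemented set.

    Returns the missing required and optional safeguards, the share of required
    safeguards in place, the threats of modules whose required safeguards are
    incomplete, and implemented safeguards no selected module asks for."""
    required, optional = assemble_safeguards(module_numbers)
    implemented = set(implemented)
    open_threats = set()
    for num in module_numbers:
        mod = CATALOGUE[num]
        if mod.required - implemented:          # at least one required gap
            open_threats |= mod.threats
    coverage = 1.0 if not required else len(required & implemented) / len(required)
    return {
        "missing_required": sorted(required - implemented),
        "missing_optional": sorted(optional - implemented),
        "coverage": round(coverage, 2),
        "open_threats": sorted(open_threats),
        "unknown_safeguards": sorted(implemented - required - optional),
    }


if __name__ == "__main__":
    # Constructed state of a fictitious file server: a backup concept exists,
    # but procedures are undocumented and reconstruction was never rehearsed.
    implemented = {"S 6.36", "S 2.41", "S 2.137", "S 1.7", "S 1.18", "S 1.27", "S 1.28"}
    for key, value in gap_report(["3.4", "4.3.2"], implemented).items():
        print(f"{key}: {value}")
```

Because the manual links each module to the threats it counters, a module with any required safeguard missing is reported with its threats still open (T 4.13, loss of stored data, in the sample run); the "unknown_safeguards" list shows controls an auditor found that no selected building block explains, which usually means a module was left out of the selection.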
BSI - Safeguards (420 safeguards)
S1 - Infrastructure ( 45 safeguards)
S2 - Organisation (153 safeguards)
S3 - Personnel ( 22 safeguards)
S4 - Hardware & Software ( 83 safeguards)
S5 - Communications ( 62 safeguards)
S6 - Contingency Planning ( 55 safeguards)
BSI - S1-Infrastructure (45 safeguards)
S 1.7 Hand-held fire extinguishers
S 1.10 Use of safety doors
S 1.17 Entrance control service
S 1.18 Intruder and fire detection devices
S 1.27 Air conditioning
S 1.28 Local uninterruptible power supply [UPS]
S 1.36 Safekeeping of data carriers before and after dispatch
BSI - Security Threats (209 threats)
T1 - Force Majeure (10 threats)
T2 - Organisational Shortcomings (58 threats)
T3 - Human Errors (31 threats)
T4 - Technical Failure (32 threats)
T5 - Deliberate acts (78 threats)
BSI - T3-Human Errors (31 threats)
T 3.1 Loss of data confidentiality/integrity as a result of IT user error
T 3.3 Non-compliance with IT security measures
T 3.6 Threat posed by cleaning staff or outside staff
T 3.9 Incorrect management of the IT system
T 3.12 Loss of storage media during transfer
T 3.16 Incorrect administration of site and data access rights
T 3.24 Inadvertent manipulation of data
T 3.25 Negligent deletion of objects
BSI - Summary
Main use: Security concepts & manuals
No evaluation methodology described
Developed by German BSI (GISA)
Updated version released each year
Lists 209 threats & 420 security measures
34 modules cover generic & platform-specific security requirements
BSI - Summary
User friendly with a lot of security details
Not suitable for security risk analysis
Results of security coverage not shown in graphic form
Manual in HTML format on BSI web server
Manual in Winword format on CD-ROM
(first CD free, additional CDs cost DM 50.-- each)
Paper copy of manual: DM 118.--
Software BSI Tool (only in German): DM 515.--
ITSEC, Common Criteria
ITSEC: IT Security Evaluation Criteria
Developed by UK, Germany, France, Netherlands, and based primarily on USA TCSEC (Orange Book)
Releases
ITSEC: 1991
ITSEM: 1993 (IT Security Evaluation Manual)
UK IT Security Evaluation & Certification scheme: 1994
ITSEC, Common Criteria
Common Criteria (CC)
Developed by USA, EC: based on ITSEC
ISO International Standard
Releases
CC 1.0: 1996
CC 2.0: 1998
ISO IS 15408: 1999
ITSEC - Methodology
Based on a systematic, documented approach for security evaluations of systems & products
Open ended with regard to the defined set of security objectives
ITSEC Functionality classes; e.g. FC-C2
CC protection profiles
Evaluation steps:
Definition of functionality
Assurance: confidence in functionality
ITSEC - Functionality
Security objectives (Why)
Risk analysis (Threats, Countermeasures)
Security policy
Security enforcing functions (What)
technical & non-technical
Security mechanisms (How)
Evaluation levels
ITSEC - Assurance
Goal: Confidence in functions & mechanisms
Correctness
Construction (development process & environment)
Operation (process & environment)
Effectiveness
Suitability analysis
Strength of mechanism analysis
Vulnerabilities (construction & operation)
CC - Security Concept
CC - Evaluation Goal
CC - Documentation
CC Part 1: Introduction and Model
* Introduction to Approach
* Terms and Model
* Requirements for Protection Profiles (PP) and Security Targets (ST)
CC Part 2: Functional Requirements
* Functional Classes
* Functional Families
* Functional Components
* Detailed Requirements
CC Part 3: Assurance Requirements
* Assurance Classes
* Assurance Families
* Assurance Components
* Detailed Requirements
* Evaluation Assurance Levels (EAL)
CC - Security Requirements
Functional Requirements - for defining the security behaviour of the IT product or system:
implemented requirements become security functions
Assurance Requirements - for establishing confidence in the Security Functions:
correctness of implementation
effectiveness in satisfying objectives
CC - Security Functional Classes
Class  Name
FAU    Audit
FCO    Communications
FCS    Cryptographic Support
FDP    User Data Protection
FIA    Identification & Authentication
FMT    Security Management
FPR    Privacy
FPT    Protection of TOE Security Functions
FRU    Resource Utilization
FTA    TOE (Target Of Evaluation) Access
FTP    Trusted Path / Channels
CC - Security Assurance Classes
Class  Name
ACM    Configuration Management
ADO    Delivery & Operation
ADV    Development
AGD    Guidance Documents
ALC    Life Cycle Support
ATE    Tests
AVA    Vulnerability Assessment
APE    Protection Profile Evaluation
ASE    Security Target Evaluation
AMA    Maintenance of Assurance
CC Eval. Assurance Levels (EALs)
EAL   TCSEC*  Name
EAL1  -       Functionally Tested
EAL2  C1      Structurally Tested
EAL3  C2      Methodically Tested & Checked
EAL4  B1      Methodically Designed, Tested & Reviewed
EAL5  B2      Semiformally Designed & Tested
EAL6  B3      Semiformally Verified Design & Tested
EAL7  A1      Formally Verified Design & Tested
*TCSEC = Trusted Computer Security Evaluation Criteria -- Orange Book
ITSEC, CC - Summary
Used primarily for security evaluations and not for generalized IT audits
Defines evaluation methodology
Based on International Standard (ISO 15408)
Certification scheme in place
Updated & enhanced on a yearly basis
Includes extensible standard sets of security
requirements (Protection Profile libraries)
ITSEC, CC - Summary
Allows the confidence level in planned or implemented security to be determined
Evaluation results not shown in graphic form
Not very user friendly - learning curve!
Detailed documentation in electronic PDF format freely available on web server
Comparison of Methods - Criteria
Standardisation
Independence
Certifiability
Applicability in practice
Adaptability
Comparison of Methods - Criteria
Extent of Scope
Presentation of Results
Efficiency
Update frequency
Ease of Use
Comparison of Methods - Results
Criterion                  CobiT  BS 7799  BSI  ITSEC/CC
Standardisation            3.4    3.3      3.1  3.9
Independence               3.3    3.6      3.5  3.9
Certifiability             2.7    3.3      3.0  3.7
Applicability in practice  2.8    3.0      3.1  2.5
Adaptability               3.3    2.8      3.3  3.0
Extent of Scope            3.1    2.9      2.7  2.6
Presentation of Results    1.9    2.2      2.6  1.7
Efficiency                 3.0    2.8      3.0  2.5
Update frequency           3.1    2.4      3.4  2.8
Ease of Use                2.3    2.7      2.8  2.0
Scores between 1 (low) and 4 (high). Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger.
CobiT - Assessment
BS 7799 - Assessment
BSI - Assessment
ITSEC/CC - Assessment
Use of Methods for IT Audits
CobiT: Audit method for all IT processes
ITSEC, CC: Systematic approach for evaluations
BS7799, BSI: List of detailed security measures to be used as best practice documentation
Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)
What is needed in addition:
Audit concept (general aspects, infrastructure audits, application audits)