INFORMATION SECURITY AUDITING Week 1-5

INFORMATION SECURITY AUDITING

Audit
Independent review and examination of records and activities to assess the adequacy of internal
controls, to ensure compliance with established policies and operational procedures, and to
recommend necessary changes in controls, policies, or procedures.

• Auditing is an a posteriori technique for determining security violations.
• An effective auditing subsystem is a key security component of any system.

IT/IS Audit
 The process of collecting and evaluating evidence to determine whether a computer system
safeguards assets, maintains data integrity, achieves organisational goals effectively and
consumes resources effectively.

Objectives of IT/IS Audit
 Safeguarding of IT/IS assets
 Improved data integrity
 Improved system effectiveness
 Improved system efficiency

What are the elements of IT/IS Audit?


1. Physical and Environmental
2. System Administration
3. Application Software
4. Application Development
5. Network Security
6. Business Continuity
7. Data Integrity
Types of Information system audit
Internal vs External
 The audit function can be performed internally or externally.
 Internal audit is an independent appraisal of operations, conducted under the direction of
management, to assess the effectiveness of internal administrative and accounting
controls and help ensure conformance with managerial policies.
 External audit is an audit conducted by an individual or firm that is independent of the
company being audited.

 A typical structure and context showing where IS Audit fits within a typical large
corporation:
Internal Audit Reporting Structure
 Head of Audit Dept
o Head of IT Audit
- IT Audit Team Members
o Head of Non-IT Audit
- Non-IT Audit Team Members

IS Auditor Qualifications

Independent:
 Professional Independence: the auditor acts independently of the group being audited
 No friendships, dating, suggestive language, parties, lunches
 Organizational Independence: the auditor and his/her organization have no special interest
in the audited organization
 Accounting Controls – those controls which are intended to safeguard the client’s assets
and ensure the reliability of the financial records, i.e. whether financial processes have been
carried out properly.

Knowledge, Skills, Abilities required


 Knowledge of auditing, IS and network security
 Investigation and process flow analysis skills
 Interpersonal/human relation skills
 Verbal and written communications skills
 Ability to exercise good judgment
 Ability to maintain confidentiality
 Ability to use IT desktop office tools, vulnerability analysis tools, and other IT tools

Adhere to Professional Ethics Standard

 ISACA standard and professional care

Professional Competence

 Has skills/knowledge to complete task


 Continued professional training/education

The Role of IT Auditors in the Financial Audit Process

 Develop an understanding and perform preliminary audit work
 Develop the audit plan by designing a technology-based audit approach
 Evaluate internal control systems
 Determine the degree of reliance on internal controls, overseeing investigation of
inappropriate use
 Examine the effectiveness of the IS by performing substantive testing
 Review work and issue the audit report
 Conduct follow-up work
 Review and assess enterprise management controls before performing tests on them

Roles of IT Audit Team

Audit Planning Table

Audit Area                                        Time-frame  Date of Last Test  Responsibility
Policies & Procedures for Registration, Advising  1Q          Never              Internal Auditor
Business Continuity                               2Q          2005               CIO, Security Consultant
FERPA: Personnel interviews                       3Q          Never              Internal Auditor
IT: Penetration Test                              4Q          2006               CIO, Security consultant

Family Educational Rights and Privacy Act of 1974 (FERPA or the Buckley Amendment) is a
United States federal law.
Roles and Responsibilities in IT Audit
 Ensure IT governance by assessing risks and monitoring controls over those risks
 Work as either internal or external auditor
 Work on many kinds of audit engagements
 Review and assess enterprise management controls
 Review and perform tests of enterprise internal controls
 Report to management

Job Tasks and Responsibilities include:

 Designs technology-based audit approaches; analyzes and evaluates enterprise IT
processes
 Works independently or in a team to review enterprise IT controls
 Examines the effectiveness of information security policies and procedures
 Develops and presents training workshops for audit staff
 Conducts and oversees investigations of inappropriate computer use
 Performs special projects and other duties as assigned

Effective IT Audit
 Early involvement
 Informal audits
 Knowledge sharing
 Self-assessments

Why do you need IS Audit?


• Describe security state
– Determine if system enters unauthorized state
• Evaluate effectiveness of protection mechanisms
– Determine which mechanisms are appropriate and working
– Deter attacks because of presence of record
• What do you log?
– Hint: looking for violations of a policy, so record at least what will show such
violations
• What do you audit?
– Need not audit everything
– Key: what is the policy involved?
• IT audit work on financial audit engagements is likely to increase as internal control
evaluation becomes more important

Classifications of Audit
 Financial Audit: Assure integrity of financial statements
 Operational Audit: Evaluate internal controls for a given process or area
 Integrated Audit: Includes both Financial and Operational aspects
 Forensic Audit: Follows up on fraud/crime
 IS Audit: Does IS safeguard data, provide CIA in efficient way?
 Administrative Audit: Assess efficiency of a process or organization
 Specialized Audit: Example:
 SAS 70: Assesses internal controls of a service organization
 Standards, such as SAS No. 94, guide the work of IT auditors on financial audit
engagements

COMPUTERISED INFORMATION SYSTEMS


What Is an Information System?
An information system has been defined from two perspectives:
 Relating to its function: from a functional perspective an information system is a
technologically implemented medium for the purpose of recording, storing, and
disseminating linguistic expressions as well as for supporting inference making.
 Relating to its structure: an information system consists of a collection of people,
processes, data, models, technology and partly formalized language, forming a cohesive
structure which serves some organizational purpose or function.

The functional definition has its merits in focusing on what actual users, from a conceptual point
of view, do with the information system while using it: they communicate with experts to solve a
particular problem.

The structural definition makes clear that IS are socio-technical systems, i.e., systems consisting
of humans, behavior rules, and conceptual and technical artifacts.

 An information system can be defined technically as a set of interrelated
components that collect (or retrieve), process, store, and distribute information to
support decision making and control in an organization. In addition to supporting
decision making, coordination, and control, information systems may also help
managers and workers analyze problems, visualize complex subjects, and create
new products.

Three activities in an information system produce the information that organizations need to
make decisions, control operations, analyze problems, and create new products or services.
These activities are:
 input,
 processing,
 output

Input captures or collects raw data from within the organization or from its external environment.
Processing converts this raw input into a more meaningful form.
Output transfers the processed information to the people who will use it or to the activities for
which it will be used. Information systems also require feedback, which is output that is returned
to appropriate members of the organization to help them evaluate or correct the input stage.

What Is A Computer-Based Information System?


A computer-based information system (CBIS) is an information system that uses computer
technology to perform some or all of its intended tasks. Such a system can include as little as a
personal computer and software. Or it may include several thousand computers of various sizes
with hundreds of printers, plotters, and other devices as well as communication networks (wire-
line and wireless) and databases. In most cases an information system also includes people. The
basic components of information systems are:

Components of Information Systems

1. People resources: (end users and IS specialists, systems analysts, programmers, data
administrators etc.).
2. Hardware: (physical computer equipment and associated devices, machines and media).
3. Software: (programs and procedures).
4. Data: (data and knowledge bases), and
5. Networks: (communications media and network support).

People Resources
 End users: (also called users or clients) are people who use an information system or the
information it produces. They can be accountants, salespersons, engineers, clerks,
customers, or managers. Most of us are information system end users.
 IS specialists: people who actually develop and operate information systems. They
include systems analysts, programmers, testers, computer operators, and other
managerial, technical, and clerical IS personnel.
 Systems analysts design information systems based on the information requirements of
end users, programmers prepare computer programs based on the specifications of
systems analysts, and computer operators operate large computer systems.

Hardware Resources
 Machines: as computers and other equipment along with all data media, objects on which
data is recorded and saved.
 Computer systems: consist of variety of interconnected peripheral devices. Examples are
microcomputer systems, midrange computer systems, and large computer systems.

Software Resources
Software resources include all sets of information processing instructions. This generic concept
of software includes not only the programs, which direct and control computers, but also the sets
of information processing procedures. Software resources include:
 System software, such as an operating system
 Application software, which are programs that direct processing for a
particular use of computers by end users.
 Procedures, which are operating instructions for the people who will use
an information system. Examples are instructions for filling out a paper
form or using a particular software package.

Data Resources
Data resources include data (which is the raw material of information systems) and databases. Data
can take many forms, including traditional alphanumeric data, composed of numbers and
alphabetical and other characters that describe business transactions and other events and
entities.
Text data, consisting of sentences and paragraphs used in written communications; image data,
such as graphic shapes and figures; and audio data, the human voice and other sounds, are also
important forms of data.
Data resources must meet the following criteria:
 Comprehensiveness: means that all the data about the subject are actually
present in the database.
 Non-redundancy: means that each individual piece of data exists only once
in the database.
 Appropriate structure: means that the data are stored in such a way as to
minimize the cost of expected processing and storage.
The data resources of IS are typically organized into:
o Processed and organized data: databases.
o Knowledge in a variety of forms such as facts, rules, and case examples about
successful business practices.

Network Resources
Telecommunications networks like the Internet, intranets, and extranets have become essential to
the successful operations of all types of organizations and their computer-based information
systems. Telecommunications networks consist of computers, communications processors, and
other devices interconnected by communications media and controlled by communications
software. The concept of Network Resources emphasizes that communications networks are a
fundamental resource component of all information systems.
Network resources include:
•Communications media: such as twisted pair wire, coaxial cable, fiber-optic cable, microwave
systems, and communication satellite systems.
•Network support: This generic category includes all of the people, hardware, software, and data
resources that directly support the operation and use of a communications network. Examples
include communications control software such as network operating systems and Internet
packages.

Difference between Computers and Information Systems


Computers provide effective and efficient ways of processing data, and they are a necessary part
of an information system. An IS, however, involves much more than just computers. The
successful application of an IS requires an understanding of the business and its environment that
is supported by the IS. For example, to build an IS that supports transactions executed on the
Nairobi Stock Exchange, it is necessary to understand the procedures related to buying and
selling stocks, bonds, options, and so on, including irregular demands made on the system, as
well as all related government regulations.
In learning about information systems, it is therefore not sufficient just to learn about computers.
Computers are only one part of a complex system that must be designed, operated, and
maintained. A public transportation system in a city provides an analogy. Buses are a necessary
ingredient of the system, but more is needed. Designing the bus routes, bus stops, different
schedules, and so on requires considerable understanding of customer demand, traffic patterns,
city regulations, safety requirements, and the like. Computers, like buses, are only one
component in a complex system.

Information Technology and Information Systems

Information technology is broadly defined as the collection of computer systems used by an
organization. Information technology, in its narrow definition, refers to the technological side of
an information system. It includes the hardware, software, databases, networks, and other
electronic devices. It can be viewed as a subsystem of an information system. Sometimes, though,
the term information technology is also used interchangeably with information system.
THREATS TO AN IS AND WHY THESE THREATS ARE INCREASING

 Examples of natural and political disasters


– fire or excessive heat
– floods
– earthquakes
– high winds
– war
 Examples of software errors and equipment malfunctions
– hardware failures
– power outages and fluctuations
– undetected data transmission errors
 Examples of unintentional acts
– accidents caused by human carelessness
– innocent errors of omissions
– lost or misplaced data
– logic errors
– systems that do not meet company needs
 Examples of intentional acts
– sabotage
– computer fraud
– embezzlement

Why are IS Threats Increasing?

 Increasing numbers of client/server systems mean that information is available to an
unprecedented number of workers.
 Because LANs and client/server systems distribute data to many users, they are harder to
control than centralized mainframe systems.
 WANs are giving customers and suppliers access to each other’s systems and data,
making confidentiality a concern.

Generic IS structure

[Figure: Inputs → Processes → Outputs, with Storage, all within the scope of Internal controls]

CONCEPTS OF IT AUDITING
The purpose of Information Security Auditing is to create a careful balance of the audit process,
governance, and compliance regulations, as well as hands-on introduction to the latest
technology tools.
Internal control is the plan of organization and the methods a business uses to safeguard assets,
provide accurate and reliable information, promote and improve operational efficiency, and
encourage adherence to prescribed managerial policies.
 The specific control procedures used in the internal control and management control
systems may be classified using the following four internal control classifications:
 Preventive, detective, and corrective controls
 General and application controls
 Administrative and accounting controls
 Input, processing, and output controls

Management control encompasses the following three features:

1. It is an integral part of management responsibilities.
2. It is designed to reduce errors and irregularities, and to achieve organizational goals.

IT Governance

 …the process for controlling an organization’s IT resources, including information and
communication systems, and technology.
 …using IT to promote an organization’s objectives and enable business processes and to
manage and control IT related risks.
 To ensure that effective IT management and security principles, policies and processes
with appropriate compliance measurement tools are in place requires an active audit
committee.

Compliance audit
What is a compliance audit?

 A compliance audit is a comprehensive review of an organization's adherence to
regulatory guidelines. Independent accounting, security or IT consultants evaluate the
strength and thoroughness of compliance preparations. Auditors review security policies,
user access controls and risk management procedures over the course of a compliance
audit.
 What, precisely, is examined in a compliance audit will vary depending upon whether an
organization is a public or private company, what kind of data it handles and whether it
transmits or stores sensitive financial data.
 Compliance auditors will generally ask CIOs, CTOs and IT administrators a series of
pointed questions over the course of an audit. These may include what users were added
and when, who has left the company, whether user IDs were revoked and which IT
administrators have access to critical systems. IT administrators prepare for compliance
audits using event log managers and robust change management software to allow
tracking and documentation of authentication and controls in IT systems. The growing
category of GRC (governance, risk management and compliance) software enables CIOs
to quickly show auditors (and CEOs) that the organization is in compliance and will not
be subject to costly fines.
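The questions listed above (who was added and when, which leavers still have live IDs, which administrators reach critical systems) can be answered from a directory export and an HR leaver list. The following is an added example of such a user access review, not material from the lecture notes; the account records, leaver list, field names and the set of critical systems are all constructed for illustration.

```python
"""User access review answering the usual compliance-audit questions.

Added example, not from the lecture notes. The account export, HR leaver list,
field names and the "critical systems" classification are constructed.
"""
from datetime import date

# Constructed directory export: one record per account.
ACCOUNTS = [
    {"user": "alice", "created": date(2023, 11, 2), "status": "active",
     "groups": {"it-admins"}, "systems": {"erp", "payroll"}},
    {"user": "bob", "created": date(2024, 2, 14), "status": "active",
     "groups": {"finance"}, "systems": {"erp"}},
    {"user": "carol", "created": date(2024, 3, 1), "status": "active",
     "groups": {"it-admins"}, "systems": {"hr-db"}},
    {"user": "dave", "created": date(2022, 6, 30), "status": "disabled",
     "groups": set(), "systems": set()},
    {"user": "erin", "created": date(2024, 1, 9), "status": "active",
     "groups": {"sales"}, "systems": {"crm"}},
]

# Constructed HR leaver list: user -> last working day.
LEAVERS = {"dave": date(2024, 1, 31), "erin": date(2024, 2, 28)}

# Constructed classification of which systems count as critical.
CRITICAL_SYSTEMS = {"erp", "payroll", "hr-db"}


def accounts_added(accounts, start, end):
    """Q: which users were added in the review period, and when?"""
    return sorted((a["user"], a["created"].isoformat())
                  for a in accounts if start <= a["created"] <= end)


def unrevoked_leavers(accounts, leavers, as_of):
    """Q: who has left the company, and were their IDs revoked?
    Flags a leaver whose last day has passed but whose account is still active."""
    by_user = {a["user"]: a for a in accounts}
    return sorted(u for u, last_day in leavers.items()
                  if last_day < as_of
                  and by_user.get(u, {}).get("status") == "active")


def admins_on_critical_systems(accounts, critical):
    """Q: which IT administrators have access to critical systems?"""
    return {a["user"]: sorted(a["systems"] & critical)
            for a in accounts
            if "it-admins" in a["groups"] and a["systems"] & critical}


def access_review(accounts, leavers, critical, start, end):
    """Bundle the three answers into one review result for the working papers."""
    return {
        "added": accounts_added(accounts, start, end),
        "unrevoked_leavers": unrevoked_leavers(accounts, leavers, end),
        "admins_on_critical": admins_on_critical_systems(accounts, critical),
    }


if __name__ == "__main__":
    result = access_review(ACCOUNTS, LEAVERS, CRITICAL_SYSTEMS,
                           date(2024, 1, 1), date(2024, 3, 31))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The unrevoked-leaver check is the one that most often produces a finding in practice: it compares two independent sources (HR and the directory), so a missed deprovisioning step shows up as a discrepancy rather than relying on the administrator's own records.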

IT General and Application Controls Hierarchy

 Governance
o Policies
o IT Standards
 Management
o Management and Organization
o Physical and Environmental Controls
o Systems Software Controls
 Technical
o Systems Development Controls
o Application-based controls

What does Auditing involve?


• Logging
– Recording events or statistics to provide information about system use and
performance
• Auditing
– Analysis of log records to present information about the system in a clear,
understandable manner
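The two halves described here (logging as recording the evidence, auditing as analysing it against a policy) and the earlier point that you need not log or audit everything, only what shows a violation of the policy involved, can be illustrated in a few dozen lines. The following is an added example, not code from the lecture notes: the log lines, the user groups, the business-hours rule and the failed-login threshold are all constructed. Note that the ordinary `cat /etc/passwd` by an administrator is logged but produces no finding, because no policy rule covers it.

```python
"""Logging vs. auditing: record events, then analyse the log against a policy.

Added example, not from the lecture notes. Log lines, group membership and
policy thresholds below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: "<timestamp> <event> <user> <detail>"
SAMPLE_LOG = """\
2024-03-04T08:02:11 LOGIN_OK alice workstation-12
2024-03-04T08:05:40 CMD alice cat /etc/passwd
2024-03-04T09:15:02 LOGIN_FAIL bob workstation-07
2024-03-04T09:15:20 LOGIN_FAIL bob workstation-07
2024-03-04T09:15:41 LOGIN_FAIL bob workstation-07
2024-03-04T09:16:05 LOGIN_FAIL bob workstation-07
2024-03-04T12:30:00 CMD carol useradd mallory
2024-03-04T23:45:10 LOGIN_OK dave workstation-03
"""

# Constructed policy: only this group may run account-administration commands,
# these users may only log in during business hours, and more than N failed
# logins inside the window is reportable.
ADMIN_GROUP = {"alice"}
PRIVILEGED_COMMANDS = ("useradd", "userdel", "usermod")
RESTRICTED_TO_HOURS = {"dave"}
BUSINESS_HOURS = (7, 19)              # 07:00 <= hour < 19:00
FAILED_LOGIN_LIMIT = 3
FAILED_LOGIN_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Logging side: turn raw lines into structured records (the evidence)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, detail = line.split(" ", 3)
        records.append({"ts": datetime.fromisoformat(ts), "event": event,
                        "user": user, "detail": detail})
    return records


def audit(records):
    """Auditing side: evaluate records against the policy and report only
    what shows a violation, as (rule, user, timestamp) tuples."""
    violations = []
    failures = defaultdict(list)          # user -> timestamps of recent failures
    for r in records:
        if (r["event"] == "CMD"
                and r["detail"].split()[0] in PRIVILEGED_COMMANDS
                and r["user"] not in ADMIN_GROUP):
            violations.append(("unauthorised_admin_command", r["user"],
                               r["ts"].isoformat()))
        if (r["event"] == "LOGIN_OK" and r["user"] in RESTRICTED_TO_HOURS
                and not BUSINESS_HOURS[0] <= r["ts"].hour < BUSINESS_HOURS[1]):
            violations.append(("login_outside_hours", r["user"],
                               r["ts"].isoformat()))
        if r["event"] == "LOGIN_FAIL":
            recent = [t for t in failures[r["user"]] + [r["ts"]]
                      if r["ts"] - t <= FAILED_LOGIN_WINDOW]
            if len(recent) > FAILED_LOGIN_LIMIT:
                violations.append(("repeated_login_failure", r["user"],
                                   r["ts"].isoformat()))
                recent = []               # report one burst once
            failures[r["user"]] = recent
    return violations


def audit_report(text):
    """Full cycle: parse the log, then audit it."""
    return audit(parse_log(text))


if __name__ == "__main__":
    for rule, user, when in audit_report(SAMPLE_LOG):
        print(f"{when}  {rule:28s} {user}")
```

The point the notes make is visible in the output: of eight logged events only three are reported, and each maps to a named policy rule, which is what makes the report reviewable rather than a dump of the log.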
THE IMPACT OF INFORMATION TECHNOLOGY ON THE AUDIT FUNCTION
How Information Technologies Enhance Internal Control
 Computer controls replace manual controls

 Higher-quality information is available

 Separation of duties
 Delegation of authority and responsibility
 Competent and trustworthy personnel
 System of authorizations
 Adequate documents and records
 Physical control over asset and records
 Adequate management supervision
 Independent check on performance
 Comparing recorded accountability with assets

Effects of computers on auditing


 Changes to evidence collection
 Changes to evidence evaluation

Changing IT & Its Effect on Auditing

 Distributed data processing (DDP): information processing at division/user level (as opposed
to central/HQ)
 Networking: LAN, WAN
 Electronic data interchange (EDI): business transactions over networks/internet; benefits:
reduction in paperwork, faster turnaround time

- Audit implications:

# DDP → access controls/telecom controls that transmit data to/from the central computer;
completeness/accuracy of data transmitted between central and divisions

# Networking → need to understand the network and the accounting cycles affected by it; access
controls – validity, authorisation, completeness of transactions processed

 e-commerce

 Real-time systems:

- Batch transactions → transactions entered as a group, batched, transaction file then
created and run against the master file
- Online/real-time system → transactions entered individually, master file changed
immediately (e.g. ATM, JIT, EPOS)

- Audit implications:

# Fewer hard copy source documents

# No batch controls (to ensure completeness)

# Access controls

# Electronic authorisation in system

# Auditing needs to be continuous
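The audit implication "no batch controls (to ensure completeness)" is easier to see with the batch case worked through. The following is an added example, not from the lecture notes: it takes the classic batch control totals (record count, control total of amounts, hash total of account numbers) at data entry, runs the transaction file against a master file, and reconciles. The transactions and master files are constructed; the second master file is missing an account, so one transaction is silently dropped and the controls catch it. In an online/real-time system each transaction updates the master immediately and there is no batch header to reconcile against, which is exactly the gap the notes point at.

```python
"""Batch controls for completeness: count, control total and hash total.

Added example, not from the lecture notes. Transactions and master files
are constructed for illustration.
"""
from decimal import Decimal

# Constructed transaction batch: (account number, amount)
BATCH = [
    ("1001", Decimal("250.00")),
    ("1002", Decimal("-40.50")),
    ("1003", Decimal("99.99")),
    ("1001", Decimal("10.01")),
]

# Constructed master files: one complete, one missing account 1003.
MASTER_COMPLETE = {"1001": Decimal("1000.00"), "1002": Decimal("500.00"),
                   "1003": Decimal("0.00")}
MASTER_MISSING = {"1001": Decimal("1000.00"), "1002": Decimal("500.00")}


def batch_controls(transactions):
    """Totals taken when the batch is entered (the batch header)."""
    return {
        "count": len(transactions),
        "control_total": sum(amt for _, amt in transactions),   # meaningful sum
        "hash_total": sum(int(acct) for acct, _ in transactions),  # meaningless sum
    }


def post_batch(master, transactions):
    """Run the transaction file against the master file.
    Returns the updated master and the transactions actually applied. A
    transaction for an unknown account is dropped without error, which is the
    kind of incompleteness batch controls exist to detect."""
    master = dict(master)
    applied = []
    for acct, amt in transactions:
        if acct in master:
            master[acct] += amt
            applied.append((acct, amt))
    return master, applied


def reconcile(expected, applied):
    """Recompute the controls over what was posted and report any mismatch
    as {control: (expected, actual)}; an empty dict means the batch is complete."""
    actual = batch_controls(applied)
    return {k: (expected[k], actual[k]) for k in expected
            if expected[k] != actual[k]}


def run_and_check(master, transactions):
    """Full cycle: controls at entry, post the batch, reconcile afterwards."""
    expected = batch_controls(transactions)
    _, applied = post_batch(master, transactions)
    return reconcile(expected, applied)


if __name__ == "__main__":
    print("complete master:", run_and_check(MASTER_COMPLETE, BATCH))
    print("missing account:", run_and_check(MASTER_MISSING, BATCH))
```

The hash total is included deliberately: a control total on amounts alone would not notice two transactions whose amounts cancel being dropped together, whereas the sum of account numbers changes.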

 Intelligent systems – DSS & ES

- Knowledge & decision processes of experts into a computer program

- E.g. American Express – Authoriser’s Assistant → no credit limit, so the system needs to know
when to accept/deny a credit card transaction

- Audit implications:

- Integrity of knowledge captured in the system, logic of decision-making process

 End-user computing

- End users use own applications/files – shorter development time, reduction in conflicts
btw user/IT dept

- But end users may not be subject to the same IT controls at central

- Audit implications:

- Weak controls may allow end users to access/modify data at the main computer centre →
safeguarding of assets/data integrity

COMPLEXITY OF IT SYSTEMS
 Low complexity:

- Stand-alone PC/a few PCs in a network

- Lack of segregation of duties, limited security/access controls, limited data/operation
controls

 Medium complexity:

- Mini-computer/server, number of PCs/terminals networked to server

- More advanced software, utility programs to enter/change data, purchased software
used/modified

- Limited segregation of duties within computer dept and between IT/user depts

- May not be a separate/secure location for the computer

- Documentation of the system may be limited

 Advanced systems:

- Telecommunications, extensive DB systems, online/real-time processing, automatic
transaction initiation/EDI/e-commerce, no visual audit trail

- Mainframe computers

- General/application controls

Internal Controls Specific to Information Technology

General controls = relate to the overall information processing environment and have a pervasive
effect on computer operations

Application controls = relate to the processing of specific computer applications

Control environment factors affected by IT

 Assignment of authority & responsibility

- DBMS – authorisation of access, responsibility over data integrity

- Remote locations – need to build supervisory controls and monitoring processes into
computer systems

 Human resource policies/procedures

- Trustworthy, skilful employees

 Information processing:

- Transaction authorisation → part of the computer program, e.g. automatic credit approval
within a set credit limit, automatic pricing of sales transactions

- Unauthorised access

- Keeping of adequate documents → a paper audit trail may not be present → the auditor must
rely on CAATs to obtain evidence on transaction processing

 Segregation of duties:

- In an IT environment, programs within a computer system may perform all of the following
functions: initiating transactions, authorisation, recording, custody of assets.

- Must have adequate controls to compensate

 Physical controls

- Easier to hide theft of assets, e.g. fictitious purchases of goods, then mail a cheque to a
fictitious supplier → cash goes to personal funds

- Backup controls, disaster recovery plan

The Audit Process in an IT Environment

The auditor's knowledge of the entity's computer processing must include:

 The extent to which the computer is used in each significant accounting application.

 The complexity of the entity's computer operations.

 The organizational structure of the computer processing activities.

 The availability of data for audit evidence.

NB: Audit objectives do not change in an IT environment.

However, the methods of applying specific audit procedures change → need to use CAATs

How PC’s can be used as an Audit Tool


 Lead schedule preparation.

 Working paper preparation and data retrieval and analysis.

 Audit program preparation.

 Analytical procedures.
 Documentation of internal control .

 Performance of statistical sampling applications.

Key IT areas involved in IT Audit


 General Controls (physical, DR, users)
 Technology (Windows, Unix, Networks, Firewalls)
 Penetration Tests and vulnerability assessments
 Systems Development Life Cycle
 Application Reviews
 Post Implementation Reviews
THE BUSINESS PROCESS AND IT RISK
Key Problems – Management & Organisational
• Management has no detailed insight into Information or IT Risks
– The Value of Information, Applications and systems is unknown
– The Costs of Security Incidents cannot be predicted
– The Effectiveness and Efficiency of Controls cannot be evaluated and measured
• Organisational Structure
– Responsibility for Information, Applications, IT Systems not clearly defined
– Monitoring and Evaluation of Security posture lacking
– Disaster Preparedness, Business Continuity and Testing not clearly embedded in
organisational structure

Why Standards?

Costs
• Use of proven and existing models
• Methodology of standardisation and repeatability
• Consolidation of resources through continuity and standardization

Introduction of a relevant security framework model
• State-of-the-art technological standards
• Currency
• Improving security maturity through cyclical assessment

Competition
• Certification of organisations, services or products
• Improve the image of the organisation
• Reduce litigation risk
• Leading edge over competitors through meeting standards

Compliance
• Readiness for impending regulatory requirements
• Compliance with existing regulations

Best Practice – Key Areas

Roles & Responsibilities (SODs)
• Clear segregation of duties
• Clear definition of roles and responsibilities
• Defined security management processes

Policies & Procedures
• Central acquisition of systems and infrastructure
• Prohibit private systems and software use
• Physical access to data centre, interfaces etc.
• Maintenance and upgrade schedule
• Guidelines to destroy unused data and systems
• Clear definition of communications protocols
• Use of preventative control systems (AV, firewalls, IDSs, etc.)
• Design and implementation of BCP/DRP concepts

Documentation
• State-of-the-art network and system documentation
• User matrix
• Labelling of hosts, cables, devices, etc.
• Up-to-date IT inventory
• Port matrix

Audit and Control
• Authentication and authorisation rules
• Regular audits of controls and behaviour of users
• Logging

What is information security?

• Safeguarding your company’s business interests by protecting its information assets’
Confidentiality, Integrity, and Availability.

• Protecting information against unauthorised access, disclosure, modification, manipulation,
misuse, destruction or loss, whether intentional or otherwise.

• Information Security is not about Safety

• Information Security is not restricted to Physical Security (access control, etc.) but
covers data protection, business continuity, operations, communications, project
development, etc.

Understanding the Risk

• What Are You Trying To Protect?

• What Are You Trying To Protect It From?

• How Do You Protect It?

What are You Trying to Protect?


• Your Data
– Confidentiality - don’t want others to know it
– Integrity - don’t want others to change it
– Availability - the ability to use it yourself

• Your Resources
– Computer time and disk space

• Your Reputation
– What you do and what others do posing as you

What are You Trying to Protect Against?


• Types of Attacks
– Intrusion - the most common
– Denial of Service - preventing usage (including , etc)
– Information Theft - exploit Internet services

• That’s not all you’re protecting against!
– Accidents
• 55% of incidents result from untrained users doing what they shouldn’t
(Computer Security Institute)

Why Do They Break In?

• Money or profit (theft)

• Modification of information

• Fun, challenge, and acceptance

• Vengeance or justice

• Religious or political beliefs

• Military or economic advantage

• Gathering or destruction of information


The Internet: Benefits v. Risks
• The Benefits:
– Low-cost access to huge databases
– Access to World Wide Web
– E-mail / E-Commerce
– Information!

• The Risks:
– Reduced security for system resources
– Possibility of compromised confidential data
– Possibility of malicious attacks from outside sources
– Information!

Real Threats
1. Hacker

2. Social Engineering
• Attackers usually assume a position of trust
– People are naturally helpful and trusting

• Used by attackers to gain information or open holes


– Dumpster diving and shoulder surfing
• Org charts, passwords, phone books, log files

• The Best Defence: SECURE AUTHENTICATION and AWARENESS

3. Sniffing
• Sniffing is a term for digital wiretapping on the network

• Similar to a phone tap but undetectable


• Defeated by encrypting data (Kerberos, SSL, Certificates)

4. Viruses
• Can perform unauthorised actions

• Caught by downloading infected program or data files

• Viruses reproduce by copying themselves into other files

5. Hoaxes

• An e-mail or rumour of computer viruses, free giveaways or chain letter contests that are
untrue.
• There is no way to track e-mail proliferation.

• Hoaxes tie up e-mail bandwidth and job time as well as embarrass the sender.
– II.1 Letter from tsunami victim (hoax)
• The Bait: An email that wants you to transfer money for them (like the
Nigerian hoax)
• What it tries to make you do: Reply to the email
• Where you can see how it actually appears:
http://www.sophos.com/virusinfo/hoaxes/tsunami.html
– II.2 Unidentified tsunami boy (hoax)
• The Bait: A picture of a Tsunami victim
• What it tries to make you do: Forward the email (2MB in size) to slow
down your network.
• Where you can read more on this story:
http://www.sophos.com/virusinfo/hoaxes/tsunami_boy.html

6. Denial of Service
• Most result from an overload of resources
– Disk
– Network bandwidth
– Internal tables
– Input buffers

• Examples of Denial of Service attacks


– Ping floods
– TCP Syn floods
– Ping of death
– UDP bombs
The financial impact

• 80% of information attacks/leaks come from inside a company (CSI/FBI)

• A corporate firewall is no guarantee of protection

• Our network is a microcosm of the World Wide Internet
– Employees
– Joint Venture Employees
– Contractors
– Non-Kenyan Citizens

The Solution
Implementing a suitable set of controls…

 People: organisational structures
 Process: policies, practices and procedures
 Technology: IT infrastructure/architecture

…while incorporating business and other requirements, e.g. regulatory, and in reference to best
practice

Regulations, Standards, Best Practices

• Sarbanes-Oxley Act of 2002 (SOX)
• Payment Card Industry Data Security Standard (PCI DSS)
• ISO17799 & ISO27001 for Information Security Management
• COBIT (Control Objectives for Information Technology) for IT Governance and
Controls
• ITIL (IT Infrastructure Library) and ISO20000 for IT service management, etc.
• COSO (Committee of Sponsoring Organizations of the Treadway Commission)
• Health Insurance Portability and Accountability Act (HIPAA)
• Gramm-Leach-Bliley Act of 1999 (GLBA)
