
Information Security Audit and Features
Information Security Audit
• An information security audit is one of the
best ways to determine the security of an
organization's information without incurring
the cost and other associated damages of a
security incident.
Information Systems Audit versus Information Security Audit
• Information Systems Audit: an examination of
the controls within an entity's Information
technology infrastructure.
• Information Security Audit: a systematic,
measurable technical assessment of how the
organization’s security policy is employed.
Security Audit
• Purpose
a. Build awareness of current practices and risks
b. Reduce risk by evaluating, planning and supplementing
security efforts
c. Strengthen controls, both automated and human
d. Comply with customer and regulatory requirements and
expectations
e. Build awareness and interaction between technology and
business teams
f. Improve overall IT governance in the organization
Scope of the Audit
• Site business plan
• Type of data assets to be protected
• Value or importance of the data and its relative
priority
• Previous security incidents
• Time available
• Auditors' experience and expertise
What is an Information Security Audit?
Key Questions
• Are passwords secure and difficult to crack?
• Are access control lists (ACLs) in place on network
devices to control who has access to shared data?
• Are there audit logs that record and identify who accesses
data?
• Are the audit logs reviewed effectively and how are
they reviewed?
• Are the security settings for operating systems in
accordance with accepted industry security practices?
• How are unnecessary applications and computer
services managed? Are they eliminated in a
timely and effective manner for each system?
• Are these operating systems and commercial
applications patched? How and when did the
patching take place?
• How is backup media stored? What is the backup
policy and is it followed? Who has access to the
backup media and is it up-to-date?
• Is there a disaster recovery plan? Have the
participants and stakeholders ever rehearsed the
disaster recovery plan? Does it have gaps in its
construct?
• Are there adequate cryptographic tools in place to
govern data encryption, and have these tools been
properly configured?
• What security considerations were used while writing
custom-built applications, are these adequate and
well documented?
• How have these custom applications been tested
for security flaws?
• How are configuration and code changes
documented at every level? How are these
records reviewed and who conducts the review?
What makes a good security audit?
• Clearly defined objectives
• Coverage is comprehensive: a cross-cutting audit
across the entire organization. Partial audits may
be done for specific purposes.
• The audit team is experienced, independent and
objective. Every audit team should consist of at
least two auditors to guarantee the independence
and objectivity of the audit ("two-person rule").
Their credentials should be verifiable.
• There is unrestricted right to obtain and view
information.
• Important IS audit meetings such as the opening
and the closing meetings as well as the
interviews should be conducted as a team. This
procedure ensures objectivity, thoroughness, and
impartiality.
• No member of the audit team, for reasons of
independence and objectivity, should have participated
directly in supporting or managing the areas to be audited,
e.g. they must not have been involved in the development
of concepts or the configuration of the IT systems.
• When initiating the audit, ensure that actual operations in
the organization are not significantly disrupted by it.
The auditors never actively intervene in systems, and
therefore should not provide any instructions for making
changes to the objects being audited.
• Management responsibility for supporting the
conduct of a fair and comprehensive audit.
• Appropriate communication and appointment of
central point of contact and other support for the
auditors.
• The execution is planned and carried out in a
phase-wise manner.
Functions in an Audit
A. Define the security perimeter – what is being
examined?
B. Describe the components – and be detailed about it.
C. Determine threats – what kinds of damage could be
done to the systems.
D. Delineate the available tools – what documents and
tools are in use or need to be created?
E. Reporting mechanism – how will you show progress
and achieve validation in all areas?
F. Review history – is there institutional knowledge about
existing threats?
G. Determine Network Access Control list – who really
needs access to this?
H. Prioritize risk – calculate risk as Risk = probability × harm.
I. Delineate mitigation plan – what are the exact steps
required to minimize the threats?
J. Implement procedures – start making changes.
K. Review results – perform an After Action Review (AAR) on the
audit process
Constraints of a security audit
• Time constraints
• Third party access constraints
• Business operations continuity constraints
• Scope of audit engagement
• Technology tools constraints
Types of Security Audits
• Internal - conducted by experts linked to the
organization
• External - conducted by independent, certified
parties
Categories
• Penetration Test
• Vulnerability Audit
• Web Application Security Audit
• Mobile Application Security Audit
• Audit Overall Concept
• IT-Risk Analyses
• Audit Access Control / Social Engineering
• Architecture, Design and Code Review
• Wireless Systems Audit
• Embedded Systems Audit
• Information Protection Audit
• Roles and Rights Audit
• Endpoint Audit (clients)
• Digital Guard Service
• Configuration Audit (firewalls, servers, etc.)
Phases of Information Security Audit
• Pre-audit agreement stage
• Initiation and Planning stage
• Data collection and fieldwork (Test phase)
• Analysis
• Reporting
• Follow-through
Information Security Audit Methodology
• Need for a Methodology
• Audit methodologies
- according to type of activity
1. Testing
2. Examination and Review
3. Interviews and Discussion
Auditing techniques
• Examination Techniques
• Target Identification and Analysis Techniques
• Target Vulnerability Validation Techniques
Security Testing Frameworks
• Open Source Security Testing Methodology
Manual (OSSTMM)
• Information Systems Security Assessment
Framework (ISSAF)
• NIST 800-115
• Open Web Application Security Project
(OWASP)
OSSTMM
• Information Security
• Process Security
• Internet Technologies Security
• Communications Security
• Wireless Security
• Physical Security
ISSAF
• two primary documents
– business aspect of security
– penetration test framework
NIST 800-115
• Security testing policies
• Management's role in security testing
• Testing methods
• Security review techniques
• Identification and analysis of systems
• Scanning and vulnerability assessments
• Vulnerability validation (pen testing)
• Information security test planning
• Security test execution
• Post-test activities
OWASP
• Information gathering
• Configuration management
• Authentication testing
• Session management
• Authorization testing
• Business logic testing
• Data validation testing
• Denial of service testing
• Web services testing
• AJAX testing
Audit Process
1. Establish a prioritized list of risks to an
organization.
2. Delineate a plan to alleviate those risks.
3. Validate that the risks have been mitigated.
4. Develop an ongoing process to minimize risk.
5. Establish a cycle of reviews to validate the
process on a perpetual basis.
Auditing Security Practices
(Criteria)
- Evaluation against the organization’s own security
policy and security baselines
- Regulatory/industry compliance: Health Insurance
Portability and Accountability Act (HIPAA), Sarbanes-
Oxley Act (SOX), Gramm-Leach-Bliley Act (GLBA), and
Payment Card Industry (PCI)
- Evaluation against standards such as NIST 800 or ISO
27002
- Governance frameworks such as COBIT or COSO
Auditing Security Practices
(Assessments)
• Risk assessments
• Policy assessment
• Social engineering
• Security design review
• Security process review
• Interviews
• Observation
• Document review
• Technical review
Testing Security Technology
• Two distinct levels of security testing
- Vulnerability assessment
- Penetration test
- Red Team/Blue Team assessment
- White-Box
- Black-Box
- Gray-box
Reliance on Checklists and Templates
• Ensure that the templates and checklists are
agreed upon prior to use and come from recognised
sources
Role of an Auditor
• To identify, measure, and report on risk.
• Auditors ask the questions, test the controls,
and determine whether the security policies
are followed in a manner that protects the
assets.
• Independent advisor and inspector.
Role of an Auditor
(Objectives)
• Responsible for planning and conducting audits in a
manner that is fair and consistent to the people and
processes that are examined.
• The auditing charter or engagement letter defines
the conduct and responsibilities of an auditor.
• Depending on how a company’s auditing program is
structured, ultimate accountability for the auditor is
usually to senior management or the Board of
Directors.
• Auditors are usually required to present a report to
management about the findings of the audit and also
make recommendations about how to reduce the
risk identified.
Role of an Auditor
• The auditors are responsible for the following:
- Plan, execute and lead security audits across an
organization.
- Inspect and evaluate financial and information
systems, management procedures and security
controls
- Evaluate the efficiency, effectiveness and
compliance of operation processes with corporate
security policies and related government regulations
- Develop and administer risk-focused exams for IT
systems
- Review or interview personnel to establish security
risks and complications
- Execute and properly document the audit process on a
variety of computing environments and computer
applications
- Assess the exposures resulting from ineffective or
missing control practices
- Accurately interpret audit results against defined criteria
- Weigh the relevancy, accuracy and perspective of
conclusions against audit evidence.
- Provide a written and verbal report of audit findings
- Develop rigorous “best practice” recommendations
to improve security on all levels
- Work with management to ensure security
recommendations comply with company procedure
- Collaborate with departments to improve security
compliance, manage risk and bolster effectiveness
Auditor Activities
(Tasks and activities area)
• Auditing the information asset management process
will verify that the critical assets are being managed
in accordance with the IT/IS policies.
• The auditor audits the information security and
privacy policies and standards.
• To verify that the policies and standards are not just
documented but are actually being implemented by
users across the enterprise.
• IAM process
• The auditor should understand how the policies and
standards are being communicated across the enterprise.
• The responsible auditor should determine if logging is
enabled in critical systems.
• The auditor examines corporate governance processes
and verifies that an infrastructure has been created to
identify and manage risks.
• The internal auditor should identify how the organization
is connected to the outside, and who on the outside is
connected to the organization.
• The auditor should follow the entire process within the
extended enterprise where the critical data assets
reside.
• The auditor verifies that a business continuity plan exists
and is maintained and tested periodically.
• The auditor identifies a catalog of IT initiatives, reviews
the business reasons for the project and identifies the
executive sponsor for the project.
Information Security Audit Consultants
• Categories:
- Management
- Technical
- Forensic
Required Skill Sets of an Information Security Auditor
• Organization wide security program planning and
management
• Access control
• Application software development and change
control
• System software
• Segregation of duties
• Service continuity
• Application controls
Required Skill Sets of an Information Security Auditor – contd.
• Network analyst
• Windows/Novell analyst
• Unix analyst
• Database analyst
• Mainframe system software analyst
• Mainframe access control analyst