Ais 7 - C7

Chapter 7 outlines the process of conducting an information security audit, emphasizing the assessment of controls related to confidentiality, availability, and integrity of information. It details the methodology, including pre-audit tasks, site surveys, testing phases, and reporting, while highlighting the importance of effective security policies and controls. The chapter also identifies common problems found during audits and the necessary qualifications for auditors to ensure a thorough evaluation of information security practices.

CHAPTER 7: THE INFORMATION SECURITY AUDIT

INFORMATION SECURITY AUDIT
 A measure of how the confidentiality, availability and integrity of an organization’s information is protected and assured
- A systematic, measurable technical assessment of how the organization’s security policy is employed at a specific site
- Part of the ongoing process of defining and maintaining effective security policies
 Many audits will involve everyone who uses computer resources in the organization

General Methodology
 Assess IT security controls, which include:
- General controls at the entity level
- General controls as they are applied to the specific applications being examined
- Application controls, which are the controls over input, processing, and output of data associated with individual applications

General Controls
 Policies and procedures that apply to all or a large segment of an entity’s information systems and help ensure their proper operation
 Examples of primary objectives for general controls:
- Safeguard data
- Protect computer application programs
- Prevent unauthorized access to system software
- Ensure continued computer operations in case of unexpected interruptions
 The effectiveness of general controls is a significant factor in determining the effectiveness of application controls

Relationship of Policy to General Controls
 Security policies are a standardization of security practices put in writing
- Employees must read & agree to them
- In many enterprises today, security policies are informal or unwritten
 Informal/unwritten policies are not legally enforceable
 Typically, policies prescribe methods of implementing general and application controls

Nature & Extent of the Audit
 Depends on the audit objective and other factors
 Factors to consider:
- Nature and complexity of the information systems
- The control environment
- Particular accounts and applications significant to the areas of interest

Audit Scope
 Audit objectives determine the scope of the audit
 Scope determination factors:
- Site business plan
- Type of data being protected
- Value/importance of data to the client organization
- Previous security incidents
- Time available to complete the audit
- Talent/expertise/experience of the auditors
 Auditors & client must agree on scope prior to the commencement of the actual audit

 The audit is conducted in four stages

1. PLANNING PHASE
- The auditor gains an understanding of information system operations, controls and related risks
- In view of these risks, the auditor reaches tentative conclusions as to which controls are likely to be effective
- If controls are likely to be effective and are relevant to audit objectives, the auditor will determine the nature and extent of audit work needed to confirm the tentative conclusions
- If controls are not likely to be effective, the auditor must develop a sufficient understanding of the related control risks to
(1) Develop appropriate findings and related recommendations for corrective action
(2) Determine the nature, timing, and extent of substantive testing necessary

Pre-audit tasks
 Review previous audits (baselining)
 Assess site survey
- Asset inventory including technical description of the system’s hosts
- Includes management and user demographics
 Administer security questionnaires
 Review previous security incidents
 Read and evaluate the most recent risk assessment
 Read and evaluate all policies & procedures
 Develop the audit plan
- Prepare an audit checklist tailored for the audit environment
 Discuss audit objective and details with the client, ensuring objectives are understood and mutually agreed upon

Site Survey
 May need to be completed by client staff, or may be prepared by a member of the audit team based on an existing asset inventory and other information provided by the client
 Should present auditors with a complete picture of the information technology environment of the client

Security Questionnaires
 Self-assessment tools allowing client staff, both IT professional staff and end users, to measure knowledge of and compliance with the security controls in place
 Should be phrased in terms of “ranking” (i.e. 1-5, 1-10 scales) as to knowledge and compliance in specific areas

Pre-Audit Audit Report
 If policies and procedures do not prescribe adequate controls for the described risks, auditors may need to:
- Develop appropriate findings and related recommendations for corrective action
- Delay remaining portions of the audit until appropriate corrections have been put in place
- Prepare a preliminary audit report to facilitate proper implementation of controls

2. INTERNAL CONTROL PHASE
 Auditors obtain detailed information on control policies, procedures, and objectives
 Perform tests of control activities
 First test general controls through a combination of procedures, which may include
a. Observation
b. Inquiry
c. Inspection
 If these controls operate effectively, auditors should then test & evaluate the effectiveness of general controls for applications significant to the audit
 If general controls are not operating effectively, application-level controls are generally not tested
Note: in the audits we conduct, we will not be testing any application-level controls

Application Level Testing
 As an example of application-level control testing, auditors might test a system to ensure
- Data prepared for entry is complete, valid, and reliable
- Data is converted to an automated form and entered into the application accurately, completely and on time
- Data is processed by the application completely, on time, and in accordance with established requirements
- Output is protected from unauthorized modification or damage and distributed in accordance with prescribed policies
 Auditors evaluate and test the effectiveness of application controls by
- Observing the controls in operation
- Examining related documentation
- Discussing the controls with pertinent personnel
- Reperforming the control being tested

3. TESTING PHASE
 In this phase, substantive technical testing is performed
 This may include:
- Application security and integrity testing on appropriate workstations & terminals
 Checking for patches and updates
- Network security testing through both passive monitoring and active measures
- Restoration of backed-up material
- If conducted in concert with a broader audit (i.e. a financial audit), auditors may be called upon to assist financial audits in identifying/selecting computer-processed transactions for testing, possibly using computer audit software

Site Visit
 Internal Control and Testing phases are normally accomplished through a site visit
 The aim of auditors is not to adversely affect business transactions during the audit
 Auditors should conduct an entry briefing where they outline the scope of the audit and what they hope to accomplish
 Auditors should be thorough, fair and apply consistent standards and procedures throughout the audit
 During the visit, auditors may:
- Collect data about the physical security of computer assets
- Perform interviews of site staff
- Perform network vulnerability assessments
- Perform operating system and application security assessments & vulnerability testing
- Perform access controls assessment
- Other evaluations
 Auditors should follow their checklists, but keep their eyes (and ears!) open for unexpected problems

Key Audit Questions
 Remember, audits are principally concerned with how security policies are actually implemented
 Key questions to be answered:
- Are passwords difficult to crack?
 Are they on post-it notes on the monitor or inside the desk’s top drawer?
- Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
- Are there audit logs to record who accesses data?
- Are the audit logs reviewed?
- Are the security settings for operating systems in accordance with accepted industry security practices?
- Have all unnecessary applications and computer services been eliminated for each system?
- Are these operating systems and commercial applications patched to current levels?
- How is backup media stored? Who has access to it? Is it up-to-date?
- Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
- Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
- Have custom-built applications been written with security in mind?
- How have these custom applications been tested for security flaws?
- How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?

Audit Checklists
 Audits are conducted by checklist
 Checklists are widely available but should be tailored for each audit by the audit team
 Checklists may be challenge-response (i.e. check-the-box or yes-or-no answers) or they may be scale rankings (1-4, 1-5, 1-10, etc.)

Exit Briefing
 Ensure management is made aware of any problems requiring immediate attention or correction
 Answer questions in a very general manner so as not to create a false impression of the audit’s outcome
- At this stage auditors are not in a position to provide definite answers
- Final answers can only be provided following the final analysis of the audit data

4. REPORTING PHASE
 Back at the ranch, auditors will review and analyze checklist data and analyze any data discovered through use of vulnerability assessment tools
 There should be an initial meeting to help focus the outcome of the audit results
- Auditors should identify problem areas and possible solutions

Writing the Audit Report
 The audit report may be prepared in a number of formats
 Keep it simple and direct, containing concrete findings with measurable ways to correct identified deficiencies
 Typical format:
- Executive summary
- Detailed findings
- Supporting data (checklists, scan reports etc.) should be included as report appendices
 Develop the executive summary first, as it may be necessary to report to management before the details are done
 Include an audit summary which may emphasize the positive findings of the audit
 Organize audit findings in a simple and logical manner with a half-page or full page for each identified problem
 Each problem entry should outline the problem, discuss implications and describe appropriate corrective actions

The Audit Report
 Describe information security control weaknesses clearly in terms understandable to those with limited knowledge of information system issues
 Define all technical terms and avoid jargon and acronyms
 Discuss each weakness in terms of
- Related criteria
- The condition identified
- The cause of the weakness
- Actual or potential impact on the organization
- Appropriate corrective action
 This helps senior management to understand the significance of the problem and to ensure development of appropriate corrective actions

Technical Reporting
 Weaknesses reported to technical staff should be the same as those reported to senior management, but should include the necessary technical detail to allow the staff
- To understand the precise cause of the weaknesses
- To aid them in developing corrective actions

Report Timeliness & Follow-up
 Prepare the audit report as quickly as accuracy allows so that site staff can correct the problems identified
 Auditors may be called upon to assist technical staff in implementation of appropriate controls and solutions
 Management should follow up until all identified deficiencies are corrected

Typical Problems Identified in Audits

 Lack of formal IT planning mechanisms, with the result that IT does not serve the organization’s pressing needs or does not do so in a timely and secure manner
 Lack of formal security policies, resulting in a piecemeal or “after-an-incident” approach to security
 Inadequate program change control, leaving software vulnerable to unauthorized changes
 Little or no awareness of key security issues and inadequate technical staff to address the issues
 Failure to take advantage of security software features such as selective monitoring capabilities, enforcement of stringent password rules, & review of key security reports
 Inadequate user involvement in testing and sign-off for new applications, resulting in systems that fail to meet user requirements or confidentiality, integrity, and availability needs
 Installation of software or upgrades without adequate attention to default configurations or default passwords
 Virus definitions not kept up-to-date
 Inadequate continuity of operation plans
 Failure to formally assign security administration responsibilities to staff who are technically competent, independent, and report to senior management
 Lack of user awareness
 Unnecessarily high access rights
 Lack of or inadequate plans for
- An information security management program
- Physical and logical access controls
- Software change controls
- Segregated duties
- Continuity of business

What should Auditors know?

Generally accepted accounting practices state “staff assigned to conduct the audit should collectively possess adequate professional proficiency for the tasks required.”
- This includes computer skills and security knowledge for IS audits
Although each member of an audit team need not have all attributes, the team must collectively possess the requisite attributes to be able to
- Adequately plan the audit
- Assess computer-related controls
- Test the controls
- Determine the effect on the overall audit plan
- Develop findings and recommendations
- Report the results

Audits
1. Pre-audit
- Policy review
- Administer any questionnaires
- Plan the audit
 Create audit checklist
 Arrange site visit
2. Site Visit
- Entry briefing but probably no exit briefing
3. Prepare Report
4. Deliver report
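As an added example (not part of the chapter or the course), a Python script that applies several of the key audit questions listed earlier in these notes (current patch levels, unnecessary services, audit logging and its review, backup currency) to a constructed asset inventory of the kind a site survey produces, and records each result as a problem entry in the criteria / condition / impact / corrective action structure the report section prescribes. The patch baseline, role-to-service mapping, host names, roles and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed baselines (assumptions, not from the chapter): the patch set considered current and the services each role needs.
CURRENT_PATCH = "2024-05"
NEEDED_SERVICES = {"web": {"https", "ssh"}, "db": {"postgres", "ssh"}}

@dataclass
class Host:  # one record from the site-survey asset inventory (constructed fields)
    name: str
    role: str
    patch_level: str                 # "YYYY-MM" of the last applied patch set
    services: frozenset              # services found listening on the host
    audit_logging: bool              # are data accesses logged at all?
    last_log_review: Optional[date]  # when those logs were last reviewed
    last_backup: Optional[date]      # most recent successful backup

def finding(criteria, condition, impact, action):  # one problem entry, in the structure the chapter prescribes for the report
    return {"criteria": criteria, "condition": condition, "impact": impact, "corrective_action": action}
def stale(today, when, max_days):  # True when an event never happened or happened more than max_days ago
    return when is None or (today - when).days > max_days

def audit_host(host, today, log_review_days=7, backup_days=1):
    """Apply a subset of the chapter's key audit questions to one inventory record."""
    out = []
    if host.patch_level < CURRENT_PATCH:  # "YYYY-MM" strings compare chronologically
        out.append(finding("OS and applications patched to current levels", f"{host.name} is at {host.patch_level}, current is {CURRENT_PATCH}",
                           "Publicly known, already-fixed flaws remain present", "Apply the vendor patch set and re-verify"))
    extra = host.services - NEEDED_SERVICES[host.role]
    if extra:
        out.append(finding("Unnecessary services eliminated", f"{host.name} runs {sorted(extra)} beyond its {host.role} role",
                           "Attack surface larger than the role requires", "Disable or remove the listed services"))
    if not host.audit_logging:
        out.append(finding("Audit logs record who accesses data", f"{host.name} has no access logging enabled",
                           "Data access cannot be reconstructed after an incident", "Enable audit logging and retain the logs"))
    elif stale(today, host.last_log_review, log_review_days):
        out.append(finding("Audit logs are reviewed", f"{host.name} logs last reviewed {host.last_log_review}",
                           "Logged misuse would go unnoticed", "Assign and schedule a regular log review"))
    if stale(today, host.last_backup, backup_days):
        out.append(finding("Backups are up to date", f"{host.name} last backed up {host.last_backup}",
                           "Recent data would be lost on failure or compromise", "Restore the backup schedule and test a restore"))
    return out

# Constructed inventory records standing in for a client's site survey.
INVENTORY = [
    Host("web01", "web", "2024-05", frozenset({"https", "ssh", "ftp"}), True, date(2024, 6, 3), date(2024, 6, 9)),
    Host("db01", "db", "2024-02", frozenset({"postgres", "ssh"}), False, None, date(2024, 6, 1)),
]
def audit_site(inventory=INVENTORY, today=date(2024, 6, 10)):  # findings per host, ready to be written up one problem per page
    return {h.name: audit_host(h, today) for h in inventory}
```

With the constructed inventory, web01 yields a single finding (the extra ftp service) while db01 yields three (out-of-date patches, no audit logging, stale backup), each carrying the text a report entry needs.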
