
The Value of Experience 5/12/08 IT Auditing So easy, a caveman can do it… Lee Barken, CPA, CISSP, CISA, CCNA, MCP



Presentation transcript:

1 The Value of Experience 5/12/08 IT Auditing So easy, a caveman can do it… Lee Barken, CPA, CISSP, CISA, CCNA, MCP lbarken@hwcpa.com

2 Auditing IT Controls Why should I care? Because I have to: Sarbanes-Oxley (SOX), SAS94. Because I want to: I’m Losing Sleep. It Just Makes Sense…


4 Control Objective “An IT Control Objective is defined as a statement of the desired result or purpose to be achieved by implementing control procedures in a particular activity.” - COBIT

5 Control Activity “The policies, procedures, practices, and organizational structures designed to provide reasonable assurance that business objectives will be achieved, and that undesired events will be prevented or detected and corrected.” - COBIT


9 Real-World Example


11 Oops…

12 “Hey, we need some internal controls!” Committee

13 Policy Thou shalt not speed.

14 Control Objective Control Objective = Car Safety (Risk = Crashes are Bad.)

15 Control Activities


17 Evaluating Risk When performing a risk analysis, you must consider: Probability (likelihood) and Severity (impact). (Chart: Probability plotted against Severity, each axis running from Low to High.)

18 Evaluating Risk (Chart: the car-safety example placed on the Probability/Severity grid. Risk = Crashes are Bad.)

19 COBIT COBIT (COFIRT?) = Control Objectives for Information and related Technology. Published by ISACA (Information Systems Audit and Control Association). A Set of Best Practices, i.e. “a Framework”. 4 Domains: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate. 34 Process Areas. 318 Control Objectives.

20 IT Control Objectives Control Objective = Prevent unauthorized access. (Risk = Unauthorized access is bad.)

21 IT Control Activities Control Activity = Restrict access to authorized individuals. How? Passwords! Password minimum length is 8 characters. Password complexity is enabled.

22 Password Controls Example: 6 Character Password, No Complexity. Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ; Lower Case (26) abcdefghijklmnopqrstuvwxyz; Numbers (10) 0123456789. 26 + 26 + 10 = 62 possibilities for each character. 62 ^ 6 = 56,800,235,584 unique password permutations.

24 Password Controls Example: 8 Character Password, w/Complexity. Upper Case (26) ABCDEFGHIJKLMNOPQRSTUVWXYZ; Lower Case (26) abcdefghijklmnopqrstuvwxyz; Numbers (10) 0123456789; Symbols (32) !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~. 26 + 26 + 10 + 32 = 94 possible characters. 94 ^ 8 = 6,095,689,385,410,816 unique password permutations.

25 Password Controls Brute Force Attack. Cain & Abel: http://www.oxid.it/cain.html

26 Password Controls Brute Force Attack Try every possible permutation in a given keyspace. aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaab aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaac ………………………………………………………………… zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

27 Password Controls My slow, crappy laptop = 3,000,000 guesses per second. 6 characters, Upper/Lower/Numbers (62): 62 ^ 6 = 56,800,235,584 unique password permutations = 5 Hours. 8 characters, Upper/Lower/Numbers/Symbols (94): 94 ^ 8 = 6,095,689,385,410,816 unique password permutations = 64 Years.

29 Password Controls Medium Sized Cluster = 1,000,000,000 guesses/second. 6 characters, Upper/Lower/Numbers (62): 62 ^ 6 = 56,800,235,584 unique password permutations = 57 Seconds. 8 characters, Upper/Lower/Numbers/Symbols (94): 94 ^ 8 = 6,095,689,385,410,816 unique password permutations = 71 Days.

31 Password Controls Where do you stand? Medium Sized Cluster = 1,000,000,000 guesses/second

  Length          No Complexity (62 characters)   Complexity (94 characters)
  4 characters    .01 seconds                     .08 seconds
  5 characters    .92 seconds                     7.34 seconds
  6 characters    57 seconds                      11.5 minutes
  7 characters    59 minutes                      18 hours
  8 characters    2.5 days                        71 days
  9 characters    6.5 years                       276 years
  10 characters   405 years                       25,975 years

  Legend (slide colors): Great! / So-So / Doo-Doo
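The keyspace and time-to-exhaust arithmetic behind slides 22 through 31, as an added Python example that is not part of the presentation. It recomputes the table from the two stated guess rates (3,000,000/s and 1,000,000,000/s), assuming each password is exactly n characters drawn with repetition from the 62- or 94-symbol set; it reproduces the slide's figures for 4 to 8 characters, while the 9- and 10-character rows on the slide are larger than this arithmetic gives.

```python
# Added example: recompute the slide's keyspaces and brute-force times.
ALPHANUMERIC = 26 + 26 + 10        # upper, lower and digits: 62 symbols
WITH_SYMBOLS = ALPHANUMERIC + 32   # plus the 32 printable symbols: 94
LAPTOP_RATE = 3_000_000            # guesses per second, slide 27
CLUSTER_RATE = 1_000_000_000       # guesses per second, slide 29
SECONDS_PER_YEAR = 365.25 * 86400

def keyspace(length: int, charset_size: int) -> int:
    """Distinct passwords of exactly `length` characters (the slide's 62^6)."""
    return charset_size ** length

def seconds_to_exhaust(length: int, charset_size: int, rate: float) -> float:
    """Worst case for a brute-force attack: every permutation is tried."""
    return keyspace(length, charset_size) / rate

def humanize(seconds: float) -> str:
    """Express a duration in the largest unit that fits, as the slide does."""
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.2f} seconds"

def exhaustion_table(rate: float, lengths=range(4, 11)) -> list:
    """Rows of (length, time without complexity, time with complexity)."""
    return [(n, humanize(seconds_to_exhaust(n, ALPHANUMERIC, rate)),
                humanize(seconds_to_exhaust(n, WITH_SYMBOLS, rate)))
            for n in lengths]

if __name__ == "__main__":
    for rate in (LAPTOP_RATE, CLUSTER_RATE):
        print(f"\n{rate:,} guesses/second")
        print(f"{'length':>6}  {'62 chars':>16}  {'94 chars':>16}")
        for n, plain, complex_ in exhaustion_table(rate):
            print(f"{n:>6}  {plain:>16}  {complex_:>16}")
```

These are worst-case figures for exhausting the keyspace; an attacker who guesses dictionary words or reused passwords first usually finishes far sooner, which is why length and complexity are only the first of the controls on the following slides.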

32 Password Controls What can we do? >= 8 Characters Enable Password Complexity

33 Password Controls What else can we do? Maximum Password Age < 60-90 days

34 Password Controls Any more that we can do? Enforce Password History. Minimum Password Age. Password Expires: (xyz). Change Password: (abc). Change Password again: (xyz).

35 Kodak Moment There are good reasons to enforce password controls: >= 8 Characters Enable Password Complexity Maximum Password Age < 60-90 days Enforce Password History Minimum Password Age
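A toy model of the five controls on this slide, added here as example code rather than anything from the presentation or from a real directory service; the policy values, the `Account` structure and the `cycle_back_attempt` helper are hypothetical. It replays slide 34's expire/change/change-again sequence to show that Enforce Password History alone is defeated by cycling through filler passwords in one sitting, and that Minimum Password Age is the control that stops it.

```python
from dataclasses import dataclass, field
import hashlib, string

@dataclass
class Policy:
    min_length: int = 8        # ">= 8 Characters"
    complexity: bool = True    # upper, lower, digit and symbol all required
    max_age_days: int = 90     # "Maximum Password Age < 60-90 days"
    history: int = 24          # "Enforce Password History": digests remembered
    min_age_days: int = 1      # "Minimum Password Age": days before next change

@dataclass
class Account:
    policy: Policy
    previous: list = field(default_factory=list)  # digests of past passwords
    last_change: float = float("-inf")            # day number of last change

def is_complex(password: str) -> bool:
    classes = (string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation)
    return all(any(c in cls for c in password) for cls in classes)

def change_password(acct: Account, new: str, today: float) -> str:
    """Return 'ok' or the name of the control that rejected the change."""
    p = acct.policy
    if len(new) < p.min_length:
        return "min_length"
    if p.complexity and not is_complex(new):
        return "complexity"
    if today - acct.last_change < p.min_age_days:
        return "min_age"
    digest = hashlib.sha256(new.encode()).hexdigest()  # illustrative, unsalted
    # history=0 must disable the check: previous[-0:] would be the whole list.
    if p.history and digest in acct.previous[-p.history:]:
        return "history"
    acct.previous.append(digest)
    acct.last_change = today
    return "ok"

def must_change(acct: Account, today: float) -> bool:
    return today - acct.last_change >= acct.policy.max_age_days  # max age

def cycle_back_attempt(history: int, min_age_days: int) -> str:
    """Slide 34's trick: burn through the history list in one day, then try xyz again."""
    acct = Account(Policy(history=history, min_age_days=min_age_days))
    change_password(acct, "Xyz!2008pw", today=0)        # original password
    assert must_change(acct, today=90)                  # expired: must change
    for i in range(history):
        change_password(acct, f"Filler!2008p{i}", today=90)
    return change_password(acct, "Xyz!2008pw", today=90)
```

`cycle_back_attempt(3, 0)` returns "ok" (history alone is beaten), while `cycle_back_attempt(3, 1)` returns "min_age"; a real system would store salted, slow hashes rather than the plain SHA-256 used here for brevity.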

36 Where Are Your Risks? It’s a big ocean…

37 Where Are Your Risks? It’s a big ocean… How fast can I paddle? Why is the sky blue? What year was my kayak made? Do I taste like chicken? How fast can the shark swim? How close am I to shore?

38 Where Are Your Risks? Evaluating IT Risks. IIA (Institute of Internal Auditors): Guide to Assessment of IT Controls (GAIT), http://www.theiia.org/guidance/technology/gait/. ISACA (Information Systems Audit and Control Association): IT Control Objectives for Sarbanes-Oxley, 2nd Edition, http://www.isaca.org/Template.cfm?Section=Research2&CONTENT_ID=29763&TEMPLATE=/ContentManagement/ContentDisplay.cfm

39 Where Are Your Risks? Evaluating IT Risks. IIA (Institute of Internal Auditors): Sarbanes-Oxley Section 404: A Guide for Management by Internal Controls Practitioners, http://www.theiia.org/download.cfm?file=31866

40 Where Are Your Risks? Password Controls User Access Controls New Hire Procedure Termination Procedure Program Changes (SDLC) Physical Security / Data Center E-Mail Retention Backups Disaster Recovery / Business Continuity Network Security

41 User Access Controls Administrators Network Shares/Folders Financial Applications

42 New Hire Procedure “Welcome to XYZ Corporation”

43 Termination Procedure “Goodbye from XYZ Corporation”

44 Program Changes (SDLC) In-house Software Development?

45 Physical Security/Data Center Physical Access to the Server Room Environmental Controls

46 E-Mail Retention Litigation Federal Rules of Civil Procedure

47 Backups Data Loss

48 Disaster Recovery/Business Continuity St*ff Happens

49 Network Security Hackers and Evil-Doers


51 16485 Laguna Canyon Road 3rd Floor Irvine, CA 92618 T (949) 450-6200 F (949)753-1224 12707 High Bluff Drive Suite 200 San Diego, CA 92130 T (858) 350-4215 F (858) 350-4218 IT Auditing So easy, a caveman can do it… Lee Barken, CPA, CISSP, CISA, CCNA, MCP lbarken@hwcpa.com Questions?

