21.05.2015, Name, Folie 1 IT Audit Methodologies.


Slide 1: IT Audit Methodologies

Slide 2: IT Audit Methodologies
- CobiT
- BS 7799 - Code of Practice (CoP)
- BSI - IT Baseline Protection Manual
- ITSEC
- Common Criteria (CC)

Slide 3: IT Audit Methodologies - URLs
- CobiT: www.isaca.org
- BS7799: www.bsi.org.uk/disc/
- BSI: www.bsi.bund.de/gshb/english/menue.htm
- ITSEC: www.itsec.gov.uk
- CC: csrc.nist.gov/cc/

Slide 4: Main Areas of Use
- IT audits
- Risk analysis
- Health checks (security benchmarking)
- Security concepts
- Security manuals / handbooks

Slide 5: Security Definition
- Confidentiality
- Integrity
  - Correctness
  - Completeness
- Availability

Slide 6: CobiT
- Governance, Control & Audit for IT
- Developed by ISACA
- Releases:
  - CobiT 1 (1996): 32 processes, 271 control objectives
  - CobiT 2 (1998): 34 processes, 302 control objectives

Slide 7: CobiT - Model for IT Governance
- 36 control models used as basis:
  - Business control models (e.g. COSO)
  - IT control models (e.g. DTI's CoP)
- The CobiT control model covers:
  - Security (Confidentiality, Integrity, Availability)
  - Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
  - IT Resources (Data, Application Systems, Technology, Facilities, People)

Slide 8: CobiT - Framework (diagram only; no transcribed text)

Slide 9: CobiT - Structure
- 4 domains, each consisting of processes (high-level control objectives):
  - PO - Planning & Organisation: 11 processes
  - AI - Acquisition & Implementation: 6 processes
  - DS - Delivery & Support: 13 processes
  - M - Monitoring: 4 processes

Slide 10: PO - Planning and Organisation
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine the Technological Direction
- PO 4 Define the IT Organisation and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality

Slide 11: AI - Acquisition and Implementation
- AI 1 Identify Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Architecture
- AI 4 Develop and Maintain IT Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes

Slide 12: DS - Delivery and Support
- DS 1 Define Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Attribute Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise IT Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations

Slide 13: M - Monitoring
- M 1 Monitor the Processes
- M 2 Assess Internal Control Adequacy
- M 3 Obtain Independent Assurance
- M 4 Provide for Independent Audit

Slide 14: CobiT - IT Process Matrix
Each IT process is mapped against the information criteria it must satisfy and the IT resources it uses:
- Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT Resources: People, Applications, Technology, Facilities, Data
- IT Processes (the 34 processes of the four domains)

Slide 15: CobiT - Summary
- Mainly used for IT audits, including security aspects
- No detailed evaluation methodology described
- Developed by an international organisation (ISACA)
- Up to date: version 2 released in 1998
- Only high-level control objectives described
- Detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown in graphic form

Slide 16: CobiT - Summary
- May be used for self-assessments
- Useful aid in implementing IT control systems
- No suitable basis for writing security handbooks
- CobiT package from ISACA: $ 100.--
- 3 parts freely downloadable from the ISACA site
- Software available from Methodware Ltd., NZ (www.methodware.co.nz): CobiT Advisor 2nd edition, US$ 600.--

Slide 17: BS 7799 - CoP
- Code of Practice for Information Security Management
- Developed by UK DTI; BSI: British Standard
- Releases:
  - CoP: 1993
  - BS 7799 Part 1: 1995
  - BS 7799 Part 2: 1998
- Certification & accreditation scheme (c:cure)

Slide 18: BS 7799 - Security Baseline Controls
- 10 control categories
- 32 control groups
- 109 security controls
- 10 security key controls

Slide 19: BS 7799 - Control Categories
- Information security policy
- Security organisation
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management

Slide 20: BS 7799 - Control Categories (continued)
- System access control
- Systems development & maintenance
- Business continuity planning
- Compliance

Slide 21: BS7799 - 10 Key Controls
- Information security policy document
- Allocation of information security responsibilities
- Information security education and training
- Reporting of security incidents
- Virus controls

Slide 22: BS7799 - 10 Key Controls (continued)
- Business continuity planning process
- Control of proprietary software copying
- Safeguarding of organizational records
- Data protection
- Compliance with security policy

Slide 23: BS7799 - Summary
- Main use: security concepts & health checks
- No evaluation methodology described
- British Standard, developed by UK DTI
- Certification scheme in place (c:cure)
- BS7799 Part 1 (1995) is being revised in 1999
- Lists 109 ready-to-use security controls
- No detailed security measures described
- Very user friendly - easy to learn

Slide 24: BS7799 - Summary
- Evaluation results not shown in graphic form
- May be used for self-assessments
- BS7799 Part 1: £ 94.--
- BS7799 Part 2: £ 36.--
- BSI electronic book of Part 1: £ 190.-- + VAT
- Several BS7799 c:cure publications from BSI
- CoP-iT software from SMH, UK: £ 349 + VAT (www.smhplc.com)

Slide 25: BSI (Bundesamt für Sicherheit in der Informationstechnik)
- IT Baseline Protection Manual (IT-Grundschutzhandbuch)
- Developed by the German BSI (GISA: German Information Security Agency)
- Releases:
  - IT security manual: 1992
  - IT baseline protection manual: 1995
  - New versions (paper and CD-ROM): each year

Slide 26: BSI - Approach (diagram only; no transcribed text)

Slide 27: BSI - Approach
- Used to determine IT security measures for medium-level protection requirements
- Straightforward approach, since no detailed risk analysis is performed
- Starting from generic and platform-specific security requirements, detailed protection measures are assembled from the given building blocks (modules)
- The resulting list of security measures may be used to establish or enhance baseline protection

Slide 28: BSI - Structure
- IT security measures: 7 areas, 34 modules (building blocks)
- Safeguards catalogue: 6 categories of security measures
- Threats catalogue: 5 categories of threats

Slide 29: BSI - Security Measures (Modules)
- Protection for generic components
- Infrastructure
- Non-networked systems
- LANs
- Data transfer systems
- Telecommunications
- Other IT components

Slide 30: BSI - Generic Components
- 3.1 Organisation
- 3.2 Personnel
- 3.3 Contingency Planning
- 3.4 Data Protection

Slide 31: BSI - Infrastructure
- 4.1 Buildings
- 4.2 Cabling
- 4.3 Rooms
  - 4.3.1 Office
  - 4.3.2 Server Room
  - 4.3.3 Storage Media Archives
  - 4.3.4 Technical Infrastructure Room
- 4.4 Protective cabinets
- 4.5 Home working place

Slide 32: BSI - Non-Networked Systems
- 5.1 DOS PC (single user)
- 5.2 UNIX System
- 5.3 Laptop
- 5.4 DOS PC (multiuser)
- 5.5 Non-networked Windows NT computer
- 5.6 PC with Windows 95
- 5.99 Stand-alone IT systems

Slide 33: BSI - LANs
- 6.1 Server-Based Network
- 6.2 Networked Unix Systems
- 6.3 Peer-to-Peer Network
- 6.4 Windows NT network
- 6.5 Novell Netware 3.x
- 6.6 Novell Netware version 4.x
- 6.7 Heterogeneous networks

Slide 34: BSI - Data Transfer Systems
- 7.1 Data Carrier Exchange
- 7.2 Modem
- 7.3 Firewall
- 7.4 E-mail

Slide 35: BSI - Telecommunications
- 8.1 Telecommunication system
- 8.2 Fax Machine
- 8.3 Telephone Answering Machine
- 8.4 LAN integration of an IT system via ISDN

Slide 36: BSI - Other IT Components
- 9.1 Standard Software
- 9.2 Databases
- 9.3 Telecommuting

Slide 37: BSI - Module "Data Protection" (3.4)
- Threats - Technical failure:
  - T 4.13 Loss of stored data
- Security measures - Contingency planning:
  - S 6.36 Stipulating a minimum data protection concept
  - S 6.37 Documenting data protection procedures
  - S 6.33 Development of a data protection concept (optional)
  - S 6.34 Determining the factors influencing data protection (optional)
  - S 6.35 Stipulating data protection procedures (optional)
  - S 6.41 Training data reconstruction
- Security measures - Organisation:
  - S 2.41 Employees' commitment to data protection
  - S 2.137 Procurement of a suitable data backup system
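The building-block approach of slides 27 and 37 (select the modules that apply, take the union of their mandatory safeguards, then check which threats remain open) as an added Python example; this is not the BSI tool or its data format. Module 3.4 is transcribed from the slide above, while the "Server Room" module, its threat and its safeguard assignment are a constructed placeholder for illustration.

```python
"""Toy model of the BSI IT Baseline Protection building-block approach (added
example, not BSI's tool or data; the 'Server Room' module below is constructed)."""
from collections import namedtuple

# A safeguard keeps its manual id (e.g. "S 6.36"); optional ones are not baseline.
Safeguard = namedtuple("Safeguard", "sid title optional", defaults=[False])
# A module lists the threats it addresses and the safeguards assigned to it.
Module = namedtuple("Module", "mid threats safeguards")

# Module 3.4 "Data Protection", transcribed from the slide.
DATA_PROTECTION = Module("3.4", {"T 4.13": "Loss of stored data"}, [
    Safeguard("S 6.36", "Stipulating a minimum data protection concept"),
    Safeguard("S 6.37", "Documenting data protection procedures"),
    Safeguard("S 6.33", "Development of a data protection concept", True),
    Safeguard("S 6.34", "Determining the factors influencing data protection", True),
    Safeguard("S 6.35", "Stipulating data protection procedures", True),
    Safeguard("S 6.41", "Training data reconstruction"),
    Safeguard("S 2.41", "Employees' commitment to data protection"),
    Safeguard("S 2.137", "Procurement of a suitable data backup system")])

# Constructed placeholder: the ids appear on the slides, the assignment is assumed.
SERVER_ROOM = Module("4.3.2", {"T 4.13": "Loss of stored data"}, [
    Safeguard("S 1.28", "Local uninterruptible power supply [UPS]"),
    Safeguard("S 1.27", "Air conditioning"),
    Safeguard("S 2.137", "Procurement of a suitable data backup system")])

def _key(sid):
    """Numeric sort key: 'S 2.137' -> (2, 137), so it sorts after 'S 2.41'."""
    return tuple(int(p) for p in sid.split()[1].split("."))

def assemble_baseline(modules, include_optional=False):
    """Deduplicated union of the chosen modules' safeguards (S 2.137 appears
    once although both modules list it); optional ones only on request."""
    chosen = {}
    for m in modules:
        for s in m.safeguards:
            if include_optional or not s.optional:
                chosen[s.sid] = s
    return sorted(chosen.values(), key=lambda s: _key(s.sid))

def missing_safeguards(modules, implemented):
    """Per module, mandatory safeguards not yet implemented; an empty result
    means the baseline for these modules is complete."""
    done, gaps = set(implemented), {}
    for m in modules:
        missing = sorted((s.sid for s in m.safeguards
                          if not s.optional and s.sid not in done), key=_key)
        if missing:
            gaps[m.mid] = missing
    return gaps

def open_threats(modules, implemented):
    """Threats listed by any module whose baseline is still incomplete."""
    gaps = missing_safeguards(modules, implemented)
    return {t: d for m in modules if m.mid in gaps for t, d in m.threats.items()}
```

Because the manual is a catalogue rather than a risk analysis, coverage here means "all mandatory safeguards of every applicable module are in place", which is exactly the medium-level baseline the approach targets.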

Slide 38: BSI - Safeguards (420 safeguards)
- S1 - Infrastructure (45 safeguards)
- S2 - Organisation (153 safeguards)
- S3 - Personnel (22 safeguards)
- S4 - Hardware & Software (83 safeguards)
- S5 - Communications (62 safeguards)
- S6 - Contingency Planning (55 safeguards)

Slide 39: BSI - S1 Infrastructure (45 safeguards), examples
- S 1.7 Hand-held fire extinguishers
- S 1.10 Use of safety doors
- S 1.17 Entrance control service
- S 1.18 Intruder and fire detection devices
- S 1.27 Air conditioning
- S 1.28 Local uninterruptible power supply [UPS]
- S 1.36 Safekeeping of data carriers before and after dispatch

Slide 40: BSI - Security Threats (209 threats)
- T1 - Force Majeure (10 threats)
- T2 - Organisational Shortcomings (58 threats)
- T3 - Human Errors (31 threats)
- T4 - Technical Failure (32 threats)
- T5 - Deliberate Acts (78 threats)

Slide 41: BSI - T3 Human Errors (31 threats), examples
- T 3.1 Loss of data confidentiality/integrity as a result of IT user error
- T 3.3 Non-compliance with IT security measures
- T 3.6 Threat posed by cleaning staff or outside staff
- T 3.9 Incorrect management of the IT system
- T 3.12 Loss of storage media during transfer
- T 3.16 Incorrect administration of site and data access rights
- T 3.24 Inadvertent manipulation of data
- T 3.25 Negligent deletion of objects

Slide 42: BSI - Summary
- Main use: security concepts & manuals
- No evaluation methodology described
- Developed by the German BSI (GISA)
- Updated version released each year
- Lists 209 threats & 420 security measures
- 34 modules cover generic & platform-specific security requirements

Slide 43: BSI - Summary
- User friendly, with a lot of security details
- Not suitable for security risk analysis
- Results of security coverage not shown in graphic form
- Manual in HTML format on the BSI web server
- Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
- Paper copy of the manual: DM 118.--
- Software "BSI Tool" (only in German): DM 515.--

Slide 44: ITSEC, Common Criteria
- ITSEC: IT Security Evaluation Criteria
- Developed by UK, Germany, France and the Netherlands, based primarily on the USA TCSEC (Orange Book)
- Releases:
  - ITSEC: 1991
  - ITSEM: 1993 (IT Security Evaluation Manual)
  - UK IT Security Evaluation & Certification scheme: 1994

Slide 45: ITSEC, Common Criteria
- Common Criteria (CC)
- Developed by USA and EC, based on ITSEC
- ISO International Standard
- Releases:
  - CC 1.0: 1996
  - CC 2.0: 1998
  - ISO IS 15408: 1999

Slide 46: ITSEC - Methodology
- Based on a systematic, documented approach for security evaluations of systems & products
- Open ended with regard to the defined set of security objectives:
  - ITSEC functionality classes, e.g. FC-C2
  - CC protection profiles
- Evaluation steps:
  - Definition of functionality
  - Assurance: confidence in the functionality

Slide 47: ITSEC - Functionality
- Security objectives (Why)
  - Risk analysis (threats, countermeasures)
  - Security policy
- Security enforcing functions (What)
  - Technical & non-technical
- Security mechanisms (How)
- Evaluation levels

Slide 48: ITSEC - Assurance
- Goal: confidence in functions & mechanisms
- Correctness
  - Construction (development process & environment)
  - Operation (process & environment)
- Effectiveness
  - Suitability analysis
  - Strength of mechanism analysis
  - Vulnerabilities (construction & operation)

Slide 49: CC - Security Concept (diagram only; no transcribed text)

Slide 50: CC - Evaluation Goal (diagram only; no transcribed text)

Slide 51: CC - Documentation
- CC Part 1: Introduction and Model
  - Introduction to approach
  - Terms and model
  - Requirements for Protection Profiles (PP) and Security Targets (ST)
- CC Part 2: Functional Requirements
  - Functional classes
  - Functional families
  - Functional components
  - Detailed requirements
- CC Part 3: Assurance Requirements
  - Assurance classes
  - Assurance families
  - Assurance components
  - Detailed requirements
  - Evaluation Assurance Levels (EAL)

Slide 52: CC - Security Requirements
- Functional requirements, for defining the security behaviour of the IT product or system: implemented requirements become security functions
- Assurance requirements, for establishing confidence in the security functions:
  - Correctness of implementation
  - Effectiveness in satisfying objectives

Slide 53: CC - Security Functional Classes (TOE = Target Of Evaluation)

Class  Name
FAU    Audit
FCO    Communications
FCS    Cryptographic Support
FDP    User Data Protection
FIA    Identification & Authentication
FMT    Security Management
FPR    Privacy
FPT    Protection of TOE Security Functions
FRU    Resource Utilization
FTA    TOE Access
FTP    Trusted Path / Channels

Slide 54: CC - Security Assurance Classes

Class  Name
ACM    Configuration Management
ADO    Delivery & Operation
ADV    Development
AGD    Guidance Documents
ALC    Life Cycle Support
ATE    Tests
AVA    Vulnerability Assessment
APE    Protection Profile Evaluation
ASE    Security Target Evaluation
AMA    Maintenance of Assurance

Slide 55: CC - Evaluation Assurance Levels (EALs)

EAL   Name                                        TCSEC*
EAL1  Functionally Tested                         -
EAL2  Structurally Tested                         C1
EAL3  Methodically Tested & Checked               C2
EAL4  Methodically Designed, Tested & Reviewed    B1
EAL5  Semiformally Designed & Tested              B2
EAL6  Semiformally Verified Design & Tested       B3
EAL7  Formally Verified Design & Tested           A1

*TCSEC = "Trusted Computer Security Evaluation Criteria" ("Orange Book"); the slide lists six TCSEC classes against the seven EALs, with no TCSEC counterpart for EAL1.

Slide 56: ITSEC, CC - Summary
- Used primarily for security evaluations, not for generalised IT audits
- Defines an evaluation methodology
- Based on an International Standard (ISO 15408)
- Certification scheme in place
- Updated & enhanced on a yearly basis
- Includes extensible standard sets of security requirements (Protection Profile libraries)

Slide 57: Comparison of Methods - Criteria
- Standardisation
- Independence
- Certifiability
- Applicability in practice
- Adaptability

Slide 58: Comparison of Methods - Criteria (continued)
- Extent of scope
- Presentation of results
- Efficiency
- Update frequency
- Ease of use

Slide 59: Comparison of Methods - Results

Criterion                  CobiT  BS 7799  BSI
Standardisation            3.4    3.3      3.1
Independence               3.3    3.6      3.5
Certifiability             2.7    3.3      3.0
Applicability in practice  2.8    3.0      3.1
Adaptability               3.3    2.8      3.3
Extent of Scope            3.1    2.9      2.7
Presentation of Results    1.9    2.2      2.6
Efficiency                 3.0    2.8      3.0
Update frequency           3.1    2.4      3.4
Ease of Use                2.3    2.7      2.8

ITSEC/CC: only nine of the ten scores survive in the transcript, in this order: 3.9 3.7 2.5 3.0 2.6 1.7 2.5 2.8 2.0; which criterion lacks its score cannot be recovered.

Scores range from 1 (low) to 4 (high). Scores for CobiT, BS7799 and BSI are from the ISACA Swiss chapter; the scores for ITSEC/CC are from H.P. Winiger.

Slide 60: CobiT - Assessment (diagram only; no transcribed text)

Slide 61: BS 7799 - Assessment (diagram only; no transcribed text)

Slide 62: BSI - Assessment (diagram only; no transcribed text)

Slide 63: ITSEC/CC - Assessment (diagram only; no transcribed text)

Slide 64: Use of Methods for IT Audits
- CobiT: audit method for all IT processes
- ITSEC, CC: systematic approach for evaluations
- BS7799, BSI: lists of detailed security measures, to be used as best-practice documentation
- What is needed in addition:
  - Audit concept (general aspects, infrastructure audits, application audits)
  - Detailed audit plans, checklists and tools for technical audits (operating systems, LANs, etc.)

Slide 65: Thank you for your interest in IT Audit Methodologies

