Presented by: Brandon McAndrew Jordan Schafer Keith Edwards IT Audit Automation.


1 IT Audit Automation
Presented by: Brandon McAndrew, Jordan Schafer, Keith Edwards

2 IT Audit Automation
- Overview of scripting languages
- Demonstrations

3 Script Language
- A type of programming language
- Interprets and automates the execution of tasks

4 Script Language
Examples
1. Bash – UNIX or UNIX-like operating systems
2. Visual Basic – Microsoft Office Applications
3. ACLScript – Audit Command Language (ACL) Analytics

5 Script Language
When to use scripts?
1. If repetitive tasks need to be completed
2. If a large number of sample items need to be reviewed
3. If similar reviews will be conducted in the future

6 Script Language
Items to consider before writing a script
1. What do you need the script to do?
2. What criteria will be used for tests?
3. How will source data be obtained?

7 Script Language
You don’t always need a formal programming background to write and use scripts!

8 Script Language
Web searches and help files are a great starting place.

9 Demonstration

17 Script Language
When not to use scripts?
1. When source data will be provided in an inconsistent format
2. When there is no positive cost benefit
3. When resource limitations become a barrier

18 Script Language
Risks when using scripts
1. Errors in scripting logic producing improper results
2. Could prompt auditors to jump to faulty conclusions
3. Costs could exceed benefits

19 Questions And Answers (3 Minutes)

20 Illustration: Oracle

21 Summary - Oracle Illustration
1. Obtain an understanding
2. Establish criteria
3. Identify tables
4. Request files
5. Design import script
6. Design testing script
7. Design export script
8. Design master script

22 Handout – “Oracle Example Script”

23 Obtain An Understanding
- Identify the database and version
- V$Version

24 Obtain Criteria
- CIS benchmarks
- Policies and procedures
- Determine the most restrictive

25 Identifying Tables
- DBA_Users
- DBA_Profiles
- DBA_Parameters
- DBA_RolePrivs
- DBA_TabPrivs
- DBA_SysPrivs

26 Data Gathering
- Request files
- Easiest format

27 Designing Scripts Step 1 - Formatting
- Perform manually
- Import scripts
- Comments
- Perform reconciliations

28 Designing Scripts Step 2 - Testing
- Add comments
- Define the fields
- Use established criteria to create tests
- Direct tests
- Indirect tests
- Other information (Criteria reference)

29 Defining Fields

30 Direct Tests
Input “Not In Compliance” in the virtual field V_COMPLIANCE if “Failed Login Attempts” is greater than 5 or set to “Unlimited” and is not “DEFAULT.”
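Added example (not from the presentation or its handout): the direct test on slide 30 written as a Python check over a CSV export of DBA_PROFILES, also showing how rows the test cannot decide are kept visible instead of passing silently. The export layout (PROFILE, RESOURCE_NAME, LIMIT), the sample rows, and every label other than "Not In Compliance" are assumptions made for illustration.

```python
import csv
import io

# Constructed sample of a DBA_PROFILES export (PROFILE, RESOURCE_NAME, LIMIT);
# profile names and values are invented for illustration.
SAMPLE_EXPORT = """PROFILE,RESOURCE_NAME,LIMIT
DEFAULT,FAILED_LOGIN_ATTEMPTS,10
APP_USERS,FAILED_LOGIN_ATTEMPTS,DEFAULT
BATCH,FAILED_LOGIN_ATTEMPTS,UNLIMITED
DBA_STAFF,FAILED_LOGIN_ATTEMPTS,3
LEGACY,FAILED_LOGIN_ATTEMPTS,five
DBA_STAFF,PASSWORD_LIFE_TIME,90
"""

MAX_FAILED_LOGINS = 5  # criterion from slide 30, kept variable so it is easy to change


def direct_test(limit, threshold=MAX_FAILED_LOGINS):
    """Return the V_COMPLIANCE value for one FAILED_LOGIN_ATTEMPTS limit."""
    value = limit.strip().upper()
    if value == "DEFAULT":
        # Excluded from the direct test: the setting is inherited from DEFAULT.
        return "See DEFAULT Profile"  # assumed label
    if value == "UNLIMITED":
        return "Not In Compliance"
    if value.isdecimal():
        return "Not In Compliance" if int(value) > threshold else "In Compliance"
    # Unexpected source data is surfaced for the auditor, never passed.
    return "Manual Review"  # assumed label


def run_test(export_text, threshold=MAX_FAILED_LOGINS):
    """Map each profile name to its V_COMPLIANCE result."""
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["RESOURCE_NAME"].strip().upper() != "FAILED_LOGIN_ATTEMPTS":
            continue  # other profile resources are outside this test
        results[row["PROFILE"].strip()] = direct_test(row["LIMIT"], threshold)
    return results


if __name__ == "__main__":
    for profile, status in run_test(SAMPLE_EXPORT).items():
        print(f"{profile:<10} {status}")
```

Rows labelled "See DEFAULT Profile" depend on the result for the DEFAULT profile itself, which the direct test does evaluate.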

31 Indirect Tests / Other Information

32 Step 3 Output & Overview
- Export script
- Perform manually
- Follow up on all items

33 Master Script
- Create 1 script that controls all other scripts
- Identifies which scripts are run
- Sets overall variables
- Identifies outputs

35 Questions And Answers (3 Minutes)

36 Statewide UNIX Security Controls Illustration

37 Summary – UNIX Illustration
- Selecting audit criteria and defining tests
- Visual Basic
- Writing a data gathering script
- Solaris operating system
- Automating testing in ACL
- Importing criteria and source files

38 Background
- UNIX is a multiuser and multitasking operating system
- Various open source and commercial variations
- Automation for data gathering and data analytics

39 Audit Criteria & Defining Tests
- Selecting audit criteria
- Defining the tests applicable to the operating system
- Separate criteria and tests per operating system
- Making audit criteria variable
- Simple and efficient changes
- Visual Basic

40 Demonstration

41 Data Gathering
- Selecting a script language
- Using audit criteria
- Other sources of information
- Testing commands and reviewing results

42 Demonstration

43 Data Gathering – Continued
- Commenting and formatting your scripts
- Determine the need for multiple scripts
- Thoroughly test the final scripts
- Ensure auditee cooperation
- Request auditee review the script
- Make scripts simple or complex
- Ensure uniformity
- Allow for efficient adjustments

44 Demonstration

45 Data Analysis – ACL
- Importing data
- Audit criteria (Visual Basic)
- Data gathering results (source files from server)
- Creating control scripts
- Dialog boxes for users of the scripts
- Allow the user to determine tests run and outputs generated
- Using variables and adding pertinent information

46 Demonstration

47 Testing & Results - ACL
Testing Scripts
- Base script logic on audit criteria
- Thoroughly test
Results
- Export necessary information
- Manually review results and make conclusions
- Perform normal testing procedures with script outputs

48 Demonstration

49 Concluding Thoughts
- Putting it all together
- Lessons learned
- Impact on IT audits

50 fin.

51 Contact Information
- Brandon McAndrew – bmcandrew@audgen.michigan.gov
- Jordan Schafer – jschafer@audgen.michigan.gov
- Keith Edwards – kedwards@audgen.michigan.gov

