Post on 10-Feb-2016
IT and the Auditor – The Sequel
Depression Era Tactics for IT: Are you Tough Enough?
GA GMIS Spring 2009 Conference
May 19, 2009

Introduction
• What is IT?
• What is audit?
• What you will learn
• Let’s introduce ourselves
Agenda
• Introduction
• IT Management Overview
• Audit Management Overview
• What do we have in common?
• Strategies
• Closing
Overview
• IT
• Auditors defined
• Relationship
• Risk as a common ground
• KPI
• Results
Vocabulary

Accountability: The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Assurance: Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.

Availability: The security goal that generates the requirement for protection against:
• Intentional or accidental attempts to (1) perform unauthorized deletion of data or (2) otherwise cause a denial of service or data
• Unauthorized use of system resources

Confidentiality: The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit.

Denial of Service: The prevention of authorized access to resources or the delaying of time-critical operations.

Due Care: Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

Integrity: The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).
Vocabulary Continued

Risk: Within this presentation, synonymous with IT-Related Risk.

Risk Assessment: The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis.

Risk Management: The total process of identifying, controlling, and mitigating information system-related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.

Security: Information system security is a system characteristic and a set of mechanisms that span the system both logically and physically.

Security Goals: The five security goals are integrity, availability, confidentiality, accountability, and assurance.

Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Threat-Source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Threat Analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

IT-Related Risk: The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system
IT Defined
(diagram: 12 Hours; CIO/CTO/CSO)
Audit
(diagram: Audit Supports)
Auditor and IT – Converging!
(diagram: Auditor, IT)
Qualities of a good auditor!
• Ethical
• Open minded
• Diplomatic
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self reliant
Auditor vs CIO
Compare the qualities of an Auditor to a CIO

Auditor
• Ethical
• Open minded
• Diplomatic
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self reliant

CIO
• Good communicator
• Honesty
• Visionary
• Technically sound
• Great team leader
• Motivator
• Consistent
• Tough skinned
Internal Auditor versus External Auditor
Compare Internal and External Auditor

Internal Auditor
• More accessible
• Common in large and medium organizations
• Organizational jealousy
• Intimate organizational knowledge
• Belongs to the organization

External Auditor
• Usually less accessible
• Available to all organizations
• Usually independent
• By appointment
• No guarantee of the same auditor annually
Establishing and maintaining a positive relationship with the Auditor!
• It starts with the request for information
• This should be your opportunity to highlight your well-run IT organization
• Provide them all the information they need and get them out the door or back in another department
• Type of Audit/Auditor: Internal, External (Annual), Federal
• Was it planned or provoked?
Auditor’s Request for IT information
• Document 1: 18 pages, 200 elements requiring a response
• Range of questions:
  • Risk assessment and monitoring
  • Program Development and Implementation
  • Analysis and Design – Testing and QA
  • Data Conversion – Go Live
  • Documentation and Training
  • Change Management – Security Policy
  • Security (Apps, Network, Physical)
  • Business Continuity
IT Budget and the auditor
• The auditor could provide the support you need for additional resources
• Answer questions honestly and completely
Auditor’s Hot buttons – concept of least privileges!
• Change Management
• Configuration Management
• Audit Trails
• User Privileges
• Passwords/Passphrases
IT Charter/Project Charter

IT Charter and Governance
• Defines Auditor role!

Project Charter
• Defines Auditor role!
Application Environments

Development
• Developers

Functional
• QA

User Acceptance
• Users

Production
• Prod Users
What is an Auditable IT Org?
• Who – Rights
• What – Change
• When – When
A Great IT Org!
(diagram: Good Auditor and IT rapport; Auditable IT Org; Great IT Org)
Security Concern
• Physical Security
• Logical Security
IT Steering Team
• Secure membership for the Auditor
• If the Organization does not have an internal auditor, a qualified member of the organization should fulfill this role on the Team
• Lean on the Auditor for help in setting the standards for RISK ANALYSIS
• Maintain formal documentation in all meetings
• Share written minutes with all members of the team
Definition of Uncertainty and Risk

What is risk?
It is really the measurement of uncertainty.

What is uncertainty?
It is the lack of sureness about an outcome, ranging from just short of certainty to almost complete lack of knowledge about an outcome.
Aspects of Risk
• Risk event
• Risk as an opportunity
• Risk as a threat
What is your manager’s tolerance for Risk?
• Seeker
• Averse
• Neutral
Issues or Risks?
(diagram: Risk → Unmanaged → Issues)
What is your manager’s tolerance for Risk?
(chart: Risk vs Cost)
General Risk Management Strategy
• Risk Management
• Risk Mitigation
Residual Risk (diagram)
New or Enhanced Controls:
• Reduce number of flaws or errors
• Add a targeted control
• Reduce magnitude of impact
→ Residual Risk
Risk Management
• Importance of Risk Management
• Integration of Risk Management into the SDLC
• Key Roles
• Risk Ownership

Risk Management: Importance of Risk Management
Risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.
An effective risk management process is an important component of a successful IT security program.
The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets.
Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.
Risk Management: Integration of Risk Management into the SDLC

SDLC Phases, Phase Characteristics, and Support from Risk Management Activities

Phase 1—Initiation
Phase characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.
Support from risk management activities: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).

Phase 2—Development or Acquisition
Phase characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
Support from risk management activities: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.

Phase 3—Implementation
Phase characteristics: The system security features should be configured, enabled, tested, and verified.
Support from risk management activities: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation.

Phase 4—Operation or Maintenance
Phase characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.
Support from risk management activities: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).

Phase 5—Closing
Phase characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.
Support from risk management activities: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.
Risk Management: Key Roles
• Senior Management
• Chief Information Officer (CIO)
• Systems and Information Owners
• Business and Functional Managers
• Internal auditor
• IT Security Practitioners
Risk Assessment
1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation
Risk Assessment Activities: System Characterization

Step 1: System Characterization
Input:
• Hardware
• Software
• System interfaces
• Data and information
• People
• System mission
Output:
• System Boundary
• System Functions
• System and Data Criticality
• System and Data Sensitivity
Risk Assessment Activities: System Characterization
• Establish the scope of effort
• Define the authorization boundaries
• Provide the information essential to risk definition (input)
Information Gathering
• Brainstorming
• Interviewing
• Checklist
• SWOT
Risk Assessment Activities: System Characterization
System-related information (input) and additional input:
• IT Systems
• Functional requirements
• System knowledge workers
• Current security policy
• System security architecture
• Network topology – diagrams
• Information storage info
• Information flow
• Controls (technical, management and operational)
• Physical and environmental security
Risk Assessment Activities: Human Threats: Threat-Source, Motivation, and Threat Actions

Threat-Source: Hacker, cracker
Motivation: Challenge; Ego; Rebellion
Threat Actions:
• Hacking
• Social engineering
• System intrusion, break-ins
• Unauthorized system access

Threat-Source: Computer criminal
Motivation: Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration
Threat Actions:
• Computer crime (e.g., cyberstalking)
• Fraudulent act (e.g., replay, impersonation, interception)
• Information bribery
• Spoofing
• System intrusion

Threat-Source: Terrorist
Motivation: Blackmail; Destruction; Exploitation; Revenge
Threat Actions:
• Bomb/Terrorism
• Information warfare
• System attack (e.g., distributed denial of service)
• System penetration
• System tampering

Threat-Source: Industrial espionage (companies, foreign governments, other government interests)
Motivation: Competitive advantage; Economic espionage
Threat Actions:
• Economic exploitation
• Information theft
• Intrusion on personal privacy
• Social engineering
• System penetration
• Unauthorized system access (access to classified, proprietary, and/or technology-related information)

Threat-Source: Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Motivation: Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions (e.g., data entry error, programming error)
Threat Actions:
• Assault on an employee
• Blackmail
• Browsing of proprietary information
• Computer abuse
• Fraud and theft
• Information bribery
• Input of falsified, corrupted data
• Interception
• Malicious code (e.g., virus, logic bomb, Trojan horse)
• Sale of personal information
• System bugs
• System intrusion
• System sabotage
• Unauthorized system access
Risk Assessment Activities: Vulnerability Identification

Vulnerability/Threat pairs (Vulnerability; Threat-Source; Threat Action)

Vulnerability: Terminated employees’ system identifiers (ID) are not removed from the system
Threat-Source: Terminated employees
Threat Action: Dialing into the company’s network and accessing company proprietary data

Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled on XYZ server
Threat-Source: Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)
Threat Action: Using telnet to XYZ server and browsing system files with the guest ID

Vulnerability: The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system
Threat-Source: Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists)
Threat Action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities

Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place
Threat-Source: Fire, negligent persons
Threat Action: Water sprinklers being turned on in the data center
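A defender's check for the first vulnerability/threat pair above (terminated employees' IDs not removed from the system), written here as an added example and not part of the original presentation: it compares an HR termination list against the system's account list and rates each ID that is still enabled after its owner left. The account names, employee numbers, dates, grace window and the High/Medium rating rule are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class Account:
    user_id: str
    employee_no: str            # HR employee number the ID was issued to ("" = none)
    enabled: bool
    last_login: Optional[date]
    remote_access: bool         # dial-in / VPN entitlement

@dataclass(frozen=True)
class Termination:
    employee_no: str
    effective: date             # last day of employment per HR

# Constructed sample data: hypothetical IDs and dates, not from the presentation.
ACCOUNTS = [
    Account("jdoe",    "E100", True,  date(2009, 5, 12), True),   # terminated, used afterwards
    Account("asmith",  "E200", True,  date(2009, 2, 20), False),  # terminated, idle since
    Account("bwong",   "E300", False, date(2009, 4, 1),  True),   # terminated, ID disabled
    Account("cjones",  "E400", True,  date(2009, 5, 18), True),   # still employed
    Account("svc_bak", "",     True,  None,              False),  # service ID, no HR owner
]
TERMINATIONS = [
    Termination("E100", date(2009, 4, 30)),
    Termination("E200", date(2009, 2, 27)),
    Termination("E300", date(2009, 3, 31)),
]
AS_OF = date(2009, 5, 19)       # review date (the presentation date, chosen for the example)

def audit_terminated_ids(accounts: List[Account], terminations: List[Termination],
                         as_of: date, grace_days: int = 0) -> List[dict]:
    """One finding per enabled ID whose owner left more than grace_days before as_of,
    ordered highest rating first and then by how long the ID has stayed open."""
    effective = {t.employee_no: t.effective for t in terminations}
    findings = []
    for acct in accounts:
        term = effective.get(acct.employee_no)
        if term is None or not acct.enabled:
            continue            # active employee, service ID, or ID already removed
        if as_of <= term + timedelta(days=grace_days):
            continue            # still inside the agreed deprovisioning window
        used_after = acct.last_login is not None and acct.last_login > term
        # Rating is an assumption for this example: a login after termination or a
        # remote-access entitlement makes the slide's threat action (dialing in and
        # reading proprietary data) plausible, so those findings rank High.
        rating = "High" if (used_after or acct.remote_access) else "Medium"
        findings.append({
            "user_id": acct.user_id,
            "days_open": (as_of - term).days,
            "used_after_termination": used_after,
            "remote_access": acct.remote_access,
            "rating": rating,
        })
    findings.sort(key=lambda f: (f["rating"] != "High", -f["days_open"]))
    return findings

if __name__ == "__main__":
    for finding in audit_terminated_ids(ACCOUNTS, TERMINATIONS, AS_OF):
        print(finding)
```

The same comparison, run on a schedule against the real HR feed and directory export, gives the auditor the evidence trail for the "User Privileges" hot button rather than a verbal assurance.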
Risk Assessment Activities: Vulnerability Identification – Development of Security Requirements Checklist (Security Criteria)

Security Area: Management Security
Security Criteria:
• Assignment of responsibilities
• Continuity of support
• Incident response capability
• Periodic review of security controls
• Personnel clearance and background investigations
• Risk assessment
• Security and technical training
• Separation of duties
• System authorization and reauthorization
• System or application security plan

Security Area: Operational Security
Security Criteria:
• Control of air-borne contaminants (smoke, dust, chemicals)
• Controls to ensure the quality of the electrical power supply
• Data media access and disposal
• External data distribution and labeling
• Facility protection (e.g., computer room, data center, office)
• Humidity control
• Temperature control
• Workstations, laptops, and stand-alone personal computers

Security Area: Technical Security
Security Criteria:
• Communications (e.g., dial-in, system interconnection, routers)
• Cryptography
• Discretionary access control
• Identification and authentication
• Intrusion detection
• Object reuse
• System audit
Risk Mitigation
• Risk Mitigation Options
• Risk Mitigation Strategies
• Approach for Control Implementation
• Control Categories
• Cost-Benefit Analysis
• Residual Risk
Take the following Action:
• Request the auditor or his designee serve on IT committees
• Create an IT Master Calendar that contains all recurring IT tasks, along with the task due date and lead time
• Create an IT profile repository that highlights the form and functions of the IT Organization (MOSS would be ideal)
• Within the profile, reference all IT Policies and Governance along with their storage and version number
• Where possible IT should express a preference for an electronic request for the audit information
Key Performance Indicators
• Percent decrease in security breaches
• Percent decrease in the impact of security breaches
• Security procedures that are supported by senior management
• Increase in acceptance and conformance of security procedures
• Increased support by senior management
• A mechanism for continuous improvement
• Decrease in audit findings regarding security non-conformance
Benefits of Action taken:
• IT Capability is no longer a Black Box
• Effective and Efficient IT
• Smooth Audit
• Happy Board
• Improves IT ability to get funded
• A great perception of IT
• Increased confidence in IT
• Improved relationship between IT and stakeholders
• Aid in process re-engineering
Summary
• Briefly review
• Ways to apply training
• Review Common ground
• Discussion