It Audit Expectations High Detail

Date post: 22-Jan-2015
Description: Framework for IT Auditing in Higher Education of Information and Information Systems
“Creating A More Educated Georgia” Office of Internal Audit (OIA) Board of Regents of the University System of Georgia June 7, 2022 Erwin (Chris) L. Carrow, IT Auditor, CISSP, INFOSEC, CSSP, CCNP, OCM, plus a bunch of others (Who Cares?) The IT Auditing Process (Everything you don’t want to know about the impending IT Audit and are afraid to ask)
Transcript
  • 1. Office of Internal Audit (OIA), Board of Regents of the University System of Georgia, June 8, 2009. Erwin (Chris) L. Carrow, IT Auditor, CISSP, INFOSEC, CSSP, CCNP, OCM, plus a bunch of others (Who Cares?). The IT Auditing Process (Everything you don't want to know about the impending IT Audit and are afraid to ask)

2. Schedule of Events

  • 1. Introduction: Quick Hello
  • 2. Orientation: Where are we at / Where do we want to go?
  • 3. Slide Presentation
    • Part I, II, III: OIA Background; Audit Process, Plan, and Expectations; and the On-site Audit (1 hour and break)
    • Part IV: Example of How to Prepare COBIT 4.01 (1 hour and break for lunch)
    • Part V: High Level Simple Application of Identity Management, Access Control, and Security Management
  • 4. Regroup Discussion: What do you want to focus on?
  • 5. Lock into the Particulars and Do It

3. Agenda and Overview

  • Part I: OIA Background
    • Mission and Charter
    • Audit Staff Background & Organizational Structure
    • Audit Selection Process: Risk Assessment, Planning Process, Methodology, Scope of Application, Standards of Application
    • Type of Audit / Role of Auditors: Federal, State, Campus, & BOR Audits
  • Part II: Audit Process, Plan, and Expectations
    • The Process: Notification to Final Report
    • The Audit Finding & Follow-Up Process
    • Expectations
  • Part III: The On-site Audit
    • Audit Objectives
    • Audit Plan
    • Audit Schedule
  • Part IV: Example of How to Prepare COBIT 4.01
  • Part V: High Level Simple Example

4. What IT Auditors are Not! (Despite the Similar Resemblance)

  • We have Families and like being able to spend time with them
  • We enjoy our Jobs
  • We are Relational
  • We can Speak in other than Audit, Tech, and Business terminology
  • We have no problems Sleeping at nights

5. Part I: OIA Background (The Untold Story)

6. Why We Audit: Mission & Charter

  • "Internal auditing is an independent appraisal activity authorized by the Board of Regents to examine, evaluate, and advise components of the University System of Georgia. The objectives of internal auditing are to assist members of the Board, the Chancellor, and institution management in the effective discharge of their responsibilities by furnishing them with analyses, appraisals, recommendations, counsel, and information concerning the activities reviewed and by promoting efficient operations and effective controls."
  • - Internal Audit Charter approved by the Board of Regents
  • *(underline added)

7. Staff Background & Organizational Structure

8. Audit Selection Process: Risk Assessment & Planning Process (The "Why Us?" Syndrome)

  • OIA's Annual Risk Assessment
    • Survey USG and System Office Leadership
    • Survey members of the BOR
    • Incorporate financial data, management turnover, fraud, state audit reports, and additional criteria
    • USG institutions ranked by risk score
  • Annual Audit Plan
    • Designed to ensure coverage of institutions with high risk
    • Also designed to ensure OIA coverage at all USG institutions at least once every 3-4 years
    • Specifies institution and broad categories in which to audit
    • May also incorporate consulting engagements and other special projects

9. Audit Plan: We Ask the Question, What High Critical Risks Exist?

  • Determine how the categories of risk may or may not apply:
    • Strategic: Affects the entity's ability to achieve goals and objectives
    • Compliance: Affects compliance with laws and regulations, safety and environmental issues, litigation, conflicts of interest, etc.
    • Reputational: Affects reputation, public perception, political issues, etc.
    • Financial: Affects loss of assets, technology, etc.
    • Operational: Affects on-going management processes and procedures

10. Audit Plan: The Focus on Risk, the High Critical Risks that Exist

11. Audit Methodology & Plan

  • Provides a roadmap to the auditor on which areas to focus audit steps (assess controls):
    • Preventive: controls to stop the problem from occurring
    • Detective: controls to find the problem
    • Corrective: controls to repair the problem after detection
    • Administrative: policies, standards, guidelines, & procedures
    • Technical: controls using hardware or software for processing & analysis
    • Physical: controls to implement barriers or deterrents
  • Based upon industry certification standards & requirements

12. Methodology & Scope of Audit

  • Standards for the Methodology
    • Institute of Internal Auditors (IIA - www.theiia.org)
    • Information Systems Audit & Control Association (ISACA - www.isaca.org)
  • Scope of Application: Area of Emphasis (Entity or Process)
    • Usually focused on institution-wide processes, e.g., data classification, IT services, NOC, incident response / emergency planning, strategic planning, change management, etc.
    • Will incorporate recommended focus areas from institutional leadership
    • Scope can change during the course of an audit if warranted

13. Standards of Application

  • Industry Standards
    • COBIT 4.1 (Control Objectives for Information Technology)
    • NIST (National Institute of Standards and Technology)
    • ISO 17799/27001 (International Organization for Standardization)
    • ITIL (Information Technology Infrastructure Library)
  • Compliance and Regulatory Requirements (FISMA, FERPA, HIPAA, PCI, SOX, SCADA, etc.)
  • Board of Regents Standards
    • OIIT Security Guidelines
    • Business Process Manual
  • Institutions' Local Policies and Procedures

14. Evaluation Criteria - CMMI

  • Common Maturity Model of Internal Controls
    • Variants of the CMMI: CMM & ISO 15504
    • Identifies WHERE you are at in the application of IT risk mitigation controls and HOW to get to the next level
    • Levels of Application
      • Level 0: No Recognizable Process, though one is needed
      • Level 1: Process is Ad-hoc and performed by key individuals
      • Level 2: Process is Repeatable, but not controlled
      • Level 3: Process is Defined & Documented and periodically Evaluated
      • Level 4: Managed & Measurable; effective Internal Controls with Risk Management
      • Level 5: Optimized; enterprise-wide risk and control program

15. Areas Commonly Reviewed & Priority of Emphasis

  • Information Technology Department (High)
  • Auxiliaries (Low)
  • Academic Units (Limited)
  • Administrative Units (Medium)

16. Types of Audits: Federal, State, Campus, and Board of Regents

  • Federal Auditors
    • Rely on work of state auditors
    • May focus on federal compliance (FISMA, FERPA, HIPAA, etc.), financial aid, and federal grants management
  • State Auditors: Financial and Performance
    • Financial / Operational auditors - external auditors validating internal controls and the AFR
    • Performance auditors - external auditors focused on a specific system-wide process or policy issue
  • Campus Auditors
    • Varies by campus
    • Generally focused on departmental reviews
    • Report to institution President and USO Chief Audit Officer
  • Board of Regents Auditors
    • Shoot the gaps that other agencies do not address and engage with specific BOR or Legislative concerns

17. Policing the Process and Safe-Guarding What's Important: Purchase the Family Trunk Monkey!

18. Part II: Audit Process & Evaluation (What You Can Expect)

19. The Process We Follow: From Notification to Final Report

  • 1st Phase: Pre-Campus Work
    • Notification Letter: Sent to President upon annual audit plan approval
    • Engagement Letter: Sent to President approx. 30 days prior to start of audit
    • Data Collection: Initial interviews, data requests, and network scans may take place prior to arrival on campus; the more we get ahead of time, the less time we have to spend onsite
  • 2nd Phase: On-Campus Fieldwork
    • Initiated with Entrance Conference ("Line in the Sand")
    • Scope of work may expand/contract
    • Campus POC kept informed on audit progress and issues
    • Wrap-Up meeting conducted at close of work summarizing initial results
  • 3rd Phase: Post-Campus Work
    • Draft Report prepared and sent as discussion document
    • Exit Conference held either in person or via phone
    • Official Draft Report sent requiring response from institution
    • Institution's response incorporated in report
    • Report published and distributed

20. Summary of Audit Flow Timeframes

  • Flow shown on the slide: Audit letter with data request sent → preliminary assessment → Entrance meeting & audit fieldwork → Draft report sent → Exit conference with President → Draft with responses returned → Final report with responses issued → Action items reviewed quarterly
  • Timeframes shown on the slide: 30 days, 30 days, 2 to 6 weeks, 3 to 5 weeks

21. Auditing by the Numbers (Fear Factor)?

22. Audit: Application of Standards

  • Standards & Identification
    • Gather Information / Evidence
    • Assess Control Weaknesses
    • Calculate Level of Criteria Applied (CMMI)
  • Analysis to Determine if Compliant with Standards
  • Document Variances or Exceptions (Findings)
  • Report Per Charter Requirements (Audit Rating)

23. Snapshot of Documentation Format

  • General Area of Impact or Effect, e.g., Network infrastructure
  • Finding: Identification of the Problem and Solution (typically a combination of exceptions weighted per threat or impact, e.g., the threat is likely, vulnerabilities exist, therefore loss can be expected if corrective action is not taken)
    • Observation / Condition: Identify the context & weakness or lack of control
      • Managerial Overview: short high-level summary of issues for upper management
      • Technical Details: long particularized explanation of the key issues
    • Criteria: What Right Looks Like
    • Cause: The Reason Why something is not right
    • Risk / Effect: Problems because of the weakness or lack of control
    • Recommendation: What is Required to correct the weakness or lack of control
      • Minimums (non-negotiable)
      • Ideal (optional and subject to capability or constraints)
    • Management's Documented Response

24. Sample Audit Finding: Executive Summary

  • Network Design, Security Architecture, …
  • A review was made of the design and implementation of the Audited Entity's network. This review focused on the design of the network, the infrastructure used to support the network, and the ability of the network to support critical operations and recover from failures. The security of the network services and support infrastructure was also assessed. The following observations were noted:
  • Report Item #1: Significant (Rating of Exception)
  • Insecure protocols and access procedures were being used to configure, manage, and monitor network infrastructure resources. The use of insecure protocols could allow a potential attacker to create a network failure or take over network resources. (Problem Statement)

25. Sample Audit Finding: Observations, High Level

  • Report Item #1.
  • Ensure secure connections and protocols are being used for operational configuration and management of remote services and resources. (Solution Statement)
  • Observation: (When doing the audit, these are the things we found)
  • Managerial Overview
  • The procedures and protocols used to configure and manage the Audited Entity's resources were not using a secure process or protocols. Lack of a secure method of controlling critical resources could provide an opportunity for malicious intent. Hostile attackers could damage or take over improperly configured or managed network resources.

26. Sample Audit Finding: Observations, Low Level

  • Technical Details
  • It was identified that […] was the main method used to help mitigate risk. While this implementation would limit possible […] to the remotely administered devices, it does not mitigate or circumvent zero-day application-layer threats / vulnerabilities, […], or trusted internal disgruntled users. More significant security precautions need to be given consideration and are addressed in the following observations.
  • Session connectivity to remotely manage or configure a device should be established through a secure means. The Internet Operating System (IOS) on several of the routers should have been updated to accommodate Secure Shell (SSH) or Virtual Private Networking (VPN) for secure communication for configuration and management requirements.
  • Both Telnet and Simple Network Management Protocol (version 1 & version 2c) were implemented for systems and applications that monitor and manage remote network infrastructure devices. Telnet is a clear-text transmission through a terminal command line and should not be used for configuration and management access.

27. Sample Audit Finding: Criteria, Cause, Risk/Effect

  • Criteria:
  • The exchange of sensitive system configuration and management information should be by means of a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt, and non-repudiation of origin.
  • Cause:
  • Lack of secure exchange of information due to the limitations of older systems or software that was used to support and manage the network infrastructure. Inappropriate procedures were being practiced for remotely accessing the network's critical services and resources.
  • Risk/Effect:
  • Lack of trusted means of communication for configuration and management of network infrastructure
  • Sensitive information exposed or violation of system integrity by unauthorized parties
  • Unauthorized access to or manipulation of key systems or resources

28. Sample Audit Finding: Recommendation / Response

  • Recommendation:
  • We recommend the following changes for configuration, management, and monitoring of the Audited Entity's network infrastructure resources.
  • Discontinue Telnet protocol use for connections to remote resources unless […]. Secure Shell (SSH) or Virtual Private Network (VPN) connections should be used for all operational requirements.
  • Simple Network Management Protocol (SNMP) versions 1 and 2c should be discontinued and version 3 utilized for all network management needs. For software applications that are dependent upon […].
  • Management Response:
  • The identified recommendations will be implemented by […], who should complete the work not later than […].
  • Evaluation of Response:
  • Response was satisfactory
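An added example, not part of the presentation: a small Python check that reads a Cisco IOS-style running configuration and records the exceptions behind this finding (Telnet permitted on vty lines, SNMP v1/v2c community strings, SSH without version 2 pinned), rates each on the presentation's Insignificant/Notable/Significant/Major scale, and rolls them many-to-one into a single finding as slide 29 describes. The two configuration snippets and the rating assigned to each check are constructed assumptions; `PLACEHOLDER` stands in for real credentials.

```python
import re
from dataclasses import dataclass

# Finding ratings used in the presentation, lowest to highest.
RATINGS = ["Insignificant", "Notable", "Significant", "Major"]


@dataclass(frozen=True)
class AuditException:
    control: str  # control area the exception relates to
    detail: str   # what was observed (never echoes community strings)
    rating: str   # one of RATINGS (assumed mapping, see lead-in)


def vty_blocks(config):
    """Yield (header, body_lines) for each 'line vty ...' block in an IOS-style config."""
    header, body = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # an unindented command closes any open block
            if header:
                yield header, body
            header, body = (line, []) if line.startswith("line vty") else (None, [])
        elif header:
            body.append(line.strip())
    if header:
        yield header, body


def check_management_protocols(config):
    """Return the exceptions found; an empty list means the sampled controls pass."""
    found = []
    for header, body in vty_blocks(config):
        allowed = [b.split()[2:] for b in body if b.startswith("transport input")]
        if not allowed:
            found.append(AuditException(
                "Remote access",
                f"{header}: no 'transport input' restriction; image default may permit Telnet",
                "Notable"))
            continue
        for protocols in allowed:
            if "telnet" in protocols or "all" in protocols:
                found.append(AuditException(
                    "Remote access",
                    f"{header}: Telnet permitted (transport input {' '.join(protocols)})",
                    "Significant"))
    ssh_used = re.search(r"^\s*transport input\b.*\bssh\b", config, re.M)
    if ssh_used and not re.search(r"^ip ssh version 2\s*$", config, re.M):
        found.append(AuditException(
            "Remote access",
            "SSH enabled but 'ip ssh version 2' not set; SSHv1 may be negotiated",
            "Notable"))
    for m in re.finditer(r"^snmp-server community\s+\S+(.*)$", config, re.M):
        mode = re.search(r"\b(RW|RO)\b", m.group(1))
        mode = mode.group(1) if mode else "RO"  # IOS defaults a community to read-only
        found.append(AuditException(
            "Network monitoring",
            f"SNMP v1/v2c community string configured with {mode} access",
            "Major" if mode == "RW" else "Significant"))
    return found


def summarize(exceptions):
    """Roll many exceptions into one finding rated at the highest exception (many-to-one)."""
    if not exceptions:
        return None
    top = max(exceptions, key=lambda e: RATINGS.index(e.rating))
    return {"rating": top.rating,
            "exceptions": len(exceptions),
            "controls": sorted({e.control for e in exceptions})}


# Constructed sample: the condition described in the finding.
INSECURE_CONFIG = """\
! constructed sample, before remediation
hostname core-rtr1
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input all
"""

# Constructed sample: the state the recommendation asks for (SSHv2 only, SNMPv3 authPriv).
REMEDIATED_CONFIG = """\
! constructed sample, after remediation; PLACEHOLDER stands for real secrets
hostname core-rtr1
ip ssh version 2
snmp-server group NMS-GROUP v3 priv
snmp-server user nms-poller NMS-GROUP v3 auth sha PLACEHOLDER priv aes 128 PLACEHOLDER
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("before", INSECURE_CONFIG), ("after", REMEDIATED_CONFIG)):
        found = check_management_protocols(cfg)
        print(name, summarize(found))
        for e in found:
            print(f"  [{e.rating}] {e.control}: {e.detail}")
```

The output of the check is evidence for the Observation and Criteria sections of the finding; the management response and its follow-up remain a manual step.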

29. The Report: Individual Finding Ratings

  • Through investigation and analysis, a number of exceptions generated are often summarized to identify a weakness or risk and create a Finding
  • The impact of a Finding can be classified in one of the four following ways:
  • Insignificant = Nominal violations of procedures, rules or regulations. Not included in report. Corrective action suggested verbally, but not required.
  • Notable = Minor violation of policies and procedures; and/or weak internal controls; and/or opportunity to improve effectiveness and efficiency. Moderate risk identified. Corrective action recommended.
  • Significant = Significant violation of policies/procedures/laws; and/or poor internal controls; and/or significant opportunity to improve effectiveness and efficiency. Significant risk identified. Corrective action required.
  • Major = Major violation of policies/procedures/laws; and/or unacceptable internal controls; and/or high risk for fraud/waste/abuse; and/or major opportunity to improve effectiveness and efficiency. Major risk identified. Immediate corrective action required.
  • Relationship of Exception(s) to Finding can be One to One or Many to One

30. Overall Report Ratings

  • The overall rating is typically based on the number and type of Findings
  • Excellent = Few notable observations. No internal control weaknesses noted; good adherence to laws, regulations, and policies. Excellent control environment.
  • Good = Several notable and/or one or two significant observations. Minor violations of policies and procedures. No violation of laws. Minor opportunities for improvement.
  • Fair = Many notable observations and/or few significant observations. Several notable violations of policy. Minor violations of regulations. No violations of laws. Moderate opportunities for improvement.
  • Poor = Several significant observations and no major observations. Controls were weak in one or more areas. Noncompliance with policies/regulations put the University/College at risk. Violation of law (not serious). Substantial opportunities for improvement.
  • Adverse = Several significant observations or one or more major observations. Significant risk for noncompliance with policies/regulations. Serious violation of laws. Significant opportunities for improvement.

31. Audit Finding Follow-Up Process

  • Our expectations from leadership upon completion of the audit draft report
  • Response to audit report is to be provided in the form of an action plan: WHO will do WHAT to implement the recommendation by WHEN
  • Status of action plan is reported on a quarterly basis to the BOR Audit Committee until the issue is resolved

32. Snapshot of Evidence Gathering Process (Typically Inductive to Deductive Approach)

33. What Does Evidence Look Like?

  • Definition: Evidence must be Sufficient, Reliable, and Relevant
  • The various types of audit evidence that the IS auditor considers using include:
    • Observed processes and existence of physical items, e.g., a computer room security system in operation
    • Documentary audit evidence, e.g., activity and control logs, system development documentation
    • Representations, e.g., written policies and procedures, system flowcharts, written or oral statements
    • Analysis, e.g., benchmarking IS performance against other organizations or past periods; comparison of error rates between applications, transactions, and users
  • Evidence gathering procedures considered are: Inquiry, Observation, Inspection, Confirmation, Re-performance, and Monitoring
  • Audit evidence should be useful to form an opinion or support the findings and conclusions.
  • Evidence gathered should be appropriately documented and organized to support the findings and conclusions.

34. We Help Support the Process, We are Life Savers! Purchase the First-Aid Trunk Monkey!

35. Part III: The On-site Audit (Preliminaries, Logistics & Execution)

36. Part III: The On-site Audit - Preliminaries

37. Sample Engagement Letter to Your Institution's Leadership

  • Dear Dr. So and So or Whomever:
  • In accordance with the Internal Audit Plan approved by […], we plan to conduct an audit of Audited Entity University's network and associated systems beginning on Date. This letter is to confirm […].
  • The audit engagement will constitute an independent and objective service performed on behalf of the Board of Regents. The purpose of this audit will be to evaluate […].
  • The scope of the audit will include such areas as:
  • Identity Management; the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agencies' identities
  • Access Control; the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
  • Perimeter and Network Security; the provisions made in an underlying computer network infrastructure to protect network-accessible resources from unauthorized access and the effectiveness of these measures.
  • Please note that the scope of the audit is subject to change/modification during the course of the audit. Please designate an individual that will serve as your representative and primary contact for the audit. Additional information regarding our audit process, as well as specific requests for logistical assistance, is attached. Please have these materials assembled and ready for review by Date.
  • Engagement Letter of Generic - Revised Aug 2008.doc

38. Sample Engagement Letter: Attachments Included

  • A Practical List of Procedures and Requirements
    • Engagement Process
    • Logistical Assistance
      • Work Space: Room, Desk, printer, etc.
      • Technical Assistance: VPN capability, etc.
      • BOR Engagement Process and Request for Logistical Assistance.doc
  • IT Auditor Technical Needs and Requirements
    • Audited Entity's Policies, Procedures, Guidelines, etc.
    • Audited Entity's Topology, Configs, Hardware, etc.
    • Data Store(s) Access Requirements for Testing
      • IT Audit Request List-Generic - Reduced.doc
    • Script(s) to Apply to the Data Store(s)
      • Oracle Audit Privileges.doc and Audit Steps for Oracle Databases.doc
  • Contact will be made with the Audited Entity's CIO / CISO by the Auditor to Negotiate the practicality of technical needs and requirements

39. Part III: The On-site Audit - Logistics and THE PLAN

40. Sample Audit Plan (OIA Internal Use by the Auditors) - Situation

  • Situation:
  • What Risk or Requirement justifies a specific Audit (implementation of the tactical guidance and associated functional requirements)?
  • What Critical Business process or function needs to be assessed, and why?
  • What precedence is there for an investigation or the gathering of evidence?
  • What regulatory or policy compliance issues exist to support the goals and objectives for a specific audit?
  • How does this one audit fit into the bigger picture, e.g., time, resources, the Tactical / Strategic goals, and other audit agencies that will audit our institution?
  • Is the goal to place emphasis upon Risk Assessment, Risk Management, or Risk Avoidance?
  • What Critical Process Information is available to support the goals and objectives for a specific audit?
  • Will the process be deductive (investigation of predefined particulars to prove some hypotheses) or inductive (the collection of facts that may or may not reveal patterns or activities that introduce risk)?

41. Sample Audit Plan (OIA Internal Use by the Auditors) - Other Considerations

  • Pre-Audit Considerations or Outcomes:
  • Define what is to be audited and associated outcomes, scope, and criteria.
    • What process of examining and validating documents, data, processes, procedures, systems, or other activities will be used to ensure that the audited entity complies with objectives?
    • What set of business rules, system controls, government regulations, or security policies will be used to measure and determine compliance of the audited entity?
  • Define expected outcomes or results which the audit will produce, e.g., a report which identifies […] (goals or objectives resulting from the audit).

42. Sample Audit Plan (OIA Internal Use by the Auditors) - Mission

  • Mission (goals and objectives):
  • The OIA IT department will conduct an audit of [Audited Institution or entity name] on [date of onsite audit] to validate that appropriate controls and procedures exist to mitigate the potential threat of inappropriate access to the Institute's network and resources. The focus of the audit will review:
    • The management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agencies' identities
    • The mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
    • The provisions made in an underlying computer network infrastructure to protect network-accessible resources from unauthorized access and the effectiveness of these measures.

43. Sample Audit Plan (OIA Internal Use by the Auditors) - Execution of Audit

  • Execution (Operational Requirements - Part 1):
  • The explanation of how critical characteristics of the mission will be completed - what steps and / or processes are involved to complete the mission:
    • Controls to be assessed are: preventive, detective, corrective, administrative, technical, and physical (need to address specifics per the types of systems being employed at the Audited Entity)
    • Audit programs / processes to support the mission and target specific application of controls, the individuals who will complete each set of tasks, and the time to be invested during the audit - Identity Management (50%), Access Control (25%), Network and Perimeter Security (25%)
    • Key system(s) to be evaluated are the major network support systems associated with user access:
      • Data Stores: Banner, PeopleSoft, other database systems
      • Directory services (NDS, AD, LDAP, etc.)
      • One Card system, and others
    • User access to network resources and associated policies and procedures for: NOC, Administration, Auxiliary Services, Faculty, Students
      • Internal and external network devices

44. Sample Audit Plan (OIA Internal Use by the Auditors) - Execution of Audit

  • Execution (Operational Requirements - Part 2):
  • Standards for the Audit Methodology
    • Standards for the execution of the audit will comply with IIA guidance. Processes or outcomes will be measured using industry-standard business practices identified in ISACA (COBIT 4.01) and the additional guidelines where applicable, e.g., NIST, ISO, ITIL, BPM, Local Policies, etc.
  • CMMI level 3 will be the minimum criteria for measuring key processes for maturity
  • Objectives and milestones of the audit (programs and process) to support the mission

45. Sample Audit Plan (OIA Internal Use by the Auditors) - C3

  • Command, Control, & Communication:
  • Key Leadership contact information and communication procedures or protocol expected
    • Key shareholders (contact information): President, Chief Business Officer, Chief Information Officer, Chief Security Officer, and is there a local campus auditor?
    • Are there any special requirements or considerations outside of our normal operations?
  • Logistics: Resources required to complete the mission; identify & coordinate logistical requirements
    • The audited institution or entity's location
    • Travel mileage and driving time from USG BOR to Institution / Hotel
    • Timeline and general schedule of hours to be invested
    • Support needs to conduct the audit or to be coordinated, e.g., office space, interview rooms, parking passes, etc.
  • Coordination and scheduling with the audited entity POC on how the audit evidence will be gathered and what resources are needed, e.g., people for interviews, IT systems, documentation, etc.
  • Communications: notification and dialogue required to complete the mission
    • Key shareholders: regular situational audit updates to the audited entity
    • Interviewees, coordination and conduct: Administration or Operational Services, e.g., IT, HR, etc.; Functional Faculty; Auxiliary Service or outside agencies contracted to support the audited entity
    • Colleagues (peer auditors) and superiors: special or general guidance as the process progresses

46. Sample Audit Plan (OIA Internal Use by the Auditors) - Safety

  • Safety (physical or political considerations):
  • Sensitivity to issues that are local to the audited entity
  • Physical safety concerns
    • Assessments involving or around resources or equipment that are hazardous
    • Avoidance of placing the auditor in a situation that could compromise the integrity of the evidence being gathered or their personal character

47. With Your IT Auditor Around, You Have No Need to Fear! Purchase the Karate Trunk Monkey!

48. Part III: The On-site Execution of Audit

49. Your Institution - Audit Objectives (Sample of Business Logic and Associated Risk Areas: Understanding the Objective)

  • Entrance Conference:
  • Your Institution plays a vital role for the Audit Entity needs of USG. Loss of the Audit Entity's functionality would have a major impact on your institution's capability to [business practice, controls to mitigate risk, and / or effect if not protected or working properly] in support of USG development, growth, cost, etc., or adversely impact USG's image.
  • Possible areas to be reviewed:
    • Governance, Administration, Policies and Procedures
    • Physical Security and Environmental Controls
    • Network Design and Security Architecture
    • User Management / Logical Access to Applications and Sensitive Data
    • Incident and Disaster Response
    • Change Management, Systems Monitoring and Trend Analysis

50. Your Institution - Plan of Action

  • Doing the Audit:
  • Gather Information / Evidence
    • Interviews with key personnel
    • Test and Validate Objectives
  • Document initial analysis (informal)
  • Dialogue and gain Confirmation of Observations
  • Dialogue and gain Common Understanding of Exceptions and Findings
  • Get Key Shareholders to Sign Audit Report Worksheets (ARWs)
  • Up until the final report is completed, dialogue will continue with the audited entity regarding findings

51. Your Institution - Schedule of Events

  • Support Auditor's logistical needs and evidence gathering requirements (sent with engagement letter)
    • Key shareholders schedule time for Interviews with personnel requested
    • Need to provide an institutional administrative contact to coordinate interviews and logistics, e.g., 10:00 AM at Building A, room 120, with Joe or Jill Somebody.
    • Order of precedence: leadership to line worker, or dean / director to faculty
    • Need to speak with key areas' leadership the 1st week
    • Hours of operation from 8:00 to 7:00 (with working lunch; split shift is possible if needed; 45-60 minutes per each interview)
    • Leadership should recommend others as needed
    • Interviewees will need to be from key functional areas
  • Need to have physical access to system resources or locations to assess and confirm controls (e.g., look over the shoulder or direct access)
  • Auditor will provide status updates to your institution's audit POC each week
  • Brief exit meeting with Key leadership to address ARWs

52. Did Someone Mention Break?

53. Part IV - Example of How to Prepare: BIA, CMMI, and COBIT 4.01

54. Education versus Industry

  • Everyone's goal in USG is to: Create a More Educated Georgia by providing Information Technology service and support for functional and operational business needs or requirements

55. IT Challenges and Business Requirements - Where are you at? Can seem like HERDING CATS! (EDS "Cat Herding" video, 1:07 minutes)

56. IT Challenges and Business Requirements - Where are you at? Can seem like herding cats!

  • Business Functions and Processes?
    • Herding Cats can have its challenges
    • Herding Cats has its risks
  • Education is distinct from Industry practices due to:
    • Diversity of Administrative (Operational) Requirements
    • Fluctuation of Functional Instructor / Faculty Requirements
    • Changes in Leadership
  • Educational requirements do overlap with Industry!
    • Business rules and requirements, e.g., compliance, integrity, confidentiality, availability, effectiveness, reliability, efficiency, etc.
    • Processes, e.g., domains (scope of application for controls), procedures, operational activities, etc.
    • Resources, e.g., people, information, infrastructure, applications, etc.

57. Pitch Hit Fingers in Dike 1# Where are you at?Prioritizing the process We Do Understand! 58. Pitch Hit Fingers in Dike 2#Real World Real Problems We Are Concerned! 59. Pitch Hit Fingers in Dike 3# Running out of Fingers? We Recognize the Challenge! 60. Know Yourself Know Your Enemy!The Art of War( Chinese : ;pinyin :Sn Z Bng F ) is aChinese military treatisethat was written during the6th century BCbySun Tzu .

  • Two Possible not Recommended Responses to the Challenge
    • Freak Out: Embrace Hopelessness, Hide, Ignore, Deny, and Play Computer games until the Inevitable Occurs
    • Idealistic and Unrealistic: Do the Don Quixote (To Dream the Impossible Dream and Fight the Impossible Fight) - Wear yourself out Fighting Windmills by shooting at whatever pops its head out!
  • Third Approach - How do you Eat the Elephant standing in the corner, Instead of Avoiding it? Take ONE BITE at a time by
    • Strategizing a Response
    • Create a deliberate Long term Plan
    • Identify Short term Objectives and Milestones
    • Gain Key Shareholder ownership of the challenges
    • Test and Monitor the process with Identifiable Outcomes

61. Making a Lose / Lose Situation a Win / Win

  • Givens: A perfect IT Operational environment does not exist! You will have Exceptions and Findings (if not, you should complain about the auditor)
  • Priority of effort should be directed to likely threats for known vulnerabilities by
    • Affirming good controls and practices
    • Uncovering unknown vulnerabilities
  • Focus upon what is essential for the success of your institution's Business Functions, which are comprised of
    • Business Rules or Requirements: A statement that defines or constrains some aspect of the business. It is intended to assert business structure or to control or influence the behavior of the business.
    • Business Standards or Practices: A related group of business processes that support some aspects of the mission of an enterprise.

62. Dealing with the Nuts - The Old Way! Assessing Risk? (20th Century FOX, Ice Age, 1:55 min/sec)

63. Nuts Can Be Challenging - Business Process: Gathering and Storing NUTS and the Big Squeeze

  • Tasks of Dealing with the NUTS
    • 1. Gather Nuts
    • 2. Store Nuts
    • 3. The Big Squeeze? Operational versus Functional needs!
  • What are the Associated Risks?

(20th Century FOX, Ice Age)

64. In Time, Nut Requirements Change - The New Way! Risk Assessment? (20th Century FOX, Ice Age 2: The Meltdown, 55 sec)

65. Different Nuts, Different Methods - History has a Way of Repeating Itself!

  • Old Ways can Influence New Ways of ...
  • Different Business Requirements - Use of Different Methods (Variety of NUTS)
  • Sometimes the NUTS get Bigger and Harder to CRACK
  • Risk may Change or Increase!

(20th Century FOX, Ice Age 2: The Meltdown)

66. Making Peanut Butter Out of Nuts - Moral: Life is Always Going to Be a Little Squirrelly.

  • Business function Goals and Objectives can make the IT requirements a little NUTTY
  • Risk Implications associated with IT Implementations are NOT always CONSIDERED
  • Clearly Define the Task: Try making PEANUT BUTTER out of a difficult situation - it is easier to Store
  • WHERE DO YOU START?

(20th Century FOX, Ice Age 2: The Meltdown)

67. A Business Function's Rules and Practices

  • YOU MUST KNOW
  • What are the Business Principles in Operation?
  • Reasons - Why you do things a certain Way

Control Objectives for Information and related Technology (COBIT)

68. Business Requirements - Objectives and Rules of Engagement

  • Requirements: Who needs it? What is it supposed to do? How do I ensure its:
    • Effectiveness
    • Efficiency
    • Confidentiality
    • Availability
    • Compliance
    • Reliability

69. IT Resources New or Existing

  • Resources: Who or what is involved for the implementation & maintenance?
    • Applications: What systems are involved?
    • Information: What Data Dependencies exist?
    • Infrastructure: What will the current or new IT environment require?
    • People: Who will it support?

70. IT Processes Operational Considerations

  • Processes: What is the scope of functionality for the business implementation, and what needs to be done to make it work?
    • Domains: Who or what is involved?
    • Processes: What major events will occur?
    • Activities: What individual events must support those processes?

71. Four Principles for Consideration - Does a process exist or a means in place for?

  • 1st: Top-down Risk Based identification of threats and vulnerabilities for key Business processes and related IT support processes, e.g., change management, access security, operations, etc. (General Risk Assessment)
  • 2nd: Control of IT Risk that affects critical IT functionality in financially significant applications and related data (Particularized Risk Assessment)
  • 3rd: Layered IT controls to mitigate risk for application program code, databases, operating systems, and the network (Operational processes that align with precedence of Risk)
  • 4th: Risk mitigation based upon Business and IT control objectives (not the limitations of individual controls); have an IRP, DRP, & BCP

72. Four Principles for Consideration - Possible Suggestions!

  • 1st: Security Policy that supports the IT Strategic Plan and identifies the general scope of application - General Risk Assessment
  • 2nd: Detailed Risk Assessment that is conducted and evaluated periodically
  • 3rd: Layered IT controls
  • 4th: Business and IT control objectives are aligned - IRP, DRP, & BCP - Justify Response

Layers: Change Management, Operations, Security; Application, Database, Operating System, Network Infrastructure

73. COBIT 4.01 Business Rules, Requirements and Practices - How Processes Are Evaluated?

74. Sample Key Process - Ecommerce, e.g., One Card System Requirements?

  • Business Rules and Requirements (step 1):
    • Business Goals
    • IT Goals
  • IT Resources (step 2)
  • IT Processes (step 3)
  • Capacity and Performance Measurement (Quality of Service being delivered, step 4)
  • Controls to Measure and Mitigate Risk (Security of Service provided, step 5)
  • Contingency Planning & Rehearsal (step 6)

Access Control? Identity Management? Regulatory PCI Constraints and Requirements? Vendors? Network Infrastructure and Security?

75. Example: One Card System - Identity Management

  • Thinking About Identity Management (IdM)
  • Corporate Culture
    • Is management ready to meet the challenges of IdM?
    • Is there enough buy-in to implement an IdM program effectively and efficiently?
    • What are the prevailing perceptions and expectations of IdM?
    • Has the IT strategic plan been updated to reflect the need or concern for IdM?
    • Has management considered the impact of IdM on the organization's long-term strategy?
    • Is the corporate culture ready for and accepting of change?
    • Has a risk assessment been performed on the current environment?
  • Dedication of Resources
    • What are the limitations with regard to resources that can be dedicated to implementing an IdM solution?
    • Are the resources centralized or decentralized?

76. Example: One Card System - Identity Management

  • Planning for the Implementation of Identity Management (IdM)
  • IT Inventory and Resources
    • Has an analysis and assessment of the IT architecture (hardware, software and resources) been performed?
    • Will new web servers, OSs, DBs, and applications be required for the implementation?
    • Is the legal department up to date on the latest privacy laws and their impact on maintaining and protecting data?
    • Are users shared between organization units and if so how?
    • Has the impact on the restructuring of IT operations as a result of the IdM implementation been considered?
    • Have designated IT resources for the implementation of IdM been assigned?
    • Has a clear budget been established for the implementation?
    • Is the entity's data classified into different categories (confidential, sensitive, public access)?
    • Has an assessment of alternate forms of authentication been performed (e.g., PKI, biometrics)?

77. Example: One Card System - Identity Management

  • Meeting the Needs of the Business
    • What are the business needs and expectations of the organization's management and IT department? How will IdM help meet these expectations?
    • Are the needs of the organization's management aligned with those of the IT department?
    • Does the IT department have the necessary resources, time and funding to meet or exceed the expectations of management?
    • Is there a timeline/deadline associated with the implementation of IdM?
    • Has a process review been performed (identifying key areas for streamlining and reducing costs)?
    • Have all applications been mapped to a timed life cycle?
    • Has a segregation of duties been established for implementing IdM?
    • Has management communicated to the users of the organization regarding IdM?
    • Has a cost-benefit analysis been performed?
    • Have external implications been considered (laws, regulations, etc.)?
    • What will the new IdM savings be benchmarked against?

78. Business Impact Analysis (BIA) - The ABCs by the Numbers (CISA Study Guide, SYBEX, 2006)

79. Areas of Concern - BIA to Contingency Planning (Principles of Information Security, Thompson, 2007)

80. One Method of Service Support and Risk Assurance - Purchase the IT Trunk Monkey!

81. COBIT 4.01 - What Is It? Four Major Areas of Review

  • Plan and Organize (PO) - Provides direction to solution delivery (AI) and service delivery (DS)
  • Acquire and Implement (AI) - Provides the solutions and passes them to be turned into services
  • Deliver and Support (DS) - Receives the solutions and makes them usable for end users
  • Monitor and Evaluate (ME) - Monitors all processes to ensure that the direction provided is followed

82. COBIT 4.01 Narrowing the Scope - Delivery and Support (DS)

  • DS1 Define and Manage Service Levels
  • DS2 Manage Third-party Services
  • DS3 Manage Performance and Capacity
  • DS4 Ensure Continuous Service
  • DS5 Ensure Systems Security
  • DS6 Identify and Allocate Costs
  • DS7 Educate and Train Users
  • DS8 Manage Service Desk and Incidents
  • DS9 Manage the Configuration
  • DS10 Manage Problems
  • DS11 Manage Data
  • DS12 Manage the Physical Environment
  • DS13 Manage Operations

13 Categories

83. DS5 Ensure Systems Security

  • DS5.1 Management of IT Security
  • DS5.2 IT Security Plan
  • DS5.3 Identity Management
  • DS5.4 User Account Management
  • DS5.5 Security Testing, Surveillance and Monitoring
  • DS5.6 Security Incident Definition
  • DS5.7 Protection of Security Technology
  • DS5.8 Cryptographic Key Management
  • DS5.9 Malicious Software Prevention, Detection and Correction
  • DS5.10 Network Security
  • DS5.11 Exchange of Sensitive Data.

11 Sub-Categories

84. DS5.3 Identity Management - Goals and Objectives

  • DS5.3 Identity Management
  • Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable. Enable user identities via authentication mechanisms.
  • Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user identities.
  • Ensure that user access rights are requested by user management, approved by system owners and implemented by the security-responsible person.
  • Maintain user identities and access rights in a central repository.
  • Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

85. Logical Didactic Approach - DS5.3 Identity Management (How it is Evaluated)

  • Control over the IT process of Ensure systems security that satisfies the business requirement for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents
  • By focusing on
    • defining IT security policies, plans and procedures, and monitoring, detecting, reporting and resolving security vulnerabilities and incidents
  • Is achieved by
    • Understanding security requirements, vulnerabilities and threats
    • Managing user identities and authorizations in a standardized manner
    • Testing security regularly
  • And is measured by
    • Number of incidents damaging the organization's reputation with the public
    • Number of systems where security requirements are not met
    • Number of violations in segregation of duties

86. How We Measure Success? Maturity Model - CMMI DS5 Snapshot (Criteria)

  • DS5 Ensure Systems Security - Management of the process of Ensure systems security that satisfies the business requirements for IT of maintaining the integrity of information and processing infrastructure and minimizing the impact of security vulnerabilities and incidents is:
  • 0 Non-existent when: The organization does not recognize the need for IT security. Responsibilities and accountabilities are not assigned. There is a complete lack of a recognizable system security administration process.
  • 1 Initial/Ad Hoc when: The organization recognizes the need for IT security. Awareness of the need for security depends primarily on the individual. IT security is addressed on a reactive basis. IT security is not measured. Detected IT security breaches invoke finger-pointing responses. Responses to IT security breaches are unpredictable.
  • 2 Repeatable but Intuitive when: Responsibilities and accountabilities for IT security are assigned to an IT security ..., although the management authority ... Awareness of the need for security is fragmented and limited. Although security-relevant information ..., it is not analyzed. IT security is seen primarily as the responsibility and domain of IT, and the business does not see IT security as within its domain.
  • 3 Defined when: Security awareness exists and is promoted by management. IT security procedures are defined and aligned with IT security policy. Responsibilities for IT security are assigned and understood, but not consistently enforced. An IT security plan and security solutions exist as driven by risk analysis. Reporting on security does not contain a clear business focus. Ad hoc security testing (e.g., intrusion testing) is performed. Security training is available for IT and the business, but is only informally scheduled and managed.
  • 4 Managed and Measurable when: Responsibilities for IT security are clearly assigned, managed and enforced. IT security risk and impact analysis is consistently performed. Security policies and procedures are completed with specific security baselines. ... User identification, authentication and authorization are standardized. Security certification is pursued for staff members ... Security testing is completed using standard and formalized processes, leading to improvements of security levels. IT security reporting is linked to business objectives. IT security training is conducted. IT security training is planned and managed in a manner that responds to business needs and defined security risk profiles. Goals and metrics for security management have been defined but are not yet measured.
  • 5 Optimized when: IT security is a joint responsibility of business and IT management and is integrated with corporate security business objectives. IT security requirements are clearly defined, optimized and included in an approved security plan. Users and customers are increasingly accountable for defining security requirements, and security functions are integrated with applications at the design stage. Security incidents are promptly addressed with formalized incident response procedures supported by automated tools. Periodic security assessments are conducted to evaluate the effectiveness of the implementation of the security plan. Information on threats and vulnerabilities is systematically collected and analyzed. Adequate controls to mitigate risks are promptly communicated.

87. COBIT 4.01 Standards to NIST Mapping - Integration with other Standards (Alignment of IT Controls to Mitigate Risk)

88. NIST 800-53, Revision 1 - Standards Terminology and Application

89. Sample Key Process - Ecommerce, e.g., One Card System

  • Solutions to Other Questions Relating to the Ecommerce system
    • Plan and Organize (PO) - Provides direction to solution delivery (AI) and service delivery (DS): PO1, PO4, PO5, PO6, PO8, PO9, PO10, and PO11
    • Acquire and Implement (AI) - Provides the solutions and passes them to be turned into services: AI5 and AI4
    • Deliver and Support (DS) - Receives the solutions and makes them usable for end users: DS1, DS5 and DS11
  • Map the requirements to your preferred checklist, e.g. NIST or ISO
  • Requirements for Ecommerce Complement other Processes
    • Less work required for other system implementations
    • No duplication of effort if requirements are properly addressed
  • Identity Management applies to many other process requirements, e.g., Applications, Operating Systems, and Databases

90. COBIT 4.0-4.01 Available Mappings

  • ISACA web site at www.isaca.org/cobitmapping (many more available than listed here)
  • A few of the available mappings
    • COBIT Mapping: Mapping of NIST SP800-53 with COBIT 4.1
    • COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.0
    • COBIT Mapping: Mapping of ISO/IEC 17799:2000 With COBIT, 2nd Edition
    • COBIT Mapping: Mapping of ISO/IEC 17799:2005 With COBIT 4.0
    • COBIT Mapping: Mapping of ITIL With COBIT 4.0
  • Other planned detailed mappings include:
    • COBIT Mapping: Mapping of ITIL V3 With COBIT 4.1
    • COBIT Mapping: Mapping of COSO ERM With COBIT 4.1
    • COBIT Mapping: Mapping of ISO 20000 With COBIT 4.1
    • COBIT Mapping: Mapping of CMMI for Development V1.2 With COBIT 4.1
    • COBIT Mapping: Mapping of PMBOK With COBIT 4.1
    • COBIT Mapping: Mapping of ISO/IEC 1220 With COBIT 4.1
    • COBIT Mapping: Mapping of ISO 19770-1 With COBIT 4.1

91.

  • Did Someone Mention Another Break?

92.

  • Part V - High Level Simple Example:
  • Identity Management, Access Control, & Network Security

93. Birthing of a New Approach? Purchase the Birthing Trunk Monkey!

94. Entities Assessed During the Audit - Scope of Application: Areas of Emphasis (Entity or Process)

  • IAM: Identity and Access Control Management
    • Identity Management: the management of user credentials and the means by which users might log onto and use various systems or resources, e.g., the provisioning and de-provisioning of student, faculty, staff, and outside agencies' identities
    • Access Control: the mechanisms in place to permit or deny the use of a particular resource by a particular entity, e.g., technical or administrative controls to allow or deny access to file shares
  • NETSEC: Perimeter and Network Security
    • The provisions and management for the underlying computer network infrastructure to protect network-accessible resources from unauthorized access, and the effectiveness of these measures

95. Users Involved in Business Functions and Types of System Information? (Provisioning of High Risk or Critical Information)

  • Business Functional responsibility for assigning Rights & Permissions to various roles within the organization
    • Business Owner: Responsible for the provisioning and delegation of the processes or functions and associated privileges, e.g., Payroll, Registrar, FinAid, HR, ConEd, etc.
    • Trustees: Responsible to maintain trust granted by the Business Owner, e.g., Worker Bees in the associated departments that conduct day to day operations
    • Stewards: Responsible to service and support the business function; typically provide a technical system or infrastructure to facilitate business needs, e.g., ITS, OIIT, etc.
  • Types of Information (Data Classification) per BOR's BPM
    • Unrestricted / Public: No consequence; typically general information
    • Sensitive: typically references legal or externally imposed constraints that require this restriction
    • Confidential: highest level of restriction; applies to the risk or harm that may result from disclosure or inappropriate use, e.g., FERPA

96. Following the Business Function Information from Origin to Destination

  • We Identify how the information travels and is managed throughout the business function life cycle!
    • Technical Considerations: How packets of data are managed, provisioned, formatted, and transferred throughout business functions
    • Administrative Considerations: How the handling of information is conducted per the classification of this information and its intended use
    • Attempt to assess information and information system security from various perspectives

97. High level Simple Example - Paradigm Shift - CAN YOU DO IT?

  • Technology Management of User Space and Services through Security Threat Gateways
    • Techniques and Current Management Practices
    • Recognition of the Challenges for Network Infrastructure Security
    • Discussion:
      • User Profile Characteristics and Service Needs Identification Process
      • Tactical Significance of the Security Threat Gateway in Mitigating Risk

98. Overall Audit Plan & Program: Summary of Situation

  • The methodology for auditing the Information Systems assessment will be a Top Down approach
    • Business Goals to Standards and Practices
    • Business Function to Information System
    • Leadership (administrator) to Technician or Staff member (end user)
  • The approach will focus on key business functions and their associated Business Goals and Objectives as they relate to IAM and NETSEC.
  • Once identified and agreed upon for each business function, the key associated requirements, resources, and processes will be identified and assessed to determine if high or critical risk is being managed.
  • Focus will be upon Control Practices and Responsibility / Accountability associated with key activities, with an expected CMMI level 3 criteria for High Risk Critical processes.

99. High level Simple Example - Traditional Network Paradigm

  • Techniques and Current Management Practices

100. Management of User Space and Services - Threat Controls

  • Recognition of the Challenges for Network Infrastructure Security
    • Resources
    • Controls
    • Security in Depth

Principles of Information Security, Thompson, 2007 - Your Institution's Security Topology!

101. Management of User Space and Services - Regulatory Compliance

  • Further Recognition of the Challenges for Network Infrastructure Security

CISA Study Guide, SYBEX, 2006 - The LAW: We Are Not Exempt!

102. Management of User Space and Services Through Security Threat Gateways

  • Discussion (Relate it to COBIT):
    • User Profile Characteristics and Service Needs Identification Process
      • Survey Business Functionality (Goals and Objectives)
      • IT Service Needs Identification (Rules and Requirements; Scope, Processes, and Activities; and Resources)
      • Virtual Playgrounds (Context of the Audited Entities)
        • User Space (IT, Faculty, Staff, Students, etc.)
        • Service Space (access to various resources and services)
    • Tactical / Operational Significance of the Security Threat Gateway in Mitigating Risk (Controls for the Audited Entities)

103. Your Institution's Business Functions for (the Audited Entities) - What Rules and Practices Exist?

  • Contextualize the Issues!
  • What are the Business Principles in Operation?
  • Reasons - Why you do things a certain Way
  • Who are the Key Shareholders?

Control Objectives for Information and related Technology (COBIT)

104. Identity Management, Access Control, and Network Security - Business Rules, Requirements and Practices Self-Evaluated? Do a Check-up. If the Vision is Unclear, the Cost is Always too Much!

105. Management of User Space and Services Through Security Threat Gateways - Sample User Survey

  • Some of the questions to pose in the survey may look like this:
  • What information technology services do you need to perform your duties? Please briefly describe how you use technology on a daily basis.
  • Do you use email, and if so do you require that it be sent securely, so no one but the intended user can read it? If so, please describe a practical example in the past where this was necessary or would have been beneficial.
  • Do you use or exchange data that may be considered sensitive, and if so, briefly describe how you do this?
  • Do you need information technology when you travel, or do you work from home? If so, what resources do you need access to, and for what purpose?
  • How long have you been with the organization, and what is your current position?
  • How often do you use some type of information technology, and what level of knowledge or experience would you classify yourself as, e.g., novice, intermediate, expert, or somewhere in between?
  • Does your department have any special needs or requirements that may introduce a threat to the overall information technology services on our network?

SurveyMonkey.com - free, easy, and effective

106. Management of User Space and Services Through Security Threat Gateways - Sample User Services

107. Management of User Space and Services Through Security Threat Gateways - Virtual Play Grounds: Controls to Mitigate or Avoid Risk?

108. Management of User Space and Services Through Security Threat Gateways - Identity Management Choke Points

  • No longer a FRONT-DOOR Issue
    • We live in a glass house with no closed doors and lots of open windows - need a 3D solution
      • User Space, Service Space, and STGs
    • The challenge is internal and can be without boundaries
  • Boundaries must be how YOU draw them
    • Proactively rethink the Traditional Topology paradigm
    • The STG Channels Resource Access
    • Define boundaries and regulate the channels to ...
      • Control and Mitigate Risk
    • People are the biggest vulnerability on the network
      • Political Fiefdoms and Turf Battles for freedom of expression?
      • Work with them or against them?
      • Give them a virtual Playground with clearly defined boundaries

109. Management of User Space and Services Through Security Threat Gateways - Tactical Network Paradigm Shift

  • Match user needs to services
  • Segment service access
  • Fluid controls in place to mitigate risk
  • Create Security Threat Gateways to control and mitigate risk

110. Management of User Space and Services Through Security Threat Gateways - Keys of Success to Mitigate Risk

  • Step 1: Clearly Poll and Define User Needs and Requirements (Business Function!)
  • Step 2: Identity Policy and Legal Requirements
  • Step 3:Create and Segregate into Logical Buckets (Spaces & Places)
    • User Groups (User Space)
    • Service Groups (Service Space)
  • Step 4: Map out the Topology and Physical Requirements
    • Physical Hardware / software
    • Routing, Switching, IDS, IPS, DAM
  • Step 5: Redefine Security Requirements and Implement Security Threat Gateways (the Perimeter is Everywhere)!
  • Step 6: Create the Virtual User Playground
  • Step 7: Document, Manage, and Monitor User Activity and Resources
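The seven steps above (user groups in a User Space, service groups in a Service Space, a Security Threat Gateway between them, and monitoring of what is reached) and the DS5.3 rule that an access right is requested by user management, approved by the system owner and implemented by the security-responsible person, as an added Python example that is not part of the original deck: a default-deny gateway that admits only complete, owner-approved grants and reports the highest data classification each User Space can actually reach. The User Space / Service Space / STG vocabulary and the Unrestricted / Sensitive / Confidential categories are the deck's; the group, service and approver names are constructed for illustration.

```python
"""Security Threat Gateway (STG): default-deny chokepoint between User Space and
Service Space.  Added example, not from the original slide deck; group, service
and approver names below are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Data classification categories from the deck (BOR BPM), ordered low -> high.
CLASSIFICATION_RANK = {"Unrestricted": 0, "Sensitive": 1, "Confidential": 2}


@dataclass(frozen=True)
class Service:
    """A resource in the Service Space, the classification of its data, and the
    Business Owner function that provisions and delegates access to it."""
    name: str
    classification: str
    business_owner: str


@dataclass(frozen=True)
class Grant:
    """An access right in DS5.3 terms: requested by user management, approved by
    the system (business) owner, implemented by the security-responsible person."""
    user_space: str
    service: str
    requested_by: Optional[str]
    approved_by: Optional[str]
    implemented_by: Optional[str]

    def is_complete(self) -> bool:
        """All three DS5.3 steps must be on record for the right to count."""
        return all((self.requested_by, self.approved_by, self.implemented_by))


class SecurityThreatGateway:
    """Channels every User Space -> Service Space request through one policy point."""

    def __init__(self, services: List[Service], grants: List[Grant]) -> None:
        self.services = {s.name: s for s in services}
        self.grants = grants
        self.decisions: List[Tuple[str, str, bool, str]] = []  # audit trail (Step 7)

    def _find_grant(self, user_space: str, service: str) -> Optional[Grant]:
        return next((g for g in self.grants
                     if g.user_space == user_space and g.service == service), None)

    def decide(self, user_space: str, service: str, log: bool = True) -> Tuple[bool, str]:
        """Allow only a complete, owner-approved grant; everything else is denied."""
        svc = self.services.get(service)
        if svc is None:
            verdict = (False, "unknown service")
        else:
            grant = self._find_grant(user_space, service)
            if grant is None:
                verdict = (False, "no grant (default deny)")
            elif not grant.is_complete():
                verdict = (False, "grant incomplete: request, approval and implementation all required")
            elif svc.classification == "Confidential" and grant.approved_by != svc.business_owner:
                # Confidential data: the Business Owner, not a Steward or delegate, must approve.
                verdict = (False, f"Confidential data must be approved by owner {svc.business_owner}")
            else:
                verdict = (True, f"allowed ({svc.classification})")
        if log:
            self.decisions.append((user_space, service, *verdict))
        return verdict

    def exposure_report(self) -> Dict[str, Optional[str]]:
        """Highest classification each User Space can actually reach through the STG.
        A User Space with grants but no allowed path maps to None."""
        report: Dict[str, Optional[str]] = {}
        for g in self.grants:
            report.setdefault(g.user_space, None)
            allowed, _ = self.decide(g.user_space, g.service, log=False)
            if allowed:
                cls = self.services[g.service].classification
                current = report[g.user_space]
                if current is None or CLASSIFICATION_RANK[cls] > CLASSIFICATION_RANK[current]:
                    report[g.user_space] = cls
        return report


def build_sample_gateway() -> SecurityThreatGateway:
    """Constructed sample data: four services, five grants (two deliberately defective)."""
    services = [
        Service("Campus-Portal", "Unrestricted", "ITS"),
        Service("FinAid-Docs", "Sensitive", "FinAid"),
        Service("Student-Records", "Confidential", "Registrar"),
        Service("Payroll-System", "Confidential", "Payroll"),
    ]
    grants = [
        Grant("Students", "Campus-Portal", "ITS Help Desk", "ITS", "Security Office"),
        Grant("Faculty", "FinAid-Docs", "Dept Chair", "FinAid", "Security Office"),
        Grant("Registrar-Trustees", "Student-Records", "Registrar Manager", "Registrar", "Security Office"),
        # Approved by the Steward (ITS), not the Business Owner (Registrar): denied.
        Grant("Faculty", "Student-Records", "Dept Chair", "ITS", "Security Office"),
        # Implementation step never recorded: denied until the record is complete.
        Grant("Payroll-Trustees", "Payroll-System", "Payroll Manager", "Payroll", None),
    ]
    return SecurityThreatGateway(services, grants)


if __name__ == "__main__":
    gw = build_sample_gateway()
    for us, svc in [("Students", "Campus-Portal"), ("Students", "Student-Records"),
                    ("Faculty", "Student-Records"), ("Payroll-Trustees", "Payroll-System")]:
        print(f"{us} -> {svc}: {gw.decide(us, svc)}")
    print(gw.exposure_report())
```

The exposure report is the Step 7 check an auditor would ask for: it shows, per User Space, the most sensitive data reachable after the gateway's rules are applied, rather than what the grant list alone appears to permit.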

111. Summary - Overview of IT Audits

  • OIA Background
  • Audit Process, Plan, and Expectations
    • The On-site Audit
  • Example of How to Prepare - COBIT 4.01
  • Simple Example - Security Threat Gateways

112. Key Resources

  • IIA - www.theiia.org
  • ISACA - www.isaca.org
  • ISC(2) - www.isc2.org
  • ISO - www.iso.org
  • NIST - csrc.nist.gov
  • NSA - www.nsa.gov
  • IASE - iase.disa.mil
  • Web App Consortium - www.webappsec.org
  • EDUCAUSE - educause.edu/security
  • Univ. Austin Texas Sec. - security.utexas.edu
  • Univ. Cornell Sec. - www.cit.cornell.edu/security
  • Virginia Tech Sec. - security.vt.edu
  • Ga. Tech Info Sec. Center - www.gtisc.gatech.edu
  • Video Clips - www.imdb.com/video/screenplay

113. Call to Action & Challenge - Birds of a Feather, Flock Together, or Life is For the Birds - Be Different? (PIXAR, For the Birds, 3:16 minutes)

114. Where are you in the Process of Preparation for the Audit? Standing Alone? IT Can Seem a Little Funny, BUT IT WILL WORK OUT! Moral: Don't Drink the Kool-Aid and Be Caught with Your Shorts Down. Possible Situation: The Emperor has No Clothes - Who is Going to Tell Him? Disclaimer: All PUNS are intended, and should not be held against the Retarded Auditor or OIA

115. Discussion & Questions? Suggestion?

    • Build Relational Bridges of Trust with Superiors - even though it Requires a Level of Vulnerability (I am an Idealist; USE Wisdom; hopefully, we have built one today)
    • Strategize a Plan to Address the Elephant in the Corner
      • Step 1: Where are your weaknesses for the Areas being Audited?
      • Step 2: What will it take to get to CMMI level 3?
      • Step 3: Who else needs to be included in the solution process?
      • Step 4: Make a physical list of resources that need to be accessed
      • Step 5: Notify Key Shareholders of their involvement and what you need from them to be successful!
      • Step 6: Take the time left before your audit and backward plan!
      • Step 7: No one likes ugly surprises - you can run, but you can't hide!
