21.05.2015, Name, Slide 1: IT Audit Methodologies


Page 1: IT Audit Methodologies

Page 2: IT Audit Methodologies
- CobiT
- BS 7799 - Code of Practice (CoP)
- BSI - IT Baseline Protection Manual
- ITSEC
- Common Criteria (CC)

Page 3: IT Audit Methodologies - URLs
- CobiT: www.isaca.org
- BS7799: www.bsi.org.uk/disc/
- BSI: www.bsi.bund.de/gshb/english/menue.htm
- ITSEC: www.itsec.gov.uk
- CC: csrc.nist.gov/cc/

Page 4: Main Areas of Use
- IT Audits
- Risk Analysis
- Health Checks (Security Benchmarking)
- Security Concepts
- Security Manuals / Handbooks

Page 5: Security Definition
- Confidentiality
- Integrity (Correctness, Completeness)
- Availability

Page 6: CobiT
- Governance, Control & Audit for IT
- Developed by ISACA
- Releases:
  - CobiT 1: 1996, 32 processes, 271 control objectives
  - CobiT 2: 1998, 34 processes, 302 control objectives

Page 7: CobiT - Model for IT Governance
- 36 control models used as basis:
  - Business control models (e.g. COSO)
  - IT control models (e.g. DTI's CoP)
- CobiT control model covers:
  - Security (Confidentiality, Integrity, Availability)
  - Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
  - IT Resources (Data, Application Systems, Technology, Facilities, People)

Page 8: CobiT - Framework

Page 9: CobiT - Structure
- 4 Domains (each process is a high-level control objective):
  - PO - Planning & Organisation: 11 processes
  - AI - Acquisition & Implementation: 6 processes
  - DS - Delivery & Support: 13 processes
  - M - Monitoring: 4 processes

Page 10: PO - Planning and Organisation
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine the Technological Direction
- PO 4 Define the IT Organisation and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality

Page 11: AI - Acquisition and Implementation
- AI 1 Identify Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Architecture
- AI 4 Develop and Maintain IT Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes

Page 12: DS - Delivery and Support
- DS 1 Define Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Attribute Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise IT Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations

Page 13: M - Monitoring
- M 1 Monitor the Processes
- M 2 Assess Internal Control Adequacy
- M 3 Obtain Independent Assurance
- M 4 Provide for Independent Audit

Page 14: CobiT - IT Process Matrix
- Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT Resources: People, Applications, Technology, Facilities, Data
- IT Processes

Page 15: CobiT - Summary
- Mainly used for IT audits, incl. security aspects
- No detailed evaluation methodology described
- Developed by an international organisation (ISACA)
- Up-to-date: Version 2 released in 1998
- Only high-level control objectives described
- Detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown in graphic form

Page 16: CobiT - Summary
- May be used for self assessments
- Useful aid in implementing IT control systems
- No suitable basis to write security handbooks
- CobiT package from ISACA: $ 100.--
- 3 parts freely downloadable from ISACA site
- Software available from Methodware Ltd., NZ (www.methodware.co.nz): CobiT Advisor 2nd edition: US$ 600.--

Page 17: BS 7799 - CoP
- Code of Practice for Information Security Management
- Developed by UK DTI, BSI: British Standard
- Releases:
  - CoP: 1993
  - BS 7799 Part 1: 1995
  - BS 7799 Part 2: 1998
- Certification & Accreditation scheme (c:cure)

Page 18: BS 7799 - Security Baseline Controls
- 10 control categories
- 32 control groups
- 109 security controls
- 10 security key controls

Page 19: BS 7799 - Control Categories
- Information security policy
- Security organisation
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management

Page 20: BS 7799 - Control Categories (continued)
- System access control
- Systems development & maintenance
- Business continuity planning
- Compliance

Page 21: BS7799 - 10 Key Controls
- Information security policy document
- Allocation of information security responsibilities
- Information security education and training
- Reporting of security incidents
- Virus controls

Page 22: BS7799 - 10 Key Controls (continued)
- Business continuity planning process
- Control of proprietary software copying
- Safeguarding of organizational records
- Data protection
- Compliance with security policy

Page 23: BS7799 - Summary
- Main use: Security Concepts & Health Checks
- No evaluation methodology described
- British Standard, developed by UK DTI
- Certification scheme in place (c:cure)
- BS7799 Part 1, 1995 is being revised in 1999
- Lists 109 ready-to-use security controls
- No detailed security measures described
- Very user friendly - easy to learn

Page 24: BS7799 - Summary
- Evaluation results not shown in graphic form
- May be used for self assessments
- BS7799 Part 1: £ 94.--
- BS7799 Part 2: £ 36.--
- BSI electronic book of Part 1: £ 190.-- + VAT
- Several BS7799 c:cure publications from BSI
- CoP-iT software from SMH, UK: £ 349 + VAT (www.smhplc.com)

Page 25: BSI (Bundesamt für Sicherheit in der Informationstechnik) - IT Baseline Protection Manual (IT-Grundschutzhandbuch)
- Developed by German BSI (GISA: German Information Security Agency)
- Releases:
  - IT security manual: 1992
  - IT baseline protection manual: 1995
  - New versions (paper and CD-ROM): each year

Page 26: BSI - Approach

Page 27: BSI - Approach
- Used to determine IT security measures for medium-level protection requirements
- Straightforward approach, since no detailed risk analysis is performed
- Based on generic and platform-specific security requirements, detailed protection measures are constructed from the given building blocks (modules)
- The list of assembled security measures may be used to establish or enhance baseline protection

Page 28: BSI - Structure
- IT security measures: 7 areas, 34 modules (building blocks)
- Safeguards catalogue: 6 categories of security measures
- Threats catalogue: 5 categories of threats

Page 29: BSI - Security Measures (Modules)
- Protection for generic components
- Infrastructure
- Non-networked systems
- LANs
- Data transfer systems
- Telecommunications
- Other IT components

Page 30: BSI - Generic Components
- 3.1 Organisation
- 3.2 Personnel
- 3.3 Contingency Planning
- 3.4 Data Protection

Page 31: BSI - Infrastructure
- 4.1 Buildings
- 4.2 Cabling
- 4.3 Rooms
  - 4.3.1 Office
  - 4.3.2 Server Room
  - 4.3.3 Storage Media Archives
  - 4.3.4 Technical Infrastructure Room
- 4.4 Protective cabinets
- 4.5 Home working place

Page 32: BSI - Non-Networked Systems
- 5.1 DOS PC (single user)
- 5.2 UNIX system
- 5.3 Laptop
- 5.4 DOS PC (multiuser)
- 5.5 Non-networked Windows NT computer
- 5.6 PC with Windows 95
- 5.99 Stand-alone IT systems

Page 33: BSI - LANs
- 6.1 Server-based network
- 6.2 Networked Unix systems
- 6.3 Peer-to-peer network
- 6.4 Windows NT network
- 6.5 Novell Netware 3.x
- 6.6 Novell Netware version 4.x
- 6.7 Heterogeneous networks

Page 34: BSI - Data Transfer Systems
- 7.1 Data carrier exchange
- 7.2 Modem
- 7.3 Firewall
- 7.4 E-mail

Page 35: BSI - Telecommunications
- 8.1 Telecommunication system
- 8.2 Fax machine
- 8.3 Telephone answering machine
- 8.4 LAN integration of an IT system via ISDN

Page 36: BSI - Other IT Components
- 9.1 Standard software
- 9.2 Databases
- 9.3 Telecommuting

Page 37: BSI - Module "Data Protection" (3.4)
- Threats - Technical failure:
  - T 4.13 Loss of stored data
- Security measures - Contingency planning:
  - S 6.36 Stipulating a minimum data protection concept
  - S 6.37 Documenting data protection procedures
  - S 6.33 Development of a data protection concept (optional)
  - S 6.34 Determining the factors influencing data protection (optional)
  - S 6.35 Stipulating data protection procedures (optional)
  - S 6.41 Training data reconstruction
- Security measures - Organisation:
  - S 2.41 Employees' commitment to data protection
  - S 2.137 Procurement of a suitable data backup system
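The building-block approach of pages 27 and 37 (select modules for the components in scope, assemble their safeguards, then audit what is actually implemented) as an added Python model; this is example code, not the BSI manual or the BSI Tool. Module 3.4 is transcribed from the slide; the server-room module's safeguard assignment and placeholder threat id are constructed assumptions, as is the rule that a module's threats count as addressed only when all of its required safeguards are in place.

```python
"""Toy model of the BSI IT Baseline Protection approach: select modules for the
components in scope, assemble their safeguards into a baseline, and report the
gaps between that baseline and an audit record of implemented safeguards."""
from dataclasses import dataclass, field

# Catalogue categories S1-S6 and T1-T5 as numbered on the slides.
SAFEGUARD_CATEGORY = {"1": "Infrastructure", "2": "Organisation", "3": "Personnel",
                      "4": "Hardware & Software", "5": "Communications",
                      "6": "Contingency Planning"}
THREAT_CATEGORY = {"1": "Force Majeure", "2": "Organisational Shortcomings",
                   "3": "Human Errors", "4": "Technical Failure", "5": "Deliberate Acts"}

@dataclass
class Module:
    number: str
    name: str
    threats: dict                    # "T 4.13" -> description
    required: dict                   # "S 6.36" -> description
    optional: dict = field(default_factory=dict)

# Module 3.4 "Data Protection" as listed on the slide.
DATA_PROTECTION = Module(
    "3.4", "Data Protection",
    threats={"T 4.13": "Loss of stored data"},
    required={"S 6.36": "Stipulating a minimum data protection concept",
              "S 6.37": "Documenting data protection procedures",
              "S 6.41": "Training data reconstruction",
              "S 2.41": "Employees' commitment to data protection",
              "S 2.137": "Procurement of a suitable data backup system"},
    optional={"S 6.33": "Development of a data protection concept",
              "S 6.34": "Determining the factors influencing data protection",
              "S 6.35": "Stipulating data protection procedures"})

# Constructed example (assumption): module 4.3.2 "Server Room" with two safeguards
# from the S1 list on the slides; the slides do not state this assignment.
SERVER_ROOM = Module(
    "4.3.2", "Server Room",
    threats={"T 4.x": "Power failure (constructed placeholder id)"},
    required={"S 1.27": "Air conditioning",
              "S 1.28": "Local uninterruptible power supply [UPS]"})

def category_of(ident: str) -> str:
    """Map a catalogue id to its category name: 'S 6.36' -> 'Contingency Planning'."""
    table = SAFEGUARD_CATEGORY if ident.startswith("S") else THREAT_CATEGORY
    return table[ident.split()[1].split(".")[0]]

def assemble_baseline(modules) -> dict:
    """Union of the required safeguards of all selected modules (the baseline)."""
    baseline = {}
    for m in modules:
        baseline.update(m.required)
    return baseline

def audit_gaps(modules, implemented) -> dict:
    """Per module, the required safeguards missing from the implemented set.
    Optional safeguards never count as gaps; fully covered modules are omitted."""
    return {m.number: sorted(s for s in m.required if s not in implemented)
            for m in modules if any(s not in implemented for s in m.required)}

def uncovered_threats(modules, implemented) -> dict:
    """Threats of modules that still have gaps, tagged with their catalogue category.
    Assumption: a module's threats are addressed only when all required
    safeguards of that module are in place."""
    gaps = audit_gaps(modules, implemented)
    return {t: (desc, category_of(t)) for m in modules if m.number in gaps
            for t, desc in m.threats.items()}
```

The `implemented` argument is the auditor's record of safeguard ids found in place; the optional safeguards of page 37 are deliberately left out of the baseline so they never appear as findings.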

Page 38: BSI - Safeguards (420 safeguards)
- S1 - Infrastructure (45 safeguards)
- S2 - Organisation (153 safeguards)
- S3 - Personnel (22 safeguards)
- S4 - Hardware & Software (83 safeguards)
- S5 - Communications (62 safeguards)
- S6 - Contingency Planning (55 safeguards)

Page 39: BSI - S1 Infrastructure (45 safeguards), examples
- S 1.7 Hand-held fire extinguishers
- S 1.10 Use of safety doors
- S 1.17 Entrance control service
- S 1.18 Intruder and fire detection devices
- S 1.27 Air conditioning
- S 1.28 Local uninterruptible power supply [UPS]
- S 1.36 Safekeeping of data carriers before and after dispatch

Page 40: BSI - Security Threats (209 threats)
- T1 - Force Majeure (10 threats)
- T2 - Organisational Shortcomings (58 threats)
- T3 - Human Errors (31 threats)
- T4 - Technical Failure (32 threats)
- T5 - Deliberate Acts (78 threats)

Page 41: BSI - T3 Human Errors (31 threats), examples
- T 3.1 Loss of data confidentiality/integrity as a result of IT user error
- T 3.3 Non-compliance with IT security measures
- T 3.6 Threat posed by cleaning staff or outside staff
- T 3.9 Incorrect management of the IT system
- T 3.12 Loss of storage media during transfer
- T 3.16 Incorrect administration of site and data access rights
- T 3.24 Inadvertent manipulation of data
- T 3.25 Negligent deletion of objects

Page 42: BSI - Summary
- Main use: security concepts & manuals
- No evaluation methodology described
- Developed by German BSI (GISA)
- Updated version released each year
- Lists 209 threats & 420 security measures
- 34 modules cover generic & platform-specific security requirements

Page 43: BSI - Summary
- User friendly, with a lot of security details
- Not suitable for security risk analysis
- Results of security coverage not shown in graphic form
- Manual in HTML format on BSI web server
- Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
- Paper copy of manual: DM 118.--
- Software 'BSI Tool' (only in German): DM 515.--

Page 44: ITSEC, Common Criteria
- ITSEC: IT Security Evaluation Criteria
- Developed by UK, Germany, France, Netherlands; based primarily on the USA TCSEC (Orange Book)
- Releases:
  - ITSEC: 1991
  - ITSEM: 1993 (IT Security Evaluation Manual)
  - UK IT Security Evaluation & Certification scheme: 1994

Page 45: ITSEC, Common Criteria
- Common Criteria (CC)
- Developed by USA, EC; based on ITSEC
- ISO International Standard
- Releases:
  - CC 1.0: 1996
  - CC 2.0: 1998
  - ISO IS 15408: 1999

Page 46: ITSEC - Methodology
- Based on a systematic, documented approach for security evaluations of systems & products
- Open-ended with regard to the defined set of security objectives:
  - ITSEC functionality classes, e.g. FC-C2
  - CC protection profiles
- Evaluation steps:
  - Definition of functionality
  - Assurance: confidence in functionality

Page 47: ITSEC - Functionality
- Security objectives (Why): risk analysis (threats, countermeasures), security policy
- Security enforcing functions (What): technical & non-technical
- Security mechanisms (How)
- Evaluation levels

Page 48: ITSEC - Assurance
- Goal: confidence in functions & mechanisms
- Correctness:
  - Construction (development process & environment)
  - Operation (process & environment)
- Effectiveness:
  - Suitability analysis
  - Strength of mechanism analysis
  - Vulnerabilities (construction & operation)

Page 49: CC - Security Concept

Page 50: CC - Evaluation Goal

Page 51: CC - Documentation
- CC Part 1: Introduction and Model
  - Introduction to approach
  - Terms and model
  - Requirements for Protection Profiles (PP) and Security Targets (ST)
- CC Part 2: Functional Requirements
  - Functional classes
  - Functional families
  - Functional components
  - Detailed requirements
- CC Part 3: Assurance Requirements
  - Assurance classes
  - Assurance families
  - Assurance components
  - Detailed requirements
  - Evaluation Assurance Levels (EAL)

Page 52: CC - Security Requirements
- Functional requirements: for defining the security behaviour of the IT product or system; implemented requirements become security functions
- Assurance requirements: for establishing confidence in the security functions: correctness of implementation, effectiveness in satisfying objectives

Page 53: CC - Security Functional Classes

Class   Name
FAU     Audit
FCO     Communications
FCS     Cryptographic Support
FDP     User Data Protection
FIA     Identification & Authentication
FMT     Security Management
FPR     Privacy
FPT     Protection of TOE Security Functions
FRU     Resource Utilization
FTA     TOE (Target Of Evaluation) Access
FTP     Trusted Path / Channels

Page 54: CC - Security Assurance Classes

Class   Name
ACM     Configuration Management
ADO     Delivery & Operation
ADV     Development
AGD     Guidance Documents
ALC     Life Cycle Support
ATE     Tests
AVA     Vulnerability Assessment
APE     Protection Profile Evaluation
ASE     Security Target Evaluation
AMA     Maintenance of Assurance

Page 55: CC - Eval. Assurance Levels (EALs)

EAL     Name                                        TCSEC*
EAL1    Functionally Tested                         -
EAL2    Structurally Tested                         C1
EAL3    Methodically Tested & Checked               C2
EAL4    Methodically Designed, Tested & Reviewed    B1
EAL5    Semiformally Designed & Tested              B2
EAL6    Semiformally Verified Design & Tested       B3
EAL7    Formally Verified Design & Tested           A1

*TCSEC = "Trusted Computer System Evaluation Criteria" ("Orange Book")

Page 56: ITSEC, CC - Summary
- Used primarily for security evaluations, not for generalised IT audits
- Defines an evaluation methodology
- Based on an International Standard (ISO 15408)
- Certification scheme in place
- Updated & enhanced on a yearly basis
- Includes extensible standard sets of security requirements (Protection Profile libraries)

Page 57: Comparison of Methods - Criteria
- Standardisation
- Independence
- Certifiability
- Applicability in practice
- Adaptability

Page 58: Comparison of Methods - Criteria (continued)
- Extent of Scope
- Presentation of Results
- Efficiency
- Update frequency
- Ease of Use

Page 59: Comparison of Methods - Results

Criterion                  CobiT  BS 7799  BSI  ITSEC/CC
Standardisation            3.4    3.3      3.1  3.9
Independence               3.3    3.6      3.5  3.9
Certifiability             2.7    3.3      3.0  3.7
Applicability in practice  2.8    3.0      3.1  2.5
Adaptability               3.3    2.8      3.3  3.0
Extent of Scope            3.1    2.9      2.7  2.6
Presentation of Results    1.9    2.2      2.6  1.7
Efficiency                 3.0    2.8      3.0  2.5
Update frequency           3.1    2.4      3.4  2.8
Ease of Use                2.3    2.7      2.8  2.0

Scores between 1 (low) and 4 (high). Scores for CobiT, BS7799 and BSI from the ISACA Swiss chapter; scores for ITSEC/CC from H.P. Winiger.

Page 60: CobiT - Assessment

Page 61: BS 7799 - Assessment

Page 62: BSI - Assessment

Page 63: ITSEC/CC - Assessment

Page 64: Use of Methods for IT Audits
- CobiT: audit method for all IT processes
- ITSEC, CC: systematic approach for evaluations
- BS7799, BSI: list of detailed security measures to be used as best-practice documentation
- What is needed in addition:
  - Audit concept (general aspects, infrastructure audits, application audits)
  - Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)

Page 65: Thank you for your interest in IT Audit Methodologies