5.6 it stream moderator (mauritius)

IT STREAM

Moderator: Dhan Koolwant, Sales Manager, Business Development Group, State Informatics Limited – Mauritius
[email protected] - +230 2536377
www.sil.mu

Upload: corporate-registers-forum

Post on 18-Nov-2014



Page 2: IT STREAM

IT Security Audit of Information Systems

Presentation by Mr Imran Ameerally of the IT Security Unit of the Ministry of Information and Communication Technology

Page 3: IT STREAM

Incorporating Security in IT Solutions for Corporate Registers

Presentation by Mr Vishal Soockeea, Account Manager, Business Development Group, State Informatics Limited

Page 4: IT SECURITY AUDIT OF INFORMATION SYSTEMS

• About IT Security Unit
• Types of Audits Conducted
• Companies Division Audit
• Audit Tasks
• Audit Deliverables
• Audit Findings
• Benefits of an Audit

Page 5: TYPES OF AUDITS CONDUCTED

• ISO/IEC 27001 Internal Audits
• Information Security Assessments
• In-House Security Audits
• Outsourced Security Audits

Page 6: PHASES & FINDINGS IN AN AUDIT

Phase 1 – Planning the Audit
Phase 2 – Performing the Audit Work
Phase 3 – Reporting Audit Findings

Findings are broken into 3 categories:

• Application Security
• Network and System Security
• Physical Security

Page 7: EXAMPLE 1 - FINDING UNDER AN APPLICATION SECURITY AUDIT

Finding Description: Password can be decrypted for Application Server Control Console

Severity Rating (H/M/L): High

Recommended Action(s):

• Short Term – A stronger encryption algorithm should be implemented to encrypt data passing between client and server
• Long Term – Security considerations should be a must in software requirement specification and analysis

Page 8: EXAMPLE 2 - FINDING UNDER AN APPLICATION SECURITY AUDIT

Finding Description: It is possible to view the contents of an authenticated page using the Back button of the browser.

Severity Rating (H/M/L): High

Recommended Action(s):

• Short Term – The back button of the browser should be disabled for all authenticated pages. Otherwise, the user may lose track and a malicious user can get access to his session simply by clicking on the back button of the browser.
• Long Term – Necessary controls in an application should be identified using threat modeling to ensure that the application is protected against common types of attacks based on the threats it faces.

Page 9: SECURITY COMPONENTS IN IT SOLUTIONS FOR CORPORATE REGISTERS

• Physical Security
• Server and System Software Security
• Database Security and Audit Trail
• Authentication to the Application
• Application Level Security
• Online Applications Security

Page 10: IT SYSTEM COMPONENTS FOR SECURITY CONSIDERATION

• Physical Security
• Server and System Software Security
• Database Security and Audit Trail
• Authentication to the Application
• Application Level Security
• Online Applications Security

Page 11: IT SECURITY AUDIT OF INFORMATION SYSTEMS & INCORPORATING SECURITY IN IT SOLUTIONS FOR CORPORATE REGISTERS

QUESTIONS RAISED & CLARIFICATIONS REQUESTED

Page 12: A MAURITIAN COMMONLY USED EXPRESSION

• English: How are you?
• French: Comment allez vous ?
• Creole (Mauritian Dialect): Ki Maniere ?
• Response: Corek (fine) / pas Corek (not fine)

Page 13

Thank You