it audit methodologies

1. IT Audit Methodologies IT Audit Methodologies

BS 7799 - Code of Practice (CoP)

BSI - IT Baseline Protection Manual

Common Criteria (CC)

CobiT: www.isaca.org

BS7799: www.bsi.org.uk/disc/

BSI: www.bsi.bund.de/gshb/english/menue.htm

ITSEC: www.itsec.gov.uk

CC: csrc.nist.gov/cc/

IT Audits

Risk Analysis

Health Checks (Security Benchmarking)

Security Concepts

Security Manuals / Handbooks

Confidentiality

Integrity

Correctness

Completeness

Availability

Governance, Control & Audit for IT

Developed by ISACA

Releases

CobiT 1: 1996

32 Processes

271 Control Objectives

CobiT 2: 1998

34 Processes

302 Control Objectives

36 Control models used as basis:

Business control models (e.g. COSO)

IT control models (e.g. DTIs CoP)

CobiT control model covers:

Security (Confidentiality, Integrity, Availability)

Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)

IT Resources (Data, Application Systems, Technology, Facilities, People)

4 Domains

PO - Planning & Organisation

11 processes (high-level control objectives)

AI - Acquisition & Implementation

DS - Delivery & Support

M - Monitoring

PO 1Define a Strategic IT Plan

PO 2Define the Information Architecture

PO 3Determine the Technological Direction

PO 4Define the IT Organisation and Relationships

PO 5Manage the IT Investment

PO 6Communicate Management Aims and Direction

PO 7Manage Human Resources

PO 8Ensure Compliance with External Requirements

PO 9Assess Risks

PO 10Manage Projects

PO 11Manage Quality

AI 1Identify Solutions

AI 2Acquire and Maintain Application Software

AI 3Acquire and Maintain Technology Architecture

AI 4Develop and Maintain IT Procedures

AI 5Install and Accredit Systems

AI 6Manage Changes

DS 1Define Service Levels

DS 2Manage Third-Party Services

DS 3 Manage Performance andCapacity

DS 4Ensure Continuous Service

DS 5Ensure Systems Security

DS 6Identify and Attribute Costs

DS 7Educate and Train Users

DS 8Assist and Advise IT Customers

DS 9Manage the Configuration

DS 10Manage Problems and Incidents

DS 11Manage Data

DS 12Manage Facilities

DS 13Manage Operations

M 1 Monitor the Processes

M 2 Assess Internal Control Adequacy

M 3 Obtain Independent Assurance

M 4 Provide for Independent Audit

Information Criteria

Effectiveness

Efficiency

Confidentiality

Integrity

Availability

Compliance

Reliability

IT Resources

People

Applications

Technology

Facilities

Mainly used for IT audits, incl. security aspects

No detailed evaluation methodology described

Developed by international organisation (ISACA)

Up-to-date: Version 2 released in 1998

Only high-level control objectives described

Detailed IT control measures are not documented

Not very user friendly - learning curve!

Evaluation results not shown ingraphic form

May be used for self assessments

Useful aid in implementing IT control systems

No suitable basis to write security handbooks

CobiT package from ISACA:$ 100.--

3 parts freely downloadable from ISACA site

Software available from Methodware Ltd., NZ(www.methodware.co.nz)

CobiT Advisor 2nd edition: US$ 600.--

Code of Practice for Inform. Security Manag.

Developed by UK DTI, BSI: British Standard

Releases

CoP: 1993

BS 7799: Part 1: 1995

BS 7799: Part 2: 1998

Certification & Accreditation scheme (c:cure)

10 control categories

32 control groups

109 security controls

10 security key controls

Information security policy

Security organisation

Assets classification & control

Personnel security

Physical & environmental security

Computer & network management

System access control

Systems development & maintenance

Business continuity planning

Compliance

Information security policy document

Allocation of information security responsibilities

Information security education and training

Reporting of security incidents

Virus controls

Business continuity planning process

Control of proprietary software copying

Safeguarding of organizational records

Data protection

Compliance with security policy

Main use: Security Concepts & Health Checks

No evaluation methodology described

British Standard, developed by UK DTI

Certification scheme in place (c:cure)

BS7799, Part1, 1995 is being revised in 1999

Lists 109 ready-to-use security controls

No detailed security measures described

Very user friendly - easy to learn

Evaluation results not shown in graphic form

May be used for self assessments

BS7799, Part1: 94.--

BS7799, Part2: 36.--

BSI Electronic book of Part 1: 190.-- + VAT

Several BS7799 c:cure publications from BSI

CoP-iT software from SMH, UK: 349+VAT(www.smhplc.com)

IT Baseline Protection Manual (IT- Grundschutzhandbuch )

Developed by German BSI (GISA: German Information Security Agency)

Releases:

IT security manual: 1992

IT baseline protection manual: 1995

New versions (paper and CD-ROM): each year

Used to determine IT security measures for medium-level protection requirements

Straight forward approach since detailed risk analysis is not performed

Based on generic & platform specific security requirements detailed protection measures are constructed using given building blocks

List of assembled security measures may be used to establishor enhance baseline protection

IT security measures

7 areas

34 modules (building blocks)

Safeguards catalogue

6 categories of security measures

Threats catalogue

5 categories of threats

Protection for generic components

Infrastructure

Non-networked systems

Data transfer systems

Telecommunications

Other IT components

3.1 Organisation

3.2 Personnel

3.3 Contingency Planning

3.4 Data Protection

4.1 Buildings

4.2 Cabling

4.3 Rooms

4.3.1 Office

4.3.2 Server Room

4.3.3 Storage Media Archives

4.3.4 Technical Infrastructure Room

4.4 Protective cabinets

4.5 Home working place

5.1 DOS PC (Single User)

5.2 UNIX System

5.3 Laptop

5.4 DOS PC (multiuser)

5.5 Non-networked Windows NT computer

5.6 PC with Windows 95

5.99 Stand-alone IT systems

6.1 Server-Based Network

6.2 Networked Unix Systems

6.3 Peer-to-Peer Network

6.4 Windows NT network

6.5 Novell Netware 3.x

6.6 Novell Netware version 4.x

6.7 Heterogeneous networks

7.1 Data Carrier Exchange

7.2 Modem

7.3 Firewall

7.4 E-mail

8.1 Telecommunication system

8.2 Fax Machine

8.3 Telephone Answering Machine

8.4 LAN integration of an IT system via ISDN

9.1 Standard Software

9.2 Databases

9.3 Telecommuting

Threats- Technical failure:

T 4.13 Loss of stored data

Security Measures- Contingency planning:

S 6.36 Stipulating a minimum data protection concept

S 6.37 Documenting data protection procedures

S 6.33 Development of a data protection concept (optional)

S 6.34 Determining the factors influencing data protection (optional)

S 6.35 Stipulating data protection procedures (optional)

S 6.41 Training data reconstruction

Security Measures- Organisation:

S 2.41 Employees' commitment to data protection

S 2.137 Procurement of a suitable data backup system

S1 - Infrastructure (45 safeguards)

S2 - Organisation (153 safeguards)

S3 - Personnel (22 safeguards)

S4 - Hardware & Software (83 safeguards)

S5 - Communications (62 safeguards)

S6 - Contingency Planning ( 55safeguards)

S 1.7 Hand-held fire extinguishers

S 1.10 Use of safety doors

S 1.17 Entrance control service

S 1.18 Intruder and fire detection devices

S 1.27 Air conditioning

S 1.28 Local uninterruptible power supply [UPS]

S 1.36 Safekeeping of data carriers before and afterdispatch

T1 - Force Majeure (10 threats)

T2 - Organisational Shortcomings (58 threats)

T3 - Human Errors (31 threats)

T4 - Technical Failure (32 threats)

T5 - Deliberate acts (78 threats)

T 3.1 Loss of data confidentiality/integrity as a result of ITuser error

T 3.3 Non-compliance with IT security measures

T 3.6 Threat posed by cleaning staff or outside staff

T 3.9 Incorrect management of the IT system

T 3.12 Loss of storage media during transfer

T 3.16 Incorrect administration of site and data access rights

T 3.24 Inadvertent manipulation of data

T 3.25 Negligent deletion of objects

Main use: Security concepts & manuals

No evaluation methodology described

Developed by German BSI (GISA)

Updated version released each year

Lists 209 threats & 420 security measures

34 modules cover generic & platform specific security requirements

User friendly with a lot of security details

Not suitable for security risk analysis

Results of security coverage not shown in graphic form

Manual in HTML format on BSI web server

Manual in Winword format on CD-ROM(first CD free, additional CDs cost DM 50.-- each)

Paper copy of manual:DM 118.--

Software BSI Tool(only in German) :DM 515.--

ITSEC:IT Security Evaluation Criteria

Developed by UK, Germany, France, Netherl.and based primarily on USA TCSEC (Orange Book)

Releases

ITSEC: 1991

ITSEM: 1993(IT Security Evaluation Manual)

UK IT Security Evaluation & Certification scheme: 1994

Common Criteria (CC)

Developed by USA, EC: based on ITSEC

ISO International Standard

Releases

CC 1.0: 1996

CC 2.0: 1998

ISO IS 15408: 1999

Based on systematic, documented approach for security evaluations of systems & products

Open ended with regard to defined set of security objectives

ITSEC Functionality classes; e.g. FC-C2

CC protection profiles

Evaluation steps:

Definition of functionality

Assurance: confidence in functionality

Security objectives(Why)

Risk analysis (Threats, Countermeasures)

Security policy

Security enforcing functions(What)

technical & non-technical

Security mechanisms(How)

Evaluation levels

Goal: Confidence in functions & mechanisms

Correctness

Construction (development process & environment)

Operation (process & environment)

Effectiveness

Suitability analysis

Strength of mechanism analysis

Vulnerabilities (construction & operation)

Introduction toApproach

Terms and Model

Requirements for Protection Profiles (PP) and Security Targets (ST)

Functional Classes

Functional Families

Functional Components

Detailed Requirements

Assurance Classes

Assurance Families

Assurance Components

Detailed Requirements

Evaluation Assurance Levels (EAL)

Functional Requirements

for defining security behavior of theIT product or system:

implemented requirements

become security functions

Assurance Requirements

for establishing confidence in SecurityFunctions:

correctness of implementation

effectiveness in satisfyingobjectives

Used primarily for security evaluations and not for generalized IT audits

Defines evaluation methodology

Based on International Standard (ISO 15408)

Certification scheme in place

Updated & enhanced on a yearly basis

Includes extensible standard sets of security requirements (Protection Profile libraries)

Standardisation

Independence

Certifiability

Applicability in practice

Adaptability

Extent of Scope

Presentation of Results

Efficiency

Update frequency

Ease of Use

CobiT: Audit method for all IT processes

ITSEC, CC: Systematic approach for evaluations

BS7799, BSI: List of detailed security measures to be used as best practice documentation

Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)

What is needed in addition:

Audit concept (general aspects, infrastructure audits, application audits)

it audit methodologies

Technology

control objectives cobit

control audit

data ds

facilities ds

support ds

organisation po

systems security ds

incidents ds