IT and the Auditor – The Sequel Depression Era Tactics for IT Are you Tough Enough?


TRANSCRIPT

Page 1: IT and the Auditor – The Sequel

IT and the Auditor – The Sequel

Depression Era Tactics for IT. Are you Tough Enough?

Page 2: IT and the Auditor – The Sequel

GA GMIS Spring 2009 Conference, May 19, 2009

Introduction

• What is IT?
• What is audit?
• What you will learn
• Let’s introduce ourselves

Page 3: IT and the Auditor – The Sequel

Agenda

• Introduction
• IT Management Overview
• Audit Management Overview
• What do we have in common?
• Strategies
• Closing

Page 4: IT and the Auditor – The Sequel

Overview

• IT
• Auditors defined
• Relationship
• Risk as a common ground
• KPI
• Results

Page 5: IT and the Auditor – The Sequel

Vocabulary

Accountability
The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports nonrepudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.

Assurance
Grounds for confidence that the other four security goals (integrity, availability, confidentiality, and accountability) have been adequately met by a specific implementation. “Adequately met” includes (1) functionality that performs correctly, (2) sufficient protection against unintentional errors (by users or software), and (3) sufficient resistance to intentional penetration or bypass.

Availability
The security goal that generates the requirement for protection against (1) intentional or accidental attempts to perform unauthorized deletion of data or otherwise cause a denial of service or data, and (2) unauthorized use of system resources.

Confidentiality
The security goal that generates the requirement for protection from intentional or accidental attempts to perform unauthorized data reads. Confidentiality covers data in storage, during processing, and in transit.

Denial of Service
The prevention of authorized access to resources or the delaying of time-critical operations.

Due Care
Managers and their organizations have a duty to provide for information security to ensure that the type of control, the cost of control, and the deployment of control are appropriate for the system being managed.

Integrity
The security goal that generates the requirement for protection against either intentional or accidental attempts to violate data integrity (the property that data has when it has not been altered in an unauthorized manner) or system integrity (the quality that a system has when it performs its intended function in an unimpaired manner, free from unauthorized manipulation).

Page 6: IT and the Auditor – The Sequel

Vocabulary Continued

Risk
Within this presentation, synonymous with IT-Related Risk.

Risk Assessment
The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis.

Risk Management
The total process of identifying, controlling, and mitigating information system–related risks. It includes risk assessment; cost-benefit analysis; and the selection, implementation, test, and security evaluation of safeguards. This overall system security review considers both effectiveness and efficiency, including impact on the mission and constraints due to policy, regulations, and laws.

Security
Information system security is a system characteristic and a set of mechanisms that span the system both logically and physically.

Security Goals
The five security goals are integrity, availability, confidentiality, accountability, and assurance.

Threat
The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.

Threat-source
Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.

Threat Analysis
The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

Vulnerability
A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

Page 7: IT and the Auditor – The Sequel

Vocabulary Continued

IT Related Risk
The net mission impact considering (1) the probability that a particular threat-source will exercise (accidentally trigger or intentionally exploit) a particular information system vulnerability and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission loss due to:
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system.

Page 8: IT and the Auditor – The Sequel

IT Defined

(Diagram labels: CIO/CTO/CSO; 12 Hours)

Page 9: IT and the Auditor – The Sequel

Audit Supports

(Diagram label: Audit)

Page 10: IT and the Auditor – The Sequel

Auditor and IT – Converging!

(Diagram labels: Auditor, IT)

Page 11: IT and the Auditor – The Sequel

Qualities of a good auditor!

• Ethical
• Open minded
• Diplomatic
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self reliant

Page 12: IT and the Auditor – The Sequel

Auditor vs CIO

Compare the qualities of an Auditor to a CIO

Auditor
• Ethical
• Open minded
• Diplomatic
• Observant
• Perceptive
• Versatile
• Tenacious
• Decisive
• Self Reliant

CIO
• Good communicator
• Honesty
• Visionary
• Technically Sound
• Great Team Leader
• Motivator
• Consistent
• Tough Skinned

Page 13: IT and the Auditor – The Sequel

Internal Auditor versus External Auditor

Compare Internal and External Auditor

Internal Auditor
• More accessible
• Common in large and medium org
• Organization jealousy
• Intimate Org knowledge
• He belongs to the org

External Auditor
• Usually less accessible
• Available to all org
• Usually independent
• By appointments
• No guarantee of the same auditor annually

Page 14: IT and the Auditor – The Sequel

Establishing and maintaining a positive relationship with Auditor!

• It starts with the request for information
• This should be your opportunity to highlight your well run IT organization
• Provide them all the information they need and get them out the door or back in another department

Type of Audit/Auditor
• Internal
• External (Annual)
• Federal
• Was it planned or provoked?

Page 15: IT and the Auditor – The Sequel

Auditor’s Request for IT information

Document 1: 18 pages, 200 elements requiring a response

Range of questions
• Risk assessment and monitoring
• Program Development and Implementation
• Analysis and Design – Testing and QA
• Data Conversion – Go Live
• Documentation and Training
• Change Management – Security Policy
• Security (Apps, Network, Physical)
• Business Continuity

Page 16: IT and the Auditor – The Sequel

IT Budget and the auditor

• The auditor could provide the support you need for additional resources
• Answer questions honestly and completely

Page 17: IT and the Auditor – The Sequel

Auditor’s Hot buttons – concept of least privileges!

• Change Management
• Configuration Management
• Audit Trails
• User Privileges
• Password / Passphrases

Page 18: IT and the Auditor – The Sequel

IT Charter/Project Charter

IT Charter and Governance
• Defines Auditor role!

Project Charter
• Defines Auditor role!

Page 19: IT and the Auditor – The Sequel

Application Environments

Development
• Developers

Functional
• QA

User Acceptance
• Users

Production
• Prod Users

Page 20: IT and the Auditor – The Sequel

What is an Auditable IT Org?

Who
• Rights

What
• Change

When
• When

Page 21: IT and the Auditor – The Sequel

A Great IT Org!

(Diagram: Good Auditor and IT rapport + Auditable IT Org = Great IT Org)

Page 22: IT and the Auditor – The Sequel

Security Concern

• Physical Security
• Logical Security

Page 23: IT and the Auditor – The Sequel

IT Steering Team

• Secure membership for the Auditor
• If the Organization does not have an internal auditor, a qualified member of the organization should fulfill this role on the Team
• Lean on the Auditor for help in setting the standards for RISK ANALYSIS
• Maintain formal documentation in all meetings
• Share written minutes with all members of the team

Page 24: IT and the Auditor – The Sequel

Definition of Uncertainty and Risk

What is risk?

Page 25: IT and the Auditor – The Sequel

Definition of Uncertainty and Risk

What is risk? It is really the measurement of uncertainty.

Page 26: IT and the Auditor – The Sequel

Definition of Uncertainty and Risk

What is uncertainty? It is the lack of sureness about an outcome, ranging from just short of certainty to almost complete lack of knowledge about an outcome.

Page 27: IT and the Auditor – The Sequel

Aspects of Risk

• Risk event
• Risk as an opportunity
• Risk as a threat

Page 28: IT and the Auditor – The Sequel

What is your manager’s tolerance for Risk?

• Seeker
• Averse
• Neutral

Page 29: IT and the Auditor – The Sequel

Issues or Risks?

(Diagram: Risk → Unmanaged → Issues)

Page 30: IT and the Auditor – The Sequel

What is your manager’s tolerance for Risk?

(Chart axes: Risk, Cost)

Page 31: IT and the Auditor – The Sequel

General Risk Management Strategy

(Diagram label: Risk Management)

Page 32: IT and the Auditor – The Sequel

Risk Mitigation

(Diagram: New or Enhanced Controls – Reduce Number of flaws or errors, Add a targeted control, Reduce Magnitude of Impact – leaving Residual Risk)

Page 33: IT and the Auditor – The Sequel

Risk Management

• Importance of Risk Management
• Integration of Risk Management into the SDLC
• Key Roles
• Risk Ownership

Page 34: IT and the Auditor – The Sequel

Risk Management – Importance of Risk Management

Risk management plays a critical role in protecting an organization’s information assets, and therefore its mission, from IT-related risk.

An effective risk management process is an important component of a successful IT security program.

The principal goal of an organization’s risk management process should be to protect the organization and its ability to perform its mission, not just its IT assets.

Therefore, the risk management process should not be treated primarily as a technical function carried out by the IT experts who operate and manage the IT system, but as an essential management function of the organization.

Page 35: IT and the Auditor – The Sequel

Risk Management – Integration of Risk Management into the SDLC

(Table columns: SDLC Phase; Phase Characteristics; Support from Risk Management Activities)

Phase 1 – Initiation
Characteristics: The need for an IT system is expressed and the purpose and scope of the IT system is documented.
Risk management support: Identified risks are used to support the development of the system requirements, including security requirements, and a security concept of operations (strategy).

Phase 2 – Development or Acquisition
Characteristics: The IT system is designed, purchased, programmed, developed, or otherwise constructed.
Risk management support: The risks identified during this phase can be used to support the security analyses of the IT system that may lead to architecture and design tradeoffs during system development.

Phase 3 – Implementation
Characteristics: The system security features should be configured, enabled, tested, and verified.
Risk management support: The risk management process supports the assessment of the system implementation against its requirements and within its modeled operational environment. Decisions regarding risks identified must be made prior to system operation.

Page 36: IT and the Auditor – The Sequel

Risk Management – Integration of Risk Management into the SDLC (continued)

Phase 4 – Operation or Maintenance
Characteristics: The system performs its functions. Typically the system is being modified on an ongoing basis through the addition of hardware and software and by changes to organizational processes, policies, and procedures.
Risk management support: Risk management activities are performed for periodic system reauthorization (or reaccreditation) or whenever major changes are made to an IT system in its operational, production environment (e.g., new system interfaces).

Phase 5 – Closing
Characteristics: This phase may involve the disposition of information, hardware, and software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.
Risk management support: Risk management activities are performed for system components that will be disposed of or replaced to ensure that the hardware and software are properly disposed of, that residual data is appropriately handled, and that system migration is conducted in a secure and systematic manner.

Page 37: IT and the Auditor – The Sequel

Risk Management – Key Roles

• Senior Management
• Chief Information Officer (CIO)
• Systems and Information Owners
• Business and Functional Managers
• Internal auditor
• IT Security Practitioners

Page 38: IT and the Auditor – The Sequel

Risk Assessment

1. System Characterization
2. Threat Identification
3. Vulnerability Identification
4. Control Analysis
5. Likelihood Determination
6. Impact Analysis
7. Risk Determination
8. Control Recommendations
9. Results Documentation

Page 39: IT and the Auditor – The Sequel

Risk Assessment Activities – System Characterization

Step 1: System Characterization

Input:
• Hardware
• Software
• System interfaces
• Data and information
• People
• System mission

Output:
• System Boundary
• System Functions
• System and Data Criticality
• System and Data Sensitivity

Page 40: IT and the Auditor – The Sequel

Risk Assessment Activities – System Characterization

• Establish the scope of effort
• Define the authorization boundaries
• Provide the information essential to risk definition (input)

Page 41: IT and the Auditor – The Sequel

Information Gathering

• Brainstorming
• Interviewing
• Checklist
• SWOT

Page 42: IT and the Auditor – The Sequel

Risk Assessment Activities – System Characterization

System related information (input and additional input):
• IT Systems
• Functional requirements
• System Knowledge workers
• Current Security policy
• System security architecture
• Network Topology – diagrams
• Information storage info
• Information flow
• Controls (technical, management and operational)
• Physical and Environmental security

Page 43: IT and the Auditor – The Sequel

Risk Assessment Activities – Human Threats: Threat-Source, Motivation, and Threat Actions

Threat-Source: Hacker, cracker
Motivation: Challenge; Ego; Rebellion
Threat Actions: Hacking; Social engineering; System intrusion, break-ins; Unauthorized system access

Threat-Source: Computer criminal
Motivation: Destruction of information; Illegal information disclosure; Monetary gain; Unauthorized data alteration
Threat Actions: Computer crime (e.g., cyberstalking); Fraudulent act (e.g., replay, impersonation, interception); Information bribery; Spoofing; System intrusion

Threat-Source: Terrorist
Motivation: Blackmail; Destruction; Exploitation; Revenge
Threat Actions: Bomb/Terrorism; Information warfare; System attack (e.g., distributed denial of service); System penetration; System tampering

Page 44: IT and the Auditor – The Sequel

Risk Assessment Activities – Human Threats: Threat-Source, Motivation, and Threat Actions (continued)

Threat-Source: Industrial espionage (companies, foreign governments, other government interests)
Motivation: Competitive advantage; Economic espionage
Threat Actions: Economic exploitation; Information theft; Intrusion on personal privacy; Social engineering; System penetration; Unauthorized system access (access to classified, proprietary, and/or technology-related information)

Threat-Source: Insiders (poorly trained, disgruntled, malicious, negligent, dishonest, or terminated employees)
Motivation: Curiosity; Ego; Intelligence; Monetary gain; Revenge; Unintentional errors and omissions (e.g., data entry error, programming error)
Threat Actions: Assault on an employee; Blackmail; Browsing of proprietary information; Computer abuse; Fraud and theft; Information bribery; Input of falsified, corrupted data; Interception; Malicious code (e.g., virus, logic bomb, Trojan horse); Sale of personal information; System bugs; System intrusion; System sabotage; Unauthorized system access

Page 45: IT and the Auditor – The Sequel

Risk Assessment Activities – Vulnerability Identification

Vulnerability/Threat pairs (Vulnerability; Threat-Source; Threat Action):

Vulnerability: Terminated employees’ system identifiers (ID) are not removed from the system
Threat-Source: Terminated employees
Threat Action: Dialing into the company’s network and accessing company proprietary data

Vulnerability: Company firewall allows inbound telnet, and guest ID is enabled on XYZ server
Threat-Source: Unauthorized users (e.g., hackers, terminated employees, computer criminals, terrorists)
Threat Action: Using telnet to XYZ server and browsing system files with the guest ID

Vulnerability: The vendor has identified flaws in the security design of the system; however, new patches have not been applied to the system
Threat-Source: Unauthorized users (e.g., hackers, disgruntled employees, computer criminals, terrorists)
Threat Action: Obtaining unauthorized access to sensitive system files based on known system vulnerabilities

Vulnerability: Data center uses water sprinklers to suppress fire; tarpaulins to protect hardware and equipment from water damage are not in place
Threat-Source: Fire, negligent persons
Threat Action: Water sprinklers being turned on in the data center

Page 46: IT and the Auditor – The Sequel

Risk Assessment Activities – Vulnerability Identification: Development of Security Requirements Checklist (Security Criteria)

Security Area: Management Security
Security Criteria:
• Assignment of responsibilities
• Continuity of support
• Incident response capability
• Periodic review of security controls
• Personnel clearance and background investigations
• Risk assessment
• Security and technical training
• Separation of duties
• System authorization and reauthorization
• System or application security plan

Page 47: IT and the Auditor – The Sequel

Risk Assessment Activities – Vulnerability Identification: Development of Security Requirements Checklist (Security Criteria)

Security Area: Operational Security
Security Criteria:
• Control of air-borne contaminants (smoke, dust, chemicals)
• Controls to ensure the quality of the electrical power supply
• Data media access and disposal
• External data distribution and labeling
• Facility protection (e.g., computer room, data center, office)
• Humidity control
• Temperature control
• Workstations, laptops, and stand-alone personal computers

Page 48: IT and the Auditor – The Sequel

Risk Assessment Activities – Vulnerability Identification: Development of Security Requirements Checklist (Security Criteria)

Security Area: Technical Security
Security Criteria:
• Communications (e.g., dial-in, system interconnection, routers)
• Cryptography
• Discretionary access control
• Identification and authentication
• Intrusion detection
• Object reuse
• System audit

Page 49: IT and the Auditor – The Sequel

Risk Mitigation

• Risk Mitigation Options
• Risk Mitigation Strategies
• Approach for Control Implementation
• Control Categories
• Cost-Benefit Analysis
• Residual Risk

Page 50: IT and the Auditor – The Sequel

Risk Mitigation

(Diagram: New or Enhanced Controls – Reduce Number of flaws or errors, Add a targeted control, Reduce Magnitude of Impact – leaving Residual Risk)
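As an added example (not part of the slide deck), the Python below carries the deck’s own vulnerability/threat pairs from the Vulnerability Identification slide through Risk Determination and the Risk Mitigation flow on this slide: a targeted control reduces either the number of flaws (likelihood) or the magnitude of impact, and what is left is residual risk. The likelihood and impact ratings and the controls chosen for each pair are constructed, and the scoring scale is the likelihood-by-impact matrix from NIST SP 800-30, which the slides do not state themselves.

```python
"""Risk determination and residual risk over the slide deck's own
vulnerability/threat pairs. Likelihood, impact and control choices per pair
are CONSTRUCTED for illustration; the scale is NIST SP 800-30's matrix."""
from dataclasses import dataclass, replace

# NIST SP 800-30 likelihood weights, impact magnitudes, and one-step reduction
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}
STEP_DOWN = {"High": "Medium", "Medium": "Low", "Low": "Low"}

@dataclass(frozen=True)
class RiskItem:
    vulnerability: str
    threat_source: str
    threat_action: str
    likelihood: str      # constructed rating: Low / Medium / High
    impact: str          # constructed rating: Low / Medium / High
    control: str         # constructed targeted control
    reduces: str         # what the control shrinks: "likelihood" or "impact"

def risk_score(item: RiskItem) -> float:
    """Risk Determination: likelihood weight times impact magnitude."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]

def risk_level(score: float) -> str:
    """Map a score onto the three NIST SP 800-30 risk bands."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def residual(item: RiskItem) -> RiskItem:
    """Risk Mitigation: a control that removes flaws lowers likelihood, one
    that limits damage lowers impact; the item returned is the residual risk."""
    if item.reduces == "likelihood":
        return replace(item, likelihood=STEP_DOWN[item.likelihood])
    if item.reduces == "impact":
        return replace(item, impact=STEP_DOWN[item.impact])
    raise ValueError(f"unknown reduction target: {item.reduces!r}")

# Pairs from the slides; ratings and controls are constructed
REGISTER = [
    RiskItem("Terminated employees' system IDs are not removed",
             "Terminated employees",
             "Dialing into the company's network and accessing proprietary data",
             "High", "High", "Disable IDs as part of the termination checklist", "likelihood"),
    RiskItem("Firewall allows inbound telnet; guest ID enabled on XYZ server",
             "Unauthorized users (hackers, terminated employees, criminals)",
             "Using telnet to XYZ server and browsing files with the guest ID",
             "High", "Medium", "Block inbound telnet; disable the guest ID", "likelihood"),
    RiskItem("Vendor-identified security flaws; patches not applied",
             "Unauthorized users (hackers, disgruntled employees, criminals)",
             "Gaining access to sensitive files via known vulnerabilities",
             "Medium", "High", "Apply vendor patches on a fixed cycle", "likelihood"),
    RiskItem("Water sprinklers in data center; no tarpaulins in place",
             "Fire, negligent persons",
             "Sprinklers being turned on in the data center",
             "Low", "High", "Keep tarpaulins in place over hardware", "impact"),
]

def assess(register=REGISTER):
    """Results Documentation: risk before and after the control, per pair."""
    rows = []
    for item in register:
        after = residual(item)
        rows.append({"vulnerability": item.vulnerability, "risk": risk_level(risk_score(item)),
                     "control": item.control, "residual_risk": risk_level(risk_score(after))})
    return rows

def prioritized(register=REGISTER):
    """Control Recommendations are worked highest score first (stable on ties)."""
    return [i.vulnerability for i in sorted(register, key=risk_score, reverse=True)]
```

Note that the telnet/guest-ID pair stays Medium after one step down: a single control is not always enough, which is exactly what the residual-risk box in the flow is there to capture.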

Page 51: IT and the Auditor – The Sequel

General Risk Management Strategy

(Diagram label: Risk Management)

Page 52: IT and the Auditor – The Sequel

What is your manager’s tolerance for Risk?

(Chart axes: Risk, Cost)

Page 53: IT and the Auditor – The Sequel

Issues or Risks?

(Diagram: Risk → Unmanaged → Issues)

Page 54: IT and the Auditor – The Sequel

Take the following Action:

• Request the auditor or his designee serve on IT committees
• Create an IT Master Calendar that contains all recurring IT tasks, along with the task due date and lead time
• Create an IT profile repository that highlights the form and functions of the IT Organization (MOSS would be ideal)
• Within the profile, reference all IT Policies and Governance along with their storage and version number
• Where possible IT should express a preference for an electronic request for the audit information

Page 55: IT and the Auditor – The Sequel

Key Performance Indicators

• Percent decrease in security breaches
• Percent decrease in the impact of security breaches
• Security procedures that are supported by senior management
• Increase in acceptance and conformance of security procedures
• Increased support by senior management
• A mechanism for continuous improvement
• Decrease in audit findings regarding security non-conformance

Page 56: IT and the Auditor – The Sequel

Benefits of Action taken:

• IT Capability is no longer a Black Box
• Effective and Efficient IT
• Smooth Audit
• Happy Board
• Improves IT ability to get funded
• A great perception of IT
• Increased confidence in IT
• Improved relationship with IT and stakeholders
• Aid in process re-engineering

Page 57: IT and the Auditor – The Sequel

Summary

• Briefly review
• Ways to apply training
• Review Common ground
• Discussion