
  • Number of slides: 65

IT Audit Methodologies
20.03.2018, Name, Slide 1

IT Audit Methodologies
• CobiT
• BS 7799 - Code of Practice (CoP)
• BSI - IT Baseline Protection Manual
• ITSEC
• Common Criteria (CC)

IT Audit Methodologies - URLs
• CobiT: www.isaca.org
• BS 7799: www.bsi.org.uk/disc/
• BSI: www.bsi.bund.de/gshb/english/menue.htm
• ITSEC: www.itsec.gov.uk
• CC: csrc.nist.gov/cc/

Main Areas of Use
• IT Audits
• Risk Analysis
• Health Checks (Security Benchmarking)
• Security Concepts
• Security Manuals / Handbooks

Security Definition
• Confidentiality
• Integrity
    • Correctness
    • Completeness
• Availability

CobiT
• Governance, Control & Audit for IT
• Developed by ISACA
• Releases
    • CobiT 1: 1996
        • 32 Processes
        • 271 Control Objectives
    • CobiT 2: 1998
        • 34 Processes
        • 302 Control Objectives

CobiT - Model for IT Governance
• 36 Control models used as basis:
    • Business control models (e.g. COSO)
    • IT control models (e.g. DTI's CoP)
• CobiT control model covers:
    • Security (Confidentiality, Integrity, Availability)
    • Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
    • IT Resources (Data, Application Systems, Technology, Facilities, People)

CobiT - Framework

CobiT - Structure
• 4 Domains
    • PO - Planning & Organisation
        • 11 processes (high-level control objectives)
    • AI - Acquisition & Implementation
        • 6 processes (high-level control objectives)
    • DS - Delivery & Support
        • 13 processes (high-level control objectives)
    • M - Monitoring
        • 4 processes (high-level control objectives)

PO - Planning and Organisation
• PO1 Define a Strategic IT Plan
• PO2 Define the Information Architecture
• PO3 Determine the Technological Direction
• PO4 Define the IT Organisation and Relationships
• PO5 Manage the IT Investment
• PO6 Communicate Management Aims and Direction
• PO7 Manage Human Resources
• PO8 Ensure Compliance with External Requirements
• PO9 Assess Risks
• PO10 Manage Projects
• PO11 Manage Quality

AI - Acquisition and Implementation
• AI1 Identify Solutions
• AI2 Acquire and Maintain Application Software
• AI3 Acquire and Maintain Technology Architecture
• AI4 Develop and Maintain IT Procedures
• AI5 Install and Accredit Systems
• AI6 Manage Changes

DS - Delivery and Support
• DS1 Define Service Levels
• DS2 Manage Third-Party Services
• DS3 Manage Performance and Capacity
• DS4 Ensure Continuous Service
• DS5 Ensure Systems Security
• DS6 Identify and Attribute Costs
• DS7 Educate and Train Users
• DS8 Assist and Advise IT Customers
• DS9 Manage the Configuration
• DS10 Manage Problems and Incidents
• DS11 Manage Data
• DS12 Manage Facilities
• DS13 Manage Operations

M - Monitoring
• M1 Monitor the Processes
• M2 Assess Internal Control Adequacy
• M3 Obtain Independent Assurance
• M4 Provide for Independent Audit

CobiT - IT Process Matrix
Information Criteria
• Effectiveness
• Efficiency
• Confidentiality
• Integrity
• Availability
• Compliance
• Reliability
IT Resources
• People
• Applications
• Technology
• Facilities
• Data

CobiT - Summary
• Mainly used for IT audits, incl. security aspects
• No detailed evaluation methodology described
• Developed by international organisation (ISACA)
• Up-to-date: Version 2 released in 1998
• Only high-level control objectives described
• Detailed IT control measures are not documented
• Not very user friendly - learning curve!
• Evaluation results not shown in graphic form

CobiT - Summary
• May be used for self assessments
• Useful aid in implementing IT control systems
• No suitable basis to write security handbooks
• CobiT package from ISACA: $ 100.--
• 3 parts freely downloadable from ISACA site
• Software available from Methodware Ltd., NZ (www.methodware.co.nz)
    • CobiT Advisor 2nd edition: US$ 600.--

BS 7799 - CoP
• Code of Practice for Information Security Management
• Developed by UK DTI, BSI: British Standard
• Releases
    • CoP: 1993
    • BS 7799: Part 1: 1995
    • BS 7799: Part 2: 1998
• Certification & Accreditation scheme (c:cure)

BS 7799 - Security Baseline Controls
• 10 control categories
• 32 control groups
• 109 security controls
• 10 security key controls

BS 7799 - Control Categories
• Information security policy
• Security organisation
• Assets classification & control
• Personnel security
• Physical & environmental security
• Computer & network management

BS 7799 - Control Categories
• System access control
• Systems development & maintenance
• Business continuity planning
• Compliance

BS 7799 - 10 Key Controls
• Information security policy document
• Allocation of information security responsibilities
• Information security education and training
• Reporting of security incidents
• Virus controls

BS 7799 - 10 Key Controls
• Business continuity planning process
• Control of proprietary software copying
• Safeguarding of organizational records
• Data protection
• Compliance with security policy

BS 7799 - Summary
• Main use: Security Concepts & Health Checks
• No evaluation methodology described
• British Standard, developed by UK DTI
• Certification scheme in place (c:cure)
• BS 7799, Part 1, 1995 is being revised in 1999
• Lists 109 ready-to-use security controls
• No detailed security measures described
• Very user friendly - easy to learn

BS 7799 - Summary
• Evaluation results not shown in graphic form
• May be used for self assessments
• BS 7799, Part 1: £ 94.--
• BS 7799, Part 2: £ 36.--
• BSI Electronic book of Part 1: £ 190.-- + VAT
• Several BS 7799 c:cure publications from BSI
• CoP-iT software from SMH, UK: £ 349 + VAT (www.smhplc.com)

BSI (Bundesamt für Sicherheit in der Informationstechnik)
• IT Baseline Protection Manual (IT-Grundschutzhandbuch)
• Developed by German BSI (GISA: German Information Security Agency)
• Releases:
    • IT security manual: 1992
    • IT baseline protection manual: 1995
    • New versions (paper and CD-ROM): each year

BSI - Approach

BSI - Approach
• Used to determine IT security measures for medium-level protection requirements
• Straightforward approach, since a detailed risk analysis is not performed
• Based on generic & platform-specific security requirements, detailed protection measures are constructed using given building blocks
• List of assembled security measures may be used to establish or enhance baseline protection

BSI - Structure
• IT security measures
    • 7 areas
    • 34 modules (building blocks)
• Safeguards catalogue
    • 6 categories of security measures
• Threats catalogue
    • 5 categories of threats

BSI - Security Measures (Modules)
• Protection for generic components
• Infrastructure
• Non-networked systems
• LANs
• Data transfer systems
• Telecommunications
• Other IT components

BSI - Generic Components
• 3.1 Organisation
• 3.2 Personnel
• 3.3 Contingency Planning
• 3.4 Data Protection

BSI - Infrastructure
• 4.1 Buildings
• 4.2 Cabling
• Rooms
    • 4.3.1 Office
    • 4.3.2 Server Room
    • 4.3.3 Storage Media Archives
    • 4.3.4 Technical Infrastructure Room
• 4.4 Protective cabinets
• 4.5 Home working place

BSI - Non-Networked Systems
• 5.1 DOS PC (Single User)
• 5.2 UNIX System
• 5.3 Laptop
• 5.4 DOS PC (multiuser)
• 5.5 Non-networked Windows NT computer
• 5.6 PC with Windows 95
• 5.99 Stand-alone IT systems

BSI - LANs
• 6.1 Server-Based
• 6.2 Networked Unix Systems
• 6.3 Peer-to-Peer Network
• 6.4 Windows NT network
• 6.5 Novell Netware 3.x
• 6.6 Novell Netware version 4.x
• 6.7 Heterogeneous networks

BSI - Data Transfer Systems
• 7.1 Data Carrier Exchange
• 7.2 Modem
• 7.3 Firewall
• 7.4 E-mail

BSI - Telecommunications
• 8.1 Telecommunication system
• 8.2 Fax Machine
• 8.3 Telephone Answering Machine
• 8.4 LAN integration of an IT system via ISDN

BSI - Other IT Components
• 9.1 Standard Software
• 9.2 Databases
• 9.3 Telecommuting

BSI - Module "Data Protection" (3.4)
• Threats - Technical failure:
    • T 4.13 Loss of stored data
• Security Measures - Contingency planning:
    • S 6.36 Stipulating a minimum data protection concept
    • S 6.37 Documenting data protection procedures
    • S 6.33 Development of a data protection concept (optional)
    • S 6.34 Determining the factors influencing data protection (optional)
    • S 6.35 Stipulating data protection procedures (optional)
    • S 6.41 Training data reconstruction
• Security Measures - Organisation:
    • S 2.41 Employees' commitment to data protection
    • S 2.137 Procurement of a suitable data backup system

BSI - Safeguards (420 safeguards)
• S 1 - Infrastructure (45 safeguards)
• S 2 - Organisation (153 safeguards)
• S 3 - Personnel (22 safeguards)
• S 4 - Hardware & Software (83 safeguards)
• S 5 - Communications (62 safeguards)
• S 6 - Contingency Planning (55 safeguards)

BSI - S 1 - Infrastructure (45 safeguards)
• S 1.7 Hand-held fire extinguishers
• S 1.10 Use of safety doors
• S 1.17 Entrance control service
• S 1.18 Intruder and fire detection devices
• S 1.27 Air conditioning
• S 1.28 Local uninterruptible power supply [UPS]
• S 1.36 Safekeeping of data carriers before and after dispatch

BSI - Security Threats (209 threats)
• T 1 - Force Majeure (10 threats)
• T 2 - Organisational Shortcomings (58 threats)
• T 3 - Human Errors (31 threats)
• T 4 - Technical Failure (32 threats)
• T 5 - Deliberate acts (78 threats)

BSI - T 3 - Human Errors (31 threats)
• T 3.1 Loss of data confidentiality/integrity as a result of IT user error
• T 3.3 Non-compliance with IT security measures
• T 3.6 Threat posed by cleaning staff or outside staff
• T 3.9 Incorrect management of the IT system
• T 3.12 Loss of storage media during transfer
• T 3.16 Incorrect administration of site and data access rights
• T 3.24 Inadvertent manipulation of data
• T 3.25 Negligent deletion of objects

BSI - Summary
• Main use: Security concepts & manuals
• No evaluation methodology described
• Developed by German BSI (GISA)
• Updated version released each year
• Lists 209 threats & 420 security measures
• 34 modules cover generic & platform specific security requirements

BSI - Summary
• User friendly with a lot of security details
• Not suitable for security risk analysis
• Results of security coverage not shown in graphic form
• Manual in HTML format on BSI web server
• Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
• Paper copy of manual: DM 118.--
• Software 'BSI Tool' (only in German): DM 515.--

ITSEC, Common Criteria
• ITSEC: IT Security Evaluation Criteria
• Developed by UK, Germany, France, Netherlands and based primarily on USA TCSEC (Orange Book)
• Releases
    • ITSEC: 1991
    • ITSEM: 1993 (IT Security Evaluation Manual)
    • UK IT Security Evaluation & Certification scheme: 1994

ITSEC, Common Criteria
• Common Criteria (CC)
• Developed by USA, EC: based on ITSEC
• ISO International Standard
• Releases
    • CC 1.0: 1996
    • CC 2.0: 1998
    • ISO IS 15408: 1999

ITSEC - Methodology
• Based on systematic, documented approach for security evaluations of systems & products
• Open ended with regard to defined set of security objectives
    • ITSEC Functionality classes; e.g. FC-C2
    • CC protection profiles
• Evaluation steps:
    • Definition of functionality
    • Assurance: confidence in functionality

ITSEC - Functionality
• Security objectives (Why)
    • Risk analysis (Threats, Countermeasures)
    • Security policy
• Security enforcing functions (What)
    • technical & non-technical
• Security mechanisms (How)
• Evaluation levels

ITSEC - Assurance
• Goal: Confidence in functions & mechanisms
• Correctness
    • Construction (development process & environment)
    • Operation (process & environment)
• Effectiveness
    • Suitability analysis
    • Strength of mechanism analysis
    • Vulnerabilities (construction & operation)

CC - Security Concept

CC - Evaluation Goal

CC - Documentation
CC Part 1: Introduction and Model
• Introduction to Approach
• Terms and Model
• Requirements for Protection Profiles (PP) and Security Targets (ST)
CC Part 2: Functional Requirements
• Functional Classes
• Functional Families
• Functional Components
• Detailed Requirements
CC Part 3: Assurance Requirements
• Assurance Classes
• Assurance Families
• Assurance Components
• Detailed Requirements
• Evaluation Assurance Levels (EAL)

CC - Security Requirements
Functional Requirements
• for defining security behavior of the IT product or system:
    • implemented requirements become security functions
Assurance Requirements
• for establishing confidence in Security Functions:
    • correctness of implementation
    • effectiveness in satisfying objectives

CC - Security Functional Classes
Class   Name
FAU     Audit
FCO     Communications
FCS     Cryptographic Support
FDP     User Data Protection
FIA     Identification & Authentication
FMT     Security Management
FPR     Privacy
FPT     Protection of TOE Security Functions
FRU     Resource Utilization
FTA     TOE (Target Of Evaluation) Access
FTP     Trusted Path / Channels

CC - Security Assurance Classes
Class   Name
ACM     Configuration Management
ADO     Delivery & Operation
ADV     Development
AGD     Guidance Documents
ALC     Life Cycle Support
ATE     Tests
AVA     Vulnerability Assessment
APE     Protection Profile Evaluation
ASE     Security Target Evaluation
AMA     Maintenance of Assurance

CC - Eval. Assurance Levels (EALs)
EAL     Name                                       *TCSEC
EAL1    Functionally Tested                        -
EAL2    Structurally Tested                        C1
EAL3    Methodically Tested & Checked              C2
EAL4    Methodically Designed, Tested & Reviewed   B1
EAL5    Semiformally Designed & Tested             B2
EAL6    Semiformally Verified Design & Tested      B3
EAL7    Formally Verified Design & Tested          A1
*TCSEC = "Trusted Computer Security Evaluation Criteria" ("Orange Book")

ITSEC, CC - Summary
• Used primarily for security evaluations and not for generalized IT audits
• Defines evaluation methodology
• Based on International Standard (ISO 15408)
• Certification scheme in place
• Updated & enhanced on a yearly basis
• Includes extensible standard sets of security requirements (Protection Profile libraries)

Comparison of Methods - Criteria
• Standardisation
• Independence
• Certifiability
• Applicability in practice
• Adaptability

Comparison of Methods - Criteria
• Extent of Scope
• Presentation of Results
• Efficiency
• Update frequency
• Ease of Use

Comparison of Methods - Results
Criterion                   CobiT   BS 7799   BSI
Standardisation             3.4     3.3       3.1
Independence                3.3     3.6       3.5
Certifiability              2.7     3.3       3.0
Applicability in practice   2.8     3.0       3.1
Adaptability                3.3     2.8       3.3
Extent of Scope             3.1     2.9       2.7
Presentation of Results     1.9     2.2       2.6
Efficiency                  3.0     2.8       3.0
Update frequency            3.1     2.4       3.4
Ease of Use                 2.3     2.7       2.8
ITSEC/CC (values as listed): 3.9, 3.7, 2.5, 3.0, 2.6, 1.7, 2.5, 2.8, 2.0
Scores between 1 (low) and 4 (high). Scores for CobiT, BS 7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H. P. Winiger.

CobiT - Assessment

BS 7799 - Assessment

BSI - Assessment

ITSEC/CC - Assessment

Use of Methods for IT Audits
• CobiT: Audit method for all IT processes
• ITSEC, CC: Systematic approach for evaluations
• BS 7799, BSI: List of detailed security measures to be used as best practice documentation
• What is needed in addition:
    • Audit concept (general aspects, infrastructure audits, application audits)
    • Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)

Thank you very much for your interest in IT Audit Methodologies