Information Systems Audit Overview and Methodologies

By Juma Tom V, Lecturer

Agenda

- CobiT
- BS 7799 - Code of Practice (CoP)
- BSI - IT Baseline Protection Manual
- ITSEC
- Common Criteria (CC)

IT Audit Methodologies - URLs

- CobiT: www.isaca.org
- BS7799: www.bsi.org.uk/disc/
- BSI: www.bsi.bund.de/gshb/english/menue.htm
- ITSEC: www.itsec.gov.uk
- CC: csrc.nist.gov/cc/

Main Areas of Use

- IT Audits
- Risk Analysis
- Health Checks (Security Benchmarking)
- Security Concepts
- Security Manuals / Handbooks

Security Definition

- Confidentiality
- Integrity (correctness, completeness)
- Availability
- Non-repudiation

CobiT

Governance, Control & Audit for IT, developed by ISACA.

Releases:
- CobiT 1 (1996): 32 processes, 271 control objectives
- CobiT 2 (1998): 34 processes, 302 control objectives

CobiT - Model for IT Governance

Control models used as basis:
- Business control models (e.g. COSO)
- IT control models (e.g. the DTI's CoP)

The CobiT control model covers:
- Security: Confidentiality, Integrity, Availability
- Fiduciary: Effectiveness, Efficiency, Compliance, Reliability of Information
- IT Resources: Data, Application Systems, Technology, Facilities, People

CobiT - Framework / Structure

4 domains, 34 processes (high-level control objectives):
- PO - Planning & Organisation: 11 processes
- AI - Acquisition & Implementation: 6 processes
- DS - Delivery & Support: 13 processes
- M - Monitoring: 4 processes

PO - Planning and Organisation

PO 1  Define a Strategic IT Plan
PO 2  Define the Information Architecture
PO 3  Determine the Technological Direction
PO 4  Define the IT Organisation and Relationships
PO 5  Manage the IT Investment
PO 6  Communicate Management Aims and Direction
PO 7  Manage Human Resources
PO 8  Ensure Compliance with External Requirements
PO 9  Assess Risks
PO 10 Manage Projects
PO 11 Manage Quality

AI - Acquisition and Implementation

AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes

DS - Delivery and Support

DS 1  Define Service Levels
DS 2  Manage Third-Party Services
DS 3  Manage Performance and Capacity
DS 4  Ensure Continuous Service
DS 5  Ensure Systems Security
DS 6  Identify and Attribute Costs
DS 7  Educate and Train Users
DS 8  Assist and Advise IT Customers
DS 9  Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations

M - Monitoring

M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit

CobiT - IT Process Matrix

Each of the 34 IT processes is mapped against two axes:
- Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT Resources: People, Applications, Technology, Facilities, Data

CobiT - Summary

- Mainly used for IT audits, incl. security aspects
- No detailed evaluation methodology described
- Developed by an international organisation (ISACA)
- Up-to-date: Version 2 released in 1998
- Only high-level control objectives described; detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown in graphic form
- May be used for self assessments
- Useful aid in implementing IT control systems
- No suitable basis to write security handbooks
- 3 parts freely downloadable from the ISACA site
- CobiT Advisor 2nd edition:

BS 7799 - CoP

Code of Practice for Information Security Management, developed by the UK DTI; published by BSI as a British Standard.

Releases:
- CoP: 1993
- BS 7799 Part 1: 1995
- BS 7799 Part 2: 1998

Certification & Accreditation scheme: c:cure

BS 7799 - Security Baseline Controls

- 10 control categories
- 32 control groups
- 109 security controls
- 10 security key controls

BS 7799 - Control Categories

- Information security policy
- Security organisation
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management
- System access control
- Systems development & maintenance
- Business continuity planning
- Compliance

BS7799 - 10 Key Controls

- Information security policy document
- Allocation of information security responsibilities
- Information security education and training
- Reporting of security incidents
- Virus controls
- Business continuity planning process
- Control of proprietary software copying
- Safeguarding of organizational records
- Data protection
- Compliance with security policy

BS7799 - Summary

- Main use: Security Concepts & Health Checks
- No evaluation methodology described
- British Standard, developed by the UK DTI
- Certification scheme in place (c:cure)
- BS7799 Part 1 (1995) is being revised in 1999
- Lists 109 ready-to-use security controls
- No detailed security measures described
- Very user friendly - easy to learn
- Evaluation results not shown in graphic form
- May be used for self assessments

Sources:
- BS7799, Part 1:
- BS7799, Part 2:
- BSI electronic book of Part 1:
- Several BS7799 c:cure publications from BSI
- CoP-iT software from SMH, UK:

BSI (Bundesamt für Sicherheit in der Informationstechnik)

IT Baseline Protection Manual (IT-Grundschutzhandbuch), developed by the German BSI (GISA: German Information Security Agency).

Releases:
- IT security manual: 1992
- IT baseline protection manual: 1995
- New versions (paper and CD-ROM): each year

BSI - Approach

- Used to determine IT security measures for medium-level protection requirements
- Straightforward approach, since no detailed risk analysis is performed
- Based on generic & platform-specific security requirements, detailed protection measures are assembled from the given building blocks (modules)
- The list of assembled security measures may be used to establish or enhance baseline protection

BSI - Structure

- IT security measures: 7 areas, 34 modules (building blocks)
- Safeguards catalogue: 6 categories of security measures
- Threats catalogue: 5 categories of threats

BSI - Security Measures (Modules)

Protection for:
- Generic components
- Infrastructure
- Non-networked systems
- LANs
- Data transfer systems
- Telecommunications
- Other IT components

BSI - Generic Components

3.1 Organisation
3.2 Personnel
3.3 Contingency Planning
3.4 Data Protection

BSI - Infrastructure

4.1   Buildings
4.2   Cabling
4.3   Rooms
4.3.1 Office
4.3.2 Server Room
4.3.3 Storage Media Archives
4.3.4 Technical Infrastructure Room
4.4   Protective cabinets
4.5   Home working place

BSI - Non-Networked Systems

5.1  DOS PC (Single User)
5.2  UNIX System
5.3  Laptop
5.4  DOS PC (multiuser)
5.5  Non-networked Windows NT computer
5.6  PC with Windows 95
5.99 Stand-alone IT systems

BSI - LANs

6.1 Server-Based Network
6.2 Networked Unix Systems
6.3 Peer-to-Peer Network
6.4 Windows NT network
6.5 Novell Netware 3.x
6.6 Novell Netware version 4.x
6.7 Heterogeneous networks

BSI - Data Transfer Systems

7.1 Data Carrier Exchange
7.2 Modem
7.3 Firewall
7.4 E-mail

BSI - Telecommunications

8.1 Telecommunication system
8.2 Fax Machine
8.3 Telephone Answering Machine
8.4 LAN integration of an IT system via ISDN

BSI - Other IT Components

9.1 Standard Software
9.2 Databases
9.3 Telecommuting

BSI - Module Data Protection (3.4)

Threats - Technical failure:
- T 4.13 Loss of stored data

Security Measures - Contingency planning:
- S 6.36 Stipulating a minimum data protection concept
- S 6.37 Documenting data protection procedures
- S 6.33 Development of a data protection concept (optional)
- S 6.34 Determining the factors influencing data protection (optional)
- S 6.35 Stipulating data protection procedures (optional)
- S 6.41 Training data reconstruction

Security Measures - Organisation:
- S 2.41 Employees' commitment to data protection
- S 2.137 Procurement of a suitable data backup system

BSI - Safeguards (420 safeguards)

S1 - Infrastructure (45 safeguards)
S2 - Organisation (153 safeguards)
S3 - Personnel (22 safeguards)
S4 - Hardware & Software (83 safeguards)
S5 - Communications (62 safeguards)
S6 - Contingency Planning (55 safeguards)

BSI - S1 Infrastructure (45 safeguards), examples:

S 1.7  Hand-held fire extinguishers
S 1.10 Use of safety doors
S 1.17 Entrance control service
S 1.18 Intruder and fire detection devices
S 1.27 Air conditioning
S 1.28 Local uninterruptible power supply [UPS]
S 1.36 Safekeeping of data carriers before and after dispatch

BSI - Security Threats (209 threats)

T1 - Force Majeure (10 threats)
T2 - Organisational Shortcomings (58 threats)
T3 - Human Errors (31 threats)
T4 - Technical Failure (32 threats)
T5 - Deliberate Acts (78 threats)

BSI - T3 Human Errors (31 threats), examples:

T 3.1  Loss of data confidentiality/integrity as a result of IT user error
T 3.3  Non-compliance with IT security measures
T 3.6  Threat posed by cleaning staff or outside staff
T 3.9  Incorrect management of the IT system
T 3.12 Loss of storage media during transfer
T 3.16 Incorrect administration of site and data access rights
T 3.24 Inadvertent manipulation of data
T 3.25 Negligent deletion of objects

BSI - Summary

- Main use: Security concepts & manuals
- No evaluation methodology described
- Developed by the German BSI (GISA)
- Updated version released each year
- Lists 209 threats & 420 security measures
- 34 modules cover generic & platform-specific security requirements
- User friendly, with a lot of security details
- Not suitable for security risk analysis
- Results of security coverage not shown in graphic form
- Manual in HTML format on the BSI web server
- Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
- Paper copy of manual: DM 118.-
- Software BSI Tool (only in German): DM 515.-

ITSEC, Common Criteria

ITSEC: IT Security Evaluation Criteria, developed by the UK, Germany, France and the Netherlands, based primarily on the USA TCSEC (Orange Book).

Releases:
- ITSEC: 1991
- ITSEM: 1993 (IT Security Evaluation Manual)
- UK IT Security Evaluation & Certification scheme: 1994

ITSEC, Common Criteria (cont.)

Common Criteria (CC): developed jointly by the USA, Canada and the European ITSEC nations, harmonising ITSEC, TCSEC and the Canadian CTCPEC; adopted as an ISO International Standard.

Releases:
- CC 1.0: 1996
- CC 2.0: 1998
- ISO IS 15408: 1999

ITSEC - Methodology

- Based on a systematic, documented approach for security evaluations of systems & products
- Open-ended with regard to the set of security objectives; predefined sets exist: ITSEC functionality classes (e.g. F-C2) and CC protection profiles
- Evaluation steps: definition of functionality, then assurance (confidence in that functionality)

ITSEC - Functionality

- Security objectives (Why): risk analysis (threats, countermeasures), security policy
- Security enforcing functions (What): technical & non-technical
- Security mechanisms (How)
- Evaluation levels

ITSEC - Assurance

Goal: confidence in functions & mechanisms

- Correctness: construction (development process & environment); operation (process & environment)
- Effectiveness: suitability analysis; strength of mechanism analysis; vulnerabilities (construction & operation)

CC - Security Concept

CC - Evaluation Goal

CC - Documentation

CC Part 1 - Introduction and Model
* Introduction to Approach
* Terms and Model
* Requirements for Protection Profiles (PP) and Security Targets (ST)

CC Part 2 - Functional Requirements
* Functional Classes
* Functional Families
* Functional Components
* Detailed Requirements

CC Part 3 - Assurance Requirements
* Assurance Classes
* Assurance Families
* Assurance Components
* Detailed Requirements
* Evaluation Assurance Levels (EAL)

CC - Security Requirements

Functional Requirements
- for defining the security behaviour of the IT product or system; implemented requirements become security functions

Assurance Requirements
- for establishing confidence in the security functions: correctness of implementation, effectiveness in satisfying the objectives

CC - Security Functional Classes

Class  Name
FAU    Audit
FCO    Communications
FCS    Cryptographic Support
FDP    User Data Protection
FIA    Identification & Authentication
FMT    Security Management
FPR    Privacy
FPT    Protection of TOE Security Functions
FRU    Resource Utilization
FTA    TOE (Target Of Evaluation) Access
FTP    Trusted Path / Channels

CC - Security Assurance Classes

Class  Name
ACM    Configuration Management
ADO    Delivery & Operation
ADV    Development
AGD    Guidance Documents
ALC    Life Cycle Support
ATE    Tests
AVA    Vulnerability Assessment
APE    Protection Profile Evaluation
ASE    Security Target Evaluation
AMA    Maintenance of Assurance

CC - Evaluation Assurance Levels (EALs)

EAL   Name                                      TCSEC* (approx.)
EAL1  Functionally Tested                       -
EAL2  Structurally Tested                       C1
EAL3  Methodically Tested & Checked             C2
EAL4  Methodically Designed, Tested & Reviewed  B1
EAL5  Semiformally Designed & Tested            B2
EAL6  Semiformally Verified Design & Tested     B3
EAL7  Formally Verified Design & Tested         A1

*TCSEC = Trusted Computer System Evaluation Criteria (Orange Book). The mapping is approximate; EAL1 has no TCSEC counterpart.

ITSEC, CC - Summary

- Used primarily for security evaluations, not for generalised IT audits
- Defines an evaluation methodology
- Based on an International Standard (ISO 15408)
- Certification scheme in place
- Updated & enhanced on a yearly basis
- Includes extensible standard sets of security requirements (Protection Profile libraries)
- Allows the confidence level in planned or implemented security to be determined
- Evaluation results not shown in graphic form
- Not very user friendly - learning curve!
- Detailed documentation in electronic PDF format freely available on the web server

Comparison of Methods - Criteria

- Standardisation
- Independence
- Certifiability
- Applicability in practice
- Adaptability
- Extent of Scope
- Presentation of Results
- Efficiency
- Update frequency
- Ease of Use

Comparison of Methods - Results

Criterion                  CobiT  BS 7799  BSI  ITSEC/CC
Standardisation             3.4    3.3     3.1    3.9
Independence                3.3    3.6     3.5    3.9
Certifiability              2.7    3.3     3.0    3.7
Applicability in practice   2.8    3.0     3.1    2.5
Adaptability                3.3    2.8     3.3    3.0
Extent of Scope             3.1    2.9     2.7    2.6
Presentation of Results     1.9    2.2     2.6    1.7
Efficiency                  3.0    2.8     3.0    2.5
Update frequency            3.1    2.4     3.4    2.8
Ease of Use                 2.3    2.7     2.8    2.0

Scores between 1 (low) and 4 (high). Scores for CobiT, BS7799 and BSI from the ISACA Swiss chapter; scores for ITSEC/CC from H.P. Winiger.

CobiT - Assessment

BS 7799 - Assessment

BSI - Assessment

ITSEC/CC - Assessment

Use of Methods for IT Audits

- CobiT: audit method for all IT processes
- ITSEC, CC: systematic approach for evaluations
- BS7799, BSI: list of detailed security measures, to be used as best-practice documentation

What is needed in addition:
- Audit concept (general aspects, infrastructure audits, application audits)
- Detailed audit plans, checklists and tools for technical audits (operating systems, LANs, etc.)