IT Audit Methodologies
CobiT
BS 7799 - Code of Practice (CoP)
BSI - IT Baseline Protection Manual
ITSEC
Common Criteria (CC)
Security Definition
Confidentiality
Integrity
Correctness
Completeness
Availability
CobiT
Governance, Control & Audit for IT
Developed by ISACA
Releases
CobiT 1: 1996
32 Processes
271 Control Objectives
CobiT 2: 1998
34 Processes
302 Control Objectives
CobiT - Framework
CobiT - Structure
4 Domains
PO - Planning & Organisation
11 processes (high-level control objectives)
AI - Acquisition & Implementation
6 processes (high-level control objectives)
DS - Delivery & Support
13 processes (high-level control objectives)
M - Monitoring
4 processes (high-level control objectives)
M - Monitoring
M1 Monitor the Processes
M2 Assess Internal Control Adequacy
M3 Obtain Independent Assurance
M4 Provide for Independent Audit
CobiT framework cube (figure): information criteria (Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) by IT resources (Applications, Technology, Facilities, Data) by IT Processes
CobiT - Summary
Mainly used for IT audits, incl. security aspects
No detailed evaluation methodology described
Developed by international organisation (ISACA)
Up-to-date: Version 2 released in 1998
Only high-level control objectives described
Detailed IT control measures are not documented
Not very user friendly - learning curve!
Evaluation results not shown in graphic form
May be used for self assessments
Useful aid in implementing IT control systems
No suitable basis to write security handbooks
CobiT package from ISACA: $ 100.--
3 parts freely downloadable from ISACA site
Software available from Methodware Ltd., NZ (www.methodware.co.nz)
CobiT Advisor 2nd edition: US$ 600.--
BS 7799 - CoP
Code of Practice for Information Security Management
Developed by UK DTI, BSI: British Standard
Releases
CoP: 1993
BS 7799: Part 1: 1995
BS 7799: Part 2: 1998
Certification & Accreditation scheme (c:cure)
BS7799 - Summary
Main use: Security Concepts & Health Checks
No evaluation methodology described
British Standard, developed by UK DTI
Certification scheme in place (c:cure)
BS7799, Part 1, 1995 is being revised in 1999
Lists 109 ready-to-use security controls
No detailed security measures described
Very user friendly - easy to learn
Evaluation results not shown in graphic form
May be used for self assessments
BS7799, Part 1: £ 94.--
BS7799, Part 2: £ 36.--
BSI Electronic book of Part 1: £ 190.-- + VAT
Several BS7799 c:cure publications from BSI
CoP-iT software from SMH, UK: £349+VAT (www.smhplc.com)
BSI - Approach
Used to determine IT security measures for medium-level protection requirements
Straightforward approach, since no detailed risk analysis is performed
Based on generic & platform-specific security requirements, detailed protection measures are constructed from given building blocks (modules)
The list of assembled security measures may be used to establish or enhance baseline protection
BSI - Structure
IT security measures
7 areas
34 modules (building blocks)
Safeguards catalogue
6 categories of security measures
Threats catalogue
5 categories of threats
BSI - Infrastructure
4.1 Buildings
4.2 Cabling
4.3 Rooms
4.3.1 Office
4.3.2 Server Room
4.3.3 Storage Media Archives
4.3.4 Technical Infrastructure Room
4.4 Protective cabinets
4.5 Home working place
BSI - LANs
6.1 Server-Based Network
6.2 Networked Unix Systems
6.3 Peer-to-Peer Network
6.4 Windows NT network
6.5 Novell Netware 3.x
6.6 Novell Netware version 4.x
6.7 Heterogeneous networks
BSI - Telecommunications
8.1 Telecommunication system
8.2 Fax Machine
8.3 Telephone Answering Machine
8.4 LAN integration of an IT system via ISDN
BSI - Summary
Main use: Security concepts & manuals
No evaluation methodology described
Developed by German BSI (GISA)
Updated version released each year
Lists 209 threats & 420 security measures
34 modules cover generic & platform specific security requirements
User friendly with a lot of security details
Not suitable for security risk analysis
Results of security coverage not shown in graphic form
Manual in HTML format on BSI web server
Manual in Winword format on CD-ROM
(first CD free, additional CDs cost DM 50.-- each)
ITSEC - Methodology
Based on a systematic, documented approach for security evaluations of systems & products
Open ended with regard to defined set of security objectives
ITSEC Functionality classes; e.g. FC-C2
CC protection profiles
Evaluation steps:
Definition of functionality
Assurance: confidence in functionality
ITSEC - Functionality
Security objectives (Why)
Risk analysis (Threats, Countermeasures)
Security policy
Security enforcing functions (What)
technical & non-technical
Security mechanisms (How)
Evaluation levels
ITSEC - Assurance
Goal: Confidence in functions & mechanisms
Correctness
Construction (development process & environment)
Operation (process & environment)
Effectiveness
Suitability analysis
Strength of mechanism analysis
Vulnerabilities (construction & operation)
CC - Security Concept
CC - Evaluation Goal
CC - Documentation
CC Part 1: Introduction and Model
Introduction to Approach
Terms and Model
Requirements for Protection Profiles (PP) and Security Targets (ST)
CC Part 2: Functional Requirements
Functional Classes
Functional Families
Functional Components
Detailed Requirements
CC Part 3: Assurance Requirements
Assurance Classes
Assurance Families
Assurance Components
Evaluation Assurance Levels (EAL)
Detailed Requirements
CC - Security Requirements
ITSEC, CC - Summary
Used primarily for security evaluations and not for generalized IT audits
Defines evaluation methodology
Based on International Standard (ISO 15408)
Certification scheme in place
Updated & enhanced on a yearly basis
Includes extensible standard sets of security requirements (Protection Profile libraries)
CobiT - Assessment
BS 7799 - Assessment
BSI - Assessment
ITSEC/CC - Assessment