IT Audit Methodologies
CobiT
BS 7799 - Code of Practice (CoP)
BSI - IT Baseline Protection Manual
ITSEC
Common Criteria (CC)
CobiT: www.isaca.org
BSI: www.bsi.bund.de/gshb/english/menue.htm
CC: csrc.nist.gov/cc/
Security Definition
Confidentiality
Integrity (Correctness, Completeness)
Availability
CobiT
CobiT 1: 1996 - 32 Processes, 271 Control Objectives
CobiT 2: 1998 - 34 Processes, 302 Control Objectives
Business control models (e.g. COSO)
IT control models (e.g. DTI's CoP)
CobiT - Framework
CobiT - Structure
4 Domains:
PO - Planning and Organisation
AI - Acquisition and Implementation
DS - Delivery and Support
M - Monitoring
PO - Planning and Organisation
PO 1 Define a Strategic IT Plan
PO 2 Define the Information Architecture
PO 3 Determine the Technological Direction
PO 4 Define the IT Organisation and Relationships
PO 5 to PO 11
AI - Acquisition and Implementation
AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5, AI 6
DS - Delivery and Support
DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations
M - Monitoring
M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit
IT Processes
CobiT - Summary
Mainly used for IT audits, incl. security aspects
No detailed evaluation methodology described
Developed by an international organisation (ISACA)
Up-to-date: Version 2 released in 1998
May be used for self-assessments
Useful aid in implementing IT control systems
No suitable basis for writing security handbooks
CobiT package from ISACA: US$ 100.-- / US$ 600.--
BS 7799 - CoP
Code of Practice for Information Security Management
Developed by UK DTI; BSI: British Standard
Releases:
CoP: 1993
10 control categories
32 control groups
109 security controls
10 security key controls
Control categories:
Information security policy
Security organisation
Assets classification & control
Personnel security
System access control
Systems development & maintenance
Business continuity planning
Compliance
Security key controls:
Information security policy document
Allocation of information security responsibilities
Information security education and training
Reporting of security incidents
Virus controls
Business continuity planning process
Control of proprietary software copying
Safeguarding of organizational records
Data protection
BS7799 - Summary
Main use: Security concepts & health checks
No evaluation methodology described
British Standard, developed by UK DTI
Certification scheme in place (c:cure)
Evaluation results not shown in graphic form
May be used for self-assessments
BS7799, Part 1: 94.--
BS7799, Part 2: 36.--
190.-- + VAT
Several BS7799 c:cure publications from BSI
CoP-iT software from SMH, UK: 349 + VAT (www.smhplc.com)
IT security manual:
BSI - Approach
Used to determine IT security measures for medium-level protection requirements
Straightforward approach, since no detailed risk analysis is performed
Detailed protection measures are constructed from given building blocks, based on generic and platform-specific security requirements
The list of assembled security measures may be used to establish or enhance baseline protection
BSI - Structure
IT security measures
Safeguards catalogue
Threats catalogue
BSI - Infrastructure
4.3.2 Server Room
4.3.3 Storage Media Archives
4.3.4 Technical Infrastructure Room
4.4 Protective cabinets
4.5 Home working place
5.5, 5.6, 5.99
BSI - LANs
6.5, 6.6, 6.7
BSI - Telecommunications
Telecommunication system
Fax Machine
Telephone Answering Machine
LAN integration of an IT system via ISDN
Threat - Technical failure: Loss of stored data
Safeguards - Contingency planning (in the manual's English translation, "data protection" here means data backup, not privacy):
Stipulating a minimum data protection concept
Documenting data protection procedures
Development of a data protection concept (optional)
Determining the factors influencing data protection (optional)
Stipulating data protection procedures (optional)
Training data reconstruction
Safeguards - Organisation:
Employees' commitment to data protection
Procurement of a suitable data backup system
Safeguards catalogue:
S5 - Communications (62 safeguards)
S6 - Contingency Planning (55 safeguards)
Infrastructure safeguards (S 1.x), examples:
Hand-held fire extinguishers
Use of safety doors
Entrance control service
Intruder and fire detection devices
S 1.27 Air conditioning
S 1.28 Local uninterruptible power supply [UPS]
S 1.36 Safekeeping of data carriers before and after dispatch
Threats catalogue (31 threats), examples:
Loss of data confidentiality/integrity as a result of IT user error
Non-compliance with IT security measures
Threat posed by cleaning staff or outside staff
Incorrect management of the IT system
T 3.12, T 3.16, T 3.24, T 3.25
BSI - Summary
Main use: Security concepts & manuals
No evaluation methodology described
Developed by German BSI (GISA)
Updated version released each year
User-friendly, with a lot of security details
Not suitable for security risk analysis
Results of security coverage not shown in graphic form
Manual in HTML format on BSI web server
ITSEC: IT Security Evaluation Criteria
Developed by UK, Germany, France, Netherlands, and based primarily on USA TCSEC (Orange Book)
Releases:
ITSEC: 1991
ITSEM: 1993 (IT Security Evaluation Manual)
UK IT Security Evaluation & Certification scheme: 1994
Common Criteria (CC)
Developed by USA, EC; based on ITSEC
ISO International Standard
Releases:
CC 1.0: 1996
CC 2.0: 1998
ISO IS 15408: 1999
ITSEC - Methodology
Based on a systematic, documented approach for security evaluations of systems & products
Open-ended with regard to the defined set of security objectives (CC: protection profiles)
Definition of functionality
Assurance: confidence in functionality
Evaluation steps:
ITSEC - Functionality
ITSEC - Assurance
Correctness: Construction (development process & environment), Operation (process & environment)
Effectiveness: Suitability analysis, Strength of mechanism analysis, Vulnerabilities (construction & operation)
CC - Security Concept
CC - Evaluation Goal
CC - Documentation
CC Part 1: Introduction and Model - Introduction to Approach
CC Part 2: Functional Requirements - Functional Classes, Functional Families, Functional Components; Detailed Requirements
CC Part 3: Assurance Requirements - Assurance Classes, Assurance Families, Assurance Components; Detailed Requirements; Evaluation Assurance Levels (EAL)
CC - Security Requirements
Functional Requirements: for defining the security behaviour of the TOE
Assurance Requirements: for establishing confidence in the security functions
CC - Functional Classes
Audit
Communications
Cryptographic Support
User Data Protection
Identification & Authentication
Security Management
Privacy
Protection of TOE Security Functions
Resource Utilization
TOE Access (TOE: Target Of Evaluation)
Trusted Path / Channels
CC - Assurance Classes
Configuration Management
Delivery & Operation
Development
Guidance Documents
Life Cycle Support
Tests
Vulnerability Assessment
Protection Profile Evaluation
Security Target Evaluation
Maintenance of Assurance
CC - Evaluation Assurance Levels (EAL), with the TCSEC* class of roughly comparable assurance
EAL1 Functionally Tested
EAL2 Structurally Tested (C1)
EAL3 Methodically Tested & Checked (C2)
EAL4 Methodically Designed, Tested & Reviewed (B1)
EAL5 Semiformally Designed & Tested (B2)
EAL6 Semiformally Verified Design & Tested (B3)
EAL7 Formally Verified Design & Tested (A1)
*TCSEC: C1 C2 B1 B2 B3 A1
ITSEC, CC - Summary
Used primarily for security evaluations and not for generalised IT audits
Defines an evaluation methodology
Based on International Standard (ISO 15408)
Certification scheme in place
Assessment (criteria include Adaptability and Ease of Use; scores between 1 (low) and 4 (high))
BSI: 3.1 3.5 3.0 3.1 3.3 2.7 2.6 3.0 3.4 2.8
ITSEC/CC: 3.9 3.9 3.7 2.5 3.0 2.6 1.7 2.5 2.8 2.0
Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger
CobiT - Assessment
BS 7799 - Assessment
BSI - Assessment
ITSEC/CC - Assessment
CobiT: Audit method for all IT processes
ITSEC, CC: Systematic approach for evaluations
BS7799, BSI: List of detailed security measures to be used as best-practice documentation
What is needed in addition:
Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)