SAMPLE - Information Technology Internal Security Audit
Phase 1
- Definitions
- Business Plan – Policy (Security) Audit
- Business Plan – Standards (Security) Audit
- Policy – Standards (Security) Audit
- Infrastructure – Standards/Data (Security) Audit
- Guidelines – Data (Security) Audit
- Users/Clients – Data (Security) Audit
- Recommended Course of Action
Definitions
The definition of Information Security applied in this audit is the standard definition:
- Confidentiality – Ensuring that information is not accessed by unauthorized persons
- Integrity – Ensuring that information is not altered by unauthorized persons in a way that is not detectable by authorized users
- Authentication – Ensuring that users are the persons they claim to be
Degree of Risk
Where estimates of the actual probabilities of the threats are unavailable, there are three degrees of risk probability:
- Low – Only actual intent to incur the risk AND active measures to compromise the security system would cause a security violation. The security systems in question conform to industry standards AND during their normal function would not allow the security violation, NOR would regular user activity cause security to be compromised. The remedy for a low probability of risk does not fall within the purview of this organization.
- Medium – Although the system in place would allow a security violation, the regular use of that system would NOT. Security is compromised ONLY if the user deviates from regular procedures for that system. The remedy for a medium probability of risk is to apply the appropriate security measures to the SYSTEM. Alternatively, the cost of the risk can be transferred to the actual violators of the procedure.
- High – The system does not prevent security from being compromised AND the user, during the regular course of activity, can allow security to be compromised. Past history indicates the violation has happened before. The remedy for a high probability of risk is to put in place the appropriate security measures as well as define the terms of proper use, so as not to expose the system to the vulnerability.
Three concepts that require definition for a threat risk assessment are:
1) Asset: A resource, process, or system that has value to the organization.
2) Threat: Any circumstance or event that has an adverse impact on that asset.
3) Vulnerability: The likelihood of that asset being compromised by that particular threat.
Risk to an Asset from that Threat is defined as the product of the value of the Asset and the Vulnerability.
The impact of the compromise is consistent with XYZ's existing Information Management policy.
Definition of Impact Terms
| Term | Impact |
| --- | --- |
| Low | Will have little or no impact on the critical functions and services of the Society. |
| Moderate | May impact some of the critical functions and services of the Society. The Society can continue to function in a reduced capacity. |
| High | Will have severe impact on the critical functions and services of the Society. The Society will not continue functioning unless the business resumption plan is implemented. |
Finally, risk has been categorized into three areas:
1) Operational – services as defined by the business plan may be compromised
2) Financial – there will be a financial impact
3) Legal – there is a risk of either not meeting legal obligations or breaking the law
Business Plan – Policy (Security) Audit
In the absence of a business plan, a security audit of the policy is not possible. Only an audit of the policy was performed.
The purpose of the policy document is to:
1. Define how the goals defined by the business plan will be met
   - Which business objects, i.e. data systems, infrastructure systems
2. Define how the principles espoused by the organization will be imposed
3. Define which business unit is responsible for using the objects to meet the business goals
The policy defines seven data system standards:
1. Collective Bargaining System (CBS)
2. DocuShare
3. Finance Information System
4. Finance Information System – Disability Benefits Plan (DBP)
5. Human Resources Information System
6. Payroll Information System
7. STATIS
IT Audit Constraints
- Define the system
  i. Technology, scope, lifecycle, requirements
- Define the purpose of the system
- Define which Business Unit is the owner of the system
| Information System | Documented | System | Purpose | Business Unit |
| --- | --- | --- | --- | --- |
| Collective Bargaining System (CBS) | Yes | Undefined | Defined | Defined |
| DocuShare | Yes | Undefined | Defined | Defined |
| Finance Information System | Yes | Undefined | Defined | Defined |
| Finance Information System – Disability Benefits Plan (DBP) | Yes | Undefined | Defined | Defined |
| Human Resources Information System | Yes | Defined | Defined | Defined |
| Payroll Information System | Yes | Defined | Defined | Defined |
| STATIS | Yes | Defined | Defined | Defined |
| Database Management Systems | No | Undefined/Unaddressed | Undefined/Unaddressed | Undefined/Unaddressed |
| Telephone Systems | Yes | Undefined | Defined | Defined |
| Mail Systems | Yes | Defined | Defined | Defined |
| Internet Access | Yes | Defined | Defined | Defined |
| FlowPort | Yes | Undefined | Defined | Defined |
| CAFT | Yes | Undefined | Defined | Defined |
| INSYNC | Yes | Undefined | Defined | Defined |
| Web Survey | Yes | Undefined | Defined | Defined |
| Website | Yes | Undefined | Defined | Defined |
| Accpac | Yes | Undefined | Defined | Defined |
Notes:
* Many of the critical database systems do not have system requirements defined.
* The information policy and procedures manual covers the two areas without a clear definition of the standards (the middle step). Clarification in this area will add clarity to future IT (security) audits.
Without a clear valuation from the business plan, expected loss, and hence risk, is difficult to calculate. Also absent are availability requirements. This information is inferred from the existing solutions. The assumption being made is that the requirements do not exceed those of an organization of this nature; hence standard industry solutions are deemed acceptable for mitigating the risk.
Business Plan – Standards (Security) Audit
No formal documentation exists to cover this area, so no formal audit was performed.
The purpose of the standards document is to:
1. Define how the business objects will be deployed.
2. Define the service levels that can be expected and the requirements that must be in place in order to meet them.
3. Define which business unit is responsible for designing, implementing and enforcing the standards and guidelines (procedures).
Given the lack of formal documents, an Implied Standard has been surmised and security vulnerabilities measured against it.
Policy – Standards (Security) Audit
IT Audit Constraints
1) Define the IT control
2) Does the control conform to industry best practices?
3) Is the control documented in the manual?
Based upon the requirements of the business, these practices have been identified:
| Area | IT Control | Best Practice | Manual |
| --- | --- | --- | --- |
| Network Operating System (security) | Windows Server 2000/2003 | Yes | No |
| Application Availability | Hardware servers | Yes | No |
| Database | SQL and Pervasive | Yes | No |
| Security | ISA | Yes | No |
| Data practices | Defined procedures | No | No |
Two security vulnerabilities have been identified under clause 2.3 Access to Database:
“providing access to the STATIS_query (read-only) database for performing ad-hoc queries using Microsoft Access.”
There is no guideline clearly stating that black box databases should not be made (nor are these entities identified). There is a risk that data in these black boxes can deviate from the main body.
“If you are working with a committee, you may provide information about committee members to the Chairperson of the Committee.”
A confidentiality or a data definition concern arises here. Should a member give an unlisted number for contact purposes but NOT authorize us to distribute it, distributing it may subject the organization to a violation of privacy rights.
Infrastructure – Standards/Data (Security) Audit
Information Technology Infrastructure
The infrastructure was analyzed from three aspects: the physical configuration, the logical/data configuration, and maintenance activity.
Physical Infrastructure
Only a cursory assessment of the physical infrastructure was made since requirements were not clearly defined.
The three areas taken under consideration were Servers, Desktops, and Network Infrastructure.
Servers
The chart below outlines the deployment of applications across the existing servers. The PowerEdge series of servers is consistent with the highly available server technology typical of similar or more sensitive organizations.
A precautionary note: the Financespare-xp and XYZ-ISA machines