Auditing Corporate Information Security
John R. Robles
Tuesday, November 1, 2005
Email: jrobles@coqui.net
Tel: 787-647-396

Steps in the Information Security Audit Plan
Gather data
Analyze and test
Conclude
Report findings

Federal Financial Institutions Examination Council (FFIEC)
Federal Reserve System
Federal Deposit Insurance Corporation (FDIC)
National Credit Union Administration (NCUA)
Office of the Comptroller of the Currency (OCC), and
The Office of Thrift Supervision (OTS)

Information Systems Security Standards based on:
FFIEC Information Technology Examination Handbook
http://www.ffiec.gov/ffiecinfobase/
Audit areas include:
• Audit
• Business Continuity Planning
• Development and Acquisition
• E-Banking
• FedLine
• Information Security
• Management
• Operations
• Outsourcing Technology Services
• Retail Payment Systems
• Supervision of Technology Service Providers
• Wholesale Payment Systems

INFORMATION SECURITY WORKPROGRAM
EXAMINATION OBJECTIVE: Assess the quantity of risk and the effectiveness of the institution's risk management processes as they relate to the security measures instituted to ensure confidentiality, integrity, and availability of information and to instill accountability for actions taken on the institution's systems.

The objectives and procedures are divided into Tier I and Tier II:
Tier I assesses an institution's process for identifying and managing risks.
Tier II provides additional verification where risk warrants it.
Tier I and Tier II are intended to be a tool set examiners will use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives.

Tier 1 Audit Objectives
Objective 1: Determine the appropriate scope for the examination.
Quantity of Risk
Objective 2: Determine the complexity of the institution's information security environment.
Quality of Risk Management
Objective 3: Determine the adequacy of the risk assessment process.
Objective 4: Evaluate the adequacy of security policies relative to the risk to the institution.
Objective 5: Evaluate the security-related controls embedded in vendor management.
Objective 6: Determine the adequacy of security testing.
Objective 7: Evaluate the effectiveness of enterprise-wide security administration.
Conclusions
Objective 8: Discuss corrective action and communicate findings.

Tier 2 Controls
Access Rights Administration
Authentication
Network Security
Host Security
User Equipment Security
Physical Security
Personnel Security

Tier 2 Controls (Continued)
Application Security
Software Development and Acquisition
Business Continuity Security
Intrusion Detection and Response
Service Provider Oversight Security
Encryption Security
Data Security

Audit to Information Security Standards used by the Information Security department
ISO 17799 – world wide standard
• http://www.iso.org/iso/en/prodsservices/popstds/informationsecurity.html
Cobit – High Level Standard, www.isaca.org
Industry specific – HIPAA Final Security Standards
Industry specific – FFIEC Standard
NIST

ISO 17799 - This is essentially the set of security controls: the measures and safeguards for potential implementation. In volume it is the main body of the overall 'standard set' itself.
1. Security Policy
2. Security Organization
  Information Security Infrastructure
  Security and Third Party Access
  Outsourcing
3. Asset Classification and Control
  Accountability for Assets
  Information Classification
4. Personnel Security
  Security in Job Definition and Resourcing
  User Training
  Responding to Security Incidents and Malfunctions
5. Physical and Environmental Security
  Secure Areas
  Equipment Security
  General Controls
6. Communications and Operations Management
  Operational Procedures and Responsibility
  System Planning and Acceptance
  Protection Against Malicious Software
  Housekeeping
  Network Management
  Media Handling and Security
  Exchanges of Information and Software
7. Access Control
  Business Requirement for Access Control
  User Access Management
  User Responsibilities
  Network Access Control
  Operating System Access Control
  Application Access Management
  Monitoring System Access and Use
  Mobile Computing and Teleworking
8. System Development and Maintenance
  Security Requirements of Systems
  Security in Application Systems
  Cryptographic Controls
  Security of System Files
  Security in Development and Support Processes
9. Business Continuity Management
  Aspects of Business Continuity Management
10. Compliance
  Compliance with Legal Requirements
  Reviews of Security Policy and Technical Compliance
  System Audit Considerations

COBIT—IT Control Framework
Four (4) IT Domains and 34 Processes

PLAN AND ORGANISE
PO1—Define a strategic IT plan
PO2—Define the information architecture
PO3—Determine the technological direction
PO4—Define the IT organization and relationships
PO5—Manage the IT investment
PO6—Communicate management aims and direction
PO7—Manage human resources
PO8—Ensure compliance with external requirements
PO9—Assess risks
PO10—Manage projects
PO11—Manage quality

ACQUIRE AND IMPLEMENT
AI1—Identify automated solutions
AI2—Acquire and maintain application software
AI3—Acquire and maintain technology infrastructure
AI4—Develop and maintain procedures
AI5—Install and accredit systems
AI6—Manage changes

DELIVER AND SUPPORT
DS1—Define and manage service levels
DS2—Manage third-party services
DS3—Manage performance and capacity
DS4—Ensure continuous service
DS5—Ensure systems security
DS6—Identify and allocate costs
DS7—Educate and train users
DS8—Assist and advise customers
DS9—Manage the configuration
DS10—Manage problems and incidents
DS11—Manage data
DS12—Manage facilities
DS13—Manage operations

MONITOR AND EVALUATE
M1—Monitor the processes
M2—Assess internal control adequacy
M3—Obtain independent assurance
M4—Provide for independent audit

Test Controls
Document Findings
Prepare Report and present recommendations to management

Thank You!
John R. Robles
Email: jrobles@coqui.net
Tel: 787-647-396
http://home.coqui.net/jrobles