UNIVERSITI TEKNOLOGI MALAYSIA
81310 SKUDAI, JOHOR
MCSH2413 IT SECURITY AUDIT & ASSESSMENT
Security Auditing & Assessment in India
LECTURER'S NAME: DR. SITI HAJAR OTHMAN
Student Name: Shahbaaz Mohammed Hayat Chaki (MCS171004)
Date of Submission: 21st November 2017

Table of Contents
Requirements / Questions asked
Stages of Audit
  Scope
  Planning
    Procedure, Roles, and Responsibilities
  Fieldwork
    Physical Security
    Identification, Authentication, and Access
  Analysis
  Reporting
Audit Closure
  Non-compliance Sign-off
  Compliance Audit Report Closure
References

Information & Requirements to perform security audits for organizations in India

Requirements / Questions asked:
The organization should be a registered organization, registered with the Income Tax Department, the Ministry of Corporate Affairs and the other government agencies that apply to its type of business. The auditor then needs answers to the following questions:
- Are the systems required to be available 24 x 7? Many e-business systems are required to have 99.99% availability or better, because they are used by customers all over the world.
- What are the access requirements? Is access to systems and data restricted within the organization to senior management? Are customers, business partners or competitors allowed access to any part of the system (particularly for e-business systems)?
- How many users use the system on average and at peak times?
- How much of the stored data is no longer used?
- Are there legal requirements to retain data for a specific period of time?
- Are there legal requirements to protect the data from intruders?
- How sensitive is the data? How badly would it affect the business if competitors or other intruders gained access to the data or destroyed it?
- How sensitive is the system itself? How badly would it affect the business if an unauthorized user gained access to different parts of the system?
- What type of organization is it?
Stages of Audit

Scope
At this stage the auditor determines the main area(s) of focus for the audit and any areas that are explicitly out of scope, normally on the basis of an initial risk-based assessment plus discussion with those who commissioned the audit. Information sources include general research on the industry and the organization, previous ISMS (information security management system) audit reports and perhaps other audit reports, and ISMS documents such as the Statement of Applicability, the Risk Treatment Plan and the ISMS policy. The auditors should make sure that the scope "makes sense" in relation to the organization. The audit scope should normally match the scope of the ISMS being certified. For example, large organizations with many divisions or business units may have separate ISMSs, a single enterprise-wide ISMS, or some combination of local and centralized ISMSs. If the certification is for the whole organization, the auditor may need to review the ISMS in operation at all business locations, or at least at a representative sample such as the head office and a selection of discrete business units chosen by the auditors. The auditors should also consider the information security risks and controls associated with information flows to other entities (organizations, business units and so on) that fall outside the scope of the ISMS, for example by checking the adequacy of the information-security conditions in Service Level Agreements or contracts with IT service providers. This is easier where the out-of-scope entities have themselves been audited and found compliant.
During the pre-audit survey the auditors identify and, ideally, make contact with the main stakeholders in the ISMS, such as the ISMS manager(s), security architects, ISMS designers and implementers, and other influential figures such as the CIO and CEO, taking the opportunity to request the documentation that will be reviewed during the audit. The organization usually appoints one or more audit "escorts": people who make sure the auditor can move freely about the organization and quickly find the people and information needed to do the work, and who act as management contact points.

The main output of this stage is an agreed audit scope, charter, engagement letter or similar. Contact lists and other preliminary documents are also obtained, and the audit files are opened to hold the documentation (working papers, evidence, reports and so on) arising from the audit. (Chris Davis, 2011)

Planning
The overall audit scope is broken down into greater detail, typically by producing an audit workplan or checklist (the source guideline provides two generic examples as appendices, which are not reproduced here). Such generic workplans and checklists are not meant to be used without due consideration and modification; this paper is only a general guideline. Auditors will normally develop a custom workplan or checklist reflecting the specific scope and size of the ISMS being audited, taking into account any information security requirements already evident at this stage (for example laws, regulations and standards known to apply to similar organizations in the industry). The workplan or checklist may also be modified during the audit if previously overlooked areas of concern come to light.
The overall timing and resourcing of the audit is planned and agreed between the management of the organization being audited and the auditor, as an audit plan. Normal project planning methods such as Gantt charts are typically used. Audit plans identify and put broad boundaries around the remaining phases of the audit. It is essential to make preliminary bookings for the formal audit report/discussion meeting so that participants can plan their attendance. Audit plans often also include "checkpoints": specific opportunities for the auditors to give informal interim updates to their management contacts, including early notice of any observed anomalies or potential non-compliances. Interim updates also give the auditors the chance to raise concerns over restricted access to information or people, and give management the chance to raise concerns over the nature of the audit work. Although the auditors are essentially independent of the organization, they need to establish a level of trust and a cooperative working environment in order to engage effectively and obtain the information needed to audit the ISMS. Finally, the timing of essential audit work elements may be set, in particular to prioritize the aspects believed to pose the most serious risk to the organization if the ISMS turns out to be deficient. The output of this stage is the (customized) audit workplan or checklist and an audit plan agreed with management. (Anne Kohnke, 2016)

Procedure, Roles, and Responsibilities
This is an area that is all too often completely overlooked in security audits. Auditors often concentrate on the physical and technical aspects of security and fail to check that proper procedures are in place, have been written down and are being followed. Yet this can be the key piece which, if missing, poses the greatest threat to security.
Make sure procedures are in place so that auditing and tracking are used effectively. Some systems will need to log more than others (for legal or operational reasons), but the minimum is to log which login attempts failed and which IP address they came from. Are procedures in place to ensure that the audit logs of system activity are regularly reviewed for signs of malicious intent (for example repeated failed logins)? Who carries out these procedures, and how often? Are they effective? Is there a policy that ensures passwords are not easily guessed? For instance, is it required that passwords be at least eight characters long and contain a mix of letters and numbers? Does the system force users to change passwords regularly? (Current guidance such as NIST SP 800-63B discourages forced periodic changes and composition rules in favour of length, screening against known-breached passwords and throttling of failed attempts, so the auditor should test the policy against whichever standard the organization has adopted.) The best virus-scanning software in the world cannot cope with a virus so new that no signature has yet been written for it. Are procedures in place for what should be done if a virus outbreak is discovered? Should all mail servers be taken down in such an event, and perhaps all web servers too? Many of the most destructive viruses at the time of the cited source used VBScript to write themselves into web pages and e-mail messages, so this may be a consideration. (Gallegos, 1999)

Fieldwork
During the fieldwork stage, audit evidence is gathered by the auditor(s) working systematically through the workplan or checklist: for example interviewing staff, managers and other stakeholders associated with the ISMS, reviewing ISMS documents, printouts and data (including records of ISMS activities such as security log reviews), observing ISMS processes in action and checking system security configurations. Audit tests are performed to validate the evidence as it is gathered, and audit working papers are prepared documenting the tests performed.
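The log-review procedure described above (log every failed login with its source address, then review the logs regularly for repeated failures) can be exercised with a small script. The following is an added example written for this page; it is not code from the paper or from any of the cited works. The log lines are constructed in the common Linux sshd syslog layout, and the year used for timestamp parsing, the threshold of five failures and the ten-minute window are assumptions rather than values from the page. The password check encodes only the eight-character, letters-and-digits rule the text gives as an example policy.

```python
"""Review sshd-style authentication logs for repeated failed logins.

Added example for this page (not from the paper or its sources). The
log lines below are CONSTRUCTED in the common Linux sshd syslog layout;
the year, threshold and window are assumptions, not values from the page.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a burst of guesses against 'admin'/'root'
# followed by a successful root login, one user typo, and slow guesses
# spread two hours apart (which a short window should not flag).
SAMPLE_LOG = """\
Nov 21 10:14:02 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Nov 21 10:14:05 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Nov 21 10:14:09 web01 sshd[1203]: Failed password for root from 203.0.113.45 port 51240 ssh2
Nov 21 10:14:13 web01 sshd[1204]: Failed password for root from 203.0.113.45 port 51244 ssh2
Nov 21 10:14:18 web01 sshd[1205]: Failed password for root from 203.0.113.45 port 51248 ssh2
Nov 21 10:14:25 web01 sshd[1206]: Accepted password for root from 203.0.113.45 port 51252 ssh2
Nov 21 10:20:41 web01 sshd[1300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov 21 10:20:55 web01 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Nov 21 11:02:10 web01 sshd[1400]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Nov 21 13:02:10 web01 sshd[1401]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Nov 21 15:02:10 web01 sshd[1402]: Failed password for bob from 192.0.2.9 port 33002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_auth_log(text, year=2017):
    """Return a list of (timestamp, result, user, source_ip) tuples.

    syslog lines carry no year, so one is assumed (2017 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other sshd messages (disconnects etc.) are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_suspicious_sources(events, threshold=5, window_minutes=10):
    """Flag sources with >= threshold failed logins inside any window.

    Returns {source_ip: finding}. A success from the same source after
    the burst is the case an auditor most wants to see, so it is noted."""
    window = timedelta(minutes=window_minutes)
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in events:
        (failures if result == "Failed" else successes)[src].append((ts, user))

    findings = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):          # sliding window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                findings[src] = {
                    "failures_in_window": end - start + 1,
                    "users_tried": sorted({u for _, u in fails[start:end + 1]}),
                    "success_after_burst": any(ts > burst_end for ts, _ in successes[src]),
                }
                break
    return findings


def password_meets_policy(password, min_length=8):
    """The example policy from the text: at least eight characters with
    both letters and digits. (Only the page's stated rule is encoded.)"""
    return (len(password) >= min_length
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


if __name__ == "__main__":
    for src, finding in find_suspicious_sources(parse_auth_log(SAMPLE_LOG)).items():
        print(src, finding)
```

Run stand-alone, the script reports only 203.0.113.45 (five failures in sixteen seconds followed by an accepted root login); the slow guesses from 192.0.2.9 only appear if the auditor widens the window, which is exactly the parameter the "how often are logs reviewed" question is really asking about.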
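The fieldwork step of checking system security configurations is the kind of technical compliance test that is usually automated. The following is an added example for this page, not code from the paper or from any of the cited works: it compares the effective settings of an sshd_config file against a baseline. The config excerpt is constructed and the baseline values are assumptions standing in for an organization's own hardening standard. It also shows a detail a naive "grep the last value" check would get wrong: sshd applies the first value it reads for a directive, so a hardening line added below a permissive one has no effect, and directives inside a Match block only apply conditionally.

```python
"""Technical compliance check of an sshd_config against a baseline.

Added example for this page (not from the paper or its sources). The
config excerpt is CONSTRUCTED and the baseline values are assumptions
standing in for an organisation's own hardening standard.
"""
import re

# Constructed sshd_config excerpt. Line numbers are used as evidence.
SAMPLE_CONFIG = """\
# constructed sshd_config excerpt (not from a real host)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# "hardening" added later; sshd keeps the FIRST value, so this is ineffective
PermitRootLogin no
MaxAuthTries 3
X11Forwarding no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

# OpenSSH 7.x defaults, used as evidence when a directive is absent.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
    "maxauthtries": "6",
}

# Assumed organisational baseline: directive -> (check, requirement text).
BASELINE = {
    "permitrootlogin": (lambda v: v == "no", "must be 'no'"),
    "passwordauthentication": (lambda v: v == "no", "must be 'no' (key-based logins only)"),
    "permitemptypasswords": (lambda v: v == "no", "must be 'no'"),
    "x11forwarding": (lambda v: v == "no", "must be 'no'"),
    "maxauthtries": (lambda v: v.isdigit() and int(v) <= 4, "must be 4 or fewer"),
}


def parse_sshd_config(text):
    """Return (effective_settings, match_block_lines).

    effective_settings maps a lower-cased keyword to (value, line_no).
    sshd uses the first value it reads for each keyword, so a later
    duplicate does NOT override an earlier one. Directives after a
    'Match' line are conditional and are returned separately."""
    settings, match_lines, in_match = {}, [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
        if in_match:
            match_lines.append((no, line))
            continue
        settings.setdefault(key, (value, no))    # first value wins
    return settings, match_lines


def check_baseline(settings, baseline=BASELINE, defaults=SSHD_DEFAULTS):
    """Compare effective settings with the baseline; return a list of
    findings in working-paper form (requirement, observed value, evidence)."""
    findings = []
    for key, (check, requirement) in baseline.items():
        if key in settings:
            value, line_no = settings[key]
            evidence = f"line {line_no}"
        else:
            value, evidence = defaults[key], "sshd default (directive absent)"
        findings.append({
            "directive": key,
            "requirement": requirement,
            "observed": value,
            "evidence": evidence,
            "conformant": bool(check(value)),
        })
    return findings


def nonconformances(findings):
    """Only the findings that would become audit non-compliance records."""
    return [f for f in findings if not f["conformant"]]


if __name__ == "__main__":
    effective, conditional = parse_sshd_config(SAMPLE_CONFIG)
    for f in nonconformances(check_baseline(effective)):
        print(f)
    for no, line in conditional:
        print(f"note: line {no} is inside a Match block and was not assessed: {line}")
```

Each finding records the requirement, the observed value and the line (or default) it was taken from, which is the evidence trail the working papers need; the two non-conformances here are PermitRootLogin and PasswordAuthentication, both still effectively "yes" despite the later lines. Running such a checker needs read access to the host's configuration, which is one of the "security issues of their own" that automated tools bring.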
The first part of the fieldwork usually involves a documentation review. The auditor reads and makes notes on the documentation relating to and arising from the ISMS (the Statement of Applicability, Risk Treatment Plan, ISMS policy and so on). The documentation itself is audit evidence, and the audit notes are audit working papers. Findings from the documentation review often show the need for specific audit tests to determine how closely the ISMS as currently implemented follows the documentation, as well as testing the general level of compliance and the appropriateness of the documentation in relation to ISO/IEC 27001. The results of the audit tests are typically recorded in checklists such as those in the source guideline's Appendix A and Appendix B. Technical compliance tests may be necessary to verify that IT systems are configured in accordance with the organization's information security policies, standards and guidelines. Automated configuration checking and vulnerability assessment tools can speed up technical compliance checks, but they potentially introduce security issues of their own (for example the privileged credentials they need and the traffic they generate) that must be taken into account. The output of this stage is an accumulation of audit working papers and evidence in the audit files. (Moeller, 2010)

Physical Security
In examining physical security, the auditor should be concerned with where the system is physically located and which physical locations it can be accessed from. For most systems it is reasonable to keep the database server and web server hardware in an air-conditioned room that has no windows and is not easily entered (preferably with access controlled by a security card reader or keycode entry system). For more critical systems it may also be necessary to vet the holders of such security cards, or to change the keycode used to enter the server room regularly.
Depending on the level of security required, it may be necessary to check that security guards are used to protect against intruders (and that they, and the company they work for, are reliable and trustworthy and have been subjected to a police check). For systems with high availability requirements and high business criticality, it is crucial to ensure that the entire system is duplicated off site, so that operation can be switched to the other site in the event of a disaster such as a fire, an earthquake (a much bigger worry for me when I worked in Wellington, New Zealand, than now that I am in London!), a bomb, or even a plane crashing into the building (sad though it is that such outcomes have to be considered). Make sure that this "failover site" is just as secure as the main site (difficult when the site is managed by a third party that runs a great many failover sites for different companies). It is also important to check that the duplicate system really could cope in a disaster. For example, a client of mine spent a great deal of money duplicating his website, web server software and hardware, and database server (using replication) at his failover site. However, the web server at the failover site used the same Internet service provider as the main web server, so when one was unavailable because of a problem at the ISP, so was the other. Check that the entire architecture is duplicated, including the web server hardware and software, the database server software (and hardware, if separate from the web server hardware), the data (through replication, or managed backups and restores at regular intervals), the network, the routers, the hubs, and any firewalls. (Ken E. Sigler, 2016)

Identification, Authentication, and Access

Analysis
The accumulated audit evidence is sorted and filed, then reviewed and examined in relation to the risks and control objectives. Sometimes the analysis identifies gaps in the evidence or shows the need for additional audit tests, in which case further fieldwork may be performed unless the scheduled time and resources have been exhausted. Prioritizing audit activities by risk, however, means that the most important areas should already have been covered.

Reporting
Reporting is an important part of the audit process and an involved sub-process in its own right. A typical audit report contains the following elements, some of which may be split into appendices or separate documents:
• Title and introduction naming the organization and clarifying the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
• An executive summary giving the key audit findings, a brief analysis and commentary, and an overall conclusion.
• The intended report recipients plus (since the content may be confidential) an appropriate document classification or restrictions on circulation.
• An outline of the auditors' credentials, audit methods and so on.
• Detailed audit findings and analysis, sometimes with extracts from the supporting evidence in the audit files where this aids understanding.
• The audit conclusions and recommendations, perhaps first presented as tentative proposals to be discussed with management and eventually incorporated as agreed action plans, depending on local practice.
• A formal statement by the auditors of any reservations, qualifications, scope limitations or other caveats regarding the audit.
• Depending on normal audit practice, management may be invited to provide a short commentary or formal response, accepting the results of the audit and committing to any agreed actions.

It is vital that there is sufficient, appropriate audit evidence to support the results reported. Audit quality assurance processes therefore ensure that "everything reportable is reported and everything reported is reportable", usually through a review of the audit file by a senior auditor. The wording of the draft report is checked for clarity, avoiding ambiguity and unsupported statements. Once approved by audit management for circulation, the draft report is usually presented to and discussed with management. Further cycles of review and revision may follow until the report is finalized, and finalization usually involves management committing to the action plan. In addition to the formal recommendations relating to any major non-conformance, auditors sometimes provide observations on minor non-conformances and other advice, for example potential process improvements or good-practice suggestions drawn from their experience with other organizations. These may or may not form part of the formal audit report, depending on the organization.
Audit Closure
Once all the necessary corrective actions have been checked by the auditor and found satisfactory, the audit can be formally signed off. This involves the following activities.

Non-compliance Sign-off
In the follow-up audit, the auditor checks the corrective action that has been implemented for each non-compliance found in the original audit. The details of how the corrective action was implemented, and whether it has been effective, are recorded at the bottom of the non-compliance record. Once the auditor is satisfied with these findings, the non-compliance record is signed off by the auditor and the Data Protection Representative. (ozturan, n.d.)

Compliance Audit Report Closure
Once the non-compliance records associated with an audit have been signed off as described under "Non-compliance Sign-off" above, the bottom section of the Compliance Audit Report can be signed off by the auditor and the Data Protection Representative. This formally closes the audit. (ozturan, n.d.)

References
Anne Kohnke et al. (2016). The Complete Guide to Cybersecurity Risks and Controls (Internal Audit and IT Audit).
Chris Davis et al. (2011). IT Auditing: Using Controls to Protect Information Assets. McGraw-Hill Education.
Gallegos, F. (1999). Information Technology Control and Audit.
Ken E. Sigler et al. (2016). Securing an IT Organization through Governance, Risk Management, and Audit (Internal Audit and IT Audit).
Moeller, R. R. (2010). IT Audit, Control, and Security.
ozturan (n.d.). Guide to Data Protection Audit - Step By Step. Retrieved from https://www.cmpe.boun.edu.tr/~ozturan/etm555/dataaudit/html/steps/followup/closure.htm