
Security Auditing In India

UNIVERSITI TEKNOLOGI MALAYSIA
81310 SKUDAI, JOHOR
MCSH2413
IT SECURITY AUDIT & ASSESSMENT
Security Auditing & Assessment in India
LECTURER’S NAME : DR. SITI HAJAR OTHMAN
Student Name : Shahbaaz Mohammed Hayat Chaki
(MCS171004)
Date of Submission: 21st November 2017
1|Page
Table of Contents
Requirements / Questions asked
Stages of Audit
  Scope
  Planning
    Procedure, Roles, and Responsibilities
  Fieldwork
    Physical Security
    Identification, Authentication, and Access
  Analysis
  Reporting
Audit Closure
  Non-compliance Sign-off
  Compliance Audit Report Closure
References
Information & Requirements to perform security audits for organizations in India
Requirements / Questions asked:

• The organization should be a registered organization.

• It should be registered with the Income Tax Department, the Ministry of Corporate Affairs and the other government agencies that apply, depending on the business type.

• Are the systems required to be available 24 x 7? Many e-business systems are required to have 99.99% or higher availability because they are used by customers all over the world.

• What are the access requirements? Is access to systems/data restricted within the organization to senior management? Are customers, business partners or competitors allowed access to any part of the system (particularly for e-business systems)?

• How many users use the system on average and at peak times?

• How much of the data is not used?

• Are there legal requirements to retain data for a specific period of time?

• Are there legal requirements to protect data from intruders?

• How sensitive is the data? How badly would it affect the business if competitors or other intruders gained access to that data or destroyed it?

• How sensitive is the system itself? How badly would it affect the business for an unauthorized user to gain access to different parts of the system?

• What type of organization is it?
Stages of Audit
Scope
At this stage, the auditor determines the main area(s) of focus for the audit and any areas that are explicitly out of scope, normally based on an initial risk-based assessment plus discussion with those who commissioned the audit. Inputs include general research on the industry and the organization, previous audit reports and perhaps other review reports, and ISMS (information security management system) documents such as the Statement of Applicability, the Risk Treatment Plan and the ISMS policy.

The auditors should make sure that the scope "makes sense" in relation to the organization. The audit scope should normally match the scope of the ISMS being certified. For example, large organizations with numerous divisions or business units may have separate ISMSs, a comprehensive enterprise-wide ISMS, or some combination of local and integrated ISMSs. If the certification is for the whole organization, the auditor may need to review the ISMS in operation at all, or at least a representative sample, of the business locations, for example the head office and a selection of discrete business units chosen by the auditors.

The auditors should consider the information security risks and controls associated with information flows to other entities (organizations, business units and so on) that fall outside the scope of the ISMS, for instance by checking the adequacy of the information security clauses in Service Level Agreements or contracts with IT service providers. This is easier where the out-of-scope entities have themselves been audited and found compliant.

During the pre-audit survey, the auditors identify and ideally make contact with the main stakeholders in the ISMS, such as the manager(s), security architects, ISMS designers, ISMS implementers and other influential figures such as the CIO and CEO, taking the opportunity to request related documentation that will be reviewed during the audit. The organization normally nominates one or more audit "escorts", people who make sure that the auditor can move freely about the organization and quickly find the people, information and so on needed to do the work, and who act as management contact points.

The primary output of this stage is an agreed audit scope, charter, engagement letter or similar. Contact lists and other preliminary documents are also obtained, and the audit files are opened to hold the documentation (audit working papers, evidence, reports and so on) arising from the audit. (Chris Davis, 2011)
Planning
The overall audit scope is broken down into greater detail, normally by producing an audit workplan/checklist (see the appendices for two generic examples).

Note: the generic example workplans/checklists provided with this guideline are not intended to be used without due consideration and adaptation. This paper is only a general guideline. Auditors will normally develop a custom workplan/checklist reflecting the specific scope and size of the particular ISMS being audited, taking into account any information security requirements that are already evident at this stage (for example, information security laws, regulations and standards that are known to apply to similar organizations in the industry). The workplan/checklist may also be modified during the audit if previously overlooked areas of concern come to light.

The overall timing and resourcing of the audit is planned and agreed by the management of both the organization being audited and the audit team, as an audit plan. Normal project planning methods (for example, Gantt charts) are typically used.

Audit plans identify and put broad boundaries around the remaining phases of the audit. It is common to make preliminary bookings for the formal audit report/discussion meeting so that participants can schedule their attendance.

Audit plans usually also include "checkpoints", that is, specific opportunities for the auditors to give informal interim updates to their management contacts, including preliminary notice of any observed discrepancies or potential non-conformities. Interim updates also give the auditors a chance to raise any concerns over limited access to information or people, and give management a chance to raise any concerns over the nature of the audit work. While the auditors are fundamentally independent of the organization, they need to establish a level of trust and a cooperative working environment in order to engage effectively and obtain the information needed to audit the ISMS.

Finally, the sequencing of the main audit work elements may be decided, particularly in order to prioritize the aspects that are believed to represent the most serious risks to the organization if the ISMS is found to be deficient.

The output of this stage is the (customized) audit workplan/checklist and an audit plan agreed with management. (Anne Kohnke, 2016)
Procedure, Roles, and Responsibilities
This is an area that is quite often completely neglected in security audits. Auditors tend to concentrate on the physical and technical aspects of security and fail to check that proper procedures are in place, have been written down, and are being followed. Yet this can be the key piece which, if missing, creates the greatest risk to security.

Make sure that procedures are in place to ensure that auditing and tracking are used effectively. Some systems will be required to log more than others (for legal or operational reasons), but the minimum auditing that should be done is to log which login attempts have failed and which IP address they originated from.

Are procedures in place to ensure that the audit logs of system activity are regularly examined for signs of malicious intent (for example, repeated failed logins)? Who carries out these procedures, and how often? Are they effective?
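As an added example (not part of the original paper or of the sources it cites), the following Python script performs the minimum log review described above over a handful of constructed OpenSSH-style auth.log lines: it extracts each failed login together with its source IP address, groups the failures by source, and flags any source at or above a threshold. The log lines, the host name web01 and the threshold of three failures are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of OpenSSH auth.log entries (not real data).
SAMPLE_LOG = """\
Nov 20 09:12:01 web01 sshd[2113]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Nov 20 09:12:03 web01 sshd[2113]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Nov 20 09:12:05 web01 sshd[2114]: Failed password for root from 203.0.113.45 port 51024 ssh2
Nov 20 09:12:09 web01 sshd[2115]: Failed password for root from 203.0.113.45 port 51025 ssh2
Nov 20 09:12:12 web01 sshd[2116]: Failed password for oracle from 203.0.113.45 port 51026 ssh2
Nov 20 09:15:40 web01 sshd[2130]: Failed password for alice from 198.51.100.7 port 40211 ssh2
Nov 20 09:15:52 web01 sshd[2131]: Accepted password for alice from 198.51.100.7 port 40212 ssh2
Nov 20 09:20:00 web01 sshd[2140]: Accepted publickey for bob from 192.0.2.10 port 33001 ssh2
"""

# Matches the two forms sshd uses: "... for invalid user NAME from IP" (unknown
# account) and "... for NAME from IP" (known account, wrong password).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (timestamp, username, source_ip) for every failed login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append((m.group("ts"), m.group("user"), m.group("ip")))
    return events


def failures_by_source(events):
    """Group failed logins by source IP: ip -> (failure count, set of usernames tried)."""
    summary = defaultdict(lambda: [0, set()])
    for _ts, user, ip in events:
        summary[ip][0] += 1
        summary[ip][1].add(user)
    return {ip: (count, users) for ip, (count, users) in summary.items()}


def flag_suspicious(summary, threshold=3):
    """Return sources at or above the failure threshold, worst first.

    Each entry is (ip, count, sorted usernames). Several usernames from one
    source is the signature of password guessing rather than a mistyped password.
    """
    flagged = [(ip, count, sorted(users))
               for ip, (count, users) in summary.items() if count >= threshold]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    summary = failures_by_source(parse_failed_logins(SAMPLE_LOG))
    for ip, count, users in flag_suspicious(summary):
        print(f"{ip}: {count} failed logins, usernames tried: {', '.join(users)}")
```

The username list per source is what separates a user who mistyped a password (one account, one or two failures) from a guessing attack (several accounts from one address); the same grouping works on other failed-logon records once the regular expression is adjusted to their format.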
Is there a policy that ensures that passwords are not easily guessed? For example, is it required that passwords be at least eight characters long and consist of a mix of numbers and letters? Does the system force users to change their passwords regularly?
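As an added example, not code from the original paper, the Python below turns the password policy questions above into two auditable checks: a complexity check against the stated rule (at least eight characters, a mix of letters and digits), and a password-ageing check over constructed /etc/shadow-style entries, which is how an auditor verifies on a Linux host that users really are forced to change passwords rather than just told to. The maximum age of 90 days, the account names, the audit date and the placeholder hashes are assumptions; eight characters is the paper's figure and is treated as a floor, so the minimum length is a parameter.

```python
import re
from datetime import date

# Policy values. MIN_LENGTH and the letters-plus-digits rule are the policy stated
# in the text; MAX_AGE_DAYS and AUDIT_DATE are assumptions made for this example.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
AUDIT_DATE = date(2017, 11, 21)


def check_password_complexity(password, min_length=MIN_LENGTH):
    """Return the list of policy violations for a candidate password ([] means compliant)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if not re.search(r"\d", password):
        problems.append("contains no digits")
    return problems


# Constructed /etc/shadow-style entries (name:hash:lastchange:min:max:warn:inactive:expire:).
# 'lastchange' is days since 1970-01-01. The hashes are placeholders, not real ones.
SAMPLE_SHADOW = """\
root:$6$placeholder:17400:0:99999:7:::
alice:$6$placeholder:17480:0:90:7:::
bob:$6$placeholder:17300:0:90:7:::
svc_backup:!:17000:0:99999:7:::
carol::17480:0:90:7:::
"""


def audit_shadow(shadow_text, today=AUDIT_DATE, max_age_days=MAX_AGE_DAYS):
    """Flag unlocked accounts whose ageing settings or actual password age break policy.

    Returns {username: [findings]}; compliant and locked accounts are omitted.
    """
    today_days = (today - date(1970, 1, 1)).days
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        user, pw_hash, last_change, _min_days, max_days = fields[:5]
        if pw_hash.startswith(("!", "*")):
            continue  # locked account: password login is not possible
        issues = []
        if pw_hash == "":
            issues.append("empty password field (login without a password)")
        if max_days == "" or int(max_days) > max_age_days:
            issues.append(f"no forced change within {max_age_days} days (max={max_days or 'unset'})")
        if last_change:
            age = today_days - int(last_change)
            if age > max_age_days:
                issues.append(f"password is {age} days old, exceeds {max_age_days}")
        if issues:
            findings[user] = issues
    return findings


if __name__ == "__main__":
    for pw in ("abc12345", "password", "12345678"):
        print(pw, "->", check_password_complexity(pw) or "compliant")
    for user, issues in audit_shadow(SAMPLE_SHADOW).items():
        print(user, "->", "; ".join(issues))
```

The ageing check reports the root account twice: its maximum age field is effectively unset (99999) and its password is older than the policy allows, which is the usual finding on hosts where a written policy exists but was never enforced in the system configuration.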
The best virus-scanning software in the world will not be able to cope with a virus that is so new that no "antidote" has yet been written. Are procedures in place for what should be done if a virus outbreak is discovered? Should all mail servers be taken down in such an event? Perhaps all Web servers as well? Many of the most destructive recent viruses use VBScript to write themselves onto Web pages and into e-mail messages, so this may be a consideration. (Gallegos, 1999)
Fieldwork
During the fieldwork stage, audit evidence is gathered by the auditor(s) working methodically through the workplan or checklist, for instance by interviewing staff, managers and other stakeholders associated with the ISMS, reviewing ISMS documents, printouts and data (including records of ISMS activities such as security log reviews), observing ISMS processes in action and checking system security configurations. Audit tests are performed to validate the evidence as it is gathered. Audit working papers are prepared, documenting the tests performed.

The first part of the fieldwork normally involves a documentation review. The auditor reads and makes notes about the documentation relating to and arising from the ISMS (for example, the Statement of Applicability, the Risk Treatment Plan, the ISMS policy and so on). The documentation constitutes audit evidence, and the audit notes are audit working papers.

Findings from the documentation review often indicate the need for specific audit tests to determine how closely the ISMS as currently implemented follows the documentation, as well as testing the overall level of compliance and the appropriateness of the documentation in relation to ISO/IEC 27001. The results of the audit tests are normally recorded in checklists, such as those given in Appendix A and Appendix B.

Technical compliance tests may be needed to verify that IT systems are configured in accordance with the organization's information security policies, standards and guidelines. Automated configuration checking and vulnerability assessment tools may speed up the rate at which technical compliance checks are performed, but they potentially introduce security issues of their own that need to be taken into account*.
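As an added example of a technical compliance test (not code from the original paper or from the books it cites), the Python below checks a collected copy of an OpenSSH sshd_config against a small baseline. It runs over a copied file rather than on the target host, which sidesteps one of the issues the paragraph alludes to: automated checking tools usually need privileged credentials on, or an agent installed on, every host they assess. The baseline values and the sample configuration are assumptions for illustration; the defaults table holds the values OpenSSH applies when a directive is absent, because a missing directive is judged by its effective value, not treated as compliant. Directives after a Match block are conditional and are deliberately not treated as the global setting.

```python
# Baseline of expected sshd_config settings. This baseline is an assumption for the
# example, not a standard taken from the original paper.
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PermitEmptyPasswords": "no",
    "LogLevel": "VERBOSE",
    "MaxAuthTries": "4",
}

# Values OpenSSH applies when the directive is absent from the file (the current
# OpenSSH defaults for these five directives). A directive that is missing is
# compared by this effective value, so "commented out" is not the same as "fixed".
DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "LogLevel": "INFO",
    "MaxAuthTries": "6",
}

# Constructed sample, as a configuration file might be collected from a host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config collected from web01 (constructed sample)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
MaxAuthTries 4
LogLevel INFO
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {directive_lowercased: (Directive, value)} for the global section.

    Comment lines are ignored. Parsing stops at the first 'Match' block because the
    directives inside it are conditional and do not set the global value. Where a
    directive is repeated, the first occurrence wins, as in sshd itself.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key.lower() == "match":
            break
        settings.setdefault(key.lower(), (key, value))
    return settings


def check_compliance(settings, baseline=BASELINE, defaults=DEFAULTS):
    """Compare each baseline directive's effective value with the expected one.

    Returns a list of findings (an empty list means the file is compliant). 'source'
    records whether the offending value was set explicitly or inherited from the
    default, which tells the auditor what the remediation has to change.
    """
    findings = []
    for directive, expected in baseline.items():
        found = settings.get(directive.lower())
        if found is None:
            actual, source = defaults.get(directive, "<unknown>"), "default"
        else:
            actual, source = found[1], "explicit"
        if actual.lower() != expected.lower():
            findings.append({"directive": directive, "expected": expected,
                             "actual": actual, "source": source})
    return findings


if __name__ == "__main__":
    for f in check_compliance(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"{f['directive']}: expected {f['expected']}, found {f['actual']} ({f['source']})")
```

Run against the sample, the check reports three findings: root login explicitly permitted, password authentication enabled by default because the hardening line was commented out, and logging below the level the baseline asks for. The record of which of these came from an explicit setting and which from a default is the kind of evidence the working papers should keep alongside the raw file.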
The output of this stage is a collection of audit working papers and evidence in the audit files. (Moeller, 2010)
Physical Security
In examining physical security, the auditor should be concerned with where the system is physically located and which physical locations it can be accessed from.

For most systems, it is sensible to keep the data server and Web server hardware in an air-conditioned room that has no windows and is not easily accessed (ideally with access controlled by some kind of security card reader or keycode entry system). For more critical systems, it may also be necessary to vet the holders of such security cards, or to change the keycode used to enter the server room regularly.

Depending on the level of security required, it may be necessary to check that security guards are used to protect against intruders (and that they, and the company they work for, are dependable and reliable and have been subjected to a police check).

For systems with high availability requirements and a high level of business criticality, it is crucial to ensure that the whole system is duplicated off site in case of disaster, so that the whole system can be switched to the other site in the event of an unfortunate incident such as a fire, an earthquake (a considerably greater worry for me when I worked in Wellington, New Zealand, than it is now that I am in London!), a bomb, or even a plane crashing into the building (sad though it is that we do need to consider such outcomes).

Make sure that this "failover site" is just as secure as the main site (difficult when such a site is managed by a third party that handles a great number of "failover sites" for various companies!). It is also important to check that this duplicate system really could cope in the event of a disaster. For example, a client of mine spent a considerable amount of money duplicating his Web site, Web server software and hardware, and database server (using replication) at his failover site. However, the Web server at the failover site used the same Internet service provider as the main Web server. When one was unavailable because of a problem with his ISP, so was the other!

Check that the whole architecture is duplicated, including the Web server hardware and software, the database server software (and hardware, if separate from the Web server hardware), the data (through replication or managed backups and restores at regular intervals), the network, the routers, the hubs, any firewalls, and so on. (Ken E. Sigler, 2016)
Identification, Authentication, and Access
Analysis
The gathered audit evidence is sorted and filed, then reviewed and examined in relation to the risks and control objectives. Sometimes analysis identifies gaps in the evidence or indicates the need for additional audit tests, in which case further fieldwork may be performed unless the scheduled time and resources have been exhausted. However, prioritizing audit activities by risk implies that the most important areas should already have been covered.
Reporting
Reporting is an important part of the audit process, and an involved subprocess in its own right.

A typical ISMS audit report contains the following elements, some of which may be split into appendices or separate documents:
• A title and introduction naming the organization and clarifying the scope, objectives, period of coverage and the nature, timing and extent of the audit work performed.
• An executive summary indicating the key audit findings, a brief analysis and commentary, and an overall conclusion.
• The intended report recipients plus (since the content may be confidential) an appropriate document classification or restrictions on distribution.
• An outline of the auditors' credentials, audit methods and so on.
• Detailed audit findings and analysis, sometimes with extracts from the supporting evidence in the audit files where this aids understanding.
• The audit conclusions and recommendations, perhaps initially presented as tentative proposals to be discussed with management and eventually incorporated as agreed action plans, depending on local practice.
• A formal statement by the auditors of any reservations, qualifications, scope limitations or other caveats regarding the audit.
• Depending on normal audit practice, management may be invited to give a short commentary or formal response, accepting the results of the audit and committing to any agreed actions.

It is essential that there is sufficient, appropriate audit evidence to support the results reported. Audit quality assurance processes therefore ensure that "everything reportable is reported and everything reported is reportable", usually through a review of the audit file by a senior auditor. The wording of the draft audit report is checked for clarity, avoiding ambiguity and unsupported statements. When approved by audit management for circulation, the draft audit report is usually presented to and discussed with management. Further cycles of review and amendment of the report may take place until it is finalized. Closure usually involves management committing to the action plan.

In addition to the formal audit recommendations relating to any major non-conformances, auditors sometimes give audit observations on minor non-conformances and other advice, for example potential process improvements or good practice suggestions from their experience with other organizations. These may or may not be part of the formal audit report, depending on the organization.
Audit Closure
When all the necessary corrective action has been checked by the auditor and found to be acceptable, the audit can be formally closed off / signed off. This involves the following activities:
Non-compliance Sign-off
In the follow-up audit phase, the auditor checks the corrective action that has been implemented for each non-compliance finding of the original audit. The details of how the corrective action has been implemented, and whether it has been effective, are then recorded at the bottom of the Non-compliance Record. Once the auditor is satisfied with these findings, the Non-compliance Record is signed off by the auditor and the Data Protection Representative. (ozturan, n.d.)
Compliance Audit Report Closure
Once the Non-compliance Records associated with an audit have been signed off as described in "Non-compliance Sign-off" above, the bottom section of the Compliance Audit Report can be signed off by the auditor and the Data Protection Representative. This formally closes the audit. (ozturan, n.d.)
References
Anne Kohnke et al. (2016). The Complete Guide to Cybersecurity Risks and Controls (Internal Audit and IT Audit series).
Chris Davis et al. (2011). IT Auditing: Using Controls to Protect Information Assets. McGraw-Hill Education.
Gallegos, F. (1999). Information Technology Control and Audit.
Ken E. Sigler et al. (2016). Securing an IT Organization through Governance, Risk Management, and Audit (Internal Audit and IT Audit series).
Moeller, R. R. (2010). IT Audit, Control, and Security.
ozturan. (n.d.). Guide to Data Protection Audit, Step by Step: Follow-up and Closure. Retrieved from https://www.cmpe.boun.edu.tr/~ozturan/etm555/dataaudit/html/steps/followup/closure.htm