Add to collection(s) Add to saved
  1. No category
Uploaded by Kurt Clark

CIS411 Assignment6 Kurt Clark

advertisement 
Running Head: CASE STUDY – ITAUDIT
Bellevue University
CIS411-T301 Assessments and Audits
Case Study – IT Audit
Kurt Clark
April 19, 2014
1
CASE STUDY – IT AUDIT
2
Case Study - IT Audit
The Case Study provides information about the information technology (IT) environment
of the architecture firm Dalton, Walton & Carlton, Inc. An IT audit should be completed to
determine if the current security structure matches the security policy of the firm. The IT audit
will include creating the audit universe and expanding upon what will occur within the six audit
stages.
Audit Universe
The firm has had computers stolen and data lost. The data loss can be the reason the firm
has lost a contract from their largest customer. The data loss could be attributed to either the
stolen systems or the ability of employees to access data which they were not authorized. The
audit universe will focus on the loss of equipment and data. The physical security of systems
and the user authentication and authorization to access data will be the main concentration of the
audit.
Planning
The audit will start with a survey of the locations and interview employees to obtain a
layout of the items which need to be audited. The interviews will provide input on the current
controls which are in place to prevent the loss of equipment and data. Once the physical survey
and interviews are completed, research will be completed to create checklists to guide the
auditors through the audit. The checklist could be created by the audit team or standardized
audit checklist could be used for the audit. A start date and timeframe for completion of the
audit will be setup with the customer once the research and checklists are completed.
CASE STUDY – IT AUDIT
3
Fieldwork and documentation
The checklists and information derived from the planning phase are used to complete this
phase of the audit. To complete the checklists, the auditor will talk with the employees, use
software or hardware tools and monitor the employees. The physical security discussions will
encompass how vendors and visitor are monitored while on the premises. The auditor will take
up a position at each location and monitor how non-employees move around the location, if they
access systems without authorization and if they are escorted or not. The user authentication
and authorization audit will start with the procedures which are in place to add, modify or delete
users and how passwords are reset. As with the physical security portion, the auditor will
monitor the IT staff to see if they follow the procedures and if the procedures. The auditor will
also use software to look for passwords which have not been changed according to policy and if
allowed the auditor could run software against the password hashes to determine if passwords are
still set to the default password. All of the auditor’s discussions and actions will be documented
for future review and verification if required.
Issue discovery and validation
As part of the fieldwork, the auditor will be identifying any potential issue which would
be reportable. Each issue must be verified or validated and determined if they would be a true
risk before it can become a reportable item. The auditor may find out during the physical
security discussion that vendors are allowed to move around the building without an escort. To
verify this issue, the auditor could monitor the activities of the vendors as they come into the
building. Similarly the auditor may monitor the vendor to see if they start accessing an
employee’s system without authorization. Checking the group policies in the Active Directory
could provide information on who has access to confidential data. If the issues are determined to
CASE STUDY – IT AUDIT
4
be a true risk and valid then they would be documented with the validation process. Providing
validated issues with the customer when they are found could help accelerate the next stage and
build a good working relationship with the customer.
Solution development
If issues or deficits are identified in the previous stages, then solutions need to be
determined which correspond to the deficits. Discussing the findings as the audit moves forward
with customer is the best means to create solutions. Bringing the customer into the solution
creation helps to prevent blindsiding them with solutions which may not fit their environment.
And, the auditor and customer would be able to provide a better solution if they work together.
It would be a good idea to look for solutions with the customer when an issue is validated. It is
possible the customer may have a control in place, which was not shared with the auditor. An
Escort policy may be on the books, but has not been followed in years and it needs to be
resurrected. In another view, the solution could be implemented quickly and easily, which
would provide the required control much earlier in the audit process. If passwords are found to
still be set to the default reset password, setting up the users to change their password upon the
next login attempt would a quick resolution to this issue. Setting up a policy to use random reset
passwords in the future would easily correct the long term default password issue. If vendors are
accessing employee’s unlocked systems, then creating a leave and lock policy would be quick
and easy to complete. Solutions should meet the risk, but not cost more than the equipment or
data is valued.
Report drafting and issuance
The documentation created in the previous stages will be used to create the audit report.
CASE STUDY – IT AUDIT
5
The audit report will discuss the scope or audit universe, identify any issues or deficiencies
identified, controls currently in place and solutions for the identified deficiencies. Setting up the
report to identify the positive items found in the audit, as well as the issues found with the
solutions will provide the customer with hope versus dread. The report will be submitted to the
customer for review and comment prior to final submission. The customer’s comments may be
added to the report if they do not detract from the findings and add value to the report. All
corrective actions need to have a date of completion, which should be worked out with the
customer to make sure the dates are within reach. When the final report is produced it should be
issued to the customer based on the contract or level of management who requested the audit. It
would be beneficial to customer relations, if it was possible to supply the report to the IT staff
who will managing the corrective action.
Issue tracking
Once the report is issued to the customer, the issues identified in the report need to be
monitored for corrective action. The auditor should not wait till the due date to check on the
corrective actions. The auditor should perform periodic checks to see if the corrective actions
will meet the security measures required for the issue. If the corrective actions are taking longer
than originally thought, then an extension could be used to provide additional time. The only
problem with extension is they cannot go on forever.
Related documents
Question: 1. If the auditor finds only one instance of... the auditor assume that this is an isolated instance? Why...
Question: 1. If the auditor finds only one instance of... the auditor assume that this is an isolated instance? Why...
Exercise Chapter 15
Exercise Chapter 15
New DOCX Document
New DOCX Document
Information System Audit Checklist A hardware review evaluates the structure of:
Information System Audit Checklist A hardware review evaluates the structure of:
Download
advertisement