Running Head: CASE STUDY – ITAUDIT Bellevue University CIS411-T301 Assessments and Audits Case Study – IT Audit Kurt Clark April 19, 2014 1 CASE STUDY – IT AUDIT 2 Case Study - IT Audit The Case Study provides information about the information technology (IT) environment of the architecture firm Dalton, Walton & Carlton, Inc. An IT audit should be completed to determine if the current security structure matches the security policy of the firm. The IT audit will include creating the audit universe and expanding upon what will occur within the six audit stages. Audit Universe The firm has had computers stolen and data lost. The data loss can be the reason the firm has lost a contract from their largest customer. The data loss could be attributed to either the stolen systems or the ability of employees to access data which they were not authorized. The audit universe will focus on the loss of equipment and data. The physical security of systems and the user authentication and authorization to access data will be the main concentration of the audit. Planning The audit will start with a survey of the locations and interview employees to obtain a layout of the items which need to be audited. The interviews will provide input on the current controls which are in place to prevent the loss of equipment and data. Once the physical survey and interviews are completed, research will be completed to create checklists to guide the auditors through the audit. The checklist could be created by the audit team or standardized audit checklist could be used for the audit. A start date and timeframe for completion of the audit will be setup with the customer once the research and checklists are completed. CASE STUDY – IT AUDIT 3 Fieldwork and documentation The checklists and information derived from the planning phase are used to complete this phase of the audit. To complete the checklists, the auditor will talk with the employees, use software or hardware tools and monitor the employees. The physical security discussions will encompass how vendors and visitor are monitored while on the premises. The auditor will take up a position at each location and monitor how non-employees move around the location, if they access systems without authorization and if they are escorted or not. The user authentication and authorization audit will start with the procedures which are in place to add, modify or delete users and how passwords are reset. As with the physical security portion, the auditor will monitor the IT staff to see if they follow the procedures and if the procedures. The auditor will also use software to look for passwords which have not been changed according to policy and if allowed the auditor could run software against the password hashes to determine if passwords are still set to the default password. All of the auditor’s discussions and actions will be documented for future review and verification if required. Issue discovery and validation As part of the fieldwork, the auditor will be identifying any potential issue which would be reportable. Each issue must be verified or validated and determined if they would be a true risk before it can become a reportable item. The auditor may find out during the physical security discussion that vendors are allowed to move around the building without an escort. To verify this issue, the auditor could monitor the activities of the vendors as they come into the building. Similarly the auditor may monitor the vendor to see if they start accessing an employee’s system without authorization. Checking the group policies in the Active Directory could provide information on who has access to confidential data. If the issues are determined to CASE STUDY – IT AUDIT 4 be a true risk and valid then they would be documented with the validation process. Providing validated issues with the customer when they are found could help accelerate the next stage and build a good working relationship with the customer. Solution development If issues or deficits are identified in the previous stages, then solutions need to be determined which correspond to the deficits. Discussing the findings as the audit moves forward with customer is the best means to create solutions. Bringing the customer into the solution creation helps to prevent blindsiding them with solutions which may not fit their environment. And, the auditor and customer would be able to provide a better solution if they work together. It would be a good idea to look for solutions with the customer when an issue is validated. It is possible the customer may have a control in place, which was not shared with the auditor. An Escort policy may be on the books, but has not been followed in years and it needs to be resurrected. In another view, the solution could be implemented quickly and easily, which would provide the required control much earlier in the audit process. If passwords are found to still be set to the default reset password, setting up the users to change their password upon the next login attempt would a quick resolution to this issue. Setting up a policy to use random reset passwords in the future would easily correct the long term default password issue. If vendors are accessing employee’s unlocked systems, then creating a leave and lock policy would be quick and easy to complete. Solutions should meet the risk, but not cost more than the equipment or data is valued. Report drafting and issuance The documentation created in the previous stages will be used to create the audit report. CASE STUDY – IT AUDIT 5 The audit report will discuss the scope or audit universe, identify any issues or deficiencies identified, controls currently in place and solutions for the identified deficiencies. Setting up the report to identify the positive items found in the audit, as well as the issues found with the solutions will provide the customer with hope versus dread. The report will be submitted to the customer for review and comment prior to final submission. The customer’s comments may be added to the report if they do not detract from the findings and add value to the report. All corrective actions need to have a date of completion, which should be worked out with the customer to make sure the dates are within reach. When the final report is produced it should be issued to the customer based on the contract or level of management who requested the audit. It would be beneficial to customer relations, if it was possible to supply the report to the IT staff who will managing the corrective action. Issue tracking Once the report is issued to the customer, the issues identified in the report need to be monitored for corrective action. The auditor should not wait till the due date to check on the corrective actions. The auditor should perform periodic checks to see if the corrective actions will meet the security measures required for the issue. If the corrective actions are taking longer than originally thought, then an extension could be used to provide additional time. The only problem with extension is they cannot go on forever.