Auditing the Infrastructure and Operations

Computer Audit Basics – 2
Auditing the Infrastructure and Operations
Ross Palmer
MIIA; FIIA; CISA; MBCS
Computer Audit Manager, Hogg Robinson plc
ross.palmer@hrplc.co.uk
A Definition of Risk
The potential that a given threat will exploit vulnerabilities of an asset or group of assets to cause loss or damage to those assets.
(ISO/IEC TR 13335, Guidelines for the Management of IT Security)
In other words: something bad WILL happen, or something good WON’T happen.

A Definition of Risk Management
The co-ordinated activities that direct and control an organisation with regard to risk.
(BS 7799-2, Information Security Management Systems – Specification; the wording is taken from ISO/IEC Guide 73. ISO 17799 is the companion code of practice, not the specification.)
• Risk Identification
• Prioritisation (Impact x Likelihood)
• Treatment of inherent risk
• Treatment of residual risk
Information Processing Objectives
Definitions: Confidentiality
Prevention of disclosure of sensitive information resources to unauthorised individuals or organisations.
Failure to achieve this may result in:
• Loss of competitive advantage
• Loss of business
• Fraud (unauthorised diversion of goods or funds)
• Damage to customer or shareholder confidence, image and/or reputation
• Breach of statutory, regulatory or contractual obligations
• Damaging effect on staff motivation or morale
Definitions: Integrity
Prevention of accidental corruption, deliberate unauthorised manipulation, or inaccurate entry and/or processing of business information resources.
Failure to achieve this may result in:
• All of the foregoing for “Confidentiality”
• Incorrect or inappropriate management decisions
• Disruption of business activity
Definitions: Availability
Prevention of business information stored in or processed by systems becoming lost or unavailable for an extended period.
Failure to achieve this may result in:
• Difficulty in recovering from backlogs of processing
• Additional costs
• Loss of business
• Damage to customer or shareholder confidence, image and/or reputation
• Breach of statutory, regulatory or contractual obligations
Definitions: Effectiveness
Maximising the conformance of outputs from an activity to a specification or need.
(Meaning: “Doing the right things”)
Failure to achieve this may result in:
• Processes not in accordance with business requirements
• Breach of contract or SLA
• Legal proceedings
Definitions: Efficiency
Optimising the ratio of inputs to outputs for an activity.
(Meaning: “Doing things right”)
Failure to achieve this may result in:
• Wasted processing resources
• Loss of profits
• Difficult systems maintenance
Definitions: Economy
Minimising the cost of the inputs to an activity or the resources needed to deliver a service.
(Meaning: “Doing things cheaply”)
Failure to achieve this may result in:
• Additional, unnecessary costs
• Imprudent management
• Loss of business
• Enforced cost-cutting (redundancies; skills loss; etc.)
Definitions: Compliance
Avoidance of breaches of any criminal and civil law, statutory, regulatory or contractual obligations and of any security requirements.
Failure to achieve this may result in:
• Civil or criminal lawsuits (corporate/individual)
• Invocation of contractual penalties
• Inability of the Board to implement corporate governance protocols
A Hierarchy of Internal Control
Internal controls can be categorised into the following hierarchy:
1. Preventive Controls (“before the fact”)
• The most important control type since, if 100% effective (which it never is), none of the others would be necessary – physical barriers, passwords
• Healthcare analogy: Prophylactics (e.g. immunisation programmes)
2. Detective Controls (“after the fact”)
• If a preventive mechanism fails, this is the first type of control necessary to identify this fact prior to correction – audit trails, monitoring
• Healthcare analogy: Diagnoses (e.g. check-ups; ECGs)
3. Corrective Controls (“before or after the fact”)
• This type of control is designed to correct a problem – change control, overrides
• Healthcare analogy: Surgery (e.g. heart by-pass; tumour excision)
4. Deterrent Controls (“instead of the fact”)
• Designed to advise against certain forms of action – security policy, logon warning
• Healthcare analogy: Government Health Warnings (e.g. tobacco; alcohol)
Note that a detective control is only as good as its review: an audit trail that nobody reads detects nothing, and a logon warning deters but never prevents.
Typical IT Organisational Infrastructure
(Organisation chart. Functions shown: Board; Audit Committee; Internal Audit; Marketing; Sales; Finance; Human Resources; IT Directorate, with Projects, Data Mgt, Quality Assurance, Operations, Security Admin, Database Admin, Network Mgt, Media Library, Job Control and Control Group.)
Let’s take it from the top ….
You can’t operate in a vacuum. If nobody at the top of the organisational infrastructure is going to take control seriously, then it is highly likely that others will not do so.
At risk of teaching granny to suck eggs, here are some top-level essentials to consider:
1. Strategy
2. Risk Appetite
3. Planning (short/long term)
4. Monitoring & Control
5. Organisational Structure
6. Policies & Standards
7. Classification of Information
High-Level Essentials (1)
Strategy
1. Does the IT Department have formalised objectives?
• Obtain notes of departmental planning meetings
• Get inside IT Directorate’s world and regular forums (“fora”?)
2. Do they map on to the needs of the organisation?
• Obtain minutes of Board Meetings
• Review public-facing websites
3. Who has determined/approved them?
• Review attendance and actions arising from minutes
4. Have they been prioritised on the basis of risk?
• Ask for and inspect the risk register
• Review regularity of risk register maintenance
Caveat: Do not second-guess or question business or IT strategies.
High-Level Essentials (2)
Risk Appetite
1. Is there a rolling programme of risk management within the IT Dept?
• Review risk register/reports for appropriate participation
• Look for a business focus for risks
2. Is there a defined risk assessment model?
• Review adequacy of identification (e.g. brainstorming; right people)
• Review process of risk scoring (e.g. as a product of business impact and likelihood) and prioritisation
3. Are “high” risks treated appropriately?
• Look for evidence of appropriate treatment (if any) – see next slide
Caveat: Do not second-guess or question the risks identified or their scoring.
STRATEGIES FOR TREATING RISKS (TRAP)
• Terminate the activity being undertaken which generates risk
• Reduce the risk by introducing new or enhancing existing controls
• Accept the risk where existing controls are felt to be adequate
• Pass on the risk to another party – usually through insurance or redefining responsibility
(Note that passing on a risk transfers some of its financial impact; accountability for the asset, and for any residual risk, stays with the organisation.)
High-Level Essentials (3)
Planning
1. Has an IT Planning/Steering Committee been established?
• Look for evidence of formal establishment and duties, e.g. charter, minutes
2. Does it comprise appropriate membership?
• From documentation, look for representation from business management, IT and the user base
• The chairperson should be suitably appointed from the Board or senior management (i.e. who understands the business and technology needs)
3. Are long and short term plans maintained?
• Review output from the planning committee, looking for “hard” (1 – 3 months) and “soft” (3 months – 2 years) plans/reviews/approvals for IT
• Look for planning reviews as high on a regular meeting agenda
• Plans should reflect budgets, skill pools, “the market place”
Caveat: Do not second-guess or question plans.
High-Level Essentials (4)
Monitoring & Control
Definitions (from the Institute of Internal Auditors):
Monitoring: Encompasses supervising, observing and testing activities and appropriately reporting to responsible individuals. Monitoring provides an ongoing verification of progress toward the achievement of objectives and goals.
Control: Any action taken by management, the board, and other parties to enhance risk management and increase the likelihood that established objectives and goals will be achieved. Management plans, organises, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
1. Are the activities of the IT Dept monitored against plans and objectives?
• Obtain evidence of SLAs, processing schedules, tolerances, quality standards, etc.
• Establish the means by which such targets are monitored
2. Are control measures implemented to restore deviations from plans?
• Review Planning/Steering Committee minutes for change requirements
• Review related change records for completeness
High-Level Essentials (5)
Organisational Infrastructure
1. Does the IT Department have a formalised structure?
• Obtain and review up-to-date organisation charts and job descriptions
2. Does the IT Dept organisation provide for commitment and capability?
• Look for appointments to the Board (e.g. IT Director) or other “clout”
• Look for chain of reporting throughout the IT Dept to this position
3. Have IT Dept duties been effectively segregated?
• Review organisation structure for obvious compromises (e.g. a developer who can also promote code to live, or an operator who also controls the media library)
Segregation of Duties – two definitions:
A method for reducing the risk of accidental or deliberate system misuse. Separating the management or execution of certain duties or areas of responsibility, in order to reduce opportunities for unauthorised modification or misuse of information or services, should be considered. (ISO17799)
A basic control that prevents or detects errors and irregularities by assigning responsibility for initiating transactions, recording transactions and custody of assets to separate individuals. Commonly used in large IT organizations so that no single person is in a position to introduce fraudulent or malicious code without detection. (ISACA)

Segregation of Duties (per CISA Manual)
High-Level Essentials (6)
Policies & Standards
1. Does the organisation have an IT security policy in place?
• Review the processes for creation, approval, review, maintenance, distribution and understanding
2. Does this policy address key security issues?
• Obtain an up-to-date copy and look for content governing:
  - IT Systems (incl. Internet/Email) access & security incidents
  - Data Protection
  - Unauthorised software (installation, copyright)
  - Care and (mis)use of equipment
3. Are technology standards formally defined and available?
• Establish and review configuration standards, operating instructions, etc.
High-Level Essentials (7)
Classification of Information
1. Does the enterprise apply a system of information classification?
• Look for a documented standard for information classification
• Establish its availability to staff and how it is communicated
2. Does it address criticality, sensitivity and availability of data?
• Ensure the classification scheme takes account of:
  - Business impact of a loss of confidentiality, integrity or availability
  - Sensitivity of information processed, stored or transmitted (electronic and paper)
  - Identified risks particular to the installation
3. Do all classified systems and data have an owner?
• Seek documentation (e.g. inventory) specifying data/data type ownership, classification approval, data access criteria, last review date
THE OPERATIONS ENVIRONMENT - BASIC REQUIREMENTS
What does an operational environment need to make it function?
• Achievement of realistic service targets
• Run in accordance with sound and sensible disciplines – security, safety, efficiency, good humour, etc.
• Ability to identify incidents (but not necessarily adverse ones)
• Ability to resolve or escalate incidents
• Ability to respond to changes
THE OPERATIONS ENVIRONMENT - SESSION FEEDBACK
The following were the first 5 spontaneous responses from the September 7th session audience (good effort) to the question “What does an Operations department do?”:
• Schedule jobs
• Process jobs
• Data maintenance
• System maintenance
• Back-ups
THE OPERATIONS ENVIRONMENT
13 CRITICAL FACTORS TO CONSIDER
1. People (and contractors)
2. Operating Procedures
3. Media Handling
4. Back-ups and Restoration
5. Contingency Planning
6. Change Management
7. Problem Management
8. Operator Logs
9. System Maintenance
10. Network Management
11. Outsourcing Operations
12. Security
13. Corporate Governance
THE OPERATIONS ENVIRONMENT
1. PEOPLE (and contractors)
Personnel who run the computer installation should:
1. have the necessary skills to run the operations competently
2. be in sufficient numbers to provide absentee cover, shift
patterns and segregation of essential tasks
3. have their responsibilities clearly defined in job descriptions
4. be provided with adequate training to maintain knowledge
5. be screened for suitability and should sign confidentiality
agreements
6. have the ability and commitment to work under normal, peak,
exceptional and emergency conditions
7. have their motivation and morale maintained
THE OPERATIONS ENVIRONMENT
2. OPERATING PROCEDURES
Operations functions and staff should be supported by documented procedures that overcome “Organisational Amnesia”.
“ORGANISATIONAL MEMORY” is:
• The institution-specific knowledge accrued from experience
• An intellectual asset unique to each organisation
• The most important constituent of any institution’s durability
“ORGANISATIONAL AMNESIA” arises from:
• Recall of memory selectively (through “defensive reasoning”)
• Resignations when employees leave to join other organisations
• Redundancies
• Retirement of key individuals
• Rotation of staff
So, companies cannot benefit from tried and tested experiences, resulting in:
• reinventing the wheel
• repeating mistakes (there go those “R”s again)
(from Arnold Kransdorff, Business Historian)
(Chart: 50-year employment profile of “a British company”, 1945 – 2000. Percentage of managers with at least 6-year tenure, plotted in five-year steps on a 10% – 100% scale.)
THE OPERATIONS ENVIRONMENT
2. OPERATING PROCEDURES
Operations functions and staff should be supported by documented procedures that overcome “Organisational Amnesia” and that:
1. are comprehensive, available (but protected, especially for use of system utilities), approved, periodically reviewed, clear and unambiguous
2. specify start-up, shut-down, back-up, restart and recovery routines
3. are subject to formal change/version control
4. specify scheduling requirements (e.g. earliest job start and latest job completion times) and interdependencies with other systems
5. clearly explain how to deal with specific error messages or other exceptional conditions (including third-party supplier software)
6. provide support contacts for unexpected difficulties
7. include mandatory safety factors
THE OPERATIONS ENVIRONMENT
3. MEDIA HANDLING (1)
Damage to/loss of information assets, unauthorised access
or business interruptions can be minimised through:
1. Media library and information storage/handling procedures,
responsibilities and access controls specified, formalised and
allocated
2. Media library inventory and discrepancy reporting/resolution
3. Minimising/encrypting external labelling …
4. … but labelling with the correct security classification …
5. … and standardised retention periods with storage criteria (e.g. write
permit devices) …
6. … and data ownership (not custody)
7. Provision of secure and environmentally sound physical storage
THE OPERATIONS ENVIRONMENT
3. MEDIA HANDLING (2)
8. Continued data integrity mechanisms (e.g. version control, output validation) to minimise fraud and human error
9. Secure, segregated access to system documentation (e.g. system descriptions, operating procedures, run authorisations, data entities)
10. Restricted printer destinations
11. Minimised copies of sensitive output (“need to know” basis)
12. Secure disposal of redundant media:
• Over-writing of electronic media (the slide suggests up to 10 passes; NIST SP 800-88 treats a single verified pass as adequate for magnetic disks, and advises cryptographic erase or physical destruction for flash media and SSDs, where an overwrite from the host cannot reach every cell)
• Physical destruction (very therapeutic !) of hard drives, CDs, etc.
• Secure shredding/incineration of sensitive printout
• Secure contracts for media disposal
THE OPERATIONS ENVIRONMENT
4. BACK-UPS AND RESTORATION (1)
The ability to recover from data loss or corruption can be
optimised by:
1. Formalisation of a media (data and software) back-up and
restoration strategy. The strategy must anticipate failure at any
point in the processing cycle.
2. Taking software back-up copies (considering intellectual
property rights and escrow agreements, where appropriate)
together with updates, upgrades, patches, service packs,
documentation, etc.
3. Transporting and storing software back-ups securely and
appropriately (e.g. physically secure in an off-site fire-safe, at a
location where fast retrieval can be achieved).
4. Taking critical data back-ups regularly (possibly more than once
a day) on a cyclical basis agreed by the business data owner (as
opposed to custodian)
THE OPERATIONS ENVIRONMENT
4. BACK-UPS AND RESTORATION (2)
Typical data back-up cycle:
1. Create and label daily backup media (e.g. DLT cartridge (<35 GB); diskette (<1.44 MB)), make incremental copies of changed data and transfer securely to offsite store
(Diagram: DAY-1 to DAY-5 data, each with one B/UP copy held at the data centre and a second B/UP copy transferred to the offsite store.)
2. Create and label weekly backup media and make full copies of data and transfer securely to offsite store
(Diagram: WEEK-1 data with full WK-1 B/UP copies at the data centre and the offsite store, alongside the DAY-1 to DAY-5 incremental B/UPs held in the offsite store.)
(Diagram: a five-week rotation, WEEK-1 to WEEK-5 data with full WK-1 to WK-5 B/UPs and the DAY-1 to DAY-5 incrementals held across the data centre and the offsite store.)
THE OPERATIONS ENVIRONMENT
4. BACK-UPS AND RESTORATION (3)
6. Backing up masterfiles, databases, transaction files, parameter settings and system documentation on-site and off-site
7. Formalisation of off-site storage facilities, i.e. receipt procedure, log of media locations, write-permit devices, dual check of tapes to be re-used
8. Suitable data archive storage conditions, e.g. humidity, fire/flood hazards
9. Periodic sample testing of data back-ups for “readability” and observance of media manufacturer’s “shelf life” recommendations
10. A clear and protected window of opportunity for data back-ups to complete
11. The use of checkpoints during processing, to minimise the need for complete re-starts or restorations
12. Segregating the security privilege permitting recovery from other data processing/programming tasks
13. Awareness of statutory, etc. requirements, e.g. DPA; Inland Revenue
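The back-up cycle above and the tests in items 9 and 11 lend themselves to a worked example. The following Python is added here and is not part of the original slides: it models the catalogue an operations team keeps of the weekly full and daily incremental sets shown in the diagrams, computes the restore chain for a target date, refuses a chain in which a business day's incremental is missing (restoring the remaining sets would silently produce a wrong state), and performs the "readability" sample test by re-hashing what the media reads back against the digest recorded when it was written. The media labels follow the diagrams; the dates, payloads, the "key=value" file format and the Monday-to-Friday processing assumption are constructed for the example.

```python
"""Backup catalogue checks: restore chain, gap detection and readability.

Added example; it models an operations catalogue, not any backup product's API.
"""
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupSet:
    label: str            # media label as in the diagrams, e.g. WK-1 or DAY-3
    taken: date
    kind: str             # "full" (weekly) or "incr" (daily changed data)
    location: str         # "data-centre" or "offsite"
    payload: bytes        # what reads back from the media (constructed)
    recorded_sha256: str  # digest written to the media log at backup time


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_set(label, taken, kind, location, payload):
    """Record the digest at backup time, as the media log would."""
    return BackupSet(label, taken, kind, location, payload, sha256(payload))


# Constructed catalogue: Friday full, then Monday to Wednesday incrementals.
# Payloads are "key=value" lines standing in for the files on the media.
CATALOGUE = [
    make_set("WK-1", date(2005, 9, 2), "full", "offsite", b"acct=100\nrate=1.0\n"),
    make_set("DAY-1", date(2005, 9, 5), "incr", "offsite", b"acct=120\n"),
    make_set("DAY-2", date(2005, 9, 6), "incr", "offsite", b"rate=1.1\n"),
    make_set("DAY-3", date(2005, 9, 7), "incr", "offsite", b"acct=125\n"),
]
# The same DAY-2 media after a read error: one byte differs from what was written.
CORRUPTED_DAY2 = BackupSet("DAY-2", date(2005, 9, 6), "incr", "offsite",
                           b"rate=1.7\n", CATALOGUE[2].recorded_sha256)


def readability_check(b: BackupSet) -> bool:
    """Item 9: sample-test the media by re-hashing what it reads back."""
    return sha256(b.payload) == b.recorded_sha256


def restore_chain(catalogue, target: date):
    """Sets needed to restore to close of business on `target`: the latest full
    on or before target, then every incremental after it up to target.
    Raises LookupError when a business day's incremental is missing."""
    fulls = [b for b in catalogue if b.kind == "full" and b.taken <= target]
    if not fulls:
        raise LookupError(f"no full backup on or before {target}")
    base = max(fulls, key=lambda b: b.taken)
    incrs = sorted((b for b in catalogue
                    if b.kind == "incr" and base.taken < b.taken <= target),
                   key=lambda b: b.taken)
    have = {b.taken for b in incrs}
    day = base.taken + timedelta(days=1)
    while day <= target:
        if day.weekday() < 5 and day not in have:   # Mon-Fri processing assumed
            raise LookupError(f"restore chain broken: no incremental for {day}")
        day += timedelta(days=1)
    return [base] + incrs


def chain_is_complete(catalogue, target: date) -> bool:
    try:
        restore_chain(catalogue, target)
        return True
    except LookupError:
        return False


def replay(chain) -> dict:
    """Apply the full, then each incremental in date order, refusing any set
    that fails its readability check rather than restoring bad data."""
    state = {}
    for b in chain:
        if not readability_check(b):
            raise IOError(f"{b.label} ({b.taken}) does not match its recorded digest")
        for line in b.payload.decode().splitlines():
            key, _, value = line.partition("=")
            state[key] = value
    return state


if __name__ == "__main__":
    chain = restore_chain(CATALOGUE, date(2005, 9, 7))
    print([b.label for b in chain], replay(chain))
    print("DAY-2 readable after read error:", readability_check(CORRUPTED_DAY2))
    print("chain complete without DAY-2:",
          chain_is_complete([b for b in CATALOGUE if b.label != "DAY-2"], date(2005, 9, 7)))
```

The gap check is the part most often missing from real restore procedures: an incremental that was never taken, or whose media is in the wrong store, is not noticed until the restore is attempted, which is why item 9's periodic sample restore exists.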
THE OPERATIONS ENVIRONMENT
5. CONTINGENCY PLANNING
Interruptions to business activities can be minimised and
critical business processes protected from major failures or
disasters by:
1. Formalising the requirement for a business continuity facility within
the organisation driven by the business (not by IT)
2. Involvement of Operations personnel in the Business Impact
Analysis
3. Location of the Business Continuity Plan (Operations), Disaster
Recovery and Crisis Management Procedures in secure, on-site and
off-site locations
4. Operations representation in the organisation’s Crisis Response
Team
5. Operations involvement in testing, feedback and review of plans
THE OPERATIONS ENVIRONMENT
6. CHANGE MANAGEMENT
Unauthorised or erroneous changes to software are
minimised in the Operations environment by:
1. Organisational change controls being formalised, approved and
maintained
2. Ensuring only the current, tested, approved version handed over from
developers is promoted to live and only by authorised personnel
3. Operations Dept. being involved in change management and testing,
where appropriate, e.g. capacity planning, volume testing,
performance monitoring
4. Controls over emergency changes, e.g. emergency passwords
controlled by the shift manager and change formalisation at the
earliest opportunity
5. Strong controls, e.g. dual control, over use of powerful utilities for
one-time record changes
6. Regular back-ups of program libraries and recoverability testing
THE OPERATIONS ENVIRONMENT
7. PROBLEM MANAGEMENT
The effects of problems and security incidents are minimised
through:
1. A standard procedure for reporting and logging software malfunctions
2. A reliable means of communicating incidents, symptoms, causes and
resolutions to the support personnel
3. Clear and concise documentation to identify known (expected)
program errors, e.g. error codes, validation exception reports, job
“abends” (abnormal endings)
4. Up to date and step-by-step instructions to rectify expected errors,
including contact numbers of technical support (and software
vendors, if appropriate) for further information
5. Resolving and learning (“post facto” analysis) from incidents
6. Effective training for Operations work and concepts
THE OPERATIONS ENVIRONMENT
8. OPERATOR LOGS
The integrity and availability of information processing
services are maintained through:
1. Operating procedures clearly identifying the logs that need to be kept
2. Internal review of operator logs and satisfactory resolution of faults,
ensuring that security has not been compromised (this will require
definition and understanding by Operations management)
3. All shift changes, carry-over operations and special requirements
being recorded
4. Archiving of operator logs (manually and electronically) such that
they can be identified and retrieved when required
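As an added example (not from the slides), here is a log review of the kind item 2 describes, run over a constructed operator log. It checks each use of a powerful one-time-change utility (hypothetically named `dbfix`) against the change records of the Change Management slide, namely an approved window and an independent approver for dual control, flags an emergency use that was never formalised as a change, and checks that every shift boundary in the period covered has a handover record (item 3). The log format, the three-shift pattern, the change identifiers and the operator names are all assumptions made for the example.

```python
"""Review of an operator log against change records and shift handovers.

Added example; the log format, shift pattern and utility name are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log: one operator action per line, "key=value" fields.
OPERATOR_LOG = """\
2005-09-05 07:58 HANDOVER from=night to=day carried_over=PAYROLL_RERUN
2005-09-05 09:12 JOB START name=PAYROLL_RERUN operator=op_jones
2005-09-05 10:40 UTIL dbfix operator=op_jones approver=mgr_smith change=CHG-0412 target=CUSTMAST rec=10993
2005-09-05 14:05 UTIL dbfix operator=op_patel approver=- change=- target=CUSTMAST rec=22017
2005-09-05 15:55 HANDOVER from=day to=late carried_over=-
2005-09-05 23:10 UTIL dbfix operator=op_jones approver=op_jones change=CHG-0412 target=CUSTMAST rec=10994
2005-09-06 07:57 HANDOVER from=night to=day carried_over=-
2005-09-06 08:03 JOB START name=DAILY_BACKUP operator=op_lee
"""

# Constructed change records (hypothetical identifiers): the approved window
# for the one-time record change and the named second person for dual control.
CHANGE_RECORDS = {
    "CHG-0412": {"window": ("2005-09-05 09:00", "2005-09-05 12:00"),
                 "approver": "mgr_smith"},
}

SHIFT_STARTS = ("00:00", "08:00", "16:00")   # assumed three-shift pattern
HANDOVER_TOLERANCE = timedelta(minutes=30)   # handover logged this close to the boundary
TS_FORMAT = "%Y-%m-%d %H:%M"


def parse(log):
    """Split each line into timestamp, record kind, free words and key=value fields."""
    entries = []
    for n, line in enumerate(log.splitlines(), 1):
        toks = line.split()
        if len(toks) < 3:
            continue
        fields = dict(t.split("=", 1) for t in toks[3:] if "=" in t)
        words = " ".join(t for t in toks[3:] if "=" not in t)
        entries.append({"line": n, "ts": datetime.strptime(f"{toks[0]} {toks[1]}", TS_FORMAT),
                        "kind": toks[2], "sub": words, **fields})
    return entries


def review_utility_use(entries, changes):
    """Each use of a powerful utility needs an independent approver and an
    approved change record whose window covers the time of use."""
    findings = []
    for e in entries:
        if e["kind"] != "UTIL":
            continue
        op, approver, ref = e.get("operator"), e.get("approver", "-"), e.get("change", "-")
        if approver in ("-", op):
            findings.append((e["line"], "NO_DUAL_CONTROL",
                             f"{e['sub']} by {op} without an independent approver"))
        if ref == "-":
            findings.append((e["line"], "UNREFERENCED_CHANGE",
                             f"{e['sub']} by {op} with no change record (emergency change not formalised)"))
            continue
        rec = changes.get(ref)
        if rec is None:
            findings.append((e["line"], "UNKNOWN_CHANGE", f"{ref} is not in the change records"))
            continue
        start, end = (datetime.strptime(t, TS_FORMAT) for t in rec["window"])
        if not start <= e["ts"] <= end:
            findings.append((e["line"], "OUTSIDE_WINDOW",
                             f"{ref} approved for {start:%Y-%m-%d %H:%M} to {end:%H:%M}, "
                             f"used at {e['ts']:%Y-%m-%d %H:%M}"))
        if approver not in ("-", op) and approver != rec["approver"]:
            findings.append((e["line"], "APPROVER_MISMATCH",
                             f"{approver} signed off but {ref} names {rec['approver']}"))
    return findings


def review_handovers(entries):
    """Every shift boundary inside the period the log covers needs a HANDOVER record."""
    if not entries:
        return []
    first, last = entries[0]["ts"], entries[-1]["ts"]
    handovers = [e["ts"] for e in entries if e["kind"] == "HANDOVER"]
    findings, day = [], first.date()
    while day <= last.date():
        for hm in SHIFT_STARTS:
            boundary = datetime.combine(day, datetime.strptime(hm, "%H:%M").time())
            if first <= boundary <= last and not any(
                    abs(h - boundary) <= HANDOVER_TOLERANCE for h in handovers):
                findings.append((None, "NO_HANDOVER_RECORD",
                                 f"no handover logged around {boundary:%Y-%m-%d %H:%M}"))
        day += timedelta(days=1)
    return findings


def review(log, changes):
    """All findings as (log line or None, code, detail): utility findings in
    log order, then the missing handovers in boundary order."""
    entries = parse(log)
    return review_utility_use(entries, changes) + review_handovers(entries)


if __name__ == "__main__":
    for line, code, detail in review(OPERATOR_LOG, CHANGE_RECORDS):
        print(f"line {line}: {code}: {detail}")
```

On the sample log the review raises five findings: the 14:05 use with no approver and no change reference (the emergency-change case, which the shift manager should have formalised afterwards), the 23:10 use that the operator approved for himself and ran eleven hours outside the approved window, and the missing handover at the start of the 6 September night shift. The 10:40 use is clean and produces nothing, which is the point of defining the checks precisely before the review rather than reading the log by eye.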
THE OPERATIONS ENVIRONMENT
9. SYSTEM MAINTENANCE
Continued availability and integrity of systems can be enhanced by:
1. Formalising a cyclical schedule of maintenance tasks with accountability for their performance
2. Carrying out regular approved and specified back-ups (described earlier)
3. Optimising system performance through secure use of appropriate utilities, e.g. off-line file compression; disk defragmentation
4. Following approved equipment manufacturer’s prescribed maintenance regime, e.g. regular cleaning of drive mechanisms, air filters and printers
5. Effective service warranties and supplier contracts
6. Realistic Service Level Agreements (SLAs)/contracts
7. Maintaining a record of percentage “up-time” against SLA
8. Fostering a sense of teamwork with other departments, including socially
THE OPERATIONS ENVIRONMENT
10. NETWORK MANAGEMENT
Integrity, security and availability of networks and applications can be enhanced through:
1. Organisational segregation of Network Management responsibility from Operations (where possible)
2. Additional dual-control of Network Management and Operations (where not possible) – alternative preventive mechanism against conspiracy, minimising the need for trust
3. Activity monitoring (where not possible) – alternative detective mechanism against conspiracy
4. On-screen warnings about unauthorised network access, including by Operations – alternative deterrent mechanism
THE OPERATIONS ENVIRONMENT
11. OUTSOURCING OPERATIONS
When the responsibility for information processing has been outsourced to another organisation, security of information can be enhanced by:
1. Ensuring that information resources processed are only in the custody of the third party and that data ownership is clear and formalised
2. Establishing contracts between both organisations specifying responsibility for:
• Performance criteria
• System availability
• Security of information – logical/physical controls
• Integrity testing
• Penalty clauses/defaults
• Rights to audit
THE OPERATIONS ENVIRONMENT
12. SECURITY
Security within the Operations environment can be optimised by:
1. Enforcing logical access restrictions to systems and data
• Segregation of access, e.g. between media library and job control
• Authorised levels of security profile, changes and monitoring
2. Enforcing physical access restrictions to systems and data
• Perimeter/internal security, e.g. security guards; card access/time zones
3. Enforcing environmental security measures
• Environmental controls – humidity, fire/flood precautions
• Restrictions on smoking and food/drink consumption
• Power back-ups, cabling and telecommunications
THE OPERATIONS ENVIRONMENT
13. CORPORATE GOVERNANCE
Corporate governance responsibilities have increased through:
1. Progressive requirements and guidance:
• Cadbury – financial controls guidance (1992)
• Rutteman – directors’ reporting guidance (1994)
• Hampel – financial controls, listed companies (1998)
2. Combined Code/Turnbull (guidance issued 1999, applying to accounting periods from 2000):
• Need to report on review of effectiveness of system of financial, operational and compliance internal controls and risk management
3. Higgs/Smith (2003):
• Non-executive directors and audit committee responsibilities
4. Sarbanes-Oxley (U.S., 2002):
• Law with criminal enforcement, rather than regulatory guidance
MORE INFORMATION ……
“Using information from another source is plagiarism. Using information from a number of sources is research …..”
The presenter’s own experiences and opinions in this session have been complemented by references from a variety of sources including:
• Information Security Forum (www.securityforum.org)
• Information Systems Audit and Control Association (www.isaca.org)
• IT Governance Institute (www.itgi.org)
• Information Technology – Code of Practice for Information Security Management (www.bsi-global.com)
• Institute of Internal Auditors – UK & Ireland (www.iia.org.uk)
• IT Infrastructure Library, ITIL (www.itilpeople.com)
• European Corporate Governance Institute (www.ecgi.org)
• Guidance for NHS Board members – Information Management & Technology (thanks to Tim Moynihan for this subsequent link) (www.nhsia.nhs.uk/nhid/pages/resource_informatics/IMT_guidance_booklet.pdf)