IT Audit Methodologies


- CobiT
- BS 7799 - Code of Practice (CoP)
- BSI - IT Baseline Protection Manual
- ITSEC
- Common Criteria (CC)

IT Audit Methodologies - URLs

- CobiT: www.isaca.org
- BS 7799: www.bsi.org.uk/disc/
- BSI: www.bsi.bund.de/gshb/english/menue.htm
- ITSEC: www.itsec.gov.uk
- CC: csrc.nist.gov/cc/

Main Areas of Use

- IT Audits
- Risk Analysis
- Health Checks (Security Benchmarking)
- Security Concepts
- Security Manuals / Handbooks

Security Definition

- Confidentiality
- Integrity
  - Correctness
  - Completeness
- Availability

CobiT

- Governance, Control & Audit for IT
- Developed by ISACA
- Releases
  - CobiT 1: 1996
    - 32 Processes
    - 271 Control Objectives
  - CobiT 2: 1998
    - 34 Processes
    - 302 Control Objectives

CobiT - Model for IT Governance

- 36 Control models used as basis:
  - Business control models (e.g. COSO)
  - IT control models (e.g. DTI's CoP)
- CobiT control model covers:
  - Security (Confidentiality, Integrity, Availability)
  - Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
  - IT Resources (Data, Application Systems, Technology, Facilities, People)

CobiT - Framework (diagram)

CobiT - Structure

- 4 Domains
  - PO - Planning & Organisation: 11 processes (high-level control objectives)
  - AI - Acquisition & Implementation: 6 processes (high-level control objectives)
  - DS - Delivery & Support: 13 processes (high-level control objectives)
  - M - Monitoring: 4 processes (high-level control objectives)


PO - Planning and Organisation

PO 1 Define a Strategic IT Plan

PO 2 Define the Information Architecture

PO 3 Determine the Technological Direction

PO 4 Define the IT Organisation and Relationships

PO 5 Manage the IT Investment

PO 6 Communicate Management Aims and Direction

PO 7 Manage Human Resources

PO 8 Ensure Compliance with External Requirements

PO 9 Assess Risks

PO 10 Manage Projects

PO 11 Manage Quality

AI - Acquisition and Implementation

AI 1 Identify Solutions
AI 2 Acquire and Maintain Application Software
AI 3 Acquire and Maintain Technology Architecture
AI 4 Develop and Maintain IT Procedures
AI 5 Install and Accredit Systems
AI 6 Manage Changes

DS - Delivery and Support

DS 1 Define Service Levels
DS 2 Manage Third-Party Services
DS 3 Manage Performance and Capacity
DS 4 Ensure Continuous Service
DS 5 Ensure Systems Security
DS 6 Identify and Attribute Costs
DS 7 Educate and Train Users
DS 8 Assist and Advise IT Customers
DS 9 Manage the Configuration
DS 10 Manage Problems and Incidents
DS 11 Manage Data
DS 12 Manage Facilities
DS 13 Manage Operations

M - Monitoring

M 1 Monitor the Processes
M 2 Assess Internal Control Adequacy
M 3 Obtain Independent Assurance
M 4 Provide for Independent Audit

CobiT - IT Process Matrix

The matrix relates three axes:
- Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT Resources: People, Applications, Technology, Facilities, Data
- IT Processes: the 34 processes of the four domains

CobiT - Summary

- Mainly used for IT audits, incl. security aspects
- No detailed evaluation methodology described
- Developed by international organisation (ISACA)
- Up-to-date: Version 2 released in 1998
- Only high-level control objectives described
- Detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown in graphic form
- May be used for self assessments
- Useful aid in implementing IT control systems
- No suitable basis to write security handbooks
- CobiT package from ISACA: $ 100.--
- 3 parts freely downloadable from ISACA site
- Software available from Methodware Ltd., NZ (www.methodware.co.nz)
  - CobiT Advisor 2nd edition: US$ 600.--

BS 7799 - CoP

- Code of Practice for Information Security Management
- Developed by UK DTI, BSI: British Standard
- Releases
  - CoP: 1993
  - BS 7799: Part 1: 1995
  - BS 7799: Part 2: 1998
- Certification & Accreditation scheme (c:cure)

BS 7799 - Security Baseline Controls

- 10 control categories
- 32 control groups
- 109 security controls
- 10 security key controls

BS 7799 - Control Categories

- Information security policy
- Security organisation
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management
- System access control
- Systems development & maintenance
- Business continuity planning
- Compliance

BS7799 - 10 Key Controls

- Information security policy document
- Allocation of information security responsibilities
- Information security education and training
- Reporting of security incidents
- Virus controls
- Business continuity planning process
- Control of proprietary software copying
- Safeguarding of organizational records
- Data protection
- Compliance with security policy

BS7799 - Summary

- Main use: Security Concepts & Health Checks
- No evaluation methodology described
- British Standard, developed by UK DTI
- Certification scheme in place (c:cure)
- BS7799, Part 1, 1995 is being revised in 1999
- Lists 109 ready-to-use security controls
- No detailed security measures described
- Very user friendly - easy to learn
- Evaluation results not shown in graphic form
- May be used for self assessments
- BS7799, Part 1: £ 94.--
- BS7799, Part 2: £ 36.--
- BSI Electronic book of Part 1: £ 190.-- + VAT
- Several BS7799 c:cure publications from BSI
- CoP-iT software from SMH, UK: £ 349 + VAT (www.smhplc.com)

BSI (Bundesamt für Sicherheit in der Informationstechnik)

- IT Baseline Protection Manual (IT-Grundschutzhandbuch)
- Developed by German BSI (GISA: German Information Security Agency)
- Releases:
  - IT security manual: 1992
  - IT baseline protection manual: 1995
  - New versions (paper and CD-ROM): each year

BSI - Approach

- Used to determine IT security measures for medium-level protection requirements
- Straightforward approach, since no detailed risk analysis is performed
- Based on generic and platform-specific security requirements, detailed protection measures are constructed from the given building blocks (modules)
- The list of assembled security measures may be used to establish or enhance baseline protection

BSI - Structure

- IT security measures
  - 7 areas
  - 34 modules (building blocks)
- Safeguards catalogue
  - 6 categories of security measures
- Threats catalogue
  - 5 categories of threats

BSI - Security Measures (Modules)

- Protection for generic components
- Infrastructure
- Non-networked systems
- LANs
- Data transfer systems
- Telecommunications
- Other IT components

BSI - Generic Components

- 3.1 Organisation
- 3.2 Personnel
- 3.3 Contingency Planning
- 3.4 Data Protection

BSI - Infrastructure

- 4.1 Buildings
- 4.2 Cabling
- 4.3 Rooms
  - 4.3.1 Office
  - 4.3.2 Server Room
  - 4.3.3 Storage Media Archives
  - 4.3.4 Technical Infrastructure Room
- 4.4 Protective cabinets
- 4.5 Home working place

BSI - Non-Networked Systems

- 5.1 DOS PC (Single User)
- 5.2 UNIX System
- 5.3 Laptop
- 5.4 DOS PC (multiuser)
- 5.5 Non-networked Windows NT computer
- 5.6 PC with Windows 95
- 5.99 Stand-alone IT systems

BSI - LANs

- 6.1 Server-Based Network
- 6.2 Networked Unix Systems
- 6.3 Peer-to-Peer Network
- 6.4 Windows NT network
- 6.5 Novell Netware 3.x
- 6.6 Novell Netware version 4.x
- 6.7 Heterogeneous networks

BSI - Data Transfer Systems

- 7.1 Data Carrier Exchange
- 7.2 Modem
- 7.3 Firewall
- 7.4 E-mail

BSI - Telecommunications

- 8.1 Telecommunication system
- 8.2 Fax Machine
- 8.3 Telephone Answering Machine
- 8.4 LAN integration of an IT system via ISDN

BSI - Other IT Components

- 9.1 Standard Software
- 9.2 Databases
- 9.3 Telecommuting

BSI - Module "Data Protection" (3.4)

Threats - Technical failure:
- T 4.13 Loss of stored data

Security Measures - Contingency planning:
- S 6.36 Stipulating a minimum data protection concept
- S 6.37 Documenting data protection procedures
- S 6.33 Development of a data protection concept (optional)
- S 6.34 Determining the factors influencing data protection (optional)
- S 6.35 Stipulating data protection procedures (optional)
- S 6.41 Training data reconstruction

Security Measures - Organisation:
- S 2.41 Employees' commitment to data protection
- S 2.137 Procurement of a suitable data backup system
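The building-block assembly described under "BSI - Approach", applied to the threat and safeguard IDs of module 3.4 above, as an added example that is not from the deck or from the BSI manual; the contents of the two infrastructure modules, their S1 safeguards and the rule that a safeguard required by any selected module is required overall are assumptions of this example.

```python
# Added example (not from the deck or the BSI manual): assemble a baseline-
# protection safeguard list from modules. Module 3.4 uses the deck's IDs; the
# two infrastructure modules and their S1 safeguards are CONSTRUCTED.
from collections import Counter

# module name -> (threat IDs, required safeguard IDs, optional safeguard IDs)
MODULES = {
    "3.4 Data Protection": (
        {"T 4.13"},
        {"S 6.36", "S 6.37", "S 6.41", "S 2.41", "S 2.137"},
        {"S 6.33", "S 6.34", "S 6.35"},
    ),
    "4.3.2 Server Room": (  # constructed
        {"T 3.6", "T 3.16"},
        {"S 1.10", "S 1.18", "S 1.27", "S 1.28"},
        {"S 1.7"},
    ),
    "4.3.3 Storage Media Archives": (  # constructed
        {"T 3.12"},
        {"S 1.7", "S 1.10", "S 1.36"},
        {"S 1.18"},
    ),
}

def _num(identifier):
    """Sort key for IDs like 'S 6.36' or 'T 3.12': (category, number)."""
    cat, num = identifier.split()[1].split(".")
    return int(cat), int(num)

def assemble_baseline(selected):
    """Merge the building blocks for the components present in a system.
    Assumed rule: a safeguard required by any selected module is required
    overall, even if another module lists it only as optional."""
    unknown = set(selected) - set(MODULES)
    if unknown:
        raise KeyError(f"not in catalogue: {sorted(unknown)}")
    threats, required, optional = set(), set(), set()
    for name in selected:
        t, req, opt = MODULES[name]
        threats |= t
        required |= req
        optional |= opt
    optional -= required  # de-duplicate: required wins over optional
    per_category = Counter(s.split()[1].split(".")[0] for s in required)
    return {
        "threats": sorted(threats, key=_num),
        "required": sorted(required, key=_num),
        "optional": sorted(optional, key=_num),
        "per_category": dict(per_category),  # maps S1..S6 to counts
    }
```

The per-category counts give the coverage summary the deck notes the manual does not present graphically.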

BSI - Safeguards (420 safeguards)

- S1 - Infrastructure (45 safeguards)
- S2 - Organisation (153 safeguards)
- S3 - Personnel (22 safeguards)
- S4 - Hardware & Software (83 safeguards)
- S5 - Communications (62 safeguards)
- S6 - Contingency Planning (55 safeguards)

BSI - S1 Infrastructure (45 safeguards)

- S 1.7 Hand-held fire extinguishers
- S 1.10 Use of safety doors
- S 1.17 Entrance control service
- S 1.18 Intruder and fire detection devices
- S 1.27 Air conditioning
- S 1.28 Local uninterruptible power supply [UPS]
- S 1.36 Safekeeping of data carriers before and after dispatch

BSI - Security Threats (209 threats)

- T1 - Force Majeure (10 threats)
- T2 - Organisational Shortcomings (58 threats)
- T3 - Human Errors (31 threats)
- T4 - Technical Failure (32 threats)
- T5 - Deliberate acts (78 threats)

BSI - T3 Human Errors (31 threats)

- T 3.1 Loss of data confidentiality/integrity as a result of IT user error
- T 3.3 Non-compliance with IT security measures
- T 3.6 Threat posed by cleaning staff or outside staff
- T 3.9 Incorrect management of the IT system
- T 3.12 Loss of storage media during transfer
- T 3.16 Incorrect administration of site and data access rights
- T 3.24 Inadvertent manipulation of data
- T 3.25 Negligent deletion of objects

BSI - Summary

- Main use: Security concepts & manuals
- No evaluation methodology described
- Developed by German BSI (GISA)
- Updated version released each year
- Lists 209 threats & 420 security measures
- 34 modules cover generic & platform-specific security requirements
- User friendly with a lot of security details
- Not suitable for security risk analysis
- Results of security coverage not shown in graphic form
- Manual in HTML format on BSI web server
- Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
- Paper copy of manual: DM 118.--
- Software 'BSI Tool' (only in German): DM 515.--

ITSEC, Common Criteria

- ITSEC: IT Security Evaluation Criteria
- Developed by UK, Germany, France, Netherlands; based primarily on the USA TCSEC (Orange Book)
- Releases
  - ITSEC: 1991
  - ITSEM: 1993 (IT Security Evaluation Manual)
  - UK IT Security Evaluation & Certification scheme: 1994

ITSEC, Common Criteria

- Common Criteria (CC)
  - Developed by USA, EC: based on ITSEC
  - ISO International Standard
- Releases
  - CC 1.0: 1996
  - CC 2.0: 1998
  - ISO IS 15408: 1999

ITSEC - Methodology

- Based on a systematic, documented approach for security evaluations of systems & products
- Open ended with regard to the defined set of security objectives
  - ITSEC functionality classes, e.g. FC-C2
  - CC protection profiles
- Evaluation steps:
  - Definition of functionality
  - Assurance: confidence in functionality

ITSEC - Functionality

- Security objectives (Why)
  - Risk analysis (Threats, Countermeasures)
  - Security policy
- Security enforcing functions (What)
  - technical & non-technical
- Security mechanisms (How)
- Evaluation levels

ITSEC - Assurance

- Goal: Confidence in functions & mechanisms
- Correctness
  - Construction (development process & environment)
  - Operation (process & environment)
- Effectiveness
  - Suitability analysis
  - Strength of mechanism analysis
  - Vulnerabilities (construction & operation)

CC - Security Concept (diagram)

CC - Evaluation Goal (diagram)

CC - Documentation

CC Part 1: Introduction and Model
- Introduction to Approach
- Terms and Model
- Requirements for Protection Profiles (PP) and Security Targets (ST)

CC Part 2: Functional Requirements
- Functional Classes
- Functional Families
- Functional Components
- Detailed Requirements

CC Part 3: Assurance Requirements
- Assurance Classes
- Assurance Families
- Assurance Components
- Detailed Requirements
- Evaluation Assurance Levels (EAL)

CC - Security Requirements

Functional Requirements
- for defining the security behavior of the IT product or system:
  - implemented requirements become security functions

Assurance Requirements
- for establishing confidence in the Security Functions:
  - correctness of implementation
  - effectiveness in satisfying objectives

CC - Security Functional Classes

Class  Name
FAU    Audit
FCO    Communications
FCS    Cryptographic Support
FDP    User Data Protection
FIA    Identification & Authentication
FMT    Security Management
FPR    Privacy
FPT    Protection of TOE Security Functions
FRU    Resource Utilization
FTA    TOE (Target Of Evaluation) Access
FTP    Trusted Path / Channels

CC - Security Assurance Classes

Class  Name
ACM    Configuration Management
ADO    Delivery & Operation
ADV    Development
AGD    Guidance Documents
ALC    Life Cycle Support
ATE    Tests
AVA    Vulnerability Assessment
APE    Protection Profile Evaluation
ASE    Security Target Evaluation
AMA    Maintenance of Assurance

CC - Eval. Assurance Levels (EALs)

EAL   Name                                       TCSEC*
EAL1  Functionally Tested                        -
EAL2  Structurally Tested                        C1
EAL3  Methodically Tested & Checked              C2
EAL4  Methodically Designed, Tested & Reviewed   B1
EAL5  Semiformally Designed & Tested             B2
EAL6  Semiformally Verified Design & Tested      B3
EAL7  Formally Verified Design & Tested          A1

*TCSEC = "Trusted Computer Security Evaluation Criteria" ("Orange Book")

ITSEC, CC - Summary

- Used primarily for security evaluations and not for generalized IT audits
- Defines evaluation methodology
- Based on International Standard (ISO 15408)
- Certification scheme in place
- Updated & enhanced on a yearly basis
- Includes extensible standard sets of security requirements (Protection Profile libraries)

Comparison of Methods - Criteria

- Standardisation
- Independence
- Certifiability
- Applicability in practice
- Adaptability
- Extent of Scope
- Presentation of Results
- Efficiency
- Update frequency
- Ease of Use

Comparison of Methods - Results

Criterion                  CobiT  BS 7799  BSI  ITSEC/CC
Standardisation            3.4    3.3      3.1  3.9
Independence               3.3    3.6      3.5  3.9
Certifiability             2.7    3.3      3.0  3.7
Applicability in practice  2.8    3.0      3.1  2.5
Adaptability               3.3    2.8      3.3  3.0
Extent of Scope            3.1    2.9      2.7  2.6
Presentation of Results    1.9    2.2      2.6  1.7
Efficiency                 3.0    2.8      3.0  2.5
Update frequency           3.1    2.4      3.4  2.8
Ease of Use                2.3    2.7      2.8  2.0

Scores between 1 (low) and 4 (high). Scores for CobiT, BS7799 and BSI from the ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger.

Assessment charts (diagrams only): CobiT - Assessment, BS 7799 - Assessment, BSI - Assessment, ITSEC/CC - Assessment

Use of Methods for IT Audits

- CobiT: Audit method for all IT processes
- ITSEC, CC: Systematic approach for evaluations
- BS7799, BSI: List of detailed security measures to be used as best practice documentation
- Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)
- What is needed in addition:
  - Audit concept (general aspects, infrastructure audits, application audits)
