
IT Audit Methodologies

IT Audit Methodologies

CobiT

BS 7799 - Code of Practice (CoP)

BSI - IT Baseline Protection Manual

ITSEC

Common Criteria (CC)

IT Audit Methodologies - URLs

CobiT:   www.isaca.org
BS7799:  www.bsi.org.uk/disc/
BSI:     www.bsi.bund.de/gshb/english/menue.htm
ITSEC:   www.itsec.gov.uk
CC:      csrc.nist.gov/cc/


Main Areas of Use

IT Audits

Risk Analysis

Health Checks (Security Benchmarking)

Security Concepts

Security Manuals / Handbooks


Security Definition

Confidentiality

Integrity

Correctness

Completeness

Availability

CobiT

Governance, Control & Audit for IT

Developed by ISACA

Releases
  CobiT 1: 1996 - 32 Processes, 271 Control Objectives
  CobiT 2: 1998 - 34 Processes, 302 Control Objectives

CobiT - Model for IT Governance

36 control models used as basis:
  Business control models (e.g. COSO)
  IT control models (e.g. DTI's CoP)

CobiT control model covers:
  Security (Confidentiality, Integrity, Availability)
  Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
  IT Resources (Data, Application Systems, Technology, Facilities, People)

CobiT - Framework

CobiT - Structure

4 Domains
  PO - Planning & Organisation:       11 processes (high-level control objectives)
  AI - Acquisition & Implementation:   6 processes (high-level control objectives)
  DS - Delivery & Support:            13 processes (high-level control objectives)
  M  - Monitoring:                     4 processes (high-level control objectives)

PO - Planning and Organisation

PO 1   Define a Strategic IT Plan
PO 2   Define the Information Architecture
PO 3   Determine the Technological Direction
PO 4   Define the IT Organisation and Relationships
PO 5   Manage the IT Investment
PO 6   Communicate Management Aims and Direction
PO 7   Manage Human Resources
PO 8   Ensure Compliance with External Requirements
PO 9   Assess Risks
PO 10  Manage Projects
PO 11  Manage Quality

AI - Acquisition and Implementation

AI 1   Identify Solutions
AI 2   Acquire and Maintain Application Software
AI 3   Acquire and Maintain Technology Architecture
AI 4   Develop and Maintain IT Procedures
AI 5   Install and Accredit Systems
AI 6   Manage Changes

DS - Delivery and Support

DS 1   Define Service Levels
DS 2   Manage Third-Party Services
DS 3   Manage Performance and Capacity
DS 4   Ensure Continuous Service
DS 5   Ensure Systems Security
DS 6   Identify and Attribute Costs
DS 7   Educate and Train Users
DS 8   Assist and Advise IT Customers
DS 9   Manage the Configuration
DS 10  Manage Problems and Incidents
DS 11  Manage Data
DS 12  Manage Facilities
DS 13  Manage Operations

M - Monitoring

M 1   Monitor the Processes
M 2   Assess Internal Control Adequacy
M 3   Obtain Independent Assurance
M 4   Provide for Independent Audit

CobiT - IT Process Matrix

[Embedded spreadsheet, not reproduced: rows are the IT Processes; columns are the Information Criteria (Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability) and the IT Resources (People, Applications, Technology, Facilities, Data).]

CobiT - Summary

Mainly used for IT audits, incl. security aspects
No detailed evaluation methodology described
Developed by international organisation (ISACA)
Up-to-date: Version 2 released in 1998
Only high-level control objectives described
Detailed IT control measures are not documented
Not very user friendly - learning curve!
Evaluation results not shown in graphic form
May be used for self assessments
Useful aid in implementing IT control systems
No suitable basis to write security handbooks
CobiT package from ISACA: $ 100.--
  3 parts freely downloadable from ISACA site
Software available from Methodware Ltd., NZ (www.methodware.co.nz)
  CobiT Advisor 2nd edition: US$ 600.--

BS 7799 - CoP

Code of Practice for Information Security Management

Developed by UK DTI, BSI: British Standard

Releases
  CoP: 1993
  BS 7799: Part 1: 1995
  BS 7799: Part 2: 1998

Certification & Accreditation scheme (c:cure)


BS 7799 - Security Baseline Controls

10 control categories

32 control groups

109 security controls

10 security key controls

BS 7799 - Control Categories

Information security policy
Security organisation
Assets classification & control
Personnel security
Physical & environmental security
Computer & network management
System access control
Systems development & maintenance
Business continuity planning
Compliance

BS7799 - 10 Key Controls

Information security policy document
Allocation of information security responsibilities
Information security education and training
Reporting of security incidents
Virus controls
Business continuity planning process
Control of proprietary software copying
Safeguarding of organizational records
Data protection
Compliance with security policy

BS7799 - Summary

Main use: Security Concepts & Health Checks
No evaluation methodology described
British Standard, developed by UK DTI
Certification scheme in place (c:cure)
BS7799, Part 1, 1995 is being revised in 1999
Lists 109 ready-to-use security controls
No detailed security measures described
Very user friendly - easy to learn
Evaluation results not shown in graphic form
May be used for self assessments
BS7799, Part 1: 94.--
BS7799, Part 2: 36.--
BSI Electronic book of Part 1: 190.-- + VAT
Several BS7799 c:cure publications from BSI
CoP-iT software from SMH, UK: 349 + VAT (www.smhplc.com)

BSI (Bundesamt für Sicherheit in der Informationstechnik)

IT Baseline Protection Manual (IT-Grundschutzhandbuch)

Developed by German BSI (GISA: German Information Security Agency)

Releases:
  IT security manual: 1992
  IT baseline protection manual: 1995
  New versions (paper and CD-ROM): each year

BSI - Approach

Used to determine IT security measures for medium-level protection requirements

Straightforward approach, since a detailed risk analysis is not performed

Based on generic & platform-specific security requirements, detailed protection measures are constructed using given building blocks

The list of assembled security measures may be used to establish or enhance baseline protection

BSI - Structure

IT security measures
  7 areas
  34 modules (building blocks)

Safeguards catalogue
  6 categories of security measures

Threats catalogue
  5 categories of threats

BSI - Security Measures (Modules)

Protection for generic components
Infrastructure
Non-networked systems
LANs
Data transfer systems
Telecommunications
Other IT components

BSI - Generic Components

3.1  Organisation
3.2  Personnel
3.3  Contingency Planning
3.4  Data Protection

BSI - Infrastructure

4.1    Buildings
4.2    Cabling
4.3    Rooms
4.3.1  Office
4.3.2  Server Room
4.3.3  Storage Media Archives
4.3.4  Technical Infrastructure Room
4.4    Protective cabinets
4.5    Home working place

BSI - Non-Networked Systems

5.1   DOS PC (Single User)
5.2   UNIX System
5.3   Laptop
5.4   DOS PC (multiuser)
5.5   Non-networked Windows NT computer
5.6   PC with Windows 95
5.99  Stand-alone IT systems

BSI - LANs

6.1  Server-Based Network
6.2  Networked Unix Systems
6.3  Peer-to-Peer Network
6.4  Windows NT network
6.5  Novell Netware 3.x
6.6  Novell Netware version 4.x
6.7  Heterogeneous networks

BSI - Data Transfer Systems

7.1  Data Carrier Exchange
7.2  Modem
7.3  Firewall
7.4  E-mail

BSI - Telecommunications

8.1  Telecommunication system
8.2  Fax Machine
8.3  Telephone Answering Machine
8.4  LAN integration of an IT system via ISDN

BSI - Other IT Components

9.1  Standard Software
9.2  Databases
9.3  Telecommuting

BSI - Module Data Protection (3.4)

Threats - Technical failure:
  T 4.13   Loss of stored data

Security Measures - Contingency planning:
  S 6.36   Stipulating a minimum data protection concept
  S 6.37   Documenting data protection procedures
  S 6.33   Development of a data protection concept (optional)
  S 6.34   Determining the factors influencing data protection (optional)
  S 6.35   Stipulating data protection procedures (optional)
  S 6.41   Training data reconstruction

Security Measures - Organisation:
  S 2.41   Employees' commitment to data protection
  S 2.137  Procurement of a suitable data backup system

BSI - Safeguards (420 safeguards)

S1 - Infrastructure         (45 safeguards)
S2 - Organisation           (153 safeguards)
S3 - Personnel              (22 safeguards)
S4 - Hardware & Software    (83 safeguards)
S5 - Communications         (62 safeguards)
S6 - Contingency Planning   (55 safeguards)

BSI - S1-Infrastructure (45 safeguards)

S 1.7   Hand-held fire extinguishers
S 1.10  Use of safety doors
S 1.17  Entrance control service
S 1.18  Intruder and fire detection devices
S 1.27  Air conditioning
S 1.28  Local uninterruptible power supply [UPS]
S 1.36  Safekeeping of data carriers before and after dispatch


BSI - Security Threats (209 threats)

T1 - Force Majeure (10 threats)

T2 - Organisational Shortcomings (58 threats)

T3 - Human Errors (31 threats)

T4 - Technical Failure (32 threats)

T5 - Deliberate acts (78 threats)

BSI - T3-Human Errors (31 threats)

T 3.1   Loss of data confidentiality/integrity as a result of IT user error
T 3.3   Non-compliance with IT security measures
T 3.6   Threat posed by cleaning staff or outside staff
T 3.9   Incorrect management of the IT system
T 3.12  Loss of storage media during transfer
T 3.16  Incorrect administration of site and data access rights
T 3.24  Inadvertent manipulation of data
T 3.25  Negligent deletion of objects

BSI - Summary

Main use: Security concepts & manuals
No evaluation methodology described
Developed by German BSI (GISA)
Updated version released each year
Lists 209 threats & 420 security measures
34 modules cover generic & platform specific security requirements
User friendly with a lot of security details
Not suitable for security risk analysis
Results of security coverage not shown in graphic form
Manual in HTML format on BSI web server
Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
Paper copy of manual: DM 118.--
Software BSI Tool (only in German): DM 515.--

ITSEC, Common Criteria

ITSEC: IT Security Evaluation Criteria

Developed by UK, Germany, France, Netherlands and based primarily on USA TCSEC (Orange Book)

Releases
  ITSEC: 1991
  ITSEM: 1993 (IT Security Evaluation Manual)
  UK IT Security Evaluation & Certification scheme: 1994


ITSEC, Common Criteria

Common Criteria (CC)

Developed by USA, EC: based on ITSEC

ISO International Standard

Releases

CC 1.0: 1996

CC 2.0: 1998

ISO IS 15408: 1999

ITSEC - Methodology

Based on a systematic, documented approach for security evaluations of systems & products

Open-ended with regard to the defined set of security objectives
  ITSEC Functionality classes; e.g. FC-C2
  CC protection profiles

Evaluation steps:
  Definition of functionality
  Assurance: confidence in functionality


ITSEC - Functionality

Security objectives (Why)

Risk analysis (Threats, Countermeasures)

Security policy

Security enforcing functions (What)

technical & non-technical

Security mechanisms (How)

Evaluation levels

ITSEC - Assurance

Goal: Confidence in functions & mechanisms

Correctness
  Construction (development process & environment)
  Operation (process & environment)

Effectiveness
  Suitability analysis
  Strength of mechanism analysis
  Vulnerabilities (construction & operation)

CC - Security Concept

CC - Evaluation Goal

CC - Documentation

CC Part 1 - Introduction and Model
  Introduction to Approach
  Terms and Model
  Requirements for Protection Profiles (PP) and Security Targets (ST)

CC Part 2 - Functional Requirements
  Functional Classes
  Functional Families
  Functional Components
  Detailed Requirements

CC Part 3 - Assurance Requirements
  Assurance Classes
  Assurance Families
  Assurance Components
  Detailed Requirements
  Evaluation Assurance Levels (EAL)

CC - Security Requirements

Functional Requirements
  for defining security behavior of the IT product or system:
  implemented requirements become security functions

Assurance Requirements
  for establishing confidence in Security Functions:
  correctness of implementation
  effectiveness in satisfying objectives

CC - Security Functional Classes

Class  Name
FAU    Audit
FCO    Communications
FCS    Cryptographic Support
FDP    User Data Protection
FIA    Identification & Authentication
FMT    Security Management
FPR    Privacy
FPT    Protection of TOE Security Functions
FRU    Resource Utilization
FTA    TOE (Target Of Evaluation) Access
FTP    Trusted Path / Channels

CC - Security Assurance Classes

Class  Name
ACM    Configuration Management
ADO    Delivery & Operation
ADV    Development
AGD    Guidance Documents
ALC    Life Cycle Support
ATE    Tests
AVA    Vulnerability Assessment
APE    Protection Profile Evaluation
ASE    Security Target Evaluation
AMA    Maintenance of Assurance

CC - Eval. Assurance Levels (EALs)

EAL   Name                                      TCSEC* (approx. equivalent)
EAL1  Functionally Tested                       -
EAL2  Structurally Tested                       C1
EAL3  Methodically Tested & Checked             C2
EAL4  Methodically Designed, Tested & Reviewed  B1
EAL5  Semiformally Designed & Tested            B2
EAL6  Semiformally Verified Design & Tested     B3
EAL7  Formally Verified Design & Tested         A1

*TCSEC = Trusted Computer Security Evaluation Criteria - Orange Book


ITSEC, CC - Summary

Used primarily for security evaluations and not for generalized IT audits

Defines evaluation methodology

Based on International Standard (ISO 15408)

Certification scheme in place

Updated & enhanced on a yearly basis

Includes extensible standard sets of security requirements (Protection Profile libraries)

Comparison of Methods - Criteria

Standardisation
Independence
Certifiability
Applicability in practice
Adaptability
Extent of Scope
Presentation of Results
Efficiency
Update frequency
Ease of Use

Comparison of Methods - Results

Criterion                  CobiT  BS 7799  BSI  ITSEC/CC
Standardisation             3.4     3.3    3.1    3.9
Independence                3.3     3.6    3.5    3.9
Certifiability              2.7     3.3    3.0    3.7
Applicability in practice   2.8     3.0    3.1    2.5
Adaptability                3.3     2.8    3.3    3.0
Extent of Scope             3.1     2.9    2.7    2.6
Presentation of Results     1.9     2.2    2.6    1.7
Efficiency                  3.0     2.8    3.0    2.5
Update frequency            3.1     2.4    3.4    2.8
Ease of Use                 2.3     2.7    2.8    2.0

Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger

CobiT - Assessment

BS 7799 - Assessment

BSI - Assessment

ITSEC/CC - Assessment

Use of Methods for IT Audits

CobiT: Audit method for all IT processes
ITSEC, CC: Systematic approach for evaluations
BS7799, BSI: List of detailed security measures to be used as best practice documentation

What is needed in addition:
  Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)
  Audit concept (general aspects, infrastructure audits, application audits)

Thank you for your interest in IT Audit Methodologies