INFORMATION SECURITY INFORMATION SYSTEMS AUDITING - PowerPoint PPT Presentation
Slides: 24
Provided by: juliehw
1
INFORMATION SECURITY - INFORMATION SYSTEMS AUDITING
  • Presented to
  • University of Oklahoma
  • College of Business MIS Department
  • September 26, 2001

Presenter: William R. Duffy, Information Systems Audit Manager
2
INFORMATION SECURITY - What is it?
  • Protecting a company's information, or physical
    assets which can be diverted for gain, via
    penetration or manipulation of an information
    system

3
INFORMATION SECURITY - What are we so worried about?
4
INFORMATION SECURITY
People
Information Assets
Policies
Products
Processes
Practices
5
INFORMATION SECURITY - Policies - What?
  • Broad statements, issued by the most senior
    management
  • Articulate the objective
  • Communicate expectations
  • Establish consequences for violation
  • Example: Information Protection Policy
    • Information is an asset and must be protected...
    • Employees are expected to take reasonable steps
      to protect the corporation's information...
    • Violation of the policy is subject to
      disciplinary actions up to and including....

6
INFORMATION SECURITY - Practices - How?
  • Detailed, specific instructions
  • Can be technical in nature, e.g.,
    • Unix platform configuration practices
      • insert words from Unix doc
    • Dial-in connectivity practices
      • Two-factor authentication is required for all
        dial-in connections...
  • Can be process in nature, e.g.,
    • Electronic Approval practices
      • For high-risk electronic approvals (e.g.,
        payments) the approver should be re-prompted to
        enter their password, protecting against the
        risk of unattended workstations...
  • Best Practices - Should Do
  • Required Practices - Must Do!

7
INFORMATION SECURITY - Processes - How?
  • Methodologies that help people integrate
    Information Security into systems from the
    get-go. E.g.,
    • Risk Analysis and Control Design processes to
      ensure that exposures are understood and
      addressed in systems development
      • Payroll systems have controls built in to prevent
        the systems analysts from giving themselves a
        pay raise (bummer!)
  • Processes which allow day-to-day operations to be
    carried out in a controlled manner. E.g.,
    • Change Control processes ensure that changes to
      operating systems are tested prior to being put
      into production.
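The payroll exposure above, expressed as a detective control an auditor could run over a system's change log. This is an added example, not material from the presentation; the record fields, user ids and role table are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not from the presentation: the slide's "systems analyst gives
# himself a pay raise" exposure as a detective control run over a change log.
# Field names, user ids and roles below are assumptions for illustration.

@dataclass(frozen=True)
class Change:
    change_id: str
    actor: str               # user id that made the change
    employee: str            # employee record changed (user id doubles as employee id here)
    field: str
    old: float
    new: float
    approver: Optional[str]  # second user who approved the change, if any

# Assumed role table; staff who maintain the system have no business reason to edit pay data.
ROLES = {"jsmith": "systems_analyst", "mlee": "payroll_clerk",
         "rkhan": "payroll_supervisor", "tnguyen": "payroll_clerk"}
IT_ROLES = {"systems_analyst"}

def check_changes(changes):
    """Return (change_id, rule) for every salary change that breaks a control."""
    findings = []
    for c in changes:
        if c.field != "salary":
            continue
        if c.actor == c.employee:                            # rule 1: no editing your own record
            findings.append((c.change_id, "self_modification"))
        if ROLES.get(c.actor) in IT_ROLES:                   # rule 2: IT and payroll duties segregated
            findings.append((c.change_id, "it_role_changed_pay"))
        if c.new > c.old and c.approver in (None, c.actor):  # rule 3: maker/checker on increases
            findings.append((c.change_id, "missing_independent_approval"))
    return findings

# Constructed sample log: one clean change, the slide's case, and a self-approved raise.
SAMPLE = [
    Change("c1", "mlee", "e1042", "salary", 52000.0, 54000.0, "rkhan"),
    Change("c2", "jsmith", "jsmith", "salary", 61000.0, 95000.0, None),
    Change("c3", "tnguyen", "e2077", "salary", 48000.0, 50000.0, "tnguyen"),
]

if __name__ == "__main__":
    for change_id, rule in check_changes(SAMPLE):
        print(f"{change_id}: {rule}")
```

The same three rules apply to any maker/checker workflow (vendor master changes, payment release), not only payroll.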

8
INFORMATION SECURITY - Products - With?
  • Use of technology (hardware and software) that
    automates protection measures. Examples:
    • firewalls to protect internal networks from
      external intrusion
    • intrusion detection software
    • routers to isolate sensitive network segments
      from the general population
    • software to control access to systems with
      powerful IDs (e.g., Unix ROOT)
    • use of virtual private networks (VPNs) to allow
      traffic to be protected as it traverses the
      internet
  • Rapidly evolving fields - tools struggling to
    stay ahead of hacker devices
  • With the growing complexity of today's
    business/network environment, automated tools are
    essential to manage threats

9
INFORMATION SECURITY - People - Who?
  • People are the foundation of, and fundamental
    threat to, information security
  • Foundation
    • they understand and adhere to the policies
    • they implement the practices
    • they execute the processes
    • they install and operate the products
  • Automate everything you can - because people are
    just human!
  • At the same time
    • they get forgetful
    • they get busy
    • they get in financial trouble
    • they get angry
    • they get even
  • Some tools
    • awareness training and reminders
    • technical training
    • background checks
    • sensitive position management
    • segregation of duties

10
INFORMATION SECURITY - Some Food for Thought...
TYPES OF BREACHES EXPERIENCED (chart)
Source: Information Security Magazine - Annual
Information Security Industry Survey (June 1998)
11
INFORMATION SYSTEMS AUDITING - What We Do
  • Understand the relationship of business to the
    system
  • Identify and analyze systems exposures for
    potential control concerns
  • Test adequacy and effectiveness of systems
    control measures
  • Provide recommendations to improve the systems
    controls environment

12
INFORMATION SYSTEMS AUDITING - How We Do It
  • Develop an Audit Register of all IS exposures for
    the Corporation
  • Determine scope for review -- look at risk
    assessments for rating and new technology
  • Establish IS budget (time and cost) for areas for
    review

13
INFORMATION SYSTEMS AUDITING - There's More
  • Develop and conduct audit programs for I.S.
    technology or processes -- get help from
    training, technical contacts, industry resources,
    peers
  • ExxonMobil developed 30 Audit programs for
    platform applications

14
INFORMATION SYSTEMS AUDITING - Typical IS Areas for
Review in Audit Programs
  • Security/criticality assessment
  • System security
  • Application security
  • Data security
  • Application change control
  • Business continuity
  • Telecommunications
  • Physical and environmental

15
OVERVIEW OF IS AUDIT PROCESS - Access Control
16
OVERVIEW OF IS AUDIT PROCESS - Operations
17
OVERVIEW OF IS AUDIT PROCESS - Systems Software
18
OVERVIEW OF IS AUDIT PROCESS - Telecommunications/Networks
19
OVERVIEW OF IS AUDIT PROCESS - Physical Security
20
OVERVIEW OF IS AUDIT PROCESS - Applications
21
OVERVIEW OF IS AUDIT PROCESS - Management
22
OVERVIEW OF IS AUDIT PROCESS - Technology
23
Key IS Comments and Trends
  • Exposures with Client/Server technology - Unix,
    NT, Windows 2000, AS/400s
  • Telecommunications (Internet, dial-up access)
  • Exposures in third-party software
  • Risk assessment - controls catalog
  • Incomplete access reviews
  • Powerful ID exposures