IT Audit Methodologies
iCorpCo

- CobiT
- BS 7799 - Code of Practice (CoP)
- BSI - IT Baseline Protection Manual
- ITSEC
- Common Criteria (CC)

IT Audit Methodologies - URLs
- CobiT: www.isaca.org
- BS7799: www.bsi.org.uk/disc/
- BSI: www.bsi.bund.de/gshb/english/menue.htm
- ITSEC: www.itsec.gov.uk
- CC: csrc.nist.gov/cc/

Main Areas of Use
- IT Audits
- Risk Analysis
- Health Checks (Security Benchmarking)
- Security Concepts
- Security Manuals / Handbooks

Security Definition
- Confidentiality
- Integrity
  - Correctness
  - Completeness
- Availability

CobiT
- Governance, Control & Audit for IT
- Developed by ISACA
- Releases
  - CobiT 1: 1996
    - 32 Processes
    - 271 Control Objectives
  - CobiT 2: 1998
    - 34 Processes
    - 302 Control Objectives

CobiT - Model for IT Governance
- 36 control models used as basis:
  - Business control models (e.g. COSO)
  - IT control models (e.g. DTI's CoP)
- CobiT control model covers:
  - Security (Confidentiality, Integrity, Availability)
  - Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
  - IT Resources (Data, Application Systems, Technology, Facilities, People)

CobiT - Framework
(figure only on this slide)

CobiT - Structure
- 4 Domains
  - PO - Planning & Organisation: 11 processes (high-level control objectives)
  - AI - Acquisition & Implementation: 6 processes (high-level control objectives)
  - DS - Delivery & Support: 13 processes (high-level control objectives)
  - M - Monitoring: 4 processes (high-level control objectives)

PO - Planning and Organisation
- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine the Technological Direction
- PO 4 Define the IT Organisation and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality

AI - Acquisition and Implementation
- AI 1 Identify Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Architecture
- AI 4 Develop and Maintain IT Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes

DS - Delivery and Support
- DS 1 Define Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Attribute Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise IT Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations

M - Monitoring
- M1 Monitor the Processes
- M2 Assess Internal Control Adequacy
- M3 Obtain Independent Assurance
- M4 Provide for Independent Audit

CobiT - IT Process Matrix
(three-dimensional figure: IT Processes x Information Criteria x IT Resources)
- Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT Resources: People, Applications, Technology, Facilities, Data
- IT Processes: the 34 processes of the four domains

CobiT - Summary
- Mainly used for IT audits, incl. security aspects
- No detailed evaluation methodology described
- Developed by international organisation (ISACA)
- Up-to-date: Version 2 released in 1998
- Only high-level control objectives described
- Detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown in graphic form

CobiT - Summary
- May be used for self assessments
- Useful aid in implementing IT control systems
- No suitable basis to write security handbooks
- CobiT package from ISACA: $ 100.-; 3 parts freely downloadable from ISACA site
- Software available from Methodware Ltd., NZ (www.methodware.co.nz)
  - CobiT Advisor 2nd edition: US$ 600.-

BS 7799 - CoP
- Code of Practice for Information Security Management
- Developed by UK DTI, BSI: British Standard
- Releases
  - CoP: 1993
  - BS 7799: Part 1: 1995
  - BS 7799: Part 2: 1998
- Certification & Accreditation scheme (c:cure)

BS 7799 - Security Baseline Controls
- 10 control categories
- 32 control groups
- 109 security controls
- 10 security key controls

BS 7799 - Control Categories
- Information security policy
- Security organisation
- Assets classification & control
- Personnel security
- Physical & environmental security
- Computer & network management
- System access control
- Systems development & maintenance
- Business continuity planning
- Compliance

BS7799 - 10 Key Controls
- Information security policy document
- Allocation of information security responsibilities
- Information security education and training
- Reporting of security incidents
- Virus controls
- Business continuity planning process
- Control of proprietary software copying
- Safeguarding of organizational records
- Data protection
- Compliance with security policy

BS7799 - Summary
- Main use: Security Concepts & Health Checks
- No evaluation methodology described
- British Standard, developed by UK DTI
- Certification scheme in place (c:cure)
- BS7799, Part 1, 1995 is being revised in 1999
- Lists 109 ready-to-use security controls
- No detailed security measures described
- Very user friendly - easy to learn

BS7799 - Summary
- Evaluation results not shown in graphic form
- May be used for self assessments
- BS7799, Part 1: £ 94.-; BS7799, Part 2: £ 36.-; BSI Electronic book of Part 1: £ 190.-- + VAT
- Several BS7799 c:cure publications from BSI
- CoP-iT software from SMH, UK: £349+VAT (www.smhplc.com)

BSI (Bundesamt für Sicherheit in der Informationstechnik)
- IT Baseline Protection Manual (IT-Grundschutzhandbuch)
- Developed by German BSI (GISA: German Information Security Agency)
- Releases:
  - IT security manual: 1992
  - IT baseline protection manual: 1995
  - New versions (paper and CD-ROM): each year

BSI - Approach
(figure only on this slide)

BSI - Approach
- Used to determine IT security measures for medium-level protection requirements
- Straightforward approach, since a detailed risk analysis is not performed
- Based on generic & platform-specific security requirements, detailed protection measures are constructed using given building blocks
- List of assembled security measures may be used to establish or enhance baseline protection

BSI - Structure
- IT security measures
  - 7 areas
  - 34 modules (building blocks)
- Safeguards catalogue
  - 6 categories of security measures
- Threats catalogue
  - 5 categories of threats

BSI - Security Measures (Modules)
- Protection for generic components
- Infrastructure
- Non-networked systems
- LANs
- Data transfer systems
- Telecommunications
- Other IT components

BSI - Generic Components
- 3.1 Organisation
- 3.2 Personnel
- 3.3 Contingency Planning
- 3.4 Data Protection

BSI - Infrastructure
- 4.1 Buildings
- 4.2 Cabling
- 4.3 Rooms
  - 4.3.1 Office
  - 4.3.2 Server Room
  - 4.3.3 Storage Media Archives
  - 4.3.4 Technical Infrastructure Room
- 4.4 Protective cabinets
- 4.5 Home working place

BSI - Non-Networked Systems
- 5.1 DOS PC (Single User)
- 5.2 UNIX System
- 5.3 Laptop
- 5.4 DOS PC (multiuser)
- 5.5 Non-networked Windows NT computer
- 5.6 PC with Windows 95
- 5.99 Stand-alone IT systems

BSI - LANs
- 6.1 Server-Based Network
- 6.2 Networked Unix Systems
- 6.3 Peer-to-Peer Network
- 6.4 Windows NT network
- 6.5 Novell Netware 3.x
- 6.6 Novell Netware version 4.x
- 6.7 Heterogeneous networks

BSI - Data Transfer Systems
- 7.1 Data Carrier Exchange
- 7.2 Modem
- 7.3 Firewall
- 7.4 E-mail

BSI - Telecommunications
- 8.1 Telecommunication system
- 8.2 Fax Machine
- 8.3 Telephone Answering Machine
- 8.4 LAN integration of an IT system via ISDN

BSI - Other IT Components
- 9.1 Standard Software
- 9.2 Databases
- 9.3 Telecommuting

BSI - Module „Data Protection“ (3.4)
Threats - Technical failure:
- T 4.13 Loss of stored data
Security Measures - Contingency planning:
- S 6.36 Stipulating a minimum data protection concept
- S 6.37 Documenting data protection procedures
- S 6.33 Development of a data protection concept (optional)
- S 6.34 Determining the factors influencing data protection (optional)
- S 6.35 Stipulating data protection procedures (optional)
- S 6.41 Training data reconstruction
Security Measures - Organisation:
- S 2.41 Employees' commitment to data protection
- S 2.137 Procurement of a suitable data backup system

BSI - Safeguards (420 safeguards)
- S1 - Infrastructure (45 safeguards)
- S2 - Organisation (153 safeguards)
- S3 - Personnel (22 safeguards)
- S4 - Hardware & Software (83 safeguards)
- S5 - Communications (62 safeguards)
- S6 - Contingency Planning (55 safeguards)

BSI - S1-Infrastructure (45 safeguards)
- S 1.7 Hand-held fire extinguishers
- S 1.10 Use of safety doors
- S 1.17 Entrance control service
- S 1.18 Intruder and fire detection devices
- S 1.27 Air conditioning
- S 1.28 Local uninterruptible power supply [UPS]
- S 1.36 Safekeeping of data carriers before and after dispatch

BSI - Security Threats (209 threats)
- T1 - Force Majeure (10 threats)
- T2 - Organisational Shortcomings (58 threats)
- T3 - Human Errors (31 threats)
- T4 - Technical Failure (32 threats)
- T5 - Deliberate acts (78 threats)

BSI - T3-Human Errors (31 threats)
- T 3.1 Loss of data confidentiality/integrity as a result of IT user error
- T 3.3 Non-compliance with IT security measures
- T 3.6 Threat posed by cleaning staff or outside staff
- T 3.9 Incorrect management of the IT system
- T 3.12 Loss of storage media during transfer
- T 3.16 Incorrect administration of site and data access rights
- T 3.24 Inadvertent manipulation of data
- T 3.25 Negligent deletion of objects

BSI - Summary
- Main use: Security concepts & manuals
- No evaluation methodology described
- Developed by German BSI (GISA)
- Updated version released each year
- Lists 209 threats & 420 security measures
- 34 modules cover generic & platform-specific security requirements

BSI - Summary
- User friendly with a lot of security details
- Not suitable for security risk analysis
- Results of security coverage not shown in graphic form
- Manual in HTML format on BSI web server
- Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each)
- Paper copy of manual: DM 118.-
- Software ‚BSI Tool‘ (only in German): DM 515.-

ITSEC, Common Criteria
- ITSEC: IT Security Evaluation Criteria
- Developed by UK, Germany, France, Netherlands and based primarily on USA TCSEC (Orange Book)
- Releases
  - ITSEC: 1991
  - ITSEM: 1993 (IT Security Evaluation Manual)
  - UK IT Security Evaluation & Certification scheme: 1994

ITSEC, Common Criteria
- Common Criteria (CC)
- Developed by USA, EC: based on ITSEC
- ISO International Standard
- Releases
  - CC 1.0: 1996
  - CC 2.0: 1998
  - ISO IS 15408: 1999

ITSEC - Methodology
- Based on systematic, documented approach for security evaluations of systems & products
- Open ended with regard to defined set of security objectives
  - ITSEC functionality classes; e.g. FC-C2
  - CC protection profiles
- Evaluation steps:
  - Definition of functionality
  - Assurance: confidence in functionality

ITSEC - Functionality
- Security objectives (Why)
  - Risk analysis (Threats, Countermeasures)
  - Security policy
- Security enforcing functions (What)
  - technical & non-technical
- Security mechanisms (How)
- Evaluation levels

ITSEC - Assurance
- Goal: Confidence in functions & mechanisms
- Correctness
  - Construction (development process & environment)
  - Operation (process & environment)
- Effectiveness
  - Suitability analysis
  - Strength of mechanism analysis
  - Vulnerabilities (construction & operation)

CC - Security Concept
(figure only on this slide)

CC - Evaluation Goal
(figure only on this slide)

CC - Documentation
- CC Part 1: Introduction and Model
  - Introduction to Approach
  - Terms and Model
  - Requirements for Protection Profiles (PP) and Security Targets (ST)
- CC Part 2: Functional Requirements
  - Functional Classes
  - Functional Families
  - Functional Components
  - Detailed Requirements
- CC Part 3: Assurance Requirements
  - Assurance Classes
  - Assurance Families
  - Assurance Components
  - Detailed Requirements
  - Evaluation Assurance Levels (EAL)

CC - Security Requirements
- Functional Requirements - for defining security behavior of the IT product or system:
  - implemented requirements become security functions
- Assurance Requirements - for establishing confidence in Security Functions:
  - correctness of implementation
  - effectiveness in satisfying objectives

CC - Security Functional Classes
Class  Name
FAU    Audit
FCO    Communications
FCS    Cryptographic Support
FDP    User Data Protection
FIA    Identification & Authentication
FMT    Security Management
FPR    Privacy
FPT    Protection of TOE Security Functions
FRU    Resource Utilization
FTA    TOE (Target Of Evaluation) Access
FTP    Trusted Path / Channels

CC - Security Assurance Classes
Class  Name
ACM    Configuration Management
ADO    Delivery & Operation
ADV    Development
AGD    Guidance Documents
ALC    Life Cycle Support
ATE    Tests
AVA    Vulnerability Assessment
APE    Protection Profile Evaluation
ASE    Security Target Evaluation
AMA    Maintenance of Assurance

CC - Eval. Assurance Levels (EALs)
EAL   Name                                       TCSEC*
EAL1  Functionally Tested                        -
EAL2  Structurally Tested                        C1
EAL3  Methodically Tested & Checked              C2
EAL4  Methodically Designed, Tested & Reviewed   B1
EAL5  Semiformally Designed & Tested             B2
EAL6  Semiformally Verified Design & Tested      B3
EAL7  Formally Verified Design & Tested          A1
*TCSEC = “Trusted Computer Security Evaluation Criteria” -- ”Orange Book”

ITSEC, CC - Summary
- Used primarily for security evaluations and not for generalized IT audits
- Defines evaluation methodology
- Based on International Standard (ISO 15408)
- Certification scheme in place
- Updated & enhanced on a yearly basis
- Includes extensible standard sets of security requirements (Protection Profile libraries)
- Allows to determine confidence level in planned resp. implemented security
- Evaluation results not shown in graphic form
- Not very user friendly - learning curve!
- Detailed documentation in electronic PDF format freely available on web server

Comparison of Methods - Criteria
- Standardisation
- Independence
- Certifiability
- Applicability in practice
- Adaptability
- Extent of Scope
- Presentation of Results
- Efficiency
- Update frequency
- Ease of Use

Comparison of Methods - Results
Criterion                   CobiT   BS 7799   BSI   ITSEC/CC
Standardisation              3.4     3.3      3.1     3.9
Independence                 3.3     3.6      3.5     3.9
Certifiability               2.7     3.3      3.0     3.7
Applicability in practice    2.8     3.0      3.1     2.5
Adaptability                 3.3     2.8      3.3     3.0
Extent of Scope              3.1     2.9      2.7     2.6
Presentation of Results      1.9     2.2      2.6     1.7
Efficiency                   3.0     2.8      3.0     2.5
Update frequency             3.1     2.4      3.4     2.8
Ease of Use                  2.3     2.7      2.8     2.0
Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger

CobiT - Assessment
(figure only on this slide)

BS 7799 - Assessment
(figure only on this slide)

BSI - Assessment
(figure only on this slide)

ITSEC/CC - Assessment
(figure only on this slide)

Use of Methods for IT Audits
- CobiT: Audit method for all IT processes
- ITSEC, CC: Systematic approach for evaluations
- BS7799, BSI: List of detailed security measures to be used as best practice documentation
- What is needed in addition:
  - Audit concept (general aspects, infrastructure audits, application audits)
  - Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)