IT Audit Methodologies CobiT BS 7799 - Code of Practice (CoP) BSI - IT Baseline Protection Manual ITSEC Common Criteria (CC) iCorpCo 1 IT Audit Methodologies IT Audit Methodologies - URLs CobiT: BS7799: BSI: ITSEC: CC: iCorpCo www.isaca.org www.bsi.org.uk/disc/ www.bsi.bund.de/gshb/english/menue.htm www.itsec.gov.uk csrc.nist.gov/cc/ 2 IT Audit Methodologies Main Areas of Use IT Audits Risk Analysis Health Checks (Security Benchmarking) Security Concepts Security Manuals / Handbooks iCorpCo 3 IT Audit Methodologies Security Definition Confidentiality Integrity Correctness Completeness Availability iCorpCo 4 IT Audit Methodologies CobiT Governance, Control & Audit for IT Developed by ISACA Releases CobiT 1: 1996 32 Processes 271 Control Objectives CobiT 2: 1998 34 Processes 302 Control Objectives iCorpCo 5 IT Audit Methodologies CobiT - Model for IT Governance 36 Control models used as basis: Business control models (e.g. COSO) IT control models (e.g. DTI‘s CoP) CobiT control model covers: Security (Confidentiality, Integrity, Availability) Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information) IT Resources (Data, Application Systems, Technology, Facilities, People) iCorpCo 6 IT Audit Methodologies CobiT - Framework iCorpCo 7 IT Audit Methodologies CobiT - Structure 4 Domains PO - Planning & Organisation 11 AI - Acquisition & Implementation 6 DS processes (high-level control objectives) - Delivery & Support 13 M processes (high-level control objectives) - Monitoring 4 iCorpCo processes (high-level control objectives) processes (high-level control objectives) 8 IT Audit Methodologies PO - Planning and Organisation PO 1 PO 2 PO 3 PO 4 PO 5 PO 6 PO 7 PO 8 PO 9 PO 10 PO 11 iCorpCo Define a Strategic IT Plan Define the Information Architecture Determine the Technological Direction Define the IT Organisation and Relationships Manage the IT Investment Communicate Management Aims and Direction Manage Human Resources Ensure Compliance with External Requirements Assess Risks Manage Projects Manage Quality 9 IT Audit Methodologies AI - Acquisition and Implementation AI 1 Identify Solutions AI 2 AI 3 AI 4 AI 5 AI 6 Acquire and Maintain Application Software Acquire and Maintain Technology Architecture Develop and Maintain IT Procedures Install and Accredit Systems Manage Changes iCorpCo 10 IT Audit Methodologies DS - Delivery and Support DS 1 DS 2 DS 3 DS 4 DS 5 DS 6 DS 7 DS 8 DS 9 DS 10 DS 11 DS 12 DS 13 iCorpCo Define Service Levels Manage Third-Party Services Manage Performance and Capacity Ensure Continuous Service Ensure Systems Security Identify and Attribute Costs Educate and Train Users Assist and Advise IT Customers Manage the Configuration Manage Problems and Incidents Manage Data Manage Facilities Manage Operations 11 IT Audit Methodologies M - Monitoring M1 Monitor the Processes M2 M3 M4 Assess Internal Control Adequacy Obtain Independent Assurance Provide for Independent Audit iCorpCo 12 IT Audit Methodologies CobiT - IT Process Matrix Information Criteria IT Resources Effectiveness Efficiency Confidentiality Integrity Availability Compliance Reliability People Applications Technology Facilities Data IT Processes iCorpCo 13 IT Audit Methodologies CobiT - Summary Mainly used for IT audits, incl. security aspects No detailed evaluation methodology described Developed by international organisation (ISACA) Up-to-date: Version 2 released in 1998 Only high-level control objectives described Detailed IT control measures are not documented Not very user friendly - learning curve! Evaluation results not shown in graphic form iCorpCo 14 IT Audit Methodologies CobiT - Summary May be used for self assessments Useful aid in implementing IT control systems No suitable basis to write security handbooks CobiT package from ISACA: $ 100.- 3 parts freely downloadable from ISACA site Software available from Methodware Ltd., NZ (www.methodware.co.nz) CobiT Advisor iCorpCo 2nd edition: 15 US$ 600.-IT Audit Methodologies BS 7799 - CoP Code of Practice for Inform. Security Manag. Developed by UK DTI, BSI: British Standard Releases CoP: 1993 BS 7799: Part 1: 1995 BS 7799: Part 2: 1998 Certification & Accreditation scheme iCorpCo 16 (c:cure) IT Audit Methodologies BS 7799 - Security Baseline Controls 10 control categories 32 control groups 109 security controls 10 security key controls iCorpCo 17 IT Audit Methodologies BS 7799 - Control Categories Information security policy Security organisation Assets classification & control Personnel security Physical & environmental security Computer & network management iCorpCo 18 IT Audit Methodologies BS 7799 - Control Categories System access control Systems development & maintenance Business continuity planning Compliance iCorpCo 19 IT Audit Methodologies BS7799 - 10 Key Controls Information security policy document Allocation of information security responsibilities Information Reporting Virus iCorpCo security education and training of security incidents controls 20 IT Audit Methodologies BS7799 - 10 Key Controls Business Control continuity planning process of proprietary software copying Safeguarding Data protection Compliance iCorpCo of organizational records with security policy 21 IT Audit Methodologies BS7799 - Summary Main use: Security Concepts & Health Checks No evaluation methodology described British Standard, developed by UK DTI Certification scheme in place (c:cure) BS7799, Part1, 1995 is being revised in 1999 Lists 109 ready-to-use security controls No detailed security measures described Very user friendly - easy to learn iCorpCo 22 IT Audit Methodologies BS7799 - Summary Evaluation results not shown in graphic form May be used for self assessments BS7799, Part1: £ 94.- BS7799, Part2: £ 36.- BSI Electronic book of Part 1: £ 190.-- + VAT Several BS7799 c:cure publications from BSI CoP-iT software from SMH, UK: £349+VAT (www.smhplc.com) iCorpCo 23 IT Audit Methodologies BSI (Bundesamt für Sicherheit in der Informationstechnik) IT Baseline Protection Manual (IT- Grundschutzhandbuch ) Developed by German BSI (GISA: German Information Security Agency) Releases: IT security manual: 1992 IT baseline protection manual: 1995 New versions (paper and CD-ROM): each year iCorpCo 24 IT Audit Methodologies BSI - Approach iCorpCo 25 IT Audit Methodologies BSI - Approach Used to determine IT security measures for medium-level protection requirements Straight forward approach since detailed risk analysis is not performed Based on generic & platform specific security requirements detailed protection measures are constructed using given building blocks List of assembled security measures may be used to establish or enhance baseline protection iCorpCo 26 IT Audit Methodologies BSI - Structure IT security measures 7 areas 34 modules (building blocks) Safeguards 6 categories of security measures Threats 5 catalogue catalogue categories of threats iCorpCo 27 IT Audit Methodologies BSI - Security Measures (Modules) Protection for generic components Infrastructure Non-networked systems LANs Data transfer systems Telecommunications Other IT components iCorpCo 28 IT Audit Methodologies BSI - Generic Components 3.1 Organisation 3.2 Personnel 3.3 Contingency Planning 3.4 Data Protection iCorpCo 29 IT Audit Methodologies BSI - Infrastructure 4.1 Buildings 4.2 Cabling 4.3 Rooms 4.3.1 Office 4.3.2 Server Room 4.3.3 Storage Media Archives 4.3.4 Technical Infrastructure Room 4.4 Protective cabinets 4.5 Home working place iCorpCo 30 IT Audit Methodologies BSI - Non-Networked Systems 5.1 DOS PC (Single User) 5.2 UNIX System 5.3 Laptop 5.4 DOS PC (multiuser) 5.5 Non-networked Windows NT computer 5.6 PC with Windows 95 5.99 Stand-alone IT systems iCorpCo 31 IT Audit Methodologies BSI - LANs 6.1 Server-Based Network 6.2 Networked Unix Systems 6.3 Peer-to-Peer Network 6.4 Windows NT network 6.5 Novell Netware 3.x 6.6 Novell Netware version 4.x 6.7 Heterogeneous networks iCorpCo 32 IT Audit Methodologies BSI - Data Transfer Systems 7.1 Data Carrier Exchange 7.2 Modem 7.3 Firewall 7.4 E-mail iCorpCo 33 IT Audit Methodologies BSI - Telecommunications 8.1 Telecommunication system 8.2 Fax Machine 8.3 Telephone Answering Machine 8.4 LAN integration of an IT system via ISDN iCorpCo 34 IT Audit Methodologies BSI - Other IT Components 9.1 Standard Software 9.2 Databases 9.3 Telecommuting iCorpCo 35 IT Audit Methodologies BSI - Module „Data Protection“ (3.4) Threats - Technical failure: T 4.13 Loss of stored data Security Measures - Contingency planning: S 6.36 Stipulating a minimum data protection concept S 6.37 Documenting data protection procedures S 6.33 Development of a data protection concept (optional) S 6.34 Determining the factors influencing data protection (optional) S 6.35 Stipulating data protection procedures (optional) S 6.41 Training data reconstruction Security Measures - Organisation: S 2.41 Employees' commitment to data protection S 2.137Procurement of a suitable data backup system iCorpCo 36 IT Audit Methodologies BSI - Safeguards (420 safeguards) S1 - Infrastructure ( 45 safeguards) S2 - Organisation (153 safeguards) S3 - Personnel ( 22 safeguards) S4 - Hardware & Software ( 83 safeguards) S5 - Communications ( 62 safeguards) S6 - Contingency Planning ( 55 safeguards) iCorpCo 37 IT Audit Methodologies BSI - S1-Infrastructure (45 safeguards) S 1.7 S 1.10 Use of safety doors S 1.17 Entrance control service S 1.18 Intruder and fire detection devices S 1.27 Air conditioning S 1.28 Local uninterruptible power supply [UPS] S 1.36 Safekeeping of data carriers before and after dispatch iCorpCo Hand-held fire extinguishers 38 IT Audit Methodologies BSI - Security Threats (209 threats) T1 - Force Majeure (10 threats) T2 - Organisational Shortcomings (58 threats) T3 - Human Errors (31 threats) T4 - Technical Failure (32 threats) T5 - Deliberate acts (78 threats) iCorpCo 39 IT Audit Methodologies BSI - T3-Human Errors (31 threats) T 3.1 Loss of data confidentiality/integrity as a result of IT user error T 3.3 Non-compliance with IT security measures T 3.6 Threat posed by cleaning staff or outside staff T 3.9 Incorrect management of the IT system T 3.12 Loss of storage media during transfer T 3.16 Incorrect administration of site and data access rights T 3.24 Inadvertent manipulation of data T 3.25 Negligent deletion of objects iCorpCo 40 IT Audit Methodologies BSI - Summary Main use: Security concepts & manuals No evaluation methodology described Developed by German BSI (GISA) Updated version released each year Lists 209 threats & 420 security measures 34 modules cover generic & platform specific security requirements iCorpCo 41 IT Audit Methodologies BSI - Summary User friendly with a lot of security details Not suitable for security risk analysis Results of security coverage not shown in graphic form Manual in HTML format on BSI web server Manual in Winword format on CD-ROM (first CD free, additional CDs cost DM 50.-- each) Paper copy of manual: DM 118.- Software ‚BSI Tool‘ (only in German): DM 515.-iCorpCo 42 IT Audit Methodologies ITSEC, Common Criteria ITSEC: IT Security Evaluation Criteria Developed by UK, Germany, France, Netherl. and based primarily on USA TCSEC (Orange Book) Releases ITSEC: 1991 ITSEM: 1993 (IT Security Evaluation Manual) UK IT Security Evaluation & Certification scheme: 1994 iCorpCo 43 IT Audit Methodologies ITSEC, Common Criteria Common Criteria (CC) Developed by USA, EC: based on ITSEC ISO International Standard Releases CC 1.0: 1996 CC 2.0: 1998 ISO IS 15408: 1999 iCorpCo 44 IT Audit Methodologies ITSEC - Methodology Based on systematic, documented approach for security evaluations of systems & products Open ended with regard to defined set of security objectives ITSEC Functionality classes; e.g. FC-C2 CC protection profiles Evaluation steps: Definition of functionality Assurance: confidence in functionality iCorpCo 45 IT Audit Methodologies ITSEC - Functionality Security objectives (Why) Risk analysis (Threats, Countermeasures) Security policy Security enforcing functions (What) technical & non-technical Security mechanisms (How) Evaluation levels iCorpCo 46 IT Audit Methodologies ITSEC - Assurance Goal: Confidence in functions & mechanisms Correctness Construction (development process & environment) Operation (process & environment) Effectiveness Suitability analysis Strength of mechanism analysis Vulnerabilities (construction & operation) iCorpCo 47 IT Audit Methodologies CC - Security Concept iCorpCo 48 IT Audit Methodologies CC - Evaluation Goal iCorpCo 49 IT Audit Methodologies CC - Documentation CC Part 3 Assurance Requirements CC Part 2 * Assurance Classes Functional Requirements * Assurance Families CC Part 1 * Functional Classes Introduction and Model * Functional Families * Assurance Components * Introduction to Approach * Functional Components * Detailed Requirements * Terms and Model * Detailed Requirements * Evaluation Assurance Levels (EAL) * Requirements for Protection Profiles (PP) and Security Targets (ST) iCorpCo 50 IT Audit Methodologies CC - Security Requirements Functional Requirements Assurance Requirements - for defining security behavior of the IT product or system: • implemented requirements become security functions - for establishing confidence in Security Functions: • correctness of implementation • effectiveness in satisfying objectives iCorpCo 51 IT Audit Methodologies CC - Security Functional Classes Class Name FAU FCO FCS FDP FIA FMT FPR FPT FRU FTA FTP Audit Communications Cryptographic Support User Data Protection Identification & Authentication Security Management Privacy Protection of TOE Security Functions Resource Utilization TOE (Target Of Evaluation) Access Trusted Path / Channels iCorpCo 52 IT Audit Methodologies CC - Security Assurance Classes Class Name ACM ADO ADV AGD ALC ATE AVA APE ASE AMA Configuration Management Delivery & Operation Development Guidance Documents Life Cycle Support Tests Vulnerability Assessment Protection Profile Evaluation Security Target Evaluation Maintenance of Assurance iCorpCo 53 IT Audit Methodologies CC - Eval. Assurance Levels (EALs) EAL Name EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7 Functionally Tested Structurally Tested Methodically Tested & Checked Methodically Designed, Tested & Reviewed Semiformally Designed & Tested Semiformally Verified Design & Tested Formally Verified Design & Tested *TCSEC C1 C2 B1 B2 B3 A1 *TCSEC = “Trusted Computer Security Evaluation Criteria” --”Orange Book” iCorpCo 54 IT Audit Methodologies ITSEC, CC - Summary Used primarily for security evaluations and not for generalized IT audits Defines evaluation methodology Based on International Standard (ISO 15408) Certification scheme in place Updated & enhanced on a yearly basis Includes extensible standard sets of security requirements (Protection Profile libraries) iCorpCo 55 IT Audit Methodologies ITSEC, CC - Summary Allows to determine confidence level in planned resp. implemented security Evaluation results not shown in graphic form Not very user friendly - learning curve! Detailed documentation in electronic PDF format freely available on web server iCorpCo 56 IT Audit Methodologies Comparison of Methods - Criteria Standardisation Independence Certifiability Applicability in practice Adaptability iCorpCo 57 IT Audit Methodologies Comparison of Methods - Criteria Extent of Scope Presentation of Results Efficiency Update frequency Ease of Use iCorpCo 58 IT Audit Methodologies Comparison of Methods - Results CobiT BS 7799 Standardisation 3.4 3.3 Independence 3.3 3.6 Certifyability 2.7 3.3 Applicability in practice 2.8 3.0 Adaptability 3.3 2.8 Extent of Scope 3.1 2.9 Presentation of Results 1.9 2.2 Efficiency 3.0 2.8 Update frequency 3.1 2.4 Ease of Use 2.3 2.7 BSI ITSEC/CC 3.1 3.9 3.5 3.9 3.0 3.7 3.1 2.5 3.3 3.0 2.7 2.6 2.6 1.7 3.0 2.5 3.4 2.8 2.8 2.0 Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC from H.P. Winiger iCorpCo 59 IT Audit Methodologies CobiT - Assessment iCorpCo 60 IT Audit Methodologies BS 7799 - Assessment iCorpCo 61 IT Audit Methodologies BSI - Assessment iCorpCo 62 IT Audit Methodologies ITSEC/CC - Assessment iCorpCo 63 IT Audit Methodologies Use of Methods for IT Audits CobiT: Audit method for all IT processes ITSEC, CC: Systematic approach for evaluations BS7799, BSI: List of detailed security measures to be used as best practice documentation Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.) What is needed in addition: Audit concept (general aspects, infrastructure audits, application audits) iCorpCo 64 IT Audit Methodologies
© Copyright 2024