5.4 it security audit (mauritius)
Transcript of 5.4 it security audit (mauritius)
1. IT Security Audit of Information Systems
M. Imran Ameerally, Project Manager, IT Security Unit
Ministry of Information and Communication Technology
22 April 2010
2. Agenda
- About IT Security Unit
- Types of Audits Conducted
- Companies Division Audit
- Audit Tasks
- Audit Deliverables
- Overview of Audit Findings
- Benefits of the Audit
3. About IT Security Unit (I)
- Objectives
  - To implement Government policies with regard to IT Security
  - To assist Ministries/Departments in the implementation of security standards
  - To disseminate information on IT security
  - To carry out security audits
4. About IT Security Unit (II)
- Strategic Activity Areas for IT Security Unit:
  - ISO Information Security Standards
  - IT Security Audits of Government Systems
  - Security Awareness and Promotion
  - Develop Security Policies and Guidelines
  - Advisory Service to Ministries and Departments on IT Security
5. Types of Audits Conducted (I)
- ISO/IEC 27001 Internal Audits
  - Part of the certification process
- Information Security Assessments
  - Complete or partial, to establish the security posture of the organisation
- In House Security Audits
- Outsourced Security Audits
6. Types of Audits Conducted (II)
- In House Security Audits
  - Target: Ministries and Departments with IT infrastructure of basic to medium complexity
  - Scope: Key components of the IT infrastructure
    - Servers and network devices
    - Representative sample of PCs in use at the organisation
7. Types of Audits Conducted (III)
- In House Security Audits
  - Approach
    - Conducted by IT Security Unit staff
    - Use of an industry standard vulnerability assessment toolset
  - Outcome
    - Report on vulnerabilities identified and recommendations
    - Recommendations implemented by Ministries/Departments
8. Types of Audits Conducted (IV)
- Outsourced Audits
  - Target: Highly complex and critical Information Systems of the Government
  - Audits undertaken by consultants following a tendering exercise
  - IT Security Unit manages the project
  - Post Audit Implementation Committee set up with various stakeholders to implement audit recommendations
9. Companies Division Audit
- Outsourced audit conducted by external consultants in December 2008
- Scope
  - Includes all components of the Information System: application software, middleware, database, operating system, hardware and network infrastructure
  - All interfaces to/from remote applications
10. Audit Tasks (I)
- Task 1
  - Identify vulnerabilities of the information system and rate them in terms of risk level (e.g. High, Medium and Low)
  - Perform checks regarding:
    - Adequacy of logical security controls to protect data from unauthorised access
    - Effectiveness of all interfaces with remote applications
11. Audit Tasks (II)
    - Adequacy of input, processing and output controls to ensure data integrity
    - Adequacy of physical access controls for the Information System
    - Determine areas that may be susceptible to fraud and assess the adequacy of related controls
    - Assess the availability and performance of the Information System and the mechanisms used for their monitoring
12. Audit Tasks (III)
    - Assessment of all applicable domains/controls as listed in ISO/IEC 27001
- Task 2
  - Propose measures to address each vulnerability identified, together with the implementation timeframe and related cost estimates, through a risk mitigation strategy
    - Technical or operational measures
13. Audit Tasks (IV)
- Task 3
  - Elaborate a Security Policy for the Information System which includes ISO/IEC 27001 controls
- Task 4
  - Elaborate an IT Contingency Plan (ITCP) for the Information System
14. Audit Tasks (V)
- Task 5
  - Provide a transfer of knowledge gained from the IT Security Audit to selected staff
  - Allow technical IT staff to become fully acquainted with the tools used for the audit and the methodology applied
  - A standard small-scale sample application is used for hands-on practice with auditing tools and techniques, followed by analysis and interpretation of the results
15. Audit Deliverables (I)
- Audit deliverables to be submitted at the end of each phase of the Audit
- Audit broken into 3 phases
  - Phase 1: Planning the Audit
  - Phase 2: Performing the Audit Work
  - Phase 3: Reporting Audit Results
16. Audit Deliverables (II)
- Phase 1: Planning the Audit
  - Inception Report, which includes the following:
    - Agreed methodology to be used for assessing the risk areas and conducting the audit
    - Detailed workplan for conducting tasks 1 to 5
    - Approach to be used for providing the transfer of knowledge
17. Audit Deliverables (III)
- Phase 2: Performing the Audit Work
  - Draft Audit Report, which includes the following:
    - Methodology used for assessing the risk areas and conducting the audit
    - Tests performed and tools/software used during the exercise
    - Weaknesses found and areas of risk identified, with a clear indication of the severity
18. Audit Deliverables (IV)
    - Time-bound corrective action proposed (short and long term) with procurement details (i.e. specifications and cost estimates) where applicable
    - Draft Security Policy for the Information System
    - Draft IT Contingency Plan for the Information System
  - Weekly status meetings to review findings
19. Audit Deliverables (V)
- Phase 3: Reporting Audit Results
  - Final IT Security Audit Report, which contains all reportable issues (findings)
  - Report must be comprehensive and include the following information:
    - Executive Summary, detailing the significant issues (findings) and a high-level corrective action plan
    - Scope of the IT Security Audit
    - Objectives
20. Audit Deliverables (VI)
    - Methodology used for assessing the risk areas and conducting the audit
    - Tests performed and tools/software used during the exercise
    - Audit results which address the audit objectives, including detailed information on weaknesses found and areas of risk identified, with a clear indication of the severity of the findings
21. Audit Deliverables (VII)
    - Time-bound corrective action proposed (short and long term) with procurement details (i.e. specifications and cost estimates) where applicable, including recommendation of measures to strengthen the security of the Information System
    - Final Security Policy document for the Information System
    - Final IT Contingency Plan
22. Overview of Audit Findings (I)
- Findings broken into 3 categories
  - Application Security
  - Network and System Security
  - Physical Security

| Severity Rating | Basis of giving severity rating | Recommended timeframe to fix |
|---|---|---|
| High | Privileged access or severe impact on system operation | Immediate |
| Medium | Hacker may gain limited user or network level access | Within 1 month |
| Low | Minimal possibility for hacker to gain access to resources | Within 6 months |

23. Overview of Audit Findings (II)
- Some examples:
- Application Security
  - Configuration of Application Server to be strengthened
  - Input validation to be implemented for all data input
  - Define user access roles
  - Do not allow simultaneous logins of the same user
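The last two application-security recommendations above (defined user access roles, no simultaneous logins of the same user) are the kind of control an auditor would expect to see enforced server-side rather than in the browser. The following is an added example, not code from the presentation or from the Companies Division system: a small session store that refuses a second concurrent login for a user whose session is still live, times idle sessions out, and checks each action against the user's role. The role model, user directory, idle timeout and the `FakeClock` used to exercise expiry are all constructed for the demonstration.

```python
"""Single-session-per-user enforcement with role-based action checks.

Added example (not from the audit presentation). The roles, users, timeout
and clock below are constructed so the block runs offline.
"""
import secrets
import time

# Constructed role model: role name -> set of permitted actions.
ROLE_PERMISSIONS = {
    "clerk": {"view_company", "file_return"},
    "registrar": {"view_company", "file_return", "approve_registration"},
    "auditor": {"view_company"},
}

# Constructed user directory: username -> role.
USER_ROLES = {"alice": "registrar", "bob": "clerk", "carol": "auditor"}

SESSION_TTL_SECONDS = 900  # constructed idle timeout (15 minutes)


class FakeClock:
    """Constructed clock so expiry can be exercised without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class SessionStore:
    """Tracks live sessions; at most one live session per username."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}     # token -> (username, last_activity)
        self._active_user = {}  # username -> token of its live session

    def _drop(self, token):
        user, _ = self._sessions.pop(token)
        if self._active_user.get(user) == token:
            del self._active_user[user]

    def _expire_stale(self):
        """Remove sessions idle for longer than the timeout."""
        now = self._clock()
        for token, (_, last_seen) in list(self._sessions.items()):
            if now - last_seen > SESSION_TTL_SECONDS:
                self._drop(token)

    def login(self, username):
        """Return a fresh session token, or None if refused.

        Refused for unknown users and for users who already hold a live
        session (the 'no simultaneous logins' control)."""
        if username not in USER_ROLES:
            return None
        self._expire_stale()
        if username in self._active_user:
            return None
        token = secrets.token_urlsafe(32)  # unguessable session identifier
        self._sessions[token] = (username, self._clock())
        self._active_user[username] = token
        return token

    def logout(self, token):
        if token in self._sessions:
            self._drop(token)

    def authorize(self, token, action):
        """True only if the token is live and the user's role permits action."""
        self._expire_stale()
        entry = self._sessions.get(token)
        if entry is None:
            return False
        user, _ = entry
        self._sessions[token] = (user, self._clock())  # refresh idle timer
        return action in ROLE_PERMISSIONS[USER_ROLES[user]]


def demo():
    """Walk through the controls and return the observed outcomes."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    first = store.login("alice")            # registrar logs in
    second = store.login("alice")           # refused: session still live
    can_approve = store.authorize(first, "approve_registration")
    clerk = store.login("bob")
    clerk_approve = store.authorize(clerk, "approve_registration")
    clock.advance(SESSION_TTL_SECONDS + 1)  # both sessions idle out
    after_expiry = store.login("alice")     # allowed again
    return {
        "first_login_ok": first is not None,
        "second_login_refused": second is None,
        "registrar_can_approve": can_approve,
        "clerk_can_approve": clerk_approve,
        "login_after_expiry_ok": after_expiry is not None,
        "old_token_still_valid": store.authorize(first, "view_company"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The idle timeout matters for the single-session rule: without it, a user whose browser crashed would be locked out until an administrator cleared the stale session, which in practice pushes operators to disable the control. Refreshing the timer on every authorized action keeps the window short without penalising active users.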
24. Overview of Audit Findings (III)
- Network and System Security
  - Use of strong passwords
  - Hardening of Operating System
  - Use of a legal banner
  - Enable auditing on systems
- Physical Security
  - Strengthen entry controls in high security areas
25. Benefits of the Audit (I)
- Health check of the Information System from a security perspective:
  - Physical, Network and Application levels
- Security policy endorsed by top management of CD (Companies Division) that provides a framework for implementing security procedures and guidelines
26. Benefits of the Audit (II)
- Availability of an IT Contingency Plan to be followed in case of IT failure/disruption
  - Documented procedures
- Physical security strengthened and physical access control implemented
27. Benefits of the Audit (III)
- Post Audit Implementation Committee
  - Corrective Action Plan elaborated
  - Cross-functional team of different stakeholders set up to monitor, review, maintain and continuously improve the information system
  - Several working sessions held where implementation of audit recommendations is closely monitored
28. Benefits of the Audit (IV)
- Ultimately
  - Enhanced security posture of the Information System
  - Information System is less vulnerable
  - A process is in place to identify vulnerabilities, reduce threats, manage risks and act in case the Information System is impacted
29.
- Thank you