Audit of IT infrastructure

Audit of IT infrastructure Hardware, Network and Telecommunications Devices




Page 1: Audit of it infrastructure

Audit of IT infrastructure

Hardware, Network and Telecommunications Devices

Page 2: Audit of it infrastructure

What is IT Audit

• Examination of the controls within an Information Technology (IT) infrastructure.

• Process of collecting and evaluating evidence of an organization's IT infrastructure.

• Understanding and evaluating each control.

• Assess compliance.

• Substantiate the risk of controls not being met.

Page 3: Audit of it infrastructure

Why IT Audit?

• Ensuring servers are properly configured for both efficiency and security.

• Looking for hardware-specific productivity drains.

• Obtain an asset listing of all hardware.

• Looking for causes of frequent problems.

• Ensuring backup systems are adequate, monitored, and tested regularly.

• Determining risks to information assets.

• Assessing controls in order to reduce or mitigate these risks.

Page 4: Audit of it infrastructure

Objectives of IT Audit?

• Continuity (consistent reliability and availability of systems: back-up and ability to recover)

• Management and Maintenance (additions, change procedures, upgrades, and documentation)

• Security (appropriate physical and logical access to network devices and hosts)

Page 5: Audit of it infrastructure

Perspectives of IS Audit

Page 6: Audit of it infrastructure

ISACA - CobiT

• Generally applicable and accepted international standard for good practices for IT controls

• Based on ISACA’s existing Control Objectives

• Three specific audiences: management, users, and auditors.

Page 7: Audit of it infrastructure

ISACA - CobiT

• Provides detailed Audit Guidelines for auditors to follow in performing information systems audits

• Audit Guidelines provide a complementary tool to enable the easy application of the Framework and Control Objectives within audit activities

• Objectives of auditing:

1. Provide management with reasonable assurance that control objectives are being met

2. Where there are significant control weaknesses, substantiate the resulting risks

3. Advise management on corrective actions needed

Page 8: Audit of it infrastructure

ISO/IEC 27001:2005

• International Organisation for Standardization

• International Electrotechnical Commission

• Provides a model for
– Establishing
– Implementing
– Operating
– Monitoring
– Reviewing and
– Improving
an Information Security Management System (ISMS)

Page 9: Audit of it infrastructure

ISO/IEC 27001:2005

• PDCA model
– Plan: Establish the ISMS
– Do: Implement and operate the ISMS
– Check: Monitor and review the ISMS
– Act: Maintain and improve the ISMS

Page 10: Audit of it infrastructure

ISO/IEC 27001:2005

• Control Objectives

– Control: The policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected

– Control Objective: A statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity

Page 11: Audit of it infrastructure

ISO/IEC 27001:2005

A.5 Security policy

A.5.1 Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.

A.5.1.1 Information security policy document
Control: An information security policy document has been approved by management, and published and communicated to all employees and relevant external parties. The latest version of this document is available for all employees on the ABC Company’s internal network.

A.5.1.2 Review of the information security policy
Control: The information security policy is being reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.

Page 12: Audit of it infrastructure

ISO/IEC 27001:2005

A.7 Asset management

A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.

A.7.1.1 Inventory of assets
Control: All assets are clearly identified and an inventory of all important assets drawn up and maintained. The Classification of Assets is as per the guidelines laid out in the Procedure on Risk Assessment. Rules of classification take asset value and importance into account. A list of assets including the owner and relevant details is kept with the respective functional departments. Additional asset details are maintained by the Admin Department for the purposes of audit and keeping track of assets.

A.7.1.2 Ownership of assets
Control: All information and assets associated with information processing facilities are ‘owned’ by a designated part of the organization.

A.7.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and assets associated with information processing facilities are identified, documented, and implemented.

Page 13: Audit of it infrastructure

Information Systems Hardware Infrastructure

Page 14: Audit of it infrastructure

Auditing Hardware

• Hardware asset listing (for your accounting/budgeting and equipment lifecycle planning).

• Analysis of Environmental conditions for equipment including heat and power protection.

• Network design analysis and network diagram (improves support response times with your IT provider).

• Report on appropriateness of hardware in all PC-based equipment (and how that impacts performance).

Page 15: Audit of it infrastructure

Auditing Hardware

• Report on server hardware appropriateness, performance, levels of redundancy (and any associated risks).

• Analysis of server configuration (and any areas not done properly, and if/why they are important).

• Security analysis on multiple levels.

• Backup systems: hardware, software, data sets, disaster readiness and risks.

Page 16: Audit of it infrastructure

ISO/IEC 27001:2005

A.9.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services are protected from interception or damage.

A.9.2.4 Equipment maintenance
Control: Equipment is correctly maintained to ensure its continued availability and integrity.

A.10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.

A.10.6.1 Network controls
Control: Networks are adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.

A.10.6.2 Security of network services
Control: Security features, service levels, and management requirements of all network services are identified and included in any network services agreement, whether these services are provided in-house or outsourced.

Page 17: Audit of it infrastructure

A.11.4 Network access control
Objective: To prevent unauthorized access to networked services.

A.11.4.1 Policy on use of network services
Users shall only be provided with access to the services that they have been specifically authorized to use.

A.11.4.2 User authentication for external connections
Appropriate authentication methods shall be used to control access by remote users.

A.11.4.3 Equipment identification in the network
Automatic equipment identification is considered as a means to authenticate connections from specific locations and equipment.

A.11.4.4 Remote diagnostic and configuration port protection
Physical and logical access to diagnostic and configuration ports shall be controlled.

A.11.4.5 Segregation in networks
Groups of information services, users, and information systems are segregated on networks.

A.11.4.6 Network connection control
For shared networks, especially those extending across the organization’s boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.

A.11.4.7 Network routing control
Routing controls are implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.

Page 18: Audit of it infrastructure

Information Systems Network & Telecommunication Infrastructure

Page 19: Audit of it infrastructure

Auditing Networks

Page 20: Audit of it infrastructure

Network Vulnerabilities & Controls

Page 21: Audit of it infrastructure

Auditing Networks

• Review network policies and procedures

• Review network diagrams (layer 1 & 2), design, and walk-through; list of network equipment and IP address list

• Verify diagrams with Ping and Trace Route

• Review utilization, trouble reports & helpdesk procedures
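One way to carry out the "verify diagrams with Trace Route" step without doing it by eye. This is an added example, not from the original slides: the diagram path and the traceroute -n capture are both constructed, and the hop addresses are placeholders.

```python
import re

# Constructed layer-3 path taken from the network diagram: workstation gateway,
# core router, site router, file server (placeholder addresses).
DIAGRAM_PATH = ["10.10.1.1", "10.0.0.1", "10.20.1.1", "10.20.1.50"]

# Constructed 'traceroute -n' capture toward the file server; not a real network.
TRACEROUTE_OUTPUT = """\
traceroute to 10.20.1.50 (10.20.1.50), 30 hops max, 60 byte packets
 1  10.10.1.1  0.412 ms  0.380 ms  0.371 ms
 2  10.0.0.1  1.104 ms  1.090 ms  1.071 ms
 3  172.16.5.2  2.310 ms  2.290 ms  2.255 ms
 4  * * *
 5  10.20.1.1  2.980 ms  2.950 ms  2.931 ms
 6  10.20.1.50  3.412 ms  3.390 ms  3.377 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)")


def parse_traceroute(output):
    """Return hop addresses in order; a hop that did not answer is recorded as '*'."""
    hops = []
    for line in output.splitlines()[1:]:      # skip the banner line
        m = HOP_RE.match(line)
        if m:
            hops.append(m.group(2))
    return hops


def compare_path(expected, observed):
    """Reconcile the diagram against the observed path.

    undocumented: hops seen on the wire that the diagram does not show
    missing:      diagram hops that never appeared in the trace
    silent:       hop numbers that did not answer and need a manual check
    order_ok:     the documented hops were traversed in the documented order
    """
    answered = [h for h in observed if h != "*"]
    return {
        "undocumented": [h for h in answered if h not in expected],
        "missing": [h for h in expected if h not in answered],
        "silent": [i + 1 for i, h in enumerate(observed) if h == "*"],
        "order_ok": [h for h in answered if h in expected] == expected,
    }


def audit_path():
    """Run the reconciliation on the constructed sample data."""
    return compare_path(DIAGRAM_PATH, parse_traceroute(TRACEROUTE_OUTPUT))
```

An undocumented hop is exactly the kind of device the later "identify the paths and equipment used to navigate the network" step is meant to surface; a silent hop needs a walk-through rather than an assumption.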

Page 22: Audit of it infrastructure

Auditing Networks

• Probe systems (Netscan tools and Portscanner)

• Interview network vendors, users, and network technicians

• Review software settings on network equipment

• Inspect computer room and network locations

• Evaluate back-up and operational procedures

• Identify the paths and equipment used to navigate the network

• Identify TCP/IP infrastructure areas of concern

Page 23: Audit of it infrastructure

Auditing Networks

• Break into manageable pieces

• Every network is different and the components and risks must be fully understood

• Identify risks and prioritize

• Dedicate more upfront planning

• RELAX !! It’s not that bad !

Page 24: Audit of it infrastructure

Routers

• Inappropriate addresses or dangerous protocols accessing hosts/servers

• Inappropriate addresses conducting router maintenance

• Unauthenticated or trusted services used for maintenance

• Damaged router/network device configuration

Page 25: Audit of it infrastructure

Routers

• Failed upgrades or changes

• Not capturing network events

• Default passwords and clear text passwords transmitted over the network

• No console password
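The router weaknesses on the two slides above can be checked mechanically from an exported configuration. The following is an added example, not from the original slides: the configuration is a constructed IOS-style sample, the default-password list is constructed, and the syslog address is a placeholder.

```python
import re

# Constructed IOS-style configuration used as sample input; not from a real device.
WEAK_CONFIG = """\
enable password cisco
no service password-encryption
line con 0
 login
line vty 0 4
 password letmein
 transport input telnet ssh
 login
"""

DEFAULT_PASSWORDS = {"cisco", "admin", "password"}   # constructed list of vendor defaults
PASSWORD_RE = re.compile(r"^(?:enable )?password (?:\d )?(\S+)$")


def parse_config(config):
    """Split the config into top-level commands and the sub-commands of each 'line' section."""
    top, sections, current = [], {}, None
    for raw in config.splitlines():
        if raw.startswith(" ") and current:
            sections[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            sections[current] = []
        elif raw.strip() and not raw.startswith("!"):
            current = None
            top.append(raw.strip())
    return top, sections


def audit_router_config(config):
    """Return findings mapped to the router weaknesses listed on slides 24 and 25."""
    top, sections = parse_config(config)
    con = sections.get("line con 0", [])
    vty = [c for n, cmds in sections.items() if n.startswith("line vty") for c in cmds]
    checks = [  # (finding text, condition that means the control is present)
        ("privileged mode not protected by a hashed enable secret", any(c.startswith("enable secret") for c in top)),
        ("passwords stored in clear text in the configuration", "service password-encryption" in top),
        ("network events not forwarded to a syslog collector", any(c.startswith("logging host") for c in top)),
        ("no console password", any(c.startswith("password ") or c == "login local" for c in con)),
        ("vty lines accept maintenance sessions from any address", any(c.startswith("access-class ") for c in vty)),
        ("telnet enabled: maintenance passwords cross the network in clear text", not any(c.startswith("transport input") and "telnet" in c.split() for c in vty)),
    ]
    findings = [text for text, ok in checks if not ok]
    for c in top + con + vty:
        m = PASSWORD_RE.match(c)
        if m and m.group(1) in DEFAULT_PASSWORDS:
            findings.append("vendor default password in use: " + m.group(1))
    return findings
```

Each finding maps back to a bullet on the slides, so the output can be pasted into the audit working papers; a remediated configuration (hashed enable secret, password encryption, syslog host, console password, access-class and SSH-only on the vty lines) produces an empty list.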

Page 26: Audit of it infrastructure

Firewalls

• Network Address Translation

• Intrusion Detection Systems (IDS)

• Virtual Private Networks (VPN)

• Demilitarised Zone (DMZ)

• Proxy Server

Page 27: Audit of it infrastructure

Firewalls

• Obtain Firewall Security policy

• Identify the services

• Identify logging procedure

• Identify configuration management process

Page 28: Audit of it infrastructure

Firewall

• Review

• Authentication controls

• DMZ

• Procedure for Device administration

• Procedure to review the logs

• Risk Management procedure

• Physical access control to firewall
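Once the firewall security policy has been obtained and the approved services identified (slide 27), the rule base can be compared against it and the logging procedure checked rule by rule. This is an added example, not from the original slides; the zones, the approved-service table and the rule base are all constructed, with documentation-range addresses as placeholders.

```python
import ipaddress
from collections import namedtuple

# Constructed zones and the services the firewall security policy approves per path
# (slide 27: obtain the policy, identify the services, identify the logging procedure).
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}
APPROVED = {
    "internet->dmz": {"tcp/443"},
    "dmz->internal": {"tcp/5432"},
    "internal->internet": {"tcp/80", "tcp/443"},
}
# A rule is src/dst CIDR, service as "proto/port" or "any", action permit/deny, log flag.
Rule = namedtuple("Rule", "name src dst service action log")

# Constructed rule base in evaluation order (not a real firewall).
SAMPLE_RULES = [
    Rule("web-in", "0.0.0.0/0", "192.0.2.10/32", "tcp/443", "permit", True),
    Rule("app-db", "192.0.2.10/32", "10.1.1.5/32", "tcp/5432", "permit", False),
    Rule("mgmt-telnet", "0.0.0.0/0", "10.0.0.0/8", "tcp/23", "permit", True),
    Rule("temp-any", "0.0.0.0/0", "0.0.0.0/0", "any", "permit", False),
    Rule("cleanup", "0.0.0.0/0", "0.0.0.0/0", "any", "deny", True),
]


def zone_of(cidr):
    """Map an address block to its zone, checking the most specific zone first."""
    net = ipaddress.ip_network(cidr)
    return next(z for z in ("internal", "dmz", "internet") if net.subnet_of(ZONES[z]))


def review_rules(rules):
    """Return (rule name, finding) pairs for permit rules that deviate from the policy."""
    findings = []
    for r in rules:
        if r.action != "permit":
            continue                      # deny rules are not policy exceptions
        if not r.log:
            findings.append((r.name, "permitted traffic is not logged"))
        if r.src == "0.0.0.0/0" and r.dst == "0.0.0.0/0" and r.service == "any":
            findings.append((r.name, "any-to-any permit bypasses the policy"))
            continue
        path = f"{zone_of(r.src)}->{zone_of(r.dst)}"
        if r.service not in APPROVED.get(path, set()):
            findings.append((r.name, f"{r.service} on {path} is not an approved service"))
    return findings
```

Each finding names the rule, so it can be traced back through the configuration management process (slide 27) to the change that introduced it.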

Page 29: Audit of it infrastructure

Telecommunication Audit

Page 30: Audit of it infrastructure

Telecommunication Audit

• Assessment of an organization’s telecommunication environment.

• Telecom Audit defines the act of conducting a review, examination and reconciliation of
– Telecom
– Wireless
– Network customer service records
– Invoicing
– Contract agreements
in order to ensure the accuracy of budgetary forecasting.

Page 31: Audit of it infrastructure

Telecommunication Audit

Communications equipment such as
• PBXs
• Voice mail systems
• IVRs
• Telephone lines
• Leased lines
are assessed to determine if they meet current business requirements and if possible alternate solutions should be considered.

Page 32: Audit of it infrastructure