3/6/2017
Carol Rapps 1
Carol Rapps CIA, CISA, CCSA, CRMA, CFE, GLIT
IT AUDITING: From The Ground Up
Carol Rapps CISA, CIA, CCSA, CRMA, GLIT, CFE, ACUA Faculty
[email protected] 210-458-4679
Mohammed (Ali) Subhani CISA, CIA, CNE, ……… [email protected]
Carol Who? CISA, CIA, CCSA, CRMA, CFE, GLIT.....
30+ Years
Started on mainframes
Seen the rise and fall of email
Various Industries
Ali Who? CIA, CISA, GSNA
10+ Years
Masters Accounting & Information Management
Special Interest is Data analytics
Professional Associations
President Elect TACUA
Board of IAA (not to be confused with IIA)
NOW YOU KNOW US
Who Are You & Why Are You Here? • Interview & Present
1. Why did you register for this class and what is your main goal for attending?
2. Do you have a CISA or other IT related certification?
3. How long have you been performing IT Audits?
4. How mature is your IT Audit function (start‐up <2 years, new = 2‐5 yrs, moderate = 5‐8 yrs, mature >8 yrs)?
5. Do you have an IT Audit Universe & standard risk assessment methodology?
6. What are the top 3 IT audits on your current plan?
7. One fact about you that summarizes you as a person FUN….
RULES OF THE GAME(S)
• MYTH or REALITY
– Honesty counts, don’t make me audit your score
• KEY PRINCIPLES
• CASE STUDIES
• TERMINOLOGY / ACRONYM BINGO
AGENDA: Day 1
• Introductions (Carol)
• What is IT/IS, The Universe & Risk Assessment (Carol)
• IT Governance (Carol)
• Intro To Logical Security (Carol)
– AD (Ali)
– UNIX (Carol)
– Oracle (Carol)
– Banner Student (Carol)
AGENDA: Day 2
• Intro Application/Integrated Auditing (Carol)
• Elearn (Ali)
• Data Center (Physical Sec & Envir) (Carol)
• Intro to Networks (Ali)
• Intro to Operating Systems (Ali)
• Terminology Bingo (Both)
AGENDA: Day 3
• Data Analytics (Ali)
• Cloud Computing (Carol)
• Conclusion (Carol)
WHY ARE YOU HERE?
This ought to be good….
IT AUDIT(OR)
• ISACA ‐ IT Audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allows organizational goals to be achieved effectively, and uses resources efficiently.
• KEY TRAITS OF AN IT AUDITOR
– Self‐motivated
– Ability to dig into technical details without getting lost
– Analytical skills (Critical Thinking)
– Communication skills (tech to English, English to tech)
– Ability to learn key concepts of technologies quickly
– Willingness to not touch specific technology daily.
• KNOWLEDGE AN IT AUDITOR NEEDS
– Knowledge of IT (business processes, operations, technical, facilities, etc...)
– Knowledge of IS (business processes, operations, technical, etc…)
– Knowledge of the IT & IS Professional (Geeks)
UNDERSTANDING GEEKS
Baseline article 2008 by Ericka Chickowski
• Geeks are a “self‐selected” group
• The nature of geek work is “different”
• Power is “useless” on geeks
• Geeks are more attached to the “technology” than they are to “you”.
• Geeks are “judgmental”
• Geeks are “introverted”
• Failure is “normal” to geeks
• Geeks at the keyboard “know more” about the technology than their managers do.
• Geeks are “goal‐oriented” not “task‐oriented”
• IT creativity springs from the “environment” not “incentives”
WHAT DO THEY THINK OF AUDITORS?
MYTH or REALITY
IT & IS Professionals can be managed just like other employees?
“IT & IS” A BUSINESS SERVICE
• Objectives
• Governance, Processes/Operations, Infrastructure/Technical, Business Systems/Applications.
KEY PRINCIPLE
YOU CANNOT GOVERN, MANAGE OR SECURE (or Audit) WHAT YOU DON’T KNOW YOU HAVE
IT AUDIT UNIVERSE
LEADERSHIP / GOVERNANCE / MANAGEMENT
Information Technology
• Organizational Management
• IT Asset Management
• IT Funding
• Program/ Project Mgmt
• Decentralized Computing Oversight & Governance
• IT Communications
Information Security
• Program/Org Management
• Data Ownership
• ISA Management
• Purchasing Security Reviews
• PCI‐DSS Compliance
• TAC202 Compliance
BUSINESS PROCESSES
Information Technology
• Data Center Management
• Change Management
• Problem Management / Customer Support
• Job Scheduling
• Backup & Recovery
• Desktop Management
• Student Computing Services (Virtual Labs?)
• Identity / Access Management
• Disaster Recovery Planning
Information Security
• Incident Response & Reporting
• Security Reviews / Auditing
• E‐discovery
• Risk Assessment
• Disaster Recovery Planning
OPERATIONS/INFRASTRUCTURE
The Techie Stuff
Information Technology
• OPERATING SYSTEM MANAGEMENT
– Windows
– Unix / Linux
– Virtual Environments
• NETWORK MANAGEMENT
– Cisco
– Juniper
– Mgmt. Systems (TACACS, Brocade, etc..)
• STORAGE MANAGEMENT
– Tape Management
– Disk (SANs)
• DATABASE MANAGEMENT
– Oracle
– SQL
Information Security
• Vulnerabilities Management
– Penetration Testing
– Malware Avoidance (anti‐virus)
– Patch Monitoring
• Network Monitoring
• Computer Forensics
• Firewall Management & Monitoring
• IDS / IPS
MYTH or REALITY
IT & IS are not the same?
BUSINESS SYSTEMS / APPLICATIONS
• Facilities Mgmt (HVAC)
• Blackboard
• Ellucian Banner Student
• Early Alert System
• Global Advising
• Library Systems
• Cloud Academic Research Platform
• ERP / HR
• Grant Management
• Conflict of Interest
• Financial (PeopleSoft, BANNER)
• Effort Certification
• Parking
• Bookstore
• Cafeteria Mgmt Systems
EXAMPLE DOMAINS
EDUCAUSE
• Admin/Mgmt
• IT Support Services
• Education Technology
• Research Computing Service
• Communications Infrastructure Services
• Enterprise Infrastructure Services
• Information Security
• Information Systems & Applications
• Other
COBIT
• Evaluate, Direct, Monitor (EDM)
• Align, Plan, Organize (APO)
• Build, Acquire, Implement (BAI)
• Deliver, Service, Support (DSS)
• Monitor, Evaluate, Assess (MEA)
YOUR DOMAINS
• Look At Your Organization and IT Org Chart
• Mine
– IT Leadership & Governance
– IT Operations
– IT Infrastructure
– IS Leadership & Governance
– IS Operations
– Research Computing & Applications
– Academic Computing & Applications
– Business Computing & Applications
IT AUDIT UNIVERSE EXERCISE
Part 1
• Template – How It Works
– Columns
– Creating Universe (think domains, categories, scope)
– Risk Assessment Criteria
– Roll‐up to Overall Audit Risk Assessment/Plan
• GET TO WORK (Fill in Template)
– Auditable Areas/Processes (think domains, categories, scope management)
– Risk Assess one domain/category per table (base on one university)
• Present ‐ 1 per table
– Domain/Categories You Used
– Risk for the one Domain/Category You Risk Assessed
BACK AT HOME
• How & Where To Get Information To Complete Universe
– Other Risk Assessments
– External Audits
– Surveys / Interviews
– Brainstorming
– Other Departments
• Planning Your Risk Assessment
– Strategy
– Meetings
• Questions/Comments/Complaints?
MYTH or REALITY
I WILL HAVE TO CONTINUALLY UPDATE MY IT UNIVERSE?
GOVERNANCE
IT GOVERNANCE
A set of processes, strategy, and culture by which the university can make institutional IT decisions to minimize risk, improve the use of limited resources and strategically position the university.
GOVERNANCE RISKS
• IT Position in University Culture / University Politics
• Uninformed decisions
– strategic decisions made with incomplete/inaccurate info
– Non‐strategic decisions
• Communications (lack of)
• Providing Wrong Service (Not a Strategic Partner)
• Providing Poor Service
• Unable To Sustain What is Implemented
• New Technology Introduces Unwarranted or Unacceptable Risk
• Paying Too Much (not leveraging buying power)
BREAK IT DOWN (Simple English)
• WHERE DOES THE UNIVERSITY WANT TO GO?
• WHAT DOES THE UNIVERSITY HAVE? (assets, resources, funding)
• WHAT DOES THE UNIVERSITY NEED? (Academic, Research, Staff/Administration)
• ARE OBJECTIVES BEING MET?
WHERE DOES THE UNIVERSITY WANT TO GO?
AUDIT ENLIGHTENMENT
• Strategic Plans (University, IT, IS, Departmental)
– Are they aligned?
– Do they include IT components?
– IT Requirements communicated to IT and Funded
– Existing IT Operations to support needs?
• No Plans?
– Management Interviews
– Exec Committee Minutes
– Web‐Sites
– Mission / Goal Statements
WHAT DOES THE UNIVERSITY HAVE?
Need To Know
• Hardware
• Software
• Outsourced
• Central IT Resources / Staffing
• IT Professionals Outside Central IT
• Current Known Risks
• IT Funding & Expenditures
Audit
• IT Asset Management
• IT Approval of IT Outsourced Services
• IT Staffing Skill Set & Training
• IT / IS Risk Assessments
• IT Funding
• Metrics
WHAT DOES THE UNIVERSITY NEED?
CIO
• Gap Analysis (Want vs Have)
– ID Technology Needed
• Current Infrastructure / Staff Support?
• Can be used to meet multiple objectives
– ID Funding Sources
– Prioritization
– Metrics
Audit
• Compare Budget to Need
– Support infrastructure
– Support new initiatives
• Clear understanding of who pays for what and where the $ are coming from.
ARE OBJECTIVES BEING MET?
Objectives
• Maximize the value of IT investments while reducing risk
• Keep IT investments on track with the university goals
Audit
• IT Performance Metrics
– Accountability divided between units and central IT
– What is measured (Dashboards)
– What is reported
– Measurement Integrity
– Use of measurements in governance and management
• Interviews (didn’t I do this in the beginning?)
MYTH or REALITY
Any IT Auditor can audit IT Governance?
REAL WORLD GOVERNANCE
RIGHT INDIVIDUALS HAVE THE RIGHT INFORMATION TO MAKE THE RIGHT DECISIONS AT THE RIGHT TIME.
LOGICAL SECURITY
• Identification & Authorization
– objective is to determine that the system employs methods to identify, validate and track individuals accessing or using the system that ensure individual accountability.
• Access Management
– objective is to determine that the appropriate processes and security measures are in place to ensure that access to information is only granted to authorized/known individuals for performing official UTSA tasks or services.
• Security Administration
– objective is to determine that the area has established effective security techniques to segregate security, administrator and application functionality, the enforcement of strong access management processes, and the ability to monitor access to help determine that the system has the ability to function unimpaired, free from deliberate or inadvertent unauthorized manipulation.
CONCEPTS & TERMINOLOGY
• Accounts / UserIDs / IDs = Unique symbol or character string used by an information system to identify a specific user.
• Objects/Forms/Databases/Fields = Items to be secured
• Groups / Roles / Profiles / Class = Way to group IDs and permissions. They let you assign the same security permissions to large numbers of users in one operation
• Administrative Account / Root / Super User = A user account with full privileges on a computer
INFORMATION SECURITY LAYERS
• Network
• Host/Platform/ (OS)
• Applications
• Data (Databases)
KEY PRINCIPLE
“IS” = MOTHER OF ALL “IT” CONTROLS
AUDITING ACTIVE DIRECTORY
ALI SUBHANI, CIA, CISA, GSNA
MARCH 2017
ACUA MID-YEAR DELIVERY
WHAT IS ACTIVE DIRECTORY?
CENTRALLY MANAGED DATABASE with information about AD objects such as: servers, workstations, users, printers
authentication, authorization
DIRECTORY EXAMPLES
COMPUTER: OPERATING SYSTEM VERSION, SERVICE PACK LEVEL, LAST TIME THE COMPUTER LOGGED IN TO DOMAIN
USER ACCOUNT: LAST NAME, FIRST NAME, LAST LOGIN TIME, GROUP MEMBERSHIP(S), PHONE NUMBER
AD FUNCTIONALITY
Access Control
Security Policy application
Auditing
Data Protection
AD BASICS: OBJECTS
A SINGLE 'ENTITY' AND ITS ATTRIBUTES
EXAMPLE: SERVERS, USER ACCOUNTS, PRINTERS, SHARED DIRECTORIES ETC
AD BASICS: DOMAIN
BASIC UNIT OF ORGANIZATION AND SECURITY
AD BASICS: ORGANIZATIONAL UNIT
'CONTAINER' WITHIN A DOMAIN WHICH CAN HOLD USERS, GROUPS AND COMPUTERS.
BENEFITS: BETTER ORGANIZATION
ASSIGN GROUP POLICY SETTINGS OR ACCOUNT PERMISSIONS
DELEGATION OF ADMINISTRATIVE RESPONSIBILITIES CAN BE RESTRICTED TO PARTICULAR OU'S
AD BASICS: TREE
MULTIPLE DOMAINS: PARENT DOMAIN, CHILD DOMAINS
AD BASICS: TREE
CONTIGUOUS NAMESPACE
UTSYSTEM.EDU
UTDALLAS.UTSYSTEM.EDU
UTSA.UTSYSTEM.EDU
AD BASICS: TRUSTS
ALLOW FOR SHARING OF NETWORK RESOURCES ACROSS DOMAINS
AD BASICS: TRUST TYPES
ONE-WAY TRUST: DOMAIN B TRUSTS DOMAIN A
AD BASICS: TRUST TYPES
TWO-WAY TRUST: BOTH DOMAINS TRUST EACH OTHER
ACTIVITY
Organization of objects in the following manner is an example of which concept in AD:
A. TRUSTS
B. ORGANIZATIONAL UNITS (OU'S)
C. NONE OF THE ABOVE
ACTIVITY
The domain that is created first is known as the:
A. PRIMARY DOMAIN
B. PARENT DOMAIN
C. SUPER MOM DOMAIN
AD BASICS: DOMAIN CONTROLLER
MOST CRITICAL AD HARDWARE
ALLOWS HOSTS TO ACCESS DOMAIN RESOURCES
STORES USER ACCOUNTS
ENFORCES SECURITY REQUIREMENTS
IMAGE SOURCE: http://www.mcmcse.com/
AD BASICS: GROUP POLICY
allows for security settings to be applied to resources in AD
IMAGE SOURCE: https://technet.microsoft.com/en-us/library/gg416505.aspx
AD BASICS: GROUP POLICY
default policy applied to domain
delegation to limit management of GPO to particular OU
AD BASICS: GROUP POLICY INHERITANCE
GPO's can be applied to multiple sets of machines, OU's
order is domain, OU, and child OUs.
Group Policy applies GPOs from the top down, overwriting settings along the way.
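To make the inheritance order concrete, here is an added Python example (not code from the presentation or from Microsoft). It walks a constructed domain, OU and child-OU path, applies each GPO's settings top-down with later settings overwriting earlier ones, honours a "block inheritance" flag on a container, and reports which domain baseline settings an object in the blocked OU therefore never receives, which is exactly the gap the later "GPO inheritance block" audit step looks for. Container names, GPO names and setting names are all made up; enforced (no-override) links are deliberately left out of the model.

```python
"""GPO inheritance walk for one AD object. Added example, not code from the
presentation; container, GPO and setting names are constructed. The order
modelled is the one the slide gives (domain, then OU, then child OUs, applied
top-down with later settings overwriting earlier ones); 'block inheritance'
on a container discards everything inherited from above it. Enforced GPO
links, which in real AD override a block, are left out of this model.
"""
from dataclasses import dataclass, field


@dataclass
class Container:
    name: str                                   # domain or OU, e.g. "OU=Workstations"
    gpos: list = field(default_factory=list)    # [(gpo_name, {setting: value})], in apply order
    block_inheritance: bool = False


def effective_settings(path):
    """Resolve the settings an object at the end of `path` ends up with.

    `path` runs from the domain down to the container holding the object.
    Returns (settings, provenance); provenance maps each setting to the
    container/GPO that last wrote it, which is what an auditor needs when a
    setting is not the one the domain baseline intended.
    """
    settings, provenance = {}, {}
    for container in path:
        if container.block_inheritance:
            settings, provenance = {}, {}       # inherited settings are dropped here
        for gpo_name, values in container.gpos:
            for key, value in values.items():
                settings[key] = value
                provenance[key] = f"{container.name}/{gpo_name}"
    return settings, provenance


def missing_baseline(path, required):
    """Names of required settings that do not survive to the end of `path`."""
    settings, _ = effective_settings(path)
    return sorted(k for k, v in required.items() if settings.get(k) != v)


# Constructed hierarchy: a domain baseline, a workstation OU, and a lab child
# OU whose administrator blocked inheritance and relaxed the password length.
DOMAIN = Container("utsa.example", [
    ("Default Domain Policy",
     {"MinPasswordLength": 14, "AuditLogonEvents": "Success,Failure"}),
])
WORKSTATIONS = Container("OU=Workstations", [
    ("Workstation Baseline", {"ScreenSaverTimeout": 900}),
])
LAB = Container("OU=Lab,OU=Workstations", [
    ("Lab Relaxed", {"MinPasswordLength": 8}),
], block_inheritance=True)

BASELINE = {"MinPasswordLength": 14, "AuditLogonEvents": "Success,Failure"}

if __name__ == "__main__":
    for path in ([DOMAIN, WORKSTATIONS], [DOMAIN, WORKSTATIONS, LAB]):
        settings, prov = effective_settings(path)
        print(path[-1].name)
        for key in sorted(settings):
            print(f"  {key} = {settings[key]!r}  (from {prov[key]})")
        print("  missing baseline:", missing_baseline(path, BASELINE))
```

Run as written, the workstation OU inherits the full baseline plus its own screensaver setting, while the lab OU ends up with only the relaxed 8-character password length and no logon auditing at all; the provenance map shows which GPO is responsible for each surviving value.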
AUDIT STEPS TO CONSIDER
AUDIT STEPS: SURVEYING THE LAND
Obtain listing of servers and workstations.
Review the operating system, version and service packs in use.
Determine the location where domain controllers are being maintained.
If DC's exist in locations with poor physical controls, evaluate use of read-only DC's.
Evaluate whether the number of DC's is in line with your institution's risk appetite.
AUDIT STEPS: PROTECTING THE CROWN JEWEL(S) - (DC'S)
Determine if domain controllers are physically installed in dedicated secure racks or cages that are separate from the general server population.
Evaluate whether volumes in the domain controller servers are protected via BitLocker Drive Encryption.
Determine the process for 'locking down' DC upon initial build.
AUDIT STEPS: PROTECTING THE CROWN JEWEL(S) - (DC'S)
Determine use of application whitelisting tool to configure services and applications that are permitted to run on domain controllers (DC's).
Allow RDP connections only from authorized users and systems.
Restrict internet browser usage on DC's. No browsers must be installed.
AUDIT STEPS: PROTECTING THE CROWN JEWEL(S) - (DC'S)
Best practices details at: https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/securing-domain-controllers-against-attack
AUDIT STEPS: USERS, PRIVILEGES, AND GPO
Evaluate the users that are currently active and ensure individuals are currently affiliated with the institution.
Evaluate group membership of the following groups at a minimum: Enterprise Admins, Domain Admins, Administrators, Schema Admins, Account Operators, Allowed RODC Password Replication Group
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/plan/security-best-practices/appendix-b--privileged-accounts-and-groups-in-active-directory
AUDIT STEPS: USERS, PRIVILEGES, AND GPO
Interview technical staff to determine file shares where confidential data is retained.
Validate that 'everyone' group and 'authenticated users' group do not have privileges to shares with confidential data.
AUDIT STEPS: USERS, PRIVILEGES, AND GPO
Gain an understanding of GPO's that are being enforced. Analyze that the appropriate controls are being enforced.
Pay attention to GPO inheritance block.
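The two membership-and-share checks from these audit steps, written out as an added Python example (not code from the presentation). It takes constructed extracts of the kind an auditor would request (privileged group members, user accounts with an HR employee id, and share permissions) and returns every privileged-group member who is disabled, unmapped to a person or no longer on the HR roster, plus every grant to Everyone or Authenticated Users on a share that staff identified as holding confidential data. All account names, employee ids and share paths are made up.

```python
"""Two checks from the 'Users, Privileges, and GPO' audit steps, run over
constructed extracts. Added example, not from the presentation. Real inputs
would be exports of group membership, user accounts and share permissions;
every account, employee id and share path here is made up.
"""
PRIVILEGED_GROUPS = [
    "Enterprise Admins", "Domain Admins", "Administrators", "Schema Admins",
    "Account Operators", "Allowed RODC Password Replication Group",
]
# Principals that must not appear on shares holding confidential data.
BROAD_PRINCIPALS = {"everyone", "authenticated users"}


def review_privileged_groups(group_members, ad_users, hr_active):
    """group_members: {group: [account]}; ad_users: {account: {"enabled": bool,
    "employee_id": str or None}}; hr_active: set of employee ids still
    affiliated. Returns (group, account, reason) for each member to question."""
    findings = []
    for group in PRIVILEGED_GROUPS:
        for account in group_members.get(group, []):
            user = ad_users.get(account)
            if user is None:
                findings.append((group, account, "member not found in user export"))
            elif not user["enabled"]:
                findings.append((group, account, "disabled account still a member"))
            elif user["employee_id"] is None:
                findings.append((group, account, "no employee id (service or shared account?)"))
            elif user["employee_id"] not in hr_active:
                findings.append((group, account, "no longer affiliated per HR"))
    return findings


def review_share_acls(shares, confidential_shares):
    """shares: {path: [(principal, right)]}; confidential_shares: paths named
    by staff in interviews. Returns (path, principal, right) for every broad
    principal granted anything on a confidential share."""
    return [
        (path, principal, right)
        for path in sorted(confidential_shares)
        for principal, right in shares.get(path, [])
        if principal.lower().split("\\")[-1] in BROAD_PRINCIPALS   # drop "NT AUTHORITY\" etc.
    ]


# Constructed extracts
GROUP_MEMBERS = {
    "Domain Admins": ["adm-carol", "svc-backup", "adm-former"],
    "Schema Admins": ["adm-carol"],
    "Account Operators": ["helpdesk1"],
}
AD_USERS = {
    "adm-carol": {"enabled": True, "employee_id": "E100"},
    "svc-backup": {"enabled": True, "employee_id": None},
    "adm-former": {"enabled": False, "employee_id": "E200"},
    "helpdesk1": {"enabled": True, "employee_id": "E300"},
}
HR_ACTIVE = {"E100"}            # E300 has left; E200 is disabled but still a member

SHARES = {
    r"\\files\registrar": [("BUILTIN\\Administrators", "Full"),
                           ("UTSA\\Registrar-Staff", "Change"),
                           ("Everyone", "Read")],
    r"\\files\hr": [("NT AUTHORITY\\Authenticated Users", "Change")],
    r"\\files\public": [("Authenticated Users", "Read")],   # not confidential
}
CONFIDENTIAL = {r"\\files\registrar", r"\\files\hr"}

if __name__ == "__main__":
    for finding in review_privileged_groups(GROUP_MEMBERS, AD_USERS, HR_ACTIVE):
        print("GROUP", *finding)
    for finding in review_share_acls(SHARES, CONFIDENTIAL):
        print("SHARE", *finding)
```

The share check deliberately ignores the public share even though Authenticated Users can read it: the audit step only concerns shares staff have identified as holding confidential data, so the confidential list from the interviews drives the scope.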
AUDIT STEPS: LOGGING
Ensure high risk activities are being logged; inquire about the following at a minimum:
User Account Changes
Password Resets by Administrator
Security Group Membership Changes
Logons by a Single User from Multiple Endpoints
Group Policy Changes
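As an added Python example (not from the presentation), the following sorts a constructed sample of Windows Security log events into the five categories on this slide and implements the one that needs more than an event-id lookup, a single user logging on from several endpoints within a short window. The event ids are the standard ones (4720/4738 user account created/changed, 4724 password reset by another account, 4728/4732/4756 member added to a security-enabled group, 4624 successful logon, 5136 directory object modified); the event records themselves are made-up dicts, not a real export, and the 10-minute window and three-endpoint threshold are assumptions an auditor would tune.

```python
"""Checks over a constructed sample of Windows Security log events for the
high-risk activities the slide lists. Added example, not from the
presentation. The event records are made-up dicts; in practice they would come
from a SIEM export. Event IDs used: 4720/4738 user account created/changed,
4724 password reset attempted by another account, 4728/4732/4756 member added
to a security-enabled group, 4624 successful logon, 5136 directory object
modified (used here for Group Policy container edits).
"""
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT_CHANGE_IDS = {4720, 4738}
ADMIN_RESET_IDS = {4724}
GROUP_CHANGE_IDS = {4728, 4732, 4756}
LOGON_ID = 4624
DIRECTORY_CHANGE_ID = 5136


def categorize(events):
    """Bucket events under the slide's categories: {category: [event, ...]}."""
    out = defaultdict(list)
    for e in events:
        eid = e["EventID"]
        if eid in ACCOUNT_CHANGE_IDS:
            out["user_account_changes"].append(e)
        elif eid in ADMIN_RESET_IDS:
            out["password_resets_by_admin"].append(e)
        elif eid in GROUP_CHANGE_IDS:
            out["group_membership_changes"].append(e)
        elif eid == DIRECTORY_CHANGE_ID and e.get("ObjectClass") == "groupPolicyContainer":
            out["group_policy_changes"].append(e)
    return dict(out)


def multi_endpoint_logons(events, window=timedelta(minutes=10), min_endpoints=3):
    """Users with successful logons from at least `min_endpoints` distinct
    source addresses inside any sliding `window`. Returns {user: sorted ips}."""
    by_user = defaultdict(list)
    for e in events:
        if e["EventID"] == LOGON_ID:
            by_user[e["TargetUserName"]].append((e["Time"], e["IpAddress"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            in_window = {ip for t, ip in logons[i:] if t - start <= window}
            if len(in_window) >= min_endpoints:
                flagged[user] = sorted(in_window)
                break
    return flagged


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events (field names follow the Security log's XML names)
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": ts("2017-03-06T08:00:00"), "SubjectUserName": "adm-carol",
     "TargetUserName": "svc-backup"},
    {"EventID": 4724, "Time": ts("2017-03-06T08:05:00"), "SubjectUserName": "adm-carol",
     "TargetUserName": "jdoe"},
    {"EventID": 4728, "Time": ts("2017-03-06T08:06:00"), "SubjectUserName": "adm-carol",
     "TargetUserName": "Domain Admins", "MemberName": "svc-backup"},
    {"EventID": 5136, "Time": ts("2017-03-06T08:07:00"), "SubjectUserName": "adm-ali",
     "ObjectClass": "groupPolicyContainer", "ObjectDN": "CN={GPO-GUID-PLACEHOLDER},CN=Policies"},
    {"EventID": 5136, "Time": ts("2017-03-06T08:08:00"), "SubjectUserName": "adm-ali",
     "ObjectClass": "user", "ObjectDN": "CN=jdoe,OU=Staff"},
    {"EventID": 4624, "Time": ts("2017-03-06T09:00:00"), "TargetUserName": "jdoe", "IpAddress": "10.1.1.10"},
    {"EventID": 4624, "Time": ts("2017-03-06T09:02:00"), "TargetUserName": "jdoe", "IpAddress": "10.1.1.11"},
    {"EventID": 4624, "Time": ts("2017-03-06T09:04:00"), "TargetUserName": "jdoe", "IpAddress": "10.1.1.12"},
    {"EventID": 4624, "Time": ts("2017-03-06T09:00:00"), "TargetUserName": "ali", "IpAddress": "10.1.2.5"},
    {"EventID": 4624, "Time": ts("2017-03-06T13:00:00"), "TargetUserName": "ali", "IpAddress": "10.1.2.6"},
]

if __name__ == "__main__":
    for category, items in categorize(SAMPLE_EVENTS).items():
        print(category, len(items))
    print("multi-endpoint logons:", multi_endpoint_logons(SAMPLE_EVENTS))
```

The point of the sample is what does not fire: the 5136 edit of a user object is not a Group Policy change, and "ali" logging on from two addresses four hours apart is ordinary roaming, not the pattern the slide is after. If the categories come back empty on a real export, the question for the domain administrators is whether the corresponding audit subcategories are enabled at all.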
UNIX/LINUX?
/etc/passwd File
cat /etc/passwd
1. Username
2. Password: An “x” (or “*”) character indicates that the encrypted password is stored in the /etc/shadow file. On Linux, “*” disables direct logins to an account.
3. User ID (UID): internal numerical user id.
4. Group ID (GID): The primary group ID (stored in /etc/group file)
5. User ID Info: The comment field.
6. Home directory: path where user will be in when they log in.
7. Command/shell path
/etc/shadow File
cat /etc/shadow
1. User name: It is your login name
2. Password: It is your encrypted password. The password should be minimum 6‐8 characters long including special characters/digits
3. Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
4. Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
5. Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
6. Warn: The number of days before password is to expire that user is warned that his/her password must be changed
7. Inactive: The number of days after password expires that account is disabled
8. Expire: days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used
/etc/group File
cat /etc/group
1. Groupname
2. Password (x means stored in shadow file, * means there is no password)
3. GID (numerical group ID)
4. Membership (comma separated list of users in the group)
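As an added example (not code from the presentation), the following Python reads constructed /etc/passwd, /etc/shadow and /etc/group extracts using the field layouts described on these three slides and applies the first checks an auditor would run over them: empty password fields, UID 0 accounts other than root, accounts that can log in but have no maximum password age, passwords past their maximum, accounts past their expiry date, and membership of administrative groups. The file contents, account names and the choice of wheel and sudo as the administrative groups are assumptions for the example; the date arithmetic uses the "days since Jan 1, 1970" convention the shadow slide describes.

```python
"""Parse extracts of /etc/passwd, /etc/shadow and /etc/group and run the first
checks an auditor makes against them. Added example, not from the
presentation; the three file contents are constructed. Shadow date fields are
days since 1970-01-01 as the slides describe; an empty field means 'not set'.
"""
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)


def _days(field):
    """Shadow numeric field -> int, or None when empty/-1 (not set)."""
    return None if field in ("", "-1") else int(field)


def parse_passwd(text):
    """{username: {password, uid, gid, gecos, home, shell}} (7 colon fields)."""
    rows = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        rows[name] = {"password": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell}
    return rows


def parse_shadow(text):
    """{username: {password, last_change, min, max, warn, inactive, expire}}."""
    rows = {}
    for line in text.splitlines():
        if not line:
            continue
        f = (line.split(":") + [""] * 9)[:8]      # pad short lines; drop reserved 9th field
        rows[f[0]] = {"password": f[1], "last_change": _days(f[2]),
                      "min": _days(f[3]), "max": _days(f[4]), "warn": _days(f[5]),
                      "inactive": _days(f[6]), "expire": _days(f[7])}
    return rows


def parse_group(text):
    """{groupname: {password, gid, members}}."""
    rows = {}
    for line in text.splitlines():
        if not line:
            continue
        name, pw, gid, members = line.split(":", 3)
        rows[name] = {"password": pw, "gid": int(gid),
                      "members": [m for m in members.split(",") if m]}
    return rows


def audit(passwd, shadow, group, today, admin_groups=("wheel", "sudo")):
    """Return (account, finding) pairs in file order."""
    findings = []
    today_days = (today - EPOCH).days
    for name, p in passwd.items():
        if p["password"] == "":
            findings.append((name, "empty password field in /etc/passwd"))
        if p["uid"] == 0 and name != "root":
            findings.append((name, "UID 0 account other than root"))
        s = shadow.get(name)
        if s is None:
            continue
        if s["password"] == "":
            findings.append((name, "empty password in /etc/shadow"))
        can_login = not s["password"].startswith(("!", "*"))   # '!'/'*' = no password login
        if can_login and s["max"] is None:
            findings.append((name, "no maximum password age"))
        elif can_login and s["last_change"] is not None:
            age = today_days - s["last_change"]
            if age > s["max"]:
                findings.append((name, f"password {age} days old, max is {s['max']}"))
        if s["expire"] is not None and EPOCH + timedelta(days=s["expire"]) < today:
            findings.append((name, "account expired but still present"))
    for g in admin_groups:
        for member in group.get(g, {}).get("members", []):
            findings.append((member, f"member of administrative group {g}"))
    return findings


# Constructed file contents (hashes shortened); 'today' is the course date
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
chip:x:1001:1001:Chip Auditor:/home/chip:/bin/bash
pest:x:1002:1002:Pest Tester:/home/pest:/bin/bash
backup2:x:0:0:old backup acct:/home/backup2:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
chip:$6$salt$hash:17200:1:90:7:::
pest:$6$salt$hash:16800:0:90:7::16900:
backup2::17000:0::7:::
"""
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:chip,backup2
sudo:x:27:chip
"""
TODAY = date(2017, 3, 6)

if __name__ == "__main__":
    for account, finding in audit(parse_passwd(SAMPLE_PASSWD), parse_shadow(SAMPLE_SHADOW),
                                  parse_group(SAMPLE_GROUP), TODAY):
        print(f"{account:10} {finding}")
```

The shadow parser pads short lines because some systems omit trailing fields; the "*" and "!" prefixes are treated as locked so that system accounts like daemon do not generate password-age noise, which leaves the second UID 0 account and the expired account as the items to take to the system administrator.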
FILE / DIRECTORY PERMISSIONS
ls -l <directory>
drwxr‐xr‐x 8 chip xyzrrr 102 Oct 6 2006 evidence
(fields) 1 2 3 4 5 6 7 8
1. dash ("‐") = file, "d" = directory, “l” = link
2. Permissions
a. 1‐3 = owner's permissions.
b. 4‐6 = group permissions.
c. 7‐9 = world/anyone permissions
3. Indicates the levels of directories.
4. Indicates the owner (Username) of the file.
5. Indicates the group (Groupname) to which this file belongs.
6. Indicates the file's size. Will change, depending upon the size of the file.
7. Indicates the date and time the file was modified. Will change when file modified.
8. Indicates the name of your actual file.
More On Permissions
The three actions you can perform on a file/directory:
– read (view the file)
– write (create, edit or delete)
– execute (run a script/program or enter a directory)
Yes, here is an example
drwxr‐xr‐x 3 chip blue 102 Oct 6 2006 evidence
• This is a directory; the owner (chip) can read, write and execute the file; folks in the “blue” group can read and execute the file (not write to it); and everyone else on the system can read and execute the file (not write to it)
‐rw‐r‐‐r‐‐ 1 pest green 50417 Sep 15 2006 fink_Read Me.pdf
• This is a regular file; the owner (pest) can read and write (not execute) the file; folks in the “green” group can only read the file; and everyone else on the system can only read the file.
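Added Python example (not from the presentation) that parses `ls -l` output into the eight fields numbered on the earlier slide, produces the same plain-English sentence the two examples above give, and then lists what a least-access reviewer would question about each entry (group- or world-writable, setuid, setgid). The first two listing lines are the slide's own examples; the other two are constructed.

```python
"""Decode `ls -l` lines into the eight numbered fields from the slide and spell
out who can do what, the way the worked example does. Added example, not from
the presentation; the listing lines below are constructed (two mirror the
slide's examples).
"""
import re

LS_LINE = re.compile(
    r"^(?P<type>[-dl])(?P<perms>[rwxsStT-]{9})\s+(?P<links>\d+)\s+(?P<owner>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<size>\d+)\s+(?P<date>\S+\s+\d+\s+\S+)\s+(?P<name>.+)$"
)
TYPES = {"-": "regular file", "d": "directory", "l": "link"}


def parse_ls_line(line):
    """Split one `ls -l` entry into the slide's fields plus the three
    permission triplets. File names containing spaces are kept whole."""
    m = LS_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {line!r}")
    d = m.groupdict()
    perms = d.pop("perms")
    d["type"] = TYPES[d["type"]]
    d["owner_perms"], d["group_perms"], d["other_perms"] = perms[:3], perms[3:6], perms[6:]
    d["links"], d["size"] = int(d["links"]), int(d["size"])
    d["setuid"] = perms[2] in "sS"
    d["setgid"] = perms[5] in "sS"
    return d


def describe(triplet):
    """'rwx' -> 'read, write, execute'; '---' -> 'no access'."""
    actions = []
    if triplet[0] == "r":
        actions.append("read")
    if triplet[1] == "w":
        actions.append("write")
    if triplet[2] in "xst":          # x, or setuid/setgid/sticky with x set
        actions.append("execute")
    return ", ".join(actions) or "no access"


def explain(line):
    """Plain-English sentence in the style of the slide's worked example."""
    d = parse_ls_line(line)
    return (f"{d['name']}: {d['type']}; owner ({d['owner']}) can "
            f"{describe(d['owner_perms'])}; group ({d['group']}) can "
            f"{describe(d['group_perms'])}; everyone else can {describe(d['other_perms'])}")


def findings(line):
    """Points a least-access reviewer would question about one entry."""
    d = parse_ls_line(line)
    out = []
    if "w" in d["group_perms"]:
        out.append("group-writable")
    if "w" in d["other_perms"]:
        out.append("world-writable")
    if d["setuid"]:
        out.append("setuid")
    if d["setgid"]:
        out.append("setgid")
    return out


# Constructed listing: the slide's two examples plus two entries worth asking about
SAMPLE_LISTING = [
    "drwxr-xr-x 3 chip blue 102 Oct 6 2006 evidence",
    "-rw-r--r-- 1 pest green 50417 Sep 15 2006 fink_Read Me.pdf",
    "-rw-rw-rw- 1 raul Web 30208 Sep 19 2007 installmw.xex",
    "-rwsr-xr-x 1 root root 40000 Jan 10 2017 helper",
]

if __name__ == "__main__":
    for entry in SAMPLE_LISTING:
        print(explain(entry))
        print("   ->", findings(entry) or ["nothing flagged"])
```

The regular expression anchors on the ten-character mode string and the numeric link count and size, so a file name with spaces (as in the slide's PDF example) still lands in the name field intact.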
KEY PRINCIPLE
Rule of Least Access Should Always Be Applied
Exercise File/Directory Permissions
1. drwxr‐xr‐x 3 finger system 102 Oct 6 2006 evidence
2. ‐rw‐r‐‐r‐‐ 1 joy holiday 50417 Sep 15 2006 fink_Read Me.pdf
3. ‐rw‐r‐‐r‐‐ 1 boss green 0 Dec 22 2007 first.dd
4. ‐rw‐r‐‐r‐‐ 1 fred orange 58 Sep 15 2006 hello.c
5. ‐rw‐r‐‐r‐‐ 1 sarah Infra 3690 Jul 5 2007 Installed
6. ‐rw‐‐‐‐‐‐‐ 1 raul Web 30208 Sep 19 2007 installmw.xex
7. ‐rw‐r‐‐r‐‐ 1 laura AF 222918 Sep 16 2006 list
8. ‐rw‐r‐‐r‐‐ 1 printer Infra 3642 Aug 31 16:18 outdated
9. ‐rw‐r‐‐r‐‐ 1 root chip 499 May 22 2007 ports
10. drwxr‐xr‐x 4 root dev 136 Dec 14 2006 programs
A. Who has access to what?
B. Based on access what do you think is in the directory or type of file it is?
C. Any questions you would ask about the access?
What to Review
• Operating system files
• Database System files
• Any application files
• Anything else that “the business” indicates are critical
• “root” access – do not forget to ask about (sudo, su) there are logs
ORACLE
• Detailed Audit Program will be provided
– Audit Test Objective
– Background
– Risk
– Test (sometimes multiple options)
– Potential Recommendation
ORACLE
Top Authentication Items to Look at in 1st Review
• Default Passwords on delivered accounts
– View DBA_USERS_WITH_DEFPWD
• Individual Accountability
– Table SYS.DBA_USERS
• Profile Settings
– Password & Resource Parameters
– Table SYS.DBA_PROFILES
ORACLE
Top Access Items to Look at in 1st Review
• Privileged User IDs
– V$pwfile_users
• User Privileges
– DBA_ROLE_PRIVS ‐ describes the roles granted to all users and roles in the database
– DBA_SYS_PRIVS ‐ describes system privileges granted to users and roles. This view does not display the USERNAME column
– DBA_COL_PRIVS ‐ describes all column object grants in the database.
– DBA_TAB_PRIVS ‐ describes all object grants in the database.
– USER_TAB_PRIVS ‐ describes the object grants for which the current user is the object owner, grantor, or grantee. Its columns are the same as those in DBA_TAB_PRIVS
– ALL_TAB_PRIVS ‐ describes objects for which the current user is the object owner, grantor or grantee AND object grants for which an enabled role or PUBLIC is the grantee
• Public Role
– Request the DB Public Table Grant Report from DBA
• Oracle Special Users (SYS, SYSTEM)
– Who knows the password?
• DBA Role
• Data Access by 3rd Party Software (backend)
ORACLE
Top Config & Ops Items to Look at in 1st Review
• Segregated Environments
– Separate prod, test & development environments
• Trusts/DBLinks
– SYS.DBA_DB_LINKS
• Initialization Parameters
– init<sid>.ora
KEY PRINCIPLE
IF YOU DON’T NEED IT,
DON’T KEEP IT,
YOU MAY LOSE IT
BANNER ACCESS
• Application Security Tables
– GURUCLS
– GURUOBJ
– GURUTAB
– GOBEACC
• Oracle Table
– SYS.DBA_USERS
GURUCLS
• Provides Classes and the assigned Users
• Fields
– GURUCLS_USERID: end user
– GURUCLS_CLASS_CODE: Banner Class
– GURUCLS_ACTIVITY_DATE: last date record was changed
– GURUCLS_USER_ID: who made the change
GURUOBJ
• Provides Classes and the assigned Objects
• Fields
– GURUOBJ_OBJECT: Banner form, table, report, etc.
– GURUOBJ_ROLE: Privileges assigned
– GURUOBJ_USERID: end user or Class
– GURUOBJ_ACTIVITY_DATE: last date record was changed
– GURUOBJ_USER_ID: who made the change
GOBEACC
• Matches Users to Oracle IDs
• Fields
– GOBEACC_PIDM: end user unique identifier
– GOBEACC_USERNAME: Oracle ID used to access Banner
AND
• SYS.DBA_USERS
– Use to see account status in Oracle (i.e. is it locked)
• JOIN to SPRIDEN to identify name of User
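To show the join these Banner slides describe, here is an added Python example (not code from the presentation or from Ellucian). It loads constructed GURUCLS, GURUOBJ, GOBEACC, SPRIDEN and DBA_USERS extracts into an in-memory SQLite database and resolves who can reach the three high-risk Banner Student objects named on the next slide, either directly or through a class, with the person's name from SPRIDEN and the Oracle account status from DBA_USERS; it also serves the earlier Oracle slides that point at SYS.DBA_USERS for account status. The column names from the slides are used as given; SPRIDEN_PIDM, SPRIDEN_LAST_NAME, SPRIDEN_FIRST_NAME, SPRIDEN_CHANGE_IND, the DBA_USERS USERNAME and ACCOUNT_STATUS columns, the class codes and the BAN_DEFAULT_* role names are assumptions for the example, and SQLite stands in for Oracle so the query runs offline.

```python
"""Banner access review joining the sources the slides name. Added example,
not from the presentation or Ellucian: the tables are rebuilt in an in-memory
SQLite database from constructed extracts so the joins can run offline.
Column names on the slides (GURUCLS_*, GURUOBJ_*, GOBEACC_PIDM,
GOBEACC_USERNAME) are used as given; SPRIDEN_PIDM, SPRIDEN_LAST_NAME,
SPRIDEN_FIRST_NAME, SPRIDEN_CHANGE_IND, DBA_USERS USERNAME/ACCOUNT_STATUS,
the class codes and the BAN_DEFAULT_* roles are assumptions for the example.
"""
import sqlite3

HIGH_RISK_OBJECTS = ("SPAPERS", "SPAIDEN", "SHAINST")   # from the slide

SCHEMA = """
CREATE TABLE GURUCLS (GURUCLS_USERID TEXT, GURUCLS_CLASS_CODE TEXT,
                      GURUCLS_ACTIVITY_DATE TEXT, GURUCLS_USER_ID TEXT);
CREATE TABLE GURUOBJ (GURUOBJ_OBJECT TEXT, GURUOBJ_ROLE TEXT, GURUOBJ_USERID TEXT,
                      GURUOBJ_ACTIVITY_DATE TEXT, GURUOBJ_USER_ID TEXT);
CREATE TABLE GOBEACC (GOBEACC_PIDM INTEGER, GOBEACC_USERNAME TEXT);
CREATE TABLE SPRIDEN (SPRIDEN_PIDM INTEGER, SPRIDEN_LAST_NAME TEXT,
                      SPRIDEN_FIRST_NAME TEXT, SPRIDEN_CHANGE_IND TEXT);
CREATE TABLE DBA_USERS (USERNAME TEXT, ACCOUNT_STATUS TEXT);
"""

# Constructed extracts
SAMPLE_ROWS = {
    "GURUCLS": [("JDOE", "REG_GRADES_C", "2016-09-01", "BANSECR"),
                ("OLDUSER", "REG_GRADES_C", "2014-02-11", "BANSECR"),
                ("RSMITH", "ADV_VIEW_C", "2016-10-20", "BANSECR")],
    "GURUOBJ": [("SHAINST", "BAN_DEFAULT_M", "REG_GRADES_C", "2015-01-05", "BANSECR"),
                ("SPAIDEN", "BAN_DEFAULT_Q", "ADV_VIEW_C", "2015-01-05", "BANSECR"),
                ("SPAPERS", "BAN_DEFAULT_M", "CONTRACTOR1", "2016-12-01", "BANSECR")],
    "GOBEACC": [(1001, "JDOE"), (1002, "RSMITH"), (1003, "OLDUSER")],
    "SPRIDEN": [(1001, "Doe", "Jane", None),
                (1002, "Smyth", "Ray", "C"),        # superseded name record
                (1002, "Smith", "Ray", None),       # current record
                (1003, "Former", "Employee", None)],
    "DBA_USERS": [("JDOE", "OPEN"), ("RSMITH", "OPEN"),
                  ("OLDUSER", "LOCKED"), ("CONTRACTOR1", "OPEN")],
}

# An object grant reaches a user either directly (GURUOBJ_USERID is a user)
# or through a class (GURUOBJ_USERID is a class code that appears in GURUCLS).
ACCESS_SQL = """
WITH grants AS (
    SELECT GURUOBJ_OBJECT AS obj, GURUOBJ_ROLE AS role,
           GURUOBJ_USERID AS oracle_id, 'direct' AS via
    FROM GURUOBJ
    WHERE GURUOBJ_USERID NOT IN (SELECT GURUCLS_CLASS_CODE FROM GURUCLS)
    UNION ALL
    SELECT o.GURUOBJ_OBJECT, o.GURUOBJ_ROLE, c.GURUCLS_USERID,
           'class ' || c.GURUCLS_CLASS_CODE
    FROM GURUOBJ o JOIN GURUCLS c ON c.GURUCLS_CLASS_CODE = o.GURUOBJ_USERID
)
SELECT g.oracle_id,
       s.SPRIDEN_LAST_NAME || ', ' || s.SPRIDEN_FIRST_NAME AS person,
       g.obj, g.role, u.ACCOUNT_STATUS, g.via
FROM grants g
LEFT JOIN GOBEACC a ON a.GOBEACC_USERNAME = g.oracle_id
LEFT JOIN SPRIDEN s ON s.SPRIDEN_PIDM = a.GOBEACC_PIDM
                   AND s.SPRIDEN_CHANGE_IND IS NULL
LEFT JOIN DBA_USERS u ON u.USERNAME = g.oracle_id
WHERE g.obj IN ({placeholders})
ORDER BY g.obj, g.oracle_id
"""


def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        marks = ", ".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


def high_risk_access(conn, objects=HIGH_RISK_OBJECTS):
    """(oracle_id, person, object, role, account_status, via) per grant."""
    sql = ACCESS_SQL.format(placeholders=", ".join("?" * len(objects)))
    return conn.execute(sql, objects).fetchall()


def review(rows):
    """Grants an auditor should question: (oracle_id, object, reason)."""
    findings = []
    for oracle_id, person, obj, _role, status, _via in rows:
        if person is None:
            findings.append((oracle_id, obj, "no Banner person mapped"))
        if status != "OPEN":
            findings.append((oracle_id, obj, f"account {status} but grant still present"))
    return findings


if __name__ == "__main__":
    rows = high_risk_access(build_sample_db())
    for r in rows:
        print(r)
    for f in review(rows):
        print("REVIEW", *f)
```

Two details carry the audit value: the SPRIDEN join keeps only the current name record (SPRIDEN_CHANGE_IND is null), and the outer joins keep grants that map to no person or no Oracle account, which is how a contractor id with a direct grant on SPAPERS, or a locked account still holding a grade-change class, surfaces in the result.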
3 HIGH RISK OBJECTS
Banner Student
• SPAPERS – SSN’s
• SPAIDEN ‐ SSN’s
• SHAINST – Change grades
APPLICATIONS / BUSINESS SYSTEMS
KEY PRINCIPLE
GARBAGE IN
GARBAGE OUT
APPLICATION PROCESSING
Objective
• determine the following:
– Data is entered into the application correctly;
– Processed accurately;
– Errors are detected, corrected and reprocessed; and,
– Interface files and reports contain complete and accurate information.
Areas
• Segregation of duties
• Input / Edits / Integrity
• Operations / Scheduling
• Interfaces
• Reports / Outputs
• Other to consider (not covering now)
– Audit (Transaction) Trails
– Documentation
– Training
– Backups
– Change Management
MYTH or REALITY
Integrated auditing is adding an IT auditor to every audit?
What is Integrated Auditing?
• Adding IT Auditor to every internal audit to look at IT Systems?
• Training Internal Auditor to look at IT Systems in every audit?
• Training one auditor to do every type of audit, operational, financial, IT, security, compliance?
IIA ‐ Practice Guide Integrated Auditing
July 2012
• Difference between Integrated and Non‐integrated Audit Approach
– An integrated audit differs from a non‐integrated audit in terms of scope and overall complexity
• Complexity Directly Related to Broader Nature of Integrated Audit Requires:
– Use of Multiple Audit Techniques
– Increased use of external resources or increased knowledge of staff
– Enhanced project management skills
– Balanced approach to risk identification & ratings
– Increased oversight & creativity by the auditor
– Changes to current staffing model
Where To Do Integrated Auditing
Operational Audits / Application Audits
Financial Audit / Application Audit
Physical Security / Access Controls
Governance / Mgmt / IT Processes
Technical Audits - NO
UNDERSTANDING YOUR BLACKBOARD LEARN TM ENVIRONMENT SO THAT YOU CAN AUDIT IT EFFECTIVELY
IA COUNCIL
Objectives & Agenda
After attending this presentation, participants will:
1. Have a general understanding of the architecture that may be in place
2. Identify key functions within the application.
3. Understand how integrations are set up.
4. Introduce Building Blocks, and the risks that come along with their implementation.
5. Identify potential areas of concern that an audit team should be mindful of related to the Learn environment.
6. Identify controls that can be implemented to enhance the overall security of the environment.
Introduction
What is eLearning?
Why/How Did We Audit It?
Blackboard’s Use Within UT System
Application Overview
Access Controls
Application Inherent Weaknesses
Intro to Controls
Results: Value Added
April 2015 IA Council
What is eLearning / Distance Learning?
Use of electronic technology to offer course material
Why We Audited the eLearning Application?
March 6, 2017 TeamMate User Forum 2009
eLearning stakeholders (diagram): Provost, Info Resources, Compliance Training, Registrar, Faculty, Students
Risky Process?
Annual Audit Plan – IT Risk Assessment
Activities | Controls* | 1 2 3 4 5 (two-letter rating codes kept as extracted from the slide)
Policies: HH TAC 202; HM UTS 165 Security Policy; HM IT Security Policies and Procedures; MH I/R Policies and Procedures
Standards: HM Systems Development Process; MH Application Development Standards; MH Data Definitions; MH Documentation Requirements for Applications; MM Configuration Management
Organization and Management: HH I/R Planning and Governance; HM Change Management; HM Risk Assessment; HM Project Management and Quality Assurance; MH Organization Structure
Physical and Environmental Controls: HH Backup and Recovery; HM Data Centers; MH Cloud Computing
Information Resources: HM Unix; HM Networking; HM Active Directory; MM Web Services; MM Email
Systems Development Controls: HM Systems Development Controls; HM Application Maintenance Processes; HM Vendor Review Process and Purchased Software
Application-Based Controls: HM Gemini (HR/Finance); HM eLearning/Blackboard; HM OnBase; HL Orion (Student); MM Comet Cards
IT Security: HH Encryption; HH Identity Management; HM Access Controls: Firewall/Intrusion Prevention and Detection System; HM Patch Management; HM Vulnerability Assessment
Use of Blackboard within UT System
Academic Institutions
UT Arlington
UT Austin (Transitioning to Canvas August 31)
UT Brownsville
UT Dallas
UT El Paso
UT Pan American
UT Permian Basin
UT Rio Grande Valley
?
UT San Antonio
UT Tyler
Health Institutions
The University of Texas Southwestern Medical Center
utsouthwestern.mrooms3.net
The University of Texas Medical Branch at Galveston
The University of Texas Health Science Center at Houston
The University of Texas Health Science Center at San Antonio
The University of Texas MD Anderson Cancer Center
?
The University of Texas Health Science Center at Tyler
?
April 2015IA Council
The Audit…How Did We Get Started?
Audit Objective:
To ensure adequate controls existed over the application to ensure compliance…effectiveness and efficiency…reliability and integrity of information…safeguarding of assets.
Planning:
Interviews
Review of Blackboard contract
TAC 202, UTS 165, FERPA
Blackboard user manuals, documents
eLearning/Blackboard Risk Assessment
Governance: Policies & procedures; System Development & Maintenance; Change Management
Operations: Building Block Management; Database Configuration & Management; Logs: Monitoring, Maintenance, and Retention
Access Management: Passwords; Access controls; Encryption
Compliance: FERPA; Confidential Data; TAC 202, UTS 165
How Do You Audit Blackboard Learn?
Application Overview
Access Controls
Inherent Weaknesses
Introduction to Controls

Application Overview
Architecture/Hardware
Load Balanced Configuration:
BENEFITS: typical high performance / high availability configuration; scales as the environment grows.
1. Web/App Server
2. Collaboration Server
3. File System Server (Content Storage)
4. Database Server

Architecture (less common)
No redundancy; suitable for development or test environments.
Architecture – considerations
Ability to run on a Unix or a Windows operating system.
Assess general controls on the servers BEFORE assessing security around the application:
Identify administrators
Validate services and applications
Open ports
Patching
Age of hardware
Key Processes
Category | Process
Authentication | Setup of authentication
Courses | Creating courses; course enrollments; course archive; course bulk delete
Grading | Grading schema; grading
User / Role Creation | Creating users within the application; designing roles; assigning roles to users
Reference: https://help.blackboard.com/
Integrations
Allow for automation of specific tasks.
Five types of integrations are available.
The type of integration used is based on the data format produced by the source Student Information System.
https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/120_System_Integration/006_Student_Information_System_(SIS)
Integration Setup Process
1. User name and password setup
Location: System Admin > Building Blocks > Data Integration > Student Information Systems Integrations
(sample screenshot)

Integrations – Data Transfer
https://www.youtube.com/watch?v=IE5eWBzz9aw
CURL: a utility to transfer data from one location to the other.
Sample CURL file: note that the integration password is stored in clear text.
Integrations – Flow
(diagram)

Integration – Logging
https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/120_System_Integration/006_Student_Information_System_(SIS)/SIS_Framework_Overview

Integration – Suggested Audit Procedures
• Document the data flow from the SIS into Blackboard.
• Access to set up and inactivate integrations.
• Access to the integration password within the application (PATH: System Admin > Data Integration > Integration Password, OR > Data Integration > Student Information System Integrations > 'edit').
• Determine the location where the CURL file is saved.
• Determine if it is appropriate to limit the integration process so that it can only be initiated from an authorized site/IP address.
• Review integration logs.
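The CURL-file finding above ("determine the location where the CURL file is saved", and the clear-text password in the sample CURL file) can be turned into a repeatable check. The following is an added example for this page, not code from the presenters or from Blackboard: it scans a shell script for curl invocations that embed the integration credential inline (`-u user:password`, `--user`, or a pre-built `Authorization: Basic` header, which is base64 rather than encryption) and produces a redacted copy suitable for audit workpapers. The script text, host name, endpoint paths and credential are all constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample integration script (not from the page or from Blackboard):
# the kinds of curl invocations an SIS-to-Learn feed script commonly contains.
# Hostname, paths and credential are placeholders.
SAMPLE_CURL_SCRIPT = """\
#!/bin/sh
# nightly SIS feed push (constructed example)
curl -u sis_integration:Sup3rSecret! -F 'file=@/feeds/enrollments.txt' https://bb.example.edu/integration/endpoint/membership/store
curl --user sis_integration:Sup3rSecret! https://bb.example.edu/integration/endpoint/dataSetStatus/ds-0001
curl --netrc-file /etc/bb-integration/netrc -F 'file=@/feeds/courses.txt' https://bb.example.edu/integration/endpoint/course/store
curl -H 'Authorization: Basic c2lzX2ludGVncmF0aW9uOlN1cDNyU2VjcmV0IQ==' https://bb.example.edu/integration/endpoint/course/store
"""

# "-u user:pass", "--user user:pass" or "--user=user:pass"
INLINE_CRED = re.compile(r"(?:^|\s)(?:-u|--user)[ =](\S+)")
# A pre-built Basic header is base64, not encryption: still a clear-text secret.
BASIC_HEADER = re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def find_clear_text_credentials(script: str) -> List[Dict[str, object]]:
    """Return one finding per script line that embeds a credential."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # comments and blank lines carry no live credential
        m = INLINE_CRED.search(line)
        if m and ":" in m.group(1):
            user = m.group(1).split(":", 1)[0]
            findings.append({"line": lineno, "kind": "inline user:password", "user": user})
            continue
        if BASIC_HEADER.search(line):
            findings.append({"line": lineno, "kind": "basic auth header (base64 only)", "user": ""})
    return findings


def redact(script: str) -> str:
    """Mask the secret part so the evidence copy does not itself leak the password."""
    out = []
    for line in script.splitlines():
        line = re.sub(r"((?:-u|--user)[ =][^\s:]+:)\S+", r"\1***", line)
        line = BASIC_HEADER.sub("Authorization: Basic ***", line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in find_clear_text_credentials(SAMPLE_CURL_SCRIPT):
        print(f"line {f['line']}: {f['kind']} {f['user']}")
    print(redact(SAMPLE_CURL_SCRIPT))
```

The third curl line, which reads the credential from a separate netrc file, produces no finding; for that pattern the follow-up question is who can read that file (its file-system permissions), which is exactly the "where is the CURL file saved" procedure on the slide.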
Building Blocks (BB)
• Extend functionality of the application.
• Developed both by Blackboard and third-party developers.
• Have access to user data that is being maintained within the application.
• Permissions are 'set up' at the time a building block is installed.
• Critical that a process is in place for review of BB privileges prior to installation.
• Building blocks require periodic updates that are installed separately from the application service packs.

Building Blocks
• Security privileges for BBs can also be reviewed via 'bb-manifest.xml'.
• One bb-manifest file for each BB that has been installed.
• Example of wild-card notation in a manifest permission (it grants read and write on every file the application process can reach):
  <permission type="java.io.FilePermission" name="&lt;&lt;ALL FILES&gt;&gt;" actions="read,write"/>
https://help.blackboard.com/en-us/Learn/9.1_2014_04/Administrator/080_Developer_Resources/020_Develop/000_Building_Blocks/005_Building_Blocks_and_Java_Permissions
Building Blocks
Global configuration setting: MENU PATH: Building Blocks > Installed Tools > Global Settings
List of installed building blocks: MENU PATH: System Admin > Building Blocks > Building Blocks > Installed Tools

Administrative Building Blocks
LoginAs - http://projects.oscelot.org/gf/project/loginas/
Allows individuals with access to log in as another user within the application without knowing the other user's password.
Designed to assist administrators with troubleshooting, but an opportunity for abuse.
Effectively allows impersonation of another user.

Administrative Building Blocks: LOGIN AS
APPLICATION PATH: System Admin > Building Blocks > Building Blocks > Installed Tools > LOGIN AS Configuration

Administrative Building Blocks
Impersonate - http://projects.oscelot.org/gf/project/impersonate/frs/
Another BB similar to LoginAs.
APPLICATION PATH: System Admin > Tools and Utilities
Building Blocks – Suggested Audit Procedures
• Generate a listing of BBs that are installed; evaluate that there is a strong business need.
• Ensure all BBs are up to date.
• Review BB permissions.
• Evaluate the process for approval/review of BB permissions prior to installation.
• Ensure access to the administrative BBs (such as LoginAs) is restricted.
• Review audit logs for administrative BBs to determine if they are being misused.
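The "review BB permissions" procedure and the bb-manifest.xml slide above can be automated against the manifest files on disk. The following is an added example, not code from the presenters or from Blackboard: it parses a constructed bb-manifest.xml, grades each `<permission>` element (the element form is the one shown on the slide; the enclosing `<manifest>`/`<plugin>`/`<permissions>` structure is assumed for this example) and reports the most severe grants first, so the pre-installation review can focus on wild cards such as `<<ALL FILES>>`, `SocketPermission "*"` and JVM-level `RuntimePermission` targets. The severity thresholds are this example's own audit expectations, not a vendor baseline.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed bb-manifest.xml fragment (not a real building block). The
# <permission> element follows the form shown on the slide; the surrounding
# <manifest>/<plugin>/<permissions> nesting is assumed for this example.
SAMPLE_MANIFEST = """<manifest>
  <plugin>
    <name value="Example Tool (constructed)"/>
    <handle value="example-tool"/>
    <permissions>
      <permission type="java.io.FilePermission" name="&lt;&lt;ALL FILES&gt;&gt;" actions="read,write"/>
      <permission type="java.net.SocketPermission" name="*" actions="connect,resolve"/>
      <permission type="java.lang.RuntimePermission" name="exitVM"/>
      <permission type="java.util.PropertyPermission" name="*" actions="read"/>
      <permission type="java.io.FilePermission" name="WEB-INF/-" actions="read"/>
    </permissions>
  </plugin>
</manifest>
"""

# RuntimePermission targets that let code escape the sandbox or stop the JVM.
DANGEROUS_RUNTIME = {"exitVM", "setSecurityManager", "createClassLoader", "setIO"}


def grade(ptype: str, name: str, actions: str) -> Tuple[str, str]:
    """Map one permission to (severity, reason); most severe checks first."""
    acts = {a.strip() for a in actions.split(",") if a.strip()}
    if ptype == "java.security.AllPermission":
        return "critical", "AllPermission disables every sandbox check"
    if ptype == "java.io.FilePermission":
        if name == "<<ALL FILES>>":
            sev = "high" if acts & {"write", "delete", "execute"} else "medium"
            return sev, "wild card <<ALL FILES>>: every file the Learn process can reach"
        if name.endswith("/-"):
            return "medium", "recursive directory wild card"
        return "low", "scoped file permission"
    if ptype == "java.net.SocketPermission" and name == "*":
        return "high", "may connect to any host (application data could leave the server)"
    if ptype == "java.lang.RuntimePermission" and name in DANGEROUS_RUNTIME:
        return "high", f"RuntimePermission {name}"
    if name == "*":
        return "medium", "wild card target"
    return "low", "scoped permission"


def review_manifest(xml_text: str) -> List[Dict[str, str]]:
    """Grade every <permission> in a bb-manifest, most severe first."""
    root = ET.fromstring(xml_text)
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = []
    for p in root.iter("permission"):          # nesting-independent
        ptype, name = p.get("type", ""), p.get("name", "")
        actions = p.get("actions", "")
        sev, reason = grade(ptype, name, actions)
        findings.append({"type": ptype, "name": name, "actions": actions,
                         "severity": sev, "reason": reason})
    findings.sort(key=lambda f: order[f["severity"]])   # stable sort keeps file order within a grade
    return findings


def needs_preinstall_approval(xml_text: str) -> bool:
    """True when any permission is graded high or critical."""
    return any(f["severity"] in ("critical", "high") for f in review_manifest(xml_text))


if __name__ == "__main__":
    for f in review_manifest(SAMPLE_MANIFEST):
        print(f"{f['severity']:8} {f['type']} {f['name']} [{f['actions']}]: {f['reason']}")
```

Running it over every installed building block's manifest gives the listing the slide asks for; a grade of high or critical is the trigger for the formal approval step in the "process for approval/review of BB permissions prior to installation".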
Access Controls

INSTITUTIONAL HIERARCHY
Organize users, courses and organizations.
Delegate administration.
Flexibility on the 'power' of administrative privileges.
Example hierarchy (diagram):
Texas Tier 1 University
  Richardson Campus: admin user FOX
  Dallas Campus
    School of Engineering: admin user Romo
    School of Business: admin user Nash
      Accounting: course creator user Ali
      Finance: admin user Mickey
  Denton Campus
    Spring Courses: admin user Mike
    Fall Course: admin user Steve; course creator user FOX
APPLICATION PATH: System Admin > Institutional Hierarchy
TYPES OF ROLES
System Roles
• Control the administrative privileges assigned to a user.
Course and Organization Roles:
• Control access to the content and tools within a course or organization. Each user is assigned a role for each course or organization in which they participate.
• For example, a user with a role of Teaching Assistant in one course can have a role of Student in another course.
Institution Roles
• Control what brands, tabs, and modules users see when they log in to Blackboard Learn.
• Institution roles also grant or deny access to Content Collection files and folders.

TYPES OF ROLES (examples)
System Roles: System Administrator; System Support; Course Administrator; User Administrator; Support
Course and Organization Roles: Instructor; Teaching Assistant; Course Builder; Grader; Student
Institution Roles: Faculty; Staff; Alumni
INSTITUTIONAL HIERARCHY (screenshot)
March 2015, TACUA Conference 2015
INSTITUTIONAL ROLE (screenshot)
COURSE ROLE (screenshot)

PRIVILEGE REVIEW
Vendor master role spreadsheet:
https://help.blackboard.com/@api/deki/files/77249/Administrator_Privilege_Descriptions.xls
PRIVILEGE REVIEW
System Roles
• In the Administrator Panel in the Users section, click Course/Organization Roles.
• On the System Roles page, access the role's contextual menu.
• Click Privileges.
• Click Show All.
• Highlight both columns, and copy.
• Open up Excel and use paste as text to get a listing of all the privileges that are allowed within the role.
• Repeat for all the course roles.
Course and Organization Roles:
• In the Administrator Panel in the Users section, click Course/Organization Roles.
• On the Course/Organization Roles page, access the role's contextual menu.
• Click Privileges.
• Click Show All.
• Highlight both columns, and copy.
• Open up Excel and use paste as text to get a listing of all the privileges that are allowed within the role.
• Repeat for all the course roles.
USER ROLE ASSIGNMENTS
SYSTEM ROLE
SELECT users.user_id, users.lastname, users.firstname,
       CASE
         WHEN system_role = 'Y' THEN 'Community Administrator'
         WHEN system_role = 'C' THEN 'Course Administrator'
         WHEN system_role = 'Course_Coordinator_Bb' THEN 'Course Coordinator Bb'
         WHEN system_role = 'Z' THEN 'System Administrator'
         WHEN system_role = 'H' THEN 'System Support'
         WHEN system_role = 'S' THEN 'System Support II'
         WHEN system_role = 'A' THEN 'User Administrator'
         WHEN system_role = 'N' THEN 'None'
         WHEN system_role = 'O' THEN 'Observer'
         ELSE 'Undefined'
       END AS role
FROM users
ORDER BY user_id;

Course Roles
SELECT cm.course_id, users.user_id, users.lastname, users.firstname, users.batch_uid,
       CASE
         WHEN course_role = 'B' THEN 'Course Builder'
         WHEN course_role = 'E' THEN 'Course Guest'
         WHEN course_role = 'G' THEN 'Grader'
         WHEN course_role = 'I' THEN 'UG Teaching Intern'
         WHEN course_role = 'P' THEN 'Instructor'
         WHEN course_role = 'S' THEN 'Student'
         WHEN course_role = 'T' THEN 'Teaching Assistant'
         WHEN course_role = 'Inc' THEN 'Incomplete'
         WHEN course_role = 'CCta' THEN 'Course Coordinator'
         WHEN course_role = 'PU' THEN 'Portfolio User'
         WHEN course_role = 'U' THEN 'Guest'
         WHEN course_role = 'v' THEN 'Visitor'
         ELSE 'Undefined'
       END AS role
FROM course_main cm, course_users cu, course_roles cr, users
WHERE cu.crsmain_pk1 = cm.pk1
  AND cr.course_role = cu.role
  AND cu.users_pk1 = users.pk1
  AND cm.course_id LIKE '2142%'
  AND cm.available_ind = 'Y';
*Some CRITICAL AREAS to CONTROL
Path: System Admin > Building Blocks > Authentication
Functionality: Ability to set up and disable authentication against a directory service
Risk: If a user inactivates the authentication service that users rely on, essentially all non-local users are locked out.

Path: System Admin > Building Blocks > Data Integration
Functionality: Ability to set up and disable integrations, and to set up and view the integration password

Path: System Admin > Tools and Utilities > System Logs
Functionality: Set the frequency and timing of log rotation
Risk: Log frequency can be set to 0 days, meaning no logs will be retained.

Path: System Admin > Tools and Utilities > Logs
Functionality: Ability to view and purge logs
Risk: Users with update access can purge the logs.
*Some CRITICAL AREAS to CONTROL (continued)
Path: System Admin > Security > Privileges
Functionality: Ability to modify the privileges provided by each role
Risk: Ability to modify role privileges is not restricted.

Path: System Admin > Security > Safe HTML Filter
Functionality: Ability to enable/disable filtering of 'unsafe' HTML

Path: System Admin > Courses > Course Settings > Default Grading Schema
Functionality: Allows set-up of the configuration that turns exam scores into letter-grade equivalents, for example 90 = A, 80 = B

Bulk Delete
Batch enroll / quick enroll
*CRITICAL DIRECTORIES
Blackboard Learn includes a set of system administration tools that must be run from the command line.
blackboard_home/tools/admin
blackboard/apps/bbcms/bin
https://help.blackboard.com/en-us/Learn/9.1 SP 12 and SP 13/Administrator/150 System Management/050 Command Line Tools

DEFAULT APPLICATION ACCOUNTS
1. Administrator: the account has full Blackboard Learn administrator privileges.
2. root_admin: the account has full administrative privileges.
ACCESS CONTROLS – SUGGESTED PROCEDURES
• Role design: confirm 'critical/sensitive' privileges are only provided to privileged roles.
• Ensure roles are assigned in line with an individual's job responsibilities.
• Data analysis: query the listing of faculty members and course enrollments from the Student System and join it with data from Blackboard to identify potential 'issues'.
• Validate that access to critical directories is restricted.
• Determine if default application accounts are enabled, and who has access to them (is aware of the password).
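The USER ROLE ASSIGNMENTS queries and the "data analysis" procedure above (join the student system's instructor list with Blackboard enrollments to find 'issues') can be exercised end to end on a small data set. The following is an added example, not the presenters' code: it builds constructed `users`, `course_main` and `course_users` tables in the shape the slide's SQL uses (plus a constructed `sis_instructors` extract standing in for the Student System), runs the system-role decode from the slide restricted to privileged roles, and then lists Blackboard Instructors who are not the instructor of record. The `course_roles` lookup table from the slide's query is omitted because the role codes are decoded inline; all names and course ids are made up.

```python
import sqlite3
from typing import List, Tuple

# Role decode from the slide, restricted to users holding any privileged system role.
SYSTEM_ROLE_SQL = """
SELECT user_id,
       CASE system_role
         WHEN 'Y' THEN 'Community Administrator'
         WHEN 'C' THEN 'Course Administrator'
         WHEN 'Course_Coordinator_Bb' THEN 'Course Coordinator Bb'
         WHEN 'Z' THEN 'System Administrator'
         WHEN 'H' THEN 'System Support'
         WHEN 'S' THEN 'System Support II'
         WHEN 'A' THEN 'User Administrator'
         WHEN 'N' THEN 'None'
         WHEN 'O' THEN 'Observer'
         ELSE 'Undefined'
       END AS role
FROM users
WHERE system_role <> 'N'
ORDER BY user_id;
"""

# Blackboard instructors (course_users.role = 'P') in the term's available
# courses who are NOT the instructor of record in the student system.
INSTRUCTOR_EXCEPTIONS_SQL = """
SELECT cm.course_id, u.user_id
FROM course_main cm
JOIN course_users cu ON cu.crsmain_pk1 = cm.pk1
JOIN users u         ON u.pk1 = cu.users_pk1
LEFT JOIN sis_instructors sis
       ON sis.course_id = cm.course_id AND sis.user_id = u.user_id
WHERE cu.role = 'P'
  AND cm.course_id LIKE '2142%'
  AND cm.available_ind = 'Y'
  AND sis.user_id IS NULL
ORDER BY cm.course_id, u.user_id;
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed data in the shape of the slide's tables plus a constructed SIS extract."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE users(pk1 INTEGER PRIMARY KEY, user_id TEXT, lastname TEXT,
                       firstname TEXT, batch_uid TEXT, system_role TEXT);
    CREATE TABLE course_main(pk1 INTEGER PRIMARY KEY, course_id TEXT, available_ind TEXT);
    CREATE TABLE course_users(crsmain_pk1 INTEGER, users_pk1 INTEGER, role TEXT);
    CREATE TABLE sis_instructors(course_id TEXT, user_id TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", [
        (1, "fox",   "Fox",     "F", "fox01",   "Z"),  # system administrator
        (2, "romo",  "Romo",    "R", "romo01",  "N"),
        (3, "ali",   "Subhani", "A", "ali01",   "A"),  # user administrator
        (4, "mike",  "Mike",    "M", "mike01",  "N"),
        (5, "steve", "Steve",   "S", "steve01", "Y"),  # community administrator
    ])
    conn.executemany("INSERT INTO course_main VALUES (?,?,?)", [
        (10, "2142-ACCT-3301", "Y"),
        (11, "2142-FIN-3320",  "Y"),
        (12, "2138-FIN-3320",  "Y"),   # prior term: excluded by LIKE '2142%'
        (13, "2142-MGT-3300",  "N"),   # unavailable course: excluded
    ])
    conn.executemany("INSERT INTO course_users VALUES (?,?,?)", [
        (10, 2, "P"),  # romo teaches ACCT-3301 and is instructor of record
        (10, 3, "S"),
        (11, 4, "P"),  # mike holds Instructor in FIN-3320 but the SIS lists steve
        (11, 5, "T"),  # steve is only a TA in Blackboard for his own course
        (12, 4, "P"),
        (13, 4, "P"),
    ])
    conn.executemany("INSERT INTO sis_instructors VALUES (?,?)", [
        ("2142-ACCT-3301", "romo"),
        ("2142-FIN-3320",  "steve"),
    ])
    return conn


def privileged_users(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    return conn.execute(SYSTEM_ROLE_SQL).fetchall()


def instructor_exceptions(conn: sqlite3.Connection) -> List[Tuple[str, str]]:
    return conn.execute(INSTRUCTOR_EXCEPTIONS_SQL).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    print("privileged system roles:", privileged_users(db))
    print("instructors not of record:", instructor_exceptions(db))
```

Against a production extract the same two queries give the auditor the list of privileged accounts to reconcile against job responsibilities, and the list of course-level Instructor grants (with access to grades and FERPA data) held by someone the registrar does not recognise as teaching the course.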
INHERENT WEAKNESSES

VIRUS DETECTION
Blackboard Learn does not support anti-virus scanning of files uploaded by users into the system. Vendor statement: "This feature is on the Blackboard Learn Product Security Roadmap. Any statements about future expectations, plans and prospects for Blackboard represent the Company's views as of January 1, 2013. Actual results may differ materially as a result of various important factors. The Company anticipates that subsequent events and developments will cause the Company's views to change. However, while the Company may elect to update these statements at some point in the future, the Company specifically disclaims any obligation to do so."
Ensure management is aware of the risk of malicious files being delivered through Learn.
Virus detection is critical on machines that are utilized by faculty, TAs and admin staff.
https://help.blackboard.com/en-us/Learn/9.1_SP_12_and_SP_13/Administrator/050_Security/000_Key_Security_Features/040_System_and_Information_Integrity

LOCKOUT RECOVERY
The vendor offers an 'Emergency One-time Login URL Tool' which allows creation of a temporary session for any user account.
Located in the blackboard/tools/admin/ folder.
Script name: AuthenticationOneTimeLogin.sh|bat
https://help.blackboard.com/en-us/Learn/9.1_SP_10_and_SP_11/Administrator/070_Authentication/Recovering_From_a_Lockout_or_Bad_Configuration
INTRO TO CONTROLS

CONTROLS
SSL functionality: choice on where encryption is enabled.
Location: System Admin > Security and Integration > SSL Choice

GRADING SECURITY
Location: System Admin > Courses > Course Settings > Grading Security Settings

GRADING SECURITY
Location: System Admin > Courses > Course Settings > Default Grading Schemas

COURSE SIZE
Blackboard allows limits to be set up for courses.
Reporting capability is available to identify courses that may be close to or over the threshold.
Location: System Admin > System Reporting > Disk Usage
AUDIT RESULTS: VALUE ADDED
1. FERPA Data
2. Integration Security
3. System and Information Integrity
4. Database Controls
5. Authentication Controls
6. Building Blocks
7. User Access Management
8. Operational Efficiency
9. Audit Logging
10. Policies & Procedures

CONTACT INFORMATION
Ali Subhani, CISA, CIA, GSNA
Toni Stephens, CPA, CIA, CRMA
972-883-2540
972-883-4876
DATA CENTERS
https://www.google.com/about/datacenters/gallery/#/

KEY PRINCIPLE
Bad Data Center = Bad Infrastructure

GOOD
BAD
UGLY

PHYSICAL SECURITY
Keys / combinations
Card access
Guards / cameras
Alarms
Visitor log
After hours
ENVIRONMENTAL CONTROLS
Fire
Electrical
AC / heat
Housekeeping
Water
Maintenance

ELECTRICAL
TRANSFORMER: more than meets the eye
UPS
GENERATOR
EMERGENCY SHUTOFF
• Need an emergency power off (EPO) button
• Located near all exits, with a clear plastic safety cover

FIRE
OH NO, THERE IS A FIRE IN THE DATA CENTER
HALON / INERT GAS
SPRINKLERS

AIR CONDITIONING

WATER

MAINTENANCE

HOUSEKEEPING

EXERCISES
• Walkthrough
• AC
• Generator
AUDITING NETWORKS
ALI SUBHANI, CIA, CISA, GSNA
MARCH 2017
ACUA MID-YEAR

AGENDA
Key Terminology
Key Concepts
Audit Steps to Consider

WHAT IS A NETWORK?
A group of computers or other devices (printers, storage) linked together to facilitate sharing of resources.

NETWORK TYPES
LAN: connects network devices over a relatively short distance.
MAN: spans a physical area larger than a LAN; operated and managed by one entity.
WAN: spans a large physical distance; geographically dispersed.

SWITCHES (CRITICAL HARDWARE)
Used to connect multiple devices on the same network.
Serves as a controller, allowing the various devices to share information and talk to each other.

ROUTERS (CRITICAL HARDWARE)
Used to tie multiple networks together.
Used to connect your networked computers to the Internet and thereby share an Internet connection among many users.
Routers act as 'a dispatcher', choosing the best route for your information to travel so that you receive it quickly.

FIREWALL (CRITICAL HARDWARE)
A device configured to permit or deny all computer traffic between different security domains based upon a set of rules.
Rules take one of two approaches:
- Permit all by default, with specific rules that deny access.
- Restrict all by default, with specific rules that permit access.

TYPES OF FIREWALL (CRITICAL HARDWARE)
(diagram)
TERMINOLOGY: IP ADDRESS
Numeric identifier for each device attached to the network.
Example: 72.16.254.1 (IPv4), or 2001:DB8:0:1234:0:567:8:1 (IPv6)
External IP vs. internal IP address.
SUBNET: an identifiable separate portion of an organization's network. Typically, a subnet may represent all the machines at one geographic location, in one building, or in a department.

TERMINOLOGY: MAC ADDRESS
Unique serial number burned into Ethernet adapters to identify the network card from others.
Can be utilized to only allow devices that have been authorized to connect to the network.
Nefarious use: can be used to track user activity.

TERMINOLOGY: FINDING IP/MAC
(screenshot)

BRINGING IT ALL TOGETHER: ACTIVITY
1. Work in a team and determine the IP address and MAC address assigned to the laptop you are using.
2. Open up a browser and navigate to whatismyip.com.
3. Note down the IP address you have been assigned; does it match the IP address you saw in step 1 above? What would explain the difference?
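The terminology slides (IP address, subnet, external vs. internal address, MAC address) and the activity above can be worked through in code. The following is an added example, not part of the presentation: it parses a constructed `ipconfig /all` excerpt to recover the laptop's MAC, IPv4 address and subnet, classifies addresses with Python's standard `ipaddress` module (including the slide's own IPv4 and IPv6 examples), and states the usual answer to the activity's question, that the laptop's private RFC 1918 address is translated to the organization's public address by NAT at the edge. The `ipconfig` text is constructed; no real host was captured.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed `ipconfig /all` excerpt (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   IPv4 Address. . . . . . . . . . . : 192.168.1.27(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Six hex pairs separated by ':' (Unix) or '-' (Windows).
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]"
                    r"([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})\b")


def normalize_mac(text: str) -> Optional[str]:
    """Return the first MAC in `text` in lower-case colon form, or None."""
    m = MAC_RE.search(text)
    return ":".join(g.lower() for g in m.groups()) if m else None


def parse_ipconfig(text: str) -> Dict[str, str]:
    """Pull the MAC, IPv4 address, mask and gateway out of ipconfig-style output."""
    info: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        label = label.replace(".", "").strip().lower()   # "IPv4 Address. . ." -> "ipv4 address"
        value = value.strip().split("(")[0]              # drop "(Preferred)"
        if label == "physical address":
            info["mac"] = normalize_mac(value) or ""
        elif label == "ipv4 address":
            info["ipv4"] = value
        elif label == "subnet mask":
            info["mask"] = value
        elif label == "default gateway":
            info["gateway"] = value
    if "ipv4" in info and "mask" in info:
        iface = ipaddress.ip_interface(f"{info['ipv4']}/{info['mask']}")
        info["network"] = str(iface.network)             # the subnet, e.g. 192.168.1.0/24
    return info


def classify(address: str) -> Dict[str, object]:
    """Version and scope of an address: private (RFC 1918 / ULA) or routable?"""
    ip = ipaddress.ip_address(address)
    return {"version": ip.version, "private": ip.is_private,
            "loopback": ip.is_loopback, "link_local": ip.is_link_local}


def explain_mismatch(local_ip: str, seen_from_internet: str) -> str:
    """Why whatismyip.com shows a different address than the laptop's own."""
    local = ipaddress.ip_address(local_ip)
    public = ipaddress.ip_address(seen_from_internet)
    if local == public:
        return "no NAT: the laptop holds a routable address"
    if local.is_private and not public.is_private:
        return ("NAT: the laptop's private address is translated to the "
                "organization's public address at the edge router/firewall")
    return "addresses differ; check for a proxy, VPN or multiple interfaces"


if __name__ == "__main__":
    info = parse_ipconfig(SAMPLE_IPCONFIG)
    print(info)
    print(classify("72.16.254.1"), classify("2001:DB8:0:1234:0:567:8:1"))
    print(explain_mismatch(info["ipv4"], "72.16.254.1"))
```

For the audit steps that follow, the same `ipaddress` calls answer the practical questions: whether a device's address falls inside the subnet drawn on the logical diagram, and whether an address that appears in a log is internal or external.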
TERMINOLOGY: SOURCE
An origination point for data.
TERMINOLOGY: DESTINATION
The ending point for data.

TERMINOLOGY: PACKETS
A formatted block of data used in a computer network.
https://youtu.be/TPJUC4BBZO0?t=12s

ACTIVITY
Open up a command prompt:
1. Type ping google.com
2. What address did you send packets to?
3. How many packets did you send?

TERMINOLOGY: DNS
A system for converting hostnames and domain names into IP addresses.
C:\>NSLOOKUP GOOGLE.COM
SERVER:   14.SUB-69-78-96.MYVZW.COM
ADDRESS:  69.78.96.14
NON-AUTHORITATIVE ANSWER:
NAME:     GOOGLE.COM
ADDRESSES: 64.233.187.99, 72.14.207.99, 64.233.167.99

AUDIT STEPS: NETWORK DIAGRAM
Physical diagram: identify how network devices are connected.
Logical diagram: describe the flow of information and the segregation of critical areas/assets of the network from the general network.
Identify hardware that could be a single point of failure; discuss with management.

AUDIT STEPS: INVENTORY NETWORK DEVICES
Compile a list of critical network devices, along with the model # and patch information.
Identify the user accounts that currently exist on the devices; ensure only active employees have access.
Ensure no generic accounts exist.
Ensure patches are applied.

AUDIT STEPS: REMOTE ACCESS
Evaluate remote access into the network; determine if controls such as two-factor authentication are in place.
Determine whether remote administration of network devices from outside the network is enabled.

AUDIT STEPS: CRITICAL NETWORK ACTIVITY
Inquire what activity is being logged; who is monitoring; how; frequency.
Inquire if any monitoring is in place to detect data sets leaving the network.
Firewall rule review.

AUDIT STEPS: FIREWALL RULE REVIEW TIPS
Verify that the rules are needed (driven by a business need).
Verify that the rules make sense.
Verify that the rules are used and reviewed for relevancy.
Verify there is a change process for rule updates.
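The four firewall rule review tips above translate directly into mechanical checks over an exported rule base. The following is an added example, not the presenter's code or any vendor's: it models a top-down rule list with the fields most exports carry (addresses, service, hit counter, justification, expiry) and flags rules that permit any-to-any on any service, rules with no recorded business need, expired temporary rules, rules that have never matched, and rules that are shadowed (an earlier rule already matches every packet they could match, so they can never be hit). The rule base, addresses and dates are constructed; the rule schema is this example's assumption.

```python
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (1, 65535)


@dataclass
class Rule:
    rule_id: str
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp", "icmp" or "any"
    src: str                       # CIDR or "any"
    dst: str
    ports: str                     # "443", "1024-65535" or "any"
    hits: int                      # counter from the firewall's own rule statistics
    justification: str = ""        # business need recorded in the change ticket
    expires: Optional[date] = None # set for temporary / vendor-access rules


def net(s: str) -> ipaddress.IPv4Network:
    return ANY_NET if s == "any" else ipaddress.ip_network(s, strict=False)


def port_range(s: str) -> Tuple[int, int]:
    if s == "any":
        return ANY_PORTS
    lo, _, hi = s.partition("-")
    return (int(lo), int(hi or lo))


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matching b also matches a (b is unreachable after a)."""
    if a.proto != "any" and a.proto != b.proto:
        return False
    if not (net(b.src).subnet_of(net(a.src)) and net(b.dst).subnet_of(net(a.dst))):
        return False
    alo, ahi = port_range(a.ports)
    blo, bhi = port_range(b.ports)
    return alo <= blo and bhi <= ahi


def review_rules(rules: List[Rule], as_of: date) -> List[Tuple[str, str]]:
    """Apply the review tips rule by rule; returns (rule_id, issue) pairs."""
    issues = []
    for i, r in enumerate(rules):
        if r.action == "permit" and r.src == "any" and r.dst == "any" and r.ports == "any":
            issues.append((r.rule_id, "permits any source to any destination on any service"))
        if not r.justification.strip():
            issues.append((r.rule_id, "no business justification recorded"))
        if r.expires and r.expires < as_of:
            issues.append((r.rule_id, f"temporary rule expired {r.expires.isoformat()}"))
        if r.hits == 0:
            issues.append((r.rule_id, "never matched: confirm still needed"))
        for earlier in rules[:i]:              # first shadowing rule is enough to report
            if covers(earlier, r):
                issues.append((r.rule_id, f"shadowed by {earlier.rule_id}"))
                break
    return issues


# Constructed rule base (not a real institution's), in top-down evaluation order.
SAMPLE_RULES = [
    Rule("R1", "permit", "tcp", "any", "10.20.0.5/32", "443", 50000, "public web front end"),
    Rule("R2", "permit", "tcp", "10.0.0.0/8", "10.20.0.5/32", "443", 0, "internal web"),
    Rule("R4", "permit", "tcp", "203.0.113.0/24", "10.20.0.9/32", "3389", 3,
         "vendor remote support", date(2016, 12, 31)),
    Rule("R6", "permit", "tcp", "10.0.0.0/8", "10.30.0.0/24", "22", 0, "admin ssh to lab"),
    Rule("R3", "permit", "any", "any", "any", "any", 999, ""),
    Rule("R5", "deny", "any", "any", "any", "any", 1234, "clean-up rule"),
]

if __name__ == "__main__":
    for rule_id, issue in review_rules(SAMPLE_RULES, date(2017, 3, 6)):
        print(f"{rule_id}: {issue}")
```

The most instructive finding in the sample is R5: the final "deny everything" clean-up rule is shadowed by the any-to-any permit R3 placed just above it, so the rule base is effectively "permit all by default" even though its last line says deny. The hit counters and expiry dates are what make the "used and reviewed for relevancy" tip testable rather than a matter of opinion.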
AUDIT STEPS: OPEN SHARES
ShareScan (https://www.mcafee.com/us/downloads/free-tools/index.aspx) identifies open shares on the internal network.
OPERATING SYSTEMS
ALI SUBHANI, CIA, CISA, GSNA
MARCH 2017
ACUA MID-YEAR

AGENDA
What is an O/S
OS Types
Function of an O/S
Audit Considerations for O/S

WHAT IS AN OPERATING SYSTEM?
An operating system is the program that, after being initially loaded into the computer by a boot program, manages all the other programs on the computer.
Middle man: in the middle of everything.
This is the interface between the user and the computing components like printers, disks and USB devices.

MYTH OR REALITY
All operating systems are not the same?

O/S TYPES

UNIX VS. WINDOWS?
Unix:
- Capability to only 'enable' functionality that is required
- Less frequent patching
- Enhanced security due to smaller attack vector
Windows:
- Functionality enabled by default is consistent; less flexible for 'turning off' functionality that is not required
- More frequent patching

O/S FUNCTIONS
Interactions between user & computer:
Doing stuff
Printing stuff
Saving stuff
Moving stuff around
Looking at stuff (Web)
Creating new stuff
Deleting stuff
Encrypting stuff
Handles the computer "internals":
Memory
Disk usage
Network usage
Processes
Enforce the security

WHAT DO I LOOK AT AS AN IT AUDITOR?
CONFIDENTIALITY: Where can I log in? What can I see? What can I do?
INTEGRITY: What can I change? What can I delete? Logging considerations.
AVAILABILITY: Maintaining hardware; patching; resource management.
ACTIVITY
Open up a command prompt:
1. Type ping google.com
2. What address did you send packets to?
3. How many packets did you send?

COMMON REVIEW AREAS
Verify "high" risk configuration settings (example: password control settings)
Verify services running have a legitimate business need
Verify that the latest OS maintenance (patches) is applied (or scheduled)
Verify that appropriate change management is being followed
Verify proper segregation of duties is being followed
Review who has elevated or administrative access
Review who has access to the data
Verify anti-virus / malware protection
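Two of the common review areas above, "high" risk configuration settings such as password controls and "services running have a legitimate business need", lend themselves to a script that compares a host's configuration with the audit's expectations. The following is an added example for this page, not the presenter's code: it parses constructed excerpts of a Unix `/etc/login.defs` and `/etc/ssh/sshd_config` (for sshd the first value of a keyword wins, as sshd_config(5) specifies), reports settings outside the expected range, and compares a constructed list of enabled services against an approved baseline. The expected values and the approved-service list are this example's own assumptions, not a published standard.

```python
import re
from typing import Dict, List, Tuple

# Constructed configuration excerpts (not taken from a real host).
SAMPLE_LOGIN_DEFS = """\
# /etc/login.defs (constructed)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
UMASK           022
"""

SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
"""

# Constructed output in the style of `systemctl list-unit-files --state=enabled`.
SAMPLE_ENABLED_SERVICES = """\
UNIT FILE                  STATE
sshd.service               enabled
chronyd.service            enabled
telnet.socket              enabled
vsftpd.service             enabled
postgresql.service         enabled
"""

# Audit expectations used here (assumptions for this example, not a published baseline).
LOGIN_DEFS_EXPECTED = {
    "PASS_MAX_DAYS": ("max", 90),
    "PASS_MIN_DAYS": ("min", 1),
    "PASS_MIN_LEN": ("min", 8),
    "UMASK": ("eq", "027"),
}
SSHD_EXPECTED = {
    "PermitRootLogin": ("eq", "no"),
    "PasswordAuthentication": ("eq", "no"),
    "PermitEmptyPasswords": ("eq", "no"),
}
APPROVED_SERVICES = {"sshd.service", "chronyd.service", "postgresql.service"}


def parse_kv(text: str, first_wins: bool = False) -> Dict[str, str]:
    """KEY VALUE or KEY=VALUE lines, comments stripped. Later lines override
    earlier ones unless first_wins is set (sshd uses the first value it reads)."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(\S+)[\s=]+(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if first_wins and key in cfg:
            continue
        cfg[key] = value
    return cfg


def check_settings(cfg: Dict[str, str], expected: Dict[str, Tuple[str, object]]) -> List[Tuple[str, str, str]]:
    """Return (key, actual, expectation) for every setting that misses its expectation."""
    failures = []
    for key, (op, want) in expected.items():
        have = cfg.get(key)
        if have is None:
            failures.append((key, "<missing>", f"expected {op} {want}"))
            continue
        ok = ((op == "max" and int(have) <= int(want)) or
              (op == "min" and int(have) >= int(want)) or
              (op == "eq" and have.lower() == str(want).lower()))
        if not ok:
            failures.append((key, have, f"expected {op} {want}"))
    return failures


def unapproved_services(listing: str, approved=APPROVED_SERVICES) -> List[str]:
    """Enabled units that are not on the approved baseline."""
    found = []
    for line in listing.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "enabled" and parts[0] not in approved:
            found.append(parts[0])
    return sorted(found)


if __name__ == "__main__":
    print(check_settings(parse_kv(SAMPLE_LOGIN_DEFS), LOGIN_DEFS_EXPECTED))
    print(check_settings(parse_kv(SAMPLE_SSHD_CONFIG, first_wins=True), SSHD_EXPECTED))
    print(unapproved_services(SAMPLE_ENABLED_SERVICES))
```

Each failure line is already in workpaper form (setting, observed value, expectation), and the unapproved-service list is the starting point for the "legitimate business need" conversation with the system owner.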
TERMINOLOGY / ACRONYM BINGO
Improving Your Data Analysis Program

Agenda
Introduction
Benefits and Challenges
Roadmap
Real World Examples

Introduction
Background
PeopleSoft
IDEA
Staffing: 7 departmental users; 2 designated champions

Data Analysis Definition
Data analytics is defined as the process of inspecting, cleaning, transforming, and modeling data with the goal of highlighting useful information, suggesting conclusions, and supporting decision making.
Source: Pune University, Vishwakarma Institute of Technology

Points of Contention
Benefits: more comprehensive assurance; efficiency; reporting
Challenges: time; training; data

Use of Analytics
SOURCE: PWC 2013 State of the Internal Audit Profession Study
(chart)

Use of Analytics
SOURCE: PWC 2013 State of the Internal Audit Profession Study
(chart labels: "Plan to expand use of data analytics but do not have a well developed plan"; "69%"; "Data analytics are used regularly")

Are we failing our stakeholders?
SOURCE: PWC 2015 State of the Internal Audit Profession Study

Roadmap
Vision; Structure; Data Pull Methodology; Talking to IT; Structured Query Language (SQL) Basics; Finding Data; Developing a Process; Ready to Start

Vision
Agree on what is most important
Formal discussion with CAE

Structure
Define a structure
Designated Analytics Champion within the department? OR each Project Manager expected to lead analytics?
Identify key contacts for each source system
Get access to the data dictionary if it exists

Data Pull Methodology
How are you going to pull data from source systems?
From within the application? From the database? Open Database Connectivity (ODBC)? Relying on the auditee to give you a file?
Data Pull: Application
Benefits: No additional licensing cost; auditors do not have to structure SQL themselves.
Challenges: Normally results are limited to a certain maximum number of records; can potentially 'burden' the application server; results dependent on access.

Data Pull: Database
Benefits: Free-form ability to structure SQL allows more flexibility; no limitation on the number of records that are pulled in.
Challenges: Additional licensing cost; initial buy-in from IT to get read-only access to databases; learning curve if unfamiliar with SQL.

Data Pull: ODBC
Benefits: Data imported directly into the data analytics tool; no query to create (easiest); no cost generally.
Challenges: Limited to tables that exist within the database; need to get IT to create custom views for each unique need.
Talking to IT
Schedule a discussion
Request read-only access
Production vs. test environment
Security of data

Roadmap
Vision; Structure; Data Pull Methodology; Talking to IT; Structured Query Language (SQL) Basics; Finding Data; Developing a Process; Ready to Start

What is SQL?
Structured Query Language: the language utilized for getting information from and updating a database.
Can get complex ……….. BUT 3-4 main sections normally suffice for our purposes.
SQL Basics
SQL statement section | Brief description
SELECT | Defines the fields that will be displayed within the results
FROM | Identifies the tables where the fields are stored within the database
WHERE | Specifies limiting criteria (if any)
GROUP BY | Groups information
ORDER BY | Used for sorting

Sample Query
SELECT A.EMPLID, A.DEPT, B.ADDRESS, B.ZIPCODE
FROM PS_Employee A, PS_BIO B
WHERE A.EMPLID = B.EMPLOYEE
  AND A.EMPLID = 123456789

Identify PeopleSoft Page with Data
(screenshot)
Finding Data: PeopleSoft
CTRL+SHIFT+J
(screenshot)

Finding Data: PeopleSoft
Query table PSPNLFIELD:
SELECT PNLNAME, LABEL_ID, LBLTEXT, RECNAME, FIELDNAME
FROM PSPNLFIELD
WHERE PNLNAME = 'JOB_DATA3'

Finding Data: PeopleSoft
Result: PeopleSoft page vs. database values (screenshot)

Finding Data: Banner
Go to the form with the information
Move the cursor to the field you are interested in
Help menu > Dynamic Help Query

Developing Data Analytics Process
Understand the business process
Understand how business process data is stored in the ERP
What 'interesting' questions can you answer with the data?
Pull data
Validate you have the right sources BEFORE beginning analysis
Engagement: Procure to Pay (three diagram slides)
Source: "Automating the Audit", PricewaterhouseCoopers, July 2010

How do I start?
"Quick wins" to gain confidence
Identify critical processes/areas for review
Rinse/wash/repeat

Purchasing Card Analysis
Starting approach: identify cardholders and their transactions; review monthly limits; determine the average expense amount.
Intermediate approach: identify possible split purchases; perform analysis on MCC codes; determine if the cardholder is an active employee.
Advanced approach: high risk activities (holiday travel, luxury purchases); keyword search; credit limit utilization; automation.
12
Keywords34
Keyword Script35
(@Isini(""Barney"", Merchant_Name )
@IsiniIt searches for the occurrence of a specified string or piece of text in a Character field, Date field, or string.
Syntax@Isini(String1, String2)
Keyword Script36
(@Isini(""Barney"", Merchant_Name) .OR. @Isini(""Bergdorf Goodman"", Merchant_Name ).OR. @Isini(""Dicks"", Merchant_Name ).OR. @Isini(""Dillards"", Merchant_Name ).OR. @Isini(""JCPenny"", Merchant_Name ).OR. @Isini(""Lord & Taylor"", Merchant_Name ).OR. @Isini(""Macy"", Merchant_Name ).OR. @Isini(""Neiman Marcus"", Merchant_Name ).OR. @Isini(""Nordstrom"", Merchant_Name ).OR. @Isini(""Saks Fifth"", Merchant_Name ).OR. @Isini(""Sears"", Merchant_Name ).OR. @Isini(""Von Maur"", Merchant_Name ))
Purchasing Card Tests Developed
• Consistent purchases at the same vendor by one cardholder
• Weekend purchases
• International purchases
• Dormant cards
• Purchasing trends
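The purchasing-card tests above (keyword search like the @Isini chain, weekend purchases, split purchases, dormant cards) as an added Python example; this is not the deck's own script, and the transactions, card list and the $2,000 single-transaction limit are constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample transactions (not real cardholder data).
TXNS = [
    {"card": "C1", "merchant": "Home Depot #221", "amount": 1800.00, "date": date(2017, 2, 6)},
    {"card": "C1", "merchant": "Home Depot #221", "amount": 1750.00, "date": date(2017, 2, 6)},
    {"card": "C2", "merchant": "NEIMAN MARCUS",   "amount": 640.00,  "date": date(2017, 2, 11)},
    {"card": "C3", "merchant": "Office Supply Co", "amount": 92.50,   "date": date(2016, 9, 1)},
]
CARDS = {"C1", "C2", "C3", "C4"}          # issued cards; C4 has no activity at all

# Same retailer keywords the IDEA script searches for.
KEYWORDS = ["Barney", "Bergdorf Goodman", "Dicks", "Dillards", "JCPenny", "Lord & Taylor",
            "Macy", "Neiman Marcus", "Nordstrom", "Saks Fifth", "Sears", "Von Maur"]

def keyword_hits(txns, keywords=KEYWORDS):
    """Case-insensitive substring match on merchant name, the same test @Isini performs.
    Substring matching over-flags (e.g. 'Dicks' also hits 'Dickson'), so hits are leads to review."""
    return [t for t in txns if any(k.lower() in t["merchant"].lower() for k in keywords)]

def weekend_purchases(txns):
    """Saturday/Sunday transactions (weekday() 5 and 6)."""
    return [t for t in txns if t["date"].weekday() >= 5]

def split_purchases(txns, single_limit):
    """Possible split purchase: same card, same merchant, same day, each transaction
    within the single-transaction limit but the combined total above it."""
    groups = defaultdict(list)
    for t in txns:
        groups[(t["card"], t["merchant"], t["date"])].append(t)
    return [g for g in groups.values()
            if len(g) > 1
            and all(t["amount"] <= single_limit for t in g)
            and sum(t["amount"] for t in g) > single_limit]

def dormant_cards(cards, txns, as_of, days=90):
    """Cards with no transaction in the last `days` days, including cards never used."""
    last_used = {}
    for t in txns:
        last_used[t["card"]] = max(last_used.get(t["card"], t["date"]), t["date"])
    return sorted(c for c in cards
                  if c not in last_used or as_of - last_used[c] > timedelta(days=days))

if __name__ == "__main__":
    print("keyword hits:", [t["merchant"] for t in keyword_hits(TXNS)])
    print("weekend:", [t["card"] for t in weekend_purchases(TXNS)])
    print("possible splits:", split_purchases(TXNS, 2000.00))
    print("dormant as of 2017-03-06:", dormant_cards(CARDS, TXNS, date(2017, 3, 6)))
```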
Live Demonstration
Example 2: Return to Title IV Audit
Audit Objective: To ensure that the institution was fully complying with R2TIV regulations.
Return of financial aid funds when a recipient ceases to be enrolled prior to the end of a payment period or period of enrollment.
Requirements
The Institution Must:
• Determine the date of the student’s withdrawal
• Calculate the percent of the period completed
• Determine the amount earned by applying the percent completed to the total of amounts disbursed and amounts that could have been disbursed
• Return unearned funds to Title IV programs, or pay the student a post-withdrawal disbursement
• Determine the Title IV overpayment, if any

Withdrawals
Withdrawal Date:
• Date the student began the formal withdrawal process or notified…
• Mid-point, if no notification
• Date of illness, accident, etc.
• Beginning of an approved LOA if the student does not return
• Last date at an academically-related activity

Calculation
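The calculation steps listed under Requirements, carried through as an added Python example (not the deck's or the student system's own code). The 60% point after which the full period's aid is earned, and the school's share being the lesser of the unearned aid and the unearned portion of institutional charges, are taken from 34 CFR 668.22 rather than from the slides; the dollar figures are constructed.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

def r2t4(days_completed, days_in_period, disbursed, could_have_disbursed, institutional_charges):
    """Return of Title IV funds for one student and payment period.

    days_completed / days_in_period: countable calendar days (the caller supplies them).
    Money arguments are Decimal dollars. Returns every intermediate an auditor would
    want to re-perform against the stored value (e.g. TOT_TIV_AID_RTRN in the SQL above,
    assuming that column holds the total aid to be returned)."""
    pct_completed = Decimal(days_completed) / Decimal(days_in_period)
    # Regulation (not on the slides): beyond the 60% point the student earned 100%.
    pct_earned = Decimal(1) if pct_completed > Decimal("0.6") else pct_completed
    total_aid = disbursed + could_have_disbursed
    earned = (pct_earned * total_aid).quantize(CENT, ROUND_HALF_UP)
    result = {"pct_earned": pct_earned, "earned": earned,
              "post_withdrawal_disbursement": Decimal("0.00"),
              "unearned_to_return": Decimal("0.00"),
              "school_returns": Decimal("0.00"), "student_portion": Decimal("0.00")}
    if earned > disbursed:
        # More was earned than paid out: the student is owed a post-withdrawal disbursement.
        result["post_withdrawal_disbursement"] = earned - disbursed
        return result
    # Less was earned than disbursed: the difference is unearned and must be returned.
    unearned = disbursed - earned
    unearned_charges = (institutional_charges * (1 - pct_earned)).quantize(CENT, ROUND_HALF_UP)
    school = min(unearned, unearned_charges)          # school's share per the regulation
    result["unearned_to_return"] = unearned
    result["school_returns"] = school
    # Whatever the school does not return is the starting point for the
    # student overpayment determination (further grant/loan rules apply).
    result["student_portion"] = unearned - school
    return result

if __name__ == "__main__":
    # Constructed case: 30 of 100 days completed, $4,000 disbursed, $1,000 more
    # could have been disbursed, $6,000 of institutional charges.
    print(r2t4(30, 100, Decimal("4000"), Decimal("1000"), Decimal("6000")))
```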
Student System Background

SQL
SELECT A.EMPLID, A.AID_YEAR, A.BGT_ITEM_CATEGORY, A.STRM, A.BUDGET_ITEM_AMOUNT,
       B.TOT_TIV_AID_RTRN, B.INST_CHRG_BOARD, B.INST_CHRG_OTHER, B.INST_CHRG_TUIT_FEE,
       B.RTRN_TIV_CAL_PCT
FROM PS_STDNT_BGT_AD_VW A, PS_STDNT_RTN_TIV B
WHERE A.EMPLID = B.EMPLID AND A.AID_YEAR = B.AID_YEAR AND A.STRM = B.STRM
Tests Performed
• Validated accuracy of the calculation
• Verified completeness of the calculations
• Timeliness of the calculation
• Timeliness of the returns
Value Added
• Highlighted the progress the department made in achieving compliance with regulations
• Institution able to return money to the respective programs without being penalized during a federal review
• Random sampling would not have been able to identify all potential students with compliance issues
Example 3: Executive Travel Background
Audit Objective: To ensure that travel expenses made by executives, or on behalf of executives, were in compliance with travel and entertainment policies and procedures.
Our Process:
• Corporate Travel Planners (CTP) bookings for flights, hotels, and car rentals
• Citibank Purchasing Card expenses
• Expense reimbursements issued after travel
Critical Data Elements: Source Data
Key Takeaways
• Talk to your CAE
• Designate Data Analytics Champion(s)
• Data Pull Methodology
• IT Access
THE CLOUD
• Level set on what is “Cloud”
• Understand why risks are different in the Cloud
• What can Internal Audit do?
• Understand how a Service Organization Control (SOC) report maps back to your organization’s specific risks
• Identify requirements that Internal Auditors should be engaging with cloud service providers on early in their organization’s procurement/design phase
Cloud Computing
Permission to use granted by CloudTweeks.com
IT Audit
Cloud Computing
IT CAPABILITIES PROVIDED BY THE CLOUD ARE CHARACTERIZED BY:
• Usually pay as you use; can be subscription
• Geographic independence
• Shared physical infrastructure not visible to the customer
• On-demand allocation of resources
• Provided over the internet
• Highly scalable

The National Institute of Standards and Technology (NIST) defines cloud computing as a model for enabling “…… convenient, on‐demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction”.
Service Models & Responsibilities
Service Model & Responsibilities
Deployment Models & Uses

Private Cloud
• Operated solely for an organization
• May be managed by the organization or a third party
• May exist on or off premise

Public Cloud
• Made available to the general public
• Owned by an organization selling cloud services

Hybrid Cloud
• A composition of two or more clouds (private, community or public) that remain unique entities, but are bound together by standardized or proprietary technology that enables data and application portability (e.g. cloud bursting for load balancing between clouds)
Service Levels

Unmanaged Cloud
• Managed by the organization
• Organization is responsible for the environment architecture, build, and ongoing operations
• May be public or private cloud

Managed Cloud
• Managed by a third party
• Assists with the environment architecture and build
• Manages ongoing operations such as configuration management and backups
• May be public or private cloud
Benefits to the Business
• Manage costs – utility model (pay as you go)
• Accelerated deployment
• Maximize performance
• Highly scalable
• Leverage external operational expertise
• Enables the university to focus on core competencies
Why Things are Different in the Cloud
How Cloud Threats are Different
Identify / Discover
• What are the “sanctioned services” at your organization? (Inventory)
Monitor and Response
SOC Reports
• Service Provider Control: “Backup software is used to schedule and perform backups on customer servers.”
• Customer Responsibilities:
  – Identify data to be backed up
  – Provide backup schedule and update as necessary
  – Ensure backup is rotated/sent off‐site if desired
SOC reports do not eliminate CUSTOMER RESPONSIBILITIES
Top Cloud Threats
• Data Breaches
• Data Loss
• Account Hijacking
• Insecure APIs
• Denial of Service
• Malicious Insiders
• Abuse of Cloud Computing
• Shared Technology Issues
• Insufficient Due Diligence
MYTH or REALITY
The CIO Controls IT
https://insight.utsa.edu/Account/Login.aspx
Next Evolution
• Internal Audit involvement in the procurement process
  – Validation of the business case
  – Right to Audit clause and/or SSAE 16
  – Impact of regulation on data security
  – Stability/viability of service providers
  – Contractual data protection responsibilities and related clauses
  – SLA (including security breach escalation protocol)
  – Ask for CSP transparency to provide near real‐time access that addresses auditing requirements
Next Evolution (per Carol)
• Need a third party to collect self‐reported data to look at all these vendors (i.e. 3Pass)
• Need a third party to do some non‐invasive ethical hacking research on these vendors, providing a dashboard that we can monitor (i.e. scorecard)
• Clearly defined:
  – Inventory
  – Data backups & locations
  – Recovery if the provider goes belly up
  – Incident handling processes and reporting
  – Data security admin processes
Additional Resources
• Cloud Security Alliance – Comprehensive Cloud Control Matrix (CCM) framework covering 16 domains
• Helps identify Service Provider responsibilities vs Customer responsibilities
• Maps to many common frameworks including:
  – COBIT 5.0
  – NIST SP800‐53 Rev 3 Appendix J
  – ISO/IEC 27001:2013
  – HIPAA
  – PCI DSS v3
BACK AT HOME
• Build your Audit Universe
• Risk Assessment
  – Do not forget – EMERGING RISKS
• IT Audit skills assessment
• Training needs
  – Outside
  – Self‐study
• Outside resources
  – Partnering with…… / on-the-job training
• FIRST AUDIT YOU WILL PERFORM?
MYTH or REALITY
You can learn IT Auditing in 2 ½ days?
MYTH or REALITY
SCORING
Who is the winner?
How Many Key Principles?