Information Technology Audit Process
Business Practices Seminar
Paul Toffenetti, CISA, Internal Audit
29 February 2008
Overview
• What is Internal Audit
• IT Audit Process
• Common IT Audit Observations
• So What Should We Do
• Questions
Authority and Policies
What is Internal Audit?
Internal auditing is an independent, objective assurance and advisory activity designed to add value and improve an organization’s operations.
Internal Audit helps organizations accomplish their objectives by evaluating business risk and controls and, where appropriate, offering recommendations to improve risk management and governance processes.
Audit Process
Planning
Testing
Reporting
Follow-up
Planning
• Annual Risk Assessment
• Preliminary Audit Plan
• Board of Visitors Approval
• Notification and Request for Information
• Understand Your Risks and Controls
• Opening Conference
Testing
• Security
• Backup & Recovery
• Resource Management
• Web Site
Security Testing: Remote Vulnerability Scans
Servers
Printers
Routers
Workstations
Laptops
If it’s on the network, we scan it!
Nmap & Nessus
Security Testing: On-Site, Follow-up Vulnerability Tests
Workstations, Laptops, Servers
We Test Computers That May Have Security Vulnerabilities!
WinAudit
MBSA
CIS Tools & Benchmarks
Backup & Recovery Testing
You Must Have Effective Controls to Backup & Recover “Critical Data”
Resource Management Testing
Computer Hardware & Software
Procurement through Surplus
Web Site Testing
• University Relations Web Guidelines & Procedures
• Web Development Best Practices
• Content Recommendations
• Templates
• Privacy Statement (Policy 7030)
• Web Server & Application Security
Reporting: Observations
When Unexpected Results are Noted
We Solicit Your Comments
Reporting: Recommendations
We May Recommend Opportunities
To Improve Your Controls
Reporting: Management Action Plans
You Develop Plans, Schedules, and Priorities
To Implement Solutions
Reporting
A Final Report is Sent to The Board of Visitors
Follow-Up
• Follow-Up Actions are Based on Your “Management Action Plan”
• Progress is Monitored
• Some Re-Testing May be Necessary
• Board of Visitors is Updated
• Audit is closed
Common Audit Observations
Weak Security Settings
Windows Operating System
Common Audit Observations
Missing Security Patches
Operating Systems
Applications
Databases
Common Audit Observations
Misconfigured Anti-Malware Tools
Out-of-Date Threat Signatures
Scans Not Scheduled
Common Audit Observations
Inadequate Access Controls
Weak Passwords & File Permissions
Common Audit Observations
Open Communication Ports
The Hacker’s Point of Entry
Common Audit Observations
“The System Administrator’s Dilemma”
How Much Risk is Senior Management Willing to Accept?
Security vs. Convenience
So What Should We Do?
• Harden Security Settings
• Keep Everything Patched
• Install and Use Anti-Malware Tools
• Enforce Strong Passwords
• Close or Filter Communication Ports
• Test Your Systems
• Support Your System Administrator!
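The deck's remote-scan slide ("if it's on the network we scan it", with Nmap) and the "Close or Filter Communication Ports" / "Test Your Systems" steps above describe the same control loop: scan, compare what is exposed with what each system is supposed to expose, and write up the difference as an observation. The following Python script is an added example (it is not part of the seminar or of Internal Audit's own tooling) showing that comparison over Nmap's grepable (-oG) output. The scan text, host addresses, host roles and the approved-port baseline are all constructed for the example; a real run would read the .gnmap file the scan produced and take roles from the asset inventory.

```python
"""Compare open ports from an Nmap -oG scan with a per-role approved-services baseline.

Added example: the baseline, host roles and scan output below are constructed,
not taken from the seminar. Nmap's grepable format is one line per host with
tab-separated fields; the "Ports:" field lists
port/state/proto/owner/service/rpc/version/ entries separated by ", ".
"""
import re
from collections import defaultdict

# Constructed baseline: (port, proto) pairs each host role is expected to expose.
APPROVED = {
    "web": {(80, "tcp"), (443, "tcp"), (22, "tcp")},
    "printer": {(9100, "tcp"), (631, "tcp")},
    "workstation": set(),  # a workstation should offer no network services
}

# Constructed mapping from scanned address to role (in practice: the asset inventory).
HOST_ROLES = {"192.0.2.10": "web", "192.0.2.20": "printer", "192.0.2.30": "workstation"}

# Constructed sample of nmap -oG output for three hosts (192.0.2.0/24 is a documentation range).
SAMPLE_GNMAP = """\
# Nmap 4.50 scan initiated Fri Feb 29 2008 as: nmap -sV -oG scan.gnmap 192.0.2.0/28
Host: 192.0.2.10 (www.example.edu)\tStatus: Up
Host: 192.0.2.10 (www.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 4.7/, 80/open/tcp//http//Apache httpd/, 3306/open/tcp//mysql//MySQL 5.0/\tIgnored State: closed (997)
Host: 192.0.2.20 (print1.example.edu)\tPorts: 23/open/tcp//telnet///, 9100/open/tcp//jetdirect///, 161/open/udp//snmp///\tIgnored State: closed (100)
Host: 192.0.2.30 (ws-lab-07.example.edu)\tPorts: 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (997)
# Nmap done at Fri Feb 29 2008 -- 3 IP addresses (3 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: [(port, proto, service), ...]} for every port in state 'open'."""
    open_ports = defaultdict(list)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # '#' comment lines and anything else
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # e.g. the 'Status: Up' line has no port data
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
                if state == "open":  # filtered/closed ports are not exposure
                    open_ports[ip].append((port, proto, service))
    return dict(open_ports)


def audit_ports(open_ports, roles, approved):
    """Return {ip: [observation, ...]}; an empty list means the host matches its baseline."""
    observations = {}
    for ip, ports in open_ports.items():
        role = roles.get(ip)
        if role is None:
            # An unknown host is itself a resource-management finding: nothing on the
            # network should be missing from the inventory.
            observations[ip] = ["host not in asset inventory; all open ports unexplained"]
            continue
        observations[ip] = [
            f"{port}/{proto} ({service or 'unknown'}) open but not approved for role '{role}'"
            for port, proto, service in ports
            if (port, proto) not in approved[role]
        ]
    return observations


if __name__ == "__main__":
    findings = audit_ports(parse_gnmap(SAMPLE_GNMAP), HOST_ROLES, APPROVED)
    for ip, notes in sorted(findings.items()):
        print(ip, "matches baseline" if not notes else "")
        for note in notes:
            print("   -", note)
```

Run against the constructed scan, the web server is flagged for its database listener, the printer for telnet and SNMP, and the lab workstation for its Windows RPC/SMB ports; the filtered NetBIOS port is ignored because only ports in state open count as exposure. The point of the baseline is the dilemma slide above made concrete: each approved entry is a service senior management has accepted the risk of exposing, and anything outside it becomes an observation for the management action plan.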
Questions
“Success Redefined”