Presented by: Brandon McAndrew Jordan Schafer Keith Edwards IT Audit Automation.
Presented by:
Brandon McAndrew
Jordan Schafer
Keith Edwards
IT Audit Automation
IT Audit Automation
• Overview of scripting languages
• Demonstrations
Script Language
• A type of programming language
• Interprets and automates the execution of tasks
Examples
1. Bash – UNIX or UNIX-like operating systems
2. Visual Basic – Microsoft Office Applications
3. ACLScript – Audit Command Language (ACL) Analytics
When to use scripts?
1. If repetitive tasks need to be completed
2. If a large number of sample items need to be reviewed
3. If similar reviews will be conducted in the future
Items to consider before writing a script
1. What do you need the script to do?
2. What criteria will be used for tests?
3. How will source data be obtained?
You don’t always need a formal programming background to write and use scripts!
Web searches and help files are a great starting place.
Demonstration
When not to use scripts?
1. When source data will be provided in an inconsistent format
2. When there is no positive cost benefit
3. When resource limitations become a barrier
Risks when using scripts
1. Errors in scripting logic producing improper results
2. Could prompt auditors to jump to faulty conclusions
3. Costs could exceed benefits
Questions And Answers
(3 Minutes)
Illustration: Oracle
Summary - Oracle Illustration
1. Obtain an understanding
2. Establish criteria
3. Identify tables
4. Request files
5. Design import script
6. Design testing script
7. Design export script
8. Design master script
Handout – “Oracle Example Script”
Obtain An Understanding
• Identify the database and version
• V$Version
Obtain Criteria
• CIS benchmarks
• Policies and procedures
• Determine the most restrictive
Identifying Tables
• DBA_Users
• DBA_Profiles
• DBA_Parameters
• DBA_RolePrivs
• DBA_TabPrivs
• DBA_SysPrivs
Data Gathering
• Request files
• Easiest format
Designing Scripts Step 1 - Formatting
• Perform manually
• Import scripts
• Comments
• Perform reconciliations
Designing Scripts Step 2 - Testing
• Add comments
• Define the fields
• Use established criteria to create tests
• Direct tests
• Indirect tests
• Other information (Criteria reference)
Defining Fields
Direct Tests
Input “Not In Compliance” in the virtual field V_COMPLIANCE if “Failed Login Attempts” is greater than 5 or set to “Unlimited” and is not “DEFAULT.”
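The direct test above, applied to an exported profile listing. This is an added example, not the presenters' ACL script: it assumes a CSV export with the `PROFILE`, `RESOURCE_NAME` and `LIMIT` columns of Oracle's `DBA_PROFILES` view, and the "In Compliance", "Inherits DEFAULT" and "Manual Review" labels are assumptions added so that every row gets an explicit outcome.

```python
import csv
import io

MAX_FAILED_LOGINS = 5  # criterion from the slide; kept variable so it is easy to change

# Constructed sample of a DBA_PROFILES export (not real audit data).
SAMPLE_EXPORT = """PROFILE,RESOURCE_NAME,LIMIT
DEFAULT,FAILED_LOGIN_ATTEMPTS,10
APP_USERS,FAILED_LOGIN_ATTEMPTS,3
BATCH,FAILED_LOGIN_ATTEMPTS,UNLIMITED
REPORTING,FAILED_LOGIN_ATTEMPTS,DEFAULT
LEGACY,FAILED_LOGIN_ATTEMPTS, unlimited
BROKEN,FAILED_LOGIN_ATTEMPTS,n/a
APP_USERS,PASSWORD_LIFE_TIME,90
"""


def v_compliance(limit):
    """Return the V_COMPLIANCE value for one FAILED_LOGIN_ATTEMPTS limit."""
    value = limit.strip().upper()  # exports vary in case and padding
    if value == "DEFAULT":
        # Not flagged by the direct test: the limit is inherited from the
        # DEFAULT profile, whose own row is tested separately.
        return "Inherits DEFAULT"
    if value == "UNLIMITED":
        return "Not In Compliance"
    if value.isdecimal():
        if int(value) > MAX_FAILED_LOGINS:
            return "Not In Compliance"
        return "In Compliance"
    # Unparseable data must never pass silently; send it to manual follow-up.
    return "Manual Review"


def run_direct_test(export_text):
    """Apply the direct test to every FAILED_LOGIN_ATTEMPTS row of the export."""
    results = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["RESOURCE_NAME"].strip().upper() != "FAILED_LOGIN_ATTEMPTS":
            continue  # other profile resources are outside this test
        results[row["PROFILE"].strip()] = v_compliance(row["LIMIT"])
    return results


if __name__ == "__main__":
    for profile, status in run_direct_test(SAMPLE_EXPORT).items():
        print(f"{profile:<10} {status}")
```
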
Indirect Tests / Other Information
Step 3 - Output & Overview
• Export script
• Perform manually
• Follow up on all items
Master Script
• Create 1 script that controls all other scripts
• Identifies which scripts are run
• Sets overall variables
• Identifies outputs
Questions And Answers
(3 Minutes)
Statewide UNIX Security Controls
Illustration
Summary – UNIX Illustration
• Selecting audit criteria and defining tests
• Visual Basic
• Writing a data gathering script
• Solaris operating system
• Automating testing in ACL
• Importing criteria and source files
Background
• UNIX is a multiuser and multitasking operating system
• Various open source and commercial variations
• Automation for data gathering and data analytics
Audit Criteria & Defining Tests
• Selecting audit criteria
• Defining the tests applicable to the operating system
• Separate criteria and tests per operating system
• Making audit criteria variable
• Simple and efficient changes
• Visual Basic
Demonstration
Data Gathering
• Selecting a script language
• Using audit criteria
• Other sources of information
• Testing commands and reviewing results
Demonstration
Data Gathering – Continued
• Commenting and formatting your scripts
• Determine the need for multiple scripts
• Thoroughly test the final scripts
• Ensure auditee cooperation
• Request auditee review the script
• Make scripts simple or complex
• Ensure uniformity
• Allow for efficient adjustments
Demonstration
Data Analysis – ACL
• Importing data
• Audit criteria (Visual Basic)
• Data gathering results (source files from server)
• Creating control scripts
• Dialog boxes for users of the scripts
• Allow the user to determine tests run and outputs generated
• Using variables and adding pertinent information
Demonstration
Testing & Results - ACL
• Testing Scripts
• Base script logic on audit criteria
• Thoroughly test
• Results
• Export necessary information
• Manually review results and make conclusions
• Perform normal testing procedures with script outputs
Demonstration
Concluding Thoughts
• Putting it all together
• Lessons learned
• Impact on IT audits
fin.
Contact Information
• Brandon McAndrew – [email protected]
• Jordan Schafer – [email protected]
• Keith Edwards – [email protected]