Auditing Framework
Transcript Auditing Framework
Part 2 - An IT Auditing Framework
Why does how our systems work matter?
Why does how we manage our systems matter?
How can systems harm a unit's ability to accomplish its goals?
What are you hoping to obtain from these courses?
Foundations of System Controls
System Control's Foundation Blocks
Data Security Database
IT Dependent Manual Controls
Physical Security
Data Security Operating System
Application Security
Network Security
Job Scheduling and Management
Change Management
Application Controls (Automated)
Proposed Foundation Strategy
IT Dependent Manual Controls
Application Security
Application Controls (Automated)
Job Scheduling and Management
Change Management
Data Security Operating System
Data Security Database
Network Security
Physical Security
System Control Pyramid
Top of the pyramid: IT Dependent Manual Controls | Application Controls (Automated)
Supporting layers (IT General Controls):
Application Security
Job Scheduling and Management
Change Management
Data Security Operating System
Data Security Database
Network Security
Physical Security
High Level Control Framework
IT General Control Definition
IT General Controls (ITGCs) - Provide assurance that IT-Dependent and Application Controls can be relied upon
Include controls over the IT environment, computer operations, access to applications and data (security), and program changes
Strong ITGC - Prevention and Detection Controls
Prevention controls stop inappropriate items from occurring
New user approval process
Strong password controls
Access termination process
Detection controls identify inappropriate items that can then be corrected
Periodic Access Review
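As an added illustration (not part of the course material), the following Python script performs the periodic access review named above as a detection control: it compares an application's enabled accounts against an HR roster and the approval register that the new-user approval and access termination processes should maintain, and flags the items those prevention controls should have stopped. All account names, roles and data structures are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data standing in for an HR roster, the register kept by
# the new-user approval process, and the application's own account list.
HR_ROSTER = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},
    "carol": {"status": "active"},
}
APPROVED_ACCESS = {("alice", "gl_post"), ("carol", "gl_view"), ("bob", "gl_post")}
APP_ACCOUNTS = [
    {"user": "alice", "role": "gl_post", "enabled": True},  # clean
    {"user": "bob", "role": "gl_post", "enabled": True},    # termination process failed
    {"user": "carol", "role": "gl_post", "enabled": True},  # role never approved
    {"user": "dave", "role": "gl_view", "enabled": True},   # unknown to HR, unapproved
    {"user": "erin", "role": "gl_view", "enabled": False},  # disabled, grants nothing
]


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    issue: str


def access_review(accounts, roster, approved):
    """Detection control: compare what the application actually grants with
    what the approval and termination prevention controls should have allowed.
    Returns one Finding per inappropriate item so it can be corrected."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # a disabled account grants no access; out of scope
        user, role = acct["user"], acct["role"]
        person = roster.get(user)
        if person is None:
            findings.append(Finding(user, role, "account has no HR record"))
        elif person["status"] == "terminated":
            findings.append(Finding(user, role, "terminated user still enabled"))
        if (user, role) not in approved:
            findings.append(Finding(user, role, "role has no approval record"))
    return findings


if __name__ == "__main__":
    for f in access_review(APP_ACCOUNTS, HR_ROSTER, APPROVED_ACCESS):
        print(f"{f.user:8} {f.role:8} {f.issue}")
```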
Strong ITGC Determination
Not all textbook controls must be designed and operating effectively to address significant risks and provide a strong ITGC environment
Business Process Controls
Automated (Application) Controls
IT Dependent Manual Controls
(Purely) Manual Control
ITGC Controls and the Application's House
Sufficient Controls must act in concert
Consider securing an application like a house
ITGC Controls and the Application's House
How does a front door protect your house?
What are the Key Components?
ITGC Controls and the Application's House
How (My) Front Door Failed
Burglar smashed the window on the door and accessed the dead bolt lever
Subsequently battered the door handle lock until the frame caved in
How (Application's) Front Door Could Fail
Internal hacker exploits a vulnerability in the Operating System
Vulnerability used to disable application controls
Hacker later uses a "brute force" attack to gain access via the network and embezzle from the University
Compensating Control Detection
For my house's - A camera
For a server - Intrusion monitor that monitors OS activity
Where Should an Audit Start
Where do you believe an audit should start?
What initial items should be confirmed?
IT in the Control Universe
Summary
Strong ITGCs provide assurance that effective system related controls may be relied upon
ITGCs build upon each other
Not all textbook controls are always required
ITGCs include both Preventative and Detective controls
System related controls include application (automated) and IT-dependent (system supported) controls
(Purely) Manual Controls do not require system review
Future discussion items
1. Evaluating Code Change Management Processes
2. Evaluating Disaster Recovery Preparations
3. Evaluating Server Configurations/Security
4. Evaluating Network Concerns and Intrusion Risks
5. Evaluating Workstation Management
6. Evaluating Application Design, Controls, and Integration with the Business Processes
7. Evaluating IT strategies - Strategic vs. Tactical issues
8. Strategies used to build the overall IT audit plan for the department
9. Looking at IT governance frameworks - COBIT