Audit Considerations of Outsourcing


Session 10 - Management Considerations of Outsourcing
• Risk and accountability are not outsourced
with services
• In most cases, risk increases as the
organization receiving service has less
direct control
EECS4482 2015
Management Considerations of Outsourcing
• Control risk will further increase if the service
provider in turn outsources
• Many controls are impractical to duplicate or
compensate for with in-house procedures
20 Questions
• Has management clearly defined its
operational, technical and financial
objectives?
• Has management considered how the
organization will be affected by the loss of
skills or intellectual capital?
20 Questions
• Does management monitor the service
provider’s expertise, size, financial health,
culture, operational capability and
experience?
• Does the user organization have the core
competency, capacity, tools and policies to
evaluate and manage the quality of service?
20 Questions
• Is management confident in the
effectiveness of the service provider’s
internal controls?
• Is management satisfied with effective risk
mitigation mechanisms related to
information protection, business continuity,
change control and regulatory compliance?
20 Questions
• If the outsourced services are provided by a
supplier that is located in or subject to foreign law,
has management mitigated the risks related to the
economic, cultural and political backdrop, the
technical sophistication, and the legal profile of
the foreign jurisdiction?
• The U.S. Patriot Act requires U.S. companies to
turn over information to the U.S. Government upon a
legal request.
20 Questions
• Are actual and attempted security
violations, operations problems and control
breakdowns promptly recorded and reported
by the service provider?
• Does the service provider maintain adequate
business continuity and disaster recovery
plans?
20 Questions
• Do contingency plans exist that can be
activated when the service provider fails to
continue providing service?
• Does the contract describe the significant
terms of arrangement including the level of
service to be provided and legal
obligations?
20 Questions
• Are the roles and responsibilities defined and
understood by both parties?
• Does the organization have rights to audit?
• Can management impose control requirements in
the event the service provider offers services to a
competitor, changes key personnel, or engages
third parties to help deliver the services?
20 Questions
• Do effective accountabilities and processes
exist to monitor and manage the
relationship with the service provider?
• Has management considered the issues and
disputes that remain unresolved with the
service provider and the impediments to
their resolution?
20 Questions
• Are objective and reliable performance
measures defined?
• Has the service provider been able to
consistently meet expectations?
20 Questions
• Is management able to respond to situations
where the service provider fails to meet
service delivery expectations?
• Does management ensure the correctness of
billings under the agreement?
Conclusion
• Information systems auditing is increasingly
important in light of Sarbanes-Oxley and
the Investor’s Confidence Rule.
• Outsourcing is on the rise and it increases
the audit risk.
OUTSOURCING OPTIONS
• Big selling point for offshore outsourcing:
“inexpensive good work”
OFFSHORE OUTSOURCING
• Three categories of outsourcing countries: leaders, up-and-comers,
rookies
The Leaders
• Canada
• India
• Ireland
• Israel
• Philippines
The Up-and-Comers
• Brazil
• China
• Malaysia
• Mexico
• Russia
• South Africa
Operating System
• A big program written in low level language
that bridges applications, database
management systems and the central
processing unit.
• It directly controls the allocation of
hardware resources like memory.
• Common commercial OS include Windows,
variants of Unix, OS X for MacBook and
z/OS for IBM mainframes.
OS Configuration
• Controlled by a system administrator. A
system administrator has full control of a
computer and must therefore be closely
monitored by management (think of
Snowden).
• Organizations should have a standard
blueprint for each OS to ensure consistency.
OS Configuration
• The standard blueprint should minimize the
enabling of ports and services.
• A port is like a common mail gateway to
facilitate standardized transmission of
Internet or intranet data, e.g., port 80 for
browsing.
• A service is a utility program of an OS that
supports common applications.
System Administrator Control
• Careful screening before hiring, e.g.,
criminal record check, psychology test.
• Rotation of duties among servers.
• Segregation of duties, e.g., an SA must not
also be a DBA.
• Use vendor supplied tools to generate
reports on SA activities for frequent
management review.
User Control
• General users should not be given root
access to the operating system.
• General users should not be given
administrative privilege to their computers
so that they cannot change OS setting and
cannot install programs.
• This helps to prevent virus spreading,
copyright infringement and hacking.
Patching
• Computers should be set to check for
patches and download them automatically.
For example, my home computer is set to
check Microsoft for patches every time it is
shut down. If a patch is available, it will be
installed before the shut down.
Patching
• Organizations should procure patching tools
to check for updates from OS vendors, test
the updates and then automatically
distribute the updates to servers,
workstations and laptops.
• Patching should also apply to organization
owned smart phones.
• Devices should be checked by the
organization network for up to date patches.
Patching
• A patch is a fix from an operating system
vendor to cover a security hole used by
hackers.
• A security hole is also called a
vulnerability. It is made up of a service, a
port, a combination thereof, or the way some
services can be combined to achieve
successful hacking.
Access Control
• Access control lists (ACL) can be set up in
an OS to restrict access by applications and
by those users who have direct access to an OS.
• An ACL will define the subject
(application), object (data and OS services
etc.) and the type of access (read, write,
delete).
• Most business users don’t need direct
access to the OS.
Operating System Access Controls
Differences between operating systems in
terms of access controls mainly have to do
with authentication, authorization and
logging.
Browser Security
• Ordinary users without local
administration privilege can change
browser security and privacy settings. This
means more monitoring and education are
required.
• The web usage policy should indicate
what options should not be turned on.
Modern OS Security Features
• Anti-virus software, firewall and full hard
drive encryption now come standard with
commercial PC operating systems.
Windows Action Center
• It allows the user to schedule Windows
updates so that updates will be downloaded
and implemented automatically.
Organizations usually disable this function
and instead, let the domain controller
(server) oversee this function.
Windows Action Center
• Locking down users to prevent them from
installing programs.
• Defining user access rights as guest, folder owner,
administrator (full access), and
specific user (requiring logon account).
• Defining access control lists for folders and files.
Windows Action Center
• Data Execution Prevention feature that helps
prevent buffer overflow exploits by marking certain
memory pages intended for data as non-executable.
This feature is turned on by default in Windows XP
and later versions of Windows.
• Protected Media Path to protect digital rights
management by denying access to
rights-managed material by unauthorized
applications. This prevents the copying of
programs that can only be executed.
Active Directory
This hierarchical access authentication and authorization
structure has replaced the function of the primary domain
controllers and backup domain controllers in
authentication and authorization. It has the following
features:
• Central location for network administration and security
• Information security and single sign-on for user access to
networked resources
• The ability to scale up or down easily
• Standardizing access to application data
• Synchronization of directory updates across servers
Password Salting
• Most operating systems add a bit string to
the raw password before hashing to make it
difficult to crack.
• Unix uses a 12 bit random salt each time a
password is created or changed.
• Windows salts passwords only for offline
access to compensate for the lack of Active
Directory authentication.
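To make the salting point concrete, here is an added illustration (not part of the lecture slides) of why hashing the raw password alone is weak and what a salt changes. It assumes PBKDF2-HMAC-SHA256 with a 16-byte random salt as the construction; the lecture itself does not specify one, and the iteration count is an arbitrary example value.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Example parameters (assumed for this illustration, not taken from the lecture):
# PBKDF2-HMAC-SHA256 with a 16-byte random salt and a fixed iteration count.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> bytes:
    """Hash of the raw password alone: two users with the same password
    get the same digest, so one precomputed table cracks both."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salt-then-hash. Returns (salt, digest); the salt is stored next to the
    digest, since it must be available again to verify a login."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def demo() -> dict:
    """Constructed sample: two users who happen to choose the same password."""
    pw = "Winter2015!"
    alice_salt, alice_digest = hash_password(pw)
    bob_salt, bob_digest = hash_password(pw)
    return {
        "unsalted_digests_equal": unsalted_hash(pw) == unsalted_hash(pw),
        "salted_digests_equal": alice_digest == bob_digest,
        "salts_equal": alice_salt == bob_salt,
        "alice_login_ok": verify_password(pw, alice_salt, alice_digest),
        "alice_wrong_case_ok": verify_password("winter2015!", alice_salt, alice_digest),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```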
File Permissions on Critical Files
• Unix controls access to files, programs, and all
other resources via file permissions.
• Unix permissions are controlled by three
categories: Owner, Group, and World
• Each category has the ability to either READ,
WRITE, and/or EXECUTE Unix files or resources
• e.g., -rwxr-x--x
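As an added worked example (not from the slides), the following parses an ls-style mode string such as the slide's -rwxr-x--x into the three categories, renders it in octal, answers "can World write this?" style questions, and raises the findings an auditor would flag on a critical file. It also handles the setuid/setgid/sticky markers, which the slide does not mention.

```python
from typing import Dict, List, Set

CATEGORIES = ("owner", "group", "world")
WEIGHTS = {"r": 4, "w": 2, "x": 1}


def parse_mode(mode: str) -> Dict[str, Set[str]]:
    """Split a 10-character ls-style mode such as '-rwxr-x--x' into the
    permission sets for owner, group and world. The first character is the
    file type and is ignored. Setuid/setgid/sticky markers are reduced to the
    execute bit: lowercase 's'/'t' means execute is on, uppercase means off."""
    if len(mode) != 10:
        raise ValueError(f"expected a 10-character mode string, got {mode!r}")
    perms: Dict[str, Set[str]] = {}
    for idx, who in enumerate(CATEGORIES):
        triple = mode[1 + 3 * idx : 4 + 3 * idx]
        granted = set()
        if triple[0] == "r":
            granted.add("r")
        if triple[1] == "w":
            granted.add("w")
        if triple[2] in ("x", "s", "t"):
            granted.add("x")
        perms[who] = granted
    return perms


def to_octal(mode: str) -> str:
    """The usual three octal digits: '-rwxr-x--x' is 751."""
    perms = parse_mode(mode)
    return "".join(str(sum(WEIGHTS[p] for p in perms[who])) for who in CATEGORIES)


def permitted(mode: str, who: str, op: str) -> bool:
    """Does this category (owner/group/world) hold this operation (r/w/x)?"""
    if who not in CATEGORIES or op not in WEIGHTS:
        raise ValueError("who must be owner/group/world and op must be r/w/x")
    return op in parse_mode(mode)[who]


def audit_critical_file(mode: str) -> List[str]:
    """Findings an auditor would raise for a critical file with this mode."""
    findings = []
    if permitted(mode, "world", "w"):
        findings.append("world-writable")
    if permitted(mode, "group", "w"):
        findings.append("group-writable")
    if permitted(mode, "world", "r"):
        findings.append("world-readable")
    return findings
```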
Syslog
• The syslog utility allows systems
administrators to log various events
occurring on the Unix system.
• If Syslog is configured correctly, Unix can
log many security events without the use of
a third party plug-in.
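The slide says a correctly configured syslog captures security events without third-party tools; this added example (not from the lecture) shows the other half of that, turning raw syslog lines into a management-level report. The log lines are constructed for the example and the event patterns assume the traditional BSD syslog layout with OpenSSH-style sshd and sudo messages.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Traditional BSD syslog layout: "Mon dd hh:mm:ss host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")

# Constructed sample lines (not a real system; 192.0.2.0/24 is the documentation range).
SAMPLE_LOG = """\
Mar  3 10:15:01 web01 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Mar  3 10:15:03 web01 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51123 ssh2
Mar  3 10:15:05 web01 sshd[2203]: Failed password for root from 192.0.2.10 port 51124 ssh2
Mar  3 10:15:09 web01 sshd[2207]: Accepted publickey for deploy from 192.0.2.22 port 40021 ssh2
Mar  3 10:16:40 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar  3 10:17:00 web01 cron[411]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into its fields, or None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def failed_logins_by_source(log: str) -> Counter:
    """Count sshd 'Failed password' events per source address."""
    counts: Counter = Counter()
    for rec in filter(None, map(parse_line, log.splitlines())):
        f = FAILED_RE.search(rec["msg"]) if rec["prog"] == "sshd" else None
        if f:
            counts[f.group("src")] += 1
    return counts


def sudo_commands(log: str) -> List[Tuple[str, str]]:
    """Every (user, command) pair that sudo logged."""
    pairs = []
    for rec in filter(None, map(parse_line, log.splitlines())):
        s = SUDO_RE.search(rec["msg"]) if rec["prog"] == "sudo" else None
        if s:
            pairs.append((s.group("user"), s.group("cmd")))
    return pairs


def alerts(log: str, threshold: int = 3) -> List[str]:
    """Items for a management report: repeated failed logins and privileged commands."""
    out = [f"{src}: {n} failed SSH logins" for src, n in failed_logins_by_source(log).items() if n >= threshold]
    out += [f"sudo by {user}: {cmd}" for user, cmd in sudo_commands(log)]
    return out
```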
Mainframe Operating System
z/OS has weaker security than Windows and
Unix because its predecessors, Multiple
Virtual Storage and Virtual Memory, were
developed well before the Internet and not
designed to mitigate the risk of hacking.
RACF should be installed to provide
commercial grade security for Z series
servers.
Resource Access Control Facility
(RACF)
• RACF provides user authentication, resource
access control, security logging and audit
reporting. It is much more granular than operating
system security. For example, it makes available
254 security levels (labels) that can be assigned to
each resource object. A label indicates the users or
objects that can access a resource and how. A
resource object may be a data table (file), a
program, a workstation, an ATM or another
network device. The type of access may be read,
write, delete.
RACF
• Each user has a profile that controls that
user in terms of access allowed and binds
the user to security policies like password
change frequency, password length. A user
may also be restricted by day of week and
time of day.
• An administrator has full access. An
“auditor” in RACF has full read access,
including generating reports on access.
Conclusion
• PC and PC based server security continues to be improved by their vendors.
• Recently made available features include full hard disk encryption, application
firewall and integrated malicious software features including anti-virus.
• In security, the weakest link is people, including people’s commitment to
defining strong policies and complying with policies.
• Organizations should have tight operating system images for desktops and
servers across the enterprise to comply with their policies.
• User access rights should be limited to their job functions and users should not
be given administrator privilege to their desktops and laptops. System
administrators should be controlled with thorough reference check, criminal
record check before hiring and periodically thereafter, rotation of duties among
servers, limiting the servers they support, limiting their other duties and
regular management review of the system logs using software products to turn
system logs into meaningful management reports.