- 1. IT Security Audit of Information Systems M. Imran Ameerally
Project Manager IT Security Unit Ministry of Information
andCommunication Technology 22 April 2010
2. Agenda
- Types of Audits Conducted
- Overview of Audit Findings
3. About IT Security Unit (I)
-
- Toimplement Government policies with regar dsto IT
Security
-
- To assist Ministries/Departments in the implementation of
security standards
-
- To disseminate information on IT security
-
- To carry out security audits
4. About IT Security Unit (II)
- Strategic Activity Areas for IT Security Unit :
-
- ISO Information Security Standards
-
- IT Security Audits of Government Systems
-
- Security Awareness and Promotion
-
- Develop Security Policies and Guidelines
-
- Advisory Service to Ministries and Departments on IT
Security
5. Types of Audits Conducted (I)
- ISO/IEC 27001 Internal audits
-
- Part of certification process
- Information Security Assessments
-
- Complete or Partial to know security posture of the
organisation
- Outsourced Security Audits
6. Types of Audits Conducted (II)
-
- Target : Ministries and Departments with IT Infrastructure
ofbasic to medium complexity
-
- Scope : Key components of the IT infrastructure
-
-
- Servers and Network devices
-
-
- Representative sample of PCs in use at the organisation
7. Types of Audits Conducted (III)
-
-
- Conducted by IT Security Unit staff
-
-
- Use of an Industry standard Vulnerability Assessment
Toolset
-
-
- Report on vulnerabilities identified and recommendations
-
-
- Recommendations implemented byMinistries/Departments
8. Types of Audits Conducted (IV)
-
- Target :Highly complex and criticalInformation Systemsof the
Government
-
- Auditsundertaken by consultants following a tendering
exercise
-
- IT Security Unit manages the project
-
- Post Audit Implementation Committeeset up with various
stakeholders to implement audit recommendations
9. Companies Division Audit
- Outsourced Audit conducted by external consultants inDecember
2008
-
- Includeall componentsof the Information System: application
software, middleware, database, operating system, hardware and
network infrastructure
-
- All interfacesto/from remote applications
10. Audit Tasks (I)
-
- Identify vulnerabilities of the information system and rate
them in terms of risk level (e.g. High, Medium and Low)
-
- Perform checks regarding:
-
-
- Adequacy of logical security controls to protect data from
unauthorised access
-
-
- Effectiveness of all interfaces with remote applications
11. Audit Tasks (II)
-
-
- Adequacy of input, processing, and output controls to ensure
data integrity
-
-
- Adequacy of physical access controls for the Information
System
-
-
- Determine areas that may be susceptible to fraud and assess the
adequacy of related controls
-
-
- Assess the availability and performance of the Information
System and the mechanism used for their monitoring
12. Audit Tasks (III)
-
-
- Assessment of all applicable domains/control as listed in
ISO/IEC 27001
-
- Propose measures to address each vulnerability identified
together with the implementation timeframe and related cost
estimates through a risk mitigation strategy
-
-
- Technical or operational measures
13. Audit Tasks (IV)
-
- Elaborate a Security Policy for the Information System which
includes ISO/IEC 27001 controls
-
- Elaborate an IT Contingency Plan (ITCP) for the Information
System
14. Audit Tasks (V)
-
- Provide a transfer of knowledge gained from the IT Security
Audit to selected staff
-
- Allow technical IT staff to be fully acquainted with the tools
used for the audit and the methodology applied
-
- A standard small-scale sample application utilized with
hands-on usage of auditing tools and techniques followed by
analysis and interpretation of the results
15. Audit Deliverables (I)
- Audit deliverables to be submitted at the end of each phase of
the Audit
-
- Phase 1 Planning the Audit
-
- Phase 2 Performing the Audit Work
-
- Phase 3 Reporting Audit Results
16. Audit Deliverables (II)
- Phase 1 Planning the Audit
-
- Inception Report which include the following:
-
-
- Agreed methodology to be used for assessing the risk areas and
conducting the audit
-
-
- Detailed workplan for conducting tasks 1 to 5
-
-
- Approach to be used for providing the transfer of
knowledge
17. Audit Deliverables (III)
- Phase 2 Performing the Audit Work
-
- Draft Audit report which include the following:
-
-
- Methodology used for assessing the risk areas and conducting
the audit
-
-
- Tests performed and tools/software that have been used during
the exercise
-
-
- Weaknesses found and areas of risks identified with clear
indication on the severity
18. Audit Deliverables (IV)
-
-
- Time bound corrective action proposed (short and long term)
with procurement details (i.e. specifications and cost estimates)
where applicable
-
-
- Draft Security Policy for the Information System
-
-
- Draft IT Contingency plan for the Information System
-
- Weekly status meetings to review findings
19. Audit Deliverables (V)
- Phase 2 Reporting Audit Results
-
- Final IT Security Audit report which contain all reportable
issues (findings)
-
- Report must be comprehensive and include the following
information:
-
-
- Executive Summary, detailing the significant issues (findings)
and a high level corrective action plan
-
-
- Scope of the IT Security Audit
20. Audit Deliverables (VI)
-
-
- Methodology used for assessing the risk areas and conducting
the audit
-
-
- Tests performed and tools/software that have been used during
the exercise
-
-
- Audit results which address the audit objectives, including
detailed information on weaknesses found and areas of risks
identified with clear indication on the severity of the
findings
21. Audit Deliverables (VII)
-
-
- Time bound corrective action proposed (short and long term)
with procurement details (i.e. specifications and cost estimates)
where applicable including recommendation ofmeasures to strengthen
the security of the Information System
-
-
- Final Security Policy document for the Information System
-
-
- Final IT Contingency plan
22. Overview of Audit Findings (I)
- Findings broken into 3 categories
-
- Network and System Security
Severity Rating Basis of giving severity rating Recommended
timeframe to fix High Privileged access or severely impact system
operation Immediate Medium Hacker may gain limited user or network
level access Within 1 month Low Minimal possibility for hacker to
again access to resources Within 6 months 23. Overview of Audit
Findings (II)
-
- Configuration of Application Server to be strengthened
-
- Input validation to be implemented for all data input
-
- Do not allow simultaneous logins of same user
24. Overview of Audit Findings (III)
- Network and System Security
-
- Hardening of Operating System
-
- Enable auditing on systems
-
- Strengthen entry controls in high security area
25. Benefits of the Audit (I)
- Health checkof the Information System from asecurity
perspective:
-
- Physical, Network and Application levels
- Security policyendorsedby top management of CD that provides a
framework for implementing security procedures and guidelines
26. Benefits of the Audit (II)
- Availability of an IT Contingency Plan that should be
followedin case of IT failure/disruption
- Physical Securitystrengthenedand physical access control
implemented
27. Benefits of the Audit (III)
- Post Audit Implementation Committee
-
- Corrective Action Planelaborated
-
- Cross functional team of different stakeholders set up to
monitor, review, maintain andcontinuouslyimprove the information
system
-
- Several working sessions held where implementation of audit
recommendations is closelymonitored
28. Benefits of the Audit (IV)
-
- Enhancedsecurity postureof the Information System
-
- Information System isless vulnerable
-
- Aprocessis in place to identify vulnerabilities, reduce
threats, manage risks and act in case Information System is
impacted
29.
