IT Audits – Understanding the Standards
Illinois Digital Government Summit, September 15, 2008

Presented by Doug Tinch, Illinois Office of Internal Audit, and Steve Gerschoffer, Crowe Horwath

Horwath International. Copyright 2006 Crowe Chizek and Company LLC


Agenda

• Understanding the Standards:
  • What is at risk?
  • Auditing Standards
  • Scope of IT Audits
  • Pre / Post Implementation Audits
  • Risk Assessment
  • Questions?


DISCLAIMER

Any opinions expressed by Steve and/or Doug (even though they are usually correct) are their own and do not reflect the official positions of either the State of Illinois Office of Internal Audit or Crowe Horwath.


Highlights of 12th Annual CSI Survey (source: CSI Survey 2007)

• Average annual loss reported was $350,424 – highest average loss since 2004, up from $168,000 last year

• 194 responses reported total losses of $66,930,950, up from $52,494,290 (for 313 respondents) in 2006

• 132 of 454 respondents have cyber insurance policies

• The top 3 attacks detected were insider abuse of net access, virus, and laptop/mobile device theft

• Viruses were the leading cause of losses for the last seven years; financial fraud overtook them in 2007


Top 5 Losses by Type of Attack (source: CSI Survey 2007)

Dollar Amount of Losses by Type (194 Respondents):

• Financial Fraud – $21,124,750
• Virus (Worms/Spyware) – $8,391,800
• System penetration by outsider – $6,875,000
• Theft of confidential data, from all causes but mobile device theft – $5,685,000
• Laptop or mobile hardware theft – $3,881,150


Current Landscape – Costs of a Breach

• Ponemon Institute Study (November 2007) found that the total cost of a data breach averaged $198 per lost customer record:
  • Detection and escalation – $9
  • Notification – $15
  • Response and actions taken – $46
  • Lost business – $128


Current Landscape – Causes of a Breach

From Ponemon Institute, 2007 Annual Study: U.S. Cost of a Data Breach – Understanding Financial Impact, Customer Turnover, and Preventative Solutions


Standards . . .

What is FCIAA? Fiscal Control and Internal Auditing Act (30 ILCS 10/)

Article 1. General Provisions – Section 1002 – CEO of “every State agency is responsible for effectively and efficiently managing the agency and establishing and maintaining an effective system of internal control.”


Fiscal Control and Internal Auditing Act (30 ILCS 10/)

Article 3. Fiscal Controls – “All State agencies shall establish and maintain a system, or systems, of internal and fiscal administrative controls, which shall provide assurance that:…”


Fiscal Control and Internal Auditing Act (30 ILCS 10/)

Article 2. Internal Auditing – establishes a program of internal auditing, qualifications of the chief internal auditor, and internal auditing program requirements. Section 2003 (a) (3) mandates: “Reviews of the design of major new electronic data processing systems and major modifications of those systems before their installation to ensure the systems provide for adequate audit trails and accountability.”


WARNING

IF A PRE-IMPLEMENTATION AUDIT IS REQUIRED, AND IS NOT TIMELY PERFORMED, THE OFFICE OF THE AUDITOR GENERAL WILL ISSUE TWO (2) FINDINGS. THE AGENCY WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT HAVING AN AUDIT COMPLETED BEFORE IMPLEMENTATION, AND THE IOIA WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT PERFORMING THE AUDIT.


Standard Scope of an IT Audit

• IS General Controls
• Management and Organization
• Development and Acquisition
• On-Line Security (Core Application Systems)
• Business Contingency Planning
• Physical Security
• Computer Operations
• Outsourced Technology Service Providers


Standard Scope of an IT Audit

Network Security Assessment
• Methodology
  • ‘Good Guy’ Approach
• Standard Scope
  • Policies and Procedures (Security, Incident Response, etc.)
  • Anti-Virus Standards
  • Workstation Security Review
  • Network Architecture
  • Network Operating System Security Review
    • Windows
    • Novell
    • Unix


Standard Scope of an IT Audit

Network Security Assessment
• Voice Over IP
• Database Security
• Mobile Device Security
• Web Server Security
• Email Server Security
• Etc…


Internal Penetration Assessment

• Methodology
  • ‘Bad Guy’ Approach
  • Disgruntled Internal Employee, Unauthorized Individual with Internal Network Access
• Standard Scope
  • Technical Assessment
  • Physical Social Engineering
  • Document Disposal


Internal Penetration Assessment

[Network diagram – components shown: Internet, Firewall, Internet Accessible Systems, Mainframe, Application Servers, Modems/Remote Access Systems, File and Print Servers, User Population; the attacker is labelled “Internal Attacker”]


External Penetration Assessment

• Methodology
  • ‘Bad Guy’ Approach
  • External Hacker
• Standard Scope
  • Technical Assessment
  • Phone Social Engineering
  • Email Social Engineering
  • Phone Sweep


External Penetration Assessment

[Network diagram – components shown: Internet, Firewall, Internet Accessible Systems, Mainframe, Application Servers, Modems/Remote Access Systems, File and Print Servers, User Population; the attacker is labelled “External Attacker”]


SAS 70 (Statement on Accounting Standards – No. 70)

Types of SAS 70’s
• Level I, Report on Controls Placed in Operation
• Level II, Report on Controls Placed in Operation & Tests of Operating Effectiveness


What Is Evaluated During SAS 70 Audit?

• A typical SAS 70 Report includes
  o General Controls
  o Application Controls
  o Process Controls

• Organization and Administration
• Application Maintenance
• Documentation
• Computer Operations
• Hardware and System Software
• On-Line Security
• Physical Security
• Back-up and Contingency Planning
• e-Business Policies and Procedures


SAS 70 – User Control Considerations

• Controls which the User Organization should consider but that the Service Provider either:
  • Cannot do,
  • Does not take responsibility for, or
  • Is not cost effective.


Pre-Implementation Audit Process

The Risk Assessment Process

• Document request

1) RFP (Request for Proposal)

2) Project Charter

3) Design Documents

4) System Objectives

5) Cost/Benefit Analysis

6) Project Time-line


Pre-Implementation Audit Process

The Risk Assessment Process

• Management Interview

1) Management synopsis of the project.

2) Details of the project and changes (if any) in timelines, scope, funding, resources, etc. that may not be reflected in the original documentation.

3) Any other relevant information that is germane to the project.


Pre-Implementation Audit Process

The Risk Assessment Process

• IOIA Determination

1) Determination by auditor

2) Review by Supervisor

3) Review by Manager

4) Review by Chief Internal Auditor

5) Issuance of Determination Letter to Agency Director


Pre-Implementation Audit Process

The Audit

• Audit Program

1) Audit Trails and Accountability

2) Functionality


Pre-Implementation Audit Process

The Audit

• Test Matrix

1) Audit Trails and Accountability
   a) Logging
   b) Access controls
   c) Transmission security
   d) Application controls (third party hosting)
   e) Disaster recovery/business continuity

2) Functionality
   a) With business rules (tech and non-tech)
   b) User expectations and needs


Pre-Implementation Audit Process

The Audit

• Testing

1) Part of User Acceptance Testing Team (UAT)

2) Access to Change (Bug) Control

3) Notify Program Manager of failures immediately

4) Follow-up to determine that all “bugs” are closed

5) Final acceptance by all appropriate parties


Pre-Implementation Audit Process

The Audit

• Review and Approval Process

1) Informal pre-Letter issuance conference with management.

2) IOIA Review and Letter issuance to Director prior to implementation

3) Draft report issuance to Director. Formal exit conference if required

4) Agency responses to draft, included verbatim in final report to Director.

5) Subsequent Recommendation follow-up.


Questions?