Horwath International Copyright 2006 Crowe Chizek and Company LLC
IT Audits – Understanding the Standards
Illinois Digital Government Summit
September 15, 2008
Presented by
Doug Tinch, Illinois Office of Internal Audit
Steve Gerschoffer, Crowe Horwath
Agenda
• Understanding the Standards:
• What is at risk?
• Auditing Standards
• Scope of IT Audits
• Pre / Post Implementation Audits
• Risk Assessment
• Questions?
DISCLAIMER
Any opinions expressed by Steve and/or Doug (even though they are usually correct) are their own and do not reflect the official positions of either the State of Illinois Office of Internal Audit or Crowe Horwath.
Highlights of 12th Annual CSI Survey – source: CSI Survey 2007
• Average annual loss reported was $350,424 – highest average loss since 2004, up from $168,000 last year
• 194 responses reported total losses of $66,930,950, up from $52,494,290 (for 313 respondents) in 2006
• 132 of 454 respondents have cyber insurance policies
• The top 3 attacks detected were insider abuse of net access, virus, and laptop/mobile device theft
• Viruses were the leading cause of losses for the last seven years – financial fraud overtook them in 2007
Top 5 Losses by Type of Attack – source: CSI Survey 2007
Dollar Amount of Losses by Type (194 Respondents)
• Financial Fraud – $21,124,750
• Virus (Worms/Spyware) – $8,391,800
• System penetration by outsider – $6,875,000
• Theft of confidential data, from all causes but mobile device theft – $5,685,000
• Laptop or mobile hardware theft – $3,881,150
Current Landscape – Costs of a Breach
• Ponemon Institute Study (November 2007) found that the total cost of a data breach averaged $198 per lost customer record
• Detection and escalation - $9
• Notification - $15
• Response and actions taken - $46
• Lost business - $128
Current Landscape – Causes of a Breach
From Ponemon Institute, 2007 Annual Study: U.S. Cost of a Data Breach: Understanding Financial Impact, Customer Turnover, and Preventative Solutions
Standards...
What is FCIAA?
Fiscal Control and Internal Auditing Act
(30 ILCS 10/)
Article 1. General Provisions – Section 1002 – CEO of “every State agency is responsible for effectively and efficiently managing the agency and establishing and maintaining an effective system of internal control.”
Fiscal Control and Internal Auditing Act
(30 ILCS 10/)
Article 3. Fiscal Controls – “All State agencies shall establish and maintain a system, or systems, of internal and fiscal administrative controls, which shall provide assurance that:…”
Fiscal Control and Internal Auditing Act
(30 ILCS 10/)
Article 2. Internal Auditing – establishes a program of internal auditing, qualifications of chief internal auditor, and internal auditing program requirements. Section 2003 (a) (3) mandates: “Reviews of the design of major new electronic data processing systems and major modifications of those systems before their installation to ensure the systems provide for adequate audit trails and accountability.”
WARNING
IF A PRE-IMPLEMENTATION AUDIT IS REQUIRED, AND IS NOT TIMELY PERFORMED, THE OFFICE OF THE AUDITOR GENERAL WILL ISSUE TWO (2) FINDINGS. THE AGENCY WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT HAVING AN AUDIT COMPLETED BEFORE IMPLEMENTATION, AND THE IOIA WILL RECEIVE A FINDING FOR NON-COMPLIANCE WITH STATE STATUTE FOR NOT PERFORMING THE AUDIT.
Standard Scope of an IT Audit
• IS General Controls
• Management and Organization
• Development and Acquisition
• On-Line Security (Core Application Systems)
• Business Contingency Planning
• Physical Security
• Computer Operations
• Outsourced Technology Service Providers
Standard Scope of an IT Audit
Network Security Assessment
• Methodology
  • ‘Good Guy’ Approach
• Standard Scope
  • Policies and Procedures (Security, Incident Response, etc.)
  • Anti-Virus Standards
  • Workstation Security Review
  • Network Architecture
  • Network Operating System Security Review
    • Windows
    • Novell
    • Unix
Standard Scope of an IT Audit
Network Security Assessment
• Voice Over IP
• Database Security
• Mobile Device Security
• Web Server Security
• Email Server Security
• Etc…
Internal Penetration Assessment
• Methodology
  • ‘Bad Guy’ Approach
  • Disgruntled Internal Employee, Unauthorized Individual with Internal Network Access
• Standard Scope
  • Technical Assessment
  • Physical Social Engineering
  • Document Disposal
Internal Penetration Assessment
[Diagram: Internal Attacker (inside the network); components shown: Firewall, Internet, Mainframe, Application Servers, Modems/Remote Access Systems, File and Print Servers, User Population, Internet Accessible Systems]
External Penetration Assessment
• Methodology
  • ‘Bad Guy’ Approach
  • External Hacker
• Standard Scope
  • Technical Assessment
  • Phone Social Engineering
  • Email Social Engineering
  • Phone Sweep
External Penetration Assessment
[Diagram: External Attacker (on the Internet); components shown: Firewall, Internet, Mainframe, Application Servers, Modems/Remote Access Systems, File and Print Servers, User Population, Internet Accessible Systems]
SAS 70 (Statement on Accounting Standards – No. 70)
Types of SAS 70’s
• Level I, Report on Controls Placed in Operation
• Level II, Report on Controls Placed in Operation & Tests of Operating Effectiveness
What Is Evaluated During SAS 70 Audit?
• A typical SAS 70 Report includes
  o General Controls
  o Application Controls
  o Process Controls
• Organization and Administration
• Application Maintenance
• Documentation
• Computer Operations
• Hardware and System Software
• On-Line Security
• Physical Security
• Back-up and Contingency Planning
• e-Business Policies and Procedures
SAS 70 – User Control Considerations
• Controls which the User Organization should consider but that the Service Provider either:
  • Cannot do,
  • Does not take responsibility for, or
  • Is not cost effective.
Pre-Implementation Audit Process
The Risk Assessment Process
• Document request
1) RFP (Request for Proposal)
2) Project Charter
3) Design Documents
4) System Objectives
5) Cost/Benefit Analysis
6) Project Time-line
Pre-Implementation Audit Process
The Risk Assessment Process
• Management Interview
1) Management synopsis of the project.
2) Details of the project and changes (if any) in time-lines, scope, funding, resources etc. that may not be reflected in original documentation.
3) Any other relevant information that is germane to the project.
Pre-Implementation Audit Process
The Risk Assessment Process
• IOIA Determination
1) Determination by auditor
2) Review by Supervisor
3) Review by Manager
4) Review by Chief Internal Auditor
5) Issuance of Determination Letter to Agency Director
Pre-Implementation Audit Process
The Audit
• Audit Program
1) Audit Trails and Accountability
2) Functionality
Pre-Implementation Audit Process
The Audit
• Test Matrix
1) Audit Trails and Accountability
  a) Logging
  b) Access controls
  c) Transmission security
  d) Application controls (third party hosting)
  e) Disaster recovery/business continuity
2) Functionality
  a) With business rules (tech and non-tech)
  b) User expectations and needs
Pre-Implementation Audit Process
The Audit
• Testing
1) Part of User Acceptance Testing Team (UAT)
2) Access to Change (Bug) Control
3) Notify Program Manager of failures immediately
4) Follow-up to determine that all “bugs” are closed
5) Final acceptance by all appropriate parties
Pre-Implementation Audit Process
The Audit
• Review and Approval Process
1) Informal pre-Letter issuance conference with management.
2) IOIA Review and Letter issuance to Director prior to implementation
3) Draft report issuance to Director. Formal exit conference if required
4) Agency responses to draft, included verbatim in final report to Director.
5) Subsequent Recommendation follow-up.
Questions?