
Practical Implementation of Automated Assessment Tools for the IT Auditor






Presentation Transcript


  1. Practical Implementation of Automated Assessment Tools for the IT Auditor John A. Otte, CISSP, CISA, CFE, EnCE, MSIA Director, Strategic Services FishNet Security

  2. Agenda
     • IT Audit and assessment testing background
     • Audit and assessment planning issues
     • Challenges to conducting the IT audit
     • Benefits of automated assessment tools
     • Examples of automated assessment tools
     • Automated assessment tools and compliance
     • Questions and open forum

  3. IT Audit and assessment testing background
     • Requirements to fulfill internal and external control reviews
     • Compliance with federal, state, local and industry regulatory acts
     • Detect, prevent and deter misuse, abuse or exposure of systems and data
     • Identify and remediate system, process or control weaknesses
     • Determine adequate design and effectiveness of critical business processes
     • Reduce overall true business risk to information systems and data

  4. Audit and assessment planning issues
     • Integrated audit versus IT audit
     • Time required of the audit and operational staff to conduct the audit
     • Testing methodology (e.g., manual versus automated)
     • Findings classification/determination
     • Communication/reporting of findings

  5. Challenges to conducting the IT audit
     • IT Auditors need to determine the impact of the systems being assessed during the course of the audit (relevance and criticality)
     • Determining the audit approach: manual/checklist versus automated/scripted
     • Since information is available electronically and not necessarily in hardcopy, the traditional methods used to gather and evaluate information may not be sufficient
     • Some IT audits require an advanced level of technical skill or in-depth understanding of systems (e.g., operating systems, applications, databases)
     • IT Auditors need a deeper understanding of general computer controls (including the use of automated assessment tools) and the potential impact such controls may have on the audit approach
     • Disparate reports, non-integration of system logs and/or history

  6. Challenges to conducting the IT audit (continued)
     • Areas most difficult for the IT Auditor to assess include:
       • Access controls (firewall rules, ACLs)
       • Change management (adds, changes, deletes)
       • Segregation of duties
       • User or system account access to data
       • Location of critical data (applications/databases/storage)
       • Data discovery (at rest, in motion)
     • Some IT audits are extremely resource intensive and require significant IT interaction

  7. Benefits of automated assessment tools
     • Help overcome issues associated with manual testing of systems and processes
     • Most tools are quick to run and require less interaction with IT and business staff
     • Provide autonomy and flexibility to the audit approach
     • Yield more detailed information than could have been acquired manually
     • Many reports are written in non-technical language, so most IT Auditors can understand and use the information regardless of technical skill set
     • Reduce audit costs while increasing audit coverage and the quality of value-added recommendations
     • Help to rapidly identify "high, critical or most vulnerable" risk areas, maximizing remediation timeframes
     • Illustrate risks and priorities to IT and business units alike

  8. Examples of automated assessment tools

  9. Vulnerability Assessment - Nessus http://www.nessus.org/demos/index.php?view=demo_videos

  10. Data Discovery - Vontu
      • Allows an IT Auditor to search for and identify "critical" data within information processing systems (servers, desktops, workstations, databases, storage)
      • Provides the ability to remediate found data (move, erase, quarantine)
      • Gives the IT Auditor a means by which to expand or reduce the scope of an audit based on findings
      • Justifies the IT Auditor's remediation findings after validation of the discovered "critical data"
      • Empowers the IT Auditor to be a "business enabler" when making recommendations on internal controls or business processes
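The slide describes data discovery at rest without showing how such a tool decides what counts as "critical" data. The block below is an added example, not Vontu's code or anything from this presentation: it scans a set of constructed in-memory files for candidate payment card numbers, keeps only candidates that pass the Luhn check (so timestamps and phone numbers are not reported), and reports masked values so the audit report itself does not replicate the data it found. The file names, contents and the regex are all constructed for the example.

```python
"""Added example (not Vontu's code): a minimal data-at-rest discovery scan."""
import re

# Constructed pattern: 13-19 digits, optionally separated by spaces or dashes,
# not embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample "files" (path -> content). The phone number and the
# timestamp in notes.txt are decoys that a naive digit-run scan would report.
FILES = {
    "share/finance/refunds.csv": (
        "id,card,amount\n"
        "1,4111 1111 1111 1111,19.99\n"
        "2,1234-5678-9012-3456,5.00\n"
    ),
    "home/alice/notes.txt": "call 555-0100-2020 re ticket 20240101123456\n",
    "db/dump.sql": "INSERT INTO orders VALUES (42, '4242424242424242');\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, as a report would."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(path: str, text: str) -> list:
    """Return (path, masked_pan) for every Luhn-valid candidate in text."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            hits.append((path, mask(digits)))
    return hits


def scan_files(files: dict) -> list:
    """Scan every file and collect findings in file order."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for path, masked in scan_files(FILES):
        print(f"{path}: {masked}")
```

Of the four digit runs in the sample data only two are reported; the Luhn check is what keeps the decoys out of the report, which matters because every false positive costs the auditor a manual validation step.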

  11. Firewall Reviews - FireMon
      • Enables the IT Auditor to quickly review firewall changes using automation
      • Helps the IT Auditor detect potential issues before they arise
      • Gives a quick view of actual risks in firewall rules
      • Enables the IT Auditor to maintain continual analysis of rule changes and their impact
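To make "a quick view of actual risks to firewall rules" concrete, the block below is an added example and not FireMon's code: it parses a constructed, vendor-neutral rule list (first match wins) and reports three findings an auditor routinely asks for in a rule review: any-to-any permits, permits that expose management ports to any source, and shadowed rules that can never match because an earlier rule already covers all of their traffic. The rule format, the sample rules and the set of management ports are assumptions made for the example.

```python
"""Added example (not FireMon's code): a minimal automated firewall rule review."""
import ipaddress
from dataclasses import dataclass

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
# Ports treated as management services in this example (assumption).
MGMT_PORTS = {22, 23, 3389, 5900}

# Constructed rule base: "id action src dst proto ports", evaluated top-down.
SAMPLE_RULES = [
    "1 permit 10.0.0.0/8 192.168.1.10/32 tcp 443",
    "2 permit 10.1.0.0/16 192.168.1.10/32 tcp 443",   # fully covered by rule 1
    "3 permit 0.0.0.0/0 192.168.1.20/32 tcp 22",       # SSH open to any source
    "4 deny 0.0.0.0/0 192.168.1.0/24 tcp 22",
    "5 permit 0.0.0.0/0 0.0.0.0/0 any any",            # permits everything
    "6 deny 0.0.0.0/0 0.0.0.0/0 any any",              # never reached
]


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                   # "tcp", "udp" or "any"
    ports: tuple                 # inclusive (low, high); (0, 65535) means any


def parse_ports(spec: str) -> tuple:
    if spec == "any":
        return (0, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))


def parse_rule(line: str) -> Rule:
    rid, action, src, dst, proto, ports = line.split()
    return Rule(int(rid), action, ipaddress.ip_network(src),
                ipaddress.ip_network(dst), proto, parse_ports(ports))


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    return (outer.src.supernet_of(inner.src)
            and outer.dst.supernet_of(inner.dst)
            and outer.proto in ("any", inner.proto)
            and outer.ports[0] <= inner.ports[0]
            and outer.ports[1] >= inner.ports[1])


def review(rules: list) -> list:
    """Return (rule_id, finding_code, detail) tuples in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "permit":
            if rule.src == ANY_NET and rule.dst == ANY_NET and rule.ports == (0, 65535):
                findings.append((rule.rule_id, "any_any_permit", "permits all traffic"))
            elif rule.src == ANY_NET and any(rule.ports[0] <= p <= rule.ports[1]
                                             for p in MGMT_PORTS):
                findings.append((rule.rule_id, "mgmt_port_from_any",
                                 f"management port reachable from any source to {rule.dst}"))
        # Shadowing: an earlier rule matches everything this rule would match.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                detail = f"never matches; fully covered by rule {earlier.rule_id}"
                if earlier.action != rule.action:
                    detail += " with the opposite action"
                findings.append((rule.rule_id, "shadowed", detail))
                break
    return findings


if __name__ == "__main__":
    for rule_id, code, detail in review([parse_rule(r) for r in SAMPLE_RULES]):
        print(f"rule {rule_id}: {code}: {detail}")
```

Running the same review over two exported rule bases (before and after a change window) and diffing the findings is the simplest form of the continual change analysis the slide refers to; rule 6 is the case auditors care about most, a deny that looks like a control but is unreachable.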

  12. Segregation of Duties – Benefits
      • Reduces the labor-intensive task of manually reviewing user access to systems and data
      • Expedites the testing process for user access reviews
      • Analyzes controls at specific transaction levels
      • Quick and easy-to-understand reporting on potential conflicts
      • Helps IT Auditors better understand both defined and undefined roles within the organization
      • Reduces the overall likelihood of risk and fraud
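The slide lists what a segregation-of-duties tool delivers; the block below is an added example, not any vendor's product or code from this presentation, showing the transaction-level analysis such tools perform. It takes a constructed role catalog (role to transactions), constructed user-role assignments and a constructed conflict matrix of transaction pairs no single person should hold, then reports every user who can execute both halves of a pair, with the roles that grant them. Because the check is done on transactions rather than role names, a conflict baked into a single role (an "undefined" conflict in the slide's terms) is caught just like one that arises from combining roles.

```python
"""Added example (not a vendor's code): transaction-level SoD conflict analysis."""
from itertools import combinations

# Constructed role catalog: transaction codes each role grants.
ROLE_TRANSACTIONS = {
    "AP_CLERK":      {"VENDOR_CREATE", "INVOICE_ENTER"},
    "AP_MANAGER":    {"INVOICE_APPROVE", "PAYMENT_RELEASE"},
    "PAYROLL_ADMIN": {"EMPLOYEE_CREATE", "PAYROLL_RUN"},   # conflict inside one role
    "AUDITOR":       {"REPORT_VIEW"},
}

# Constructed SoD rule set: transaction pairs that must not sit with one person.
CONFLICTS = {
    frozenset({"VENDOR_CREATE", "PAYMENT_RELEASE"}): "fictitious vendor payments",
    frozenset({"INVOICE_ENTER", "INVOICE_APPROVE"}): "self-approved invoices",
    frozenset({"EMPLOYEE_CREATE", "PAYROLL_RUN"}): "ghost employees",
}

# Constructed user-role assignments, as exported from an access review.
USER_ROLES = {
    "alice": {"AP_CLERK"},
    "bob":   {"AP_CLERK", "AP_MANAGER"},
    "carol": {"PAYROLL_ADMIN"},
    "dave":  {"AUDITOR", "AP_MANAGER"},
}


def effective_transactions(roles: set, role_catalog: dict) -> dict:
    """Map each transaction the user can execute to the roles granting it."""
    granted = {}
    for role in sorted(roles):
        for txn in role_catalog.get(role, ()):
            granted.setdefault(txn, set()).add(role)
    return granted


def find_conflicts(user_roles: dict, role_catalog: dict, conflicts: dict) -> list:
    """Return (user, txn_a, txn_b, risk, via_roles) for every violated pair."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        granted = effective_transactions(roles, role_catalog)
        for txn_a, txn_b in combinations(sorted(granted), 2):
            risk = conflicts.get(frozenset({txn_a, txn_b}))
            if risk:
                via = sorted(granted[txn_a] | granted[txn_b])
                findings.append((user, txn_a, txn_b, risk, via))
    return findings


if __name__ == "__main__":
    for user, a, b, risk, via in find_conflicts(USER_ROLES, ROLE_TRANSACTIONS, CONFLICTS):
        print(f"{user}: {a} + {b} ({risk}) via {', '.join(via)}")
```

The `via` column is what turns a finding into a remediation: for bob the fix is removing one of two roles, while for carol the role definition itself has to be split, which is a control-design finding rather than a user-access one.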

  13. Segregation of Duties – Product Platforms
      • Oracle – built-in tools
      • SAP – Versa, Business Intelligence, Firefighter, ECC 6.0
      • Excel spreadsheets – ComplyXL

  14. Automated assessment tools and compliance
      • Payment Card Industry Data Security Standard
      • Health Insurance Portability and Accountability Act
      • Sarbanes-Oxley Act of 2002
      • Gramm-Leach-Bliley Act

  15. Frameworks
      • International Standards Organization 27001/2
      • COBIT
      • COSO
      • OCTAVE
      • NIST

  16. Open Discussion
