
Role of SAIs in promoting and audit of IT security


Presentation Transcript


  1. Role of SAIs in promoting and audit of IT security
  Presented by: Naweedullah Aman, Supreme Audit Office, Afghanistan

  2. Table of contents
  • Introduction and background 3
  • Practical experience in auditing IT security 10
  • Integrating IT security in IT audit 14
  • Methodology 18
  • Tools and techniques 22
  • Lessons learned 24
  • Role of SAI in promoting audit of security of IS 25
  • Next steps 28

  3. Introduction and background – History and mandate of the SAO
  • The Supreme Audit Office (SAO) was established in 1945 (1324) as the Control and Audit Office and has since undergone a series of changes in law, name and reporting lines.
  • The SAO derives its mandate from the current audit law, enacted in 1392/2013 in light of Articles 50, 75 and 98 of the Afghan Constitution on the protection of public property.
  • Under Article 2 of the SAO Audit Law, the SAO is mandated to audit all financial and accounting activities and the performance of entities. Article 15(2) of the Law requires audited entities to provide electronic data and information systems for audit. The SAO's mandate for IT audit is therefore derived from its overall mandate to conduct audits, including audits of IT systems (ISSAI 5300, A.4).

  4. Introduction and background – SAO's organizational structure, size and IT audit department
  • The SAO has about 503 staff in total, led by the Auditor General, supported by two Deputy Auditors General, 19 Directors and 213 professional staff.
  • The head office of the SAO is located in Kabul, with 4 regional offices.
  • The SAO mainly performs financial, performance and compliance audits and has recently started performing IT audits.
  • The IT audit department is newly created, following presidential approval received in the last quarter of 2018.
  • It is headed by an IT audit manager, with 4 staff members and one international consultant, reporting to the Operational Deputy Auditor General.
  • To date, the SAO IT audit department has performed about four information system and IT security audit engagements, including the Ministry of Finance's AFMIS and SIGTAS GRP systems and the M-Power Grid system of the Government's power utility (a corporation).
  • We are maximizing training, professional certification and development opportunities to build IT audit capacity and grow the department, with support from IDI/INTOSAI and the World Bank.

  5. Definitions according to INTOSAI GUID 5300 (slide note: "SAO follows? Is this what we follow exactly as per our policy?")
  • An examination and review of IT systems and related controls to gain assurance or identify violations of the principles of legality, efficiency, economy and effectiveness of the IT system.

  6. Standards and guidelines for IT audit (slide note: "SAO follows? Are they part of our guidelines?")
  • Existing ISSAI standards
    • ISSAI 5300 – Guidelines on IT Audit
    • ISSAI 5310 – Information System Security Review Methodology
    • WGITA-IDI handbook
  • ISSAI exposure drafts
    • GUID 5100 Guidance on audit of information systems
    • GUID 5101 Guidance on audit of security of information systems
  • Other relevant international and best-practice standards
    • COBIT 5
    • NIST Cybersecurity Framework

  7. Key developments in IT within the Government agencies
  • Governance, legal and regulatory
    • E-government strategy developed by MoICT
    • National Cyber Security Strategy of Afghanistan (NCSA) – 2014, with a cyber emergency response team (AFCERT)
    • Cyber Crime Code signed into law on 20 June 2017
    • Draft Electronic Transactions and Electronic Signatures Act
    • National ICT Policy for Afghanistan – A digital agenda for development and social change 2018-2022
  • Technology advancements for e-government
    • Digitalization of state institutions, with ongoing implementation of the Government Resource Planning system by MoICT
    • Upgrading of the Afghanistan Financial Management System (AFMIS), a FreeBalance application, for the Treasury department of the Ministry of Finance
    • Standard Integrated Government Tax Administration System (SIGTAS)
    • ASYCUDA for the customs revenue department of the Ministry of Finance
    • Human Resource Management Information System (HRMIS)
    • Higher Education Management Information System (HEMIS)
    • Mobile salary payments (at pilot stage)
    • National ID and e-passport projects in the Ministry of Interior

  8. Key developments in the SAO in IT audit
  • In the pipeline
    • Procurement and implementation of a state-of-the-art Audit Management Information System (AMIS) for the SAO
    • Use of CAATs (computer-assisted audit techniques) for data analysis

  9. Understanding the cyber security threat
  • Governments are seeing cybersecurity as a top risk, underscored by recent headlines and increased government and regulatory focus.
  • The hacking of the Afghan National Security Council's website on 26 November 2016 is a clear indication that Afghanistan faces cyber threats.
  • Subsequently, the Cyber Crime Code was signed into law on 20 June 2017.
  • According to the EY Global Information Security Survey 2018-19:
    • Overall, 92% of organizations (public and private sector) are concerned about their information security function in key areas.
    • Resources are a key issue: 30% of organizations are struggling with skills shortages, while 25% cite budget constraints.

  10. What are the riskiest security vulnerabilities? (source: EY report)
  (Chart on the original slide: vulnerabilities with the most increased risk exposure over the past 12 months.)
  • 34% of organizations see careless/unaware employees as the biggest vulnerability.
  • 53% have no program, or an obsolete one, for one or more of the following:
    • Threat intelligence
    • Vulnerability identification
    • Breach detection
    • Incident response
    • Data protection
    • Identity and access management
  Source: Ernst & Young Global Information Security Survey 2018-19

  11. Audit observations – Our practical experience
  Security gaps
  • Deficient, missing or outdated policies, standards and procedures; a need for more robust oversight
  • Incomplete process documentation: outdated, inaccurate process narratives or flow charts
  • Control gaps: identified lack of control procedures
  • Segregation of duties: noted conflicts of interest, lack of segregation
  • Carelessness, lack of security awareness and use of obsolete or unlicensed technologies
  Triggers that indicate gaps in security posture at the auditee
  • Data loss
  • Cyber attack
  • Significant government changes
  • Compliance: changes in laws or regulations
  • IT leadership changes
  • Fraud/corruption: identification of fraudulent activities within the government

  12. Our practical experience – Common IT audit findings from the AFMIS IT audits performed by SAO
  • Governance, organisation and strategy
    • Continued complexity of legal and regulatory requirements
    • Inadequate implementation of IT security policies and procedures, national cyber security laws and strategies
    • Entity-level security strategy not aligned to business objectives, or lack of a defined strategy
    • Government unaware of existing security incidents, or limited ability to detect them
    • Government has not adapted to emerging risks around mobile, cloud and social
    • Reactive rather than proactive security in government entities
    • Security spend is not optimized or is inefficient; the cost of managing security and demonstrating/sustaining compliance seems excessive
    • Security awareness program is limited, lacks sponsorship from the top, or does not exist
    • Business continuity policies do not exist
    • Change management policies and procedures are lacking
    • Systems Development Lifecycle methodology not followed or documented, and does not include security-focused toll gates
    • Use of unlicensed (cracked) software versions
    • Inconsistent patch management: patch levels found to be inadequate in the software installations
    • Lack of segregation between test and production environments, with test environments missing in some instances
  • Insecure configurations
    • When new services are deployed, they are not configured to operate in a secure manner. Over 60% of the issues found within the IT audit are directly related to configuration deficiencies that result in leakage of information and an increased attack surface for malicious attackers.

  13. Our practical experience – Common IT audit findings from the AFMIS IT audits performed by SAO (continued)
  • Inadequate identity and access management processes
    • Weak application controls leading to data integrity issues
    • Weak password controls coupled with users having excessive or inappropriate access
    • Access reviews are difficult and time-consuming to complete, hence not performed at all
    • Linking access requirements to job functions is ad hoc, and access rights are not removed upon job change or termination
    • Limited enforcement of segregation of duties policies
    • Lack of knowledge of who has access to privileged accounts, and their passwords are not changed on a routine basis
  • Security positions are not appropriately filled; internal technical skills lacking
    • In-house security team does not have the expertise to manage information security
    • No defined primary person in charge of security and risk
  • Security is driven by compliance
    • Security compliance is not being monitored and evaluated
    • Assessments are compliance-focused and do not evaluate the true security posture of the organization

  14. Our practical experience – Strategic recommendations to address audit findings
  • Review, update and enforce security policies
  • Security awareness training for government employees
  • Review application versions and patch levels
    • Regular vulnerability scanning with tools such as Nessus is recommended
  • Review and enhance network and application security architecture
    • Internal networks are compartmentalized into security zones to quarantine attacks
    • Conduct regular, periodic infrastructure attack and penetration assessments
  • Develop minimum baseline standards to harden the configuration of servers
    • Local administrative accounts should be disabled on workstations
    • Turn off all unnecessary services
  • Perform regular password audits to assess that:
    • Password hardening procedures are employed for all users, administrators, applications and servers
    • Passwords are stored securely across the network, including workstations, Active Directory and databases
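As an added illustration of the "minimum baseline standards" and password-audit recommendations on this slide (this is example code, not SAO's tool or anything from the presentation), the following Python script checks per-host configuration snapshots against an assumed baseline; the baseline values, host names and snapshot data are constructed assumptions.

```python
"""Added example: baseline-compliance check for hardened host configuration.
Baseline values and host snapshots are constructed for illustration; they
are not an SAO standard or real audit data."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    hostname: str
    role: str                   # "workstation" or "server"
    local_admin_enabled: bool   # local administrative account usable?
    running_services: set[str]
    min_password_length: int    # effective password policy on the host
    lockout_threshold: int      # failed logons before lockout; 0 = none
    missing_critical_patches: int


# Assumed minimum baseline (illustrative values, not a published standard).
BASELINE = {
    "allowed_services": {"workstation": {"ssh"}, "server": {"ssh", "https"}},
    "min_password_length": 12,
    "max_lockout_threshold": 10,
}


def check_host(host: HostSnapshot) -> list[str]:
    """Return one finding per baseline deviation (empty list = compliant)."""
    findings: list[str] = []
    # Local administrative accounts should be disabled on workstations.
    if host.role == "workstation" and host.local_admin_enabled:
        findings.append("local administrative account enabled on workstation")
    # Turn off all unnecessary services.
    extra = host.running_services - BASELINE["allowed_services"][host.role]
    if extra:
        findings.append("unnecessary services running: " + ", ".join(sorted(extra)))
    # Password audit: hardening settings applied on the host.
    if host.min_password_length < BASELINE["min_password_length"]:
        findings.append(f"minimum password length {host.min_password_length} below baseline")
    if not 0 < host.lockout_threshold <= BASELINE["max_lockout_threshold"]:
        findings.append("account lockout threshold missing or too permissive")
    # Patch levels are reviewed alongside configuration.
    if host.missing_critical_patches > 0:
        findings.append(f"{host.missing_critical_patches} critical patches missing")
    return findings


def audit(hosts: list[HostSnapshot]) -> dict[str, list[str]]:
    """Map each hostname to its list of findings."""
    return {h.hostname: check_host(h) for h in hosts}


def summarize(report: dict[str, list[str]]) -> tuple[int, list[str]]:
    """Total number of findings and the sorted names of non-compliant hosts."""
    total = sum(len(f) for f in report.values())
    return total, sorted(name for name, f in report.items() if f)


# Constructed sample: one weak workstation, one compliant server.
SAMPLE_HOSTS = [
    HostSnapshot("ws-fin-01", "workstation", True, {"ssh", "telnet"}, 8, 0, 3),
    HostSnapshot("app-srv-01", "server", False, {"ssh", "https"}, 14, 5, 0),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HOSTS).items():
        print(name, "->", findings or "compliant")
```

In practice the snapshot fields would be populated from the auditee's configuration exports rather than typed by hand, and the baseline would come from the entity's own hardening standard.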

  15. How does SAO perform audit of security of information systems beyond normal IT audit?
  • Evaluate the government entity's security-related people, process and technology capabilities against best-practice standards.
  • When performing logical access testing as part of the IT general controls review for the audit of the information system, the IT auditors:
    • Obtain the password policy and walk through applications to confirm the adequacy of password controls
    • Test password capabilities against real-life scenarios by subjecting password files to password cracking software to test the strength of passwords
  • SAO adopts a two-pronged approach:
    • Security program management maturity assessment and results from the audit of the information system, combined with scenario-based technical testing (audit of security of IS) such as:
      • External penetration testing to simulate external attacks
      • Internal penetration testing to simulate rogue or malicious employees

  16. IT environment – a practical approach to integrating audit of security into IT audit and financial audit engagement – SAO's experiment
  (Diagram on the original slide; its labels are listed here.)
  • Objective of control: misstatement in the financial statements
  • Financial statement assertions – significant accounts, e.g. revenue, expenditure (e.g. existence, completeness, valuation, rights and obligations, presentation and disclosure)
  • Planning and risk identification; entity level control assessment; flow of transactions (initiate, authorize, process, record, report)
  • Audit of security – confirms design effectiveness ("Could it work?") and operational effectiveness ("Did it work?")
  • Control layers: penetration testing; application controls (e.g. configurable and non-configurable); IT dependent manual controls; manual controls; IT general controls (e.g. change management, logical access security, IT operations) – Identify, Protect, Detect, Respond, Recover
  • Walk-throughs and control testing; electronic audit evidence; substantive testing / analytics; audit enablers (IT/CAATs – AMIS, e.g. IDEA, Teammate)
  • Examples of business sub-cycles: revenue cycle; procurement and accounts payable; expenditure/cash disbursement; payroll; financial statement close process
  • Applications: AFMIS/FreeBalance (financial reporting, Treasury disbursement applications); ASYCUDA (customs); SIGTAS (tax/revenue); HRMIS; payroll applications
  • Financial statement audit (nature, timing and extent)

  17. Why are IT General Controls important for the SAO and government?
  • IT General Controls are essential to protect government IT assets, customers and sensitive information; demonstrate safe, efficient and ethical behavior; and preserve brand, reputation and trust.
  • Without effective IT General Controls, reliance on IT systems may not be possible, leading to some of the following situations:
    • Cyber security risks are not mitigated
    • The IT internal control environment and governance can be compromised at the government entity
    • Government cannot rely on application controls in AFMIS, hence limited assurance on financial statements generated from computer applications
    • Significant deficiencies / material weaknesses reported by SAO to the PAC
    • Inefficient audit: a lot of time spent by SAO auditors performing substantive/detailed tests rather than relying on the effectiveness of IT general controls and performing limited risk-based tests to gain assurance

  18. IT General Controls focus areas for SAO
  (Diagram on the original slide; labels: Entity Level Controls – Laws, Policies, Procedures, Organization Structures.)
  NOTE: The above IT control objectives are based on recognized IT control models including COBIT, COSO and the INTOSAI WGITA handbook.

  19. Information Security Assessment Methodology: SAO experiment
  (Diagram on the original slide; its labels are listed here.)
  • Business strategy alignment; statutory compliance (laws, regulations, policies and standards); governance and structure of information security; process and operational practices; technical security architecture; security awareness
  • Audit scope
    • Security of information assets: data protection, software application controls security, server/host security, network and communications security, physical security, people security, 3rd party management
    • Identity and access management; secure SDLC; threat and vulnerability management; problem and incident management; backup process; business continuity / DRP management
    • Security monitoring: system events, security alerts, audit trails and logs, monitoring, metrics and reporting
    • Functional operation; protection of IT infrastructure; resiliency; data

  20. Establishing the scope for a cyber security audit within the audit universe
  • The key challenge for SAO is including cyber security audit within the IT audit universe.
  • This can be approached by:
    • Performing external and internal attack and penetration tests through independent security firms where in-house capability is lacking, as is the case at SAO
    • Analyzing the individual components of the definition of cybersecurity, "the body of technologies, processes and practices designed to protect networks, computers, programs and data from attack, damage or unauthorized access": an auditor can relate these components to existing IT infrastructure audits that are typically listed as standalone audits within the audit universe
  • The most common IT infrastructure audits that relate directly to the scope of a cyber-security audit include: data privacy audits, vulnerability and threat management audits, network security audits, data access audits, operating system domain/server audits and certain aspects of an IT governance audit.

  21. The security audits that make an impact (figure on the original slide)

  22. Minimum audit skills for the team members
  • The IT audit and assurance professional must have an understanding of security and controls.
  • The IT auditor must perform the necessary research to understand the underlying technologies used in cybersecurity to identify, protect, detect and respond to cyber threats and attacks.
  • The auditor should have sufficient functional and business knowledge to assess alignment with the business strategy.
  • Professionals holding the CISA certification should comply with ITAF standard 1006 (Proficiency).
  • All SAO security audit personnel should have at least one security certification:
    • Certified Information Systems Auditor (CISA)
    • Certified Information Security Manager (CISM)
    • Certified Information Systems Security Professional (CISSP)
    • Certified Ethical Hacker (CEH)
    • Microsoft Certified Professional (MCP)
    • Cisco Certified Network Associate (CCNA)
    • Certified Protection Professional (CPP)
    • ISO 27001 Lead Auditor
  The skills gap at SAO is currently being managed by outsourcing to an international consultant to train and professionalize the IT auditors.

  23. Sample security maturity assessment tool
  • Information security management maturity assessment result using ISACA's Information Security Management Audit/Assurance Program (figure on the original slide)

  24. Sample security assessment tools – Applied in SAO audits
  • SAO has also used the Kali Linux penetration testing distribution, which mirrors our methodology and allows us to quickly and methodically collect relevant data during a technical security audit. This toolset is a collection of public and commercial tools, allowing flexibility and customisation for each engagement.
  • Security testing tools such as the Nessus Professional vulnerability scanner and the Metasploit exploitation framework are available in Kali Linux.
  • The Kali Linux toolset contains web server assessment tools that enable our team to perform checks against AFMIS web servers based on the platform used.
  • It also contains network-focused penetration testing tools. These are used to test whether Internet-facing servers, or services running on those servers, are vulnerable to remote exploits that may result in unauthorised access, information leakage or denial-of-service attacks.

  25. Lessons learned – Mandate and role of SAI in promoting, strengthening and audit of cyber risk
  • A special mandate for IT audit needs to be specified in the SAO audit laws, because there are challenges in obtaining electronic audit evidence from government and outsourced partners.
  • Protocols and policies for integration with other audit types need to be established and embedded within the audit methodology.
  • SAIs can promote information security by making good and practical recommendations to government in audit reports and following up to ensure implementation.
  • For instance, SAO strives to make government aware that information security can be improved by:
    • A clear understanding of the current state, to enable risk-based security decisions
    • Having a security strategy aligned with government needs
    • Focusing on the areas that pose the most risk in the audit
    • Effectively managing security inside and outside
    • Optimizing the spend on managing information security risk
    • Enabling cost-effective and sustainable security program management

  26. Lessons learned – Role of SAI in promoting, strengthening and audit of cyber risk
  • Cyber risks continue to grow in frequency, variety and the potential harm they can cause to government businesses, their partners and their customers.
  • The Afghanistan government takes these risks seriously, but more can be done, both to combat the dangers and to keep government leaders apprised of cybersecurity preparedness.
  • SAO has a critical role in helping the government in the ongoing battle of managing cyber threats, both by providing an independent assessment of existing and needed controls and by helping government leaders understand and address the diverse risks of the digital world.

  27. Lessons learned – SAO role and audit considerations (figure on the original slide)

  28. Lessons learned – SAO role and audit considerations (figure on the original slide)

  29. Next steps – Key priorities for SAO to grow capacity and support areas from the INTOSAI community
  • People
    • Recruit, train and professionalize/certify more IT auditors to build capacity to conduct IT audits and audits in an IT environment
    • Increase skill set in data analytics, information and cyber security audit
  • Process
    • Revamp the audit methodology to promote integrated audits of IT with financial, performance and compliance audit, in line with INTOSAI standards
    • Increased IT audit coverage year on year
  • Technology
    • Implementation of an audit management information system
