Practical Implementation of Automated Assessment Tools for the IT Auditor
John A. Otte, CISSP, CISA, CFE, EnCE, MSIA
Director, Strategic Services, FishNet Security
Agenda
• IT Audit and assessment testing background
• Audit and assessment planning issues
• Challenges to conducting the IT audit
• Benefits of automated assessment tools
• Examples of automated assessment tools
• Automated assessment tools and compliance
• Questions and open forum
IT Audit and assessment testing background
• Requirements to fulfill internal and external control reviews
• Compliance with federal, state, local and industry regulatory acts
• Detect, prevent and deter misuse, abuse or exposure of systems and data
• Identify and remediate system, process or control weaknesses
• Determine the adequacy of design and the operating effectiveness of critical business processes
• Reduce the overall business risk to information systems and data
Audit and assessment planning issues
• Integrated audit versus IT audit
• Time required of the audit and operational staff to conduct the audit
• Testing methodology (e.g., manual versus automated)
• Findings classification and determination
• Communication and reporting of findings
Challenges to conducting the IT audit
• IT Auditors need to determine the impact of the systems being assessed during the course of the audit (relevance and criticality)
• Determining the audit approach: manual/checklist versus automated/scripted
• Since information is available electronically and not necessarily in hard copy, the traditional methods used to gather and evaluate information may not be sufficient
• Some IT audits require an advanced level of technical skill or an in-depth understanding of systems (e.g., operating systems, applications, databases)
• IT Auditors need a deeper understanding of general computer controls (including the use of automated assessment tools) and the potential impact such controls may have on the audit approach
• Disparate reports and non-integrated system logs and history
Challenges to conducting the IT audit (continued)
• Areas most difficult for the IT Auditor to assess include:
  • Access controls (firewall rules, ACLs)
  • Change management (adds, changes, deletes)
  • Segregation of duties
  • User or system account access to data
  • Location of critical data (applications, databases, storage)
  • Data discovery (at rest, in motion)
• Some IT audits are extremely resource intensive and require significant IT interaction
Benefits of automated assessment tools
• Help overcome issues associated with manual testing of systems and processes
• Most tools are quick to run and require less interaction with IT and business staff
• Provide autonomy and flexibility in the audit approach
• Yield more detailed information than could be acquired manually
• Many reports are written in non-technical language so that most IT Auditors can understand and use the information regardless of technical skill set
• Reduce audit costs while increasing audit coverage and the quality of value-added recommendations
• Help identify the high, critical or most vulnerable risk areas sooner, maximizing remediation timeframes
• Illustrate risks and priorities to IT and business units alike
Vulnerability Assessment - Nessus
Demo videos: http://www.nessus.org/demos/index.php?view=demo_videos
Data Discovery - Vontu
• Allows an IT Auditor to search for and identify “critical” data within information processing systems (servers, desktops, workstations, databases, storage)
• Provides the ability to remediate found data (move, erase, quarantine)
• Gives the IT Auditor a means by which to expand or reduce the scope of an audit based on findings
• Supports the IT Auditor’s remediation findings with validated evidence of the discovered “critical data”
• Empowers the IT Auditor to be a “business enabler” when making recommendations on internal controls or business processes
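The discovery step described above, as an added example (not code from the original deck and not Vontu's own scanner): a Python script that walks a directory, regex-matches candidate payment card numbers, keeps only those that pass the Luhn check so that order numbers and phone numbers do not inflate the findings, and reports hits masked so the audit report itself does not become another copy of the sensitive data. The sample files and their contents are constructed for the example.

```python
"""Data discovery for an audit: locate Luhn-valid payment card numbers (PANs).

Added example; not code from the original deck and not Vontu's scanner.
Sample files are constructed inline so the script runs offline.
"""
import os
import re
import tempfile
from collections import defaultdict

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits (avoids slicing a piece out of a longer number).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers in text, digits only."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root: str) -> dict:
    """Map each file under root to the masked PANs found in it."""
    findings = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    for pan in find_pans(fh.read()):
                        findings[path].append(mask(pan))
            except OSError:
                pass  # unreadable file: a real scanner would log this as a coverage gap
    return dict(findings)


def make_sample_tree() -> str:
    """Create constructed sample files in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="discovery_")
    samples = {  # constructed content: one valid PAN, one Luhn-invalid, noise
        "exports/refunds.csv": "cust,card\nA,4111 1111 1111 1111\nB,4111-1111-1111-1112\n",
        "notes.txt": "call 555-123-4567; po 1234567890123\n",
        "tickets/1042.txt": "charge 5500000000000004 reversed\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, pans in sorted(scan_tree(make_sample_tree()).items()):
        print(path, pans)
```

The Luhn filter is what turns a regex sweep into an audit finding: the 13-digit purchase order number in `notes.txt` matches the pattern but fails the checksum and is dropped, while the two valid numbers are reported with only the masked form, which is what should go into the working papers.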
Firewall Reviews - FireMon
• Enables the IT Auditor to review firewall changes quickly using automation
• Helps the IT Auditor detect potential issues before they arise
• Gives a quick view of the actual risk posed by firewall rules
• Enables the IT Auditor to maintain continual analysis of rule changes and their impact
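The change review described above, as an added example (not code from the original deck and not FireMon's logic): a Python script that diffs two rule-set snapshots taken before and after a change window, flags the added permits an auditor checks first (any-to-any, and risky services opened from any source), and lists dead rules that an earlier rule already covers. It assumes a simplified vendor-neutral rule format, one rule per line, `<action> <source> <destination> <service>`, with `any` as a wildcard and CIDR or host addresses otherwise; both snapshots are constructed.

```python
"""Firewall change review: diff two rule-set snapshots and flag risky rules.

Added example; not code from the original deck and not FireMon's logic.
Assumed rule format: "<action> <source> <destination> <service>" per line.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str
    src: str
    dst: str
    service: str


RISKY_SERVICES = {"ssh", "rdp", "telnet", "smb", "mssql", "mysql", "oracle", "any"}

# Constructed snapshots: before and after a change window.
OLD_RULES = """
deny   any          10.0.0.0/8  telnet
permit 10.1.0.0/16  10.2.0.5    https
permit 10.1.0.0/16  10.2.0.5    mssql
"""
NEW_RULES = """
deny   any          10.0.0.0/8  telnet
permit 10.1.0.0/16  10.2.0.5    https
permit any          10.2.0.5    mssql   # widened for "vendor access"
permit any          any         any     # "temporary" troubleshooting rule
permit 10.3.0.1     10.2.0.5    ssh     # never matches: the rule above covers it
"""


def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, src, dst, service = line.split()
        rules.append(Rule(action.lower(), src, dst, service.lower()))
    return rules


def _covers(a: str, b: str, is_addr: bool) -> bool:
    """True if field value a matches everything that field value b matches."""
    if a == "any" or a == b:
        return True
    if not is_addr or b == "any":
        return False
    try:  # CIDR containment, e.g. 10.1.0.0/16 covers 10.1.2.3
        return ipaddress.ip_network(b, strict=False).subnet_of(
            ipaddress.ip_network(a, strict=False))
    except (ValueError, TypeError):
        return False


def covers(earlier: Rule, later: Rule) -> bool:
    return (_covers(earlier.src, later.src, True)
            and _covers(earlier.dst, later.dst, True)
            and _covers(earlier.service, later.service, False))


def dead_rules(rules: list) -> list:
    """Rules fully shadowed by an earlier rule (first match wins)."""
    return [r for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])]


def risk_flags(rule: Rule) -> list:
    flags = []
    if rule.action != "permit":
        return flags
    if rule.src == "any" and rule.dst == "any" and rule.service == "any":
        flags.append("any-any-any permit")
    elif rule.src == "any" and rule.service in RISKY_SERVICES:
        flags.append(f"{rule.service} exposed from any source")
    return flags


def review(old_text: str, new_text: str) -> dict:
    old, new = parse_rules(old_text), parse_rules(new_text)
    added = [r for r in new if r not in set(old)]
    removed = [r for r in old if r not in set(new)]
    return {
        "added": added,
        "removed": removed,
        "risky": [(r, risk_flags(r)) for r in added if risk_flags(r)],
        "dead": dead_rules(new),
    }


if __name__ == "__main__":
    for key, items in review(OLD_RULES, NEW_RULES).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run against the two snapshots, the review shows the narrowed MSSQL rule replaced by one open to any source, the any-any-any permit, and that the later SSH rule is dead because the troubleshooting rule above it already matches that traffic. A real rule base also needs port ranges, negation and zone or interface context, which this format deliberately omits.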
Segregation of Duties – Benefits
• Reduces the labor-intensive task of manually reviewing user access to systems and data
• Expedites the testing process for user access reviews
• Analyzes controls at the level of specific transactions
• Quick and easy-to-understand reporting on potential conflicts
• Helps IT Auditors better understand both defined and undefined roles within the organization
• Reduces the overall likelihood of control failures and fraud
Segregation of Duties – Product Platforms
• Oracle – built-in tools
• SAP – Virsa, Business Intelligence, Firefighter, ECC 6.0
• Excel spreadsheets – ComplyXL
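The transaction-level conflict analysis described on the benefits slide, as an added example (not code from the original deck and not the logic of any product named above): a Python script that takes three inputs an auditor can usually export, the transactions each role grants, the roles assigned to each user, and a conflict matrix of transaction pairs no one person should hold. It reports each conflict with the roles granting each side, so the auditor can see whether a single role or a combination of roles causes it, marks conflicts that have a documented compensating control, and separately lists roles that are conflicting on their own. All role, user and transaction data is constructed.

```python
"""Segregation-of-duties review: users whose combined access creates conflicts.

Added example; not code from the original deck or any named product.
All inputs below are constructed.
"""
from dataclasses import dataclass

ROLE_TRANSACTIONS = {
    "AP_CLERK":    {"create_vendor", "enter_invoice"},
    "AP_MANAGER":  {"approve_invoice", "release_payment"},
    "PURCHASER":   {"create_po"},
    "PO_APPROVER": {"approve_po"},
    "GL_SUPER":    {"post_journal", "approve_journal"},  # conflict inside one role
}

# Pairs of transactions that must not be held by the same person.
CONFLICT_PAIRS = [
    ("create_vendor", "release_payment"),
    ("enter_invoice", "approve_invoice"),
    ("create_po", "approve_po"),
    ("post_journal", "approve_journal"),
]

USER_ROLES = {
    "alice": {"AP_CLERK", "AP_MANAGER"},
    "bob":   {"AP_CLERK"},
    "carol": {"PURCHASER", "PO_APPROVER"},
    "dave":  {"GL_SUPER"},
}

# Conflicts accepted with a documented compensating control (assumed here:
# independent monthly PO review for carol). Still reported, just marked.
MITIGATED = {("carol", "create_po", "approve_po")}


@dataclass(frozen=True)
class Finding:
    user: str
    first: str
    second: str
    via_first: tuple    # roles granting the first transaction
    via_second: tuple   # roles granting the second transaction
    mitigated: bool


def roles_granting(user_roles: set, transaction: str, role_transactions: dict) -> tuple:
    """Which of the user's roles grant this transaction (sorted for stable output)."""
    return tuple(sorted(r for r in user_roles
                        if transaction in role_transactions.get(r, ())))


def sod_conflicts(user_roles: dict, role_transactions: dict,
                  conflict_pairs: list, mitigated=frozenset()) -> list:
    """Every (user, conflicting pair) where the user holds both transactions."""
    findings = []
    for user in sorted(user_roles):
        roles = user_roles[user]
        for first, second in conflict_pairs:
            via_first = roles_granting(roles, first, role_transactions)
            via_second = roles_granting(roles, second, role_transactions)
            if via_first and via_second:
                findings.append(Finding(user, first, second, via_first, via_second,
                                        (user, first, second) in mitigated))
    return findings


def toxic_roles(role_transactions: dict, conflict_pairs: list) -> dict:
    """Roles that grant both sides of a conflict by themselves."""
    toxic = {}
    for role, txns in role_transactions.items():
        pairs = [(a, b) for a, b in conflict_pairs if a in txns and b in txns]
        if pairs:
            toxic[role] = pairs
    return toxic


if __name__ == "__main__":
    for f in sod_conflicts(USER_ROLES, ROLE_TRANSACTIONS, CONFLICT_PAIRS, MITIGATED):
        status = "mitigated" if f.mitigated else "OPEN"
        print(f"{f.user}: {f.first} via {f.via_first} + {f.second} via {f.via_second} [{status}]")
    print("toxic roles:", toxic_roles(ROLE_TRANSACTIONS, CONFLICT_PAIRS))
```

The distinction between the two reports matters for the recommendation: alice's conflicts come from a combination of two individually clean roles, which is fixed by changing her assignment, whereas GL_SUPER is a toxic role and every holder of it is a finding until the role itself is split.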
Automated assessment tools and compliance
• Payment Card Industry Data Security Standard (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act of 2002 (SOX)
• Gramm-Leach-Bliley Act (GLBA)
Frameworks
• ISO/IEC 27001 and 27002
• COBIT
• COSO
• OCTAVE
• NIST