Practical Implementation of Automated Assessment Tools for the IT Auditor - PowerPoint PPT Presentation

Presentation Transcript
  1. Practical Implementation of Automated Assessment Tools for the IT Auditor
  John A. Otte, CISSP, CISA, CFE, EnCE, MSIA
  Director, Strategic Services, FishNet Security

  2. Agenda
  • IT audit and assessment testing background
  • Audit and assessment planning issues
  • Challenges to conducting the IT audit
  • Benefits of automated assessment tools
  • Examples of automated assessment tools
  • Automated assessment tools and compliance
  • Questions and open forum

  3. IT audit and assessment testing background
  • Requirements to fulfill internal and external control reviews
  • Compliance with federal, state, local and industry regulatory acts
  • Detect, prevent and deter misuse, abuse or exposure of systems and data
  • Identify and remediate system, process or control weaknesses
  • Determine the adequacy of design and operating effectiveness of critical business processes
  • Reduce the overall business risk to information systems and data

  4. Audit and assessment planning issues
  • Integrated audit versus IT audit
  • Time required of the audit and operational staff to conduct the audit
  • Testing methodology (e.g., manual versus automated)
  • Findings classification/determination
  • Communication/reporting of findings

  5. Challenges to conducting the IT audit
  • IT auditors need to determine the impact of the systems being assessed during the course of the audit (relevance and criticality)
  • Determining the audit approach: manual/checklist versus automated/scripted
  • Since information is available electronically and not necessarily in hardcopy, the traditional methods used to gather and evaluate information may not be sufficient
  • Some IT audits require an advanced level of technical skill or in-depth understanding of systems (e.g., operating systems, applications, databases)
  • IT auditors need a deeper understanding of general computer controls (including the use of automated assessment tools) and the potential impact such controls may have on the audit approach
  • Disparate reports, and non-integration of system logs and/or history

  6. Challenges to conducting the IT audit (continued)
  • Areas most difficult for the IT auditor to assess include:
    • Access controls (firewall rules, ACLs)
    • Change management (adds, changes, deletes)
    • Segregation of duties
    • User or system account access to data
    • Location of critical data (applications/databases/storage)
    • Data discovery (at rest, in motion)
  • Some IT audits are extremely resource intensive and require significant IT interaction

  7. Benefits of automated assessment tools
  • Help overcome issues associated with manual testing of systems and processes
  • Most tools are quick to run and require less interaction with IT and business staff
  • Provide autonomy and flexibility to the audit approach
  • Yield more detailed information than could be gathered manually
  • Many reports are written in non-technical language, so most IT auditors can understand and use the information regardless of technical skill set
  • Reduce audit costs while increasing audit coverage and the quality of value-added recommendations
  • Help rapidly identify "high", "critical" or most vulnerable risk areas sooner, to maximize remediation timeframes
  • Illustrate risks and priorities to IT and business units alike

  8. Examples of automated assessment tools

  9. Vulnerability Assessment - Nessus http://www.nessus.org/demos/index.php?view=demo_videos
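The Nessus slide above is a link to demo videos; what an auditor actually does with a Nessus scan is export it and work the findings into a prioritized list (the "identify high and critical risk areas sooner" point from slide 7). The following is an added example for this transcript, not code from the presentation or from Tenable. It assumes the .nessus v2 XML layout (ReportHost elements containing ReportItem elements with a numeric severity attribute, 0 = Info through 4 = Critical); SAMPLE_NESSUS is constructed sample data with made-up plugin IDs and hosts.

```python
"""Triage a Nessus .nessus (v2) export into an audit remediation queue.

Added example; assumes the .nessus v2 layout described in the lead-in.
SAMPLE_NESSUS is constructed sample data (fake hosts, fake plugin IDs).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<NessusClientData_v2>
 <Report name="audit-scope">
  <ReportHost name="10.0.0.5">
   <HostProperties><tag name="host-fqdn">db01.example.test</tag></HostProperties>
   <ReportItem port="1433" svc_name="mssql" protocol="tcp" severity="4"
       pluginID="900001" pluginName="Database server unsupported version">
    <risk_factor>Critical</risk_factor><cvss_base_score>10.0</cvss_base_score>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
       pluginID="900002" pluginName="SMB signing not required">
    <risk_factor>High</risk_factor><cvss_base_score>7.5</cvss_base_score>
   </ReportItem>
   <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
       pluginID="900003" pluginName="OS identification">
    <risk_factor>None</risk_factor>
   </ReportItem>
  </ReportHost>
  <ReportHost name="10.0.0.9">
   <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
       pluginID="900004" pluginName="Web server directory listing">
    <risk_factor>Medium</risk_factor><cvss_base_score>5.0</cvss_base_score>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def parse_findings(xml_text):
    """Flatten every ReportItem into a dict the auditor can sort and filter."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        fqdn = host.findtext("HostProperties/tag[@name='host-fqdn']") or ""
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "fqdn": fqdn,
                "port": int(item.get("port", "0")),
                "protocol": item.get("protocol", ""),
                "severity": int(item.get("severity", "0")),
                "plugin_id": item.get("pluginID", ""),
                "name": item.get("pluginName", ""),
                # Info-level items carry no CVSS score; treat that as 0.0
                "cvss": float(item.findtext("cvss_base_score") or 0.0),
            })
    return findings


def severity_counts(findings):
    """Per-host count by severity name: the summary table in the workpapers."""
    counts = defaultdict(lambda: {name: 0 for name in SEVERITY_NAMES.values()})
    for f in findings:
        counts[f["host"]][SEVERITY_NAMES.get(f["severity"], "Info")] += 1
    return dict(counts)


def prioritized_hosts(findings, min_severity=3):
    """Hosts ranked by (critical count, high count, max CVSS), worst first.

    Hosts with nothing at or above min_severity are left out entirely, so the
    list is the remediation queue rather than the whole inventory.
    """
    per_host = defaultdict(lambda: {"critical": 0, "high": 0, "max_cvss": 0.0})
    for f in findings:
        if f["severity"] < min_severity:
            continue
        entry = per_host[f["host"]]
        if f["severity"] == 4:
            entry["critical"] += 1
        elif f["severity"] == 3:
            entry["high"] += 1
        entry["max_cvss"] = max(entry["max_cvss"], f["cvss"])
    return sorted(
        per_host.items(),
        key=lambda kv: (kv[1]["critical"], kv[1]["high"], kv[1]["max_cvss"]),
        reverse=True,
    )


if __name__ == "__main__":
    found = parse_findings(SAMPLE_NESSUS)
    for host, counts in severity_counts(found).items():
        print(host, counts)
    for host, entry in prioritized_hosts(found):
        print(f"{host}: {entry['critical']} critical, {entry['high']} high, "
              f"max CVSS {entry['max_cvss']}")
```

Ranking on counts first and CVSS second keeps a host with one critical above a host with many mediums, which is the order the remediation discussion with IT normally has to follow. Lower `min_severity` to 2 when the audit scope calls for medium findings as well.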

  10. Data discovery - Vontu
  • Allows an IT auditor to search for and identify "critical" data within information processing systems (servers, desktops, workstations, databases, storage)
  • Provides the ability to remediate found data (move, erase, quarantine)
  • Gives the IT auditor a means by which to expand or reduce the scope of an audit based on findings
  • Substantiates the IT auditor's remediation findings once the discovered "critical" data has been validated
  • Empowers the IT auditor to be a "business enabler" when making recommendations on internal controls or business processes
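The core of the data discovery described on this slide is pattern matching with a validation step behind it, so that a 16-digit build number is not reported as a card number. The block below is an added example for this transcript, not Vontu's code or the presentation's: it finds card numbers (regex plus Luhn check, the approach most DLP products use) and SSNs (regex plus the structural exclusions the SSA publishes) in text. SAMPLE_FILES is constructed sample content; 4111 1111 1111 1111 is the well-known test card number, not a real account, and the SSNs are made up.

```python
"""Discover card numbers and SSNs in text, the way a data discovery tool does.

Added example; SAMPLE_FILES is constructed, 4111 1111 1111 1111 is the
public test card number and all other values are invented.
"""
import re
from collections import Counter

# 13 to 19 digits, optionally separated by spaces or hyphens, and not part of a longer digit run
PAN_RE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")
SSN_RE = re.compile(r"(?<![0-9-])([0-9]{3})-([0-9]{2})-([0-9]{4})(?![0-9-])")

SAMPLE_FILES = {
    "finance/q3-refunds.txt": "Refund to card 4111 1111 1111 1111 approved, ref 20230915-0042\n",
    "hr/onboarding.csv": "name,ssn\nJ. Doe,123-45-6789\nPlaceholder,000-12-3456\n",
    # looks like a card number but fails the Luhn check: must not be reported
    "it/build.log": "artifact id 4111-1111-1111-1112 built in 17 ms\n",
}


def luhn_ok(digits):
    """Luhn mod-10 check over a string of digits (right to left, double every second)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area, group, serial):
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")


def scan_text(text):
    """Return (kind, masked value, offset) for each validated hit, in file order.

    Only the last four digits are kept, so the audit workpaper itself does not
    become another copy of the critical data.
    """
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("PAN", "*" * (len(digits) - 4) + digits[-4:], m.start()))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("SSN", "***-**-" + m.group(3), m.start()))
    return sorted(hits, key=lambda h: h[2])


def scan_files(files):
    """Map each path to a Counter of data types found; clean files are omitted."""
    report = {}
    for path, content in files.items():
        hits = scan_text(content)
        if hits:
            report[path] = Counter(kind for kind, _, _ in hits)
    return report


if __name__ == "__main__":
    for path, counts in scan_files(SAMPLE_FILES).items():
        print(path, dict(counts))
```

The validation step is what makes the output usable as evidence: without the Luhn check the build log would be a finding, and the auditor would be chasing a false positive with the IT team instead of remediating real exposures.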

  11. Firewall reviews - Firemon
  • Enables the IT auditor to quickly review firewall changes using automation
  • Helps the IT auditor detect potential issues before they become incidents
  • Gives a quick view of the actual risk in the firewall rule base
  • Enables the IT auditor to maintain continual analysis of rule changes and their impact
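The "quick view of actual risk" on this slide comes from checks any rule-base analyzer runs: overly permissive rules, cleartext management services exposed to untrusted sources, and rules that are shadowed (never matched) by an earlier rule, which is how a "temporary" change silently disables the deny-all at the bottom. The following is an added example for this transcript, not Firemon's code or the presentation's. It assumes a vendor-neutral CSV export with one rule per line in evaluation order (name, action, source, destination, protocol, ports); SAMPLE_RULES is constructed sample data.

```python
"""Review a firewall rule base for permissive, exposed and shadowed rules.

Added example; assumes a generic CSV export in evaluation order. SAMPLE_RULES
is constructed sample data, not an export from any real device.
"""
import csv
import io
import ipaddress

SAMPLE_RULES = """name,action,src,dst,proto,ports
allow-dmz-web,allow,0.0.0.0/0,10.1.0.0/24,tcp,"80,443"
allow-admin-ssh,allow,10.9.0.0/24,10.1.0.0/24,tcp,22
temp-vendor-any,allow,0.0.0.0/0,0.0.0.0/0,any,any
allow-db,allow,10.1.0.0/24,10.2.0.5/32,tcp,1433
legacy-telnet,allow,0.0.0.0/0,10.2.0.0/24,tcp,23
deny-all,deny,0.0.0.0/0,0.0.0.0/0,any,any
"""

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
CLEARTEXT_MGMT = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin"}


def _ports(spec):
    """'any' -> None (all ports); '22', '80,443' or '8000-8100' -> frozenset of ints."""
    if spec.strip().lower() == "any":
        return None
    out = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = part.split("-")
            out.update(range(int(lo), int(hi) + 1))
        else:
            out.add(int(part))
    return frozenset(out)


def parse_rules(text):
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        rules.append({
            "name": row["name"],
            "action": row["action"].strip().lower(),
            "src": ipaddress.ip_network(row["src"].strip()),
            "dst": ipaddress.ip_network(row["dst"].strip()),
            "proto": row["proto"].strip().lower(),
            "ports": _ports(row["ports"]),
        })
    return rules


def _covers(a, b):
    """True if rule a matches every packet rule b matches (so b is dead if a is earlier)."""
    proto_ok = a["proto"] == "any" or a["proto"] == b["proto"]
    ports_ok = a["ports"] is None or (b["ports"] is not None and b["ports"] <= a["ports"])
    return (proto_ok and ports_ok
            and b["src"].subnet_of(a["src"]) and b["dst"].subnet_of(a["dst"]))


def review_rules(rules):
    """Return (rule name, issue) pairs in rule-base order."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "allow":
            if (rule["src"] == ANY_NET and rule["dst"] == ANY_NET
                    and rule["proto"] == "any" and rule["ports"] is None):
                findings.append((rule["name"], "any/any/any allow: permits all traffic"))
            if rule["src"] == ANY_NET and rule["ports"] is not None:
                for port in sorted(rule["ports"] & set(CLEARTEXT_MGMT)):
                    findings.append((rule["name"],
                                     f"{CLEARTEXT_MGMT[port]} (tcp/{port}) exposed to any source"))
        # shadowing applies to deny rules too: a buried deny-all is the classic finding
        for earlier in rules[:i]:
            if _covers(earlier, rule):
                findings.append((rule["name"],
                                 f"shadowed by earlier rule '{earlier['name']}' (never matched)"))
                break
    return findings


if __name__ == "__main__":
    for name, issue in review_rules(parse_rules(SAMPLE_RULES)):
        print(f"{name}: {issue}")
```

On the sample rule base the single "temporary" any/any rule produces four of the five findings, which is the picture the auditor needs to present: the three rules after it, including the deny-all, are no longer doing anything. Running the same check over each change-management export over time is the "continual analysis" the slide refers to.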

  12. Segregation of duties - benefits
  • Reduces the labor-intensive task of manually reviewing user access to systems and data
  • Expedites the testing process for user access reviews
  • Analyzes controls at the level of specific transactions
  • Quick and easy-to-understand reporting on potential conflicts
  • Helps IT auditors better understand both defined and undefined roles within the organization
  • Reduces overall risk and the likelihood of fraud

  13. Segregation of duties - product platforms
  • Oracle - built-in tools
  • SAP - Virsa, Business Intelligence, Firefighter, ECC 6.0
  • Excel spreadsheets - ComplyXL
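Whatever platform is used (slides 12 and 13), the analysis underneath is the same: map each user's roles to the transactions they grant, map transactions to business functions, and test every user against a rule set of function pairs that one person should not hold. The block below is an added example for this transcript, not the code of SAP GRC, Virsa, ComplyXL or Oracle's tools. It assumes an ERP-style extract of users, roles and transaction codes; the user IDs, role names and transaction-to-function mapping are constructed sample data, and the SAP-style transaction codes are labels used only for illustration. It also separates the two findings an auditor reports differently: a conflict built into a single role (a design defect) versus one created by assigning two otherwise clean roles to the same person.

```python
"""Segregation-of-duties conflict analysis over a user/role/transaction extract.

Added example; FUNCTIONS, ROLES, USERS and CONFLICT_RULES are constructed
sample data shaped like an ERP authorization extract.
"""
FUNCTIONS = {
    "vendor-master-maintain": {"FK01", "FK02", "XK01"},
    "vendor-payment": {"F110", "F-53"},
    "purchase-order-create": {"ME21N"},
    "goods-receipt": {"MIGO"},
}

# (function A, function B, fraud scenario the pair enables)
CONFLICT_RULES = [
    ("vendor-master-maintain", "vendor-payment",
     "create a fictitious vendor and pay it"),
    ("purchase-order-create", "goods-receipt",
     "order goods and confirm receipt without an independent check"),
]

ROLES = {
    "AP_CLERK": {"FK01", "FK02"},
    "AP_PAYMENTS": {"F110"},
    "AP_SUPERUSER": {"FK01", "F110", "F-53"},   # conflicting by design
    "PURCHASER": {"ME21N"},
    "WAREHOUSE": {"MIGO"},
}

USERS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_PAYMENTS"},         # conflict via role combination
    "carol": {"AP_SUPERUSER"},                  # conflict via a single role
    "dave": {"PURCHASER"},
    "erin": {"PURCHASER", "WAREHOUSE"},
}


def role_functions(role, roles=ROLES, functions=FUNCTIONS):
    """Business functions a role grants: any transaction in the function's set counts."""
    tx = roles[role]
    return {fn for fn, codes in functions.items() if tx & codes}


def find_conflicts(users=USERS, roles=ROLES, rules=CONFLICT_RULES):
    """One record per (user, rule) where the user can perform both functions.

    level == "role" means a single role grants both sides (fix the role);
    level == "user" means only the combination of roles does (fix the assignment).
    """
    conflicts = []
    for user, held in sorted(users.items()):
        for fn_a, fn_b, risk in rules:
            via_a = {r for r in held if fn_a in role_functions(r, roles)}
            via_b = {r for r in held if fn_b in role_functions(r, roles)}
            if not (via_a and via_b):
                continue
            level = "role" if via_a & via_b else "user"
            conflicts.append({
                "user": user,
                "functions": (fn_a, fn_b),
                "level": level,
                "roles": sorted(via_a | via_b),
                "risk": risk,
            })
    return conflicts


def conflicting_roles(roles=ROLES, rules=CONFLICT_RULES):
    """Roles that violate a rule on their own, regardless of who holds them."""
    return sorted(
        r for r in roles
        if any(a in role_functions(r, roles) and b in role_functions(r, roles)
               for a, b, _ in rules)
    )


if __name__ == "__main__":
    print("roles conflicting by design:", conflicting_roles())
    for c in find_conflicts():
        print(f"{c['user']}: {c['functions'][0]} + {c['functions'][1]} "
              f"via {', '.join(c['roles'])} [{c['level']}-level]: {c['risk']}")
```

Reporting the level matters for the remediation recommendation: a user-level conflict is cleared by reassigning one role or adding a mitigating control (for example, an independent review of the payment run), while a role-level conflict recurs every time the role is granted until the role itself is redesigned.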

  14. Automated assessment tools and compliance
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Sarbanes-Oxley Act of 2002 (SOX)
  • Gramm-Leach-Bliley Act (GLBA)

  15. Frameworks
  • ISO (International Organization for Standardization) 27001/27002
  • COBIT
  • COSO
  • OCTAVE
  • NIST

  16. Open discussion