Kevin Savoy, CPA, CISA, CISSP - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
IT Audit
Kevin Savoy, CPA, CISA, CISSP
Director of Information Technology Audits
2
Agenda
  • Why IT audit exists
  • Management's responsibilities
  • Laws and Standards
  • Audit planning
  • Types of Audits
  • Tools and Audit programs
  • Final product

3
Why IT auditors exist
  • For much the same reasons that financial auditors
    exist.
  • To give assurance to stakeholders (customers,
    business partners, investors, employees,
    management) that an organization is properly
    collecting, recording, processing, and reporting
    information pertinent to the organization
    mission.
  • IT auditors evaluate the more technical aspects
    of providing assurance.

4
Internal Audit versus External Audit
  • Internal auditors work for the entity they are
    auditing. In most cases they report to the Board
    directly, but may have lines to operational
    management for day to day activities. I work for
    UVA Internal Audit and am a State employee.
  • External auditors work for an independent entity
    such as the Auditor of Public Accounts (State
    Auditors) or an accounting firm.

5
Internal Audit versus External Audit
  • Usually an entity such as UVA is audited by an
    external auditor once a year but audited by their
    internal audit department all year long.
  • Internal audit more focused on operations while
    external auditors more focused on reliability of
    financial numbers reported to the Commonwealth.
  • The Auditor of Public Accounts creates a large
    compendium of all financial numbers for the
    Comprehensive Annual Financial Report (CAFR)

6
Internal Audit versus External Audit
  • Internal Audit also does more special
    investigations (Fraud, Inappropriate Use of
    Resources, aiding police investigations etc.)
  • Both Internal and External may have IT auditors
  • At UVA I meet with the Auditor of Public Accounts
    IT Auditor to make sure we are not overlapping
    audit areas. We usually can rely on each other's
    work.

7
Who is an IT auditor?
  • Usually we prefer someone with a business and
    information technology background.
  • Should be highly IT savvy with past IT
    operational experience.
  • Prefer that they are Certified Information
    Systems Auditors (CISA) or Certified Information
    System Security Professional (CISSP)
  • Should have accounting and/or information
    technology bachelor degree if not an advanced
    degree.

8
Management Responsibilities
  • The premier step to securing what you have is to
    list what you have and why you want it secure in
    the first place. (Many people skip this step for
    some reason)
  • A farmer who grows corn along a roadside knows
    that some people are going to swipe an ear of
    corn every now and then. He has decided not to
    secure his corn.

9
Management Responsibilities
  • Wal-Mart on the other hand does not like people
    walking away with items.
  • Most business entities feel the same way about
    their systems. They do not want trespassers or
    data compromised. Period.
  • In a perfect world you could secure everything.
    In the real world you must devote time and money
    in a prioritized fashion.

10
Management Responsibilities
  • Entities must perform a Risk Assessment and
    Business Impact Analysis periodically to rank
    from greatest to least the criticality of data
    and processes. (notice I did not say systems)
  • It is best to list data/processes, then hardware
    they reside on. (Many people mistakenly
    come at it from the hardware side.)

11
Management Responsibilities
  • They then must brainstorm to determine the
    threats and vulnerabilities to the data and
    processes, and the risks if a vulnerability is
    exploited (Risk Based Approach).
  • Armed with the list of vulnerabilities an entity
    should be able to point to established controls
    that offset the threat to a possible
    vulnerability.

12
Common Vulnerabilities
  • Environmental (storms, fire, flood, earthquake,
    loss of power)
  • Intentional physical destruction (hammer to your
    servers)
  • Compromise of data (deletion, change of, or
    viewing of data or programs from an insider or
    via the Internet)
  • Denial of service (interrupt normal business by
    affecting hardware or communications)
  • Virus

13
Controls
  • Are policies, standards, and procedures.
  • These should be written
  • In many environments I find that they are not!

14
Controls
  • You or anyone with authorization should be able
    to look at a list of vulnerabilities mapped to
    controls (specific policy, standard or procedure)
  • Applying controls in any other fashion tends to
    be ad hoc, resulting in gaps of coverage.

15
Layered Defense
  • Just like on the battlefield the name of the game
    is to put many obstacles in the path of your
    enemy.
  • Your goal is to make your systems just not worth
    the time and aggravation to compromise.
  • This means that your neighbor may not be so
    lucky, but with some controls you may make it
    harder for even them to be compromised.

16
Control Layers
  • Physical (locks, reports)
  • Operating system (UNIX, NT, Mainframe)
  • Database (Oracle, DB2)
  • Application (Payroll, GL, Peoplesoft)
  • Network (Firewall, router, VPN)
  • If you are not a big technologist you should at
    least see that someone has thought out controls
    for the 5 layers.

17
Sample control objective (only authorized users
have access): vulnerability and controls map
  • My router drops telnet and ftp traffic
  • My firewall screens outside traffic
  • My Unix payroll file permissions are secure
  • My database admin rights are tight
  • My application access password policy is tight-my
    screens are assigned to users by job function
  • I review logs of activity
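The risk assessment on slides 10 and 11, the written vulnerability-to-control map on slide 14 and the five layers on slides 16 and 17 fit together as one small procedure: rank data and processes by criticality, record the written control at each layer for each vulnerability, and look for layers with no control at all. The Python below is an added illustration of that procedure, not code from the presentation or from UVA Internal Audit; the assets, scores, control wording and standard numbers (NET-01 and so on) are constructed placeholders.

```python
# Added example, not from the presentation: a risk-based vulnerability-to-control
# map across the deck's five control layers, with a coverage-gap check.
# All assets, scores, control names and standard numbers below are constructed.

LAYERS = ("physical", "operating_system", "database", "application", "network")

# Constructed Business Impact Analysis for data/processes (not hardware):
# impact and likelihood each rated 1 (low) to 5 (high).
ASSETS = {
    "payroll data": {"impact": 5, "likelihood": 3},
    "student records": {"impact": 5, "likelihood": 4},
    "cafeteria menu": {"impact": 1, "likelihood": 2},
}

# Constructed map: asset -> vulnerability -> [(layer, written control)].
# Every control cites the written policy/standard it comes from.
CONTROL_MAP = {
    "payroll data": {
        "unauthorized access": [
            ("network", "Router drops telnet/ftp; firewall screens outside traffic (NET-01)"),
            ("operating_system", "Payroll file permissions restricted (OS-03)"),
            ("database", "Admin rights limited to named DBAs (DB-02)"),
            ("application", "Screens assigned by job function (APP-05)"),
        ],
    },
    "student records": {
        "unauthorized access": [
            ("network", "Firewall screens outside traffic (NET-01)"),
            ("application", "Role-based screens (APP-05)"),
        ],
    },
    "cafeteria menu": {},
}


def risk_score(asset, assets=ASSETS):
    """Criticality as impact x likelihood (a constructed, simple scoring rule)."""
    return assets[asset]["impact"] * assets[asset]["likelihood"]


def rank_assets(assets=ASSETS):
    """Rank data/processes from greatest to least criticality."""
    return sorted(assets, key=lambda a: risk_score(a, assets), reverse=True)


def coverage_gaps(asset, vulnerability, control_map=CONTROL_MAP, layers=LAYERS):
    """Layers at which no written control is mapped to this vulnerability."""
    controls = control_map.get(asset, {}).get(vulnerability, [])
    covered = {layer for layer, _ in controls}
    return [layer for layer in layers if layer not in covered]


def gap_report(vulnerability="unauthorized access", min_score=10,
               assets=ASSETS, control_map=CONTROL_MAP):
    """Gaps for every asset whose risk score meets the threshold, most critical first."""
    report = {}
    for asset in rank_assets(assets):
        if risk_score(asset, assets) < min_score:
            continue  # low criticality: accepted risk, like the farmer's roadside corn
        gaps = coverage_gaps(asset, vulnerability, control_map, LAYERS)
        if gaps:
            report[asset] = gaps
    return report


if __name__ == "__main__":
    for asset, gaps in gap_report().items():
        print(f"{asset} (score {risk_score(asset)}): no written control at {', '.join(gaps)}")
```

Run as a script it lists, for each critical asset, the layers where nobody has written down a control; that list is exactly what an IT auditor will ask for, and the threshold makes the "accepted risk" decision explicit instead of ad hoc.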

18
IT Audit in a Nutshell
  • IT audit determines whether or not controls are
    in place and functioning properly.
  • The need for controls has now been codified in
    many state and federal acts and standards.
  • This has made the job of the IT auditor often
    easier and sometimes harder.

19
State Security Requirements for Higher Education
  • State agencies and those higher education
    institutions that have not restructured past
    Level 2 must adhere to the IT Information
    Security Standard (Sec 501-01) from VITA
  • UVA, Tech, and William and Mary (Level 3 schools)
    are using the International Organization for
    Standardization (ISO 27002)
  • VCU (Level 3) using a modified Sec 501

20
State Audit Requirements (ITRM Standard
SEC502-00)
  • Level 1 and 2 higher education institutions and
    other Commonwealth agencies must annually provide
    the Virginia Information Technology Agency (VITA)
    a schedule of their IT audits (that are done by
    APA, or Internal Audit, or an outside firm)
  • Quarterly these same entities must report to VITA
    the IT audits performed and findings and a
    corrective action plan. Also must report the
    status of correcting prior findings.

21
State Audit Requirements for level 3 schools
  • Must in essence audit to whatever security
    standard they have chosen in their agreement with
    the State.
  • Do not have to report to VITA.

22
Other Laws
  • HIPAA, FERPA, PCI have security control
    requirements as well
  • We audit to these standards as well.

23
How is an Audit planned?
  • I take the ISO 27002 and map all attributes to
    audits that I will perform over a 3 year cycle. I
    start with the systems that are most important
    such as student system, finance and HR. At the
    end of the cycle it starts all over again.
  • In any given 3 year cycle I may get coverage on a
    particular attribute differently than I did the
    previous cycle just to mix things up.

24
(No Transcript)
25
The Audit
  • Plan audit based on risks
  • Entrance meeting with auditee to discuss audit
  • Perform preplanned audit steps (audit program)
  • Conclude
  • Draft report to schools, departments with issues
  • Final report to senior management and board
  • Follow-up on issues next year or sooner

26
Sample UNIX Audit Program Step
  • 3- PASSWORD FILE
  • Obtain the /etc/passwd file
  • Determine that only one account has a UID of 0,
    which the administrators su to; or
  • Determine that there are multiple UIDs of 0,
    one for each superuser, to track accountability.
    In this case each superuser should have
    another account that is non-root capable for
    work not requiring root access.
  • Determine that a secure secondary password or
    shadow password file is used.
  • Determine that all shadow accounts are passworded
    or disabled.
  • Determine that application users are not given a
    shell (Unix prompt).
  • Inquire from the systems administrator who the
    superusers are (those that know the root
    password).
  • Determine that only a few users know the
    superuser password (a review of the su log would
    indicate who knows the superuser password,
    although be aware that someone could know the
    root password and not use su).
  • Confidentiality, Integrity, and Availability (C,
    D, and E)
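Several of the steps above (UID 0 accounts, shadow file in use, every shadow entry passworded or disabled, application users without a shell) are mechanical checks over /etc/passwd and /etc/shadow, which is where the "our own scripts" on the next slide come in. The Python below is an added example, not a script from the presentation or from UVA Internal Audit: the two file contents are constructed sample data, and the list of application accounts is an assumption standing in for what the auditor would get from the systems administrator. The judgement calls (one UID 0 account or one per superuser, who knows the root password) stay with the auditor; the script only produces the lists.

```python
# Added example, not from the presentation: automating the /etc/passwd and
# /etc/shadow checks of the sample audit program step. File contents below are
# constructed sample data; APPLICATION_ACCOUNTS is an assumed input the auditor
# obtains from the systems administrator.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
payroll:x:1001:1001:Payroll application:/opt/payroll:/bin/bash
oracle:x:1002:1002:Database application:/opt/oracle:/usr/sbin/nologin
ksavoy:x:1003:1003:Kevin:/home/ksavoy:/bin/bash
oldtemp:x:1004:1004:Temp:/home/oldtemp:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$salt$hash:19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
payroll:!:19000:0:99999:7:::
oracle:*:19000:0:99999:7:::
ksavoy:$6$salt$hash:19000:0:99999:7:::
oldtemp::19000:0:99999:7:::
"""

APPLICATION_ACCOUNTS = {"payroll", "oracle"}  # assumption: supplied by the sysadmin
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_colon_file(text):
    """Split passwd/shadow-style text into field lists, skipping blanks and comments."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rows.append(line.split(":"))
    return rows


def audit_password_file(passwd_text, shadow_text, app_accounts=APPLICATION_ACCOUNTS):
    """Return finding name -> list of account names for the audit step's checks."""
    findings = {
        "uid_zero": [],        # every account with UID 0 (auditor decides: one, or one per superuser)
        "hash_in_passwd": [],  # password field is not 'x'/'*', so shadow file not used for it
        "missing_shadow": [],  # passwd entry with no matching shadow entry
        "no_password": [],     # shadow entry is empty: neither hashed nor locked ('!' or '*')
        "app_with_shell": [],  # application user given an interactive shell
    }
    shadow = {row[0]: row[1] for row in parse_colon_file(shadow_text) if len(row) >= 2}
    for fields in parse_colon_file(passwd_text):
        if len(fields) != 7:
            continue  # malformed line; a real audit would record this as well
        name, pw_field, uid, shell = fields[0], fields[1], fields[2], fields[6]
        if uid == "0":
            findings["uid_zero"].append(name)
        if pw_field not in ("x", "*"):
            findings["hash_in_passwd"].append(name)
        if name not in shadow:
            findings["missing_shadow"].append(name)
        elif shadow[name] == "":
            findings["no_password"].append(name)
        if name in app_accounts and shell not in NOLOGIN_SHELLS:
            findings["app_with_shell"].append(name)
    return findings


def exceptions(findings):
    """Names of the checks that produced at least one account to follow up."""
    return [check for check, accounts in findings.items() if accounts]


if __name__ == "__main__":
    result = audit_password_file(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for check in exceptions(result):
        print(f"{check}: {', '.join(result[check])}")
```

On a real host the two strings would be read from the files themselves (the shadow file needs root to read, which is itself a point to verify), and the output for the sample data is a second UID 0 account, an account with an empty shadow password, and a payroll application account that can log in to a shell.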

27
Tools Used
  • Network scanners
  • Operating system scanners
  • Our own SQL scripts
  • And more.

28
How to make an audit as painless as possible
  • Know that an IT security audit is required. You
    have not been targeted (in most cases).
  • Meet with the auditors for an entrance meeting
  • Keep an open dialog with the auditors
  • Know that the sooner we gather information the
    sooner we can leave you in peace.

29
How auditors try to make it easier for you
  • Realize that we are often a drain on your
    resources
  • Schedule as best as possible our work around your
    busiest times of the year
  • Keep you informed as we go along to diminish
    misunderstandings of your operations
  • The majority of us like to think we make positive
    changes. Our mission believe it or not is not to
    get people in trouble.

30
Use Audit up front
  • It is always a good idea to include audit in
    project management or other decisions.
  • Audit cannot make management decisions but can
    guide you so that we do not have issues later
    down the road

31
Contact Info
  • Kevin Savoy savoy_at_virginia.edu