Information Technology Audit Process
Business Practices Seminar
Paul Toffenetti, CISA, Internal Audit
29 February 2008
TRANSCRIPT

Page 1:

Information Technology Audit Process

Business Practices Seminar

Paul Toffenetti, CISA
Internal Audit

29 February 2008

Page 2:

Overview

• What is Internal Audit
• IT Audit Process
• Common IT Audit Observations
• So What Should We Do
• Questions

Page 3:

Authority and Policies

What is Internal Audit?

Internal auditing is an independent, objective assurance and advisory activity designed to add value and improve an organization’s operations.

Internal Audit helps the organization accomplish its objectives by evaluating business risks and controls and, where appropriate, offering recommendations to improve risk management and governance processes.

Page 4:

Audit Process

Planning

Testing

Reporting

Follow-up

Page 5:

Planning

• Annual Risk Assessment
• Preliminary Audit Plan
• Board of Visitors Approval
• Notification and Request for Information
• Understand Your Risks and Controls
• Opening Conference

Page 6:

Testing

• Security
• Backup & Recovery
• Resource Management
• Web Site

Page 7:

Security Testing: Remote Vulnerability Scans

Servers

Printers

Routers

Workstations

Laptops

If it’s on the network, we scan it!

Nmap & Nessus

Page 8:

Security Testing: On-Site, Follow-up Vulnerability Tests

Workstations, Laptops, Servers

We test computers that may have security vulnerabilities!

WinAudit

MBSA (Microsoft Baseline Security Analyzer), CIS Tools & Benchmarks

Page 9:

Backup & Recovery Testing

You must have effective controls to back up and recover “Critical Data”

Page 10:

Resource Management Testing

Computer Hardware & Software

Procurement through Surplus

Page 11:

Web Site Testing

• University Relations Web Guidelines & Procedures
• Web Development Best Practices
• Content Recommendations
• Templates
• Privacy Statement (Policy 7030)
• Web Server & Application Security

Page 12:

Reporting: Observations

When unexpected results are noted, we solicit your comments.

Page 13:

Reporting: Recommendations

We may recommend opportunities to improve your controls.

Page 14:

Reporting: Management Action Plans

You develop the plans, schedules, and priorities to implement solutions.

Page 15:

Reporting

A final report is sent to the Board of Visitors.

Page 16:

Follow-Up

• Follow-up actions are based on your “Management Action Plan”
• Progress is monitored
• Some re-testing may be necessary
• Board of Visitors is updated
• Audit is closed

Page 17:

Common Audit Observations

Weak Security Settings

Windows Operating System

Page 18:

Common Audit Observations

Missing Security Patches

Operating Systems

Applications

Databases

Page 19:

Common Audit Observations

Misconfigured Anti-Malware Tools

Out-of-Date Threat Signatures

Scans Not Scheduled

Page 20:

Common Audit Observations

Inadequate Access Controls

Weak Passwords & File Permissions

Page 21:

Common Audit Observations

Open Communication Ports

The Hacker’s Point of Entry
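Slides 7 and 21 together make the practical point: scan everything that is on the network, then treat every listening service as a candidate point of entry until someone can justify it. The script below is an added example, not code from the deck or from Internal Audit. It parses Nmap's greppable output format (`nmap -oG`), keeps only ports reported as open, and flags the ones on a small policy list of services that an auditor would normally expect to be closed or filtered from untrusted networks. The policy list, the host names and the scan output are all constructed for illustration; they are not findings from any real scan.

```python
"""Flag risky open TCP ports in Nmap greppable (-oG) output.

Added example: the sample scan below is constructed, and the RISKY_TCP
policy list is this example's own assumption, not a list from the slides.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample of `nmap -oG` output (not real scan data).
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated (constructed sample)
Host: 10.0.5.10 (srv01.example.edu)\tStatus: Up
Host: 10.0.5.10 (srv01.example.edu)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 23/open/tcp//telnet///, 445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.5.23 (printer-3f.example.edu)\tStatus: Up
Host: 10.0.5.23 (printer-3f.example.edu)\tPorts: 80/open/tcp//http///, 515/open/tcp//printer///, 9100/open/tcp//jetdirect///\tIgnored State: closed (997)
Host: 10.0.5.44 (lab-ws12.example.edu)\tStatus: Up
Host: 10.0.5.44 (lab-ws12.example.edu)\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (996)
# Nmap done (constructed sample)
"""

# Assumed policy: services that should be closed or filtered from untrusted networks.
RISKY_TCP = {
    21: "ftp (cleartext credentials)",
    23: "telnet (cleartext credentials)",
    135: "msrpc (Windows RPC endpoint mapper)",
    139: "netbios-ssn (SMB over NetBIOS)",
    445: "microsoft-ds (SMB)",
    3389: "rdp (remote desktop)",
    9100: "jetdirect (unauthenticated raw printing)",
}

# Greppable host lines look like: "Host: <ip> (<name>)\t<Status or Ports field>..."
HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


@dataclass
class OpenPort:
    host: str
    name: str
    port: int
    proto: str
    service: str


def parse_gnmap(text):
    """Return an OpenPort for every port Nmap reported in the 'open' state."""
    results = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and anything that is not a host record
        ip, name, rest = m.groups()
        if not rest.startswith("Ports: "):
            continue  # "Status: Up" lines carry no port data
        ports_field = rest[len("Ports: "):].split("\t")[0]
        for entry in ports_field.split(", "):
            # Each entry: port/state/proto/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 5 or fields[1] != "open":
                continue  # skip filtered/closed entries and malformed ones
            results.append(OpenPort(ip, name, int(fields[0]), fields[2], fields[4]))
    return results


def flag_risky(open_ports):
    """Match open TCP ports against the policy list; returns (host, port, reason)."""
    return [(p.host, p.port, RISKY_TCP[p.port])
            for p in open_ports if p.proto == "tcp" and p.port in RISKY_TCP]


def summarize(text):
    """Group flagged ports by host, preserving scan order within each host."""
    by_host = {}
    for host, port, reason in flag_risky(parse_gnmap(text)):
        by_host.setdefault(host, []).append((port, reason))
    return by_host


if __name__ == "__main__":
    # Usage: python flag_ports.py [scan.gnmap]; with no file, the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for host, items in summarize(data).items():
        print(host)
        for port, reason in items:
            print(f"  tcp/{port}: {reason}")
```

Against the constructed sample, the script reports telnet and SMB on the server, raw JetDirect printing on the printer, and the full Windows file-sharing and RDP set on the lab workstation; the filtered port 8080 is correctly left out because only the open state is counted. Feeding it a real `nmap -oG` file gives a list that maps directly onto the "Close or Filter Communication Ports" action on slide 23; what stays open should be the services someone can justify, not whatever happened to be listening.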

Page 22:

Common Audit Observations

“The System Administrator’s Dilemma”

How much risk is Senior Management willing to accept?

Security vs. Convenience

Page 23:

So What Should We Do?

• Harden Security Settings
• Keep Everything Patched
• Install and Use Anti-Malware Tools
• Enforce Strong Passwords
• Close or Filter Communication Ports
• Test Your Systems
• Support Your System Administrator!

Page 24:

Questions

“Success Redefined”