Investigation Conference
London
IT Auditing Fundamentals
4th November 2015
Welcome!
Charles Mansour Audit & Risk Service 2015
Me
Charles Mansour, CISA
35 Years in IT Audit & Risk
UK Customs 1980 - 1986
Banking and Financial Services 1986-2002
Audit & Risk Service 2002 - 2015
Past President of ISACA London Chapter
Involved with COBIT since 1993
Member of ISACA International Membership Board 2004 - 2007
Session Objectives
Provide you with an introduction to IT
auditing concepts and fundamentals
Agenda
IT Audit Background
Operating Systems and System Software
Database
Change Management
Systems Development
Networks
IT Audit Background
Diagram: Oversight, Resources, Data, Authorisation, Processes (and Change), Security, Storage, Business Processes, Mail
Good News
The audit is more or less written down in COBIT 4.1 under process PO1 (IT Strategic Direction) and COBIT 5 process EDM01 (Ensure Governance Framework Setting and Maintenance).
IT Governance?
Responsibilities
Business Process Owners are responsible for
Process achievement of business objectives
Identification of risks that impede achievement of business
objectives (including IT related risks)
Placement of controls that mitigate the risks
Responsibilities
IT has a custodianship or stewardship role over the
business assets under its care
Data
Programs
Example
In a police department processing system there are two servers: one holds details of police officers' uniform measurements and police car servicing history; the other holds the local criminal / suspect database, connected to the national crime database.
Typical IT organisation chart (diagram): CIO at the top. Production side: Operations, Performance/Capacity Mgt, Prodn Support, Networks/Telecoms. Development side: Legacy Systems Maintenance, New Systems Development, Testing Teams, Developments Support. Also shown: Help Desk, Research, Wide Area Network, Local Area Network, WEB / Internet.
General Controls
Address risks to the computing environment
e.g. unauthorised changes to the production environment
Application Controls
IT Infrastructure/General Controls (diagram): General Controls surrounded by Data Security, Physical Security, Operating System Software, Program Change Mgt, Disaster Recovery, Environmental Protection, Access Controls, Operations, System Development Methodology, Telecommunications, Database Administration
IT Main Areas
Operations (Run and store): Operating systems and utilities; Database and database administration; Change Control
Development (Build): Key development stages; Testing and migration into production
Communications (Move): Network availability; Confidentiality; Integrity of traffic
Operating Systems
An operating system (OS) is software, consisting of programs and data, that runs on computers, manages the computer hardware and provides common services for efficient execution of various application software. It stands between the computer and the outside world. No OS, no computing.
How it Works
1. Electric current passes into the computer
2. Bootstrap firmware (e.g. BIOS) on a hard coded chip wakes up, checks components are connected (e.g. printers, disk drives) and looks for an operating system
3. Once located, the operating system takes control and starts to load settings (parameters)
Operating system functions (diagram): Data Management, Resource Management, Job Management, Priority setting
System Software
The OS itself
Database Management Systems
Network OS
Utilities
Programs used for housekeeping called by the
OS when needed
Sort software
Data comparison
Query software
Printer file viewing / editing
Defragmenting
Data compression
Examples of powerful utilities:
IBM z/OS AMASPZAP (SUPERZAP)
rm command in UNIX
Delete command in Windows Explorer
In a lot of cases, once they're gone, they're gone
Control
Need to be kept in very well protected libraries
Logs should record usage of very powerful utilities
Useless without monitoring
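As an added example (not from the slides), the following Python script shows the "useless without monitoring" point in practice: it reads constructed audit records for the utilities named above and reports every use that is not tied to an authorised change record. The log format, host and user names, and the change register are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample audit records (not real logs): one line per job or command.
AUDIT_LOG = """\
2015-11-04 02:58:11 host=mvs1 user=SYSPRG1 program=AMASPZAP ticket=CHG-0412
2015-11-04 09:14:02 host=ux7 user=dbadmin cmd="rm -rf /data/prod/archive" ticket=-
2015-11-04 10:05:37 host=ux7 user=ops2 cmd="ls -l /data/prod" ticket=-
2015-11-04 11:40:55 host=mvs1 user=SYSPRG2 program=AMASPZAP ticket=-
"""

# Utilities whose every use must be traceable to an authorised change.
POWERFUL = {"AMASPZAP", "SUPERZAP", "rm"}
# Constructed change register: tickets the Process Owner has authorised.
AUTHORISED_TICKETS = {"CHG-0412"}

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'(?:program=(?P<prog>\S+)|cmd="(?P<cmd>[^"]*)") ticket=(?P<ticket>\S+)$')

@dataclass
class Alert:
    ts: str
    host: str
    user: str
    utility: str
    reason: str

def utility_name(prog, cmd):
    """z/OS records name the program; UNIX records carry the command line."""
    if prog:
        return prog
    return cmd.split()[0] if cmd else ""

def review(log_text, authorised=AUTHORISED_TICKETS):
    """Return one Alert per powerful-utility use lacking an authorised ticket."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: would itself merit an integrity alert
        util = utility_name(m["prog"], m["cmd"])
        if util in POWERFUL and m["ticket"] not in authorised:
            alerts.append(Alert(m["ts"], m["host"], m["user"], util,
                                "use not linked to an authorised change"))
    return alerts

if __name__ == "__main__":
    for a in review(AUDIT_LOG):
        print(f"{a.ts} {a.host} {a.user} ran {a.utility}: {a.reason}")
```

The first AMASPZAP run is linked to an authorised ticket and is not reported; the unticketed rm and AMASPZAP uses are.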
IT Data Management
Process owners own programs and data
Programs reside in program libraries (outside the scope of this
session)
Data resides in a database
Managed on a day to day basis by IT
Enabled by system software components supporting
Data definition
Storage
Sharing
Processing
File management
Ultimate responsibility for data integrity rests with process owner
Database
Collection of detailed data about the organisation held on magnetic media: Customers, Products, Personnel, Financials
(diagram: Organises, Controls, Protects, Uses)
Objectives: Maximise data organisation; Decrease access time; Provide security
Database
Portal into the Database: the Database Management System controls the portal
Database Structures
Main structure in use today is the Relational
Database
Database consists of many tables (files) which are a
Collection of many rows (records) which are a
Collection of many columns (fields)
Relational Database (diagram): a Database holds many Tables, e.g. Customer, Savings Account and Loan Accounts. Each table has many Rows (Customer 1, Customer 2, Customer 3 ... Customer 9999999) and Columns (Customer No, Surname, First Name, Date of Birth, Address Line 1, Address Line 2, Loan a/c No). Sample rows: Customer No 10059; Customer No 10060, Surname: Mansour. Index is Customer No.
Database Risks
Risk / Control
Unauthorised activities by Database Administrator
Unauthorised access to database
Change Management
Security, Integrity and Availability of their information assets whilst in the custody of IT
Portal into the Production Environment: the Process Owner controls the portal
THEORY
The only changes to the Process Owner's software / data are those instances when the Process Owner decides to lower the drawbridge to allow them through the portal into the Production environment.
System software
Hardware
Data
Any third party carrying out business on behalf of the
Process Owner (includes Cloud Service Providers)
Should apply to any unscheduled jobs that are run in the
production environment
Change Request and Analysis: Process Owner authorises change; Users / IT staff analyse change with Business Impact Analysis
Change Prioritisation: CIO or IT Steering Committee authorise and sign off change; Work instruction issued to programmer
Change Development: Programmer checks out module; Code walkthrough; Compile into executable module; Link edit
Change Migration and Quality Check: Migrate to QA Library (Change staff perform QA); User Testing
Operability Testing & Change Implementation: Operability testing; Operations notes and documentation updated and tested; Process Owner authorises implementation prior to migration to production libraries; Change migrated into production environment
Post Implementation Review: Process Owner verifies that change complies with request and is delivering specified business benefit; Final sign off of change
Unauthorised Changes
Can be from
Use of powerful systems utilities
Emergency fixes
Developers active in production environment
Unintended default access privileges
Hackers
Social Engineering
Viruses
Emergency Changes
Can be one of two types
Fast Track changes
Known problem
Needs to be implemented quickly
Change passes through change management
steps, but more quickly
Still need to be tested prior to implementation
Emergency Changes
Unexpected problem: 3am fix to get things working; need to fix problem properly next day
Two approaches:
Backward migration (not recommended!)
Leave changed production code in place and make all other copies of the program reflect the emergency change
Retrospective user sign off
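As an added example that is not part of the slides, this Python model enforces the change management flow above as a sequence of gates: a change cannot leave a stage until the role the slides name (Process Owner, CIO / IT Steering Committee) has signed off, and an emergency change (modelled as a change created directly at the production stage with emergency=True) can only be regularised once every other copy of the program matches production and the Process Owner has signed off retrospectively. Stage and role names are assumptions.

```python
from dataclasses import dataclass, field
# Stages of the change management flow described on the slides, in order.
STAGES = ["request", "prioritisation", "development", "qa", "user_testing",
          "operability_testing", "production", "post_implementation_review", "closed"]
# Stages that may only be left once the named role has signed off (the "portal").
GATES = {"request": "process_owner",                     # Process Owner authorises change
         "prioritisation": "it_steering_committee",      # CIO / IT Steering Committee sign off
         "operability_testing": "process_owner",         # authorises implementation before migration
         "post_implementation_review": "process_owner"}  # final sign off after the PIR

class ChangeControlError(Exception): pass

@dataclass
class Change:
    ref: str
    stage: str = "request"
    emergency: bool = False                        # 3am fix that bypassed the portal
    approvals: dict = field(default_factory=dict)  # stage -> role that signed it off

def missing_signoff(change):
    """Role whose sign-off is still needed to leave the current stage, or None."""
    gate = GATES.get(change.stage)
    return gate if gate and change.approvals.get(change.stage) != gate else None

def approve(change, role):
    """Record a sign-off; only the role named for the current stage may give it."""
    if GATES.get(change.stage) != role:
        raise ChangeControlError(f"{role} cannot sign off stage {change.stage!r}")
    change.approvals[change.stage] = role

def advance(change):
    """Move one stage forward; refuses while a gate sign-off is missing."""
    gate = missing_signoff(change)
    if gate:
        raise ChangeControlError(f"{change.ref}: {change.stage} needs {gate} sign-off")
    change.stage = STAGES[STAGES.index(change.stage) + 1]
    return change.stage

def regularise(change, copies_synced, owner_signed):
    """Next-day clean-up of an emergency fix; returns the gaps still blocking it."""
    gaps = []
    if not copies_synced:   # production code stays; every other copy must now match it
        gaps.append("other program copies do not reflect the emergency change")
    if not owner_signed:
        gaps.append("retrospective Process Owner sign-off missing")
    if not gaps:
        change.approvals["retrospective"] = "process_owner"
        change.stage = "post_implementation_review"
    return gaps
```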
Key Risks
Risk
Control
Uncoordinated changes
Unauthorised changes
Systems Development
Programme
As above but consisting of a group of projects
closely linked together e.g.
Development of current account and savings account
using the same software package
Development Approaches
Build
Construct business solution in house
Buy
Acquire software solution from a third party
Project Governance (diagram): Project Steering Committee; Senior Management (Project Champion); Project Sponsor; Process Owner; Project Manager; Systems Development Project team; User Project Team; Technical Infrastructure Team; Subject Matter Experts (Finance, Security etc.). Big Risk!
Client = Shipowner: accepts the ship from the shipyard when happy that it has been built to specification and fully trialled (otherwise it might sink!). Responsible for the safety and profitability of the ship throughout its working life.
Development
Environment
Where systems are
designed, built and
tested
Development lifecycle (diagram): Initiation, Proof of Concept, Implementation Planning, Requirements Analysis, Design, Development (inc. Procedures), Implementation; Key Control Point marked on the diagram.
Cost over time (chart): Design, Build, Implementation, e.g. $1 per Cobol line.
Networks
Network Objectives (diagram): connect Point A to Point B
Network Devices
Don't forget!
They are all little computers with their own
Operating Systems
Programs
Parameters
Data stores
Connections
Firewall
Hub
Bridges
Router
Modems
Terminals
Printers
Client/server models (diagram):
Most work done by the server; client displays output
Most work done by the server; client formats & displays output
Application processing shared between server & client
All application work done by client; database shared between client & server
Network Auditing
EXTREMELY Complex
Focus should be on
Level of service (Availability)
Service Level Agreements
Confidentiality
Encryption
Integrity
Message validation techniques
Auditing Focus: understanding and establishing
Logical access controls over network usage
Physical and Environmental controls
Service Level Agreements with Business
Traffic Management
Availability of network in the event of failure of any component
Network Change and Configuration Management processes
Potential Problem
Most Wide Area Network connections are leased from the national telecoms provider, e.g. BT. This means that the national telecoms provider is a service provider to the enterprise, like an outsource company. The enterprise has to satisfy itself that the KEY risks attaching to information whilst it is under the control of the telecoms provider are adequately addressed by the provider's controls, e.g. is the service provider's physical security over its servers and routers adequate to protect the enterprise's business information in transit under its control? Many IT managers do not see this as an area that they have to do anything about.
IT Audit Background
Operating Systems and System Software
Database
Change Management
Systems Development
Networks
Any questions?
We are happy to answer any queries
My Contact Details
Charles Mansour Audit & Risk Service
Overall Lodge
Pound Lane
Hadleigh
Suffolk
IP7 5EQ
Tel: 01473 823406
Mob: 07799 604338
e-mail: charles.mansour@btinternet.com