IT Infrastructure Audit Compliance, Term Paper Example
IT Audit Scope, Goals and Frequency
Prior to performing any network audit, the scope is established by the audit charter. The primary objective is to foresee the impact of directional changes and their implementation on the Information Technology function. For the audit to succeed, it is vital that the business understands the auditor's role. IT auditors help the organization align business goals with IT applications while providing assurance of system protection, system availability and system integrity. As the principal objective of an auditor is assurance, it is the responsibility of management to ensure that the appropriate types of controls are operational where required. The role of an IS auditor has evolved with new advances in technology. An information system cannot be considered merely a computing station; it comprises many elements that facilitate business processes and contribute to the business objectives. A committee of senior managers is essential for conducting a formal audit, since this group of stakeholders provides the audit charter, the scope, oversight of issues, and the project plan with tentative deadlines. The committee discusses and resolves issues so that the audit proceeds smoothly. After the audit evaluation is complete, findings and suggestions are communicated in a presentation to senior management for corrective action. This methodology assures thorough understanding and enhances buy-in for the audit's recommendations. It also provides an extra channel for the auditors to review the issues raised. In the end, a report is produced that already incorporates issues that have been discussed and debated comprehensively, which considerably enhances the effectiveness of the report.
Audit Critical Requirements
The most common vulnerability is often taken as the measure of overall strength. The first element of an IS audit is the physical and environmental review, which covers physical security, power supply, temperature control and other associated environmental factors. The second element is the system administration review, which covers operating systems, system administration procedures and compliance, and database management and administration. The third element is the application software review, covering processes such as payroll, invoicing, online customer order processing and enterprise resource planning; the review of complex, integrated applications also requires examining authorization and access control, exception handling, the flow of data within the application, and its controls and procedures. The fourth element is the network security review, which covers internal and external connectivity of the system, firewalls, computer network security, access control lists defined on routing devices, port scanning and detection of typical domains. The fifth element is the business continuity review. This review is critical and includes redundancy and maintenance of components such as hardware, software, backups, redundant WAN links and storage, together with a documented and tested disaster recovery plan. The sixth element is the data integrity review, which examines live data to validate the appropriateness of controls and the impact of their limitations. This type of testing is conducted with traditional auditing software and tools such as computer-assisted audit techniques.
Directive 95/46/EC applies to automated and computerized data, for example client information databases, as well as to data held in non-automated filing systems. The main purpose of this directive is to protect the privacy of personal data by laying down guidelines that define lawful processing. The European Union also addressed data privacy in the context of e-commerce by complementing it with Directive 2002/58/EC on Privacy and Electronic Communications (DPEC), which covers the processing of personal data in the electronic communications sector and personal data carried by publicly available communication networks and services. The Article 29 Working Party ('Art. 29') proposed a 'comprehensive and consistent data protection framework' in order to eliminate the remaining concerns and to assert European Union competence.
IT Security Risk Management
The PMBOK Guide defines the risk management plan as describing "how project risk management will be structured and performed on the project." Risk management strategies include details such as the risk techniques to be used within the approved budget and schedule, and the effects of risk events. Risks may affect anyone at any time during the project, with short-term or long-term consequences, so it is important to reduce risk effectively. To minimize risks, project managers must have good knowledge and a comprehensive risk management plan. According to the Oracle White Paper, there is a uniform tactic for risk management, defined as: "A collaborative risk identification process helps create buy-in on project assumptions and spreads awareness throughout the organization." It is necessary to communicate efficiently with project associates and stakeholders regarding risks. Furthermore, as Oracle states, new techniques and methodologies also have a great impact.
Michael D. Taylor’s Risk Management Approach
Michael D. Taylor, a master project manager with over thirty years of engineering and project management experience, applies a technique that integrates qualitative and quantitative analysis into risk preparation. Taylor is director of the Project and Program Management Certificate at the University of California Extension in Silicon Valley. In this approach, solutions are based on the organized and suspected factors that generate possible risks, and the risk management plan must be wide-ranging. As Taylor notes, "many risk management plans address only foreseeable risks and fail to address the unforeseeable ones" (Taylor & Bogdan, 1998). Taylor's approach comprises the five-step procedure below:
- Risk identification.
- Qualitative analysis.
- Quantitative analysis.
- Risk response planning.
- Risk monitoring and control.
In Taylor's approach the qualitative and quantitative analyses are separated, whereas in Oracle's approach both are included in a general risk assessment phase. Taylor's approach begins with identifying risks; this step is considered the most typical in risk management strategies. According to Taylor, risk identification is a continuous task for project managers. A project manager uses several techniques, such as:
- Analogous project comparisons
- Risk checklists
- Work breakdown structures
- Brainstorming techniques
- Ishikawa diagrams
- Affinity diagrams
- Risk breakdown structures.
These techniques are used for mapping risks and determining their causes. They allow project managers to stay focused on the project and its associated risks, and they give good practical visibility of project risk. In Taylor's approach, qualitative analysis comes into play once a risk has been identified (Taylor & Bogdan, 1998). As Taylor states, a risk "is always to be analyzed by the probability of the event occurring and the consequence if it does occur." The analysis must focus on the project's schedule, cost, scope and quality, as both Taylor's and Oracle's approaches note.
What is Snort? It is defined as "An open source network intrusion detection system (NIDS) that is noted for its effectiveness. Developed by Martin Roesch, Snort can also be used just as a packet logger or packet sniffer" (Snort, 2011). Initially, Snort was used as a packet sniffer to capture and analyze data packets on the network; as the tool matured, it was transformed into an intrusion detection system. The architecture of Snort comprises four components: the packet decoder, the preprocessor, the detection engine, and the logging and alerting module. Processing in Snort starts with packets arriving through a network interface card and the 'packet capture' module. The packet decoder then determines the protocol of the packet and checks whether it matches the expected protocol layout. The packet decoder can also raise a message if the packet header is abnormal or distorted, the packet exceeds the size limit, parameters specify inappropriate protocols, and so on. In this scenario, Snort will provide the investigation team with the following features:
Snort will allow the investigation team to analyze network threats in depth by detecting buffer overflows, port scanning, CGI attacks, SMB probing, NetBIOS requests and NMAP scans. The team will also be able to write new signatures to detect weaknesses in the system, translate packets into a human-readable form alongside their IP addresses, and use the tool as a passive tap for recording current network traffic.
Figure: a functional view of Snort.
Forensic investigators usually have only log files, audit trails and some physical evidence. Unusual activity in logs or audit trails can, however, indicate a problem and provide sufficient information before a security breach takes place. To evaluate live network traffic, a system must be configured on the network to monitor it. Snort collects raw data packets from different network interfaces, i.e. LAN, WAN, SLIP, PPP and VPN, through the 'Libpcap' capture library, and hands them to the packet decoder for preprocessing. The preprocessor modifies data packets on their way to the detection engine, which analyzes them and generates alerts for any anomalies associated with packet headers. The core function of the preprocessor is to prepare or shape the network traffic for the rules applied at the next stage, the detection engine; this is usually called packet defragmentation. Snort also lets investigators decode HTTP and reconstruct TCP streams, which are used to counter attacks. The detection engine is time-based and operates within an extensive evidence collection mechanism. It is time-based because, if many rules are applied, packet processing consumes time; in some cases network throughput is too high and packets are dropped, which makes an investigation less effective. The detection engine of Snort stops processing a packet whenever a rule is matched. According to the parameters of the matching rule, the detection engine will either log the packet or generate an alert; before Snort generates an alert, it makes sure that all conditions of the rule are matched. The next component of Snort, the collection engine, gathers evidence from hosts and networks as input for a forensic investigation team.
Secondary data that can also be used as an input will probably be the log files and audit trails obtained from the applications.
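As an added example that is not Snort's own code, the following Python miniature models the pipeline described above: a packet decoder that rejects abnormal IPv4/TCP headers, a detection engine that stops at the first matching rule, and a rule action that decides between logging and alerting. The packets, the rule set and all helper names are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Constructed packets and rules for illustration; this is not Snort's code.

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

def decode(raw: bytes) -> Packet:
    """Packet decoder: parse IPv4 + TCP headers and reject abnormal ones."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if version != 4 or ihl < 20 or total_len != len(raw):
        raise ValueError("abnormal IPv4 header")  # distorted header / bad length
    if raw[9] != 6:
        raise ValueError("not TCP")  # only TCP is handled in this miniature
    src = ".".join(map(str, raw[12:16]))
    dst = ".".join(map(str, raw[16:20]))
    tcp = raw[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return Packet(src, dst, sport, dport, tcp[data_off:])

# Detection engine rules (hypothetical): checked in order, first match wins,
# and the action decides whether the packet is logged or raises an alert.
RULES = [
    {"action": "alert", "dport": 139, "content": None, "msg": "NetBIOS session request"},
    {"action": "alert", "dport": 80, "content": b"/cgi-bin/", "msg": "CGI probe"},
    {"action": "log", "dport": 80, "content": None, "msg": "HTTP traffic"},
]

def detect(pkt: Packet, rules=RULES):
    """Return (action, msg) of the first matching rule, or None."""
    for rule in rules:
        if pkt.dport != rule["dport"]:
            continue
        if rule["content"] and rule["content"] not in pkt.payload:
            continue
        return rule["action"], rule["msg"]   # stop at the first match
    return None

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal IPv4/TCP packet (checksums left zero) for testing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp
```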
Database auditing is a process for logging and monitoring access to, and modification of, database objects and resources. Logging and monitoring apply to the operational databases together with the collection of records that remain accessible where the required information can be extracted and analyzed. Database auditing is also known as data access monitoring, data monitoring and data activity monitoring. To secure data, stakeholder requirements incorporate security operations related to real-time policies, protection of audit trails, forensics and data mining. Compliance audit requirements for stakeholders include separation of duties, reports based on best practices, and computerized controls. Application and database requirements include minimal impact, change management and performance optimization. All three sets of requirements must be transparent and clearly visible within the organization. Database auditing can be divided further: authorization auditing establishes which employee has what permissions and access privileges, and access auditing records which employee did what and what they are assigned to do. Employees with data modification privileges can update, insert and delete data, whereas employees with read-only access can only use the select function. In addition, duplication auditing checks which data is duplicated and where. Several methods are available for performing a database audit. One method is to start the audit within the DBMS, which will incorporate a performance trace. The second method focuses on transaction log files; the third, auditing over the network, extracts SQL requests travelling across the network. Lastly, one audit method targets the DBMS itself to analyze vulnerabilities and non-compliance issues.
Regulations having an impact on database security are listed below (Moeller, n.d.):
Database Security: Regulations applicable to database security include PCI-DSS, BASEL II, FISMA, HIPAA, CMS and GLBA.
Changes to Data Definition Language (DDL): These regulations also define audit requirements for access to sensitive data. Regulations applicable to changes to Data Definition Language (DDL) include SOX, PCI-DSS, HIPAA, GLBA, BASEL II, NERC and NIST.
Changes to Data Manipulation Language (DML): Regulations applicable to changes to Data Manipulation Language (DML) include SOX, CMS and BASEL II.
Exceptions to Security: Regulations applicable to exceptions to security include SOX, PCI-DSS, BASEL II, FISMA, HIPAA, CMS, NERC and GLBA.
Changes to Data Control Language (DCL): Regulations applicable to changes to Data Control Language (DCL) include SOX, PCI-DSS, BASEL II, FISMA, HIPAA, CMS, NERC and GLBA.
Performing a database audit with SQL has a limitation: it can only be used with relational databases. Relational databases are, however, extensively used and maintained in organizations. Apart from the relational database, there are two other types of database with which SQL is not compatible or applicable as an auditing tool. The first is the network database, which uses its own access methodology and is accessible only through proprietary protocols. The second is the hierarchical database, which is accessed with a syntax almost similar to SQL, but no assurance is available that it can be accessed in a complex environment.
To perform a database audit, structured query language (SQL) is used as an audit tool. SQL offers auditors opportunities as well as risks when testing a database. For a successful audit, auditors must assess those risks and mitigate them by implementing alternative procedures. The server audit procedures define where the auditors must write their data, and the audit tests depend on the risk assessment and on the purpose of each type of test. An auditor who is not familiar with SQL and wants to learn it can set up a 'starter' database system for self-study. SQL adds value to the auditor's toolkit for performing an efficient and successful audit of a targeted database or system, and it also minimizes the need for database administrators and support personnel to contribute.
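As an added illustration of the first audit method listed earlier (auditing from within the DBMS) and of the authorization and access auditing described there, and not code from the page or from any database product, the following Python script uses SQLite triggers to record who changed which row and a privileges table to distinguish modify from read-only accounts. The schema, the two accounts and the single-row session table are constructed assumptions.

```python
import sqlite3

# Constructed schema and users; this is an illustration, not a vendor's audit facility.
SCHEMA = """
CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT, salary INTEGER);
CREATE TABLE privileges (username TEXT, role TEXT);   -- 'modify' or 'read_only'
CREATE TABLE session (actor TEXT);                    -- who is acting right now
CREATE TABLE audit_log (ts TEXT, actor TEXT, op TEXT, row_id INTEGER,
                        old_salary INTEGER, new_salary INTEGER);
CREATE TRIGGER aud_ins AFTER INSERT ON employees BEGIN
  INSERT INTO audit_log VALUES (datetime('now'), (SELECT actor FROM session),
                                'INSERT', NEW.id, NULL, NEW.salary);
END;
CREATE TRIGGER aud_upd AFTER UPDATE ON employees BEGIN
  INSERT INTO audit_log VALUES (datetime('now'), (SELECT actor FROM session),
                                'UPDATE', NEW.id, OLD.salary, NEW.salary);
END;
CREATE TRIGGER aud_del AFTER DELETE ON employees BEGIN
  INSERT INTO audit_log VALUES (datetime('now'), (SELECT actor FROM session),
                                'DELETE', OLD.id, OLD.salary, NULL);
END;
"""

def open_db():
    """In-memory database with the audit triggers and two sample accounts."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO privileges VALUES (?, ?)",
                   [("alice", "modify"), ("bob", "read_only")])
    return db

def run_as(db, actor, sql, params=()):
    """Run a statement on behalf of `actor`: read-only accounts may only SELECT,
    and the actor is recorded so the triggers can attribute every change."""
    row = db.execute("SELECT role FROM privileges WHERE username=?", (actor,)).fetchone()
    verb = sql.strip().split()[0].upper()
    if row is None or (verb != "SELECT" and row[0] != "modify"):
        raise PermissionError(f"{actor} is not allowed to run {verb}")
    db.execute("DELETE FROM session")
    db.execute("INSERT INTO session VALUES (?)", (actor,))
    return db.execute(sql, params).fetchall()

def authorization_report(db):
    """Authorization auditing: which account holds which privilege."""
    return db.execute("SELECT username, role FROM privileges ORDER BY username").fetchall()

def access_report(db, actor):
    """Access auditing: what a given account did, to which rows, with old/new values."""
    return db.execute("SELECT op, row_id, old_salary, new_salary FROM audit_log "
                      "WHERE actor=? ORDER BY rowid", (actor,)).fetchall()
```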
IS Audit Policy
This policy applies to permanent and contractual employees and other workers at Systems Limited and ABC Systems.
- All relevant statutory, regulatory and contractual requirements, and the organization's approach to meeting them, shall be explicitly defined, documented and kept up to date in the operational guides and in contracts with clients and third parties.
- All relevant security requirements, rules and procedures shall be defined and kept up to date to regulate and establish an information management system across the organization.
- Relevant managers shall ensure that security policies and procedures within their area of responsibility are carried out correctly.
- Information systems shall be regularly monitored to verify compliance with the organizational security policies and procedures.
- Regular independent auditing shall be in place to ensure compliance with applicable laws, legal and contractual requirements and company policies.
- Any deviation or violation shall be noted and appropriate action shall be taken.
- Measures shall be taken to ensure compliance with legislative, regulatory and contractual requirements on the use of material that may be subject to intellectual property rights, and of proprietary software products.
- Only licensed or authorized open source software shall be used within the organization; licenses shall be reviewed at the appropriate time and user limits shall not be exceeded.
- All software shall be acquired from known and reputable dealers or directly from the manufacturer.
- All legislative and regulatory amendments and updates shall be obtained through the company's legal advisor or a reputable source.
- Violation of any law or regulation shall be reported first to the company's legal advisor or a nominated person and then to the authorities.
- Acquired software shall not be used for any commercial purposes and shall not be transferred to others for any non-business activity.
- Important business and personal records and data shall be protected from loss, destruction and falsification, in accordance with legal, regulatory, contractual and business requirements.
- All data and records shall be retained as required by law and by contractual requirements.
- Use of cryptographic controls shall be enforced where required by agreements, laws and regulations.
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
References
Management, C. O. A. U. S. D. E. P., Environment, B. I. C., Sciences, D. E. P., & Council, N. R. (2005). The owner's role in project risk management. National Academies Press.
Taylor, S. J., & Bogdan, R. (1998). Introduction to qualitative research methods: A guidebook and resource. Wiley.
Snort. (2011). Computer Desktop Encyclopedia, 1.
Moeller, R. R. (n.d.). Brink's modern internal auditing: A common body of knowledge. Wiley.