Part 2- An IT Auditing Framework * 07/16/96 Part 2- An IT Auditing Framework Why do how our systems work matter? Why do how we manage our systems matter? How can systems harm a unit’s ability to accomplish its goals? *

What are you hoping to obtain from these courses? Intro questions What skills are you seeking for completing audits? What skills are you seeking to further your understanding and/or help your career? Example: Familiarize all auditors with general IT Audit concepts and audit steps Enable general auditors to feel more comfortable with IT and IT Audit terminology to provide future audit and career opportunities Show correlation between IT audit steps and the use of IT Template bridge

Foundations of System Controls Lego Blocks Introduction Groups build what they believe is the proper structural sound foundation for controls

System Control’s Foundation Blocks IT Dependent Manual Controls Application Controls (Automated) Job Scheduling and Management Application Security Network Security Change Management Data Security - Database Operating System Physical Security Lego Blocks Introduction Blocks are jumbled with labels. Groups build what they believe is the proper structural sound foundation for controls

Proposed Foundation Strategy IT Dependent Manual Controls Application Controls (Automated) Job Scheduling and Management Application Security Network Security Change Management Data Security - Database Operating System Physical Security Note Physical Security and Network Security argument may be inverted. There is not a single “correct” answer -With movement to cloud technology Network Security may be shifting to the key stone position in our infrastructure -Each block ties to a component of the IT Bridge

System Control Pyramid Network Security Data Security - Database Operating System Change Management Application Security IT Dependent Manual Controls Application Controls (Automated) Staffing Workstation Configuration Disaster Recovery Equipment Management IT General Controls Job Scheduling and Management Physical Security See each foundational control as stacking. Creates Control Dependency Difficulty exists on how to breakdown IT Environment controls (yellow) as they touch/support all ITGCs but are not exactly part of the control foundation

High Level Control Framework Framework provides higher level view of the relationship between business process and IT controls Note that the blue section ties to the area below the line on the above pyramid Note the green section ties to application controls and IT Dependent controls above the ITGC line in the above pyramid

IT General Control Definition * 07/16/96 IT General Control Definition IT General Controls (ITGCs) - Provide assurance that IT-Dependent and Application Controls can be relied upon Include controls over the IT environment, computer operations, access to applications and data (security), and program changes Note most of IT bridge is to cover system ITGCs *

Strong ITGC -Prevention and Detection Controls * Strong ITGC -Prevention and Detection Controls 07/16/96 Prevention controls stop inappropriate items from occurring New user approval process Strong password controls Access termination process Detection controls identify inappropriate items that can then be corrected Periodic Access Review *

Strong ITGC Determination Not all textbook controls must be designed and operating effectively to address significant risks and provide a strong ITGC environment In previous slide if a weak termination process existed this could be compensated for by a frequent strong periodic review. However strong new user, password, and other preventative ITGCs would still be required or require other compensating controls if applicable

Business Process Controls Automated (Application) Controls IT Dependent Manual Controls (Purely) Manual Control Ask for Automated control , IT Dependent Controls then Purely Manual Control examples. Draw Conclusions on the controls Note determination of strong business process controls same as ITGCs – not all required and sometimes overlap can occur

ITGC Controls and the Application's House * ITGC Controls and the Application's House 07/16/96 Sufficient Controls must act in concert Consider securing an application like a house *

ITGC Controls and the Application’s House * ITGC Controls and the Application’s House 07/16/96 How does a front door protect your house? What are the Key Components? Door Frame Door Door Hinges Door Handle Dead Bolt Door Handle Lock *

ITGC Controls and the Application's House House = Application with business processes Door Frame = Physical - Network Door = Data Security - Operating Systems and Database Door Hinges = Job Scheduling Management Door Handle/Metal Casing = Application Security Dead Bolt = Application Controls Door Handle Lock = IT Dependent Manual Controls Tool Box = Code Change Management

How (My) Front Door Failed * 07/16/96 How (My) Front Door Failed Burglar smashed the window on the door and accessed the dead bolt lever Subsequently battered the door handle lock until the frame caved in *

How (Application’s) Front Door Could Fail * 07/16/96 How (Application’s) Front Door Could Fail Internal hacker exploits a vulnerability in the Operating System Vulnerability used to disable application controls Hacker later uses a “brute force” attack to gain access via the network and embezzle from the University *

Compensating Control - Detection For my house’s – A camera For a server –Intrusion monitor that monitors OS activity OS activity monitoring = intrusion monitoring Neither of these controls prevent a breach. They only detect the breech so that the issue can be resolved. Monitoring Camera was added to my living room with inappropriate activity alerts Similar monitoring of Operating System activity could be implemented and reviewed by management

Where Should an Audit Start Where do you believe an audit should start? What initial items should be confirmed? Application or IT Dependent controls must first be identified to confirm further review of IT general controls should occur.

IT in the Control Universe Summary * 07/16/96 IT in the Control Universe Summary Strong ITGCs provide assurance that effective system related controls may be relied upon ITGCs build upon each other Not all textbook controls are always required ITGCs include both Preventative and Detective controls System related controls include application (automated) and IT-dependent (system supported) controls (Purely) Manual Controls do not require system review *

Future discussion items * 07/16/96 Future discussion items Evaluating Code Change Management Processes Evaluating Disaster Recovery Preparations Evaluating Server Configurations/Security Evaluating Network Concerns and Intrusion Risks Evaluating Workstation Management How should we modify our plans for future discussion items? *

Future discussion items * 07/16/96 Future discussion items Evaluating Application Design, Controls, and Integration with the Business Processes Evaluating IT strategies – Strategic vs. Tactical issues Strategies used to build the overall IT audit plan for the department Looking at IT governance frameworks -Cobit *