
IT Audit and Penetration Testing What’s the difference and why should I care?



Presentation transcript:

1 IT Audit and Penetration Testing What’s the difference and why should I care?

2 Overview of IT Auditing
– Audit Focus
– Reasons to Audit
– Working with Auditors
– Maximizing Results
– Pre-Planning and Self Audits

3 What’s the goal?
1. Test control effectiveness – Is my control designed well?
2. Test control efficiency – Is my control working as designed?
3. Identify areas of risk

4 Audit Focus
– Business Process – Focus on how the business is run; may or may not involve IT systems
– IT Systems and Process – Focus on how IT manages the applications and infrastructure

5 Reasons to Audit
– Compliance
– System Discrepancy
– Process Assessment and Improvement

6 Compliance Audit
– Regulatory
– Industry
– Voluntary or Required

7 System Discrepancy Audit
– Financial accounting mismatch
– Missing or broken system logs
– Business Intelligence reports don’t match financials

8 Process Audit
– Adherence to a body of standards:
  – National Institute of Standards and Technology (NIST)
  – International Organization for Standardization (ISO 27000, 9000)
  – Information Technology Infrastructure Library (ITIL)
  – Control Objectives for Information and Related Technology (COBIT)
– Adherence to internal processes or procedures

9 Typical audit phases (in order)
– Announcement
– Engagement Letter
– Audit Scoping and Reporting of Self-Identified Gaps
– Fieldwork
– Reporting

10 Notification
– 1–6 months prior to engagement
– No details other than “We’re coming” / “We will be there soon!”

11 Engagement Letter
– Identify and meet with the audit manager, lead, and staff auditors
– Auditors present the proposed audit scope for management review

12 Scoping
– Negotiate any proposed changes in audit scope
– Report self-identified gaps

13 Fieldwork
– Identify documented and undocumented controls
– Review controls for effectiveness
– Test controls for efficiency

14 Reporting
– Provide opinions on control effectiveness and efficiency
– Recommend changes or improvements

15 Benefits of IT Audits
1. Identify areas of risk that were previously unknown
2. Prioritize security expenditures
3. Safeguard shareholder value
4. Help limit liability

16 Penetration Testing and Vulnerability Scanning

17 What’s the goal?
1. See if your people or systems can be “hacked”
2. See Goal #1

18 Types of Testing and Evaluation
– Passive vs. Active
– Vulnerability Scans vs. Penetration Testing
– Internal vs. External
– Social Engineering

19 Passive Testing
– Report only
– Limited depth of scan
– Easy to automate
– Considered a safe scan

20 Active Testing
– Attempts to exploit vulnerabilities
– Uses context to build reports
– Can be automated
– Higher risk of system failures

21 Vulnerability Scanning
– Scans networks or hosts for vulnerabilities:
  – Software bugs
  – Missing patches
  – Configuration errors
– High false-positive rates – typically not context-sensitive
– Typically passive scanning
– Needs validation:
  – Penetration testing
  – Manual configuration checks
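The validation step called for in slides 21 and 22, as an added example that is not part of the original presentation: scanner findings (constructed here) are triaged against facts a manual configuration check collected, so that banner-based guesses contradicted by the real configuration are marked false positives, behaviour the scanner actually observed is confirmed, and version-only claims on hosts with vendor backports are sent for manual review. Host names, settings and the evidence labels are assumptions for the illustration.

```python
"""Triage constructed scanner findings against manually verified host facts."""
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    title: str
    evidence: str    # "banner": inferred from a version string; "observed": scanner saw it
    config_key: str  # setting a manual check can confirm, or "" for a version-only claim
    requires: str    # config value that must be present for the finding to be real


# Constructed ground truth, as a manual configuration check would collect it per host.
HOST_FACTS = {
    "web01": {
        "config": {"PasswordAuthentication": "no", "ssl_protocols": "TLSv1 TLSv1.2"},
        "vendor_backports": True,  # distro ships fixes without bumping the advertised version
    },
}


def triage(f: Finding, facts: dict) -> str:
    """Return confirmed / false-positive / needs-validation / likely for one finding."""
    host = facts.get(f.host)
    if host is None:
        return "needs-validation"        # no ground truth collected for this host yet
    if f.evidence == "observed":
        return "confirmed"               # the active check exercised the weakness itself
    if f.config_key:                     # passive claim that one config setting can settle
        actual = host["config"].get(f.config_key)
        if actual is None:
            return "needs-validation"
        return "confirmed" if f.requires in actual.split() else "false-positive"
    # Version-only claim: with distro backports the banner is an unreliable witness.
    return "needs-validation" if host["vendor_backports"] else "likely"


def triage_report(findings: list, facts: dict) -> dict:
    """Map each finding title to its triage status."""
    return {f.title: triage(f, facts) for f in findings}


# Constructed scanner output for the hosts above.
SCAN = [
    Finding("web01", "SSH permits password authentication", "banner", "PasswordAuthentication", "yes"),
    Finding("web01", "TLS 1.0 negotiated on port 443", "observed", "ssl_protocols", "TLSv1"),
    Finding("web01", "Outdated OpenSSH version in banner", "banner", "", ""),
    Finding("db02", "SMB signing not required", "banner", "RequireSecuritySignature", "0"),
]
```

Running `triage_report(SCAN, HOST_FACTS)` marks the password-authentication finding a false positive, confirms the observed TLS 1.0 handshake, and routes the other two to manual validation.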

22 Penetration Testing
– Validates reported vulnerabilities
– Typically an intrusive process
– Eliminates false positives
– Requires awareness and intelligence
– Dangerous to automate

23 Social Engineering
– Reconnaissance (data mining, dumpster diving)
– Pretexting phone calls
– Phishing emails
– Unauthorized facility access
– Media drops

24 Internal Testing
– Application
– Application Server
– Database
– Operating System

25 External Testing
– Penetration
– Injection
– Data mining
– Privilege elevation
– Redirection

26 Benefits of Testing
– Identify areas where attackers can gain a foothold
– Prioritize security projects and expenditures
– Prove due diligence for insurance and legal purposes
– Provide assurance for shareholders and executive management

27 Summary
– Audits are used to test control effectiveness and efficiency
– You must have existing policies and procedures for an audit to be effective; a gap analysis or risk assessment may be better for your first audit
– Penetration testing helps discover where controls are insufficient
– IT audits and penetration testing work together to validate security

28 Questions & Answers

