IT Audit Methodologies
CobiT
ITSEC
CobiT: www.isaca.org
BS7799: www.bsi.org.uk/disc/
BSI: www.bsi.bund.de/gshb/english/menue.htm
ITSEC: www.itsec.gov.uk
CC: csrc.nist.gov/cc/
IT Audits
Risk Analysis
Security Concepts
Security Definition
Confidentiality
Integrity
Correctness
Completeness
Availability
CobiT
Developed by ISACA
Releases
CobiT 1: 1996
32 Processes
CobiT 2: 1998
34 Processes
CobiT - Framework
CobiT - Structure
4 Domains
M - Monitoring
PO 1
PO 2
PO 3
PO 4
PO 5
PO 6
PO 7
PO 8
PO 9
Assess Risks
PO 10
Manage Projects
PO 11
Manage Quality
AI 1
Identify Solutions
AI 2
AI 3
AI 4
AI 5
AI 6
Manage Changes
DS 1
DS 8
DS 2
DS 9
DS 3
DS 10
DS 11
Manage Data
DS 12
Manage Facilities
DS 13
Manage Operations
DS 4
DS 5
DS 6
DS 7
M - Monitoring
M1
M2
M3
M4
IT Resources
People
Applications
Technology
Facilities
Data
IT Processes
CobiT - Summary
CobiT - Summary
BS 7799 - CoP
Releases
CoP: 1993
10 control categories
32 control groups
Security organisation
Personnel security
Compliance
Virus controls
Data protection
BS7799 - Summary
BS7799 - Summary
BS7799, Part 1: 94.--
BS7799, Part 2: 36.--
Releases:
BSI - Approach
BSI - Approach
BSI - Structure
IT security measures
7 areas
Safeguards catalogue
Threats catalogue
5 categories of threats
Infrastructure
Non-networked systems
LANs
Telecommunications
Other IT components
Organisation
Personnel
Contingency Planning
Data Protection
BSI - Infrastructure
4.1 Buildings
4.2 Cabling
4.3 Rooms
4.3.1 Office
4.3.2 Server Room
4.3.3 Storage Media Archives
4.3.4 Technical Infrastructure Room
4.4 Protective cabinets
4.5 Home working place
5.1
5.2
5.3
5.4
5.5
5.6
5.99
BSI - LANs
6.1 Server-Based Network
6.2 Networked Unix Systems
6.3 Peer-to-Peer Network
6.4 Windows NT network
6.5 Novell Netware 3.x
6.6 Novell Netware version 4.x
6.7 Heterogeneous networks
BSI - Telecommunications
8.1 Telecommunication system
8.2 Fax Machine
8.3 Telephone Answering Machine
8.4 LAN integration of an IT system via ISDN
Standard Software
Databases
Telecommuting
S1 - Infrastructure (45 safeguards)
S3 - Personnel
S5 - Communications
(22 safeguards)
(62 safeguards)
S 1.7
S 1.10
S 1.17
S 1.18
S 1.27
S 1.28
S 1.36
dispatch
T 3.1
T 3.3
T 3.6
T 3.9
T 3.12
T 3.16
T 3.24
T 3.25
(31 threats)
BSI - Summary
BSI - Summary
Developed by the UK, Germany, France and the Netherlands, and based primarily on the US TCSEC (Orange Book)
Releases
ITSEC: 1991
Releases
CC 1.0: 1996
CC 2.0: 1998
ITSEC - Methodology
CC protection profiles
Evaluation steps:
Definition of functionality
ITSEC - Functionality
Security policy
Evaluation levels
ITSEC - Assurance
Correctness
Effectiveness
Suitability analysis
CC - Security Concept
CC - Evaluation Goal
CC - Documentation
CC Part 3
Assurance Requirements
CC Part 2
Functional Requirements
CC Part 1
Approach
Functional Classes
Functional Families
Functional Components
Detailed Requirements
Assurance Classes
Assurance Families
Assurance Components
Detailed Requirements
Evaluation Assurance Levels (EAL)
CC - Security Requirements
Functional Requirements
Assurance Requirements
IT product or system:
implemented requirements
become security functions
Functions:
correctness of implementation
effectiveness in satisfying
objectives
Name
FAU - Audit
FCO - Communications
FCS - Cryptographic Support
FDP - User Data Protection
FIA - Identification & Authentication
FMT - Security Management
FPR - Privacy
FPT - Protection of TOE Security Functions
FRU - Resource Utilization
FTA - TOE (Target Of Evaluation) Access
FTP - Trusted Path / Channels
Name
ACM - Configuration Management
ADO
ADV
AGD
ALC
ATE
AVA
APE
ASE
AMA
Name
EAL1 - Functionally Tested
EAL2 - Structurally Tested
EAL3 - Methodically Tested & Checked
EAL4 - Methodically Designed, Tested & Reviewed
EAL5 - Semiformally Designed & Tested
EAL6 - Semiformally Verified Design & Tested
EAL7 - Formally Verified Design & Tested
*TCSEC: C1, C2, B1, B2, B3, A1
ITSEC, CC - Summary
Used primarily for security evaluations and not for generalized IT audits
Standardisation
Independence
Certifiability
Applicability in practice
Adaptability
Extent of Scope
Presentation of Results
Efficiency
Update frequency
Ease of Use
CobiT
BS 7799
BSI
3.4
3.3
2.7
2.8
3.3
3.1
1.9
3.0
3.1
2.3
3.3
3.6
3.3
3.0
2.8
2.9
2.2
2.8
2.4
2.7
3.1
3.5
3.0
3.1
3.3
2.7
2.6
3.0
3.4
2.8
ITSEC/CC
3.9
3.9
3.7
2.5
3.0
2.6
1.7
2.5
2.8
2.0
Scores between 1 (low) and 4 (high). Scores for CobiT, BS7799 and BSI are from the ISACA Swiss chapter; the score for ITSEC/CC is from H.P. Winiger.
CobiT - Assessment
BS 7799 - Assessment
BSI - Assessment
ITSEC/CC - Assessment
Detailed audit plans, checklists, tools for technical audits (operating systems, LANs, etc.)
Thank you for your interest in IT Audit Methodologies