It Auditmethodologies 110527045713 Phpapp02

IT Audit
Methodologies
IT Audit Methodologies
IT Audit Methodoloies
CobiT
BS 7799 - Code of Practice (CoP)
BSI - IT Baseline Protection Manual
ITSEC
Common Criteria (CC)
IT Audit Methodologies - URLs
CobiT:
www.isaca.org
BS7799: www.bsi.org.uk/disc/
BSI:
ITSEC: www.itsec.gov.uk
CC:
www.bsi.bund.de/gshb/english/menue.htm
csrc.nist.gov/cc/
Main Areas of Use
IT Audits
Risk Analysis
Health Checks (Security Benchmarking)
Security Concepts
Security Manuals / Handbooks
Security Definition
Confidentiality
Integrity
Correctness
Completeness
Availability
CobiT
Governance, Control & Audit for IT
Developed by ISACA
Releases
CobiT 1: 1996
32 Processes
271 Control Objectives
CobiT 2: 1998
34 Processes
302 Control Objectives
CobiT - Model for IT Governance
36 Control models used as basis:
Business control models (e.g. COSO)
IT control models (e.g. DTIs CoP)
CobiT control model covers:
Security (Confidentiality, Integrity, Availability)
Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
IT Resources (Data, Application Systems, Technology, Facilities, People)
CobiT - Framework
CobiT - Structure
4 Domains
PO - Planning & Organisation
AI - Acquisition & Implementation
6 processes (high-level control objectives)
DS - Delivery & Support
M - Monitoring
PO - Planning and Organisation
PO 1
Define a Strategic IT Plan
PO 2
Define the Information Architecture
PO 3
Determine the Technological Direction
PO 4
Define the IT Organisation and Relationships
PO 5
Manage the IT Investment
PO 6
Communicate Management Aims and Direction
PO 7
Manage Human Resources
PO 8
Ensure Compliance with External Requirements
PO 9
Assess Risks
PO 10
Manage Projects
PO 11
Manage Quality
AI - Acquisition and Implementation
AI 1
Identify Solutions
AI 2
Acquire and Maintain Application Software
AI 3
Acquire and Maintain Technology Architecture
AI 4
Develop and Maintain IT Procedures
AI 5
Install and Accredit Systems
AI 6
Manage Changes
DS - Delivery and Support
DS 1
Define Service Levels
DS 8
Assist and Advise IT Customers
DS 2
Manage Third-Party Services
DS 9
Manage the Configuration
DS 3
Manage Performance and

Capacity
DS 10
Manage Problems and Incidents
DS 11
Manage Data
DS 12
Manage Facilities
DS 13
Manage Operations
DS 4
Ensure Continuous Service
DS 5
Ensure Systems Security
DS 6
Identify and Attribute Costs
DS 7
Educate and Train Users
M - Monitoring
M1
Monitor the Processes
M2
Assess Internal Control Adequacy
M3
Obtain Independent Assurance
M4
Provide for Independent Audit
CobiT - IT Process Matrix

Information Criteria
Effectiveness
Efficiency
Confidentiality
Integrity
Availability
Compliance
Reliability
IT Resources
People
Applications
Technology
Facilities
Data
IT Processes
Microsoft Excel-T abelle
CobiT - Summary
Mainly used for IT audits, incl. security aspects
No detailed evaluation methodology described
Developed by international organisation (ISACA)
Up-to-date: Version 2 released in 1998
Only high-level control objectives described
Detailed IT control measures are not documented
Not very user friendly - learning curve!
Evaluation results not shown in graphic form
CobiT - Summary
May be used for self assessments
Useful aid in implementing IT control systems
No suitable basis to write security handbooks
CobiT package from ISACA: $ 100.--
3 parts freely downloadable from ISACA site
Software available from Methodware Ltd., NZ (www.methodware.co.nz)
CobiT Advisor 2nd edition: US$ 600.--
BS 7799 - CoP
Code of Practice for Inform. Security Manag.
Developed by UK DTI, BSI: British Standard
Releases
CoP: 1993
BS 7799: Part 1: 1995
BS 7799: Part 2: 1998
Certification & Accreditation scheme (c:cure)
BS 7799 - Security Baseline Controls
10 control categories
32 control groups
109 security controls
10 security key controls
BS 7799 - Control Categories
Information security policy
Security organisation
Assets classification & control
Personnel security
Physical & environmental security
Computer & network management
BS 7799 - Control Categories
System access control
Systems development & maintenance
Business continuity planning
Compliance
BS7799 - 10 Key Controls
Information security policy document
Allocation of information security responsibilities
Information security education and training
Reporting of security incidents
Virus controls
BS7799 - 10 Key Controls
Business continuity planning process
Control of proprietary software copying
Safeguarding of organizational records
Data protection
Compliance with security policy
BS7799 - Summary
Main use: Security Concepts & Health Checks
No evaluation methodology described
British Standard, developed by UK DTI
Certification scheme in place (c:cure)
BS7799, Part1, 1995 is being revised in 1999
Lists 109 ready-to-use security controls
No detailed security measures described
Very user friendly - easy to learn
BS7799 - Summary
Evaluation results not shown in graphic form
May be used for self assessments
BS7799, Part1:
94.--
BS7799, Part2:
36.--
BSI Electronic book of Part 1: 190.-- + VAT
Several BS7799 c:cure publications from BSI
CoP-iT software from SMH, UK: 349+VAT (www.smhplc.com)
BSI (Bundesamt fr Sicherheit in der

Informationstechnik)
IT Baseline Protection Manual

(IT- Grundschutzhandbuch )
Developed by German BSI (GISA: German Information Security Agency)
Releases:
IT security manual: 1992
IT baseline protection manual: 1995
New versions (paper and CD-ROM): each year
BSI - Approach
BSI - Approach
Used to determine IT security measures for medium-level protection requirements
Straight forward approach since detailed risk analysis is not performed
Based on generic & platform specific security requirements detailed protection

measures are constructed using given building blocks
List of assembled security measures may be used to establish or enhance baseline

protection
BSI - Structure
IT security measures
7 areas
34 modules (building blocks)
Safeguards catalogue
6 categories of security measures
Threats catalogue
5 categories of threats
BSI - Security Measures (Modules)
Protection for generic components
Infrastructure
Non-networked systems
LANs
Data transfer systems
Telecommunications
Other IT components
BSI - Generic Components

3.1
3.2
3.3
3.4
Organisation
Personnel
Contingency Planning
Data Protection
BSI - Infrastructure
4.1
4.2
4.3
4.3.1
4.3.2
4.3.3
4.3.4
4.4
4.5
Buildings
Cabling
Rooms
Office
Server Room
Storage Media Archives
Technical Infrastructure Room
Protective cabinets
Home working place
BSI - Non-Networked Systems
5.1
5.2
5.3
5.4
5.5
5.6
5.99
DOS PC (Single User)

UNIX System
Laptop
DOS PC (multiuser)
Non-networked Windows NT computer
PC with Windows 95
Stand-alone IT systems
BSI - LANs
6.1
6.2
6.3
6.4
6.5
6.6
6.7
Server-Based Network
Networked Unix Systems
Peer-to-Peer Network
Windows NT network
Novell Netware 3.x
Novell Netware version 4.x
Heterogeneous networks
BSI - Data Transfer Systems

7.1
7.2
7.3
7.4
Data Carrier Exchange

Modem
Firewall
E-mail
BSI - Telecommunications
8.1
8.2
8.3
8.4
Telecommunication system
Fax Machine
Telephone Answering Machine
LAN integration of an IT system via ISDN
BSI - Other IT Components

9.1
9.2
9.3
Standard Software
Databases
Telecommuting
BSI - Module Data Protection (3.4)

Threats - Technical failure:
T 4.13 Loss of stored data
Security Measures - Contingency planning:
S 6.36 Stipulating a minimum data protection concept
S 6.37 Documenting data protection procedures
S 6.33 Development of a data protection concept (optional)
S 6.34 Determining the factors influencing data protection (optional)
S 6.35 Stipulating data protection procedures (optional)
S 6.41 Training data reconstruction
Security Measures - Organisation:
S 2.41 Employees' commitment to data protection
S 2.137 Procurement of a suitable data backup system
BSI - Safeguards (420 safeguards)
S1 - Infrastructure( 45 safeguards)
S2 - Organisation (153 safeguards)
S3 - Personnel
S4 - Hardware & Software ( 83 safeguards)
S5 - Communications
S6 - Contingency Planning ( 55 safeguards)
( 22 safeguards)
( 62 safeguards)
BSI - S1-Infrastructure (45 safeguards)
S 1.7
S 1.10
S 1.17
S 1.18
S 1.27
S 1.28
S 1.36
Hand-held fire extinguishers

Use of safety doors
Entrance control service
Intruder and fire detection devices
Air conditioning
Local uninterruptible power supply [UPS]
Safekeeping of data carriers before and after
dispatch
BSI - Security Threats (209 threats)
T1 - Force Majeure (10 threats)
T2 - Organisational Shortcomings (58 threats)
T3 - Human Errors (31 threats)
T4 - Technical Failure (32 threats)
T5 - Deliberate acts (78 threats)
BSI - T3-Human Errors
T 3.1
T 3.3
T 3.6
T 3.9
T 3.12
T 3.16
T 3.24
T 3.25
(31 threats)
Loss of data confidentiality/integrity as a result of IT user error

Non-compliance with IT security measures
Threat posed by cleaning staff or outside staff
Incorrect management of the IT system
Loss of storage media during transfer
Incorrect administration of site and data access rights
Inadvertent manipulation of data
Negligent deletion of objects
BSI - Summary
Main use: Security concepts & manuals
No evaluation methodology described
Developed by German BSI (GISA)
Updated version released each year
Lists 209 threats & 420 security measures
34 modules cover generic & platform specific security requirements
BSI - Summary
User friendly with a lot of security details
Not suitable for security risk analysis
Results of security coverage not shown in graphic form
Manual in HTML format on BSI web server
Manual in Winword format on CD-ROM

(first CD free, additional CDs cost DM 50.-- each)
Paper copy of manual: DM 118.--
Software BSI Tool (only in German): DM 515.--
ITSEC, Common Criteria
ITSEC: IT Security Evaluation Criteria
Developed by UK, Germany, France, Netherl. and based primarily on USA TCSEC (Orange
Book)
Releases
ITSEC: 1991
ITSEM: 1993 (IT Security Evaluation Manual)
UK IT Security Evaluation & Certification scheme: 1994
ITSEC, Common Criteria
Common Criteria (CC)
Developed by USA, EC: based on ITSEC
ISO International Standard
Releases
CC 1.0: 1996
CC 2.0: 1998
ISO IS 15408: 1999
ITSEC - Methodology
Based on systematic, documented approach for security evaluations of systems &

products
Open ended with regard to defined set of security objectives
ITSEC Functionality classes; e.g. FC-C2
CC protection profiles
Evaluation steps:
Definition of functionality
Assurance: confidence in functionality
ITSEC - Functionality
Security objectives (Why)
Risk analysis (Threats, Countermeasures)
Security policy
Security enforcing functions (What)
technical & non-technical
Security mechanisms (How)
Evaluation levels
ITSEC - Assurance
Goal: Confidence in functions & mechanisms
Correctness
Construction (development process & environment)
Operation (process & environment)
Effectiveness
Suitability analysis
Strength of mechanism analysis
Vulnerabilities (construction & operation)
CC - Security Concept
CC - Evaluation Goal
CC - Documentation
CC Part 3
Assurance Requirements
CC Part 2
Functional Requirements
CC Part 1
Introduction and Model

Introduction to
Approach
Terms and Model

Requirements for
Protection Profiles (PP)

and Security Targets (ST)
Functional Classes
Functional Families
Functional
Components
Detailed Requirements
Assurance Classes
Assurance Families
Assurance Components
Detailed Requirements
Evaluation Assurance
Levels (EAL)
CC - Security Requirements
Functional Requirements
Assurance Requirements
for defining security behavior of the
for establishing confidence in Security
IT product or system:
implemented requirements
become security functions
Functions:
correctness of implementation
effectiveness in satisfying
objectives
CC - Security Functional Classes

Class
Name
FAU
FCO
FCS
FDP
FIA
FMT
FPR
FPT
FRU
FTA
FTP
Audit
Communications
Cryptographic Support
User Data Protection
Identification & Authentication
Security Management
Privacy
Protection of TOE Security Functions
Resource Utilization
TOE (Target Of Evaluation) Access
Trusted Path / Channels
CC - Security Assurance Classes

Class
Name
ACM
ADO
ADV
AGD
ALC
ATE
AVA
APE
ASE
AMA
Configuration Management
Delivery & Operation

Development
Guidance Documents
Life Cycle Support
Tests
Vulnerability Assessment
Protection Profile Evaluation
Security Target Evaluation
Maintenance of Assurance
CC - Eval. Assurance Levels (EALs)

EAL
Name
EAL1
EAL2
EAL3
EAL4
EAL5
EAL6
EAL7
Functionally Tested
Structurally Tested
Methodically Tested & Checked
Methodically Designed, Tested & Reviewed
Semiformally Designed & Tested
Semiformally Verified Design & Tested
Formally Verified Design & Tested
*TCSEC = Trusted Computer Security Evaluation Criteria --Orange Book
*TCSEC
C1
C2
B1
B2
B3
A1
ITSEC, CC - Summary
Used primarily for security evaluations and not for generalized IT audits
Defines evaluation methodology
Based on International Standard (ISO 15408)
Certification scheme in place
Updated & enhanced on a yearly basis
Includes extensible standard sets of security requirements (Protection Profile libraries)
Comparison of Methods - Criteria
Standardisation
Independence
Certifiability
Applicability in practice
Adaptability
Comparison of Methods - Criteria
Extent of Scope
Presentation of Results
Efficiency
Update frequency
Ease of Use
Comparison of Methods - Results

Standardisation
Independence
Certifyability
Applicability in practice
Adaptability
Extent of Scope
Presentation of Results
Efficiency
Update frequency
Ease of Use
CobiT
BS 7799
BSI
3.4
3.3
2.7
2.8
3.3
3.1
1.9
3.0
3.1
2.3
3.3
3.6
3.3
3.0
2.8
2.9
2.2
2.8
2.4
2.7
3.1
3.5
3.0
3.1
3.3
2.7
2.6
3.0
3.4
2.8
ITSEC/CC
3.9
3.9
3.7
2.5
3.0
2.6
1.7
2.5
2.8
2.0
Scores between 1 (low) and 4 (high) - Scores for CobiT, BS7799, BSI from ISACA Swiss chapter; score for ITSEC/CC form H.P. Winiger
CobiT - Assessment
BS 7799 - Assessment
BSI - Assessment
ITSEC/CC - Assessment
Use of Methods for IT Audits
CobiT: Audit method for all IT processes
ITSEC, CC: Systematic approach for evaluations
BS7799, BSI: List of detailed security measures to be used as best practice

documentation
Detailed audit plans, checklists, tools for technical audits (operating systems, LANs,
etc.)
What is needed in addition:
Audit concept (general aspects, infrastructure audits, application audits)
Herzlichen Dank
fr Ihr Interesse an

It Auditmethodologies 110527045713 Phpapp02

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

It Auditmethodologies 110527045713 Phpapp02

Hochgeladen von

Copyright:

Verfügbare Formate

IT Audit

BS 7799 - Code of Practice (CoP)

BSI - IT Baseline Protection Manual

Common Criteria (CC)

IT Audit Methodologies - URLs

Main Areas of Use

Health Checks (Security Benchmarking)

Security Manuals / Handbooks

Governance, Control & Audit for IT

271 Control Objectives

302 Control Objectives

CobiT - Model for IT Governance

36 Control models used as basis:

Business control models (e.g. COSO)

IT control models (e.g. DTIs CoP)

CobiT control model covers:

Security (Confidentiality, Integrity, Availability)

Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)

IT Resources (Data, Application Systems, Technology, Facilities, People)

PO - Planning & Organisation

AI - Acquisition & Implementation

6 processes (high-level control objectives)

DS - Delivery & Support

11 processes (high-level control objectives)

13 processes (high-level control objectives)

4 processes (high-level control objectives)

PO - Planning and Organisation

Define a Strategic IT Plan

Define the Information Architecture

Determine the Technological Direction

Define the IT Organisation and Relationships

Manage the IT Investment

Communicate Management Aims and Direction

Manage Human Resources

Ensure Compliance with External Requirements

AI - Acquisition and Implementation

Acquire and Maintain Application Software

Acquire and Maintain Technology Architecture

Develop and Maintain IT Procedures

Install and Accredit Systems

DS - Delivery and Support

Define Service Levels

Assist and Advise IT Customers

Manage Third-Party Services

Manage the Configuration

Manage Performance and

Manage Problems and Incidents

Ensure Continuous Service

Ensure Systems Security

Identify and Attribute Costs

Educate and Train Users

Monitor the Processes

Assess Internal Control Adequacy

Obtain Independent Assurance

Provide for Independent Audit

CobiT - IT Process Matrix

Mainly used for IT audits, incl. security aspects

No detailed evaluation methodology described

Developed by international organisation (ISACA)

Up-to-date: Version 2 released in 1998

Only high-level control objectives described

Detailed IT control measures are not documented