
IT Audit Methodologies


IT Audit Methodologies - Overview

- CobiT
- BS 7799 - Code of Practice (CoP)
- BSI - IT Baseline Protection Manual
- ITSEC
- Common Criteria (CC)


IT Audit Methodologies - URLs

- CobiT:
- BS7799:
- BSI:
- ITSEC:



Main Areas of Use

- IT Audits
- Risk Analysis
- Health Checks (Security Benchmarking)
- Security Concepts
- Security Manuals / Handbooks


Security Definition

- Confidentiality
- Integrity
  - Correctness
  - Completeness




CobiT

- Governance, Control & Audit for IT
- Developed by ISACA
- Releases:
  - CobiT 1 (1996): 32 processes, 271 control objectives
  - CobiT 2 (1998): 34 processes, 302 control objectives


CobiT - Model for IT Governance

- 36 control models used as basis:
  - Business control models (e.g. COSO)
  - IT control models (e.g. DTI's CoP)
- CobiT control model covers:
  - Security (Confidentiality, Integrity, Availability)
  - Fiduciary (Effectiveness, Efficiency, Compliance, Reliability of Information)
  - IT Resources (Data, Application Systems, Technology, Facilities, People)


CobiT - Framework


CobiT - Structure

4 domains, 34 processes (high-level control objectives):

- PO - Planning & Organisation: 11 processes
- AI - Acquisition & Implementation: 6 processes
- DS - Delivery & Support: 13 processes
- M - Monitoring: 4 processes


PO - Planning and Organisation

- PO 1 Define a Strategic IT Plan
- PO 2 Define the Information Architecture
- PO 3 Determine the Technological Direction
- PO 4 Define the IT Organisation and Relationships
- PO 5 Manage the IT Investment
- PO 6 Communicate Management Aims and Direction
- PO 7 Manage Human Resources
- PO 8 Ensure Compliance with External Requirements
- PO 9 Assess Risks
- PO 10 Manage Projects
- PO 11 Manage Quality


AI - Acquisition and Implementation

- AI 1 Identify Solutions
- AI 2 Acquire and Maintain Application Software
- AI 3 Acquire and Maintain Technology Architecture
- AI 4 Develop and Maintain IT Procedures
- AI 5 Install and Accredit Systems
- AI 6 Manage Changes


DS - Delivery and Support

- DS 1 Define Service Levels
- DS 2 Manage Third-Party Services
- DS 3 Manage Performance and Capacity
- DS 4 Ensure Continuous Service
- DS 5 Ensure Systems Security
- DS 6 Identify and Attribute Costs
- DS 7 Educate and Train Users
- DS 8 Assist and Advise IT Customers
- DS 9 Manage the Configuration
- DS 10 Manage Problems and Incidents
- DS 11 Manage Data
- DS 12 Manage Facilities
- DS 13 Manage Operations


M - Monitoring

- M 1 Monitor the Processes
- M 2 Assess Internal Control Adequacy
- M 3 Obtain Independent Assurance
- M 4 Provide for Independent Audit


CobiT - IT Process Matrix

Each of the 34 IT processes is mapped against:

- Information Criteria: Effectiveness, Efficiency, Confidentiality, Integrity, Availability, Compliance, Reliability
- IT Resources: People, Applications, Technology, Facilities, Data


CobiT - Summary

- Mainly used for IT audits, incl. security aspects
- No detailed evaluation methodology described
- Developed by an international organisation (ISACA)
- Up-to-date: Version 2 released in 1998
- Only high-level control objectives described
- Detailed IT control measures are not documented
- Not very user friendly - learning curve!
- Evaluation results not shown in graphic form
- May be used for self assessments
- Useful aid in implementing IT control systems
- No suitable basis to write security handbooks
- CobiT package from ISACA: $ 100.--
- 3 parts freely downloadable from the ISACA site
- Software available from Methodware Ltd., NZ: CobiT Advisor 2nd edition, US$ 600.--


BS 7799 - CoP

- Code of Practice for Information Security Management
- Developed by the UK DTI; published by BSI (British Standards Institution) as a British Standard
- Releases:
  - CoP: 1993
  - BS 7799 Part 1: 1995
  - BS 7799 Part 2: 1998
- Certification & accreditation scheme (c:cure)


BS 7799 - Security Baseline Controls

- 10 control categories
- 32 control groups
- 109 security controls
- 10 security key controls


BS 7799 - Control Categories

1. Information security policy
2. Security organisation
3. Assets classification & control
4. Personnel security
5. Physical & environmental security
6. Computer & network management
7. System access control
8. Systems development & maintenance
9. Business continuity planning
10. Compliance


BS7799 - 10 Key Controls

1. Information security policy document
2. Allocation of information security responsibilities
3. Information security education and training
4. Reporting of security incidents
5. Virus controls
6. Business continuity planning process
7. Control of proprietary software copying
8. Safeguarding of organizational records
9. Data protection
10. Compliance with security policy


BS7799 - Summary

- Main use: Security concepts & health checks
- No evaluation methodology described
- British Standard, developed by UK DTI
- Certification scheme in place (c:cure)
- BS7799 Part 1 (1995) is being revised in 1999
- Lists 109 ready-to-use security controls
- No detailed security measures described
- Very user friendly - easy to learn
- Evaluation results not shown in graphic form
- May be used for self assessments
- Prices: BS7799 Part 1: 94.--; BS7799 Part 2: 36.--; BSI electronic book of Part 1: 190.-- + VAT
- Several BS7799 c:cure publications from BSI
- CoP-iT software from SMH, UK: 349 + VAT


BSI (Bundesamt für Sicherheit in der Informationstechnik)

- IT Baseline Protection Manual (IT-Grundschutzhandbuch)
- Developed by the German BSI (GISA: German Information Security Agency)
- Releases:
  - IT security manual: 1992
  - IT baseline protection manual: 1995
  - New versions (paper and CD-ROM): each year


BSI - Approach

- Used to determine IT security measures for medium-level protection requirements
- Straightforward approach, since no detailed risk analysis is performed
- Detailed protection measures are assembled from given building blocks (modules), based on generic and platform-specific security requirements
- The list of assembled security measures may be used to establish or enhance baseline protection


BSI - Structure

- IT security measures (modules): 7 areas, 34 modules (building blocks)
- Safeguards catalogue: 6 categories of security measures
- Threats catalogue: 5 categories of threats


BSI - Security Measures (Modules)

7 areas (chapters 3 to 9 of the manual):

- 3 Protection for generic components
- 4 Infrastructure
- 5 Non-networked systems
- 6 LANs
- 7 Data transfer systems
- 8 Telecommunications
- 9 Other IT components


BSI - Generic Components

- 3.1 Organisation
- 3.2 Personnel
- 3.3 Contingency Planning
- 3.4 Data Protection


BSI - Infrastructure

- 4.1 Buildings
- 4.2 Cabling
- 4.3 Rooms
  - 4.3.1 Office
  - 4.3.2 Server Room
  - 4.3.3 Storage Media Archives
  - 4.3.4 Technical Infrastructure Room
- 4.4 Protective Cabinets
- 4.5 Home Working Place


BSI - Non-Networked Systems

- 5.1 DOS PC (single user)
- 5.2 UNIX System
- 5.3 Laptop
- 5.4 DOS PC (multiuser)
- 5.5 Non-networked Windows NT computer
- 5.6 PC with Windows 95
- 5.99 Stand-alone IT systems

BSI - LANs

- 6.1 Server-Based Network
- 6.2 Networked Unix Systems
- 6.3 Peer-to-Peer Network
- 6.4 Windows NT Network
- 6.5 Novell Netware 3.x
- 6.6 Novell Netware 4.x
- 6.7 Heterogeneous Networks


BSI - Data Transfer Systems

- 7.1 Data Carrier Exchange
- 7.2 Modem
- 7.3 Firewall
- 7.4 E-mail


BSI - Telecommunications

- 8.1 Telecommunication System
- 8.2 Fax Machine
- 8.3 Telephone Answering Machine
- 8.4 LAN Integration of an IT System via ISDN


BSI - Other IT Components

- 9.1 Standard Software
- 9.2 Databases
- 9.3 Telecommuting


BSI - Module Data Protection (3.4)

Note: "data protection" in this module is the manual's rendering of the German Datensicherung, i.e. data backup and recovery, not privacy (Datenschutz); the safeguard S 2.137 below makes this explicit.

Threats:
- T 4.13 Technical failure: Loss of stored data

Security measures - Contingency planning:
- S 6.36 Stipulating a minimum data protection concept
- S 6.37 Documenting data protection procedures
- S 6.33 Development of a data protection concept (optional)
- S 6.34 Determining the factors influencing data protection (optional)
- S 6.35 Stipulating data protection procedures (optional)
- S 6.41 Training data reconstruction

Security measures - Organisation:
- S 2.41 Employees' commitment to data protection
- S 2.137 Procurement of a suitable data backup system


BSI - Safeguards (420 safeguards)

- S1 - Infrastructure (45 safeguards)
- S2 - Organisation (153 safeguards)
- S3 - Personnel (22 safeguards)
- S4 - Hardware & Software (83 safeguards)
- S5 - Communications (62 safeguards)
- S6 - Contingency Planning (55 safeguards)


BSI - S1 Infrastructure (45 safeguards), examples

- S 1.7 Hand-held fire extinguishers
- S 1.10 Use of safety doors
- S 1.17 Entrance control service
- S 1.18 Intruder and fire detection devices
- S 1.27 Air conditioning
- S 1.28 Local uninterruptible power supply (UPS)
- S 1.36 Safekeeping of data carriers before and after dispatch


BSI - Security Threats (209 threats)

- T1 - Force Majeure (10 threats)
- T2 - Organisational Shortcomings (58 threats)
- T3 - Human Errors (31 threats)
- T4 - Technical Failure (32 threats)
- T5 - Deliberate Acts (78 threats)



BSI - T3 Human Errors (31 threats), examples

- T 3.1 Loss of data confidentiality/integrity as a result of IT user error
- T 3.3 Non-compliance with IT security measures
- T 3.6 Threat posed by cleaning staff or outside staff
- T 3.9 Incorrect management of the IT system
- T 3.12 Loss of storage media during transfer
- T 3.16 Incorrect administration of site and data access rights
- T 3.24 Inadvertent manipulation of data
- T 3.25 Negligent deletion of objects


BSI - Summary

- Main use: Security concepts & manuals
- No evaluation methodology described
- Developed by the German BSI (GISA)
- Updated version released each year
- Lists 209 threats & 420 security measures
- 34 modules cover generic & platform-specific security requirements
- User friendly, with a lot of security details
- Not suitable for security risk analysis
- Results of security coverage not shown in graphic form
- Manual in HTML format on the BSI web server
- Manual in Winword format on CD-ROM (first CD free, additional CDs DM 50.-- each)
- Paper copy of manual: DM 118.--
- Software BSI Tool (German only): DM 515.--


ITSEC, Common Criteria

ITSEC: IT Security Evaluation Criteria
- Developed by UK, Germany, France and the Netherlands; based primarily on the US TCSEC (Orange Book)
- Releases:
  - ITSEC: 1991
  - ITSEM: 1993 (IT Security Evaluation Manual)
  - UK IT Security Evaluation & Certification scheme: 1994

Common Criteria (CC)
- Developed by USA and EC; based on ITSEC
- ISO International Standard
- Releases:
  - CC 1.0: 1996
  - CC 2.0: 1998
  - ISO IS 15408: 1999


ITSEC - Methodology

- Based on a systematic, documented approach for security evaluations of systems & products
- Open-ended with regard to the defined set of security objectives:
  - ITSEC functionality classes, e.g. F-C2
  - CC protection profiles
- Definition of functionality
- Assurance: confidence in the functionality
- Evaluation steps:


ITSEC - Functionality

- Security objectives (Why): risk analysis (threats, countermeasures), security policy
- Security enforcing functions (What): technical & non-technical
- Security mechanisms (How)
- Evaluation levels


ITSEC - Assurance

Goal: confidence in functions & mechanisms

- Correctness:
  - Construction (development process & environment)
  - Operation (process & environment)
- Effectiveness:
  - Suitability analysis
  - Strength of mechanism analysis
  - Vulnerabilities (construction & operation)



CC - Security Concept


CC - Evaluation Goal


CC - Documentation

- CC Part 1 - Introduction and Model
  - Introduction to terms and model
  - Requirements for Protection Profiles (PP) and Security Targets (ST)
- CC Part 2 - Functional Requirements
  - Functional Classes, Functional Families, Functional Components
  - Detailed requirements
- CC Part 3 - Assurance Requirements
  - Assurance Classes, Assurance Families, Assurance Components
  - Detailed requirements
  - Evaluation Assurance Levels (EAL)


CC - Security Requirements

- Functional requirements: for defining the security behaviour of the IT product or system; implemented requirements become security functions
- Assurance requirements: for establishing confidence in the security functions: correctness of implementation, effectiveness in satisfying objectives


CC - Security Functional Classes

- Audit
- Communications
- Cryptographic Support
- User Data Protection
- Identification & Authentication
- Security Management
- Privacy
- Protection of TOE Security Functions
- Resource Utilization
- TOE (Target Of Evaluation) Access
- Trusted Path / Channels


CC - Security Assurance Classes

- Configuration Management
- Delivery & Operation
- Development
- Guidance Documents
- Life Cycle Support
- Tests
- Vulnerability Assessment
- Protection Profile Evaluation
- Security Target Evaluation
- Maintenance of Assurance


CC - Evaluation Assurance Levels (EALs)

Level   Description                                   Approx. TCSEC* class
EAL1    Functionally Tested                           -
EAL2    Structurally Tested                           C1
EAL3    Methodically Tested & Checked                 C2
EAL4    Methodically Designed, Tested & Reviewed      B1
EAL5    Semiformally Designed & Tested                B2
EAL6    Semiformally Verified Design & Tested         B3
EAL7    Formally Verified Design & Tested             A1

*TCSEC = Trusted Computer System Evaluation Criteria (Orange Book)


ITSEC, CC - Summary

- Used primarily for security evaluations, not for generalised IT audits
- Defines an evaluation methodology
- Based on an International Standard (ISO 15408)
- Certification scheme in place
- Updated & enhanced on a yearly basis
- Includes extensible standard sets of security requirements (Protection Profile libraries)


Comparison of Methods - Criteria

- Standardisation
- Independence
- Certifiability
- Applicability in practice
- Adaptability
- Extent of Scope
- Presentation of Results
- Efficiency
- Update frequency
- Ease of Use


Comparison of Methods - Results

Criterion                   CobiT   BS 7799   BSI   ITSEC/CC
Standardisation              3.4     3.3      3.1     3.9
Independence                 3.3     3.6      3.5     3.9
Certifiability               2.7     3.3      3.0     3.7
Applicability in practice    2.8     3.0      3.1     2.5
Adaptability                 3.3     2.8      3.3     3.0
Extent of Scope              3.1     2.9      2.7     2.6
Presentation of Results      1.9     2.2      2.6     1.7
Efficiency                   3.0     2.8      3.0     2.5
Update frequency             3.1     2.4      3.4     2.8
Ease of Use                  2.3     2.7      2.8     2.0

Scores between 1 (low) and 4 (high). Columns follow the order of the deck (CobiT, BS 7799, BSI, ITSEC/CC); only the BS 7799 column header survived extraction. Scores for CobiT, BS7799 and BSI from the ISACA Swiss chapter; scores for ITSEC/CC from H.P. Winiger.

CobiT - Assessment

BS 7799 - Assessment

BSI - Assessment

ITSEC/CC - Assessment

Use of Methods for IT Audits

- CobiT: audit method for all IT processes
- ITSEC, CC: systematic approach for evaluations
- BS7799, BSI: lists of detailed security measures, to be used as best-practice documentation

What is needed in addition:

- Audit concept (general aspects, infrastructure audits, application audits)
- Detailed audit plans, checklists and tools for technical audits (operating systems, LANs, etc.)

Thank you for your interest in IT Audit Methodologies