Practical IT General Controls

Applications
Set of programs designed to carry out operations for a specific application. Application software cannot run in the absence of an operating system.
Examples: SAP, People Soft, Oracle EBS, Sage, Pastel
Tolence Fambayi (CISA, CFE, FICO (SAP))
PRACTICAL IT GENERAL CONTROLS REVIEW
SESSION OBJECTIVES
Overview of IT General Controls
Cobit 5 Framework
IT General Controls Scope Areas
Planning and executing a risk based IT General Controls review
Infrastructure/logical security
User access
Physical security/environmental controls
Change management
Disaster recovery/business continuity
What are IT General Controls?
Controls designed to cover the organisation's IT infrastructure rather than specific applications
IT General controls help ensure CIA:
Completeness
Integrity
Availability
Contribute to safeguarding data and promotion of regulatory compliance
Key control assessment would focus on IT General controls and application-specific controls (Not covered)
Examples Of Available Frameworks
COBIT - Control Objective for Information Technology
COSO - Most widely used internal control framework (commonly used for SOX compliance)
ISO 17799/27001 - Detailed information security standards (commonly used to benchmark a company's policies/standards
COBIT 5.0 Framework (1/3)
Control Objectives for Information and Related Technology
IT governance framework issued by ISACA (free)
Control objectives for safeguarding information assets
5.0 released in xxx (First published in 1996)
COBIT 5.0 Framework (2/3)
Contains 210 detailed control objectives
COBIT control practices (for COBIT subscribers)
IT Assurance Guide (for ISACA members)
Framework adopted by many companies to comply with legislation such as SOX
COBIT 5.0 Framework (3/3)
Contains 210 detailed control objectives
COBIT control practices (for COBIT subscribers)
IT Assurance Guide (for ISACA members)
Framework adopted by many companies to comply with legislation such as SOX
Infrastructure Platforms
Operating Systems
Controls program execution, allocation of hardware resources, access to programs, etc
Examples: Windows, Linux, Unix, Mainframe, IOS
Database Management Systems (DBMS)
System of programs used to define, maintain, and manage access to large collections of data
Examples: Oracle, DB2, SQL Server
Logical security controls should ensure confidentiality, integrity and availability over systems and data
Strong authentication controls should prevent user accounts from being compromised
File shares should be adequately restricted to appropriate users
Patches/system updates should be applied timely
Logical Security (DS5) Overvies (1/2 )
Logical Security (DS5) Overvies (2/2 )
Network services should be closed unless necessary for business reasons
Anti-virus software should be installed and up-to-date
Sensitive data should be encrypted
Logical Security Risks (1/2)
Authentication controls may not provide reasonable measures to protect against unauthorised access
Excessive file shares allowing inappropriate access to sensitive data
Systems may be susceptible to extended downtime, viruses, unauthorised access, or other malicious activity due to outdated patches and virus updates
Logical Security Risks (2/2)
Inadequate protection over sensitive data resulting in unintended disclosure
Unnecessary network services may be exploited to gain unauthorised access to sensitive data
Logical Security - Audit Tests (1/2)
Compare password controls (e.g. length, complexity, etc) to organisational standards or best practice
Review network file shares for appropriateness and necessity
Ensure sensitive information is not inappropriately shared
Evaluate process to apply patches or updates to systems
Ensure patches are applied timely to remediate known vulnerabilities
Logical Security - Audit Tests (2/2)
Observe anti-virus settings to ensure definitions are up-to-date
Determine if drives are being scanned regularly for viruses
Determine if sensitive data is encrypted within databases, on hard drives and during network transmission
Perform security scans to identify vulnerable services unnecessary for the role of the server (e.g. FTP, HTTP, SMTP, Telnet, etc)
User Acess (DS5) - Overview
Users and their system activity should be uniquely identifiable
User access requests, modifications and removals should be documented and approved
Terminated users should have access removed timely
Access levels should be based on a user's responsibilities (least priviledge principle)
Remote access should rely on secure protocols
User Access Risks
Undetected fraudulent/ inappropriate use of critical systems and data
Access granted without valid approval
Access to critical systems and data by unauthorised users
Appropriate access not defined for each specific job role (i.e. role based security)
Remote access to critical data/ systems not configured correctly or using insecure protocols (e.g. modems, public networks)
User Access - Audit Tests
Ensure user administration procedures have been developed and review for adequacy
Review system accounts to determine if any terminated employees/ unauthorised users have active accounts
Evaluate user access, including administrator level accounts for adequacy based on the user's duties
Determine how remote access is granted and recommend the replacement of insecure solutions
Ensure audit logging is enabled on critical systems/accounts and logs are reviewed timely
Physical/Environmental Controls (DS12) - Overview
Physical security/ environmental controls should protect the data centre, server rooms, network closets, and other controlled areas
Access to these areas should be restricted to appropriate personnel to reduce business interruptions from theft or destruction of computer
Monitoring of environmental factors should reduce business interruptions from damage to computer equipment and personnel
Physical/Environmental Controls - Risks
Unauthorised individuals may gain access to sensitive controlled areas and may view, modify or destroy equipment or sensitive information
Unauthorised access to controlled areas may go unnoticed due to improper monitoring
Business disruption in the event of an environmental incident (fire, flood, power failure) because of inadequate protection of IT Assets
Unmanageable network environments and/or extended downtime due to poorly configured wiring within server rooms, communication closets, etc
Physical/Environmental Controls - Audit Tests
Review lists of individuals with access to controlled areas
Review visitor logs to controlled areas
Review maintenance/test logs for environmental control devices
Walkthrough controlled areas to evaluate adequacy of physical and environmental (fire supression and smoke detectors, water/moisture detection sensors, temperature/ humidity sensors)
Change Management Overview
Managing changes addresses how an organisation modifies system functionality to meet business needs
Requests for changes should be documented and follow defined change management procedures
Emergency changes should follow a defined process
Changes should be properly tested to ensure functionality meets defined requirements
Controls should restrict migration of program changes to production by authorised and appropriate individuals
Change Management - Risks
Unauthorised/unapproved changes implemented into production
Changes not adequately logged for monitoring and documentation purposes and to back out changes if changes cause system failure
Incorrect system functionality due to inadequate testing of changes
Developers with access to migrate code into production may implement unauthorised changes
Change Management - Audit Tests
Evaluate change management procedures for adequacy
Compare changes from the request system to implemented changes (usually obtained through system logs) to identify unauthorised changes
Review proper approval for all implemented changes (routine and emergency)
Assess adequacy of change testing
Establish if regression and end-user testing was performed
Check for adequate segregation of duties between development, testing and implementation
Disaster Recovery/Business Continuity (DS4) - Overview
DR/BC plans help minimise business impact in the event of an IT service interruption
DR/BC plans should be updated and tested regularly to ensure systems and data can be recovered timely in the event of a disaster
DR/BC plans and data backups should be stored offsite for recovery needs
Quality of backup media and restoration tests should be periodically performed to ensure success of back up process
Disaster Recovery/Business Continuity - Risks
Backups may not include all necessary business data
Data may be compromised by unauthorised individuals due to improper securing of backup media
Extended downtime in the event of a disaster due to inadequate /lack of disaster recovery testing or thoroughly documented plans
Lack of executive, senior management support
Disaster Recovery/Business Continuity - Audit Tests
Ensure plans are comprehensive, up-to-date and approved
Determine if plans are tested regularly and results are documented
Review backup logs to determine if data and system configurations are backing up successfully
Determine if data is routinely test restored to confirm recoverability
Evaluate storage of backup media (logical/physical) and location (e.g. fireproof safe, offsite locations, etc)
Freeware Tools for Assessing ITGCs
Dumpsec
Microsoft Baseline Security Analyser (MBSA)
Nmap
Kali (ex Backtrack)
Nessus
Kismet
Planning and Executing a Risk Based ITGC Review
Perform a risk assessment (RISK = LIKELIHOOD * IMPACT)
Develop the audit scope
Focus on high-risk areas identified during the risk assessment
Auditing all ITGCs is likely not feasible, practical or necessary
Audit planning and program development
Complete testing to evaluate control effectiveness
Report results to management
Summary
Sound ITGCs help promote regulatory compliance
Must ensure controls effectiveky mitigate the risk
An IT control framework like COBIT 5, may help companies comply with regulations
Performing a risk based ITGC review will help ensure scarce resources are focused on the most significant areas of the business
Many freeware tools are available to assist the auditor in assessing ITGCs
Contact Information
Email
tolence.fambayi@gmail.com
tolence.fambayi@econet.co.zw
Skype: tollence
Mobile: +263774222309
Institute of Internal Auditors Zimbabwe
26 November 2015