Ronald Paans
kpmg IRM
RP/VU
Contents SEP/2002
CONTENTS
• Information and business processes
• IT control and ITIL
• Quality aspects
– Corporate Information security
– Code of Practice
– Risk assessment
– Security layers
• Availability
• Effectiveness & efficiency
• Audit approach
– Types of audits
– “Voorschrift Informatiebeveiliging Rijksoverheid (VIR)”
Page 1
1
EDP auditing
EDP AUDITING
• Independent, impartial judgment and advice on Information Technology (IT)
• Quality aspects
– Confidentiality, Integrity, Availability (CIA) and Auditability
– Effectiveness, Efficiency etc.
• Objects
– Information systems (Information Systems Auditor: ISA)
– Technical infrastructure and Organisation of IT (Technical Auditor: TA)
– IT contracts, Service Level Agreements etc.
In the Netherlands:
• Professionals are registered: NOREA
• Post-graduate education at three universities
• Large EDP audit departments of major audit / assurance firms and other organisations
• EDP auditors have a “short lifetime”: they soon move on to management positions
EDP auditing
Diagram: the EDP auditor gives an independent judgement on the auditee.

Corporate governance
Diagram: corporate governance in the Netherlands (labels translated from Dutch)
• Shareholders (Aandeelhouders)
• Supervision (Toezicht): Supervisory Board (Raad van Commissarissen), external auditor (externe accountant), Works Council (Ondernemingsraad)
• Monitoring (Bewaken): internal auditors (interne accountants), Controller
• Business processes (Bedrijfsprocessen): IT supports the business processes and so contributes to their quality
Source: report of the Peters Committee (Commissie Peters), Vereniging voor de Effectenhandel, “Corporate Governance in Nederland”, 29 October 1996
Commissie Peters, Vereniging voor de Effectenhandel
17. The Supervisory Board discusses at least once a year the strategy and the risks associated with the enterprise, and the outcome of the Management Board’s assessment of the design of the internal control systems.
Management control

Whom does the EDP auditor work for?
Diagram: the governance chart again (shareholders; Supervisory Board, external auditor and Works Council as supervision; Board of Directors (Directie) as management; internal auditors and Controller as monitoring; business processes supported by IT), with the EDP auditor’s assignments drawn in: support of the annual accounts audit (jaarrekeningcontrole), special assignments (bijzondere opdrachten) and external assignments (externe opdrachten).

IT and business processes
Diagram labels: Central / decentral IT infrastructure; Information / Control.

IT and military processes
Diagram labels: Central / decentral IT infrastructure; Business processes: “here they do their job”; Information / Control.
Information systems support the business functions, which in turn support the military business processes and operations.
Information handling
Diagram labels: Management; IT; Business processes; Data; Information; Instructions / control; Transfer / consolidate / distribute / transform / etc.
Information
INFORMATION
• Data at such an aggregation level that it can be understood by human beings and can be used to control
• CoP: The quality aspects apply to all forms of “information”: data stored on computers (data, text, video, speech), transmitted across networks, printed out or written down on paper, and spoken in conversations
Diagram label: Data; transformation, interpretation, consolidation and making it usable.
Position of IT
Position of IT:
• An island in the ocean?
• An empire within an empire?
No, IT must closely interact with the business and provide the quality required by the business. Effective communication is of vital importance.

Concerns for IT organisations
CONCERNS, e.g.
• Failing projects
• Costs too high
• Risks too high
• Slow response
• Wrong focus
• Unrealistic expectations
• Insufficient management involvement and communication
CONSEQUENCES, e.g.
• No compliance with quality targets
• Conflicts: internal & external
• Dissatisfied customers
• Loss of image
• Loss of skills
• Outsourcing
Central versus decentral IT
IT in historical perspective (diagram): a timeline from Mainframe, Midrange, PC and PC/LAN, Client/Server, Distributed, Intra/Inter/Extranet and Electronic commerce to Mobile commerce, setting Functionality against the quality aspects Manageability, Controllability and Auditability.

Legacy
Diagram: the same timeline (Mainframe … Mobile commerce) against Time and Functionality, with the note “Everything still exists, partly ‘Legacy’”.
Kol. P.C.J. Boelee, Min. van Defensie, NIVRA/VERA Conference Update on IT and Control, Nov 1998
Why do they hire you as EDP auditor?

EFFECTIVE IT CONTROL
IT CONTROL
Definition: Manage the IT resources and IT organisation so that it provides benefits to the business objectives with regard to
1 continuity, effectiveness and efficiency
2 confidentiality and integrity
Objectives:
• Implement a conflict of interests between user organisations and the IT organisation (buyer / seller relationship)
• Clear requirements and cost / benefit assessments
• Obligation to provide results
• Contracts and Service Level Agreements (SLAs)
• Well defined processes and disciplines (including ITIL)
A professional interaction based on contracts/SLAs
Diagram:
• DESIGN: Requirement owner (“behoeftesteller”), in charge, budgets; obligation to provide results; Telematica architecture: translation of functional and quality requirements
• BUILD: Contract / SLA; System development
• RUN: Use (End user); Deliver services (Exploitation: verification of agreements); Feedback
IV/IM = Informatie Voorziening / Information Management

The centralised approach
Diagram: the Requirement owner defines functional and quality requirements; IV/IM function; Director IT; Account managers.
Legend SDTV: S(peech), D(ata), T(ext), V(ideo)
Outsourcing
Diagram: USER ORGANIZATION(S) linked to the IT services by CONTRACTS AND SERVICE LEVEL AGREEMENTS.

IT services: (internal/external) outsourcing models
Diagram: user organisations (users) receive services from one or more IT organisations. Models, e.g.:
• Applications
• System development
• Technical and organisational infrastructure (including other hardware)
• Operating systems
• Standard program products
• Data communication
• Hardware
Framework IT control
Quality of service delivery must be described in a Service Level Agreement (SLA), which belongs to the IT organisation’s Service Level Management (SLM) discipline.
Diagram: the user organisations and the IT organisation each have Policy, Control and Execution layers; they are linked by the contract / SLA, which on the IT side is handled by SLM.

Model for IT control
IT CONTROL
• Strategic: Policy (IT policy and organisation)
• Tactical: Execution (IT disciplines)
• Operational: Execution on the platforms (Mainframe, Midrange, Network, Subsystems, infrastructure, tools, etc.)
• Audit: of the policy and of its execution
Model of IT disciplines
Diagram: a Service (e.g., SAP functions) delivered to the End-User, with fixed and variable process parameters.

Possible IT management disciplines

Relations between IT disciplines (as used by Leen van Rij)
Diagram: Configuration, Security, Change, Problem, Service Level, Availability, Performance, Operations, Capacity, Workload, Accounting; USERS.

Relations between IT disciplines (simplified view)
Diagram: Availability, Change, Problem, Security, Configuration, Service Level, Operations, Performance / Workload, Accounting, Capacity; USERS.
Service Level Management is the pivot.
World Class IT model
Diagram (Dutch in the original): an IT maturity matrix. Rows: Production (Productie); Incidents & problems; Changes & configuration; Service level management; Development & maintenance. Columns run from technology-driven (technologiegedreven) through customer-oriented (klantgericht) and service-oriented (servicegericht) to business-oriented (businessgericht). Cell attributes range from reactive, informal, ad hoc, fragmented and partially integrated, via registration, methods and techniques, basic control, planning & control, a stable process and a service level agreement, to proactive, partnership, cost / benefit, priority setting by the customer, quality parameters and measurements, building up volume knowledge, flexibility, preventive, logistics, and a separate, integral service level management.

ITIL
A standard for control: ITIL, Information Technology Infrastructure Library
Management of IT, using ITIL
GROWING COMPLEXITY (diagram): Past: management of IT; Present: IT -- ITIL; Future: management of public infrastructure (KPN etc.)
ITIL foils: written by Paul Overbeek and Gerben Nelemans

Growing complexity
GROWING COMPLEXITY
• Technique
– More types and more complex data communications
– More types and more complex operating systems
– More types and more complex middleware
– More types and more complex applications
• Organisations
– New organisational structures, switching between central and decentral
– Changing dependencies
• Trends
– Single Sign On
– Repositories
– Authorisation Services
– Decentral security and Client/Server security
– Public Key Infrastructures (PKIs) and Trusted Third Parties (TTPs)
– Internet and firewalls
ITIL

What is infrastructure in ITIL?

ITIL layers
Diagram labels: Managers’ set; Strategy

ITIL service delivery set

ITIL service support set

ITIL management processes
Diagram: each process has activities (input and output) and relations with other processes.

ITIL security management
Diagram: the process; purpose: comply with objectives + baseline; relations with other processes.

Relations between ITIL processes
Security Management has relations with:
• Service Level Management
• Availability Management
• Capacity Management
• Contingency Planning
and with:
• Configuration Management
• Incident Management / Helpdesk
• Problem Management
• Change Management
• Software Control & Distribution
ITIL security management
SECURITY MANAGEMENT
The Three Challenges
• Process
– the Security Management Process itself
• Relationships
– between Security Management and the other processes
• External relationships
– managing the SLA requirements for security
ITIL security management ...
Diagram: the security management cycle PLAN, IMPLEMENT, EVALUATE, MAINTAIN, with CONTROL at the centre.

ITIL security management ...
Diagram: Service Level Agreement / Security section, agreed between customer and provider; REPORT: conform SLA.

ITIL configuration management
Configuration Management
ITIL configuration management ...
CONFIGURATION MANAGEMENT
The foundation for control / use it to control the changes
• Know what you have
– version management
• Names
– CI: Configuration Item
– CMDB: Configuration Management Data Base
• EDP audit questions, e.g.
– verify whether there is configuration management
– who is responsible, how is the process organised?
– which CIs are included (which level of detail?)
– is the input to the process reliable?
– how is the completeness guaranteed and is it up to date?
– are there cross references, e.g., with the license administration and maintenance contracts? Etc.
Scope of the Configuration management process

Support of Security management

Classification of sensitivity
CLASSIFICATION OF SENSITIVITY
A dedicated classification system, tailor-made for the organisation
Table: for each of Availability / Continuity, Confidentiality / Exclusivity and Integrity, a Class with its Description / objective: no criterion; desirable; important; essential.

ITIL incident management, help desk
Diagram: Incident Management, Help Desk. An incident is an occurrence of a problem.

ITIL incident management, Help Desk process

ITIL incident management, Help Desk process …

ITIL incident management, Help Desk process ...

ITIL problem management
Diagram: Incident Management, Help Desk; Problem Management. A problem may cause multiple incidents.

ITIL problem management process
Quality procedure
Standard flowchart for solving technical problems (a joke slide, Dutch in the original). Nodes, translated: Problem; Does it work?; Did you touch it?; Then keep your hands off it, you fool; Does anybody know about it?; Will you get into trouble?; Leave the building; BLOCKHEAD!!!; Can you blame somebody else?; Go home; Problem solved.
ITIL change management
Change Management

ITIL change management process

A change
Diagram labels: Implementation; Tests

Change management process
PREPARATION:
- assess risk and impact
- open change record in Change Database
OK: READY

Change Advisory Board

Example
EXAMPLE
• Incident
– car does not start
– work around / contingency plan: push
• Problem
– car does not start the entire week
– known problem: Lada
• RFC
– give me a Ferrari
• CAB decision
– use the train
Support of Security management

Support of Security management ...

ITIL service level management
Diagram: Service Level Management: “I deliver with quality” (signature)

SLA

ITIL & security: a controlled process
Diagram: Problems and Known errors (Problem Management), Security (Security Management) and Configuration Management together form a controlled process.
SLA ...
Representative (customer; user organisation; service user) and Account manager (on behalf of the IT organisation; Service Provider)
SLA: service catalog, including security
Underpinning contracts: external focus, e.g., datacom, electricity, hardware maintenance
Service Provision Agreements: performance of the Service Provider itself
QUALITY ASPECTS
• Confidentiality
• Integrity
• Auditability
(the slide groups these three under Reliability)
• Availability
• Effectiveness
• Efficiency
• Manageability
• etc.
Information security: the business perspective
Total Enterprise Risk Management

resource    | Finance         | Assets         | Information           | Personnel
------------|-----------------|----------------|-----------------------|----------------------
risk areas  | currency risks  | fire           | eavesdropping         | illness
            | interest risks  | burglary       | illegal modification  | turnover
            | payments due    | theft          | interruptions         | demotivation
            | cash flow risks | calamities     | masquerading          | knowledge drain
            | ...             | ...            | ...                   | ...
measures    | treasury,       | security,      | information security, | human resource
            | insurance, ...  | alarms,        | EDP audit, ...        | management, ...
            |                 | insurance, ... |                       |
Laws and standards
LAWS
• Computer crime: the owner must apply certain measures to protect networks,
systems and data
• Privacy: special attention for information about individual persons
• IT for banks: regulations by national banks
STANDARDS
• US Department of Defence, orange book: classification of trusted computing
base
• European Community: ditto
• Code of Practice (CoP: UK and NL) with the objectives
– deals with the technical infrastructure and the organisation of IT
– create a common basis to develop an effective security practice
– increase the confidence in the business
• IT Infrastructure Library (ITIL): some 60 books on IT management practices
OUR CHOICE: We selected the Code of Practice as a basis
Dutch confusion about names (Nederlandse verwarring over namen)

Code of Practice Introduction

What is important?

Mapping/grouping quality aspects
Diagram label: Integrity (CoP)

CORPORATE INFORMATION SECURITY
• Positioning
• ACIB model
• CIS
• Code of Practice
Causes of damage to information
Percentages on the slide, in the order they appear: 55% human errors; 33% human errors; 16% dishonest acts; 10% strikes (UK); 11% disgruntled employees; 10% industrial espionage; 10% fire; 10% fraud; 5% water; 33% errors in information systems and technical infrastructure; 3% other causes. Almost 82% is caused by human actions.
• The conclusion is: people are the weak link in computer security
• The financial consequences due to fraud substantially exceed those due to errors. Exact figures are not available due to enterprises’ reluctance to provide details
SECURITY IS BASED ON PROCEDURES AND CONTROLLING THE PEOPLE IN YOUR ENTERPRISE
Positioning for EDP audit
Diagram: line management and staff; Code of Practice for IT Security (CoP: UK and NL)

Positioning for management
• Strategic: Policy
• Tactical: Code of Practice; Baseline approach; PI standards, PI studies
• Operational: “baselines” for Unix, OS/390, SNA, Internet, Multimedia, OS/400, RACF, Novell, Intranet, Mobile, NT, Oracle, Lan Server, Workflow, Cryptography
Dutch ACIB model

Corporate Information Security (CIS)

Corporate Information Security (CIS) ...
1 Business analysis
2 Policy formulation
3 (Self) Assessment
4 Intermediate evaluation
5 Information security plan
6 Development
7 Implementation
8 Evaluation
CIS phase 3: (Self) Assessment report
Table (translated from Dutch): CoP chapter | Subtopic | Status
3 | Information security policy; Security manager; Coordination of information security / consultation structure |
4 | Assignment of responsibilities; Assessment by an external organisation |

CIS phase 3: (Self) Assessment report ...
Table (translated from Dutch): CoP chapter | Subtopic | Status
| Need to use; Management of user access and privileges; Management of user access / special permissions |
9 | Passwords; Network security; Computer system security; Security of applications and system tools; Logging and monitoring; Support of the customer in specifying security requirements |
10 | Change management; Security of test data; Maintenance of system software |
11 | Continuity |
| Copyright |
12 | WPR / WCC (Wet Persoonsregistraties / Wet Computercriminaliteit); External review |
| Insurance officer |
plus “13” | Insurance: fire / liability / business operations |
Status values used in the report: insufficient (onvoldoende), partial (gedeeltelijk), sufficient (voldoende).
Other checklists
OTHER CHECKLISTS
• NGI
• NATO
• Handboek Voorschrift Informatiebeveiliging Rijksoverheid (VIR)
• NIVRA publications (NIVRA-geschriften)
• IT-specific checklists
– Windows NT, Unix, MVS …
– Internet, dial-in connections …
– Databases: Oracle, Sybase, DB/2 …
• PI - Platform Informatiebeveiliging (formerly: CSA - Computer Security Association - and OTB - Overlegorgaan Technische Beveiligingsstandaarden)
Checklists
CHECKLISTS
• Easy to use
– one size does (not) fit all
– uniformity
– efficiency
• Dangerous in the hands of the innocent !
• Best before …
• Everybody loves checklists
– auditors
– security managers
– IT managers
– hackers
– normal people
– but … for different reasons
• Checklists are not enough !
Objective: browsing through the Code of Practice
BROWSING THROUGH THE CODE OF PRACTICE

CODE OF PRACTICE
Code of Practice for information security = British Standard BS7799
NEW: 2000 edition; OLD: 1994 edition
Code of Practice (CoP)

CoP chapters

CoP Introduction
INTEGRITY (in new CoP: “Data integrity”): Safeguarding the accuracy and completeness of information and processing methods
AVAILABILITY: Ensuring that information and vital services are available to the business processes when required
The quality aspects apply to all forms of “information”: data stored on computers (data, text, video, speech), transmitted across networks, printed out or written down on paper, and spoken in conversations
CoP 3 – Security policy

CoP 3: Security policy
SECURITY POLICY

Threats and requirements
Diagram labels: Reliability requirements; Measures; Assets; Information
Example of incidents
EXAMPLE OF INCIDENTS
• Website defacing
– See www.attrition.org
• Virus outbreaks
• Denial-of-service attacks
• Access to credit card numbers
• Website outage due to software errors
• Outage due to “flash crowd”
• …
Example of incidents ...
“Hacking is greater threat than military attack” (Source: ZDNet UK, 30 Mar 2001). Foreign secretary Robin Cook warns that the fabric of British life is at risk from viruses or a hack attack. The foreign secretary warned on Thursday that hacking and computer viruses present a bigger threat to Britain than a military attack.

The Information Security Management Cycle ...
Diagram: Policy; Control, organisation; Risk analysis; Planning; Controls (organisational, technical, procedural, physical); Implementation; Evaluation & Testing; Feedback back to Policy. Environment: external requirements, internal requirements.
CoP 4 – Security organisation

CoP 4: Security organisation
SECURITY ORGANISATION
4.1 Objective: To manage information security within the organization.
A management framework should be established to initiate and control the implementation of information security within the organization.
• Steering committee / coordination
• Allocation of security responsibilities
• Authorisation process for IT facilities
• Specialist security advice
• Cooperation between organisations
• Independence of reviews
• The risks of third party access; what should be included in a third party contract and what should be covered by an outsourcing contract
CoP 5 – Asset classification and control

CoP 5: Asset classification and control
Diagram: owner, RESOURCE, classification, Label (e.g., “vital to business”, “Top Secret data”)

CoP 5: Asset classification and control ...

Data classification
DATA CLASSIFICATION
One must classify all data, systems and equipment. Such classification may be
• Unclassified
public information (or information belonging to business partners, to be
protected as agreed with the owner)
• Internal Use Only
no real value outside the company. However, it is preferred not to distribute it
beyond the company’s premises and employees
• Confidential
only to be distributed to persons or groups with a need to know
• Secret
sensitive information about new products and marketing plans, only to be
distributed to authorized individuals
• Top Secret
highly sensitive information with specifications of future products and business
strategies, all copies must be registered
Mainframe access authorities
Diagram: Subjects (“Entire world”, Group, User) are granted an access authority (NONE, EXECUTE, READ, UPDATE, ALTER) to Objects: Resources (data set, program).

CoP 5.2 Information classification

CoP 6 – Personnel security

CoP 6: Personnel security
PERSONNEL SECURITY
6.1 Security in job definition and resourcing
Objective: To reduce the risks of human error, theft, fraud or
misuse of facilities.
Security should be addressed at the recruitment stage,
included in job descriptions and contracts, and monitored
during an individual’s employment.
Managers should ensure that job descriptions address all
relevant security responsibilities. Potential recruits should
be adequately screened, especially for sensitive jobs. All
employees and third party users of IT facilities should sign a
confidentiality (non-disclosure) agreement.
CoP 6: Personnel security ...

CoP 7 – Physical and environmental security

CoP 7: Physical and environmental security

CoP 7: Physical and environmental security ...

CoP 8 – Communications and operations management

CoP 8: Communications and operations management

CoP 8: Communications and operations management ...

CoP 9 – Access control

CoP 9: Access control
ACCESS CONTROL
9.1 Business requirement for access control
Objective: To control access to information.
Access to information and business processes should be
controlled on the basis of business and security
requirements.
This should take account of policies for information
dissemination and authorization.
• User registration
• User password management
• Access control for work stations, network, services and
applications
• Monitoring system access and use
CoP 10 – System development and maintenance

CoP 10: Systems development and maintenance

CoP 10: Systems development and maintenance ...

CoP 11 – Business continuity planning

CoP 11: Business continuity planning

CoP 12 – Compliance

CoP 12: Compliance
COMPLIANCE
12.1 Compliance with legal requirements
Objective: To avoid breaches of any statutory, criminal or civil
obligations and of any security requirements.
The design, operation and use of IT systems may be subject to
statutory and contractual security requirements.
All relevant statutory and contractual requirements should be
explicitly defined and documented for each IT system. The
specific controls, countermeasures and individual
responsibilities to meet these requirements should be similarly
defined and documented.
Advice on specific legal requirements should be sought from the
organization’s legal advisers.
NOTE: Legislative requirements vary from country to country.
CoP 12: Compliance ...
COMPLIANCE
• Compliance with legal and contractual requirements
– illegal copies / copyright
– confidential data
– privacy laws
– misuse
– “wet computercriminaliteit” (the Dutch Computer Crime Act)
• Compliance with security policy
• Technical compliance checking
• Collection of evidence
RISK ASSESSMENT
• Risks
• Residual risks
• Damage types
• Balance between risks and measures

Risk assessment
Diagram: IT (incl. voice, energy etc.): technical and organisational infrastructure; information systems. Related labels: availability, emergency procedures, fallback. OTHER THREATS.
Risk assessment ...
RISK ASSESSMENT
DANGER
THREAT (something which may happen, e.g., a power down)
Identify: DAMAGE (direct + indirect costs of the incident / catastrophe) $
Your advice: ADDITIONAL MEASURES (preventive, detective, corrective)

Residual risks

Risk analysis
RISK ANALYSIS
• Used to set priorities and to prepare backup or fallback plans
COSTS OF INCIDENT:
• Loss of entire IT → replacement value + costs of the loss of N weeks of production
• etc.
Risk assessment (computation)
RISK ASSESSMENT
• Identify relevant incident types: e.g., power down, destruction of servers, fire etc.
• Assess per incident type the probability (# per annum, or High, Medium, Low) and the damage (direct + indirect)
• Compute:
  Damage expectation = Σ_{N=1}^{# incident types} Pr(incident type N) × damage(incident type N)
• Computed per incident type: used to set priorities for selecting measures
• Perform the entire computation for
– no measures
– the current set of measures
– alternative sets of current plus additional measures
• Purpose: find a cost effective mix of measures, reducing the damage expectation to a level acceptable to line management
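An added worked example of the computation above (not from the lecture material): it sums Pr × damage per incident type, repeats the sum for the no-measures, current and alternative measure sets, ranks incident types for priority, and picks the cheapest set that reaches an acceptable level. The incident types, probabilities, damages, measure effects, costs and the High/Medium/Low mapping are constructed assumptions.

```python
"""Damage-expectation computation as on the slide: sum over incident types of
Pr(incident type) * damage(incident type), repeated for several measure sets.
All incident types, probabilities, damages, measures and the H/M/L mapping
below are constructed sample values (assumptions), not figures from the page."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

# Assumed mapping of the qualitative scale to incidents per annum.
QUALITATIVE = {"High": 1.0, "Medium": 0.2, "Low": 0.02}


@dataclass(frozen=True)
class IncidentType:
    name: str
    probability: Union[float, str]  # incidents per annum, or High/Medium/Low
    direct_damage: float            # e.g. replacement value
    indirect_damage: float          # e.g. N weeks of lost production

    def annual_probability(self) -> float:
        if isinstance(self.probability, str):
            return QUALITATIVE[self.probability]
        return float(self.probability)

    def damage(self) -> float:
        return self.direct_damage + self.indirect_damage


@dataclass(frozen=True)
class Measure:
    """A measure and its effect: preventive measures scale the probability,
    detective/corrective measures scale the damage (factor 1.0 = no effect)."""
    name: str
    annual_cost: float
    prob_factor: Dict[str, float] = field(default_factory=dict)
    damage_factor: Dict[str, float] = field(default_factory=dict)


def expectation_per_incident(incidents: List[IncidentType],
                             measures: List[Measure]) -> Dict[str, float]:
    """Pr(incident type) * damage(incident type) after applying the measures."""
    result = {}
    for inc in incidents:
        p, d = inc.annual_probability(), inc.damage()
        for m in measures:
            p *= m.prob_factor.get(inc.name, 1.0)
            d *= m.damage_factor.get(inc.name, 1.0)
        result[inc.name] = p * d
    return result


def damage_expectation(incidents, measures) -> float:
    """The slide's sum over all incident types (annual damage expectation)."""
    return sum(expectation_per_incident(incidents, measures).values())


def priorities(incidents, measures) -> List[str]:
    """Incident types ordered by their expectation, highest first."""
    per = expectation_per_incident(incidents, measures)
    return sorted(per, key=per.get, reverse=True)


def cheapest_acceptable(incidents, candidate_sets: Dict[str, List[Measure]],
                        acceptable: float) -> Optional[Tuple[str, float, float]]:
    """Among the measure sets that bring the expectation down to the level
    acceptable to line management, return (label, measure cost + residual
    expectation, residual expectation) for the cheapest one; None if no set
    reaches the acceptable level."""
    best = None
    for label, ms in candidate_sets.items():
        residual = damage_expectation(incidents, ms)
        if residual > acceptable:
            continue
        total = residual + sum(m.annual_cost for m in ms)
        if best is None or total < best[1]:
            best = (label, total, residual)
    return best


# Constructed sample input (assumptions): three incident types from the slide.
INCIDENTS = [
    IncidentType("power down", 2.0, 0.0, 50_000),
    IncidentType("destruction of servers", "Low", 400_000, 600_000),
    IncidentType("fire", 0.01, 2_000_000, 3_000_000),
]
UPS = Measure("UPS", 15_000, damage_factor={"power down": 0.1})
BACKUP = Measure("off-site backup", 20_000,
                 damage_factor={"destruction of servers": 0.3, "fire": 0.4})
SUPPRESSION = Measure("fire suppression", 30_000, prob_factor={"fire": 0.5})

# The slide's three computations: no measures, the current set, alternatives.
MEASURE_SETS = {
    "none": [],
    "current": [UPS],
    "current + backup": [UPS, BACKUP],
    "current + backup + suppression": [UPS, BACKUP, SUPPRESSION],
}

if __name__ == "__main__":
    for label, ms in MEASURE_SETS.items():
        print(f"{label:32s} expectation = {damage_expectation(INCIDENTS, ms):>10,.0f}")
    print("priorities without measures:", priorities(INCIDENTS, []))
    print("cheapest set reaching 40,000:", cheapest_acceptable(INCIDENTS, MEASURE_SETS, 40_000))
```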
Incident types

Probability of electricity outage
Diagram: outage probability plotted against time (t).

Damage types
DAMAGE TYPES
Five types of consequences of an incident
• Delay the primary business process
– no production and no output
• Destroy assets
– e.g., deterioration of food and materials
• Disturb the primary business process
– less output
• Time related damage
– e.g., salaries of inactive staff, claims and fines due to legal obligations etc.
• Non-time related damage
– publicity, loss of image
Minimize the damage expected

Balance
BALANCE
Objective: Avoid overkill of measures (too expensive) and risks too high
AND
• The costs of security and availability measures

Balance viewed in historical perspective
Diagram: level of control & security plotted against time, with curves Required and Real; where Real exceeds Required: overkill (costs too high); where Real falls short: incidents (risks too high).

Hacktic - magazine for techno-anarchists (tijdschrift voor techno-anarchisten)
www.klaphek.nl
Page 68
68
RP/VU
Hacktic 1989, nr 2 SEP/2002
Hacktic 89-2
• Autotelefoonnet 1
gehackt
• Gratis bellen in cellen
• AKZO gehackt
• Telefoonfraude te
makkelijk
• Cursus UNIX hacking
• Lijst snelheidscontrole-
punten
RP/VU
Hacktic 1989, nr 5/6 SEP/2002
Hacktic 89-5/6
• UNISYS gehackt
• Galactic Hacker Party
• Cursus VMS hacking deel
II
• Gratis nummers
“gescanned”
Page 69
69
RP/VU
Hacktic 1990, nr 11/12 SEP/2002
Hacktic 90-11/12
• Computer crime bill (Wetsvoorstel computercriminaliteit)
• Prosecution of hackers in the USA
• We copy your magnetic card
• WordPerfect 5 locked file decoder
• Cheating on slot machines
• etc.
RP/VU
Hacktic 1993, nr 20/21 SEP/2002
Hacktic 93-20/21
• International summer congress at a campsite in the Flevopolder (Aug 1993)
[Poster: HAL 2001, "Hackers at Large", 10 – 12 August 2001, campus of the University of Twente (use your own tent and computer), www.hal2001.nl]
RP/VU
Hacktic 1992, nr 18/19 SEP/2002
Justice and the BVD
• Quote, p. 3: 10 to 15 people on hacking
• Digital crime
• Editor-in-chief 38 days in a cell and released again
• "Free news gathering"
RP/VU
Central versus decentral IT SEP/2002
Mainframes
Midrange systems
RP/VU
Example: Portable storage media SEP/2002
RP/VU
SECURITY LAYERS SEP/2002
SECURITY LAYERS
• Security topology
• E&Y: Logical access path analysis
• Identification and authentication
RP/VU
Security topology SEP/2002
NETWORK SECURITY
(userid, password: control path)
SERVICE SECURITY
(userid, password: control access)
RP/VU
Security topology ... SEP/2002
Layers:
• End user
• Network security
• Security in system/service ('Frontdoor')
• Security in application
Measures depend upon the security objectives and the enterprise's security strategy
RP/VU
Security topology ... SEP/2002
SECURITY LAYERS
• Security-objective dependent layers:
  – Network security: NETVIEW/Access Services, connectivity, sessions
  – Security in the service: Time Sharing Option (TSO), Customer Information
    Control System (CICS), Information Management System (IMS): logon,
    authorization, resources
  – Application security: functions, transactions, records, data items,
    programmed controls
• Trusted Computing Base (TCB) layers:
  – Access control: Resource Access Control Facility (RACF); supports the three
    layers above, protects resources etc.
  – Operating system: Multiple Virtual Storage (MVS / OS/390), UNIX, OS/400,
    Windows 95: the software foundation for security and integrity
  – Equipment: the hardware foundation
  TCB classes as defined in the USA DoD Orange Book:
  – C1 - discretionary security protection
  – C2 - controlled access protection (RACF up to 1.8)
  – B1 - mandatory labeled security protection (RACF 1.9 and higher)
• Physical security of equipment and staff
RP/VU
MEY: Logical access path analysis SEP/2002
Logical access path from the user to the data, one layer at a time:
• Interactive user / Batch
• Data communication software
• Transaction software
• Application software
• Data access method
• Operating system (and hardware)
• DATA
[Figure: an "Access control product" is drawn alongside these layers]
RP/VU
MEY: Logical access path analysis ... SEP/2002
RP/VU
Identification and authentication SEP/2002
RP/VU
AVAILABILITY SEP/2002
AVAILABILITY
Definition (CoP): Ensuring that information and vital services
are available to the business processes when required
Objects:
• Security policy and organisation
• Assets classification and control
• Personnel security
• Physical, environmental and logical security
• Business continuity planning
RP/VU
Threats to continuity of IT processing SEP/2002
Acts of God
• hurricane
• flood
• avalanche
• etc.
Technical catastrophes
• airplane crash
• destruction of building
• water
• power failure
• etc.
Human interference
• acts of war
• terrorism
• blackmail and theft
• human mistake and intentional interruption
• etc.
Introduction EDP Audit 152
RP/VU
What is the value for the business SEP/2002
RP/VU
Information system types for continuity SEP/2002
RP/VU
Information system types SEP/2002
[Figure: information system types plotted by business function (vertical axis: non-critical ... critical) against dependency on IT (horizontal axis: low ... high); Type A: critical, Type B: important, Type C: useful]
RP/VU
Information system types ... SEP/2002
RP/VU
Example of information system types SEP/2002
[Figure: example systems placed on the same axes (business function: non-critical ... critical; dependency on IT: low ... high): payroll, invoicing, e-mail, general ledger, text processing, executive information system]
RP/VU
Continuity SEP/2002
RP/VU
Comdisco 1993 survey SEP/2002
[Chart: survey results for mainframes and LANs]
• Advice: implement backup and disaster recovery plans and measures
Source: Computer Fraud & Security Bulletin (April 1993), survey by Comdisco Disaster Recovery Inc
RP/VU
UK 1995 survey SEP/2002
[Chart: state of business continuity plans; one segment labelled "Doubtful plans (15%)"]
Source: Computer Audit Update (July 1995), Business continuity planning, by Keith Hearnden, Loughborough Univ.
RP/VU
Communicating computer policies and procedures SEP/2002
RP/VU
Baseline controls SEP/2002
DO SOMETHING
[Figure: level of exposure / vulnerability (uncontrolled risks) plotted against the number of controls, with points A and B marked]
• For many threats, a surprisingly large number of organizations have hardly
  any controls (point A)
• Adding a few controls (point B) significantly reduces the level of exposure
RP/VU
EFFECTIVENESS AND EFFICIENCY SEP/2002
EFFECTIVENESS & EFFICIENCY
Definition
Effectiveness: doing the right things
Efficiency: doing the things right (at the lowest costs)
Objects:
• Information services and systems
• IT resources
• IT organisation
RP/VU
Strategy and management SEP/2002
RP/VU
Centralized versus decentralized IT control SEP/2002
[Chart: centralized versus decentralized IT control, plotted over time]
RP/VU
Flexibility or synergy? SEP/2002
Flexibility Synergy
RP/VU
What is the best balance for you? SEP/2002
Between the poles Flexibility and Synergy:
• Common computing center
• Common system development
• Common IT strategy
• Common architecture (which scope?)
• Central IT organisation
• Uniform IT infrastructure
Alternatives and combinations are possible: each with advantages and disadvantages
RP/VU
WARNING: Functionality of information systems SEP/2002
FUNCTIONALITY
RP/VU
WARNING: Costs of downsizing SEP/2002
COSTS OF DOWNSIZING
[Chart: costs per user per annum for mainframe, midrange and LANs]
Example:
• central: Dfl 15.000 / user / annum
• midrange: Dfl 20.000
• workstations/LANs: Dfl 25.000 to 40.000
RP/VU
Costs of downsizing... SEP/2002
[Chart: breakdown of costs between the user organisation and the IT / service provider]
User organisation:
• 33% informal support and service
• 17% waste
IT / service provider:
• 25% technical costs (HW, SW, NW)
• 25% formal support and service
Source: Nolan Norton & Co.
RP/VU
AUDIT APPROACH SEP/2002
AUDIT APPROACH
Objects:
• Types of audits / who is the principal
• Audit method
• "Normenstelsel" (set of norms)
• "Voorschrift Informatiebeveiliging Rijksoverheid (VIR)"
RP/VU
EDP auditor works for whom? SEP/2002
[Figure: the corporate governance chart from the earlier slide, showing the parties an EDP auditor may work for: Shareholders (Aandeelhouders); External accountant (Externe accountant); Supervisory board (Raad van Commissarissen): supervision (toezicht); Works council (Ondernemingsraad); Management (Directie): governs (besturen); Internal accountants; Controller: monitoring (bewaken); Business processes (IT supports the business processes and contributes to their quality). Labels on the arrows: annual accounts audit (jaarrekeningcontrole), support (ondersteuning), special assignments (bijzondere opdrachten), outsourcing, EDP audit management, external EDP auditor]
RP/VU
Who is the principal? SEP/2002
[Figure: principals and audit types: Financial Audit, Business Control and Internal Audit; Statement of Business Control; Management; External supervision versus Internal; Process control and Technical control; ISO quality control; EDP audit appears on both the external and the internal side]
RP/VU
Types of audits SEP/2002
RP/VU
Types of audits ... SEP/2002
Layers that an audit may cover:
• Applications
• Subsystems and tools
• Platforms
• Networks
RP/VU
Types of audits: Third Party Announcement / Review SEP/2002
[Figure: the layers Applications, Subsystems and tools, Platforms, Networks, with the scope of the audit marked across them]
RP/VU
Types of audits: computer center review SEP/2002
[Figure: the same layers (Applications, Subsystems and tools, Platforms, Networks), with the years 1999, 2000 and 2001 marking when each part was reviewed and the scope of the computer center review marked on the figure]
RP/VU
Types of audits: technical audit SEP/2002
[Figure: the layers from Applications down to Platforms, with the scope of the technical audit marked on the figure]
RP/VU
Application exposure: home-banking system SEP/2002
RP/VU
Types of audits: system review (ISA) SEP/2002
Scope Scope
Applications
of audit of audit
Subsystems
and tools
Platforms
Networks
RP/VU
Types of audits: system review (ISA) ... SEP/2002
RP/VU
Types of audits: system review (ISA) ... SEP/2002
Three kinds of controls in a system review:
• General IT controls
• Programmed controls
• User controls
RP/VU
Audit approach (simplified) SEP/2002
RP/VU
Audit approach (simplified) SEP/2002
Audit method:
• interviews
• documentation
• Confrontation (of the findings with the norms)
• Finding(s) & risk assessment & recommendation(s)
• Feedback to auditee
• Reporting
A norm is:
• assertive (contains "must" or "should")
• clear (unambiguous, not a descriptive story)
• testable (otherwise you cannot do anything with it)
RP/VU
Requirements for norms SEP/2002
Short and clear
RP/VU
Norms ... SEP/2002
NORMS
Where do norms come from?
• Code of Practice
• ITIL
• Cobit
• etc.
• own office (kantoor)
• external
RP/VU
CERTIFICATION based on CoP SEP/2002
CERTIFICATION
• Creates a goal and offers an additional management tool
• Provides a means to show you are 'in control' to the outside world
• ISO 17799 – certify against CoP
RP/VU
Evaluation approach to certify SEP/2002
RP/VU
Implication of the certificate SEP/2002
RP/VU
Why do they hire you as EDP auditor? SEP/2002
RP/VU
VOORSCHRIFT INFORMATIEBEVEILIGING RIJKSOVERHEID SEP/2002
VOORSCHRIFT INFORMATIEBEVEILIGING RIJKSOVERHEID (VIR)
Objects:
• The regulation (Voorschrift)
• Dependency analysis (Afhankelijkheidsanalyse)
• Vulnerability analysis (Kwetsbaarheidsanalyse)
RP/VU
VIR SEP/2002
RP/VU
VIR: A&K analysis SEP/2002
RISK MANAGEMENT: DEPENDENCY AND VULNERABILITY ANALYSIS (A&K analysis)
• DEPENDENCY ANALYSIS
  – Dependencies between business processes and external factors (laws and
    regulations, company policy, business objectives etc.)
  – Dependencies of business processes on IT
  – Result: reliability requirements for the information systems that support the
    business processes
  – In effect, this establishes the set of norms (normenkader)
• VULNERABILITY ANALYSIS
  – Identify relevant threats and the incidents that may follow from them
  – Select, on that basis, the required measures
RP/VU
VIR: Dependency analysis SEP/2002
[Figure: process model: preceding process → primary process → receiving process; a steering process (planning, logistics); secondary processes (PIOFAH: personnel, information, organisation, finance, general affairs, housing); underneath, the information systems with their components: people, equipment, software, data, organisation, environment, services]
RP/VU
VIR: Vulnerability analysis SEP/2002
Dependency analysis → reliability requirements
Threats → incidents (without measures) → consequences of incidents
Select the required measures
Compare with the existing measures:
• ≠ : choose additional measures
• = : final set of measures
Notes:
• The reliability requirements are in fact the set of norms
• The comparison is the confrontation
• This corresponds reasonably well with "Audit approach (simplified)"
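The confrontation on this slide (reliability requirements as norms, compared with the incidents that remain after the existing measures, with additional measures chosen where the two differ) as an added Python example that is not part of the lecture slides; it serves both the A&K flow here and the confrontation step of "Audit approach (simplified)" earlier. The business processes, systems, threats, outage figures and the catalogue of measures are constructed for illustration, and the only reliability requirement modelled is a maximum tolerable outage in hours; a gap that no catalogue measure closes is returned instead of silently dropped, since that is the residual risk line management has to accept or fund.

```python
# Added example (not from the slides): the A&K (dependency and vulnerability)
# analysis as a confrontation of norms with the existing measures.
# Processes, systems, threats, outage figures and measures are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Dependency:            # output of the dependency analysis
    process: str
    system: str
    max_outage_hours: float  # reliability requirement this process imposes on the system


@dataclass(frozen=True)
class Incident:              # output of the vulnerability analysis, no measures in place
    threat: str
    system: str
    outage_hours: float      # consequence: expected outage of the system


@dataclass(frozen=True)
class Measure:
    name: str
    system: str
    threat: str
    outage_hours_after: float  # outage for that system/threat once the measure is in place


def reliability_requirements(dependencies):
    """Norm per system: the strictest maximum outage of all processes depending on it."""
    norms = {}
    for d in dependencies:
        norms[d.system] = min(norms.get(d.system, float("inf")), d.max_outage_hours)
    return norms


def residual_outage(incidents, measures):
    """Expected outage per (system, threat) after the given measures."""
    outage = {(i.system, i.threat): i.outage_hours for i in incidents}
    for m in measures:
        key = (m.system, m.threat)
        if key in outage:
            outage[key] = min(outage[key], m.outage_hours_after)
    return outage


def confront(norms, outage):
    """Compare norms with the situation: '=' where the norm is met, '≠' where it is not."""
    verdict = {}
    for (system, threat), hours in outage.items():
        verdict[(system, threat)] = "=" if hours <= norms.get(system, float("inf")) else "≠"
    return verdict


def select_additional(norms, incidents, existing, catalogue):
    """For every '≠', pick from the catalogue the weakest measure that still meets the
    norm (no overkill). Returns (final set of measures, gaps that no measure closes)."""
    chosen = list(existing)
    for key, verdict in confront(norms, residual_outage(incidents, chosen)).items():
        if verdict == "=":
            continue
        system, threat = key
        candidates = [m for m in catalogue if (m.system, m.threat) == key and m not in chosen]
        for m in sorted(candidates, key=lambda m: m.outage_hours_after, reverse=True):
            if m.outage_hours_after <= norms[system]:
                chosen.append(m)
                break
    gaps = [k for k, v in confront(norms, residual_outage(incidents, chosen)).items() if v == "≠"]
    return chosen, gaps


# Constructed sample data.
DEPENDENCIES = [
    Dependency("payment processing", "payments", 4),
    Dependency("management reporting", "payments", 48),
    Dependency("HR administration", "payroll", 72),
]
INCIDENTS = [
    Incident("power failure", "payments", 24),
    Incident("disk failure", "payments", 72),
    Incident("disk failure", "payroll", 120),
    Incident("fire", "payroll", 480),
    Incident("flood", "payroll", 240),
]
EXISTING = [
    Measure("UPS", "payments", "power failure", 1),
    Measure("nightly backup", "payroll", "disk failure", 24),
]
CATALOGUE = [
    Measure("RAID mirror", "payments", "disk failure", 2),
    Measure("nightly backup", "payments", "disk failure", 24),
    Measure("off-site contract", "payroll", "fire", 48),
    Measure("hot standby site", "payroll", "fire", 8),
]


def run_example():
    """Full A&K run on the sample data: (names of the final measures, open gaps)."""
    norms = reliability_requirements(DEPENDENCIES)
    final, gaps = select_additional(norms, INCIDENTS, EXISTING, CATALOGUE)
    return [m.name for m in final], gaps


if __name__ == "__main__":
    names, gaps = run_example()
    print("final set of measures:", names)
    print("gaps to report to line management:", gaps)
```

On the sample data the dependency analysis yields a 4-hour norm for the payments system (its strictest dependent process) and 72 hours for payroll; the confrontation with the existing measures shows three differences, two of which are closed by the weakest sufficient catalogue measure (a RAID mirror rather than a backup for payments, an off-site contract rather than a hot standby for payroll), while the flood scenario has no candidate measure and is returned as an open gap.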