
PART 2-A

INTRODUCTION EDP AUDIT

Ronald Paans

KPMG IRM

Vrije Universiteit Amsterdam

2 & 9 September 2002

File 2-A Introduction EDP Audit © 2002

RP/VU
Contents SEP/2002

CONTENTS
• Information and business processes
• IT control and ITIL
• Quality aspects
– Corporate Information security
– Code of Practice
– Risk assessment
– Security layers
• Availability
• Effectiveness & efficiency
• Audit approach
– Types of audits
– “Voorschrift Informatiebeveiliging Rijksoverheid (VIR)”

Introduction EDP Audit 2


EDP AUDITING
• Independent, impartial judgment and advice on Information Technology (IT)
• Quality aspects
– Confidentiality, Integrity, Availability (CIA) and Auditability
– Effectiveness, Efficiency etc.
• Objects
– Information systems (Information Systems Auditor: ISA)
– Technical infrastructure and Organisation of IT (Technical Auditor: TA)
– IT contracts, Service Level Agreements etc.

In the Netherlands:
• Professionals are registered: NOREA
• Post-graduate education at three universities
• Large EDP audit departments of major audit / assurance firms and other organisations
• EDP auditors have a “short life time”, they soon move to management positions

“The two lies of the profession ...”

EDP auditor: “I am here to help you”
Auditee: “You are welcome”

(How can we show our added value?)
CORPORATE GOVERNANCE

[Diagram, translated from Dutch:]
Supervision (Toezicht): Shareholders, Supervisory Board (Raad van Commissarissen), Works Council (Ondernemingsraad), External accountant
Management (Besturen): Executive Board (Raad van Bestuur), management (directie)
Monitoring (Bewaken): Internal accountants, Controller
Business processes (IT supports the business processes and so contributes to their quality)

Source: Report of the Commissie Peters, Vereniging voor de Effectenhandel, “Corporate Governance in Nederland”, 29 October 1996

COMMISSIE PETERS, VERENIGING VOOR DE EFFECTENHANDEL

The report “Corporate Governance in Nederland” contains no direct reference to IT at all. Related recommendations are:

17. The Supervisory Board (RvC) discusses at least once a year the strategy and the risks attached to the enterprise, and the outcome of the Executive Board's (RvB) assessment of the design of the internal control systems.

21. The Executive Board reports in writing to the Supervisory Board on the company objectives, the strategy, the risks attached to them and the mechanisms for controlling risks of a financial nature.

36. The audit of the annual accounts by the external accountant is one of the cornerstones of a good system of Corporate Governance.

IT supports the business processes and introduces specific risks. Therefore IT must be regarded as part of these three recommendations.

MANAGEMENT CONTROL

An effective management control system consists of
• Planning
• Execution
• Evaluation

Three categories of business objectives
a Effectiveness and efficiency of business processes (operational)
b Reliability of financial information (reporting)
c Compliance with laws and standards

Participation of the EDP auditor
ad a Use of IT resources: incl. Confidentiality, Integrity, Availability and Auditability
ad b General IT controls and programmed controls in applications
ad c E.g., Wet Computer Criminaliteit (WCC), Wet Persoonsregistraties (WPR)

FOR WHOM DOES THE EDP AUDITOR WORK?

[Diagram: the corporate governance figure of the previous slide (supervision: shareholders, Supervisory Board, Works Council, external accountant; management: Executive Board, management; monitoring: internal accountants, controller; the business processes, which IT supports and so contributes to their quality), extended with the internal EDP auditor in the monitoring layer and the external EDP auditor next to the external accountant. Labels on the connecting arrows, translated from Dutch: audit of the annual accounts (jaarrekeningcontrole), support (ondersteuning), special assignments (bijzondere opdrachten).]
IT AND BUSINESS PROCESSES

[Diagram: central / decentral IT infrastructure on one side, the business processes on the other, with information and control flowing between them]

Information systems support the business functions, which in turn support the business processes: “here they make their money”

IT AND MILITARY PROCESSES

[Diagram: as above, with the military business processes and operations: “here they do their job”]

Information systems support the business functions, which in turn support the military business processes and operations
INFORMATION HANDLING

[Diagram: Information Management between IT and the business processes. Data and information flow between the two; the business gives instructions / control to IT. IT transfers / consolidates / distributes / transforms etc.]

Supporting the business / operations

INFORMATION
• Data at such an aggregation level that it can be understood by human beings and can be used to control
• CoP: The quality aspects apply to all forms of “information”: data stored on computers (data, text, video, speech), transmitted across networks, printed out or written down on paper, and spoken in conversations

[Diagram: Data, through transformation, consolidation and interpretation, is made usable and becomes information]
POSITION OF IT

Position of IT:
• An island in the ocean?
• An empire within an empire?

No, IT must closely interact with the business and provide the quality required by the business. Effective communication is of vital importance

CONCERNS FOR IT ORGANISATIONS

CONCERNS, e.g.
• Failing projects
• Costs too high
• Risks too high
• Slow response
• Wrong focus
• Unrealistic expectations
• Insufficient management involvement
• Insufficient IT communication

CONSEQUENCES, e.g.
• No compliance with quality targets
• Conflicts: internal & external
• Dissatisfied customers
• Loss of image
• Loss of skills
• Decreasing budgets
• Outsourcing
CENTRAL VERSUS DECENTRAL IT

IT in historical perspective
[Diagram: platforms in order of appearance: Mainframe, Midrange, PC and PC/LAN, Client/Server, Distributed, Intra/Inter/Extranet, Electronic commerce, Mobile commerce, grouped as Business systems, Personal systems and Network systems. The axes are Quality aspects and Functionality; Manageability, Controllability and Auditability are marked at the Mainframe end. Operational improvements versus Strategic improvements?]
Kol. P.C.J. Boelee, Min. van Defensie, NIVRA/VERA Conference Update on IT and Control, Nov 1998

LEGACY

LEGACY PROBLEM: IT today
[Diagram: the same platforms from Mainframe to Mobile commerce plotted against Time and Functionality. Caption: “Everything still exists, partly ‘legacy’”]
Kol. P.C.J. Boelee, Min. van Defensie, NIVRA/VERA Conference Update on IT and Control, Nov 1998

WHY DO THEY HIRE YOU AS EDP AUDITOR ?


• You have experience and can judge and advise
• You understand
– the business
– the company / organisation
– the supporting role of IT
– the technical and organisational IT infrastructure
• You can set priorities for judging / advising on the quality
aspects of the IT objects, based on the interest of
stockholders, directors etc.
• You can translate the results of your work to text
understandable to your principal
• You can assist to translate your recommendations into
priorities and actions

EFFECTIVE IT CONTROL

IT CONTROL
Definition: Manage the IT resources and IT organisation so that it provides benefits to the business objectives with regard to
1 continuity, effectiveness and efficiency
2 confidentiality and integrity
Objects:
• Implement conflict of interests between user organisations and IT organisation (buyer / seller relationship)
• Clear requirements and cost / benefit assessments
• Obligation to provide results
• Contracts and Service Level Agreements (SLAs)
• Well defined processes and disciplines (including ITIL)
A PROFESSIONAL INTERACTION BASED ON CONTRACTS / SLAs

[Diagram: User organisation (in charge, budgets; Requirement owner “behoeftesteller”; Knowledge; Use by the End user) and IT organisation (obligation to provide results; Telematica architecture: translation of functional and quality requirements; IV/IM functions; System development; Exploitation). The stages Requirement, DESIGN, BUILD and RUN are governed by a Contract / SLA; the IT organisation delivers services (verification of agreements) and the user organisation gives feedback.]
IV/IM = Informatie Voorziening / Information Management

THE CENTRALISED APPROACH

[Diagram: the Requirement owner defines functional and quality requirements; the IV/IM function (Director IT, Account managers, Administration etc.) maintains the Telematica architecture (S D T V); System development and Exploitation (each S D T V) with feedback; End user council]
Legend SDTV:
- S(peech)
- D(ata)
- T(ext)
- V(ideo)
OUTSOURCING

After the requirements are specified correctly, select on basis of costs and quality (“smart buyer”)

[Diagram: USER ORGANIZATION(S) deal through one single counter, under CONTRACTS AND SERVICE LEVEL AGREEMENTS, with SERVICE PROVIDER(S): internal or external. These in turn have ‘CYCLE/TRANSPORT’ CONTRACTS AND SERVICE LEVEL AGREEMENTS with further SERVICE PROVIDER(S): internal or external (transparent to the users)]

IT SERVICES: (INTERNAL / EXTERNAL) OUTSOURCING MODELS

[Diagram: Users and User organisations receive Services from IT organisation(s). Layers that can each be sourced separately: Applications; System development; Technical and organisational infrastructure (including other hardware); Operating systems; Standard program products; Data communication; Hardware. Models, e.g.: every combination is possible]
FRAMEWORK IT CONTROL

Quality of service delivery must be described in a Service Level Agreement (SLA), which belongs to the IT organisation’s Service Level Management (SLM) discipline

[Diagram: User organisations and IT organisation each with the layers Policy, Control and Execution. The policy layers are linked by a Contract, the control layers by the SLA (on the IT side part of SLM), and the execution layers by the service delivery itself]

MODEL FOR IT CONTROL

IT CONTROL
[Diagram: Strategic level: IT policy and organisation (Policy, with Audit); Tactical level: the 11 IT disciplines (Execution of policy, with Audit); Operational level: Execution on the subsystems Mainframe, Midrange, Network infrastructure, Tools, etc.]
MODEL OF IT DISCIPLINES

[Diagram: a stack of Business functions (e.g., SAP functions), Application (e.g., SAP applications), Sub systems (e.g., SAP base), Operating system and Hardware; the lower layers form the IT infrastructure. Fixed and variable process parameters, application parameters and system parameters are set per layer. Around the stack: Service and End-User, System development, Control and Improvement.]
System development: Policy, Methods, Technology; Quality, Change, Problem
IT infrastructure control: IT policy, Service level, Configuration, Capacity, Change, Problem; Security, Availability, Performance, Operations, Accounting, Workload

POSSIBLE IT MANAGEMENT DISCIPLINES

IT MANAGEMENT DISCIPLINES ARE, E.G.
• IT Policy and organisation
• Service Level management
• Configuration management
• Capacity management
• Change management
• Problem management
• People management
• Security management
• Availability management
• Performance management
• Operations management
• Accounting management
• Workload management
• Quality management

Note 1: For EDP audit of the technical and organisational infrastructure, we use 12 of them
Note 2: IT disciplines are primarily used to group the control objectives in a structured and logical way
RELATIONS BETWEEN IT DISCIPLINES (AS USED BY LEEN VAN RIJ)

[Diagram: Information Technology Policy at the top; below it Configuration, Change, Problem, Security, Service Level, Availability, Performance, Operations, Capacity, Workload and Accounting, linked to the USERS]
These are the 12 IT management disciplines relevant to EDP auditors

RELATIONS BETWEEN IT DISCIPLINES (SIMPLIFIED VIEW)

[Diagram: Information Technology policy at the top; Service Level in the centre, connected to the USERS and to Availability, Change, Problem, Security, Configuration, Operations, Performance / Workload, Accounting and Capacity]
Service Level Management is the pivot
WORLD CLASS IT MODEL

[Diagram, in Dutch, of a maturity model. Rows (process areas), translated: Production; Incidents & problems; Changes & configuration; Service level management; Development & maintenance. The axis runs from technology-driven via service management to business- and customer-oriented. Recoverable stage labels, translated: informal, ad hoc, fragmented, re-active, partial, operational, technical; basic control, registration, planning & control, stable process; service level agreement, cost / benefit, volume knowledge, integrated, logistic process, measurements, quality parameters, methods and techniques; pro-active, preventive, flexibility, priority setting, product knowledge, separate service level management, partnership with the customer.]

ITIL

A standard for control

ITIL = Information Technology Infrastructure Library
MANAGEMENT OF IT, USING ITIL

GROWING COMPLEXITY
[Diagram: Past: management of IT; Present: IT and ITIL; Future: management of the public infrastructure (KPN etc.)]
ITIL foils: written by Paul Overbeek and Gerben Nelemans

GROWING COMPLEXITY
• Technique
– More types and more complex data communications
– More types and more complex operating systems
– More types and more complex middleware
– More types and more complex applications
• Organisations
– New organisational structures, switching between central and decentral
– Changing dependencies
• Trends
– Single Sign On
– Repositories
– Authorisation Services
– Decentral security and Client/Server security
– Public Key Infrastructures (PKIs) and Trusted Third Parties (TTPs)
– Internet and firewalls
SECURITY AND CONTROL REQUIRES UNIFORMITY OF IT MANAGEMENT
Due to the growing complexity
• Uniformity of management is a prerequisite to have a controlled IT environment
• ITIL is a means for uniformity of IT management
• ITIL = IT Infrastructure Library
– 60 books
– 30 processes in some 9 sets
– for security management, 12 processes in 2 sets are relevant
• Best practice for exploitation and control of IT
• Written by CCTA (former Central Computer and Telecommunications Agency)
• Also contains ITIL Security Management (since 1998)

WHAT IS INFRASTRUCTURE IN ITIL ?

• Focused upon control and exploitation of IT Infrastructure
• What is included
– software (applications)
– hardware
– documentation
– procedures
– information system (combination hardware, software and procedures)
• What is not included (for security aspects, see Code of Practice)
– individual files, queues, messages
– people
– environment
– physical aspects

• Note for EDP auditor: ITIL has no knowledge of business processes
ITIL LAYERS

There are 9 ITIL sets, among which:
Strategy: Managers’ set
Tactic: Service Delivery Set (tactical control, usage of IT resources)
Operations: Service Support Set (operational control, the resources themselves)

ITIL SERVICE DELIVERY SET

Focused on tactical control (usage of the IT resources)
Processes
• Service level management
• Availability management
• Capacity management
– Workload management
– Performance management (tuning)
– Delivery management
• Contingency management (in the past: Disaster planning)
• Accounting management
• Security management
ITIL SERVICE SUPPORT SET

Focused on operational control (the IT resources themselves)
Processes
• Configuration management
• Incident management / Help desk
• Problem management
• Change management
• Software control & distribution

ITIL MANAGEMENT PROCESSES

ELEMENTARY VIEW ON A PROCESS
[Diagram: a Process has a Purpose; its Activities turn input into output; it has Relations with other processes]
ITIL SECURITY MANAGEMENT

ITIL PROCESS SECURITY MANAGEMENT
[Diagram: the Process, purpose: comply with objectives + baseline; input: the SLA with security objectives; Activities produce output; Relations with other processes]

RELATIONS BETWEEN ITIL PROCESSES

Security Management has relations with (Service Delivery Set):
• Service Level Management
• Availability Management
• Capacity Management
• Contingency Planning

and with (Service Support Set):
• Configuration Management
• Incident Management / Helpdesk
• Problem Management
• Change Management
• Software Control & Distribution
SECURITY MANAGEMENT
The Three Challenges
• Process
– the Security Management Process itself
• Relationships
– between Security Management and the other processes
• External relationships
– managing the SLA requirements for security

SECURITY: managing the SLA requirements for security
[Diagram: the CUSTOMER and the IT Service Provider agree an SLA and exchange REPORTs; on the provider side a cycle PLAN → IMPLEMENT → EVALUATE → MAINTAIN, with CONTROL in the middle]
CUSTOMER defines requirements based on business needs

Service Level Agreement / Security section
• agreed between customer and provider
REPORT
• conform SLA

IT SERVICE PROVIDER implements the SLA by ITIL Security Management

PLAN:
• Service level agreement
• Underpinning contracts
• Operational Level agreements
• Policy statements

IMPLEMENT:
• Create awareness
• Classification & registration
• Personnel security
• Physical security
• Security management computers, networks, applications ...
• Control & management of access rights
• Security incident handling, registration
• ...

CONTROL:
• Get organised
• Establish management framework
• Allocate responsibilities

EVALUATE:
• Internal audits
• External audits
• Self assessments
• Security incidents

MAINTENANCE:
• Learn
• Improve
– plan
– implementation

ITIL CONFIGURATION MANAGEMENT

Configuration Management
CONFIGURATION MANAGEMENT
The foundation for control / use it to control the changes
• Know what you have
– version management
• Names
– CI : Configuration Item
– CMDB : Configuration Management Data Base
• EDP audit questions, e.g.
– verify whether there is configuration management
– who is responsible, how is the process organised?
– which CIs are included (which level of detail?)
– is the input to the process reliable?
– how is the completeness guaranteed and is it up to date?
– are there cross references, e.g., with the license administration and maintenance contracts? Etc.

SCOPE OF CONFIGURATION MANAGEMENT

• Granularity of control determined by choice of configuration items - CIs
– very important !!
• Per CI
– attributes and classification
– status
– relations with other CIs
• CIs, e.g.
– software (applications) - packages, licensed programs, home spun programs, at which level of detail?
– hardware - boxes, patch panels, cables, at which level of detail for peripherals?
– documentation - which books and CD-roms at which location?
– information system - or are the components included in the items above?
CONFIGURATION MANAGEMENT SUPPORT OF SECURITY MANAGEMENT
• Classification system
– availability
– integrity / reliability
– availability / continuity
• Classification connects CI to
– activities, to be understood as
» instructions for how to handle, or
» procedures !
» documentation
» or Manuals / Implementation Guidelines

CLASSIFICATION OF SENSITIVITY
A dedicated classification system tailor cut to the organisation

Aspects: Availability / Continuity, Confidentiality / Exclusivity, Integrity

Class        | Description / objective
no criterion |
desirable    |
important    |
essential    |
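A worked example, added here and not part of the original slides, of how a CMDB that records a classification per CI can answer the EDP audit questions from the configuration management slides (is the classification complete, are the relations reliable, is it up to date, are there cross references with the license administration) and how a classification connects a CI to handling instructions. All CI names, dates, license references and instruction texts are constructed sample data; the handling instructions are hypothetical.

```python
"""Toy CMDB with sensitivity classification and EDP audit checks (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Classes from the "Classification of sensitivity" slide, lowest to highest
LEVELS = ("no criterion", "desirable", "important", "essential")
ASPECTS = ("availability", "confidentiality", "integrity")

# Hypothetical handling instructions per (aspect, class); the slide says the
# classification connects a CI to instructions / procedures.
INSTRUCTIONS = {
    ("confidentiality", "important"): "access restricted to the owning department",
    ("confidentiality", "essential"): "access on need-to-know basis, every access logged",
    ("integrity", "important"): "changes only via an RFC",
    ("integrity", "essential"): "changes only via an RFC, verified after implementation",
    ("availability", "important"): "in the backup schedule, restore tested",
    ("availability", "essential"): "in the contingency plan, redundant configuration",
}


@dataclass
class CI:
    """A Configuration Item: attributes, classification, status and relations."""
    name: str
    ci_type: str                                    # software / hardware / documentation / ...
    classification: dict                            # aspect -> class from LEVELS
    status: str = "in use"
    relations: list = field(default_factory=list)   # names of related CIs
    last_verified: Optional[date] = None            # last physical / administrative check
    license_ref: Optional[str] = None               # reference into the license administration


class CMDB:
    def __init__(self) -> None:
        self.items: dict[str, CI] = {}

    def register(self, ci: CI) -> None:
        if ci.name in self.items:
            raise ValueError(f"duplicate CI {ci.name!r}")
        self.items[ci.name] = ci

    def handling_instructions(self, name: str) -> list[str]:
        """Instructions that follow from the classification of one CI."""
        ci = self.items[name]
        return [f"{aspect}/{cls}: {INSTRUCTIONS[(aspect, cls)]}"
                for aspect in ASPECTS
                for cls in [ci.classification.get(aspect)]
                if (aspect, cls) in INSTRUCTIONS]

    # EDP audit questions from the configuration management slides
    def unclassified(self) -> list[str]:
        """Which CIs lack a valid class for one of the three aspects?"""
        return sorted(ci.name for ci in self.items.values()
                      if any(ci.classification.get(a) not in LEVELS for a in ASPECTS))

    def dangling_relations(self) -> list[tuple[str, str]]:
        """Relations to CIs that are not registered (is the input reliable?)."""
        return sorted((ci.name, rel) for ci in self.items.values()
                      for rel in ci.relations if rel not in self.items)

    def stale(self, as_of: date, max_age_days: int) -> list[str]:
        """CIs not verified within max_age_days (is the CMDB up to date?)."""
        limit = as_of - timedelta(days=max_age_days)
        return sorted(ci.name for ci in self.items.values()
                      if ci.last_verified is None or ci.last_verified < limit)

    def license_mismatches(self, license_admin: dict[str, str]) -> dict[str, list[str]]:
        """Cross reference software CIs with the license administration (ref -> product)."""
        software = [ci for ci in self.items.values() if ci.ci_type == "software"]
        used_refs = {ci.license_ref for ci in software if ci.license_ref}
        return {
            "ci_without_license": sorted(ci.name for ci in software
                                         if ci.license_ref not in license_admin),
            "license_without_ci": sorted(ref for ref in license_admin if ref not in used_refs),
        }


def build_sample_cmdb() -> CMDB:
    """Constructed sample data; the defects are deliberate so the checks find them."""
    cmdb = CMDB()
    cmdb.register(CI("erp-app", "software",
                     {"availability": "important", "confidentiality": "essential",
                      "integrity": "essential"},
                     relations=["db-server"], last_verified=date(2002, 8, 15),
                     license_ref="LIC-001"))
    cmdb.register(CI("db-server", "hardware",
                     {"availability": "essential", "confidentiality": "important",
                      "integrity": "important"},
                     relations=["san-01"],                 # san-01 is not in the CMDB
                     last_verified=date(2001, 12, 1)))     # not checked for a long time
    cmdb.register(CI("office-suite", "software",
                     {"availability": "desirable", "confidentiality": "high"},  # bad class, no integrity
                     last_verified=date(2002, 7, 1), license_ref="LIC-999"))   # unknown license
    return cmdb


# Constructed license administration: reference -> product
SAMPLE_LICENSES = {"LIC-001": "ERP package", "LIC-002": "Backup tool"}


def audit_report(cmdb: CMDB, as_of: date = date(2002, 9, 2)) -> dict:
    return {
        "unclassified": cmdb.unclassified(),
        "dangling_relations": cmdb.dangling_relations(),
        "stale": cmdb.stale(as_of, max_age_days=180),
        "licenses": cmdb.license_mismatches(SAMPLE_LICENSES),
    }


if __name__ == "__main__":
    db = build_sample_cmdb()
    for finding, value in audit_report(db).items():
        print(f"{finding}: {value}")
    print(db.handling_instructions("erp-app"))
```

Each check returns a list of findings rather than printing, so the same functions can be run against a real CMDB export; the granularity of the CIs (which level of detail is registered) is exactly the choice the scope slide calls "very important".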

ITIL INCIDENT MANAGEMENT, HELP DESK

Incident Management, Help Desk
An incident is an occurrence of a problem

INCIDENT MANAGEMENT, HELP DESK PROCESS

• Purpose: incident control
– one desk for first line support - the Help Desk or IT Call Center
• Activities
– registration and monitoring the progress of incident handling
– incident control deals with symptoms
• Input
– complaints and questions by users
• Output
– solutions, workarounds etc.
– problem description
ITIL INCIDENT MANAGEMENT, HELP DESK PROCESS …
[Figure without recoverable text]

EDP audit questions, e.g.
• Is there an effective incident management process?
• Are all incidents documented? How long are the records retained?
• Are the Help Desk employees well trained, also for security aspects?
• When is an incident called a security incident ?
– CI classified
– ?
• Verify
– handling security incidents is a ‘normal’ procedure
– how is the contact with or reporting to the security officer
– are there additional security measures
» e.g., security incident reporting and alarm reporting
• Consider classification scheme for incidents
• Verify the completeness and accessibility of the records, reports etc.
ITIL PROBLEM MANAGEMENT

Incident Management, Help Desk → Problem Management
A problem may cause multiple incidents

PROBLEM MANAGEMENT PROCESS

• Purpose
– problem control
– solving problems or identifying known errors
– recording problems and monitoring the progress of solving them
• Input
– incidents which cannot be solved (input from Help Desk, but also from system owners, programmers etc.)
• Activities
– using organisation scheme
– procedures (incl. registration and monitoring)
– some security measures
– reporting status and progress
• Output
– solution
– related to known error
QUALITY PROCEDURE

Standard flowchart for solving technical problems
[Flowchart, nodes translated from Dutch: Problem; Does it work? (yes / no); Did you touch it? (yes / no); Leave it alone then, you fool; Does anybody know about it? (yes / no); Will you get into trouble? (yes / no); Leave the building; KLUTZ!!!; Can you blame somebody else? (yes / no); Go home; Problem solved]

ITIL CHANGE MANAGEMENT

Change Management
CHANGE MANAGEMENT PROCESS

• Purpose
– assure that all changes of CIs are controlled and documented
• Input
– known errors from Problem management
– Requests for Changes (RFCs), e.g., from system owners etc.
• Activities
– supported by organisation structure
– execute procedures (incl. registration and monitoring)
– RFCs: define, handle and (let) implement
– monitor and warrant security level
• Output
– controlled changes of the IT infrastructure
– ditto in the CMDB

A CHANGE

RFC = Request for Change, change proposal on CI(s)
Assign status: Urgent / not
Determine impact on security
Reviewed / authorised by CAB
Implementation
Tests
Acceptance or Restore old situation
CHANGE MANAGEMENT PROCESS

REQUEST FOR CHANGE (RFC)

PREPARATION:
- assess risk and impact
- open change record in Change Database

VERIFICATION: Change Advisory Board (CAB)

DECISION: CAB
- REJECTED: FEEDBACK: change record
- APPROVED: ASSIGN A DATE; FEEDBACK: change record

IMPLEMENTATION: backup and make change

EVALUATION: verify correct operation
- verify security and internal control
- complete and close change record
- SEVERE PROBLEM: RESTORE

OK: READY
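As an added example (not from the slides or from ITIL itself) of the change management process on this slide: a Request for Change is prepared, decided on by the CAB, implemented after a backup, evaluated, and then either closed with the CMDB updated or restored to the old situation. The CAB quorum rule (change manager and service level manager, plus the security manager for security relevant changes, as on the CAB slide), the impact measure, and all RFC numbers, CI names and firewall rules are constructed assumptions.

```python
"""Request for Change workflow of the change management slide (added example)."""
from __future__ import annotations

import copy
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class RFC:
    rfc_id: str
    ci: str                       # CI the change proposal applies to
    description: str
    security_relevant: bool
    urgent: bool = False
    status: str = "submitted"
    record: list[str] = field(default_factory=list)   # the change record in the Change Database
    backup: object = None

    def note(self, text: str) -> None:
        self.record.append(f"[{self.status}] {text}")


def prepare(rfc: RFC, cmdb: dict) -> None:
    """PREPARATION: assess risk and impact, open the change record."""
    if rfc.ci not in cmdb:
        raise KeyError(f"RFC {rfc.rfc_id} refers to unknown CI {rfc.ci!r}")
    # Hypothetical impact measure: the CIs that depend on the one being changed
    dependants = [n for n, item in cmdb.items() if rfc.ci in item.get("relations", [])]
    rfc.status = "prepared"
    rfc.note(f"impact: {len(dependants)} dependent CI(s) {dependants}; "
             f"urgent={rfc.urgent}; security relevant={rfc.security_relevant}")


def cab_decision(rfc: RFC, attendees: set[str], approve: bool) -> str:
    """VERIFICATION / DECISION by the CAB. Assumed quorum: change manager and service
    level manager; a security relevant change also needs the security manager."""
    required = {"change manager", "service level manager"}
    if rfc.security_relevant:
        required.add("security manager")
    missing = sorted(required - attendees)
    if missing:
        rfc.status = "deferred"
        rfc.note(f"no valid CAB decision, missing: {missing}")
    elif approve:
        rfc.status = "approved"
        rfc.note("approved, date assigned")
    else:
        rfc.status = "rejected"
        rfc.note("rejected")
    return rfc.status


def implement(rfc: RFC, cmdb: dict, apply_change: Callable[[dict], None]) -> None:
    """IMPLEMENTATION: backup the CI, then make the change."""
    if rfc.status != "approved":
        raise RuntimeError(f"RFC {rfc.rfc_id} is {rfc.status}, not approved")
    rfc.backup = copy.deepcopy(cmdb[rfc.ci])
    apply_change(cmdb[rfc.ci])
    rfc.status = "implemented"
    rfc.note("backup taken, change made")


def evaluate(rfc: RFC, cmdb: dict, verify: Callable[[dict], bool]) -> str:
    """EVALUATION: verify correct operation, security and internal control;
    on a severe problem restore the backup, otherwise close the record."""
    if verify(cmdb[rfc.ci]):
        cmdb[rfc.ci]["version"] = cmdb[rfc.ci].get("version", 0) + 1   # ditto in the CMDB
        rfc.status = "closed"
        rfc.note("verified OK, change record completed and closed")
    else:
        cmdb[rfc.ci] = copy.deepcopy(rfc.backup)
        rfc.status = "restored"
        rfc.note("severe problem: old situation restored")
    return rfc.status


def run_change(rfc, cmdb, attendees, approve, apply_change, verify) -> str:
    """The whole flow; returns the final status of the RFC."""
    prepare(rfc, cmdb)
    if cab_decision(rfc, attendees, approve) != "approved":
        return rfc.status
    implement(rfc, cmdb, apply_change)
    return evaluate(rfc, cmdb, verify)


def sample_cmdb() -> dict:
    """Constructed sample CMDB: a firewall and the application behind it."""
    return {
        "fw-01": {"version": 3, "rules": ["allow 443 to erp-app", "deny all"], "relations": []},
        "erp-app": {"version": 7, "relations": ["fw-01"]},
    }


def demo_restore() -> tuple[str, dict]:
    """A rule change that loses the final deny rule fails verification and is rolled back."""
    cmdb = sample_cmdb()
    rfc = RFC("RFC-0042", "fw-01", "open port 8080", security_relevant=True)
    attendees = {"change manager", "service level manager", "security manager"}
    status = run_change(rfc, cmdb, attendees, True,
                        apply_change=lambda fw: fw["rules"].remove("deny all"),
                        verify=lambda fw: fw["rules"][-1] == "deny all")
    return status, cmdb["fw-01"]


def demo_deferred() -> str:
    """A security relevant RFC brought to a CAB without the security manager."""
    rfc = RFC("RFC-0043", "fw-01", "open port 8080", security_relevant=True)
    return run_change(rfc, sample_cmdb(), {"change manager", "service level manager"}, True,
                      apply_change=lambda fw: None, verify=lambda fw: True)


if __name__ == "__main__":
    print(demo_restore())
    print(demo_deferred())
```

The change record is appended to at every step, so after a restore the record still shows who decided and what was verified; that is what the audit question "are all changes controlled and documented" looks for.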

CHANGE ADVISORY BOARD (CAB)

Configuration Control Board, daily or weekly meeting, the participation may vary
• Change Manager
• Service Level Manager
• Case specialists
– architect
– technical experts
– design & development
• Operational management
• User / customer representative ?
• …
• Other process managers
• Security Manager for security relevant changes !
EXAMPLE
• Incident
– car does not start
– work around / contingency plan: push
• Problem
– car does not start the entire week
– known problem: Lada
• RFC
– give me a Ferrari
• CAB decision
– use the train

CHANGE MANAGEMENT SUPPORT OF SECURITY MANAGEMENT
In change management many issues are to be ensured
• Perform risk analyses
– impact in business processes (customer’s responsibility)
– impact on IT infrastructure as a whole
– which level of security is needed
• Security plan (SOLL)
– selection of security controls / measures + audit + contingency + availability
– define Operational Level Agreements (OLAs)
CHANGE MANAGEMENT SUPPORT OF SECURITY MANAGEMENT (cont.)
• Implementation plan (SOLL minus IST), plan for
– implementation of selected controls / measures
– implementation of security baseline
– Operational Level Agreements (OLAs)
• Input for Request for Change (RFC)
• Change Advisory Board (CAB)
• Implementation
• Testing
• Acceptance

ITIL SERVICE LEVEL MANAGEMENT

Service Level Management
“I deliver with quality” (signature)
SLA

[Diagram: the Customer / company management states the Service requirement and ‘controls’ the IT Service Provider via the SLA; the IT service provider gives feedback on compliance with the SLA. Within the provider, Service Level management sits on top of the ITIL Management processes, among which Security management]

ITIL & SECURITY: A CONTROLLED PROCESS

ITIL & security provides a controlled process and hence results in fewer errors in operation and security

[Diagram: Incidents → Help Desk / Incident management → Problems → Problem Management → Known errors → RFCs → Change Management; Configuration Management and Security Management underpin the whole chain]
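The chain on this slide (incidents registered by the Help Desk, repeated incidents escalated to a problem, the known error handed to Change Management as an RFC), together with the EDP audit questions on the incident management slide (when is an incident a security incident: the CI is classified; is it reported to the security officer; are all incidents documented), as an added example that is not part of the original slides. The escalation threshold, the CI classification, the incident data and the "open too long" limit are constructed assumptions.

```python
"""Incident, problem and known error chain with security incident flagging (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Incident:
    incident_id: int
    ci: str
    symptom: str
    reported_by: str
    opened: datetime
    security_incident: bool          # slide: a security incident when the CI is classified
    status: str = "open"
    workaround: Optional[str] = None
    problem_id: Optional[int] = None


@dataclass
class Problem:
    problem_id: int
    ci: str
    symptom: str
    incident_ids: list[int]
    status: str = "open"
    known_error: Optional[str] = None
    rfc_id: Optional[str] = None


class ServiceSupport:
    """Help Desk registration, escalation to Problem Management, hand-over to Change Management."""

    def __init__(self, ci_classification: dict[str, str], escalate_after: int = 2):
        self.ci_classification = ci_classification    # CI -> class ("no criterion" ... "essential")
        self.escalate_after = escalate_after          # assumed: incidents on one CI/symptom before a problem
        self.incidents: dict[int, Incident] = {}
        self.problems: dict[int, Problem] = {}
        self.security_officer_reports: list[int] = []   # incident ids reported to the security officer

    def register_incident(self, ci, symptom, reported_by, opened) -> Incident:
        """Help Desk: register the incident (symptoms only) and flag it when the CI is classified."""
        is_security = self.ci_classification.get(ci, "no criterion") != "no criterion"
        inc = Incident(len(self.incidents) + 1, ci, symptom, reported_by, opened, is_security)
        self.incidents[inc.incident_id] = inc
        if is_security:
            self.security_officer_reports.append(inc.incident_id)   # the 'normal' procedure
        self._link_to_problem(inc)
        return inc

    def resolve_with_workaround(self, incident_id: int, workaround: str) -> None:
        inc = self.incidents[incident_id]
        inc.workaround, inc.status = workaround, "resolved"

    def _link_to_problem(self, inc: Incident) -> None:
        """Problem Management input: repeated incidents with the same CI and symptom."""
        same = [i for i in self.incidents.values() if (i.ci, i.symptom) == (inc.ci, inc.symptom)]
        existing = next((p for p in self.problems.values()
                         if (p.ci, p.symptom) == (inc.ci, inc.symptom) and p.status == "open"), None)
        if existing:
            existing.incident_ids.append(inc.incident_id)
            inc.problem_id = existing.problem_id
        elif len(same) >= self.escalate_after:
            prob = Problem(len(self.problems) + 1, inc.ci, inc.symptom, [i.incident_id for i in same])
            self.problems[prob.problem_id] = prob
            for i in same:
                i.problem_id = prob.problem_id

    def record_known_error(self, problem_id: int, root_cause: str, rfc_id: str) -> Problem:
        """Problem Management output: a known error, handed to Change Management as an RFC."""
        prob = self.problems[problem_id]
        prob.known_error, prob.rfc_id, prob.status = root_cause, rfc_id, "known error"
        return prob

    # EDP audit questions from the incident management slide
    def audit_findings(self, now: datetime, max_open: timedelta) -> dict[str, list[int]]:
        return {
            "security_incident_not_reported": [i.incident_id for i in self.incidents.values()
                                               if i.security_incident
                                               and i.incident_id not in self.security_officer_reports],
            "open_too_long": [i.incident_id for i in self.incidents.values()
                              if i.status == "open" and now - i.opened > max_open],
            "resolved_without_record": [i.incident_id for i in self.incidents.values()
                                        if i.status == "resolved" and not i.workaround],
        }


def demo() -> tuple[ServiceSupport, Problem]:
    """Constructed sample: three reports on a classified mail server, one on an unclassified printer."""
    desk = ServiceSupport({"mail-01": "important", "erp-app": "essential"})
    t0 = datetime(2002, 9, 2, 8, 0)
    for hours, who in ((0, "alice"), (3, "bob"), (26, "carol")):
        inc = desk.register_incident("mail-01", "mail not delivered", who, t0 + timedelta(hours=hours))
        desk.resolve_with_workaround(inc.incident_id, "restart the mail daemon")
    desk.register_incident("test-printer", "paper jam", "dave", t0 + timedelta(hours=1))
    return desk, desk.record_known_error(1, "queue directory fills the disk", "RFC-0051")


def demo_findings() -> dict[str, list[int]]:
    desk, _ = demo()
    return desk.audit_findings(datetime(2002, 9, 4, 8, 0), timedelta(hours=24))


if __name__ == "__main__":
    print(demo()[1])
    print(demo_findings())
```

The security flag is derived from the CMDB classification at registration time, which is the link between the configuration management and incident management slides: an unclassified CI never produces a security incident, so an incomplete classification silently weakens incident handling.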

SLA ...

[Diagram: the SLA is concluded between a Representant (customer, user organisation, service user) and an Account manager (on behalf of the IT organisation, the Service Provider). The SLA contains the service catalog, including security.]
Underpinning contracts: performance of the Service Provider itself
Service Provision Agreements: external focus, e.g., datacom provider, electricity, hardware maintenance

QUALITY ASPECTS
• Confidentiality
• Integrity
• Auditability
(Confidentiality, Integrity and Auditability together: Reliability)
• Availability
• Effectiveness
• Efficiency
• Manageability
• etc.
INFORMATION SECURITY: THE BUSINESS PERSPECTIVE

Total Enterprise Risk Management

resource   | Finance                  | Assets                           | Information                          | Personnel
risk areas | currency risks           | fire                             | eavesdropping                        | illness
           | interest risks           | burglary                         | illegal modification                 | turnover
           | payments due             | theft                            | interruptions                        | demotivation
           | cash flow risks          | calamities                       | masquerading                         | knowledge drain
           | ...                      | ...                              | ...                                  | ...
measures   | treasury, insurance, ... | security, alarms, insurance, ... | information security, EDP audit, ... | human resource management, ...

LAWS AND STANDARDS

LAWS
• Computer crime: the owner must apply certain measures to protect networks, systems and data
• Privacy: special attention for information about individual persons
• IT for banks: regulations by national banks

STANDARDS
• US Department of Defence, orange book: classification of trusted computing base
• European Community: ditto
• Code of Practice (CoP: UK and NL) with the objectives
– deals with the technical infrastructure and the organisation of IT
– create a common basis to develop an effective security practice
– increase the confidence in the business
• IT Infrastructure Library (ITIL): some 60 books on IT management practices
OUR CHOICE: We selected the Code of Practice as a basis
RP/VU
Dutch confusion about names SEP/2002

Many quality aspects are used in different contexts, such as in

• NIVRA publications (among others nos. 53 and 62)
– Efficiëntie (efficiency)
– Effectiviteit (effectiveness)
– Integriteit (integrity)
– Exclusiviteit (exclusivity)
– Controleerbaarheid (auditability)
– Beschikbaarheid (availability)
• Memorandum of De Nederlandsche Bank (DNB memo)
– Betrouwbaarheid, reliability (integrity, exclusivity and auditability)
– Continuïteit, continuity (availability)
• Code of Practice (CoP) - CIA
– Confidentiality - vertrouwelijkheid
– Integrity - integriteit
– Availability - beschikbaarheid

Introduction EDP Audit 71

RP/VU
Code of Practice Introduction SEP/2002

• The purpose of information security is to ensure business continuity and to
minimize business damage by preventing and minimizing the impact of security
incidents.
• Information security management enables information to be shared, while ensuring
the protection of information and computing assets.

• The three basic components (quality aspects) of CoP are:
– CONFIDENTIALITY
– INTEGRITY
– AVAILABILITY

• Information takes many forms. It can be stored on computers, transmitted
across networks, printed out or written down on paper, and spoken in
conversations.
• From a security perspective, appropriate protection must be applied to all forms of
information, including papers, databases, films, view foils, models, tapes, diskettes,
conversation and any other methods to convey knowledge and ideas.

Introduction EDP Audit 72

Page 36
RP/VU
What is important? SEP/2002

QUALITY ASPECTS OF INFORMATION

• CONFIDENTIALITY
– Protecting sensitive information from unauthorized disclosure or
intelligible interception
• INTEGRITY
– Safeguarding the accuracy and completeness of information and
computer software
• AVAILABILITY
– Ensuring that information and vital services are available to the
business processes when required
(the three aspects above together: CIA)
• AUDITABILITY
– Allowing to verify compliance with the objectives
• EFFECTIVENESS
– Doing the right things
• EFFICIENCY
– Doing the things right (at the lowest costs)

Introduction EDP Audit 73

RP/VU
Mapping/grouping quality aspects SEP/2002

[Figure: overlapping groupings of the quality aspects, by source]
• Exclusivity (Wet Computer Criminaliteit)
• Reliability (Memo De Nederlandsche Bank - DNB)
• Effectiveness, Efficiency, Manageability, etc.
• Confidentiality (CoP)
• Integrity (CoP)
• Availability (CoP, DNB, NIVRA)
• Auditability (NIVRA)

CIA: Confidentiality, Integrity & Availability

CoP: Code of Practice for Information Security Management (UK BS7799:1995)

Introduction EDP Audit 74

Page 37
RP/VU
CORPORATE INFORMATION SECURITY SEP/2002

CORPORATE INFORMATION SECURITY
• Positioning
• ACIB model
• CIS
• Code of Practice

Introduction EDP Audit 75

RP/VU
Causes of damage to information SEP/2002

CAUSES OF DAMAGE TO INFORMATION

Investigation Price Waterhouse UK           Similar investigation in USA
33%  Human errors                           55%  Human errors
10%  Strikes (UK)                           16%  Dishonest acts
10%  Industrial espionage                   11%  Disgruntled employees
10%  Fraud                                  10%  Fire
33%  Errors in information systems           5%  Water
     and technical infrastructure            3%  Other causes
(the first four UK items are grouped by     Almost 82% is caused by human actions.
a brace in the original, labelled
“... causes are”)

• The conclusion is: people are the weak link in computer security
• The financial consequences due to fraud substantially exceed those due to errors.
Exact figures are not available due to enterprises’ reluctance to provide details
SECURITY IS BASED ON PROCEDURES AND CONTROLLING THE PEOPLE IN
YOUR ENTERPRISE

Introduction EDP Audit 76

Page 38
RP/VU
Positioning for EDP audit SEP/2002

POSITIONING FOR EDP AUDIT

Top management (Board of Directors)   Reporting on ‘security health’
Line management and staff             Code of Practice for IT Security (CoP: UK and NL)
IT management and staff               Technical security standards and studies
                                      (by EDP auditors, e.g., Platform Informatiebeveiliging - PI)
                                      Unix     Internet   OS/390   SNA   etc.
                                      OS/400   Intranet   RACF     Novell
                                      NT       Workflow   Oracle   Lan Server

Introduction EDP Audit 77

RP/VU
Positioning for management SEP/2002

PLATFORM INFORMATIEBEVEILIGING (PI) AND CoP

Strategic     Policy
Tactical      Code of Practice
              Baseline approach
Operational   PI standards (“baselines”)              PI studies
              Unix     OS/390   SNA          Internet   Multimedia
              OS/400   RACF     Novell       Intranet   Mobile
              NT       Oracle   Lan Server   Workflow   Cryptography

Introduction EDP Audit 78

Page 39
RP/VU
Dutch ACIB model SEP/2002

View an organisation as a building:

Penthouse:    Board, Directors, Top-management                  Laws
Work floor:   Line management, Staff                            Code of Practice as a guideline
Basement:     Technical infrastructure (system owners etc.)     Technical guidelines for implementation

ACIB = Advies- en Coordinatiepunt Informatiebeveiliging (Advisory and Coordination
Point for Information Security), Min. v. Binn. Zaken (Ministry of the Interior)


Introduction EDP Audit 79

RP/VU
Corporate Information Security (CIS) SEP/2002

What we cannot do… and what we can

Practical approach, using (self) assessments based upon CoP
• What we cannot do
– change the organisation overnight
– shut down Silicon Valley
– protect ourselves from all risks
• What we can do
– identify and protect our critical systems (if any…)
– exercise due care for all other systems
– create a security organisation
– integrate security into our processes
– balance cost and control
• Objective 1: Taking care of yourself
– tailor CoP to fit your needs based on risk analysis
– establish a future-proof security framework
– identify, develop and implement measures overdue
• Objective 2: Taking care of your business partners
– request your business partners to comply with CoP
– establish and maintain security agreements

Introduction EDP Audit 80

Page 40
RP/VU
Corporate Information Security (CIS) ... SEP/2002

Review process: 8 steps (may be followed by certification process)

1 Business analysis
2 Policy formulation
3 (Self) Assessment
4 Intermediate evaluation
5 Information security plan
6 Development
7 Implementation
8 Evaluation

Introduction EDP Audit 81

RP/VU
CIS phase 3: (Self) Assessment report SEP/2002
CoP   Sub-topic                                                          Status
3     • Information security policy
      • Security manager
      • Coordination of information security / consultation structure
4     • Allocation of responsibilities
      • Review by an external organisation
      • Security requirements laid down in contracts with third parties
5     • Inventory of assets; procedure for classification
      • Security tasks laid down in job descriptions
      • Background screening of job applicants
6     • Confidentiality agreement, internal and external
      • Awareness of risks
      • Disciplinary measures in case of violation
      • Guidelines for reporting security incidents
      • Inventory of rooms
7     • Critical rooms are adequately secured
      • Clear-desk policy
      • Emergency power for safe shutdown
      • Guidelines for system administration
      • Guidelines for incident handling
      • Adequate segregation of duties
      • Separation of development and production
      • Guidelines for engaging external parties
      • Capacity planning
8     • Virus control
      • Backup and restore
      • Logging of administrative activities
      • Guidelines for data media
      • Guidelines for exchange of data with third parties
      • Office automation security

Status column: shown in the original as a traffic light (“plaatje stoplicht”) with
the legend onvoldoende (insufficient) / gedeeltelijk (partial) / voldoende (sufficient).

Introduction EDP Audit 82

Page 41
RP/VU
CIS phase 3: (Self) Assessment report ... SEP/2002
CoP   Sub-topic                                                          Status
      • Need to use
      • Management of user access and privileges
      • Management of user access / special permissions
9     • Passwords
      • Security of networks
      • Security of computer systems
      • Security of applications and system tools
      • Logging and monitoring
      • Supporting the customer in specifying security requirements
10    • Change management
      • Security of test data
      • Maintenance of system software
11    • Continuity
      • Copyright
12    • WPR / WCC (Wet Persoonsregistraties, privacy act / Wet Computercriminaliteit, computer crime act)
      • External review
      • Insurance officer
plus “13”  • Insurance: fire / third-party liability (WA) / business operations

Status column: traffic light with the legend onvoldoende (insufficient) /
gedeeltelijk (partial) / voldoende (sufficient).

CIS phase 6/7: layered audit structure, e.g.

• External audit (say once per 2 years)
• Internal audit (annually, part of auditing general IT controls)
• Self assessment (monthly, e.g., through Secur-o-meter of GAK ASZ or a similar
assessment and reporting tool)

Introduction EDP Audit 83

RP/VU
Other checklists SEP/2002

OTHER CHECKLISTS
• NGI
• NATO
• Handboek Voorschrift Informatiebeveiliging Rijksoverheid (VIR)
• NIVRA publications
• IT-specific checklists
– Windows NT, Unix, MVS …
– Internet, dial-in connections …
– Databases: Oracle, Sybase, DB/2 …
• PI - Platform Informatiebeveiliging (formerly: CSA - Computer
Security Association - and OTB - Overlegorgaan Technische
Beveiligingsstandaarden)

Introduction EDP Audit 84

Page 42
RP/VU
Checklists SEP/2002

CHECKLISTS
• Easy to use
– one size does (not) fit all
– uniformity
– efficiency
• Dangerous in the hands of the innocent !
• Best before …
• Everybody loves checklists
– auditors
– security managers
– IT managers
– hackers
– normal people
– but … for different reasons
• Checklists are not enough !

Introduction EDP Audit 85

RP/VU
Objective: browsing through the Code of Practice SEP/2002

BROWSING THROUGH THE CODE OF PRACTICE

Introduction EDP Audit 86

Page 43
RP/VU
CODE OF PRACTICE SEP/2002

CODE OF PRACTICE for information security = British Standard BS7799

NEW: 2000
OLD: 1994

Introduction EDP Audit 87

RP/VU
Code of Practice (CoP) SEP/2002

CODE OF PRACTICE FOR INFORMATION SECURITY MANAGEMENT (CoP)

[Cover shown: British Standard BS 7799:1995, “Code of practice for Information
security management”, BSi]

• Developed in UK: BS 7799:1995
• Also published in Dutch by Min v EZ / NNI, 1994
• Update, 1999 / 2000
• Based on best practice of participants
• Purpose as mentioned in “Introduction”
– intended as a baseline level of security (due care)
– enable mutual trust between partners
– suitable for small, medium and large enterprises
• Organisational and technical measures
• 10 chapters, 8 key controls, 36 objectives
Note: It is not a standard for you as EDP auditor, but a set of guidelines
and attention items. Use it with common sense!

Introduction EDP Audit 88

Page 44
RP/VU
CoP chapters SEP/2002

CODE OF PRACTICE FOR INFORMATION SECURITY


MANAGEMENT (CoP)
Chapters
3 Security policy
4 Security organisation
5 Assets classification and control
6 Personnel security
7 Physical and environmental security
8 Communications and operations management
9 Access control
10 System development and maintenance
11 Business continuity planning
12 Compliance

Introduction EDP Audit 89

RP/VU
CoP Introduction SEP/2002

THREE PRIMARY QUALITY ASPECTS (CIA)

CONFIDENTIALITY
Protecting sensitive information from unauthorized disclosure or intelligible
interception
INTEGRITY (In new CoP: “Data integrity”)
Safeguarding the accuracy and completeness of information and processing
methods
AVAILABILITY
Ensuring that information and vital services are available to the business
processes when required

CoP DEALS WITH INFORMATION SECURITY

“INFORMATION” in CoP has been defined as:
The quality aspects apply to all forms of “information”: data stored on computers
(data, text, video, speech), transmitted across networks, printed out or written
down on paper, and spoken in conversations

Introduction EDP Audit 90

Page 45
RP/VU
CoP 3 – Security policy SEP/2002

CoP 3
Security policy

Introduction EDP Audit 91

RP/VU
CoP 3: Security policy SEP/2002

SECURITY POLICY

3.1 Information security policy

Objective: To provide management direction and support for information
security.
Management should set a clear direction and demonstrate their support
for, and commitment to, information security through the issue of an
information security policy across the organization.

• “Information security policy” must be defined by top management
• There must be an explicit owner of the policy, also responsible for
periodical revisions and updates
• Accessible to all persons involved
• Attention for threats specific to the own business

Introduction EDP Audit 92

Page 46
RP/VU
Threats and requirements SEP/2002

[Figure: threats and external requirements, together with the reliability
requirements, determine the measures that protect the assets and the information]

Introduction EDP Audit 93

RP/VU
Example of incidents SEP/2002

EXAMPLE OF INCIDENTS
• Website defacing
– See www.attrition.org
• Virus outbreaks
• Denial-of-service attacks
• Access to credit card numbers
• Website outage due to software errors
• Outage due to “flash crowd”
• …

Introduction EDP Audit 94

Page 47
RP/VU
Example of incidents ... SEP/2002
Hacking is greater threat than military attack
Source ZDNet UK, 30 Mar 2001
Foreign secretary Robin Cook warns that the fabric of British life is at risk
from viruses or a hack attack.
The foreign secretary warned on Thursday that hacking and computer viruses
present a bigger threat to Britain than a military attack.

Introduction EDP Audit 95

RP/VU
The Information Security Management Cycle ... SEP/2002

THE INFORMATION SECURITY MANAGEMENT CYCLE

[Figure: cycle with feedback loop]
Policy (inputs: Environment, External requirements, Internal requirements)
Control, organisation
Risk analysis
Planning
Controls (Organisational, Technical, Procedural, Physical)
Implementation
Evaluation & Testing
Feedback (back to Policy)

Introduction EDP Audit 96

Page 48
RP/VU
CoP 4 – Security organisation SEP/2002

CoP 4
Security organization

Introduction EDP Audit 97

RP/VU
CoP 4: Security organisation SEP/2002

SECURITY ORGANISATION
4.1 Objective: To manage information security within the
organization.
A management framework should be established to initiate
and control the implementation of information security
within the organization.
• Steering committee / coordination
• Allocation of security responsibilities
• Authorisation process for IT facilities
• Specialist security advice
• Cooperation between organisations
• Independence of reviews
• The risks of third party access; what should be included in
a third party contract and what should be covered by an
outsourcing contract
Introduction EDP Audit 98

Page 49
RP/VU
CoP 5 – Asset classification and control SEP/2002

CoP 5
Asset classification and control

Introduction EDP Audit 99

RP/VU
CoP 5: Assets classification and control SEP/2002

ASSETS CLASSIFICATION AND CONTROL

5.1 Accountability for assets
Objective: To maintain appropriate protection of
organizational assets.
All major information assets should be accounted for and have
a nominated owner.
Accountability for assets helps ensure that adequate security
protection is maintained. Owners should be identified for
major assets and assigned responsibility for the maintenance
of appropriate security measures.

[Figure: owner – RESOURCE – classification – label]
Label:
• vital to business
• Top Secret data
Introduction EDP Audit 100

Page 50
RP/VU
CoP 5: Assets classification and control ... SEP/2002

ASSETS CLASSIFICATION AND CONTROL (cont.)

• Inventory of assets
• Each asset must have an owner
• Classification guidelines
• Classification labels

Classification table, one per quality aspect (Availability / Continuity,
Confidentiality / Exclusivity, Integrity):

Class          Description / objective
no criterion
desirable
important
essential

Introduction EDP Audit 101

RP/VU
Data classification SEP/2002

DATA CLASSIFICATION
One must classify all data, systems and equipment. Such classification may be
• Unclassified
public information (or information belonging to business partners, to be
protected as agreed with the owner)
• Internal Use Only
no real value outside the company. However, it is preferred not to distribute it
beyond the company’s premises and employees
• Confidential
only to be distributed to persons or groups with a need to know
• Secret
sensitive information about new products and marketing plans, only to be
distributed to authorized individuals
• Top Secret
highly sensitive information with specifications of future products and business
strategies, all copies must be registered

Introduction EDP Audit 102

Page 51
RP/VU
Mainframe access authorities SEP/2002

MAINFRAME ACCESS AUTHORITIES

The following RACF (IBM’s Resource Access Control Facility) access
authorities can be used (a level includes all above)
• NONE
• EXECUTE: the user may execute a program, but not copy it
• READ: can be executed and read/copied
• UPDATE: execute, read and write (but no scratch and no create)
• ALTER: execute, read, write, scratch, create and the authority to modify
the access list (adding, changing and removing authorities of
users/groups to this resource)

Subjects:            Access authority      Objects: Resources
“Entire world”       NONE                  data set
Group                EXECUTE               program
User                 READ
                     UPDATE
                     ALTER
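An added illustration (not RACF code and not part of these slides) of how the hierarchical authorities combine with the three kinds of subject. The decision below takes an explicit user entry first, otherwise the highest authority among the user's groups, otherwise the universal access assigned to the "entire world"; that ordering is the rule used for this example, not a description of every RACF option. Profile, user and group names are constructed.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Iterable


class Authority(IntEnum):
    """RACF-style access authorities; a higher level includes all lower ones."""
    NONE = 0
    EXECUTE = 1   # run a program, but not copy it
    READ = 2      # execute and read/copy
    UPDATE = 3    # execute, read and write (no scratch, no create)
    ALTER = 4     # everything, plus maintaining the access list itself


@dataclass
class Profile:
    """Protection profile of one resource (a data set or a program)."""
    name: str
    uacc: Authority = Authority.NONE                             # universal access: the "entire world"
    users: Dict[str, Authority] = field(default_factory=dict)   # per-user entries
    groups: Dict[str, Authority] = field(default_factory=dict)  # per-group entries


def effective_authority(profile: Profile, user: str, user_groups: Iterable[str]) -> Authority:
    """Most specific subject wins: user entry, then the user's groups, then UACC.

    An explicit user entry is decisive even when it is lower than a group
    entry; that is how one user can be restricted within a privileged group.
    """
    if user in profile.users:
        return profile.users[user]
    group_levels = [profile.groups[g] for g in user_groups if g in profile.groups]
    if group_levels:
        return max(group_levels)
    return profile.uacc


def is_allowed(profile: Profile, user: str, user_groups: Iterable[str],
               requested: Authority) -> bool:
    """Grant when the effective authority is at least the requested level."""
    return effective_authority(profile, user, user_groups) >= requested


def audit_line(profile: Profile, user: str, user_groups: Iterable[str],
               requested: Authority) -> str:
    """One line in the form an auditor wants to find in the access log."""
    eff = effective_authority(profile, user, user_groups)
    verdict = "GRANTED" if eff >= requested else "DENIED"
    return f"{verdict} {user} requested {requested.name} on {profile.name} (effective: {eff.name})"


# Constructed sample profiles (hypothetical names).
PAYROLL_DATA = Profile(
    name="PAYROLL.MASTER",
    uacc=Authority.NONE,
    groups={"PAYROLL": Authority.UPDATE, "AUDIT": Authority.READ},
    users={"TEMP01": Authority.READ},   # temp in the PAYROLL group, held to read-only
)
PAYRUN_PROGRAM = Profile(name="PAYRUN.LOAD", uacc=Authority.EXECUTE)  # world may run, not copy

if __name__ == "__main__":
    print(audit_line(PAYROLL_DATA, "ANNA", {"PAYROLL"}, Authority.UPDATE))
    print(audit_line(PAYROLL_DATA, "TEMP01", {"PAYROLL"}, Authority.UPDATE))
    print(audit_line(PAYRUN_PROGRAM, "GUEST", set(), Authority.READ))
```

The `PAYRUN.LOAD` profile shows the point of the EXECUTE level: with UACC EXECUTE everyone can run the program, while a READ request (which would allow copying it) is refused.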

Introduction EDP Audit 103

RP/VU
CoP 5.2 Information classification SEP/2002

CoP 5.2 Information classification

Objective: To ensure that information assets receive an appropriate level of
protection.

• Security classifications should be used to indicate the need and priorities
for security protection.
• Information has varying degrees of sensitivity and criticality. Some items
may require an additional level of security protection or special handling.
A security classification system should be used to define an appropriate set
of security protection levels, and to communicate the need for special
handling measures to users.
• NOTE: There is not yet an accepted standard for classification labels
between organizations. Care should be taken in interpreting classification
labels from other organizations that may have different definitions for the
same, or a similar sounding, label.

Introduction EDP Audit 104

Page 52
RP/VU
CoP 6 – personnel security SEP/2002

CoP 6
Personnel security

Introduction EDP Audit 105

RP/VU
CoP 6: Personnel security SEP/2002

PERSONNEL SECURITY
6.1 Security in job definition and resourcing
Objective: To reduce the risks of human error, theft, fraud or
misuse of facilities.
Security should be addressed at the recruitment stage,
included in job descriptions and contracts, and monitored
during an individual’s employment.
Managers should ensure that job descriptions address all
relevant security responsibilities. Potential recruits should
be adequately screened, especially for sensitive jobs. All
employees and third party users of IT facilities should sign a
confidentiality (non-disclosure) agreement.

Introduction EDP Audit 106

Page 53
RP/VU
CoP 6: Personnel security ... SEP/2002

PERSONNEL SECURITY (cont.)


• Security in job descriptions / terms and conditions of employment
• Recruitment screening
– references, check of c.v., confirmation of qualifications,
identity check, credit check
• Confidentiality agreement
• User education and training
• Responding to incidents
– reporting of security incidents
– reporting of security weaknesses
– reporting of software malfunctions
– disciplinary process

Introduction EDP Audit 107

RP/VU
CoP 7 – Physical and environmental security SEP/2002

CoP 7
Physical and environmental security

Introduction EDP Audit 108

Page 54
RP/VU
CoP 7: Physical and environmental security SEP/2002

PHYSICAL AND ENVIRONMENTAL SECURITY


7.1 Secure areas
Objective: To prevent unauthorized access, damage and
interference to IT services.
IT facilities supporting critical or sensitive business activities
should be housed in secure areas, protected by a defined
security perimeter, with appropriate security barriers and
entry controls.
They should be physically protected from unauthorized access,
damage and interference.
A clear desk policy is recommended to reduce the risk of
unauthorized access or damage to papers and media.

Introduction EDP Audit 109

RP/VU
CoP 7: Physical and environmental security ... SEP/2002

PHYSICAL AND ENVIRONMENTAL SECURITY

• Physical security perimeter
– buildings and/or campus
– physical barriers / procedures
» badges, card keys
» registration and supervision of visitors
• Physical entry controls
– data centers, computer rooms “raised floor”
– clear desk policy
• Equipment security
– due care (“goed huisvaderschap”)
– including equipment used off-site and home working

[Figure: nested zones, from outside to inside: Non-company Space > Company
Public Space > Company Internal Space > Controlled Access (1) Area (office room,
locked when unattended) > Controlled Access (2) Area > Isolated Area]

Introduction EDP Audit 110

Page 55
RP/VU
CoP 8 – Communications and operations management SEP/2002

CoP 8
Communications and operations management

Introduction EDP Audit 111

RP/VU
CoP 8: Communications and operations management SEP/2002

COMMUNICATIONS AND OPERATIONS MANAGEMENT


8.1 Operational procedures and responsibilities
Objective: To ensure the correct and secure operation of
information processing facilities.
Responsibilities and procedures for the management and
operation of all computers and networks should be established.
This should be supported by appropriate operating instructions
and incident response procedures.
The principle of segregation of duties should be applied, where
appropriate, to reduce the risk of negligent or deliberate system
misuse.

Introduction EDP Audit 112

Page 56
RP/VU
CoP 8: Communications and operations management ... SEP/2002

COMMUNICATIONS AND OPERATIONS MANAGEMENT (cont.)

• Documented operating, development and control
• Capacity planning, system acceptance
• Contingency
• Change management
(the items above: partly ITIL)
• Backups, operator logs, airco
• Virus controls – malicious software
• Network security
• Protection of removable media – also at disposal

Introduction EDP Audit 113

RP/VU
CoP 9 – Access control SEP/2002

CoP 9
Access control

Introduction EDP Audit 114

Page 57
RP/VU
CoP 9: Access control SEP/2002

ACCESS CONTROL
9.1 Business requirement for access control
Objective: To control access to information.
Access to information and business processes should be
controlled on the basis of business and security
requirements.
This should take account of policies for information
dissemination and authorization.
• User registration
• User password management
• Access control for work stations, network, services and
applications
• Monitoring system access and use

Introduction EDP Audit 115

RP/VU
CoP 10 – System development and maintenance SEP/2002

CoP 10
System development and maintenance

Introduction EDP Audit 116

Page 58
RP/VU
CoP 10: Systems development and maintenance SEP/2002

SYSTEMS DEVELOPMENT AND MAINTENANCE


10.1 Security requirements of systems
Objective: To ensure that security is built into IT systems.
Security requirements should be identified and agreed prior to
the development of IT systems.
Security countermeasures are substantially cheaper and more
effective if incorporated in application systems at the
requirements specification and design stages. All security
requirements, including the need for fallback processing,
should be identified at the requirements phase of a project
and justified, agreed and documented as part of the overall
business case for an information system.

Introduction EDP Audit 117

RP/VU
CoP 10: Systems development and maintenance ... SEP/2002

SYSTEMS DEVELOPMENT AND MAINTENANCE (cont.)


• Security requirements analysis and specification
• Input data validation
• Data encryption
• Message authentication
• Change management
• Technical review of operating system changes
• Output validation, digital signatures, non-repudiation, key
management, covert channels and Trojan code
• Cryptographic techniques

Introduction EDP Audit 118

Page 59
RP/VU
CoP 11 – Business continuity planning SEP/2002

CoP 11
Business continuity planning

Introduction EDP Audit 119

RP/VU
CoP 11: Business continuity planning SEP/2002

BUSINESS CONTINUITY PLANNING


11.1 Aspects of business continuity planning
Objective: To counteract interruptions to business activities.
Business continuity plans should be available to protect critical
business processes from the effects of major failures or
disasters.
There should be a process to develop and maintain appropriate
plans for the timely restoration of critical business processes
and services in the event of serious business interruptions.
Business continuity planning should include measures to
identify and reduce risks, limit the consequences of damaging
incidents, and ensure timely resumption of essential
operations.

Introduction EDP Audit 120

Page 60
RP/VU
CoP 12 SEP/2002

CoP 12
Compliance

Introduction EDP Audit 121

RP/VU
CoP 12: Compliance SEP/2002

COMPLIANCE
12.1 Compliance with legal requirements
Objective: To avoid breaches of any statutory, criminal or civil
obligations and of any security requirements.
The design, operation and use of IT systems may be subject to
statutory and contractual security requirements.
All relevant statutory and contractual requirements should be
explicitly defined and documented for each IT system. The
specific controls, countermeasures and individual
responsibilities to meet these requirements should be similarly
defined and documented.
Advice on specific legal requirements should be sought from the
organization’s legal advisers.
NOTE: Legislative requirements vary from country to country.

Introduction EDP Audit 122

Page 61
RP/VU
CoP 12: Compliance ... SEP/2002

COMPLIANCE
• Compliance with legal and contractual requirements
– illegal copies / copyright
– confidential data
– privacy laws
– misuse
– “wet computercriminaliteit”
• Compliance with security policy
• Technical compliance checking
• Collection of evidence

Introduction EDP Audit 123

RP/VU
RISK ASSESSMENT SEP/2002

RISK ASSESSMENT
• Risks
• Residual risks
• Damage types
• Balance between risks and measures

Introduction EDP Audit 124

Page 62
RP/VU
Risk assessment SEP/2002

RISK ASSESSMENT

THREATS RELATED TO IT
• probability of occurrence
• damage (direct + indirect)

BUSINESS PROCESS
• primary process
• secondary / support

IT (incl. voice, energy etc.)
• technical and organisational infrastructure
• information systems
Related: reliability, availability, fallback, emergency procedures, etc.

OTHER THREATS

Introduction EDP Audit 125

RP/VU
Risk assessment ... SEP/2002

RISK ASSESSMENT

Identify:       THREAT (something which may happen, e.g., a power down)
Assess:         RISK (probability of occurrence) – depends upon actual measures
                DAMAGE (direct + indirect costs of incident/catastrophe) $
Your advice:    ADDITIONAL MEASURES (preventive, detective, corrective)

RESIDUAL RISKS ( “REST RISICO’S” )

Introduction EDP Audit 126

Page 63
RP/VU
Residual risks SEP/2002

How to deal with residual risks?


• Residual risk is the level of risk that remains if the identified controls
operate as intended
• It is normal for any process to contain some level of residual risk. (Note:
Organisations are rewarded for taking risk and the reward is in
proportion to the risk level accepted)
• Some controls can be very effective and mitigate specific risks by
themselves, whilst in other circumstances a set of controls can only
partly mitigate a threat
• There is no simple arithmetic approach to assess the effectiveness of
individual controls. You have to use experience and professional
judgment to assess the level of residual risk
• Consideration must be given as to whether the cost of operation of
additional controls does not exceed the cost of the risk occurring

Introduction EDP Audit 127

RP/VU
Risk analysis SEP/2002

RISK ANALYSIS
• Used to set priorities and to prepare backup or fallback plans

Compute per incident type: PROBABILITY x COSTS OF INCIDENT

RISK PROBABILITIES (some examples):
• Airplane crashing on computing center: never occurred in NL
• Bomb explosion in computing center (by terrorists): 1 incident/annum/country
• (Part of) Building destroyed due to accident or mistake of construction workers: 1 to
3 incidents/annum/country
• etc. etc.
• Water damage or leakage: 1 to 3 incidents/annum/center

COSTS OF INCIDENT:
• Loss of entire IT → replacement value + costs of loss N weeks production
• etc.

Introduction EDP Audit 128

Page 64
RP/VU
Risk assessment (computation) SEP/2002

RISK ASSESSMENT
• Identify relevant incident types: e.g., power down, destruction of servers, fire etc.
• Assess per incident type the probability (# per annum, or High, Medium, Low) and
damage (direct + indirect)
• Compute:
                           # incident types
    Damage expectation =        Σ         Pr(incident type n) × damage(incident type n)
                               n=1
• Computed per incident: used to set priorities for selecting measures
• Perform the entire computation for
– no measures
– the current set of measures
– alternative sets of current plus additional measures
• Purpose: find a cost effective mix of measures, reducing the damage
expectation to a level acceptable to line management

Introduction EDP Audit 129

RP/VU
Incident types SEP/2002

IT INCIDENT TYPES
• Internal network down
• External network down
• System failure large servers (hardware, operating system,
subsystems, operations)
• System failure servers
• System failure workstations
• Critical information system failure (application, operations, usage)
• Important information system failure
• Useful information system failure
• Unauthorized usage, abuse
• Disclosure of highly classified data
• Disclosure of classified data
• Contamination with harmful code
• Denial of access

OTHER INCIDENT TYPES
• Electricity outage (short, medium, long period)
• Air conditioning failure
• Water flood
• Fire (minor, major, catastrophic)
• Explosion
• Loss of building
• Loss of personnel
• Strike
• Sabotage (internal, external)
• Theft
• Vandalism

Introduction EDP Audit 130

Page 65
RP/VU
Probability of electricity outage SEP/2002

EXAMPLE: PROBABILITY OF ELECTRICITY OUTAGE

Pr average = 20 minutes / annum in Netherlands
[Figure: probability Pr against outage duration t, and its approximation in three classes]

Approximation:
Long power down: long down due to severe incident (e.g., power plants down)
or combined incidents
• 1 < t < 3 days
• 0.01 / annum
Medium period power down: medium period down due to damage to single point of
failure (e.g., fire in switch station)
• 30 minutes < t < 1 day
• 0.1 / annum
Short power down: short down due to local incident (e.g., fuses or cable)
• t ≤ 30 minutes
• 1 / annum
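The damage-expectation computation of the risk assessment slides, run over the three electricity-outage classes above plus one further incident type, as an added worked example (not the course's own tool). The outage frequencies (1, 0.1 and 0.01 per annum) are the slide's; every cost figure, the fire frequency and the effect attributed to each measure are constructed for the illustration. The example also carries out the "no measures / current measures / alternative sets" comparison, distinguishes preventive measures (which scale the probability) from detective and corrective ones (which scale the damage), and picks the cheapest mix whose damage expectation line management can accept.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IncidentType:
    name: str
    probability: float   # expected occurrences per annum
    damage: float        # direct + indirect cost per occurrence (constructed, EUR)


@dataclass(frozen=True)
class Measure:
    """A control. Preventive measures scale the probability of an incident type;
    detective/corrective measures scale its damage. A factor of 1.0 means no effect."""
    name: str
    annual_cost: float
    probability_factor: Dict[str, float] = field(default_factory=dict)
    damage_factor: Dict[str, float] = field(default_factory=dict)


def apply_measures(incidents: List[IncidentType], measures: List[Measure]) -> List[IncidentType]:
    """Incident types as they look with the given set of measures in operation."""
    result = []
    for inc in incidents:
        p, d = inc.probability, inc.damage
        for m in measures:
            p *= m.probability_factor.get(inc.name, 1.0)
            d *= m.damage_factor.get(inc.name, 1.0)
        result.append(IncidentType(inc.name, p, d))
    return result


def damage_expectation(incidents: List[IncidentType]) -> float:
    """Sum over incident types of Pr(incident type) * damage(incident type)."""
    return sum(i.probability * i.damage for i in incidents)


def priorities(incidents: List[IncidentType]) -> List[Tuple[str, float]]:
    """Per-incident damage expectation, highest first: used to set priorities."""
    return sorted(((i.name, i.probability * i.damage) for i in incidents),
                  key=lambda item: item[1], reverse=True)


def cheapest_acceptable(incidents: List[IncidentType], alternatives: Dict[str, List[Measure]],
                        acceptable: float) -> Optional[Tuple[str, float, float]]:
    """Among the alternative measure sets, the one with the lowest total annual cost
    (damage expectation + cost of the measures) whose damage expectation stays at
    or below the acceptable level. Returns (name, total cost, damage expectation)."""
    best = None
    for name, measures in alternatives.items():
        expectation = damage_expectation(apply_measures(incidents, measures))
        if expectation > acceptable:
            continue
        total = expectation + sum(m.annual_cost for m in measures)
        if best is None or total < best[1]:
            best = (name, total, expectation)
    return best


# Constructed sample input: outage frequencies from the slide, all cost figures,
# the fire frequency and the measure effects made up for the illustration.
INCIDENTS = [
    IncidentType("short power down", 1.0, 5_000),
    IncidentType("medium power down", 0.1, 100_000),
    IncidentType("long power down", 0.01, 2_000_000),
    IncidentType("fire", 0.005, 5_000_000),
]
UPS = Measure("UPS", 8_000, probability_factor={"short power down": 0.05},
              damage_factor={"medium power down": 0.5})       # bridges short dips, allows safe shutdown
GENERATOR = Measure("generator", 30_000,
                    probability_factor={"medium power down": 0.1, "long power down": 0.5})
FALLBACK = Measure("fallback site", 40_000,
                   damage_factor={"long power down": 0.2, "fire": 0.3})  # corrective: limits the damage
ALTERNATIVES = {
    "no measures": [],
    "current (UPS)": [UPS],
    "UPS + generator": [UPS, GENERATOR],
    "UPS + fallback site": [UPS, FALLBACK],
    "UPS + generator + fallback site": [UPS, GENERATOR, FALLBACK],
}

if __name__ == "__main__":
    for name, measures in ALTERNATIVES.items():
        de = damage_expectation(apply_measures(INCIDENTS, measures))
        print(f"{name:32s} damage expectation {de:>10,.0f} / annum")
    print("priorities without measures:", priorities(INCIDENTS))
    print("cheapest acceptable at 20,000 / annum:", cheapest_acceptable(INCIDENTS, ALTERNATIVES, 20_000))
```

With these figures the generator lowers the damage expectation, but its annual cost exceeds what it saves once a fallback site is in place, so the cheapest acceptable mix at a 20,000/annum ceiling is UPS plus fallback site; that is the "balance" the following slides ask for, made explicit per alternative.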
Introduction EDP Audit 131

RP/VU
Damage types SEP/2002

DAMAGE TYPES
Five types of consequences of an incident
• Delay the primary business process
– no production and no output
• Destroy assets
– e.g., deterioration of food and materials
• Disturb the primary business process
– less output
• Time related damage
– e.g., salaries of inactive staff, claims and fines due to legal obligations
etc.
• Non-time related damage
– publicity, loss of image

Introduction EDP Audit 132

Page 66
RP/VU
Minimize the damage expected SEP/2002

MINIMIZE THE DAMAGE EXPECTED

Reduce the probability of an incident
– Preventive controls
– Locate the buildings in a secure environment (far from airports etc.)
– Physical security of the site, guards
– Safe construction (no water pipes above the computers etc.)
– Alternative power supply
– etc. etc.
AND/OR
Reduce the costs of an incident
– Detective controls (detect a problem as soon as possible)
– Backup systems / disks / data communication / etc.
– Disaster fallback site
– Recovery plans (incl. manual procedures to continue the business)
– etc. etc.

Introduction EDP Audit 133

BALANCE
Objective: avoid both overkill in measures (too expensive) and risks that are too high

There must be a balance between:
• Importance of the information systems
  – How dependent is the business on this information system (type A/B/C)?
  – What are the costs (direct + indirect) if it is down?
• Value of the data (data classification, privacy aspects, confidentiality etc.)
• Value of the equipment (replacement costs)
AND
• The costs of security and availability measures

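The four slides above (outage probabilities, damage types, preventive versus detective controls, balance) worked through in code, as an added example that is not part of the lecture. The outage frequencies and duration bands are taken from the slide; every cost figure and every candidate control is constructed for illustration, and the brute-force search over control sets shows where "no controls", "overkill" and the balanced choice end up.

```python
"""Expected annual damage from power outages and the cost/benefit balance.

Added example (not from the lecture). Expected annual damage is the sum over
outage classes of  frequency x (duration x hourly damage + fixed damage).
Preventive controls scale the frequency, detective/recovery controls scale
the duration; the balanced choice minimises measures plus remaining damage."""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Outage:
    name: str
    per_annum: float     # expected incidents per year (from the slide)
    hours: float         # representative duration inside the slide's band
    fixed_damage: float  # non-time-related: destroyed assets, publicity, ...


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    freq_factor: float = 1.0   # preventive control: scales incident probability
    hours_factor: float = 1.0  # detective/recovery control: scales duration


# Frequencies (1, 0.1, 0.01 per annum) and duration bands from the slide;
# the damage amounts are constructed.
OUTAGES = (
    Outage("short (t <= 30 min: fuses, cable)", 1.0, 0.5, 1_000.0),
    Outage("medium (30 min < t < 1 day: switch station)", 0.1, 8.0, 20_000.0),
    Outage("long (1 < t < 3 days: power plants)", 0.01, 48.0, 250_000.0),
)
HOURLY_DAMAGE = 50_000.0  # time-related damage: idle staff, lost output, fines

# Constructed candidate measures; the 'bunker' is deliberately overkill.
CONTROLS = (
    Control("alternative power supply (UPS + generator)", 30_000.0, freq_factor=0.05),
    Control("monitoring and on-call recovery", 10_000.0, hours_factor=0.8),
    Control("disaster fallback site", 100_000.0, hours_factor=0.25),
    Control("hardened bunker far from any hazard", 1_000_000.0, freq_factor=0.01),
)


def expected_damage(outages=OUTAGES, controls=(), hourly=HOURLY_DAMAGE):
    """Expected annual damage with the given controls in place."""
    total = 0.0
    for o in outages:
        freq, hours = o.per_annum, o.hours
        for c in controls:
            freq *= c.freq_factor
            hours *= c.hours_factor
        total += freq * (hours * hourly + o.fixed_damage)
    return total


def total_cost(controls, outages=OUTAGES, hourly=HOURLY_DAMAGE):
    """Cost of the measures plus the damage still expected with them."""
    measures = sum(c.annual_cost for c in controls)
    return measures + expected_damage(outages, controls, hourly)


def best_control_set(candidates=CONTROLS, outages=OUTAGES, hourly=HOURLY_DAMAGE):
    """Brute-force the subset of controls with the lowest total annual cost.

    Returns (names, total); comparing it with total_cost(()) (no controls)
    and with the bunker alone shows both ends of the balance."""
    best = None
    for n in range(len(candidates) + 1):
        for subset in combinations(candidates, n):
            cost = total_cost(subset, outages, hourly)
            if best is None or cost < best[1]:
                best = (tuple(c.name for c in subset), cost)
    return best


if __name__ == "__main__":
    print(f"no controls: expected damage {expected_damage():>12,.0f} per annum")
    for c in CONTROLS:
        print(f"{c.name:<45} total {total_cost((c,)):>12,.0f}")
    names, cost = best_control_set()
    print("balanced choice:", names, f"total {cost:,.0f}")
```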
EVOLUTION IN CONTROL AND SECURITY
• 1970s: glasshouse ("closed shop")
• 1980s: networks (accessible by the entire world)
• 1990s: downsizing and head-count reduction

Chart: level of control & security from 1970 to 2000, the 'real' level plotted against the 'required' level. Where the real level exceeds what is required there is overkill (costs too high); where it falls short there are incidents (risks too high).

HACKTIC: MAGAZINE FOR TECHNO-ANARCHISTS ("tijdschrift voor techno-anarchisten")
www.klaphek.nl

HACKTIC 1989, NR 2
Hacktic 89-2
• Car telephone network 1 hacked
• Free calls from phone booths
• AKZO hacked
• Telephone fraud too easy
• UNIX hacking course
• List of speed-check locations

HACKTIC 1989, NR 5/6
Hacktic 89-5/6
• UNISYS hacked
• Galactic Hacker Party
• VMS hacking course, part II
• Free numbers "scanned"

HACKTIC 1990, NR 11/12
Hacktic 90-11/12
• Computer crime bill
• Prosecution of hackers in the USA
• We copy your magnetic card
• Word Perfect 5 locked file decoder
• Cheating on slot machines
• etc.

HACKTIC 1993, NR 20/21
Hacktic 93-20/21
• International summer congress at a campsite in the Flevopolder (August 1993)

Banner: "Hackers at Large", HAL 2001, 10 – 12 August 2001, campus of the University of Twente (use your own tent and computer), www.hal2001.nl

HACKTIC 1992, NR 18/19
Justice and the BVD (Dutch security service)
• Quote from page 3: 10 to 15 people working on hacking
• Digital crime
• Editor-in-chief held in a cell for 38 days and released again
• "Vrije nieuwsgaring" (free news gathering)

CENTRAL VERSUS DECENTRAL IT
• Mainframes
• Midrange systems
• Personal systems: 'CHAOS'

EXAMPLE: PORTABLE STORAGE MEDIA
Data is moved from the well-protected mainframe environment to the distributed environment
Example: Valente case
Question: How can we protect data on portable media?

SECURITY LAYERS
• Security topology
• E&Y: Logical access path analysis
• Identification and authentication

SECURITY TOPOLOGY
Layers from the end-user inwards to the data:
• END-USER (nowadays a part of the data is stored here)
• NETWORK SECURITY (userid, password: control path)
• SERVICE SECURITY (userid, password: control access)
• APPLICATION SECURITY (additional verification)
• Physical security of the computing center: COMPUTING CENTER STAFF and DATA

TOPOLOGY OF SECURITY LAYERS
End user
• Layers whose measures depend upon the security objectives and the enterprise's security strategy:
  – Network security
  – Security in system/service ('frontdoor')
  – Security in application
• Trusted Computing Base (TCB, certified using US Department of Defense standards):
  – Access control
  – Operating systems
  – Hardware
• Physical security of the computing center; computing center staff
DATA
Note: The security measures in the network, services and applications may use the 'Access Control' in the TCB. Although this access control mechanism may have been classified in accordance with the US DoD standards, the actual security depends upon how the security facilities are used.

SECURITY LAYERS
• Security-objective dependent layers:
  – Network security: NETVIEW/Access Services, connectivity, sessions
  – Security in the service: Time Sharing Option (TSO), Customer Information Control System (CICS), Information Management System (IMS), logon, authorization, resources
  – Application security: functions, transactions, records, data items, programmed controls
• Trusted Computing Base (TCB) layers:
  – Access control: Resource Access Control Facility (RACF), supports the above three layers, protects resources etc.
  – Operating system: Multiple Virtual Storage (OS/390), UNIX, OS/400, Windows 95, software foundation for security and integrity
  – Equipment: hardware foundation
  TCB classified by the USA DoD Orange Book:
  – C1 - discretionary security protection
  – C2 - controlled access protection (RACF up to 1.8)
  – B1 - mandatory labeled security protection (RACF 1.9 and higher)
• Physical security of equipment and staff

MEY: LOGICAL ACCESS PATH ANALYSIS
Ernst & Young "A practical approach to logical access control" (1993)

Diagram: the logical access path from an interactive user or a batch job down to the data:
  Data communication software
  Transaction software
  Application software
  Data access method
  Operating system (and hardware)
  DATA
An access control product runs alongside all of these layers.

MEY: LOGICAL ACCESS PATH ANALYSIS ...
• Layer 1: Data communication software
  – controls the data communication network connected to the computer
  – operates at the level of terminals or port addresses
  – transports data between network components
• Layer 2: Transaction software
  – allows application software to be run by users
  – divides the available processing time among active users and programs
• Layer 3: Application software
  – provides functionality to the business (contains programmed controls)
• Layer 4: Data access method
  – links to the real data
• Access control product
  – provides for identification, authentication, authorisation and logging
• Operating system
  – has interfaces to and supports all of the above

IDENTIFICATION AND AUTHENTICATION (NORM)
• User identification codes (USERIDs) must be traceable to the individual to whom they have been assigned (exception: if prohibited by law, such as in Italy, or limited by industrial relations agreements, such as in Germany)
• Before granting access to a service, identification must be verified through authentication. Ask the user for, e.g.:
  – something he/she knows ("kenniskenmerk"): name, account number, password etc. Alternative: a dialog with an expert system using pre-specified user-related information such as the name of the eldest son, granny's birthday etc., randomly selecting questions
  – something he/she has ("bezitskenmerk"): badge, plastic card, key
  – something he/she is, personal characteristics ("biometrisch"): fingerprint, voiceprint, hand size, signature movements, iris scan etc.

Note: All authentication methods have inherent weaknesses. However, a mechanism with a minor weakness provides more security than no mechanism.

AVAILABILITY
Definition (CoP): Ensuring that information and vital services are available to the business processes when required

Objects:
• Security policy and organisation
• Assets classification and control
• Personnel security
• Physical, environmental and logical security
• Business continuity planning

THREATS TO CONTINUITY OF IT PROCESSING
Acts of God
• hurricane
• flood
• avalanche
• etc.
Technical catastrophes
• airplane crash
• destruction of building
• water
• power failure
• etc.
Human interference
• acts of war
• terrorism
• blackmail and theft
• human mistake and intentional interruption
• etc.

IMPORTANCE FOR THE BUSINESS
Before selecting or advising any measures, determine how important the availability of the information system is for the business
• Type A: critical
  – The costs of measures are hardly relevant, since the impact of a system down may be severe for the business. So management has to invest in continuity
• Type B: important
  – If a large number of users or an important process are handicapped by a system down, one has to balance the costs of measures against the costs of the waiting users and/or the interrupted business process
• Type C: useful
  – If there is a simple workaround, such as for a lost or damaged personal workstation, one should not spend a lot of money on continuity

INFORMATION SYSTEM TYPES
• How dependent is the business on continuity of a specific information system?
• What are the costs if the system is down?

TYPE A systems; keyword: critical to the business (NORM)
• Removal from service for any significant period of time cannot be tolerated (hours)
• Examples: medical information, electronic patient files
TYPE B systems; keyword: important to the business (NORM)
• Removal from service for an extended period of time cannot be tolerated (days)
• Examples: invoicing, payroll, general ledger, e-mail
TYPE C systems; keyword: useful service (NORM)
• Removal from service for an extended period of time can be tolerated
• Examples: workstations

INFORMATION SYSTEM TYPES
DECISION BASED UPON CONTINUITY REQUIREMENTS!

Chart: information system types positioned by business function (non-critical to critical) against dependency on IT (low to high): Type A: critical; Type B: important; Type C: useful.
(The vast majority of systems is type C.)

INFORMATION SYSTEM TYPES
• The system owner must categorize an information system as either type A, B or C
• The number of type A systems will be (very) limited
• Top management: pay attention primarily to type A (and B) systems
• (At IBM, suggested rule of thumb: if the system is categorized as type C, it must be possible to demonstrate the correctness of this decision by shutting down the system for some time)
CoP 5.2 Information classification
• Objective: To ensure that information assets receive an appropriate level of protection. (Note: this must also apply to information systems)
• Security classifications should be used to indicate the need and priorities for security protection.
• Information has varying degrees of sensitivity and criticality. A security classification system should be used to define an appropriate set of security protection levels, and to communicate the need for special handling measures to users.

INFORMATION SYSTEM TYPES: INDUSTRY EXAMPLE
DECISION BASED UPON CONTINUITY REQUIREMENTS!

Chart: industry example with systems positioned by business function (non-critical to critical) against dependency on IT (low to high) and assigned to Type A, B or C: production, planning, order entry, payroll, invoicing, e-mail, general ledger, text processing, executive information system.

CONTINUITY OF THE BUSINESS
• Statistics (e.g. from DTI, Loughborough University and IBM)
  – 70% of companies suffering severe computer disruption are out of business within 18 months (especially smaller companies)
• The vital question of backups is not 'How?' or 'Why?' but 'Yes or no?'
• Approach:
  – Involve management of user organisations and make them aware of the risks
  – Assess the business impact of a system's disruption (e.g. type A/B/C)
  – Prioritize the implementation of measures (start with type A, then B etc.)
  – Note: Some backup is better than no backup
  – Automate the backup programme (eliminate sloppiness by users)
  – Mission-critical data must be copied to off-site storage and secured there against misuse (e.g. by physical access control or encryption)
  – Test the effectiveness of the programme periodically, including restore

MARKET SURVEY ON DISASTER RECOVERY (COMDISCO 1993)
• Research in the USA
• 'Vulnerability index' scale 0 - 100 (with 100 as the most vulnerable)
  – Data centers (mainframes): average index of 46
  – LANs: average of 75
  – 42% of organisations with LANs: score of 100 (total vulnerability in case of disaster)
• Only some 60% of the organisations had a formal recovery plan for large systems
• Less than 30% had a plan for LANs outside the data center
• During the survey, 20% of the LANs supported mission-critical data, going up to over 50% nowadays
• Advice: Implement backup and disaster recovery plans and measures

Chart: vulnerability (0% - 100%) of mainframes versus LANs.
Source: Computer Fraud & Security Bulletin (April 1993), survey by Comdisco Disaster Recovery Inc

UK 1995 SURVEY
Contingency plans of 421 UK organisations:
• Tested viable plan: 22%
• Untested plans: 20%
• Doubtful plans: 15%
• No plans: 43%
Source: Computer Audit Update (July 1995), Business continuity planning, by Keith Hearnden, Loughborough Univ.

COMMUNICATING COMPUTER POLICIES AND PROCEDURES
How policies and procedures are conveyed to employees (percentages as in the bar chart, grouped by effectiveness rating):
Good / very effective
• 23% Personal memo to all employees
• 18% Personal memo to registered users
• 18% Compulsory training
• 28% Formal introduction training
• 33% Included in staff handbook
Average / fairly effective
• 22% Personal memo to dept. heads
• 21% News sheets to registered users
• 16% News sheets to dept. heads
• 35% Optional training
• 25% Electronic mail
Poor / ineffective
• 9% News sheets available on request
• 45% Word of mouth
• 30% User initiative in finding out
Disastrous
• 16% No formal policies or procedures
Source: Computer Audit Update (May 1995)

BASELINE CONTROLS: DO SOMETHING
• For many threats, a surprisingly large number of organizations have hardly any controls (point A)
• Adding a few controls (point B) significantly reduces the level of exposure

Note: The first set of additional controls requires a minor investment, but substantially raises the level of continuity and security. Creating Fort Knox is not required. An EDP auditor must set priorities (and consider 'quick wins').

Chart: level of exposure / vulnerability (uncontrolled risks) against the number of controls, dropping steeply from point A (hardly any controls) to point B (a few controls).
Source: Computer Fraud & Security Bulletin (Oct 1993), The easy approach to information security, by Charles Cresson Wood

EFFECTIVENESS & EFFICIENCY
Definition
Effectiveness: doing the right things
Efficiency: doing the things right (at the lowest costs)

Objects:
• Information services and systems
• IT resources
• IT organisation

STRATEGY AND MANAGEMENT
Strategy / policy:
• Information (architecture, applications etc.)
• IT organisation (size, skills, tasks etc.)
• Resources (tools, costs/benefits, packages etc.)
• Infrastructure (mainframes, network etc.)
Management:
• Implement and support the services
• Center of excellence
• IT management
• Exploitation
Who decides? Who acts? Who is responsible? Who is called to account? And, very important, how?
Note: Each subject can be handled centrally or decentrally

CENTRALIZED VERSUS DECENTRALIZED IT CONTROL
DECENTRAL / CENTRAL BUSINESS AFFECTS WAY OF CONTROL

Chart: control of IT moving over time between fully centralized IT control and fully decentralized IT control.
Note: IT control applies to networks, mainframes, midrange and decentral systems

FLEXIBILITY OR SYNERGY?
Decide whether IT services must be flexible or synergetic
Flexibility:
• Decentral control
• Differentiation of strategy
• Market covered via niches
• Flexibility in business is important
• Usually product oriented
• Overlap in activities
• Often insurance companies
• IT skills distributed over the organisation
Synergy:
• Central control
• Economy of scale: synergy is an important goal
• Agreements on products and markets
• Usually transaction oriented
• Many banks
• Use scarce IT skills

WHAT IS THE BEST BALANCE FOR YOU?
Options positioned between Flexibility and Synergy:
• Common computing center
• Common system development
• Common IT strategy
• Common architecture (which scope?)
• Central IT organisation
• Uniform IT infrastructure
Alternatives and combinations are possible, each with advantages and disadvantages

WARNING: FUNCTIONALITY OF INFORMATION SYSTEMS
HOW IS THE FUNCTIONALITY USED?
• 7% intensively used
• 13% often used
• 16% sometimes used
• 19% rarely used
• 45% never used
Source: report "Chaos '98", Standish Group U.S., Computable, 30 October 1998

WARNING: COSTS OF DOWNSIZING
Costs per user per annum
• Investigation Xephon (1992)
• Costs per user / annum
  – central: $ N
  – midrange: $ 1.3 x N
  – LANs: $ 1.7 to 2.7 x N
Example:
• central: Dfl 15,000 / user / annum
• midrange: Dfl 20,000
• workstations/LANs: Dfl 25,000 to 40,000
Chart: costs per user per annum for mainframe, midrange and LANs.

COSTS OF DOWNSIZING ...
Costs of a personal system, going up to Dfl 36,000 per annum:
• user organisation
  – 33% informal support and service
  – 17% waste
• IT / service provider
  – 25% technical costs (HW, SW, NW)
  – 25% formal support and service
Source: Nolan Norton & Co.

AUDIT APPROACH
Objects:
• Types of audits / who is the principal
• Audit method
• "Normenstelsel" (set of norms)
• "Voorschrift Informatiebeveiliging Rijksoverheid (VIR)"

EDP AUDITOR WORKS FOR WHO?

Diagram (corporate governance, labelled in Dutch on the slide): supervision (Toezicht) by the shareholders (Aandeelhouders), the supervisory board (Raad van Commissarissen), the works council (Ondernemingsraad) and the external accountant; governing (Besturen) by the executive board (Raad van Bestuur) and management (Directie); monitoring (Bewaken) by the internal accountants, the controller and the internal EDP auditor; the business processes (IT supports the business processes and so contributes to their quality). The external EDP auditor supports the external accountant in the audit of the annual accounts (jaarrekeningcontrole); both the internal and the external EDP auditor carry out special engagements (bijzondere opdrachten) for the board and management; EDP audit can be outsourced.

WHO IS THE PRINCIPAL?

Diagram: customers and other third parties (e.g., DNB) at the top; management issues a Statement of Business Control; Financial Audit (external supervision) and Internal Audit, each supported by EDP audit; Business Control consisting of internal process control, technical control and ISO quality control.

TYPES OF AUDITS, E.G.
• Third Party Announcement / Review (TPA / TPR) ("Third Party Mededeling - TPM", SAS 70)
  – on request of customer(s) or the Financial Auditor
  – focus on systems and IT objects on which specific customer(s) depend
  – focus on all IT disciplines and covers a time period of, say, 3 or 12 months
  – advantage: no need for all customers to send their own auditors
• Computer Center Review ("general IT controls")
  – on request of management, Internal Audit or a third party (e.g., DNB)
  – entire IT environment of the computer center, except the applications
  – focus on all or selected IT disciplines (e.g., by 3-year audit cycle)
• Technical Audit (TA)
  – on request of customer, management or Internal Audit
  – in-depth audit of selected IT object(s)
• System Review (ISA)
  – on request of customer, Financial Auditor or a third party (e.g., DNB)
  – focus on applications, programmed controls and user procedures
  – focus on IT disciplines for applications

TYPES OF AUDITS ...

Diagram: the IT infrastructure as layers (Applications; Subsystems and tools; Platforms; Networks) next to the User organisation; the following slides mark the scope of each type of audit on these layers.

TYPES OF AUDITS: THIRD PARTY ANNOUNCEMENT / REVIEW

Scope of audit: the services used by the customer(s) requiring the TPA / TPM / TPR, i.e. the layers Subsystems and tools, Platforms and Networks. If the application is operated by the auditee, it may be part of the review.

TYPES OF AUDITS: COMPUTER CENTER REVIEW
COMPUTER CENTER REVIEW: Audit based upon an audit plan, e.g., covering a 3-year cycle (some components once per 3 years, others annually)

Diagram: the scope of audit covers the layers Subsystems and tools, Platforms and Networks (not the Applications); each component is marked with the year(s) in which it is audited (1999, 2000, 2001, or every year: 1999 / 2000 / 2001).

TYPES OF AUDITS: TECHNICAL AUDIT
TECHNICAL AUDIT: In-depth audit of selected IT object(s) by specialised technical auditors, selected relatively ad hoc or based upon a multi-year audit cycle

Diagram: separate 'scope of audit' boxes on individual objects in each layer (Applications, Subsystems and tools, Platforms, Networks).

APPLICATION EXPOSURE: HOME-BANKING SYSTEM
• EXAMPLE: 1986, test version of a home-banking system
• For each transaction a Transaction Authorization Number (TAN) was required
• A batch job was automatically submitted every afternoon at 17.00 to generate TAN lists to be mailed to the users
• The TAN was the result of a model list encrypted using the account number and a random factor, i.e. the time of day
• Due to the fixed time of automated job submission, the TAN list was predictable
  – hackers were hired to test the system, and succeeded within a few days by transferring 17,000 Dutch guilders from another user to their own accounts
  – the attack was published by newspapers
Cause: the algorithm was too simple; the designers focused on the function and paid insufficient attention to the operational procedures (and the inventiveness of fraudsters)
Advice: let independent skilled reviewers scrutinize your security mechanisms (e.g., via a penetration test by experienced EDP auditors)
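The flaw on this slide, modelled as an added example that is not the 1986 system's algorithm and not part of the lecture: a TAN list derived from the account number and a "random factor" that is really a fixed job time has no secret input, so the reviewer's check (generate twice, compare) exposes it; the hardened variant draws TANs from the operating system's CSPRNG and enforces single use. The SHA-256 derivation is a constructed stand-in for the original encryption step, and the account number is constructed.

```python
"""Predictable versus unpredictable TAN lists.

Added example (not from the lecture, not the 1986 system's code). The weak
generator reproduces the slide's flaw: its only inputs are the account number
and the time of day, and the batch job always ran at 17.00. The SHA-256 step
is a constructed stand-in for the original encryption."""
import hashlib
import hmac
import secrets

JOB_TIME = "17:00"   # fixed automated job submission time (from the slide)
LIST_LENGTH = 5
TAN_DIGITS = 6


def weak_tan_list(account_number: str, time_of_day: str = JOB_TIME) -> list[str]:
    """Deterministic derivation: same account number and job time -> same list.

    Both inputs are known to anyone who knows the account number and the
    operational schedule, so the 'random factor' protects nothing."""
    tans = []
    for index in range(LIST_LENGTH):
        material = f"{account_number}|{time_of_day}|{index}".encode()
        digest = hashlib.sha256(material).hexdigest()
        tans.append(f"{int(digest, 16) % 10**TAN_DIGITS:0{TAN_DIGITS}d}")
    return tans


def strong_tan_list() -> list[str]:
    """Each TAN from a cryptographic random source, independent of account data."""
    return [f"{secrets.randbelow(10**TAN_DIGITS):0{TAN_DIGITS}d}"
            for _ in range(LIST_LENGTH)]


def is_reproducible(generator, runs: int = 3) -> bool:
    """Reviewer's check: does repeating the generation give the same list?

    True is the 'predictable' verdict from the slide; a sound generator
    practically never repeats a list of several six-digit TANs."""
    first = generator()
    return all(generator() == first for _ in range(runs - 1))


class TanList:
    """An issued list with single-use enforcement: a TAN verifies at most once."""

    def __init__(self, tans: list[str]):
        self._tans = list(tans)
        self._used = [False] * len(tans)

    def verify(self, index: int, presented: str) -> bool:
        if not 0 <= index < len(self._tans) or self._used[index]:
            return False
        # constant-time comparison avoids leaking matching prefixes via timing
        if hmac.compare_digest(self._tans[index], presented):
            self._used[index] = True
            return True
        return False


if __name__ == "__main__":
    # constructed account number; the weak list comes out identical every run
    print("weak list reproducible:  ", is_reproducible(lambda: weak_tan_list("1234567")))
    print("strong list reproducible:", is_reproducible(strong_tan_list))
```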

TYPES OF AUDITS: SYSTEM REVIEW (ISA)
SYSTEM REVIEW: Review of one or more systems, focusing on the application, programmed controls and user procedures

Diagram: 'scope of audit' boxes on individual applications in the Applications layer only (Subsystems and tools, Platforms and Networks are outside the scope).

TYPES OF AUDITS: SYSTEM REVIEW (ISA) ...
Controls within and around an information system

SYSTEM REVIEW
• General controls ("Algemene beheersmaatregelen")
  – General IT controls ("Algemene computermaatregelen")
• Specific controls ("Specifieke beheersmaatregelen")
  – Application controls
    • Programmed controls
    • User controls

TYPES OF AUDITS: SYSTEM REVIEW (ISA) ...
Due to increasing dependency upon IT, the relative importance of general IT controls and programmed controls increases

Chart: over time, as the process moves from manual to highly automated, the share of user controls shrinks while the shares of programmed controls and general IT controls grow.

AUDIT APPROACH (SIMPLIFIED)
• Understand the question of your principal
• Define your approach (and use proven methods)
• Set the scope of your investigation: object(s) and quality aspect(s)
• Define your control objectives (normen) and get agreement on them with your principal
• Investigate and describe the current situation, via interviews, documentation and tests - obtain evidence
• Evaluate the current situation against the control objectives
• Perform your risk assessment, prepare your recommendations and assess the residual risks
• Write your draft report and discuss it with either the auditees or your principal (you must be sure that everything is correct)
• Finalise your report
• Send your bill and a Service Evaluation Form
• Keep in touch with your principal and try to get future engagements...
• Build your file during the entire process

AUDIT APPROACH (SIMPLIFIED)
Flow:
• Proposal / planning
• Define object(s): object = organisation, information system, part of infrastructure, management discipline etc.
• Define quality aspect(s): CIA etc.
• Control objectives ("normenkader")
• Describe the current situation: interviews, documentation
• Confrontation (of the current situation with the control objectives)
• Finding(s) & risk assessment & recommendation(s)
• Feedback to auditee
• Reporting

A norm is:
• assertive ("stellig": contains "moet" or "dient", i.e. "must" or "should")
• clear ("duidelijk": unambiguous, not a descriptive narrative)
• testable ("toetsbaar": otherwise you cannot do anything with it)

REQUIREMENTS FOR NORMS ("EISEN STELLEN AAN NORMEN")
All activities regarding the forming of a judgment are based on NORMS
Example: "There must be a norm"
• Testable: there is one or there is not
• Assertive: "must" or "should" ("moet" or "dient")
• Short and clear

NORMS
Where do norms come from?
• Derive norms from: Code of Practice, ITIL, Cobit, etc.
• Copy from: the firm ("kantoor"), external sources ("extern")
• Principal ("opdrachtgever"): policy, contracts, SLAs
Collect them and tailor them to the specific investigation

CERTIFICATION BASED ON CoP
• Creates a goal and offers an additional management tool
• Provides a means to show you are 'in control' to the outside world
• ISO 17799 – certify against CoP

EVALUATION APPROACH TO CERTIFY
• Application for certification against CoP
• Trial assessment
• Review of documentation
• Implementation assessment
• Decision to certify
• Issue the certificate
• The period of the certification agreement is three years
• Each year surveillance audits

IMPLICATION OF THE CERTIFICATE
• The certificate implies that
  – a management framework for information security is in place
  – there are no critical non-conformities against the code of practice
  – there may exist some non-critical non-conformities
• The certificate does not imply that
  – no weaknesses exist at all
  – no shortcomings in information security can ever arise

WHY DO THEY HIRE YOU AS EDP AUDITOR?
• You have experience and can judge and advise
• You understand
  – the business
  – the company / organisation
  – the supporting role of IT
  – the technical and organisational IT infrastructure
• You can set priorities for judging / advising on the quality aspects of the IT objects, based on the interests of stockholders, directors etc.
• You can translate the results of your work into text understandable to your principal
• You can assist in translating your recommendations into priorities and actions

VOORSCHRIFT INFORMATIEBEVEILIGING RIJKSOVERHEID (VIR)
(Information Security Regulation for the Dutch central government)
Objects:
• Voorschrift (the regulation)
• Afhankelijkheidsanalyse (dependency analysis)
• Kwetsbaarheidsanalyse (vulnerability analysis)

VOORSCHRIFT INFORMATIEBEVEILIGING RIJKSOVERHEID (VIR)
• Decree of the Prime Minister, 22 July 1994
• Art. 1. Definitions
• Art. 2. Scope: ministries with the services, companies and institutions under them; it concerns the entire process of information provision and the entire life cycle of information systems
• Art. 3. The secretary-general of a ministry lays down the information security policy in a policy document and promotes this policy
• Art. 4. Line management ensures that for every information system and every area of responsibility it is systematically determined which set of measures has to be taken for the sake of information security. This includes at least:
  – a dependency analysis and the reliability requirements to be set
  – demonstrating through a vulnerability analysis that the requirements set are met
• Art. 5. … record, implement and/or promote the measures, check their operation according to a fixed schedule ...

VIR: A&K ANALYSE
RISK MANAGEMENT: DEPENDENCY AND VULNERABILITY ANALYSIS (A&K analyse)
• DEPENDENCY ANALYSIS (afhankelijkheidsanalyse)
  – Dependencies between business processes and external factors (legislation and regulation, company policy, company objectives etc.)
  – Dependencies of business processes on IT
  – Result: reliability requirements for the information systems that support the business processes
  – In fact, this is where the set of norms ("normenkader") is drawn up
• VULNERABILITY ANALYSIS (kwetsbaarheidsanalyse)
  – Identify relevant threats and the incidents that may follow from them
  – On this basis, select the required measures

(Ref. "De rol van risicoanalyse in risicomanagement", A. Brouwer, in Informatiebeveiliging Praktijkjournaal, augustus 1998, vol 1 nr 2/3, tenHagenStam, NGI afd Beveiliging)

VIR: DEPENDENCY ANALYSIS (AFHANKELIJKHEIDSANALYSE)

Diagram: the internal environment (company policy) and the external environment (regulation, legislation, politics, external organisations) surround the processes: preceding process → primary process → receiving process; the controlling process (planning, logistics); the secondary processes (PIOFAH: personnel, information, organisation, finance, general affairs, housing). All of these rest on the information systems: people, equipment, software, data, organisation, environment, services.

VIR: VULNERABILITY ANALYSIS (KWETSBAARHEIDSANALYSE)

Flow:
• Dependency analysis → reliability requirements
• Threats → incidents → consequences of incidents (if no measures are taken)
• Select the required measures and compare them with the existing measures:
  – ≠ : choose additional measures
  – = : final set of measures
• The reliability requirements are in fact the set of norms ("normenstelsel")
• The comparison is the confrontation
• This corresponds reasonably well with the audit approach (simplified)