You may see the phrase "penetration test" used interchangeably with the phrase "computer security audit". They are not the same thing. A penetration test (also known as a pen-test) is a very narrowly focused attempt to look for security holes in a critical resource, such as a firewall or Web server. Penetration testers may only be looking at one service on a network resource. They usually operate from outside the firewall with minimal inside information in order to more realistically simulate the means by which a hacker would attack the site.
On the other hand, a computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Computer security auditors work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.
Security audits do not take place in a vacuum; they are part of the on-going process of defining and maintaining effective security policies. This is not just a conference room activity. It involves everyone who uses any computer resources throughout the organization. Given the dynamic nature of computer configurations and information storage, some managers may wonder if there is truly any way to check the security ledgers, so to speak. Security audits provide such a tool, a fair and measurable way to examine how secure a site really is.
Computer security auditors perform their work though personal interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data. They are concerned primarily with how security policies - the foundation of any effective organizational security strategy - are actually used. There are a number of key questions that security audits should attempt to answer:
Are passwords difficult to crack?
Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
Are there audit logs to record who accesses data?
Are the audit logs reviewed?
Are the security settings for operating systems in accordance with accepted industry security practices?
Have all unnecessary applications and computer services been eliminated for each system?
Are these operating systems and commercial applications patched to current levels?
How is backup media stored? Who has access to it? Is it up-to-date?
Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
Have custom-built applications been written with security in mind?
How have these custom applications been tested for security flaws?
How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?
These are just a few of the kind of questions that can and should be assessed in a security audit. In answering these questions honestly and rigorously, an organization can realistically assess how secure its vital information is.
Security Policy Defined
As stated, a security audit is essentially an assessment of how effectively the organization's security policy is being implemented. Of course, this assumes that the organization has a security policiy in place which, unfortunately, is not always the case. Even today, it is possible to find a number of organizations where a written security policy does not exist. Security policies are a means of standardizing security practices by having them codified (in writing) and agreed to by employees who read them and sign off on them. When security practices are unwritten or informal, they may not be generally understood and practiced by all employees in the organization. Furthermore, until all employees have read and signed off on the security policy, compliance of the policy cannot be enforced. Written security policies are not about questioning the integrity and competency of employees; rather, they ensure that everyone at every level understands how to protect company data and agrees to fulfill their obligations in order to do so.
Natural tensions frequently exist between workplace culture and security policy. Even with the best of intentions, employees often choose convenience over security. For example, users may know that they should choose difficult-to-guess passwords, but they may also want those passwords to be close at hand. So every fledgling auditor knows to check for sticky notes on the monitor and to pick up the keyboard and look under it for passwords. IT staff may know that every local administrator account should have a password; yet, in the haste to build a system, they may just bypass that step, intending to set the password later, and therefore place an insecure system on the network.
The security audit should seek to measure security policy compliance and recommend solutions to deficiencies in compliance. The policy should also be subject to scrutiny. Is it a living document, accurately reflecting how the organization protects IT assets on a daily basis? Does the policy reflect industry standards for the type of IT resources in use throughout the organization?
source
Performing security audit means that one should be good at computers.
Showing posts with label Auditing Around the Computer. Show all posts
Showing posts with label Auditing Around the Computer. Show all posts
Wednesday, July 29, 2009
Thursday, July 23, 2009
Computer-assisted Audit Techniques
The auditor may use three broad categories of computer-assisted techniques to test controls:
Auditing around the computer
Auditing with the computer
Auditing through the computer
Auditing Around the Computer
With this technique, auditors test the reliability of computer-generated information by first calculating expected results from the transactions entered into the system. Then, the auditors compare these calculations to the processing or output results. If they prove to be accurate and valid, it is assumed that the system of controls is effective and that the system is operating properly.
The auditing around the computer approach is adequate when automated systems applications are relatively simple and straightforward. SAS No. 94 does not eliminate the use of this technique. This approach may be suitable for firms using a variety of accounting software that process applications periodically and, when the audit trail generated is extensive, allow outputs to be traced back to inputs.
The major weakness of the auditing around the computer approach is that it does not determine whether the program logic is correct. In addition, this approach does not reveal how the automated controls respond to a wide variety of transactions containing errors. Therefore, in complex IT environments, this approach may overlook potentially significant errors and may be ineffective in restricting detection risk to an acceptable level.
Auditing With the Computer
The auditing with the computer approach embraces a variety of techniques and often is referred to as computer-assisted audit techniques (CAATs). CAATs involve using computers, often a microcomputer, to aid auditors. Although the utilization of CAATs has radically improved the capabilities and effectiveness of auditors, they are primarily used to perform substantive tests. One widely used CAAT, known as general audit software (GAS), is frequently employed to perform substantive tests and may be used for limited testing of controls. For example, GAS can be used to test the functioning of complex algorithms in computer programs, but it requires extensive experience in using the software. In contrast, the auditing through the computer techniques are designed specifically to test automated controls, and some techniques do not require extensive IT experience.
Auditing Through the Computer
These techniques focus on testing automated processing steps, programming logic, edit routines and programmed controls. The approach assumes that, if the processing programs are soundly developed and incorporate adequate edit routines and programmed checks, then errors and irregularities are not likely to slip by undetected. If these programs are functioning as designed, the outputs can reasonably be accepted as reliable.
The auditing through the computer approach is particularly appropriate for testing controls in the complex IT systems emphasized in SAS No. 94. This approach embraces a family of techniques (see table 1), including test data, parallel simulation, integrated test facility and embedded audit module. In a survey conducted by the authors, only 26 of 91 responding Fortune 500 firms, or 28.6 percent, indicated that auditing through the computer techniques were used in an audit of the purchase function, usually a highly automated and complex IT application. This survey, conducted before SAS No. 94, confirms that a majority of auditors continue to set control risk at the maximum level and rely solely on substantive testing to obtain evidence about the accuracy and completeness of the relevant information. When SAS No. 94 becomes widely adopted, the number of all firms, regardless of size, using auditing through the computer techniques should increase.
source
In today's fast changing, we need to use the computer to help us in our daily work.
Auditing around the computer
Auditing with the computer
Auditing through the computer
Auditing Around the Computer
With this technique, auditors test the reliability of computer-generated information by first calculating expected results from the transactions entered into the system. Then, the auditors compare these calculations to the processing or output results. If they prove to be accurate and valid, it is assumed that the system of controls is effective and that the system is operating properly.
The auditing around the computer approach is adequate when automated systems applications are relatively simple and straightforward. SAS No. 94 does not eliminate the use of this technique. This approach may be suitable for firms using a variety of accounting software that process applications periodically and, when the audit trail generated is extensive, allow outputs to be traced back to inputs.
The major weakness of the auditing around the computer approach is that it does not determine whether the program logic is correct. In addition, this approach does not reveal how the automated controls respond to a wide variety of transactions containing errors. Therefore, in complex IT environments, this approach may overlook potentially significant errors and may be ineffective in restricting detection risk to an acceptable level.
Auditing With the Computer
The auditing with the computer approach embraces a variety of techniques and often is referred to as computer-assisted audit techniques (CAATs). CAATs involve using computers, often a microcomputer, to aid auditors. Although the utilization of CAATs has radically improved the capabilities and effectiveness of auditors, they are primarily used to perform substantive tests. One widely used CAAT, known as general audit software (GAS), is frequently employed to perform substantive tests and may be used for limited testing of controls. For example, GAS can be used to test the functioning of complex algorithms in computer programs, but it requires extensive experience in using the software. In contrast, the auditing through the computer techniques are designed specifically to test automated controls, and some techniques do not require extensive IT experience.
Auditing Through the Computer
These techniques focus on testing automated processing steps, programming logic, edit routines and programmed controls. The approach assumes that, if the processing programs are soundly developed and incorporate adequate edit routines and programmed checks, then errors and irregularities are not likely to slip by undetected. If these programs are functioning as designed, the outputs can reasonably be accepted as reliable.
The auditing through the computer approach is particularly appropriate for testing controls in the complex IT systems emphasized in SAS No. 94. This approach embraces a family of techniques (see table 1), including test data, parallel simulation, integrated test facility and embedded audit module. In a survey conducted by the authors, only 26 of 91 responding Fortune 500 firms, or 28.6 percent, indicated that auditing through the computer techniques were used in an audit of the purchase function, usually a highly automated and complex IT application. This survey, conducted before SAS No. 94, confirms that a majority of auditors continue to set control risk at the maximum level and rely solely on substantive testing to obtain evidence about the accuracy and completeness of the relevant information. When SAS No. 94 becomes widely adopted, the number of all firms, regardless of size, using auditing through the computer techniques should increase.
source
In today's fast changing, we need to use the computer to help us in our daily work.
Subscribe to:
Posts (Atom)