Practical Guidance for Auditing IT General Controls
Chase Whitaker, CPA, CIA
September 2, 2009

About Hospital Corporation of America
• $28B annual revenue
• $24B total assets
• $4.6B EBITDA
• $673M Net Income
• Fortune 100 Company
• ~180,000 employees
• ~170 hospitals
• ~110 surgery centers
• Common line of business, systems, and security model

Session Objectives
• IT general controls and significance for regulatory compliance
• COBIT 4.1 IT control framework
• IT general controls scope areas including:
  – Infrastructure/logical security
  – User access
  – Physical security/environmental controls
  – Change management
  – Disaster recovery/business continuity
• How to plan and execute a risk‐based IT general controls review

What are IT general controls?
• Encompassing controls designed to cover the entire organization's IT infrastructure rather than specific applications
• IT general controls help ensure CIA:
  – Confidentiality
  – Integrity
  – Availability
• Contribute to safeguarding of data and promotion of regulatory compliance.
What are IT general controls? (continued)
• Key control assessment would focus on IT general controls and application‐specific controls (not covered)

Regulatory Compliance Significance
• Health Insurance Portability and Accountability Act (HIPAA)
• Payment Card Industry (PCI)
• Gramm‐Leach‐Bliley Act (GLBA)
• Sarbanes‐Oxley (SOX)
  – IT plays a major role in supporting financial reporting integrity
  – Section 404 requires an internal control report
  – Management must use a recognized internal control framework (e.g., COBIT, COSO)

Frameworks
• COBIT
  – Control Objectives for Information Technology
• COSO
  – Most widely used internal control framework (commonly used for SOX compliance)
• ISO 17799 / 27001
  – Detailed information security standards (commonly used to benchmark a company's policies/standards)

Additional Frameworks
• NIST 800 Series
  – U.S. federal government computer security policies, procedures, and guidelines
• GAIT Methodology (IIA)
  – Focused on IT general controls

COBIT 4.1 Framework
• COBIT – Control Objectives for Information and Related Technology
• IT governance framework issued by ISACA (free)
• Control objectives for safeguarding information assets
• 4.1 released in May 2007 (first published in 1996)

COBIT 4.1 Framework
• Contains 210 detailed control objectives
• COBIT Control Practices (for COBIT subscribers)
• IT Assurance Guide (for ISACA members)
• Framework adopted by many companies to comply with legislation such as SOX

COBIT 4.1 process map (COBIT® Copyright 2007 by IT Governance Institute)
IT resources: Applications, Information, Infrastructure, People

PLAN AND ORGANISE
PO1 Define a strategic IT plan
PO2 Define the information architecture
PO3 Determine technological direction
PO4 Define the IT processes, organisation, relationships
PO5 Manage the IT investment
PO6 Communicate management aims and direction
PO7 Manage IT human resources
PO8 Manage quality
PO9 Assess and manage IT risks
PO10 Manage projects

ACQUIRE AND IMPLEMENT
AI1 Identify automated solutions
AI2 Acquire and maintain application software
AI3 Acquire and maintain technology infrastructure
AI4 Enable operation and use
AI5 Procure IT resources
AI6 Manage changes
AI7 Install and accredit solutions and changes

DELIVER AND SUPPORT
DS1 Define & manage service levels
DS2 Manage third-party services
DS3 Manage performance and capacity
DS4 Ensure continuous service
DS5 Ensure systems security
DS6 Identify and allocate costs
DS7 Educate and train users
DS8 Manage service desk and incidents
DS9 Manage the configuration
DS10 Manage problems
DS11 Manage data
DS12 Manage the physical environment
DS13 Manage operations

MONITOR AND EVALUATE
ME1 Monitor & evaluate IT performance
ME2 Monitor & evaluate internal control
ME3 Ensure compliance with external requirements
ME4 Provide IT governance

Infrastructure Platforms
• Operating Systems (O/S)
  – Controls program execution, allocation of hardware resources, access to programs, etc.
  – Examples: Windows, Linux, UNIX, Mainframe
• Database Management Systems (DBMS)
  – System of programs used to define, maintain, and manage access to large collections of data
  – Examples: Oracle, DB2, SQL Server
• Applications
  – Web‐based (thin‐client)
  – Thick client

Logical Security (DS5) – Overview
• Logical security controls should ensure confidentiality, integrity, and availability over systems and data.
• Strong authentication controls should prevent user accounts from being compromised.
• File shares should be adequately restricted to appropriate users.
• Patches/system updates should be applied timely.
Logical Security (DS5) – Overview (continued)
• Network services should be closed unless necessary for business reasons.
• Anti‐virus software should be installed and up‐to‐date.
• Sensitive data should be encrypted.

Logical Security – Risks
• Authentication controls may not provide reasonable measures to protect against unauthorized access.
• Excessive file shares allowing inappropriate access to sensitive data.
• Systems may be susceptible to extended downtime, viruses, unauthorized access, or other malicious activity due to outdated patches and virus updates.

Logical Security – Risks (continued)
• Inadequate protection over sensitive data resulting in unintended disclosure.
• Unnecessary network services may be exploited to gain unauthorized access to sensitive data.

Logical Security – Audit Tests
• Compare password controls (e.g. length, complexity, expiration, history) to organizational standards or best practices.
• Review network file shares for appropriateness and necessity.
• Ensure sensitive information is not inappropriately shared.

Logical Security – Audit Tests (cont.)
• Evaluate the process to apply patches/updates to the O/S, DBMS, and application.
• Ensure patches are applied timely to remediate known vulnerabilities.
• Observe anti‐virus settings to ensure definitions are up‐to‐date.

Logical Security – Audit Tests (cont.)
• Determine if anti‐virus application is scanning drives regularly.
• Determine if sensitive data is encrypted within databases, on hard drives, and during network transmissions.
Logical Security – Audit Tests (cont.)
• Perform security scans to identify vulnerable services unnecessary for the role of the server (e.g., FTP, HTTP, SMTP, Telnet, etc.).

User Access (DS5) – Overview
• Users and their system activity should be uniquely identifiable.
• User access requests, modifications, and removals should be documented and approved.
• Terminated users should have access removed timely.
• Access levels should be based on a user's job duties (least privilege principle).
• Remote access should rely on secure protocols.

User Access – Risks
• Undetected fraudulent/inappropriate use of critical systems and data
• Access granted without valid approval
• Access to critical systems and data by unauthorized users
• Appropriate access not defined for each specific job role (i.e., role‐based security)
• Remote access to critical systems/data not configured correctly or using insecure protocols (e.g., modems, public networks)

User Access – Audit Tests
• Ensure user administration procedures have been developed and review them for adequacy.
• Review system accounts to determine if any terminated employees/unauthorized users have active accounts.
• Evaluate user access, including administrator‐level accounts, for adequacy and appropriateness based on the user's job duties.
• Determine how remote access is granted, and recommend the replacement of insecure solutions.
• Ensure audit logging is enabled on critical systems/accounts, and logs are reviewed timely.

Physical/Environmental Controls (DS12) – Overview
• Physical security/environmental controls should protect the data center, server rooms, network closets, and other controlled areas.
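The User Access audit tests above (terminated employees or unauthorized users with active accounts, and administrator-level accounts to be evaluated against job duties) come down to reconciling two exports: the HR roster and the system account list. The script below is an added example, not part of the presentation, showing that reconciliation; the roster, account export, field layout and the 3-day access-removal standard are all constructed assumptions. In practice the account export would come from the directory or from a tool such as DumpSec, and the roster from HR.

```python
"""Added example: reconcile a system account export against an HR roster to
find terminated users still enabled, post-termination logons, accounts with no
HR owner, and administrator-level accounts for job-duty review.
All data below is constructed sample data; field names are assumptions."""
from datetime import date

# Constructed HR roster: user id -> (status, termination date or None)
HR_ROSTER = {
    "jsmith": ("active", None),
    "mjones": ("terminated", date(2009, 7, 15)),
    "rlee":   ("terminated", date(2009, 8, 28)),
    "pkumar": ("active", None),
}

# Constructed system account export: account -> (enabled?, last logon, admin?)
SYSTEM_ACCOUNTS = {
    "jsmith":     (True,  date(2009, 9, 1),  False),
    "mjones":     (True,  date(2009, 8, 20), False),  # terminated, still enabled
    "rlee":       (False, date(2009, 8, 27), False),  # terminated, disabled in time
    "pkumar":     (True,  date(2009, 9, 1),  True),
    "svc_backup": (True,  date(2009, 9, 1),  True),   # no HR record
}

# Assumed organizational standard: access removed within 3 days of termination
REMOVAL_SLA_DAYS = 3
# Date the auditor pulled the exports (constructed)
REVIEW_DATE = date(2009, 9, 2)


def admin_accounts(accounts):
    """Accounts holding administrator rights, listed for evaluation against job duties."""
    return sorted(acct for acct, (_, _, is_admin) in accounts.items() if is_admin)


def find_exceptions(hr, accounts, review_date, sla_days=REMOVAL_SLA_DAYS):
    """Return (account, finding) tuples for the auditor's workpapers."""
    findings = []
    for acct, (enabled, last_logon, _) in sorted(accounts.items()):
        if acct not in hr:
            # Service accounts are legitimate, but each needs a documented owner and approval
            findings.append((acct, "no HR record - confirm ownership and approval"))
            continue
        status, term_date = hr[acct]
        if status != "terminated":
            continue
        if enabled:
            overdue = (review_date - term_date).days - sla_days
            findings.append((acct, f"terminated {term_date} but still enabled "
                                   f"({overdue} days past SLA)"))
        if last_logon > term_date:
            # Activity after termination means access was used, not merely left open
            findings.append((acct, f"logon on {last_logon} after termination on {term_date}"))
    return findings


if __name__ == "__main__":
    print("Administrator-level accounts:", admin_accounts(SYSTEM_ACCOUNTS))
    for acct, finding in find_exceptions(HR_ROSTER, SYSTEM_ACCOUNTS, REVIEW_DATE):
        print(f"{acct}: {finding}")
```

Two points the slides imply but the reconciliation makes concrete: a disabled account (rlee) is not an exception even though the user is terminated, and an enabled account that also shows a logon after the termination date (mjones) is a higher-severity finding than one that was merely left open.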
Physical/Environmental Controls (DS12) – Overview (continued)
• Access to these areas should be restricted to appropriate personnel to reduce business interruptions from theft or destruction of computer equipment.
• Monitoring of environmental factors should reduce business interruptions from damage to computer equipment and personnel.

Physical/Environmental Controls – Risks
• Unauthorized individuals may gain access to sensitive/controlled areas and may view, modify, or destroy equipment or sensitive business data.
• Unauthorized/improper access to controlled areas may go unnoticed due to improper monitoring.
• Business disruption in the event of an environmental incident (e.g., fire, flood, power failure, excessive heat/humidity, etc.) because of inadequate protection of IT assets
• Unmanageable network environments and/or extended network downtime due to poorly configured wiring within server rooms, communication closets, etc.

Physical/Environmental Controls – Audit Tests
• Review list of individuals with access to controlled areas.
• Review visitor logs for controlled areas.
• Review maintenance/test logs for environmental control devices (e.g., testing of backup generators, maintenance of HVAC units, testing of UPS systems).

Physical/Environmental Controls – Audit Tests (cont.)
• Walk‐through controlled areas to evaluate adequacy of physical and environmental controls.
  – Fire suppression systems and smoke detectors
  – Water/moisture detection sensors
  – Temperature/humidity sensors
  – Well‐maintained network wiring

Change Management (AI6 & AI7) – Overview
• Managing changes addresses how an organization modifies system functionality to meet business needs.
• Requests for changes should be documented and follow defined change management procedures.
Change Management (AI6 & AI7) – Overview (continued)
• Emergency changes should follow a defined process.
• Changes should be properly tested (in separate environments) to ensure functionality meets defined requirements.
• Controls should restrict migration of program changes to production to authorized and appropriate individuals.

Change Management – Risks
• Unauthorized/unapproved changes implemented into production environments.
• Changes not adequately logged for monitoring and documentation purposes and to back out changes if a change causes a system failure.
• Incorrect system functionality (i.e., erroneous processing) due to inadequate testing of changes
• Developers with access to migrate code into production may implement unauthorized changes.

Change Management – Audit Tests
• Evaluate change management procedures (including emergency changes) for adequacy.
• Compare changes from the request system to implemented changes (usually obtained through system logs) to identify unauthorized changes.
• Review proper approvals for all implemented changes.
  – Routine
  – Emergency

Change Management – Audit Tests (cont.)
• Assess adequacy of change testing.
• Determine if regression and end‐user acceptance testing was performed.
• Review for adequate segregation of duties between development, testing, and change implementation.

Disaster Recovery/Business Continuity (DS4) – Overview
• DR/BC plans help minimize business impact in the event of an IT service interruption.
• DR/BC plans should be updated regularly and routinely tested to ensure systems and data can be recovered timely following a disaster or other interruption.

Disaster Recovery/Business Continuity (DS4) – Overview (continued)
• DR/BC plans and data backups should be stored offsite for recovery needs.
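The Change Management audit tests above (compare the request system to implemented changes from system logs, review approvals for routine and emergency changes, check testing evidence and segregation of duties) can be worked as a single reconciliation. The following is an added example, not from the presentation: the change request export, the migration log format, and the field names (`approved_by`, `tested_by`, `uat_signoff`, `implemented_by`) are constructed assumptions standing in for whatever the organization's ticketing system and deployment logs actually provide.

```python
"""Added example: reconcile production migration log entries against the change
request system. Flags changes with no request, missing approvals (routine or
emergency), a developer migrating their own code, and weak testing evidence.
All records and field names are constructed assumptions."""

# Constructed change request export: ticket -> details
CHANGE_REQUESTS = {
    "CHG-1001": {"object": "payroll.calc", "type": "routine", "approved_by": "it_mgr",
                 "developer": "alice", "tested_by": "qa_bob", "uat_signoff": True},
    "CHG-1002": {"object": "billing.export", "type": "emergency", "approved_by": None,
                 "developer": "carol", "tested_by": "carol", "uat_signoff": False},
    "CHG-1003": {"object": "ar.report", "type": "routine", "approved_by": "it_mgr",
                 "developer": "dave", "tested_by": "qa_bob", "uat_signoff": True},
}

# Constructed production migration log (assumed layout: date|object|ticket|implemented_by)
PROD_LOG = """2009-08-03|payroll.calc|CHG-1001|release_eng
2009-08-10|billing.export|CHG-1002|carol
2009-08-12|gl.posting||dave
2009-08-20|ar.report|CHG-1003|release_eng"""


def parse_log(text):
    """Turn the pipe-delimited migration log into dicts; an empty ticket field becomes None."""
    rows = []
    for line in text.splitlines():
        when, obj, ticket, who = line.split("|")
        rows.append({"date": when, "object": obj, "ticket": ticket or None,
                     "implemented_by": who})
    return rows


def reconcile(requests, log_rows):
    """Return (object, finding) tuples, one per control exception, in log order."""
    findings = []
    for row in log_rows:
        obj, ticket, who = row["object"], row["ticket"], row["implemented_by"]
        req = requests.get(ticket) if ticket else None
        if req is None:
            # Implemented in production with nothing in the request system: unauthorized until proven otherwise
            findings.append((obj, f"{row['date']}: production change with no change request"))
            continue
        if req["object"] != obj:
            findings.append((obj, f"ticket {ticket} references {req['object']}, not {obj}"))
        if not req["approved_by"]:
            # Emergency changes still need documented (possibly after-the-fact) approval
            findings.append((obj, f"{req['type']} change {ticket} has no documented approval"))
        if who == req["developer"]:
            findings.append((obj, f"developer {who} migrated own change {ticket} "
                                  f"(segregation of duties)"))
        if req["tested_by"] == req["developer"] or not req["uat_signoff"]:
            findings.append((obj, f"{ticket}: inadequate testing evidence "
                                  f"(independent test and UAT sign-off)"))
    return findings


if __name__ == "__main__":
    for obj, finding in reconcile(CHANGE_REQUESTS, parse_log(PROD_LOG)):
        print(f"{obj}: {finding}")
```

The comparison is driven from the production log, not from the ticket list, because the risk the slides describe is a change that reached production without a request; starting from tickets would never surface `gl.posting`.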
Disaster Recovery/Business Continuity (DS4) – Overview (continued)
• Quality of backup media and restoration tests should be periodically performed to ensure success of backup processes.

Disaster Recovery/Business Continuity – Risks
• Backups may not include all necessary business data for comprehensive recovery in the event of unexpected system downtime or a disaster.
• Data may be compromised by unauthorized individuals due to improper securing of backup media.
• Extended downtime in the event of a disaster due to inadequate/lack of disaster recovery testing or thoroughly documented plans
• Lack of executive/senior management support

Disaster Recovery and Business Continuity – Audit Tests
• Ensure plans are comprehensive, up‐to‐date, and approved.
• Determine if plans are tested regularly and results are documented (post‐exercise assessments).
• Review backup logs to determine if data and system configurations are backing up successfully.

Disaster Recovery and Business Continuity – Audit Tests (continued)
• Determine if data is routinely test‐restored to confirm backups are recoverable.
• Evaluate storage of backup media (logical/physical) and location (e.g., fireproof safe, offsite location, encrypted, etc.).

Freeware Tools for Assessing ITGC
Caveat – work with your information technology and security departments about permission to use these tools.
• DumpSec
  – www.somarsoft.com/
  – Logical security tool to assess local accounts, password configurations, audit log settings, etc. on Windows systems.
  – User must have administrator rights to get full results.
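The Disaster Recovery/Business Continuity audit tests above (review backup logs for successful backups of data and system configurations, and confirm data is routinely test-restored) are shown here as an added example that is not part of the presentation. The job-history format, the system names, and the policy values (a successful backup every day, a successful test restore every 90 days) are constructed assumptions; a real review would export the job history from the backup product in use and take the thresholds from the organization's DR/BC plan.

```python
"""Added example: review a backup job history for critical systems and flag
systems with no successful backup in the policy window, repeated failures that
need follow-up, and no recent successful test restore.
Log layout, system names and policy values are constructed assumptions."""
from datetime import date, datetime

# Assumed policy values
MAX_BACKUP_AGE_DAYS = 1        # every critical system backed up successfully daily
MAX_RESTORE_TEST_AGE_DAYS = 90 # a successful test restore at least quarterly

CRITICAL_SYSTEMS = ["payroll-db", "ehr-app", "file-srv"]
REVIEW_DATE = date(2009, 9, 1)  # date the auditor pulled the history (constructed)

# Constructed backup job history (assumed layout: date time TYPE system RESULT [detail])
BACKUP_LOG = """2009-08-30 23:05 BACKUP payroll-db SUCCESS
2009-08-30 23:40 BACKUP ehr-app SUCCESS
2009-08-30 23:55 BACKUP file-srv FAILED media error
2009-08-31 23:05 BACKUP payroll-db SUCCESS
2009-08-31 23:40 BACKUP ehr-app SUCCESS
2009-08-31 23:55 BACKUP file-srv FAILED media error
2009-06-01 10:00 RESTORE_TEST payroll-db SUCCESS
2009-03-15 10:00 RESTORE_TEST ehr-app SUCCESS"""


def parse_backup_log(text):
    """Parse each history line into a dict; trailing detail text after the result is ignored."""
    entries = []
    for line in text.splitlines():
        day, clock, job_type, system, result = line.split(None, 4)
        when = datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M").date()
        entries.append({"when": when, "type": job_type, "system": system,
                        "result": result.split()[0]})
    return entries


def review_backups(entries, systems, review_date):
    """Return (system, finding) tuples for each critical system failing a policy check."""
    findings = []
    for system in systems:
        mine = [e for e in entries if e["system"] == system]
        ok_backups = [e["when"] for e in mine if e["type"] == "BACKUP" and e["result"] == "SUCCESS"]
        if not ok_backups or (review_date - max(ok_backups)).days > MAX_BACKUP_AGE_DAYS:
            findings.append((system, "no successful backup within policy window"))
        failures = [e for e in mine if e["type"] == "BACKUP" and e["result"] != "SUCCESS"]
        if len(failures) >= 2:
            # A single failure happens; repeated failures mean nobody is acting on the job alerts
            findings.append((system, f"repeated backup failures ({len(failures)}) - "
                                     f"evaluate failure follow-up"))
        restores = [e["when"] for e in mine if e["type"] == "RESTORE_TEST" and e["result"] == "SUCCESS"]
        if not restores or (review_date - max(restores)).days > MAX_RESTORE_TEST_AGE_DAYS:
            findings.append((system, "no successful test restore within policy window"))
    return findings


if __name__ == "__main__":
    for system, finding in review_backups(parse_backup_log(BACKUP_LOG), CRITICAL_SYSTEMS, REVIEW_DATE):
        print(f"{system}: {finding}")
```

Note that `payroll-db` has a clean backup history and still produces a finding: its last successful test restore (1 June) is 92 days before the review date, which is the point of the second audit test. A backup that has never been restored is evidence of a job running, not of recoverability.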
Freeware Tools for Assessing ITGC (continued)
• Microsoft Baseline Security Analyzer – MBSA
  – technet.microsoft.com/en‐us/security/cc184924.aspx
  – Logical security tool to identify security vulnerabilities (i.e., missing patches) and configuration best practices on Windows systems.

Some More Freeware Tools
• Nmap
  – nmap.org/download.html
  – Logical security tool for Linux or Windows
  – Scans for network services (i.e., open ports), detects network devices, performs O/S fingerprinting, etc.
  – Can run against single IP addresses or entire IP address ranges.
• BackTrack3
  – www.remote‐exploit.org/backtrack.html
  – Bootable Linux distribution – used for logical security (penetration).
  – Contains over 300 security tools.

Hey, Even MORE Freeware Tools!
• Nessus
  – Free download at: www.nessus.org/
  – Linux or Windows scanning tool used to identify vulnerable network services (i.e., open ports), perform O/S fingerprinting, etc. across all system platforms.
  – Can run against single IP addresses or IP address ranges.
• Kismet
  – www.kismetwireless.net/download.shtml
  – Linux‐based wireless network detection tool used to identify and evaluate encryption of wireless access points.
  – A similar tool for use on Windows systems is also available (Wireshark).
Planning and Executing a Risk‐based IT General Controls Review
• Perform a risk assessment
  – Risk = Likelihood * Impact
• Develop the audit scope
  – Focus on high‐risk areas identified during the risk assessment
  – Auditing all IT general controls is likely not feasible, practical, or necessary

Planning and Executing a Risk‐based IT General Controls Review (continued)
• Audit planning and program development
• Complete testing to evaluate control effectiveness
• Report results to company management

Summary
• Sound IT general controls help promote regulatory compliance.
• Must ensure controls effectively mitigate the associated risk.
• An IT control framework such as COBIT 4.1 may help companies comply with regulations.
• Performing risk‐based IT general controls reviews will help ensure scarce resources are focused on the most significant areas to the company.
• Many freeware tools are available to assist the auditor in performing IT general controls reviews.

Contact Information
Chase Whitaker
Director of Internal Audit – IT
(615) 344‐5973
[email protected]