IT Security System Audits CH.1
Regulatory compliance
- Protects the reputation and integrity of the organizations that are required to comply.
- Considers the interests of the consumer and shareholders.
- Has a farther-reaching economic impact by ensuring public confidence in organizations and capital markets.
general steps to meeting compliance
1. Interpret the regulation and how it applies to the organization.
2. Identify the gap or determine where the organization stands with the compliance mandate.
3. Devise a plan to close the gap.
4. Execute the plan.
NIST 800-53A provides ________.
A guide for assessing security controls
TJX Breach
An unauthorized intruder first accessed systems in July 2005, and unauthorized access continued through mid-January 2007. On December 18, 2006, TJX discovered suspicious software on its systems and immediately initiated an investigation along with leading computer security firms. Within a few days, TJX had notified law enforcement officials and met with the U.S. Department of Justice and the U.S. Secret Service to brief them on the discovery. Shortly thereafter, TJX notified contracting banks and payment card processing companies. Before the public announcement of the incident, the company had notified the U.S. Federal Trade Commission (FTC), the U.S. Securities and Exchange Commission (SEC), and the Canadian authorities.
Which of the following best describes an audit used to determine if a Fortune 500 health care company is adhering to Sarbanes-Oxley and HIPAA regulations?
A. IT audit
B. Operational audit
C. Compliance audit
D. Financial audit
E. Investigative audit
Compliance Audit
categories from where costs can occur following a breach
Discovery, notification, and response
Lost productivity
Opportunity cost
Regulatory fines
Restitution
Additional security and audit requirements
Other liabilities
Interview
Discuss associated assessment objects with groups or individuals to understand or obtain evidence to support the existence and effectiveness of the security control. Interviewees can include senior officials, information system owners, security officers, information system operators, and network administrators.
A security assessment is a method for proving the strength of security systems.
False
An IT security audit is an ________ assessment of an organization's internal policies, controls, and activities.
Independent
Which of the following is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker?
A. Policy review
B. Penetration test
C. Standards review
D. Controls audit
E. Vulnerability scan
Penetration test
The Big Four
PricewaterhouseCoopers (known as PwC), Deloitte, Ernst & Young (known as EY), and KPMG.
Test
Put associated assessment objects under specific conditions to compare actual behavior with what is expected to obtain evidence to support the existence and effectiveness of the security control. Objects can include hardware or software mechanisms or system operations or administration activities. Examples include testing actual security configuration settings and conducting penetration tests.
Which one of the following is not a method used for conducting an assessment of security controls?
A. Examine
B. Interview
C. Test
D. Remediate
Remediate
Categorizing information and information systems and then selecting and implementing appropriate security controls is part of a ________.
Risk-Based Approach
Information technology audits
These address the risk exposures within IT systems and assess the controls and integrity of information systems.
Compliance audits
These determine if an organization is adhering to applicable laws, regulations, and industry requirements.
Financial audits
These determine whether an organization's financial statements accurately and fairly represent the financial position of the organization.
Investigative audits
These investigate company records and processes based on suspicious activity or alleged violations.
Operational audits
These provide a review of policies, procedures, and operational controls across different departments to ensure processes are adequate.
Technical (IT audit scope)
This examines the IT infrastructure and data communications.
Organizational (IT audit scope)
This examines the management control over IT and related programs, policies, and processes.
Application (IT audit scope)
This involves the applications that are strategic—for example, those typically used by finance and operations.
Compliance (IT audit scope)
This pertains to ensuring that specific guidelines, laws, or requirements have been met.
NIST Special Publication 800-53A
This publication defines a recommended assessment procedure, which includes a set of assessment objectives.
Compliance initiatives typically are efforts around all except which one of the following?
A. To adhere to internal policies and standards
B. To adhere to regulatory requirements
C. To adhere to industry standards and best practices
D. To adhere to an auditor's recommendation
To adhere to an auditor's recommendation
The internal audit function may be outsourced to an external consulting firm.
A. True
B. False
True
Whereas only qualified auditors perform security audits, anyone may do security assessments.
True
Examination
Verify, inspect, or review associated assessment objects to understand or obtain evidence to support the existence and effectiveness of the security control. Examples include reviewing security policies and procedures and observing physical security mechanisms.
IT security assessment
a key activity that involves the management of risk
penetration test
an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker.
IT security audit
an independent assessment of an organization's internal policies, controls, and activities.
Payment Card Industry Data Security Standard (PCI DSS)
an industry-created standard that applies to organizations that process credit cards. Companies that meet a specific threshold for large volumes of credit card transactions are required to achieve compliance. This is done via an audit by an independent Qualified Security Assessor (QSA).
Internal compliance
an organization's ability to follow its own rules, which are typically based on defined policies.
risk
an uncertainty that might lead to a loss.
Internal auditors
are employed by the organization that they audit.
IT security assessment report
documents the findings of the assessment and provides the information necessary to determine the effectiveness of the controls.
general controls
embedded in IT services
application controls
embedded in business applications
Strict liability
even if there wasn't intent, government agencies can levy huge fines on organizations and some individuals can spend years in prison
assessment methods
examination, interview, and test
Security controls
include the physical, procedural, and technical mechanisms to safeguard systems.
external auditor
is independent of the organization and is often engaged from one of the big accounting and consulting firms.
black box pen test
makes no assumptions about the environment to be tested
National Institute of Standards and Technology (NIST)
provides a framework for effective security assessment plans in NIST Special Publication 800-53A
white box pen test
provides complete knowledge and information, such as network diagrams, about the environment to be tested
External compliance
refers to the need or desire for an organization to follow rules and guidelines set forth by external organizations and initiatives.
Governance
seeks to better run an organization using complete and accurate information and management processes or controls.
Risk management
seeks to mitigate risk through controls.
assessment objects
specification, mechanism, activity, and individual
A proposed merger in 2000 with Sprint would have eclipsed the merger with MCI; however, the merger was disapproved and WorldCom started to unravel. In an attempt to maintain its earnings, WorldCom liberally interpreted accounting rules to make its financial statements seem profitable. The company soon moved from liberal interpretation into outright fraud by creating false entries.
true
An assessment objective includes one or more statements that are directly related to a corresponding control to determine the validity and effectiveness of the control.
true
An audit is concerned about past results and performance, whereas an assessment considers previous and current results as well as expected performance.
true
At a fundamental level, internal compliance to corporate policies is critical to the success of any business.
true
Auditors should never be involved in the auditing of processes, systems, or applications that they themselves designed or implemented.
true
Audits are an independent evaluation. A security assessment may also be conducted independently, but it is not necessary. Many organizations use a combination of both.
true
Audits follow a rigorous approach and are conducted according to accepted principles. This also requires that auditors be qualified. The approach taken for an assessment can fall across a wide spectrum, but in many cases, assessments have taken a cue from audits with well-defined approaches and frameworks.
true
Compliance embraces the organizational mission, and noncompliance can harm or even impede business.
true
Compliance frameworks, such as Control Objectives for Information and Related Technology (COBIT), and standards, such as NIST, help interpret how to comply with the regulations.
true
Compliance helps governance by ensuring such information and controls also satisfy applicable standards or regulations.
true
Compliance helps risk management by verifying that the desired controls are in place.
true
Compliance laws and regulations ensure there are proper information system controls throughout the environment to provide the necessary security of customer data, as well as to ensure the integrity of the systems upon which business processes run.
true
External auditors are typically limited to providing information about gaps discovered and leading the client to accepted principles.
true
In the event an organization passes an audit, the organization typically receives some type of certification or confirmation. This is not the case for assessments.
true
Initially, the TJX attackers accessed only historical data. To capture live transaction data, the attackers installed software that recorded the traffic. This enabled the attackers to steal credit card data as customer transactions were occurring in the store.
true
Internal auditors can provide recommendations for improvements; however, they should never be involved in the design or implementation of any system or control.
true
It's helpful to create an executive summary document that quickly highlights the key findings and recommendations in a security assessment report.
true
Many organizations use assessments to prepare for audits.
true
Meeting compliance often includes implementing mechanisms to prove that an organization has properly executed its plan.
true
Not all IT security assessments need to be comprehensive to cover all security controls or even all information systems.
true
On January 17, 2007, TJX announced it had become a victim of an intrusion into portions of its information systems that process and store customer transaction data.
true
On a strategic level, compliance ensures an organization can effectively meet organizational goals and objectives as planned. This means IT must ensure it is capable of delivering services to satisfy business needs and to stay compliant with external laws and regulations.
true
Organizations have spent and continue to spend large sums of money to achieve and maintain regulatory and industry compliance.
true
Organizations often outsource their internal audit functions to an external consulting firm.
true
Penetration tests often reveal weaknesses or easily exploited vulnerabilities within a system.
true
Publicly traded companies are required to engage external auditors.
true
Regular assessments and audits of the IT environment are important for ensuring compliance.
true
Risk management means deeming some risks acceptable so a company may accomplish its business goals.
true
Security auditing, in general, must follow a more rigid approach and process over a security assessment.
true
TJX did not break any laws; it was simply not compliant with stated payment card processing guidelines.
true
The Enron collapse was a result of a complex and methodical accounting scandal. The fallout was massive, resulting in thousands of employees who were laid off and who lost their life savings plans that were tied to the company's stock. In addition, shareholders saw a loss of $11 billion. Economically, the disaster perpetuated a lack of trust in the stock market and eroded public confidence.
true
The benefits provided to organizations as a result of information technology involve complex systems and processes.
true
The cost per record breached can be anywhere between $90 and $305, depending on the type of breach and how heavily regulated the industry in which the breach occurs is.
true
The market value of WorldCom continued to grow substantially through these acquisitions, and high expectations continued to be placed on the company. This generated pressure to keep the stock price at elevated levels, which in turn allowed WorldCom to continue its acquisition spree.
true
The personnel who conduct security assessments can be internal or external to an organization.
true
The point of infiltration in the TJX breach was a wireless network at a retail store using WEP instead of WPA.
true
Unlike external auditors, internal auditors are not independent of the organization they audit.
true
Without proper governance in place, an organization can have neither effective risk management nor compliance.
true
WorldCom spent approximately $60 billion and accumulated approximately $41 billion in debt via mergers and acquisitions.
true
You use an audit to assess the presence and effectiveness of IT controls and to ensure that those controls are compliant with stated policies.
true
A penetration test is not necessarily the best means by which to judge the security of an information system.
true
An IT audit includes elements of a regulatory compliance audit, and an operational audit includes elements of a financial and IT audit.
true
An audit is an assessment.
true
Audits provide reasonable assurance that organizations are compliant with applicable regulations and other industry requirements.
true
Compliance laws and regulations place an increased responsibility on information technology (IT) staff.
true
It was the Enron fiasco that led to the downfall of Arthur Andersen as one of the largest auditing and consulting firms.
true
Penetration tests operate under specific constraints and rules of engagement.
true
The Sarbanes-Oxley Act was created in response to the Enron scandal.
true
gray box pen test
any of the variations that fall between a black-box and a white-box test
A risk-based approach to managing information security
• Identifying and categorizing the information and the information systems
• Selecting and implementing appropriate security controls—actions or changes to be applied to systems to reduce weaknesses or potential losses
• Assessing the controls for effectiveness
• Authorizing the systems by accepting the risk based upon the selected security controls
• Monitoring the security controls on a continual basis
IT security audit program goals
• Provide an objective and independent review of an organization's policies, information systems, and controls.
• Provide reasonable assurance that appropriate and effective IT controls are in place.
• Provide audit recommendations for both corrective actions and improvement to controls.