Sunday, January 13, 2013

Document Management

Document management is synonymous with information management and can feed into the information strategy. It should be encoded within a policy.

It should comprise
  • Creation -
  • Classification - sensitivity, ownership and custody includes labelling
  • Transmission - respond to the risk of inadvertent transmission (e.g. logical and physical access control, clear desk, clear screen, storage encryption policies), deliberate attempts to access or steal documents, and confidentiality of documents sent to 3rd parties*
  • Retention - should take into account commercial value and regulatory requirements. May be a minimum/maximum rule
  • Destruction - should require heightened control where the risks associated with failure to destroy are high. Ideas include destruction certificates, outsourcing, management oversight, formal destruction process.
*Transmission conditions for sensitive data sent to third parties might include the following;
  • Management responsibilities and procedures for controlling and notifying transmission, despatch and receipt.
  • Minimum standards for packaging and transmission.
  • Responsibilities and liabilities in the event of loss of data.
  • Use of an agreed labelling system for sensitive or critical information, ensuring that the labels are immediately understood and that the information is appropriately protected.
  • Information ownership and responsibilities for data protection.
  • Technical standards for recording and reading information.
  • Any special controls that may be required to protect information in transit, such as passwords.
  • Splitting the consignment into more than one delivery and/or despatching
Should take into account the particular security risks related to traffic travelling via the internet.

Saturday, January 12, 2013


Databases are applications that store data. They fall into a number of types;
  • hierarchical
  • networked database systems
  • relational
  • object oriented



There are two types of network.
  • LAN &
  • WAN
Routers connect the two. They are configured to pass and accept messages to and from legitimate WAN addresses. Firewalls can be used, too.

Four types of architecture
  • Bus
  • Ring
  • Star
  • Tree
Network risks include
  • Wiretapping of copper or fibre optic cables
  • Sniffer programs
  • Wireless leakage
Separate domains can be used, but network management is a critical and highly skilled role.

The internet itself is a WAN. It was developed as a means for academics to share files, so it was not developed with security in mind. Messages are broken up into packets for transmission and are reconverted into messages at the target computer. The coding and decoding is done by TCP (Transmission Control Protocol). Major uses of the internet for communication are email and e-commerce.

Network Management

Network management governs connections between hardware, applications, LANs, WANs and the internet. Responsibilities include
  • Planning & design
  • Change management
  • Troubleshooting
  • Maintenance
  • Performance
  • Capacity/availability management
  • Configuring, control and optimisation of networked resources
Network planning is closely aligned to IT strategy.

Managing Outsourcing Arrangements

The following covers the various outsourcing stages.

Requirement Analysis

Services required need to be planned internally and documented. Should be formalised in ITT or RFP documents which need to be very detailed.

Proposal Evaluation and Supplier Selection

XSP Evaluation process would include

- cost
- functionality (viability & their dependence on 3 Ps)
- supplier track record (references, credentials, service history)
- security

Contract Preparation

Contracts should include
  1. Security measures
  2. Change management process
  3. Audit provisions.
  4. Transitional details
  5. Termination provisions
  6. Escalation procedures
  7. Reporting structure, protocols, formats
  8. Regulatory responsibilities
  9. Access control agreements
  10. IPR, copyright issues
  11. Description of services and
  12. Service level agreement

Implementation of new service

May include a number of steps and transfer of staff, equipment, data etc


Service level management should be a defined process with clear reporting protocols. It can use KPIs.


Types of arrangements for managing resources are as follows

- Inhouse
- Outsourced
- Cosourcing
- Partnership
- Colocating

Main reasons/justifications for outsourcing;
  • Savings (Cost)
  • OpeX (Accounting, Cashflow)
  • Flexibility (Quality)
  • Take advantage of new technologies
  • Core Competencies (Quality)
  • Speed of deployment (Time)
  • Scalability (Quality)
Barriers to changing apps internally
  • Familiarity
  • Inevitability of bugs, patches,
  • Training
Hardware, software (Software as a Service - SaaS), network management (Platform/Infrastructure as a service PaaS/IaaS) and people can be outsourced. Outsourcing companies can be called XSPs meaning external service providers.

Application Service provider, Internet Service provider, Management service provider.

Things to consider

- Strategic value of IT to the organisation
- Future needs
- Transition costs
- Feasibility of separating IT (or elements of it) from the business
- Existing human resources

The next section is how to manage outsourcing arrangements effectively.

Capacity Management

The purpose of these activities is to determine how information technology demands will increase and over what timescale.

In essence capacity management is made up of three sub processes:
  • Business capacity management (BCM) – to forecast capacity needs based on business events
  • Service capacity management (SCM) – to ensure capacity levels support established service level targets
  • Resource capacity management (RCM)
  • Performance and workload monitoring
  • Application sizing
  • Resource forecasting
  • Demand forecasting and
  • Modelling
  • Forecasts
  • Capacity plan
  • Tuning data and
  • Service level management guidelines
Possible KPIs related to efficiency and effective capacity management
  • total cost of unplanned capacity expenditures
  • total cost of unused capacity
  • accuracy of capacity forecasts
  • number of incidents related to capacity/performance issues
  • number of service level agreement performance targets missed due to capacity.
ISO 20000 on service management covers this area.

Change Control

Distributed & Local Computing


Elements of project management are as follows

  • project outline
  • feasibility study
  • set-up and testing
  • implementation
  • monitoring.

Features Of System Development

The process should

- respond to agreed business requirements/criteria
- be practical and efficient
- take into account user and staff considerations
- incorporate service management and performance capabilities
- consider security from the very beginning (noting that the development of security is an iterative process)

It should be well documented and progress through the phases should be authorised.

Types Of System Development

There are four types of system development which are as follows;

- Applications developed internally to be marketed commercially to third parties
- Applications developed internally to deploy internally*
- Development by a third party of bespoke software for you.*
- Development by a third party of software sold to your company and others.*

*There is more flexibility internally as support is on hand immediately and the application can be temporarily withdrawn without wider ramifications.

Time, cost and quality considerations need to be taken into account and balanced.

System Development Life Cycle

The basic elements of the system development life cycle are as follows;
  • Plan
Those developing the new system will go out to the end user environment to discover what key functions the new system is expected to have. Constraints such as space, cost and legislation will supplement user needs at this stage. The initial analysis is validated with managers and users to check that the problem and context are fully understood.
  • Design and build
A variety of designs or solutions may be produced and evaluated. Trade-offs may be made between short-term and long-term considerations.
  • Implement
Once the best design is chosen and agreed, software construction begins. The newly developed system then needs to be tested to ensure that it supports the desired functions and provides acceptable performance.
  • Monitor
Monitoring means keeping a watching brief and dealing with maintenance and other issues as they arise, such as errors not discovered during the testing phase, to improve the system's services.

It is good practice to have development lifecycle documents - these should include security.

Life cycle models include the following

- waterfall, rapid prototyping, incremental and spiral.

System Development Testing Phases

Testing during the implementation phase of the system development life cycle should subject the system to conditions as similar as possible to real life. For example

- real information
- operating a capacity similar to expected high capacity workloads

In-house developed software has the following phases

- program testing
- system testing (simulates live running)
- operations acceptance testing to test the system to ensure compatibility and that critical instructions (e.g. restart, back up, recovery) can be performed
- user acceptance testing

Separate domains should be maintained for development, testing and production.

For commercially produced software, the stages would include

- pre-alpha (e.g. QA)
- alpha
- beta (testing ability to deliver and support the software)
- golden master
- first customer ship

Go-live options are as follows

- Big bang
- Phased implementation
- Parallel systems

Friday, January 11, 2013

Operational Management

Conducting the operation and maintenance of computer equipment and services. Comprises

- Production cycle (e.g. deployment of patches, upgrades and installations)
- Back-up management
- Batch management

IT Roles

A typical information technology department would encompass the following roles;


Firewalls are hardware or software used to filter traffic between networks. Often it is used to control traffic from the internet to the organisation's network, but this need not be the case.

The firewall can be configured to deny all with exceptions or accept all with exceptions. The former is the most secure, but bear in mind the costs associated with checking false negatives. The objectives of the firewall ought to be documented. These might include ;

- Rules about no services being run on the firewall other than those required to provide firewall services
- What may or may not be allowed to cross the firewall.
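As an added illustration (not from the original notes), here is a small first-match packet filter evaluated under both stances, with a deliberately short exception list; the addresses, hosts and services are constructed:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "deny"
    src: str                    # CIDR the connection's source must fall in
    dst: str                    # CIDR the connection's destination must fall in
    port: Optional[int] = None  # None matches any destination port


@dataclass(frozen=True)
class Policy:
    default: str             # applied when no rule matches: the "all" in deny-all / accept-all
    rules: Tuple[Rule, ...]  # the exceptions, evaluated first-match


def evaluate(policy: Policy, src: str, dst: str, port: int) -> str:
    """Return "accept" or "deny" for one inbound connection attempt."""
    for rule in policy.rules:
        if (ip_address(src) in ip_network(rule.src)
                and ip_address(dst) in ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return policy.default


# Constructed example: internal hosts in 10.0.1.0/24, internet sources in the
# RFC 5737 documentation range 203.0.113.0/24.
DENY_ALL_WITH_EXCEPTIONS = Policy("deny", (
    Rule("accept", "0.0.0.0/0", "10.0.1.10/32", 443),  # public web server, HTTPS only
    Rule("accept", "0.0.0.0/0", "10.0.1.20/32", 25),   # inbound mail
))

ACCEPT_ALL_WITH_EXCEPTIONS = Policy("accept", (
    Rule("deny", "0.0.0.0/0", "10.0.1.0/24", 23),    # block telnet
    Rule("deny", "0.0.0.0/0", "10.0.1.0/24", 3389),  # block remote desktop
))


def compare(src: str, dst: str, port: int) -> dict:
    """Show what each stance does with the same connection attempt."""
    return {
        "deny_all": evaluate(DENY_ALL_WITH_EXCEPTIONS, src, dst, port),
        "accept_all": evaluate(ACCEPT_ALL_WITH_EXCEPTIONS, src, dst, port),
    }


if __name__ == "__main__":
    for port in (443, 22, 3389, 8443):
        print(port, compare("203.0.113.5", "10.0.1.10", port))
```

The port 8443 case is the cost the notes mention: under deny-all a newly introduced legitimate service stays blocked until a rule is written for it, whereas accept-all lets any unforeseen service straight through.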

Public services should be placed on the outside of the firewall to prevent denial of service threats affecting the internal network.

Behind the firewall a demilitarised zone can be created. In this zone, the types of software tools operating may include the following;

- Hostile applet scare
- Authentication software for users trying to access the LAN remotely or from the internet.
- Net nanny
- Virus scanner 

Another alternative way of controlling traffic from the internet is to have an air gap in which just one computer is connected to the internet. Items are screened there, before being transmitted via a mobile device to computers on the internal network. This does have the disadvantage of being slower.


Hardware is the tangible equipment of a computer system.

It includes mainframes, servers, desktops, UPS, mobile devices and firewalls.

Hardware risks arise from physical and logical contact.

Examples of these risks are as follows which I have separated into overt and surreptitious actions.

  • Vandalism
  • Adjust hardware settings
  • Theft of entire item or components like memory chips
  • Spying (by attaching devices like keystroke loggers to capture information input to the computer)
  • Crashing the system
  • Access software and data for copying, deletion, alteration or transmission to another location
  • Malicious code

IT Equipment

These can be categorised as hardware, software and peripherals.

Features Of A Good IT Security System


Segregation of Duties

Here are some segregation of duties ideas

- Developers should never have access to production data.
- Logical access should never be approved by those setting up user profiles
- Application/operation managers should not be responsible for network controls
- Database access monitoring should be performed by an independent party.
- Dual control over deletions and other significant changes should be considered.

Monitoring Ideas

Application Controls

Business Continuity Planning

Business continuity can be defined as the

'strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level*'

Business continuity planning is the main answer to the risk of an unexpected business interruption. The objectives of a BCP are

1. Survival
2. Protection of corporate assets
3. Control of risks and exposures
4. Preventative measures of business interruption - see physical protection and logical access.
5. Management of business interruption

It should provide a balance between acceptable potential losses as a result of a disaster and acceptable one-off and recurring costs related to business continuity management. Other benefits include

- providing customer confidence/satisfaction
- protecting reputation

BS 25999-1:2006 (code of practice) and BS 25999-2:2007 (specification) are the standards related to business continuity.

Features of an effective plan per BS25999

1. BC management policy -
2. Managing the BCM programme
3. Understanding the organisation and its requirements (incl. sufficiently robust and wide-ranging business risk identification (e.g. scenario planning, stress testing, what if planning) MTPD, RTO setting, available resources etc)
4. Determining the BC strategy (timescales, sequence of recovery)
5. Developing the plan (link to actions taken to respond to specific threats, incident management teams)
6. Exercising and maintaining the BCP - i.e. test ongoing effectiveness and adjust for business changes
7. Embed into the business culture. Ensure all stakeholders understand their responsibilities within the overall plan. (incident management team)

The overall plan needs to be realistic and achievable or it will be useless when called into action.

Recovery options

- Inhouse v outsourced
- recovery sequence (usually customer focused systems first)
- partnership with a similar firm?
- Readiness of facilities - hot, warm, cold, mobile

*What is an acceptable predefined level? Business would describe MTPD = maximum time period of disruption meaning the time that a business process can remain functioning in a limited way. IT would target RTO = recovery time objective meaning the time beyond which the non-availability of a service or function would be unacceptable.

Disaster Recovery

The process of recovering IT systems and services. DR can be seen as a sub-set of business continuity planning. The following are important elements of DR.
  • Risk assessment
  • Identification of most critical systems
  • Putting suitable DR arrangements in place (including suitable authorisations)
Risks within DR
  • Over-reliance on one supplier
  • Failure to test
  • Failure to update plans
  • Commitment to resource disaster recovery process

Back Up

Taking back up copies of essential business information and software should be done to ensure that data and systems can be easily and quickly recovered in the case of a system problem.

Here are the minimal requirements for central IT departments;
  1. Remote location
  2. Accurate and complete
  3. Generations
  4. Restoration procedures
  5. Environment and physical protection in line with main location
  6. Access controls in line with original data
  7. Regularly Tested (incl. the operation of the control, the integrity of the backups and the effectiveness and timeliness of restoration)
Typical back-up cycle - daily, weekly, monthly, annual

Businesses with a greater rate of data change may back up more frequently or consider electronic vaulting, whereby data is written twice, once locally and once to a remote machine.
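An added worked example (mine, not part of the original notes) of two of the requirements above: generations kept on the daily/weekly/monthly/annual cycle, and a restoration test that checks backup integrity against a manifest recorded at backup time. The generation counts and the file contents are constructed; the period ends on the date of this post.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Set

# Generations kept per tier (constructed figures; the notes give the cycle, not counts).
GENERATIONS = {"daily": 7, "weekly": 5, "monthly": 12, "annual": 7}


def tier_for(day: date) -> str:
    """Each backup set belongs to exactly one tier; the longest-lived tier wins."""
    if day.month == 1 and day.day == 1:
        return "annual"
    if day.day == 1:
        return "monthly"
    if day.weekday() == 6:  # Sunday
        return "weekly"
    return "daily"


def schedule(first: date, last: date) -> List[date]:
    """One backup set per day over the period, inclusive."""
    return [first + timedelta(days=n) for n in range((last - first).days + 1)]


def retained(backups: List[date]) -> Set[date]:
    """Keep the newest N generations of each tier; everything older is expired."""
    keep: Set[date] = set()
    for tier, count in GENERATIONS.items():
        in_tier = sorted(d for d in backups if tier_for(d) == tier)
        keep.update(in_tier[-count:])
    return keep


def retained_between(first_iso: str, last_iso: str) -> Set[str]:
    """Same as retained(), taking and returning ISO date strings."""
    kept = retained(schedule(date.fromisoformat(first_iso), date.fromisoformat(last_iso)))
    return {d.isoformat() for d in kept}


def manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Per-file SHA-256 recorded when the backup is taken (requirement 2: accurate and complete)."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def verify_restore(expected: Dict[str, str], restored: Dict[str, bytes]) -> List[str]:
    """Restoration test (requirement 7): report missing, corrupt and unexpected files."""
    problems = []
    for name, digest in expected.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif hashlib.sha256(restored[name]).hexdigest() != digest:
            problems.append(f"corrupt: {name}")
    for name in restored:
        if name not in expected:
            problems.append(f"unexpected: {name}")
    return sorted(problems)


if __name__ == "__main__":
    kept = retained_between("2012-01-01", "2013-01-13")
    print(len(kept), "backup sets retained; newest:", sorted(kept)[-5:])
```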

However, sometimes backups are the responsibility of departments or individuals. In this case, clear guidance is required on responsibilities and protocols especially around handling of removable storage media.

System Recovery

System recovery is an important element of IT security.

Elements of system recovery are
Risks which arise within the above are as follows;

1. Completeness of recovery (quality)
2. Speed of recovery (time)
3. Expense of recovery (cost)

Auditing effort might focus on the above risks to check whether they have been diligently mitigated.

IT Strategy

Establishing a strategy involves assessing where you are, where you want to be and planning how to bridge the gap.

An overview of an IT strategy framework is described below.

External Biz Environment + External IT environment = Org Strategy (Note 1)

Org Strategy leads into Biz Process & Systems (Note 2)

Current IT Assessment leads into Implementation Programmes which interacts with strategic justification.

Org Strategy + Biz Process & Systems + Current IT Assessment (Note 3)  = IT Strategy and the Strategic Justification (Note 4) interacts with the IT Strategy (Note 5)

IT Strategy leads into Implementation Programme (Note 6)

Note 1 - Org strategy (Organisational objectives, KPIs, critical success factors)

Note 2 - Biz Process & Systems (A structured representation of departments and workflows)

Note 3 - Current IT assessment (position, processes, people, tools, governance, control environment and an indication as to what extent IT systems support the organisational needs)

Note 4 - Strategic Justification - The business case. Would include a top-down review, cost/benefit analyses and responsibility assignments for benefit realisation.

Note 5 - IT Strategy - Physical and logical application and data architecture, IT management, IT organisation and IT policies.

Note 6 - Implementation Programmes - Description of key projects to realise IT strategy. Possibly groupings of projects into programmes. Resources required.

Monday, January 7, 2013

E Commerce & E Commerce Security


Knowledge has the following properties.
  • Intangible,
  • Not exhaustive,
  • Sharing increases it
Explicit and tacit (tangible and intangible (know-how))

Knowledge management steps are as follows
  • Identify/create,
  • Collect/codify,
  • Store (in a repository of sorts)
  • Diffuse/use

Data Protection Act 1998

The Act required member states ‘to protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal
data’. It came into force on 1 March 2000. It covers computer and manual records.

The Act contains the following principles. Personal Data (shall)/(shall not) be
  1. Processed fairly and lawfully, and not be processed unless certain conditions are met
  2. Obtained for specified and lawful purposes and not be further processed in any manner incompatible with those purposes.
  3. Adequate, relevant and not excessive in relation to the purpose for which they are processed.
  4. Accurate and, where necessary, kept up to date.
  5. Kept for longer than is necessary for its purpose. 
  6. Processed in accordance with the rights of data subjects under the Act. 
  7. Appropriate measures shall be taken against unauthorised or unlawful processing of personal data.
  8. Transferred to a country outside the EEA unless that country has an adequate level of protection for the rights and freedoms of data subjects.
The legislation enshrines the following rights;
  • Right of ACCESS - max fee of £10
  • Right to PREVENT processing if likely to cause distress or damage.
  • Right to prevent processing for MARKETING
  • Right in relation to AUTOMATED decision
  • Rectification, blocking, erasure and destruction
  • Request for ASSESSMENT


Copyright Designs & Patent Act 1988

This act relates to intellectual property rights (IPR).

Owners of copyrighted material have the right to
  • Copy,
  • Issue,
  • Broadcast and
  • Share their work

Legislation & Regulation

The following legislation relates to computer security and/or information.

Personnel Controls

Screening controls, confidentiality agreements and terms and conditions of employment.

Password Management

This can be done in a centralised or decentralised manner. The advantage of a decentralised model is that in the case of lost passwords etc, the person on the IT helpdesk is more likely to be able to make a positive identification of the individual.

The IT department should create minimum standards for
  • minimum password length
  • the number of previous passwords stored to avoid their re-use
  • obvious passwords which may not be used (if a dictionary checker is not in use)
  • password life
  • the number of access attempts allowed before a user is disconnected
These can be flexed according to the security needs of the system.


System Development

The introduction of new software can be done via system development or through projects. System development is usually performed by teams with system analysis and/or specific programming skills who are responsible for

- Designing,
- Building and
- Developing

applications. We consider the following in further detail.

- Types of system development
- Features of system development
- System development life cycle
- Testing phase (including implementation approaches)

Defence In Depth

The point of defence in depth is that it avoids a single point of failure and that supplementary controls working together increase the combined effectiveness of controls.

Might include some or all of the following.
  • Physical security (linked previously)
  • Policies & Procedures (linked previously)
  • Personnel security
  • Organisational Culture (linked previously)
  • Document Security
  • Audit Trails
  • Business Continuity (linked previously)

Information Security Policies

Should include policies related to the following;
  1. Mobile devices
  2. Access control (linked elsewhere)
  3. Computer forensics (linked elsewhere)
  4. Encryption
  5. Third party
  6. Clear desk

File Interrogations

File interrogation would encompass the following;
  • Objective setting - see internal audit planning process
  • File requirements (determination of)
  • Field Selection within the database - then decide
  • Where to store
  • How much to select and
  • Obtain the data (possibly a pilot) and fine tune
  • Prepare reports
Typical interrogations may include the following;
  • Ensuring liabilities are not unrecorded or under-recorded
  • Review invalid invoices, duplication
  • Review of firewall logs
  • Payroll existence tests
  • GP analysis
  • Completeness of transactions

Processing & Connectivity

Hardware and software together are known as system architecture.

Within infrastructure, we consider the IT roles within a centralised IT department, distributed computing, distributed and local computing and change control.

We consider network.

Computer Forensics

Computer forensics is defined as

techniques used to enable secure collection of computer data and analysis which can be admissible as evidence.

The two key principles of computer forensics are evidential integrity and evidential continuity. Evidential integrity is that the evidence taken must be an exact copy. Evidential continuity means that the chain of events between data contact and evidence presentation must be unbroken.

Throughout a computer forensic exercise, it is important to document all steps thoroughly. When deciding what you need it is important to collect the data you might need for a variety of scenarios. It is good practice to assume that the case may end up in litigation. Remembering that unauthorised seizure can be criminal, it is critical to gain proper permission when gathering evidence. Illegal seizure of equipment or data would lead to an evidential fail.

Care should be taken when gathering evidence as there is a risk that the computer equipment is booby trapped and a poorly executed information gathering may destroy important evidence (e.g. dates). Fishing expeditions often result in evidential fails. The use of specialists should be considered. They would often take images of the data to preserve the integrity of the source data.

How the evidence is retained is important as you must be able to account for evidence at all times post seizure. To ensure evidential integrity forensic software locks data when it is extracted. Failure to perform similar steps would be the third and final example of an evidential fail.
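An added example (not from the original notes) of the two principles in code: an image verified against the source by hash and write-protected, and a custody log in which each entry commits to the hash of the one before it, so both a changed byte in the image and a changed field in the log are detected. The exhibit contents, names and actors are constructed.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from typing import Dict, List


def sha256_file(path: str) -> str:
    """Stream the file so a full disk image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source: str, image: str) -> str:
    """Bit-for-bit copy hashed before and after (evidential integrity).
    The image is made read-only; examination works on further copies of it."""
    before = sha256_file(source)
    shutil.copyfile(source, image)
    os.chmod(image, 0o444)
    after = sha256_file(image)
    if before != after:
        raise RuntimeError("image does not match source; acquisition failed")
    return after


class CustodyLog:
    """Append-only record of who did what to an exhibit and when. Each entry
    commits to the previous entry's hash, so an altered or removed entry
    breaks the chain (evidential continuity)."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, str]] = []

    def record(self, actor: str, action: str, exhibit: str, exhibit_sha256: str) -> None:
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "exhibit": exhibit, "exhibit_sha256": exhibit_sha256,
            "prev": self.entries[-1]["entry_hash"] if self.entries else "0" * 64,
        }
        entry["entry_hash"] = self._hash(entry)
        self.entries.append(entry)

    @staticmethod
    def _hash(entry: Dict[str, str]) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            if entry["prev"] != prev or self._hash(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def run_demo() -> Dict[str, bool]:
    """Constructed exhibit: acquire, log, then tamper with the image and the log."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "seized-usb.bin")
        image = os.path.join(work, "exhibit01.img")
        with open(source, "wb") as fh:
            fh.write(bytes(range(256)) * 64)  # constructed stand-in for a device
        log = CustodyLog()
        digest = acquire_image(source, image)
        log.record("examiner-a", "acquired image", "exhibit01.img", digest)
        log.record("examiner-b", "received for analysis", "exhibit01.img", sha256_file(image))
        result = {"image_verified": sha256_file(image) == digest, "chain_intact": log.verify()}
        os.chmod(image, 0o644)
        with open(image, "r+b") as fh:  # one byte altered in the image
            fh.seek(10)
            fh.write(b"\xff")
        result["tampered_image_detected"] = sha256_file(image) != digest
        log.entries[0]["actor"] = "someone-else"  # one field altered in the log
        result["tampered_log_detected"] = not log.verify()
        return result
    finally:
        shutil.rmtree(work)
```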

Logical Access Control

Logical access control is a very commonly used type of security measure. Aspects of logical access control include
  • Prevention of unauthorised access to the system
  • Detection of unauthorised access to the system
  • Management of access to the system.
Access itself is not binary. There are a number of powers that can be given to the user namely
  • Read
  • Write
  • Delete
Access should be based purely on need and managing access should include at a minimum the following;
  • Segregation of duties should not be compromised.
  • Unique user identification
  • Require users to sign statements indicating understanding of their access rights
  • Granting of access dependent on a suitable level of authorisation including the system owner - extra scrutiny around requests > standard profiles.
  • Regular review of rights with redundant user IDs and accounts removed
However, given that higher levels of security come at a cost, the level of access security should be determined on the basis of a risk assessment.

A number of access security devices can be employed, but a basic log-on procedure should have the following features.
  • Warning notice
  • No help to users
  • Validation only on completion of all input data
  • Limited number of attempts
  • Record unsuccessful attempts
  • Enforce time delay between failed attempts
Further ideas related to passwords are provided here.

Enhanced features may include encryption.

Managing a large number of users' access rights is a costly process which explains the use of standard user profiles.
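An added example (mine, not the author's) that implements both the password standards listed under Password Management above and the basic log-on procedure above: length, history and banned-word checks, password life, and a gate that collects both fields before validating, gives the same reply for an unknown user as for a wrong password, records every failure, enforces a delay between failures and disconnects after a limit. The policy figures and credentials are constructed; the clock is injectable so the delay logic can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Stored = Tuple[bytes, bytes]  # (salt, PBKDF2 digest)


@dataclass(frozen=True)
class PasswordPolicy:
    """The minimum standards the IT department sets; figures are constructed."""
    min_length: int = 12
    history_size: int = 10       # previous passwords that may not be re-used
    max_age_days: int = 90       # password life
    max_attempts: int = 5        # failures before the user is disconnected
    delay_seconds: float = 2.0   # enforced pause between failed attempts
    banned: frozenset = frozenset({"password", "letmein", "welcome1", "qwerty"})


def hash_password(password: str, salt: bytes = b"") -> Stored:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def matches(password: str, stored: Stored) -> bool:
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_new_password(policy: PasswordPolicy, candidate: str, history: List[Stored]) -> List[str]:
    """Reasons a proposed password fails the standard; empty means acceptable."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append("too short")
    if candidate.lower() in policy.banned:
        problems.append("on the banned list")
    if any(matches(candidate, old) for old in history[-policy.history_size:]):
        problems.append("re-uses a previous password")
    return problems


def password_expired(policy: PasswordPolicy, age_days: float) -> bool:
    return age_days > policy.max_age_days


# Checked for unknown users so a failed lookup costs the same time as a wrong
# password: the procedure gives no help about which part of the input was wrong.
_DECOY = hash_password("decoy-" + os.urandom(8).hex())


class LoginGate:
    def __init__(self, policy: PasswordPolicy, credentials: Dict[str, Stored],
                 clock: Callable[[], float] = time.monotonic):
        self.policy, self.credentials, self.clock = policy, credentials, clock
        self.failures: Dict[str, List[float]] = {}  # user -> times of failed attempts
        self.audit: List[str] = []                  # record of unsuccessful attempts

    def attempt(self, user: str, password: str) -> str:
        """Both fields are in hand before anything is validated. Replies are
        "ok", "denied", "wait" (too soon after a failure) or "disconnected"."""
        now = self.clock()
        fails = self.failures.setdefault(user, [])
        if len(fails) >= self.policy.max_attempts:
            return "disconnected"
        if fails and now - fails[-1] < self.policy.delay_seconds:
            self.audit.append(f"t={now:.0f} user={user!r} attempt during enforced delay")
            return "wait"
        if matches(password, self.credentials.get(user, _DECOY)) and user in self.credentials:
            fails.clear()
            return "ok"
        fails.append(now)
        self.audit.append(f"t={now:.0f} user={user!r} failed attempt {len(fails)}")
        return "denied" if len(fails) < self.policy.max_attempts else "disconnected"
```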

Sunday, January 6, 2013

Access Security Devices

Authentication procedures can be bolstered by increasing the security factor.
  • Single factor security is proof by knowledge and where a user proves his/her identity by use of a PIN, a password or some other piece of data/information which should only be known to the user.
  • Two factor security involves proof by possession where proof by knowledge is supplemented by something only the user should have (such as a token or a smart card).
  • Three factor security involves proof by property where the other factors are supplemented by something particular to the user such as their fingerprint or retinal scan. This approach is known as biometrics.
Single factor security is vulnerable to identity theft and Trojan programs capturing password data.

Whilst the higher factor security levels are theoretically more secure, an organisation should ensure that the controls over the issue of authentication are equally strong.

Information Security Management System

The ISMS concept is linked to ISO 27001 specification. It involves the following steps. First 3D;
  • Define scope and boundaries 
  • Define ISMS policy
  • Define the risk assessment approach

Then RMICAAP stuff;
  • Identify the risks
  • Analyse and evaluate the risks
  • Risk Treatment
  • Select control objectives and activities

And finally some disclosure type stuff
  • Gain management approval for residual risks
  • Obtain management approval for the ISMS
  • Prepare a statement of applicability

In the statement of applicability justifications must be provided for not selecting particular controls. Certification of the above must take place annually.

Physical Protection

When selecting a site for a centralised IT function you might consider the following
  • Remote location,
  • Reliable utilities,
  • Locate away from areas susceptible to natural disasters
Within the location the following features could provide additional physical protection to your IT equipment.
  • Access points to a minimum
  • Raised floor,
  • UPS room to provide back up electricity power and generation,
  • heating,
  • ventilation and
  • air conditioning.
The following detection devices could be installed into your secure area.
  • Water, 
  • Intruder,
  • Temperature,
  • Humidity,
  • Smoke
Of course, you can use a range of access security devices.

Governance Strategy

Strategically, the board should be providing the governance framework for the IT function.

Surveys have shown that Boards and Audit Committees may not have the skills required to understand and challenge IT risk and that the means of communicating IT risks to the Board may not be effective.

However, there are some high level considerations. First are the aspirations of the function. There are three levels. These are
  • Basic
  • Central
  • World Class
Within IT governance is the development of an IT strategy.

ISO 38500

ISO 38500 relates to Corporate Governance Of IT. It sets out 6 principles for good corporate governance.
  • Strategy
  • Performance
  • Responsibility
  • Acquisition
  • Conformance
  • Human Behaviour


ValIT which was issued by ISACA attempts to align IT governance with wider business objectives. It attempts to
  • define the relationship between information technology and the business and those functions in the organisation with governance responsibilities.
  • manage an organisation’s portfolio of information technology-enabled business investments.
  • maximise the quality of business cases for information technology-enabled business investments with particular emphasis on the definition of key financial indicators, the quantification of soft benefits and the comprehensive appraisal of the downside risk.
Publications, tools and guidance are provided to support this standard.


CobiT has four main elements to it
  • Plan & Organise (e.g. system architecture, governance)
  • Acquire & Implement (e.g. maintenance plan, execution)
  • Deliver & Support (e.g. security and training)
  • Monitor & Evaluate (e.g. Independent assessments)
CobiT has 34 processes and 210 control objectives.

Ethical Hacking

Hacking can be defined as unauthorised access to computer systems. The 1990 Computer Misuse Act made hacking an illegal activity.

Ethical hacking is the legitimate investigation of system security flaws using tools and techniques known to be employed by hostile attackers. It is also known as penetration testing.

The main purpose of ethical hacking is to discover the risks which you may be exposed to. The main drawbacks are that
  • It is at a single point in time.
  • The ethical hacker's resources are constrained by time and money, which may not be the case with an actual hacker.
  • The ethical hacker may not have the requisite expertise.
You also have to consider the trustworthiness of the hacker.

As a result, ethical hacking should not be seen as a panacea. It should be complemented by other IT controls aimed at preventing or detecting unauthorised remote access including patch control management, strong access controls and monitoring use of systems.

CAAT - Audit Analysis

Here are some ways that CAATs can be used for audit analysis:
  • Information retrieval - e.g. JET, identify patterns, shifts or trends, duplicate records
  • Network security - e.g. system overrides, access authorities
  • Fraud detection - e.g. transaction analysis, comparing supplier and payroll records
  • Audit reporting and management tools
  • Continuous monitoring
  • E-commerce security
See file interrogation for ways that the above may be carried out.
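As an added illustration of the duplicate-record and supplier-versus-payroll comparisons listed above (this is example code written for these notes, not part of the course material or any CAAT product), the script below runs three common file-interrogation tests over small constructed extracts: duplicate supplier master records sharing bank details, employees whose bank details also appear on the supplier master, and duplicate payments of the same invoice routed through duplicate suppliers. The record layouts, field names and all data values are assumptions made up for the example.

```python
"""CAAT-style audit analysis over constructed supplier, payroll and invoice extracts.

Example code added to these notes; the field names and every record below are
made up for illustration and do not come from any real system.
"""
from collections import defaultdict

# Constructed supplier master extract (assumed layout, invented values).
SUPPLIERS = [
    {"supplier_id": "S001", "name": "Acme Stationery Ltd", "sort_code": "40-12-34", "account": "11112222"},
    {"supplier_id": "S002", "name": "Northern Cleaning Co", "sort_code": "20-45-67", "account": "33334444"},
    {"supplier_id": "S003", "name": "ACME STATIONERY LIMITED", "sort_code": "40-12-34", "account": "11112222"},
    {"supplier_id": "S004", "name": "J Smith Consulting", "sort_code": "30-99-88", "account": "55556666"},
]

# Constructed payroll master extract (assumed layout, invented values).
PAYROLL = [
    {"employee_id": "E100", "name": "A Jones", "sort_code": "60-11-22", "account": "77778888"},
    {"employee_id": "E101", "name": "J Smith", "sort_code": "30-99-88", "account": "55556666"},
    {"employee_id": "E102", "name": "P Patel", "sort_code": "20-10-10", "account": "99990000"},
]

# Constructed purchase ledger extract (assumed layout, invented values).
INVOICES = [
    {"supplier_id": "S001", "invoice_no": "INV-0042", "amount": 1250.00},
    {"supplier_id": "S003", "invoice_no": "INV0042", "amount": 1250.00},  # same invoice, duplicate supplier
    {"supplier_id": "S002", "invoice_no": "CL-7", "amount": 300.00},
]


def normalise_account(rec):
    """Bank details as a comparable key: strip separators so '40-12-34' matches '401234'."""
    sort_code = rec["sort_code"].replace("-", "").replace(" ", "")
    account = rec["account"].replace(" ", "").lstrip("0")
    return (sort_code, account)


def duplicate_suppliers(suppliers):
    """Supplier IDs grouped by shared bank details; only groups of two or more are returned.

    Name variations ("Ltd" vs "LIMITED") defeat a name match, so the bank key is used instead.
    """
    groups = defaultdict(list)
    for s in suppliers:
        groups[normalise_account(s)].append(s["supplier_id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def supplier_payroll_matches(suppliers, payroll):
    """(employee_id, supplier_id) pairs whose bank details coincide: a classic fraud indicator
    that the auditor should follow up, not a finding in itself."""
    by_account = defaultdict(list)
    for s in suppliers:
        by_account[normalise_account(s)].append(s["supplier_id"])
    matches = []
    for e in payroll:
        for supplier_id in by_account.get(normalise_account(e), []):
            matches.append((e["employee_id"], supplier_id))
    return matches


def duplicate_payments(invoices, suppliers):
    """Groups of supplier IDs paid the same amount against the same invoice number into the
    same bank account. Invoice numbers are reduced to alphanumerics so 'INV-0042' == 'INV0042'."""
    bank_of = {s["supplier_id"]: normalise_account(s) for s in suppliers}
    groups = defaultdict(list)
    for inv in invoices:
        inv_no = "".join(ch for ch in inv["invoice_no"].upper() if ch.isalnum())
        key = (bank_of[inv["supplier_id"]], inv_no, round(inv["amount"], 2))
        groups[key].append(inv["supplier_id"])
    return [ids for ids in groups.values() if len(ids) > 1]


if __name__ == "__main__":
    print("Duplicate supplier records:", duplicate_suppliers(SUPPLIERS))
    print("Payroll/supplier bank matches:", supplier_payroll_matches(SUPPLIERS, PAYROLL))
    print("Possible duplicate payments:", duplicate_payments(INVOICES, SUPPLIERS))
```

Each test only produces exceptions for the auditor to investigate; a shared bank account may have an innocent explanation (an employee who is also a genuine contractor), which is why the notes warn below about erroneous extrapolation from CAAT output.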

CAATs used for audit analysis face the following problems. Information may be:

  • Confidential
  • Hard to retrieve
  • Encrypted
  • Spread over Several Systems

Ways of tackling this CHESSS problem are:
  • building an audit team with these specialist skills
  • libraries of information describing retrieval routines

Users should be aware of the risks of erroneous extrapolation and inappropriate disclosure related to the use of analysis derived from CAATs.

IT Audit Types

The following are some IT audit types, in descending order from strategic to tactical.
  • Strategy
  • Application/Software Controls

IT Audit Planning

At the highest level, IT audit planning would involve the following generic steps:

  • Define the risk universe - auditable entities and risk assessment
  • Consider results of previous audits or other similar information
  • Consider upcoming plans/projects with senior and middle management
  • Develop a plan, typically for the coming year
At the detailed level, the following steps are taken:
  • Identify the risks
  • Identify the scope
  • Identify audit objectives
  • Design a test strategy (see file interrogations)
  • Estimate resources required

Information System Auditing

The problem with hard and fast rules about information system auditing is that each IT environment is unique (the snowflake theory). For example, each system will differ in the following respects:
  • Centralisation
  • Hardware
  • Empowerment of users
  • Software
  • Size
  • Customisation
  • Operating System
  • Managed In House
Another feature of IT risk is that the risks are both dynamic and overlapping.

When deciding what and how to audit, the following should be considered:
  • Security, Effectiveness & Efficiency
  • Whether issues are pervasive or system specific
  • Whether to plan separately or as part of the overall internal audit plan
At the following links we describe an IT audit plan and some types of IT audit.


These fall under 4 headings.


IT governance is about the management of IT systems. The following are critical elements of good IT governance:
  • Monitoring and enforcement of IT policies and procedures
  • Organisational culture which encourages good behaviour
  • Assessment of performance
  • Tone at the top
To support the above, suitable organisational and management structures are required, as are clear performance goals. A major governance challenge faced by many organisations is the lack of IT knowledge or understanding at board level. This can lead to ineffective management of IT. An organisation might wish to consider having IT report at board level, providing the board themselves with IT training and involving them in the formation of the IT audit plan.

There are three notable codes and standards related to IT governance.
A number of further points can be made about governance strategy.

Policies & Procedures

The benefits of IT policies and procedures are that they:
  • show that management take these matters seriously
  • help staff to take appropriate actions to manage IT risks effectively
  • help management take suitable disciplinary or legal action if wrong-doing has occurred in relation to the use of company IT systems.
Here are some policies and procedures you might expect in an organisation:
  • Acceptable use (incl. email)
  • Electronic connectivity
  • Monitoring and control
  • Software (including system development)
  • Retention
  • ISMS
  • IS security (includes a number of other elements such as cryptography, computer forensics, access control, clear desk and third party)
  • Business Continuity
All policies should be owned by an individual within the organisation. They are responsible for:
  • writing the policy
  • making updates &
  • communicating updates
It is generally best practice to ensure that policies are updated regularly (usually at least annually) and that users of the policy provide written confirmation that they have read and understood policy updates when they happen. These policies and procedures can be backed up by terms and conditions of employment.

Approaches and Techniques to IT Security

Approaches include:
  • Defence in depth (overlapping controls are stronger)
  • Operational responsibilities (set clear expectations - see policies and procedures below)
  • Centralised security (to enable control - see physical protection)
  • Application controls (operating within an application)
  • Monitoring (detective control)
  • Personnel controls (preventative control)
  • User training (preventative control) &
  • Segregation of duties (reducing risks of fraud or error)
I write about how to maximise each of them at the above links. Within the above approaches are a variety of more specific techniques or practices (some of which I cover in more detail).


The whole course begins with some potential IT system attackers. Externally, they might include:
  • State
  • Organised criminals
  • Customers
  • Opportunist criminals
  • Amateur hackers
  • Competitors
  • Hacktivists
The following factors mean that IT systems are ever more vulnerable to attack:

  • Complexity of IT environments means risks are harder to identify/control
  • Intruder techniques improving
  • Dependence on computers increasing

Security is increasingly seen as an integral part of customer service, which makes it ever more commercially important.

The chapter on security opens with the three aspects of information security, namely confidentiality, integrity and availability. Confidentiality is about ensuring that only authorised persons have access to information and systems; integrity is about ensuring that only authorised modifications are made; and availability is about ensuring that authorised users have access to systems and information as required. The section continues by describing in detail some of the different approaches and techniques used to secure IT systems. Details of an information security management system (ISMS) are also provided, as is detail on relevant pieces of legislation and regulation.


This section begins with the information pyramid describing the relationship between data, information, knowledge and wisdom. Wisdom isn't mentioned again. Challenges related to data, knowledge and information management are covered. Information management is described under the heading of 'document' management.

Saturday, January 5, 2013

Introductory Overview

The module deals with a number of elements of information systems auditing. These elements could broadly be categorised as the information systems environment and how to audit it.

Information Systems Environment

The information systems environment is focused on workplaces and organisations. This covers computer components (e.g. hardware and software), computer processing and connectivity (networks and infrastructure). Information in the broadest context is also examined, including knowledge management, document management and aspects of data management (in the context of different database types), and UK legislation pertaining to the above. Challenges relating to IT security are singled out.

Information Systems Auditing

Special features of IT systems relevant to auditing them are explored. Ideas for planning and executing an IS audit are provided. The different types of IT audit are stated and explored in further detail. How to use IT systems to perform audits is covered as a separate topic.

Information Systems Governance

Ways of organising IT departments to ensure effective governance are covered.