5.4 it security audit (mauritius)

IT Security Audit of Information Systems M. Imran Ameerally Project Manager IT Security Unit Ministry of Information and Communication Technology 22 April 2010

Agenda About IT Security Unit Types of Audits Conducted Companies Division Audit Audit Tasks Audit Deliverables Overview of Audit Findings Benefits of the Audit

About IT Security Unit (I) Objectives To implement Government policies with regar ds to IT Security To assist Ministries/Departments in the implementation of security standards To disseminate information on IT security To carry out security audits

About IT Security Unit (II) Strategic Activity Areas for IT Security Unit : ISO Information Security Standards IT Security Audits of Government Systems Security Awareness and Promotion Develop Security Policies and Guidelines Advisory Service to Ministries and Departments on IT Security

Types of Audits Conducted (I) ISO/IEC 27001 Internal audits Part of certification process Information Security Assessments Complete or Partial – to know security posture of the organisation In House Security Audits Outsourced Security Audits

Types of Audits Conducted (II) In House Security Audits Target : Ministries and Departments with IT Infrastructure of basic to medium complexity Scope : Key components of the IT infrastructure Servers and Network devices Representative sample of PCs in use at the organisation

Types of Audits Conducted (III) In House Security Audits Approach Conducted by IT Security Unit staff Use of an Industry standard Vulnerability Assessment Toolset Outcome Report on vulnerabilities identified and recommendations Recommendations implemented by Ministries/Departments

Types of Audits Conducted (IV) Outsourced Audits Target : Highly complex and critical Information Systems of the Government Audits undertaken by consultants following a tendering exercise IT Security Unit manages the project Post Audit Implementation Committee set up with various stakeholders to implement audit recommendations

Companies Division Audit Outsourced Audit conducted by external consultants in December 2008 Scope Include all components of the Information System: application software, middleware, database, operating system, hardware and network infrastructure All interfaces to/from remote applications

Audit Tasks (I) Task 1 Identify vulnerabilities of the information system and rate them in terms of risk level (e.g. High, Medium and Low) Perform checks regarding: Adequacy of logical security controls to protect data from unauthorised access Effectiveness of all interfaces with remote applications

Audit Tasks (II) Adequacy of input, processing, and output controls to ensure data integrity Adequacy of physical access controls for the Information System Determine areas that may be susceptible to fraud and assess the adequacy of related controls Assess the availability and performance of the Information System and the mechanism used for their monitoring

Audit Tasks (III) Assessment of all applicable domains/control as listed in ISO/IEC 27001 Task 2 Propose measures to address each vulnerability identified together with the implementation timeframe and related cost estimates through a risk mitigation strategy Technical or operational measures

Audit Tasks (IV) Task 3 Elaborate a Security Policy for the Information System which includes ISO/IEC 27001 controls Task 4 Elaborate an IT Contingency Plan (ITCP) for the Information System

Audit Tasks (V) Task 5 Provide a transfer of knowledge gained from the IT Security Audit to selected staff Allow technical IT staff to be fully acquainted with the tools used for the audit and the methodology applied A standard small-scale sample application utilized with hands-on usage of auditing tools and techniques followed by analysis and interpretation of the results

Audit Deliverables (I) Audit deliverables to be submitted at the end of each phase of the Audit Audit broken in 3 phases Phase 1 – Planning the Audit Phase 2 – Performing the Audit Work Phase 3 – Reporting Audit Results

Audit Deliverables (II) Phase 1 – Planning the Audit Inception Report which include the following: Agreed methodology to be used for assessing the risk areas and conducting the audit Detailed workplan for conducting tasks 1 to 5 Approach to be used for providing the transfer of knowledge

Audit Deliverables (III) Phase 2 – Performing the Audit Work Draft Audit report which include the following: Methodology used for assessing the risk areas and conducting the audit Tests performed and tools/software that have been used during the exercise Weaknesses found and areas of risks identified with clear indication on the severity

Audit Deliverables (IV) Time bound corrective action proposed (short and long term) with procurement details (i.e. specifications and cost estimates) where applicable Draft Security Policy for the Information System Draft IT Contingency plan for the Information System Weekly status meetings to review findings

Audit Deliverables (V) Phase 2 – Reporting Audit Results Final IT Security Audit report which contain all reportable issues (findings) Report must be comprehensive and include the following information: Executive Summary, detailing the significant issues (findings) and a high level corrective action plan Scope of the IT Security Audit Objectives

Audit Deliverables (VI) Methodology used for assessing the risk areas and conducting the audit Tests performed and tools/software that have been used during the exercise Audit results which address the audit objectives, including detailed information on weaknesses found and areas of risks identified with clear indication on the severity of the findings

Audit Deliverables (VII) Time bound corrective action proposed (short and long term) with procurement details (i.e. specifications and cost estimates) where applicable including recommendation of measures to strengthen the security of the Information System Final Security Policy document for the Information System Final IT Contingency plan

Overview of Audit Findings (I) Findings broken into 3 categories Application Security Network and System Security Physical Security Severity Rating Basis of giving severity rating Recommended timeframe to fix High Privileged access or severely impact system operation Immediate Medium Hacker may gain limited user or network level access Within 1 month Low Minimal possibility for hacker to again access to resources Within 6 months

Overview of Audit Findings (II) Some examples … Application Security Configuration of Application Server to be strengthened Input validation to be implemented for all data input Define user access roles Do not allow simultaneous logins of same user

Overview of Audit Findings (III) Network and System Security Use of strong passwords Hardening of Operating System Use of a legal banner Enable auditing on systems Physical Security Strengthen entry controls in high security area

Benefits of the Audit (I) Health check of the Information System from a security perspective: Physical, Network and Application levels Security policy endorsed by top management of CD that provides a framework for implementing security procedures and guidelines

Benefits of the Audit (II) Availability of an IT Contingency Plan that should be followed in case of IT failure/disruption Documented procedures Physical Security strengthened and physical access control implemented

Benefits of the Audit (III) Post Audit Implementation Committee Corrective Action Plan elaborated Cross functional team of different stakeholders set up to monitor, review, maintain and continuously improve the information system Several working sessions held where implementation of audit recommendations is closely monitored

Benefits of the Audit (IV) Ultimately Enhanced security posture of the Information System Information System is less vulnerable A process is in place to identify vulnerabilities, reduce threats, manage risks and act in case Information System is impacted

5.4 it security audit (mauritius)

More Related Content

What's hot (20)

Similar to 5.4 it security audit (mauritius) (20)

More from Corporate Registers Forum (20)

Recently uploaded (20)

5.4 it security audit (mauritius)