- Even if you hate security audits, it's in your best interest to make sure they're done right.
Ask peers at other organizations what they know about prospective auditing firms, and see if you can track down clients who have used the firms but are not on their reference list. Find the right fit. Meet with a range of auditing firms. Consider the small firms specializing in security along with the Big 4 accounting firms, and see which best meets your needs. An auditing firm needs to know whether this is a full-scale review of all policies, procedures, internal and external systems, networks and applications, or a limited-scope review of a specific system.
Smaller firms may choose not to bid on a large-scale project, and larger companies may not want to bother with a review of one system, because they're reluctant to certify a system without looking at the entire infrastructure. Insist on the details. Some firms may be reluctant to go into great detail about their methods without a contract. They may simply slide a sales brochure across the table and say, "Our record speaks for itself." If they're serious about bidding for your business, the auditors will put together a statement of work (SOW), which details how they plan to meet your objectives: the methodologies and deliverables for the engagement.
The devil is in the details, and a good SOW will tell you a lot about what you should expect. The SOW will be the basis for a project plan, and it should include the auditor's methods for reviewing the network. If they balk, saying the information is proprietary, they may simply be trying to hide poor auditing methods, such as running a third-party scanner and handing over its output with no analysis.
While auditors may protect the source of any proprietary tools they use, they should be able to discuss the impact a tool will have and how they plan to use it. Most good auditors will freely discuss their methods and accept input from your organization's staff. Basic methodology for reviewing systems includes research, testing and analysis. Agree on the appropriate payment plan. The bottom line for the bid is how much it will cost and what you're getting for your money. Some auditing firms quote a flat rate in return for a report detailing their findings and recommendations.
Others may estimate the number of days an audit will take, with both sides agreeing to a flexible cost, within limits. For a complex audit of an entire company, many unanticipated issues could arise requiring extensive time from the auditors, making a flat rate more attractive for the contracting organization. If the organization has good documentation or if the scope is limited, a flexible rate may be more economical.
Auditors must make certain assumptions when bidding on a project, such as having access to certain data or staff. But once the auditor is on board, don't assume anything: everything should be spelled out in writing, such as receiving copies of policies or system configuration data. These assumptions should be agreed to by both sides and include input from the units whose systems will be audited. Nobody likes surprises.
Involve the business and IT unit managers of the audited systems early on. This will smooth the process and perhaps flag some potential "Gotchas!" Consider the case of one respected auditing firm that requested that copies of the system password and firewall configuration files be e-mailed to them. One of the targeted organizations flatly refused. In fact, they thought the request was a social engineering test.
Their security policy prohibited external release of any files requiring privileged access to read.
If the audited organizations had been involved in the process from the start, problems like this might have been avoided. So, set the ground rules in advance. Your managers should specify restrictions, such as time of day and testing methods, to limit the impact on production systems. Most organizations concede that denial-of-service or social engineering attacks are difficult to counter, so they may exclude these from the scope of the audit. Make sure the auditors conform to your policy on handling proprietary information.
If the organization forbids employees from communicating sensitive information through nonencrypted public e-mail, the auditors must respect and follow the policy. Give the auditors an indemnification statement authorizing them to probe the network.
This "get out of jail free card" can be faxed to your ISP, which may become alarmed at a large volume of port scans on its address space. As part of this "prep work," auditors can reasonably expect you to provide the basic data and documentation they need to navigate and analyze your systems; exactly what that is will vary with the scope and nature of the audit. The entire process of analyzing and then testing your systems' security should be part of an overall plan. Make sure the auditor details this plan up front and then follows through. The auditor should begin by reviewing all relevant policies to determine the acceptable risks.
They should check for unauthorized implementations such as rogue wireless networks or unsanctioned use of remote access technology. The auditor should next confirm that the environment matches management's inventory. For example, the auditor may have been told all servers are on Linux or Solaris platforms, but a review shows some Microsoft servers.
If the auditing team was selected for Unix expertise, they may not be familiar with Microsoft security issues. If this happens, you'll want the auditor to get some Microsoft expertise on its team. That expertise is critical if auditors are expected to go beyond the obvious. Auditors often use security checklists to review known security issues and guidelines for particular platforms. Those are fine, but they're just guides.
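The inventory check described above can be partly automated. The following is an added example, not code from the original article: it reconciles a management-supplied inventory against what fingerprinting and port scanning actually found, flagging hosts that are undocumented, missing, running a different OS than documented, or exposing services nobody sanctioned (with remote-access services called out separately, since the text names unsanctioned remote access as something to look for). The hostnames, OS labels, service names and the sanctioned-service list are all constructed for the example.

```python
"""Reconcile management's asset inventory against discovery results.

Added example. Both the inventory and the discovery results below are
constructed; in a real audit the inventory comes from the client and the
discovery data from the auditor's own scanning and fingerprinting.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str    # undocumented | missing | os_mismatch | unsanctioned_service | unsanctioned_remote_access
    detail: str


# What management told the auditors (constructed).
INVENTORY = {
    "web01": {"os": "linux"},
    "db01": {"os": "solaris"},
    "app01": {"os": "linux"},
    "bastion": {"os": "solaris"},
}

# What the scan actually found (constructed). "services" is whatever was
# seen listening; the bastion host did not answer at all.
DISCOVERED = {
    "web01": {"os": "linux", "services": ["ssh", "https"]},
    "db01": {"os": "solaris", "services": ["ssh", "pgsql"]},
    "app01": {"os": "windows", "services": ["rdp", "smb"]},
    "fileshare": {"os": "windows", "services": ["smb"]},
}

# Assumed policy: only these services are expected anywhere in scope.
SANCTIONED_SERVICES = {"ssh", "https", "pgsql"}
# Assumed list of remote-access technologies worth flagging on their own.
REMOTE_ACCESS_SERVICES = {"rdp", "vnc", "pptp", "teamviewer"}


def reconcile(inventory, discovered, sanctioned=SANCTIONED_SERVICES):
    """Return every discrepancy between the documented and observed estate."""
    findings = []
    for host, seen in discovered.items():
        expected = inventory.get(host)
        if expected is None:
            findings.append(Finding(host, "undocumented",
                                    f"not in inventory (fingerprint: {seen['os']})"))
        elif expected["os"] != seen["os"]:
            findings.append(Finding(host, "os_mismatch",
                                    f"inventory says {expected['os']}, "
                                    f"fingerprint says {seen['os']}"))
        for svc in seen["services"]:
            if svc in sanctioned:
                continue
            kind = ("unsanctioned_remote_access" if svc in REMOTE_ACCESS_SERVICES
                    else "unsanctioned_service")
            findings.append(Finding(host, kind, svc))
    # Hosts management lists but nobody can find are findings too: either
    # the inventory is stale or the scan missed part of the estate.
    for host in inventory:
        if host not in discovered:
            findings.append(Finding(host, "missing", "in inventory but not discovered"))
    return findings


def platforms_needing_expertise(inventory, discovered):
    """OS families seen in the field that the inventory never mentioned.

    The audit team was staffed against the inventory, so anything returned
    here is a platform the team may need to bring in expertise for."""
    documented = {v["os"] for v in inventory.values()}
    observed = {v["os"] for v in discovered.values()}
    return sorted(observed - documented)


if __name__ == "__main__":
    for f in reconcile(INVENTORY, DISCOVERED):
        print(f"{f.host:10} {f.kind:28} {f.detail}")
    print("platforms not covered by the inventory:",
          platforms_needing_expertise(INVENTORY, DISCOVERED))
```

Run against the constructed data, `platforms_needing_expertise` returns `["windows"]`: the Unix-staffed team in the paragraph above would learn from this, before fieldwork, that it needs someone who knows the Microsoft platform.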
They're no substitute for platform expertise and the intuition born of experience. The auditor will use a reputable vulnerability scanner to check OS and application patch levels against a vulnerability database (see cover story, "How Vulnerable?"). Require that the scanner's database is current and that it checks for vulnerabilities in each target system. While most vulnerability scanners do a decent job, results vary between products and between environments. The auditor should use several tools (see "The Auditor's Toolbox") and methods to confirm his findings, most importantly his own experience.
For example, a sharp auditor with real-world experience knows that many sysadmins "temporarily" open system privileges to transfer files or access a system. Sometimes those openings don't get closed. A scanner might miss this, but a cagey auditor would look for it. Discovering security vulnerabilities on a live production system is one thing; testing them is another. Some organizations require proof of security exposures and want auditors to exploit the vulnerabilities. This can be dangerous. A successful system compromise may be a graphic way to convince management of the dangers of the exposure, but are you prepared to risk compromising or even bringing down a live system?
The SOW should specify the parameters of the testing techniques. And the auditor should coordinate the rules of engagement with both your IT people and the business managers for the target systems. If actual testing isn't feasible, the auditor should be able to document all the steps that an attacker could take to exploit the vulnerability.
For example, if the system password file can be overwritten by anyone with specific group privileges, the auditor can detail how he would gain access to those privileges, but not actually overwrite the file.
Another method to prove the exposure would be to leave a harmless text file in a protected area of the system. It can be inferred that the auditor could have overwritten critical files.
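The "temporarily" opened privileges a few paragraphs back and the group-writable password file here come down to the same non-destructive check. The following added example (not from the article) does two things: it reports sensitive files that are group- or world-writable by reading mode bits only, and it proves write access to a protected directory the way the text suggests, by creating a new, uniquely named, empty marker file with O_EXCL so that no existing file can ever be touched. The directory tree it inspects is constructed in a temporary directory as a stand-in for /etc, the set of sensitive basenames is an assumption, and the mode-bit logic assumes a POSIX filesystem.

```python
"""Non-destructive proof of permission exposures.

Added example. The tree built by build_sample_tree() is constructed and
stands in for a real /etc; SENSITIVE_BASENAMES is an assumed watch list.
"""
import os
import stat
import tempfile
import uuid

# Assumed: files whose writability by anyone but the owner is an exposure.
SENSITIVE_BASENAMES = {"passwd", "shadow", "sudoers", "sshd_config"}


def writable_by_others(path):
    """Reasons `path` is writable by more than its owner, from mode bits only.

    Nothing is opened or written; the check is a stat() and two masks."""
    mode = os.stat(path).st_mode
    reasons = []
    if mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def find_exposures(root):
    """Walk `root` and list (relative path, reasons) for sensitive files that
    others can write to. A scanner keyed on patch levels will not see these;
    a sysadmin's forgotten chmod is exactly what this catches."""
    exposures = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in SENSITIVE_BASENAMES:
                continue
            path = os.path.join(dirpath, name)
            reasons = writable_by_others(path)
            if reasons:
                exposures.append((os.path.relpath(path, root), reasons))
    return sorted(exposures)


def leave_marker(protected_dir, tag="audit-marker"):
    """Prove write access without overwriting anything.

    Creates a brand-new empty file with a unique name. O_EXCL makes the
    kernel refuse if the name already exists, so existing files are never
    clobbered. Returns the marker path, or None if the directory rejected
    the write, which is itself evidence that the control held."""
    marker = os.path.join(protected_dir, f".{tag}-{uuid.uuid4().hex}")
    try:
        fd = os.open(marker, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except PermissionError:
        return None
    os.close(fd)
    return marker


def build_sample_tree():
    """Constructed stand-in for /etc: passwd locked down correctly, shadow
    left 0666 after a 'temporary' change, and a non-sensitive world-writable
    file to show the watch list filtering. Returns (root, etc_dir)."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    for name, mode in (("passwd", 0o644), ("shadow", 0o666), ("hosts", 0o666)):
        path = os.path.join(etc, name)
        with open(path, "w") as fh:
            fh.write(f"# constructed {name}\n")
        os.chmod(path, mode)
    return root, etc


if __name__ == "__main__":
    root, etc = build_sample_tree()
    for rel, why in find_exposures(root):
        print(f"{rel}: {', '.join(why)}")
    print("marker left at:", leave_marker(etc))
```

The report from `find_exposures` is what goes in the write-up ("shadow is group- and world-writable; here is how an attacker would use that"), and the marker from `leave_marker` is the harmless artifact that lets the client infer the critical file could have been overwritten, without anyone having overwritten it.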
The audit's done, and you look at the report. Did you get your money's worth? If the findings follow some standard checklist that could apply to any organization, the answer is "no." While some commercial vulnerability scanners have excellent reporting mechanisms, the auditor should prove his value-added skills by interpreting the results based on your environment and a review of your organization's policies. That analysis should reflect your organization's risks.
A further note on gathering evidence: observing what an individual actually does, as opposed to what they are supposed to do, can give the IT auditor valuable evidence about how a control is implemented and how well the user understands it. A walk-through of a function likewise gives valuable insight into how it is really performed. General controls apply to all areas of the organization, including the IT infrastructure and support services.
Application controls refer to the transactions and data relating to each computer-based application system; they are therefore specific to each application. The objectives of application controls are to ensure the completeness and accuracy of the records and the validity of the entries made to them.
Application controls are controls over the input, processing and output (IPO) functions of an application, and include methods for ensuring that those functions are complete, accurate and valid. After gathering all the evidence, the IT auditor reviews it to determine whether the operations audited are well controlled and effective. This is where your subjective judgment and experience come into play. For example, you might find a weakness in one area that is compensated for by a very strong control in an adjacent area.
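The application controls described above are concrete enough to show in code. The following added example, not from the text, runs a constructed batch of payment records through the three IPO stages: input controls validate each field (accuracy) and check the payee against a vendor master (validity); processing controls make sure every record is either accepted or rejected with a reason, never silently dropped; output controls recompute the record count and control total and reconcile them against the batch header the sender supplied (completeness). The vendor master, the batch, its header and the field names are all constructed.

```python
"""Input, processing and output controls over a constructed payment batch.

Added example. VENDOR_MASTER, BATCH_HEADER and BATCH_RECORDS are made up;
the header values are what an upstream system would send alongside the
batch so the receiver can prove nothing was lost or altered in transit.
"""
from decimal import Decimal, InvalidOperation

# Constructed vendor master file: only these IDs are valid payees.
VENDOR_MASTER = {"V100": "Acme Ltd", "V200": "Globex Inc"}

# Constructed batch header computed by the sender over the original data:
# 500.00 + 250.00 + 300.00 + 200.00 = 1250.00 across 4 records.
BATCH_HEADER = {"record_count": 4, "control_total": Decimal("1250.00")}

# Constructed records as received. Record 3 names an unknown vendor and
# record 4's amount was corrupted (a letter O where a zero should be).
BATCH_RECORDS = [
    {"id": "1", "vendor": "V100", "amount": "500.00"},
    {"id": "2", "vendor": "V200", "amount": "250.00"},
    {"id": "3", "vendor": "V999", "amount": "300.00"},
    {"id": "4", "vendor": "V100", "amount": "20O.00"},
]


def parse_amount(text):
    """Return the amount as a Decimal, or None if it is not a valid number."""
    try:
        return Decimal(text)
    except InvalidOperation:
        return None


def validate_record(rec, master):
    """Input controls: accuracy of the amount field, validity of the payee."""
    errors = []
    if rec.get("vendor") not in master:
        errors.append("unknown vendor")
    amount = parse_amount(rec.get("amount", ""))
    if amount is None:
        errors.append("amount not numeric")
    elif amount <= 0:
        errors.append("non-positive amount")
    return errors


def process_batch(header, records, master):
    """Processing and output controls over one batch.

    Every record ends up in exactly one of `accepted` or `rejected`, so the
    disposition of the whole batch is accounted for. The record count and
    the control total are then recomputed and compared with the header:
    a mismatch means records were lost or altered before they reached us,
    independently of whether individual records passed validation."""
    accepted, rejected = [], {}
    input_total = Decimal("0")
    accepted_total = Decimal("0")
    for rec in records:
        errors = validate_record(rec, master)
        amount = parse_amount(rec["amount"])
        if amount is not None:
            input_total += amount
        if errors:
            rejected[rec["id"]] = errors
        else:
            accepted.append(rec["id"])
            accepted_total += amount
    return {
        "accepted": accepted,
        "rejected": rejected,
        "record_count_ok": len(records) == header["record_count"],
        "control_total_ok": input_total == header["control_total"],
        "input_total": input_total,
        "accepted_total": accepted_total,
    }


if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH_RECORDS, VENDOR_MASTER)
    for key, value in result.items():
        print(f"{key:18} {value}")
```

On the constructed batch the record count reconciles but the control total does not (1050.00 received against 1250.00 declared), which is the completeness control doing its job: the corrupted amount in record 4 is caught twice, once as an input error on that record and once as a batch-level reconciliation break that would stand even if the record had been silently dropped.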
It is your responsibility as an IT auditor to report both of these findings in your audit report. When you communicate the audit results to the organization, this will typically be done at an exit interview, where you will have the opportunity to discuss any findings and recommendations with management. You need to be absolutely certain of your facts. Your presentation at this exit interview will include a high-level executive summary; as Sgt. Friday used to say, "Just the facts, please, just the facts." CISA certification, then, definitely opens doors to many opportunities.
We are familiar with the term auditing, which is usually associated with financial auditing. We also come across terms like quality audit, management audit, environment audit and now, Information Systems Audit. So, who can be an IS Auditor? To quote from the well-known book Information Systems Control and Audit by Ron Weber: "To be a good auditor, you have to be better at business than your client." So the expectations of an information systems auditor are rather high. The IS auditor should know what the business expects from information systems, what the best IT practices are, and whether the information systems of an organization realize these expectations and best practices.
Since all businesses are now heavily dependent on information systems, management wants assurance from independent experts. This has raised the status of the CISA designation, which is often a mandatory qualification for an information systems auditor. The CISA examination and certification were initiated to address industry requirements, and today there are tens of thousands of CISAs worldwide. The syllabus is periodically enhanced to reflect current trends in information technology.
The current syllabus is organized into domains, each carrying a weighting in the examination paper. The first domain describes the best IS management practices. To begin with, it defines the entire organizational structure of the Information Systems department, from Chief Information Officer to tape librarian or data-entry operator. In the current climate of downsizing and outsourcing, we may not find all the classical job definitions and practices in an organization, but we still need to understand the best practices for managing the IS department, planning its activities and having an appropriate management structure in place.
A further domain covers the technologies pertaining to hardware, software and networking. Understanding the technology is essential to evaluating whether an implementation has been done appropriately.
Another domain focuses on information security management. You have to study the various vulnerabilities of the infrastructure as well as the security technologies that protect against them: logical access controls, network access controls such as firewalls and intrusion detection, encryption, and environmental and physical exposures and their controls. Business continuity has become a major focus area, as the availability of information systems has become critical to business.