C376 Different responsibilities of IS auditor

Republic Polytechnic, course C376 (subject: Information Systems). Lecture notes dated Nov 24, 2024, 17 pages.
C376_WO01_6P.pdf

Learning objectives
- Understand IT compliance and IT audit in supporting organisational strategies and objectives
- Apply IT strategy
- Identify different types of IT governance framework and assess their effectiveness
- Apply IT risk and compliance as well as internal audit organisational structure concepts
- Understand the IS auditor's role in project management

Project management processes
- A typical project management process includes: Initiating, Planning, Executing, Controlling and Closing
- The project is handed over to end users once it is closed. During project closure:
  - Assign outstanding issues to someone to follow up
  - Archive the project documentation
  - Discuss lessons learned

Project vs programme (reconstructed from the slide figure)
- Project: starts with a project charter and ends with completion; managed by a project manager
- Programme: a group of projects that are closely linked through a common end; usually of longer duration, higher budget and higher risk than a single project; managed by a programme manager

Considerations for the IS auditor
- The connection between the organisation's strategy and the project
- The relationship between the project and other projects
- The connection between the project and the underlying business case
- Going through these considerations helps the IS auditor to identify:
  - Common objectives for the organisation
  - Risk
  - Resource connections

Project organisational forms: projectised, matrix and influence.
Role of the IS auditor in projects
- The IS auditor plays the role of control expert in application development projects
- The auditor may be included in the project team as an advisor, but may then be ineligible to perform the audit of the system once it becomes operational (independence is compromised)
- The IS auditor should review the adequacy of:
  - The amount of involvement from the project committee/board, e.g. via meeting minutes
  - The risk management methods, including the risk responses chosen (reduce, avoid, transfer, accept)
  - The processes for planning and dependency management
- He/she should be clear about the roles and responsibilities in project management, including those of the project team, the systems engineer and the security officer
- Tasks include:
  - Identifying significant application components and the flow of transactions (data flow)
  - Identifying the application control strengths and evaluating the impact of the control weaknesses
  - Evaluating the control environment by analysing test results and other audit evidence to determine that the control objectives are achieved
  - Considering the operational aspects of the application to ensure its efficiency and effectiveness
C376_WO02_6P.pdf

Learning objectives
- Understand the Systems Development Life Cycle (SDLC) and evaluate the business case for proposed investments
- Evaluate the project management framework and controls to determine whether the organisation's business requirements are achieved cost-effectively while risks are managed
- Understand methods of migrating a system into the production environment after UAT

Business case
- Provides information, including a cost and benefits analysis, and the justification for an organisation or IT Steering Committee to decide whether a project should proceed
- It is the first step of a project and the output of a feasibility study. It includes:
  - Define the project scope
  - Conduct a current-state analysis
  - Identify requirements based on stakeholder needs
  - Recommend an approach
  - Evaluate the cost-effectiveness of the approach
  - Conduct a formal review with stakeholders
- The IS auditor should:
  - Review the documentation for the phase to ensure it is reasonable
  - Check that a cost and benefits analysis was performed and that anticipated costs and expected benefits were calculated
  - Check whether the solution can be achieved with current systems; if not, review the evaluation of alternative solutions to ensure it is reasonable
  - Determine whether the chosen solution is suitable
Evaluating projects
- Management needs to know whether a high investment in IT projects/solutions is worth it. Projects are judged on cost, time, scope and quality.
- To assess projects, the IS auditor needs to understand how the business defines Return on Investment (ROI). In this course it is computed as a ratio:
  ROI = Net income / Total investment
- Example from the week 02 worksheet (two alternatives with the same net income of $50,000):
  - Total investment $2,000: ROI = 50,000 / 2,000 = 25
  - Total investment $2,500: ROI = 50,000 / 2,500 = 20
  The cheaper alternative gives the higher ROI.

Testing
- During testing, the IS auditor should:
  - Review the test plan and end-user procedures for accuracy and completeness
  - Interview end users of the system about their understanding of the operating instructions
  - Verify that system security works as designed
  - Review unit and system test plans to determine whether tests for internal controls are planned and performed
  - Review the user acceptance testing results and ensure that the accepted software is the version delivered to the implementation team; the vendor should not be able to replace this version
Production cut-over
- Prior to system production cut-over, IS auditors must be able to provide management with an effective assessment of the system's readiness
- Plan ahead: preparation should take place well in advance of the implementation date
- Each step of setting up the production environment should be documented, including who is responsible, how the step will be verified, and the back-out procedure
- Step 1, develop support structures: define the required roles; find out which skills the support personnel need to improve by conducting workshops with them to understand their current tasks, skills and tools
- Step 2, establish support functions: develop plans for staff training and end-user training
- During the implementation phase, the IS auditor should:
  - Verify that the appropriate sign-offs have been obtained
  - Review all system documentation to ensure that all recent updates from the testing phase are included
  - Verify all data conversions to ensure they are correct and complete

Certification and accreditation
- Certification is the technical review of the system or product, e.g. a Palo Alto firewall tested against the Common Criteria at EAL4+. It involves an audit of security controls, a risk assessment or a security evaluation. Typically the results of the certification testing are compiled into a report: the auditor's opinion to management on whether the system meets the business requirements, has appropriate controls, and is ready to go live.
- Accreditation is management's formal acceptance of the system (and of the residual risk that the certification report identifies). It is an important step before the system goes live.
C376_WO03_6P.pdf

Learning objectives
- Apply post-implementation review to determine whether project deliverables, controls and the organisation's requirements are met
- Analyse the results of periodic Information Systems reviews so as to meet the organisation's objectives
- Understand practices in problem and incident management to determine whether incidents, problems or errors are recorded, analysed and resolved in a timely manner

Post-implementation review
- Purpose: to determine whether project deliverables, controls and the organisation's requirements are met
- Conducted after the system has been in production for a period of time, to measure the project's overall success and its impact on the business
- Metrics include total cost of ownership (TCO) and return on investment (ROI)
- The IS auditor should:
  - Determine whether the system's objectives and requirements were met
  - Determine whether the cost benefits are being measured, analysed and accurately reported to management
  - Review program change requests to understand the changes made to the system
  - Review security controls to ensure they are operating according to design
  - Review error logs to check for operating problems
  - Review reports to verify that the system is processing data accurately
Change management
- The change management process should be formal and documented, and should include procedures for:
  - Authorisation
  - Details of the request
  - Testing of changes
  - Implementation, i.e. deploying the change into production
  - Communication to end users
  - Handling unauthorised changes
- The procedures may vary according to the type of change request: emergency changes, major changes, and minor changes (enhancement or defect)
- The IS auditor should review the change management process for possible improvements in methodology and procedures, looking at:
  - Response time and response effectiveness
  - Emergency procedures
  - The change requests raised, and whether the appropriate operations documents were updated

Problem and incident management
- Problem management deals with solving the underlying cause of one or more incidents, to resolve the root cause of errors and find permanent solutions. This process operates at the enterprise level.
- Incident management aims to restore service as quickly as possible to meet Service Level Agreements (SLAs). This process is primarily aimed at the user level.
- Incidents must be prioritised by urgency and by impact. IS management should have criteria for assigning incident priority, e.g. in an e-commerce company, a network failure of the web server should be given high priority.
- The IS auditor should examine problem reports and logs to ensure that incidents are resolved in time and by those most capable of resolving the problem.
Network audit
- When auditing a network, the IS auditor should review the controls over network implementations, ensuring that standards are present for:
  - The design and selection of the network architecture
  - A suitable cost-benefit relationship between network procurement and operation
- Physical controls to review (reconstructed from the slide table): network hardware; controls in the server facility, including temperature, humidity, static electricity, surge protection and cleanliness; the network wiring closet and transmission wiring; protection of backup media
- Logical controls to review: passwords; network user access; documentation and change requests; key logs; security reports and mechanisms
C376_WO04_6P.pdf

Learning objectives
- Understand the need for release management and recognise best practices for it
- Evaluate IT operations, e.g. job scheduling, configuration management, capacity and performance management, to determine whether they are effectively controlled and continue to support the organisation's objectives
- Recognise the importance of Information Systems maintenance in supporting the organisation's objectives
- Evaluate IT maintenance (patches, upgrades) to determine whether it is controlled effectively and continues to support the organisation's objectives
- Recognise the importance of confidentiality, integrity and availability
- Evaluate IS policies, standards, guidelines and procedures for completeness, for alignment with generally accepted practices, and for compliance with applicable external requirements

IT operations
- The IT Operations team is responsible for the ongoing support of the organisation's computing and IS environment, ensuring that:
  - Computer processing requirements are met
  - End users are satisfied
  - Information is processed securely
  - Outside parties (third parties, cloud computing) meet the company's processing requirements
- The organisational structure of IT operations depends on the size of the computing environment, e.g. one manager and one system administrator, or a team of hundreds supporting global operations
- The IS auditor should understand the scope of IT operations when conducting an audit of this area
- The IT control environment requires procedures detailing operational tasks and processes as well as IS management oversight. Such IT Operations documentation includes procedures for:
  - Operating instructions for computers and peripheral equipment, e.g. photocopiers
  - Monitoring systems and applications, e.g. file server capacity
  - Detection of system and application errors and issues
  - Handling IS problems and escalating unresolved issues, e.g. the helpdesk escalates critical issues to a level 2 engineer
  - Backup and recovery, e.g. backup to offsite storage or tape, and recovery from it
Job scheduling
- Job scheduling is a major function within the IT department. In environments with a large number of jobs, it may be managed with job scheduling software, e.g. Systemwalker (Fujitsu) or Linux cron jobs
- Server resources must be able to support the number of jobs running
- The schedule includes:
  - The jobs that must be run (the slide's example shows batch jobs such as a weekly backup and a monthly backup)
  - The sequence of job execution
  - The conditions that cause job execution
  - The ability to prioritise jobs according to time availability
- The scheduling review by the IS auditor includes (reconstructed from the slide table):
  - Daily job schedule: are jobs run according to schedule? Is the output of the daily job saved?
  - Process priorities: are jobs prioritised in the correct order?
  - Console log or status screen: is the status of jobs monitored?
  - Processing log and exception processing: are exception processing requests recorded?
  - Re-executing a task/job: are re-executed jobs authorised and logged? Do procedures ensure the correct input files are used and that subsequent jobs are rerun?
  - Personnel: are those who can assign or change job schedules or job priorities authorised to do so? Is written or electronic approval from the owners obtained when ad-hoc jobs are scheduled?

Hardware maintenance
- When auditing hardware maintenance, the IS auditor should ensure that a formal maintenance plan has been developed, that it is approved by management, and that it is implemented and followed
- To perform optimally, hardware needs to be cleaned and serviced on a routine basis, e.g. a photocopier
- Identify maintenance costs that exceed budget or are excessive. In the photocopier example, the machine needs to be serviced every 3 months, but to save money the company services it once a year. There is a saving in the first year, but in the second year wear and tear means parts must be replaced, which may cost even more. Excessive maintenance cost is therefore likely an indication that the maintenance procedures are not being followed
Source code and version control
- Source code is the lines of a computer program as written, e.g. in Java: System.out.println("Hello World!");
- There are two types of version control system (VCS):
  - Centralised version control system (CVCS), e.g. Subversion
  - Distributed version control system (DVCS), e.g. Git
- Key advantages of a DVCS: new changes are committed locally first, before anyone else sees them; developers can work remotely, as the entire repository is replicated to the local PC
- The IS auditor should be concerned about the following:
  - Who has access to the source code? Who can commit code?
  - Is the correct source code used for compiling to object code?
  - Are the change and release procedures followed?
  - Is the source code backed up?
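The question "is the correct source code used for compiling to object code?" can be answered mechanically when the reviewed version is recorded by its Git object id. The following is an added example, not code from the course slides: it recomputes Git's blob id (sha1 over "blob <size>", a NUL byte, and the file content, which is what `git hash-object` prints) for the files found on a build host and compares them with a release manifest. The manifest format (path to blob id) is an assumption for illustration, and the build-host snapshot is constructed; the two object ids in the manifest are the real ids for an empty file and for the text "test content\n".

```python
"""Added example (not from the course slides): confirm that the source on a
build host is the source that was reviewed, by recomputing Git blob ids."""
import hashlib
from typing import Dict


def git_blob_id(content: bytes) -> str:
    """Hex object id Git assigns to a file with this content (`git hash-object`)."""
    header = b"blob %d\x00" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def check_sources(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Compare every file against the manifest.

    Status per path: ok (matches the reviewed blob), modified (content differs),
    missing (in manifest but not on disk), unexpected (on disk but never reviewed).
    """
    status: Dict[str, str] = {}
    for path, expected in manifest.items():
        if path not in files:
            status[path] = "missing"
        elif git_blob_id(files[path]) == expected:
            status[path] = "ok"
        else:
            status[path] = "modified"
    for path in files:
        if path not in manifest:
            status[path] = "unexpected"
    return status


# Assumed manifest format: path -> blob id of the reviewed file. The ids are
# genuine Git object ids for the stated contents, so they are independent of
# the code above and can be checked with `git hash-object`.
RELEASE_MANIFEST = {
    "README": "d670460b4b4aece5915caf5c68d12f560a9fe3e4",     # b"test content\n"
    "empty.cfg": "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391",  # empty file
    "build.sh": "e69de29bb2d1d6434b8b29ae775ad8c2e48c5391",   # also empty when reviewed
}

# Constructed snapshot of what is actually on the build host.
BUILD_HOST_FILES = {
    "README": b"test content\n",                      # unchanged
    "empty.cfg": b"DEBUG=1\n",                        # edited after review
    "backdoor.py": b"import os; os.system('id')\n",   # never reviewed; build.sh is gone
}

if __name__ == "__main__":
    for path, state in sorted(check_sources(BUILD_HOST_FILES, RELEASE_MANIFEST).items()):
        print(f"{state:10s} {path}")
```

Run against the constructed snapshot it reports README as ok, empty.cfg as modified, build.sh as missing and backdoor.py as unexpected; the last two are the findings that a plain "does the hash match" check on a single file would miss.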
C376_WO05_6P.pdf

Learning objectives
- Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organisation are being adhered to and whether the strategic objectives are met
- Evaluate the organisation's IT policies, standards and procedures, and the processes for their development, approval, implementation, maintenance and monitoring, to determine whether they support the IT strategy and comply with regulatory and legal requirements
- Demonstrate the optimal selection of logical security controls
- Understand generally accepted practices to protect information assets

Information Security Management (ISM)
- ISM is the most critical factor in protecting information assets. Its key elements include:
  - Senior management leadership, commitment and support
  - Established policies, standards and procedures
  - Definition of roles
  - Security awareness and education
  - Monitoring and compliance
  - Incident handling and response
- ISM roles: executive management; the information security steering committee; the chief information security officer (CISO); the chief privacy officer (CPO); information asset owners and data owners; users; IS auditors; the information security specialist/administrator; IT developers; external parties/advisors
Are the controls effective and sufficient?
- Very often, organisations, system administrators and IS auditors face the challenge of checking whether their controls are effective or sufficient
- The criterion used here is at least ONE control in each of the three areas: preventive, detective and corrective. The slide's matrix maps each control type (administrative, technical, physical) against these three areas
  - A preventive control stops an unwanted event from occurring
  - A detective control records events, wanted and unwanted, so that an unwanted event can be identified after it occurs
  - A corrective control fixes the consequences of a detected event and improves the existing process where it is found to be defective, so the event does not recur

C376_WO06_6P.pdf

Learning objectives
- Evaluate the design, implementation and monitoring of system and logical security controls to verify the confidentiality, integrity and availability of information
- Evaluate the design, implementation and monitoring of data classification processes and procedures for alignment with the organisation's policies, standards and procedures and with applicable external requirements
- Identify best practices for the storage, retrieval, transportation and disposal of information assets
- Evaluate the processes and procedures to store, retrieve, transport and dispose of information assets to ensure adequate protection
- Identify personal data from the perspective of an individual as well as of an organisation
Logical access controls
- Logical access controls are the primary means used to manage and protect information assets
- IS auditors need to understand the organisation's IT environment, which consists of the following security layers, so as to assess logical access controls effectively: application, database, OS platform and network
- [Figure: the four security layers shown beside the OSI model (application: HTTP, FTP; presentation: JPEG, GIF, MPEG; transport: TCP, UDP, SPX; network: IP, IPX; data link: Ethernet, ATM; physical)]

Paths of logical access
- Access, or points of entry, to an organisation's IS infrastructure can be gained through:
  - Direct access, e.g. a standalone PC
  - The local area network, e.g. a wireless network
  - Remote access, e.g. FTP, VPN
- Any point of entry that is not controlled effectively can potentially compromise the security of the organisation's critical information resources
- The IS auditor should determine whether all points of entry are identified and managed

Identification and authentication (I&A)
- I&A is the process of establishing and proving a user's identity
- For most systems, I&A is the first line of defence: it prevents unauthorised people (or processes) from entering a computer system or accessing an information asset
- Common I&A vulnerabilities include:
  - Use of simple or easily guessed passwords
  - Lack of encryption for authentication and for the protection of information transmitted over a network, e.g. using TELNET or FTP to reach servers and Cisco switches: the passwords cross the network in cleartext
  - Lack of awareness of the risk of sharing authentication elements, e.g. sharing the administrator password
  - Lack of confidentiality and integrity for stored authentication information, e.g. /etc/shadow on Unix-like systems, the SAM file on Windows

Authentication methods
- The IS auditor should be familiar with the organisation's authentication policies
- Logon ID with password, tokens, biometrics
- Multifactor authentication: a combination of more than one authentication factor, i.e. something the user knows, has or is
- Single sign-on (SSO): the process of consolidating all of an organisation's platform-based administration, authentication and authorisation functions into a centralised administrative function
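Reviewing stored authentication information such as /etc/shadow is something an auditor can script rather than eyeball. The following is an added example, not code from the course slides: it parses shadow(5)-style records (name, hash, day of last change, min age, max age, warning, inactive, expiry, reserved) and flags accounts with no password, a password older than the 60-day standard used in this course, a maximum age that exceeds that standard, or a weak MD5-crypt hash. The sample records and "today" value are constructed, the hash fields are placeholders rather than real crypt output, and the 60-day limit is taken as the policy to audit against.

```python
"""Added example (not from the course slides): audit /etc/shadow-style records
against a 60-day password ageing standard and for weak stored credentials."""
from dataclasses import dataclass
from typing import Dict, List, Optional

POLICY_MAX_AGE_DAYS = 60        # course standard: passwords changed every 60 days
WEAK_HASH_PREFIXES = ("$1$",)   # MD5-crypt; expect $6$ (SHA-512 crypt) or $y$ (yescrypt)


@dataclass
class ShadowEntry:
    name: str
    pw_hash: str
    lastchg: Optional[int]    # days since 1970-01-01 of last change; None if empty
    max_days: Optional[int]   # maximum password age; None if empty (never expires)


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow(5) record; only the first five fields matter here."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields: {line!r}")
    name, pw_hash, lastchg, _min_days, max_days = fields[:5]
    return ShadowEntry(name, pw_hash,
                       int(lastchg) if lastchg else None,
                       int(max_days) if max_days else None)


def audit_entry(e: ShadowEntry, today: int) -> List[str]:
    """Return the findings for one account; an empty list means compliant."""
    if e.pw_hash == "":
        return ["no password set"]          # empty field: login without any credential
    if e.pw_hash.startswith(("!", "*")):
        return []                            # locked or no-login account: ageing does not apply
    findings: List[str] = []
    if e.pw_hash.startswith(WEAK_HASH_PREFIXES):
        findings.append("weak hash algorithm (MD5-crypt)")
    if e.max_days is None or e.max_days > POLICY_MAX_AGE_DAYS:
        findings.append(f"max age {e.max_days} exceeds policy of {POLICY_MAX_AGE_DAYS} days")
    if e.lastchg is None:
        findings.append("last-change date missing; ageing cannot be enforced")
    elif e.lastchg != 0 and today - e.lastchg > POLICY_MAX_AGE_DAYS:
        # lastchg == 0 means the user must change the password at next login
        findings.append(f"password not changed for {today - e.lastchg} days")
    return findings


def audit_shadow(text: str, today: int) -> Dict[str, List[str]]:
    """Audit every non-blank record; returns {account: findings}."""
    entries = (parse_shadow_line(line) for line in text.splitlines() if line.strip())
    return {e.name: audit_entry(e, today) for e in entries}


# Constructed sample; "today" is day 20000 since the epoch and hashes are placeholders.
SAMPLE_SHADOW = """\
root:$6$saltsalt$placeholder:19990:0:60:7:::
alice:$6$abcdefgh$placeholder:19880:0:99999:7:::
bob::19990:0:60:7:::
svc-backup:!:19000:0:99999:7:::
legacy:$1$oldsalt$placeholder:19995:0:60:7:::
"""
TODAY = 20000

if __name__ == "__main__":
    for account, findings in audit_shadow(SAMPLE_SHADOW, TODAY).items():
        print(f"{account:12s} {'OK' if not findings else '; '.join(findings)}")
```

On the sample, root and the locked svc-backup account are clean, alice is flagged twice (never-expiring maximum age and a 120-day-old password), bob has no password at all, and legacy still uses MD5-crypt. Reading /etc/shadow requires root, so in practice this runs on an exported copy handed to the auditor, which is itself stored authentication information and must be protected accordingly.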
Authorisation
- Authorisation refers to the access rules that specify who can access what
- Access control is often based on the principle of least privilege: users are granted only the access required to perform their duties
- The IS auditor needs to know what can be done with the access granted and what is restricted
- The IS auditor must review access control lists (ACLs). An ACL is a register of the users who have permission to use a particular system and of the types of access permitted
- Access control administration is reviewed to determine that:
  - A policy exists to ensure that access rights are reviewed periodically
  - Procedures exist for adding individuals to the access list, changing their access capabilities and deleting them from the list
- Password control administration is reviewed to determine that:
  - A policy exists to ensure that individual passwords are not disclosed
  - Standards exist to ensure that passwords are of adequate length (at least 8 characters) and complexity (a combination of special characters, digits and capital letters), that passwords are changed periodically (every 60 days), and that user IDs are locked after 3 failed attempts
  - Note that NIST SP 800-63B now advises against forced periodic rotation and composition rules in favour of length and breached-password screening; the auditor should audit against the standard the organisation has actually adopted

System logs
- Audit trail records should be protected by strong access controls, as compromised logs can hamper IT security investigations
- The IS auditor should check that the organisation is able to:
  - Show evidence that its logs cannot be tampered with or altered without leaving an audit trail, e.g. by writing logs to read-only media (CD) or to a centralised log server
  - Prevent system administrators from having physical and network access to the logs of their own activities
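A centralised log server can offer the auditor more than "the copy is elsewhere": it can make every edit or deletion detectable. The following is an added example, not code from the course slides, of a tamper-evident log kept as an HMAC chain. Each record's tag is an HMAC over the previous record's tag and the record itself, under a key that lives only on the log server (an assumption stated in the code), so an administrator on the audited host can neither alter a record nor recompute the tags that depend on it. The records are constructed, and the four cases in demo() are the checks an auditor would run.

```python
"""Added example (not from the course slides): tamper-evident audit log as an
HMAC chain, with verification that pinpoints the first altered record."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = b"\x00" * 32   # stands in for the "previous tag" of the very first record


def _canonical(record: Dict) -> bytes:
    """Serialise a record deterministically (sorted keys), excluding its own tag."""
    body = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def chain_log(records: List[Dict], key: bytes) -> List[Dict]:
    """Return copies of the records, each with tag = HMAC-SHA256(key, prev_tag || record)."""
    prev = GENESIS
    chained = []
    for rec in records:
        tag = hmac.new(key, prev + _canonical(rec), hashlib.sha256).hexdigest()
        chained.append({**rec, "tag": tag})
        prev = bytes.fromhex(tag)
    return chained


def verify_chain(chained: List[Dict], key: bytes) -> Optional[int]:
    """Return the index of the first record whose tag does not verify, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        expected = hmac.new(key, prev + _canonical(rec), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected.encode(), str(rec.get("tag", "")).encode()):
            return i
        prev = bytes.fromhex(expected)
    return None


# Assumption: the key is generated and held on the central log server only,
# never on the hosts whose administrators are being logged.
LOG_KEY = b"log-server-secret-not-present-on-audited-hosts"

# Constructed records, as a log server might receive them from one host.
SAMPLE_RECORDS = [
    {"ts": "2024-11-20T08:00:01Z", "user": "alice", "event": "login", "src": "10.0.0.5"},
    {"ts": "2024-11-20T08:05:10Z", "user": "alice", "event": "sudo", "cmd": "useradd mallory"},
    {"ts": "2024-11-20T08:06:00Z", "user": "alice", "event": "sudo", "cmd": "rm /var/log/auth.log"},
    {"ts": "2024-11-20T08:07:30Z", "user": "alice", "event": "logout", "src": "10.0.0.5"},
]


def demo() -> Dict[str, Optional[int]]:
    """Four auditor checks; the value is the index verify_chain reports for each case."""
    chained = chain_log(SAMPLE_RECORDS, LOG_KEY)
    edited = [dict(r) for r in chained]
    edited[1]["user"] = "bob"               # administrator rewrites who ran useradd
    deleted = chained[:2] + chained[3:]     # administrator removes the rm of auth.log
    truncated = chained[:-1]                # administrator drops the newest record
    return {
        "intact": verify_chain(chained, LOG_KEY),       # None
        "edited": verify_chain(edited, LOG_KEY),        # 1: the altered record itself
        "deleted": verify_chain(deleted, LOG_KEY),      # 2: the record after the gap
        "truncated": verify_chain(truncated, LOG_KEY),  # None: see note below
    }


if __name__ == "__main__":
    for case, idx in demo().items():
        print(f"{case:10s} first bad record: {idx}")
```

The chain detects edits and deletions in the middle, but not removal of the newest records: a truncated chain verifies cleanly. The control is therefore complete only when the log server periodically anchors the latest tag somewhere the administrators cannot reach (a signed checkpoint forwarded to a second system, or a write-once medium as the slide suggests), so that the auditor can confirm the chain still ends where it should.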
Storing, disposing of and transferring information
- Management should define and implement procedures to prevent access to, or loss of, sensitive information when it is stored, disposed of or transferred to another user
- Procedures must be created for:
  - Storing information assets, e.g. on magnetic tape or a portable hard disk
  - Destroying information assets, e.g. using Eraser software or a degausser (a degausser works on magnetic media only; it does not sanitise SSDs)
  - Transporting information, e.g. using a secure email system or instant messaging
- The IS auditor must understand and be able to evaluate acceptable methods for data management from creation through destruction

C376_WO07_6P.pdf
Learning objectives
- Understand the Personal Data Protection Act (PDPA) and its impact on individuals and organisations
- Understand how an organisation asks for personal data and handles requests to view or delete personal data
- Understand the obligations under the PDPA, especially the accountability and consent obligations
- Understand the use of the Do Not Call (DNC) registry and the various modes of registration
- Explain the protection of the NRIC by individuals and organisations, and identify non-legitimate requests for the NRIC by an organisation
- Understand the penalties for individuals and organisations for non-compliance with the PDPA
- Apply policies, standards, procedures and security controls in an organisation that align with the PDPA
- Understand the amendments to the PDPA and the Spam Control Act