Unit-4


Benefits and objectives of information security audit

Audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events, intrusion detection, and problem analysis.

1. Individual Accountability: Audit trails are a technical mechanism that helps managers maintain individual accountability. For example, audit trails can be used in concert with access controls to identify and provide information about users suspected of improper modification of data (e.g., introducing errors into a database). An audit trail may record "before" and "after" versions of records, so that the change itself, not just the fact of access, can be reviewed.

2.Reconstruction of Events: Audit trails can also be used to reconstruct events after a problem has occurred. Damage can be more easily assessed by reviewing audit trails of system activity to pinpoint how, when, and why normal operations ceased. If, for example, a system fails or the integrity of a file (either program or data) is questioned, an analysis of the audit trail can reconstruct the series of steps taken by the system, the users, and the application.

3. Intrusion Detection: If audit trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. Real-time intrusion detection is primarily aimed at outsiders attempting to gain unauthorized access to the system. It may also be used to detect changes in the system's performance indicative of, for example, a virus or worm attack.

4.Problem Analysis: Audit trails may also be used as on-line tools to help identify problems other than intrusions as they occur. This is often referred to as real-time auditing or monitoring. If a system or application is deemed to be critical to an organization's business or mission, real-time auditing may be implemented to monitor the status of these processes.

Principles of audit

1. Audit planning and preparation: The auditor should be adequately educated about the company and its critical business activities before conducting a data center review. The objective of the data center is to align data center activities with the goals of the business while maintaining the security and integrity of critical information and processes.

Before conducting the review, the auditor should:
- Meet with IT management to determine possible areas of concern
- Review the current IT organization chart
- Review job descriptions of data center employees
- Research all operating systems, software applications and data center equipment operating within the data center
- Review the company's IT policies and procedures
- Evaluate the company's IT budget and systems planning documentation
- Review the data center's disaster recovery plan

2. Establishing audit objectives: The next step in reviewing a corporate data center is for the auditor to outline the data center audit objectives. Auditors consider multiple factors relating to data center procedures and activities that may identify audit risks in the operating environment, and assess the controls in place that mitigate those risks.

The auditor should review the following objectives:
- Personnel procedures and responsibilities, including systems and cross-functional training
- Change management processes are in place and followed by IT and management personnel
- Appropriate backup procedures are in place to minimize downtime and prevent loss of important data
- The data center has adequate physical security controls to prevent unauthorized access to the data center
- Adequate environmental controls are in place to ensure equipment is protected from fire and flooding

3. Performing the review: The next step is collecting evidence to satisfy the data center audit objectives. This involves traveling to the data center location and observing the processes and procedures performed within the data center.

The following review procedures should be conducted to satisfy the pre-determined audit objectives:
- Data center personnel: all data center personnel should be authorized to access the data center (key cards, login IDs, secure passwords, etc.).
- Equipment: the auditor should verify that all data center equipment is working properly and effectively.
- Policies and procedures: all data center policies and procedures should be documented and located at the data center.
- Physical security / environmental controls: the auditor should assess the security of the client's data center.
- Backup procedures: the auditor should verify that the client has backup procedures in place in the case of system failure.

4. Issuing the review report: The data center review report should summarize the auditor's findings and be similar in format to a standard review report. The review report should be dated as of the completion of the auditor's inquiry and procedures. It should state what the review entailed and explain that a review provides only "limited assurance" to third parties.

Phases of a disaster recovery plan

The phases of the disaster recovery planning process are:
1. Awareness and discovery
2. Risk assessment
3. Mitigation
4. Preparation
5. Testing
6. Response and recovery

1. Awareness and Discovery: Awareness begins when the recovery planning team identifies both possible and plausible threats to business operations. These threats must be evaluated by the recovery planners, and their planning efforts will in turn depend on these criteria:
- The business of the company
- The area of the country in which the company is located
- The company's existing security measures
- The level of adherence to existing policies and procedures
- Management's commitment to existing policies and procedures

2. Risk assessment: Risk assessment is one of the key components of disaster recovery planning. A major part of the process is assessing the potential risks to the organization that could result in disasters or emergency situations.

3. Mitigation: Mitigation involves steps to reduce vulnerability to disaster impacts such as injuries and loss of life and property. This might involve changes in local building codes to fortify buildings; revised zoning and land use management; strengthening of public infrastructure; and other efforts to make the community more resilient to a catastrophic event.

4. Preparation: Preparedness focuses on understanding how a disaster might impact the community and how education, outreach and training can build capacity to respond to and recover from a disaster.
- Develop a written preparedness, response and recovery plan.
- Keep the plan up to date, and test it.
- Keep together the supplies and equipment required in a disaster, and maintain them.

- Establish and train an in-house disaster response team, with training in:
  - Disaster response techniques
  - Identification and marking, on floor plans and enclosures, of irreplaceable and important material for priority salvage

5. Testing

6. Response and recovery: Response addresses the immediate threats presented by the disaster, including saving lives, meeting humanitarian needs (food, shelter, clothing, public health and safety), cleanup, damage assessment, and the start of resource distribution. Recovery is the final phase: the restoration of all aspects of the disaster's impact on a community and the return of the local economy to some sense of normalcy. By this time, the impacted region has achieved a degree of physical, environmental, economic and social stability.

Interdependencies of audit trails

1. Policy: The most fundamental interdependency of audit trails is with policy. Policy dictates who is authorized to access what system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails.

2. Assurance: System auditing is an important aspect of operational assurance. The data recorded into an audit trail is used to support a system audit. The analysis of audit trail data and the process of auditing systems are closely linked; in some cases, they may even be the same thing. In most cases, the analysis of audit trail data is a critical part of maintaining operational assurance.

3. Identification and Authentication: Audit trails are tools often used to help hold users accountable for their actions. However, as mentioned earlier, audit trails record events and associate them with the perceived user (i.e., the user ID). The accountability they provide is therefore only as strong as the identification and authentication that binds a user ID to a person: if a password is shared or compromised, actions recorded under that ID cannot be attributed to a single individual.

4.Logical Access Control: Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity in two ways. First, they may be used to identify breakdowns in logical access controls or to verify that access control restrictions are behaving as expected, for example, if a particular user is erroneously included in a group permitted access to a file. Second, audit trails are used to audit use of resources by those who have legitimate access.

5. Contingency Planning: Audit trails assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files).

6.Incident Response: If a security incident occurs, such as hacking, audit records and other intrusion detection methods can be used to help determine the extent of the incident. For example, was just one file browsed, or was a Trojan horse planted to collect passwords?

7. Cryptography: Digital signatures can be used to protect audit trails from undetected modification. (This does not prevent deletion or modification of the audit trail, but will provide an alert that the audit trail has been altered.) Digital signatures can also be used in conjunction with adding secure time stamps to audit records. Encryption can be used if confidentiality of audit trail information is important.

Cost considerations in audit trails

Audit trails involve many costs. First, some system overhead is incurred recording the audit trail. Additional system overhead will be incurred storing and processing the records. The more detailed the records, the more overhead is required. Another cost involves the human and machine time required to do the analysis. This can be minimized by using tools to perform most of the analysis.

Audit trails

An audit trail is a record showing who has accessed a computer system and what operations he or she has performed during a given period of time. Audit trails are useful both for maintaining security and for recovering lost transactions. Most accounting systems and database management systems include an audit trail component. A system can maintain several different audit trails concurrently. There are typically two kinds of audit records: (1) an event-oriented log and (2) a record of every keystroke, often called keystroke monitoring.

1.Keystroke Monitoring: Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails. Examples of keystroke monitoring would include viewing characters as they are typed by users, reading users' electronic mail, and viewing other recorded information typed by users.

2. Audit Events: System audit records are generally used to monitor and fine-tune system performance. Application audit trails may be used to discern flaws in applications, or violations of security policy committed within an application. User audit records are generally used to hold individuals accountable for their actions. An analysis of user audit records may expose a variety of security violations, which might range from simple browsing to attempts to plant Trojan horses or gain unauthorized privileges.

a. System-Level Audit Trails: If a system-level audit capability exists, the audit trail should capture, at a minimum, any attempt to log on (successful or unsuccessful), the logon ID, date and time of each log-on attempt, date and time of each log-off, the devices used, and the function(s) performed once logged on (e.g., the applications that the user tried, successfully or unsuccessfully, to invoke).

b. Application-Level Audit Trails: System-level audit trails may not be able to track and log events within applications, or may not be able to provide the level of detail needed by application or data owners, the system administrator, or the computer security manager.

c.User Audit Trails: User audit trails can usually log: all commands directly initiated by the user; all identification and authentication attempts; and files and resources accessed.

Steps to perform an information security audit

1. Preparing the IS audit (Step 1): When initiating an IS audit (for example by the IT Security Officer or the person responsible for IS audits), the management of the organisation to be examined must participate. In this stage, the object to be examined is specified, the contract is awarded, and the contracted IS audit team is granted the necessary authorisations (for example authorisation to view documents). The reference documents collected at this stage fall into two groups: organisational documents and technical documents.

2. Creating the IS audit plan and screening documents (Step 2): All reference documents are to be checked for completeness and currency. When judging whether a document is current, note that some documents are more generic than others, so the frequency with which updates are required varies from document to document.

3.Examining documents and updating the IS audit plan (Step 3): The document examination is performed based on the safeguards specified in the IS audit plan. The examination of the documents focuses primarily on the completeness and understandability of the documents.

4. On-site examination (Step 4): The goal of the on-site examination is to compare the documents presented, for example the concepts and guidelines, with the actual conditions on site, to see whether the selected safeguards provide information security in an adequate and practical form. The procedure follows the IS audit plan.

5.Evaluating the on-site examination (Step 5): After the on-site examination, the information obtained is consolidated further and evaluated. The evaluation can also be performed by external experts if the required expert knowledge is not covered by the IS audit team.

6.Producing the IS audit report (Step 6): The IS audit report, including the reference documents, is to be provided in writing to the management of the organisation audited or the client, the person responsible for IS audits, and the IT Security Officer.

Implementation issues regarding audit trails

1. Protecting Audit Trail Data: Access to on-line audit logs should be strictly controlled. Computer security managers and system administrators or managers should have access for review purposes; however, security and/or administration personnel who maintain logical access functions may have no need for access to audit logs. It is particularly important to ensure the integrity of audit trail data against modification. One way to do this is to use digital signatures. Another way is to use write-once devices.
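The following is an added example (not part of the original slides) of the integrity protection described here and under Cryptography in the interdependencies above. It chains audit records so that editing, reordering or removing one breaks the chain, and compares the final record against a checkpoint that would be kept off the logging host, since truncating the newest records otherwise leaves a valid shorter chain. It uses an HMAC from the Python standard library in place of a digital signature; the difference is that an HMAC verifier must hold the same secret key, whereas a signature can be verified by anyone holding the public key. The key, the event fields and the checkpoint handling are assumptions for the example.

```python
import hashlib
import hmac
import json

# Assumed key for this example only. In practice the log writer's key lives in a
# KMS/HSM, or at least outside the reach of the administrators who can read the
# log files; otherwise whoever can edit the log can also re-authenticate it.
LOG_KEY = b"example-only-audit-log-key"
GENESIS = "0" * 64  # "previous MAC" used for the first record


def _canonical(body):
    # Stable serialisation so the MAC covers exactly the same bytes on verify.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(log, event, key=LOG_KEY):
    """Append one audit event, chained to the previous record's MAC.

    Each record authenticates its sequence number, the previous MAC and the
    event, so editing, reordering or removing an earlier record breaks the chain.
    """
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "prev": prev, "event": event}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, mac=mac)
    log.append(record)
    return record


def verify_log(log, key=LOG_KEY, expected_last_mac=None):
    """Return (True, -1) if the chain is intact, else (False, index of first bad record).

    Truncation (deleting the newest records) leaves a valid shorter chain, so the
    verifier should also compare the final MAC against a checkpoint stored
    off-host (expected_last_mac); a mismatch is reported at index len(log).
    """
    expected_prev = GENESIS
    for i, rec in enumerate(log):
        body = {"seq": rec.get("seq"), "prev": rec.get("prev"), "event": rec.get("event")}
        if body["seq"] != i or body["prev"] != expected_prev:
            return False, i  # record missing, reordered, or its chain link edited
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, str(rec.get("mac", ""))):
            return False, i  # record content edited
        expected_prev = rec["mac"]
    if expected_last_mac is not None and not hmac.compare_digest(expected_prev, expected_last_mac):
        return False, len(log)  # chain verifies but does not end at the checkpoint
    return True, -1


def build_sample_log():
    """Constructed sample events (not real data); returns a fresh chained log."""
    log = []
    for event in (
        {"user": "alice", "action": "LOGON", "result": "OK", "src": "10.0.0.5"},
        {"user": "bob", "action": "UPDATE", "object": "/payroll/q1.csv",
         "before": "salary=50000", "after": "salary=90000"},
        {"user": "bob", "action": "LOGOFF", "src": "10.0.0.9"},
    ):
        append_record(log, event)
    return log


if __name__ == "__main__":
    log = build_sample_log()
    checkpoint = log[-1]["mac"]  # would be copied to a separate log host as it is written
    print("intact:", verify_log(log, expected_last_mac=checkpoint))
    log[1]["event"]["after"] = "salary=50000"  # attacker hides the change
    print("after edit:", verify_log(log, expected_last_mac=checkpoint))
    del log[1]  # attacker removes the record instead
    print("after delete:", verify_log(log, expected_last_mac=checkpoint))
```

Write-once media and a separate log host serve the same purpose by other means: they make the records unreachable to the account that generated them, rather than merely detecting that they were touched.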

2.Review of Audit Trails: Audit trails can be used to review what occurred after an event, for periodic reviews, and for realtime analysis. Reviewers should know what to look for to be effective in spotting unusual activity. They need to understand what normal activity looks like.

3.Tools for Audit Trail Analysis: Many types of tools have been developed to help to reduce the amount of information contained in audit records, as well as to distill useful information from the raw data.

Some of the types of tools include:
a. Audit reduction tools are preprocessors designed to reduce the volume of audit records to facilitate manual review.
b. Trends/variance-detection tools look for anomalies in user or system behavior. It is possible to construct more sophisticated processors that monitor usage trends and detect major variations.
c. Attack signature-detection tools look for an attack signature, which is a specific sequence of events indicative of an unauthorized access attempt.

Business continuity planning and its phases

Business continuity planning (or business continuity and resiliency planning) is the process of creating systems of prevention and recovery to deal with potential threats to a company. A business continuity plan is a plan to continue operations if a place of business is affected by disasters of different scales, from localized short-term disruptions, to days-long building-wide problems, to the permanent loss of a building.

Phases of business continuity planning:

Phase 1: Identify the risks: The first phase is to conduct a risk assessment, identifying any potential hazards that could disrupt your business. Consider any type of risk your team can imagine, including natural threats, human threats and technical threats.

Phase 2: Analyze the risks you face: Next, you perform a business impact analysis (BIA) to gauge the impact of each potential risk. For each risk, determine how severe the impact would be and how long your business could survive without those processes running.

Phase 3: Design your strategy: Now it is time to work out strategies to mitigate interruptions and to recover from them quickly. Consider everything you will need to protect your people, your assets and your functions.

Phase 4: Document the plan: Finally, create a concise, well-organized and easy-to-follow document or set of documents.

Phase 5: Measure your success by testing: A plan isn’t truly a plan until it has been thoroughly tested. There are a variety of tests you should perform, with each providing different information on how to improve your plan.

Business continuity planning and recovery plan in industry

Business continuity planning: Business continuity planning involves developing a practical plan for how your business can prepare for, and continue to operate after, an incident or crisis. A business continuity plan will help you to:
- identify and prevent risks where possible
- prepare for risks that you can't control
- respond and recover if an incident or crisis occurs

Distribution list: The distribution list details:
- where copies of the plan are stored (including e-records stored off site), in case the original copy is destroyed or unreachable in an incident
- who needs a copy of the plan
- any other associated documents and plans (e.g. an evacuation plan) and checklists for specific incidents (e.g. natural disasters, pandemics)

Recovery Plan: The recovery plan outlines the steps your business will need to take to get running again after an incident or crisis. It includes a realistic time frame in which operations can be brought back on track to minimise financial losses. A recovery plan will help you respond effectively if an incident or crisis affects your business; it aims to shorten recovery time and minimise losses.

Logical security audit

The first step in an audit of any system is to seek to understand its components and its structure. When auditing logical security the auditor should investigate what security controls are in place, and how they work.

In particular, the following areas are key points in auditing logical security:

1. Passwords: Every company should have written policies regarding passwords and employees' use of them. Passwords should not be shared, and the policy should state when they must be changed. (Older policies required changes on a fixed schedule; current guidance such as NIST SP 800-63B recommends changing a password when there is evidence of compromise rather than periodically, so the auditor should check the policy against whichever standard the organisation has adopted.)

2. Termination Procedures: Proper termination procedures ensure that former employees can no longer access the network. This is done by disabling their accounts and changing any passwords, codes and shared credentials they knew. Also, all ID cards and badges in circulation should be documented and accounted for.

3. Special User Accounts: Special user accounts and other privileged accounts should be monitored and have proper controls in place.

4. Remote Access: Remote access is often a point where intruders can enter a system. The logical security controls applied to remote access should be strict, and all remote access should be logged.
