Word Count: 5405
Information Security Audit of the Department of Information Systems, University of Melbourne
The University of Melbourne
615-667 E-Commerce Security, Semester 1, 2003
Project 2: Information Security Audit of the Department of Information Systems - Report
Sebastian Wiemann, Student No 172372
June 1st, 2003

TABLE OF CONTENTS

EXECUTIVE SUMMARY
PART I - REPORT DETAILS
1 Audit Characteristics
1.1 Security Audit Objectives
1.2 Security Audit Issues
1.3 Scope
2 Evaluation of Controls
2.1 Access Control
2.1.1 Physical access control
2.1.2 Logical access control
2.1.3 Access Monitoring
2.1.4 Investigation of suspicious access
2.2 Application Software Development and Change Control
2.3 System Software Control
2.3.1 Limiting access to system software
2.3.2 Identification and control of access paths
2.3.3 Review of system software installations
2.4 Additional Computer Security
2.5 Service Continuity
2.5.1 Data and Backup procedures
2.5.2 Environmental controls
2.5.3 Effective software and hardware maintenance
2.5.4 Contingency plan
2.6 Anti-Virus Controls
2.7 Application Control
2.7.1 Application updates
2.7.2 Configuration of applications
PART II - CONCLUSION AND RECOMMENDATIONS
1 Conclusion
2 Recommendations
BIBLIOGRAPHY

EXECUTIVE SUMMARY

As part of the subject "eCommerce Security" at the Department of Information Systems of the University of Melbourne, an information security audit of the department's postgraduate support IT infrastructure was conducted in semester 1, 2003. In preparing the audit, detailed information about the audit goals and the issues involved had to be retrieved from a variety of sources. These are presented in "I.1 Audit Characteristics". The audit objectives relevant for this assignment are to evaluate the effectiveness and the compliance of existing controls and to give recommendations for improvement to the management. Therefore, the DIS security policy served as the basis for the audit.

The controls examined involved physical and logical access controls, system software and application controls, computer security controls, anti-virus mechanisms and service continuity. The results of the analysis are presented in "I.2 Evaluation of Controls". As the audit had to be conducted with limited resources, several assumptions had to be made and certain controls could not be audited completely. Nevertheless, the evaluation revealed the DIS security level to be high, as the department makes effective use of a variety of security features with high expertise. There is, however, room for improvement, as several major weaknesses were detected. These weaknesses mainly involve procedures that need to be enforced more strictly, as well as human behaviour that needs to be changed by training or awareness programs.

PART I - REPORT DETAILS

1 Audit Characteristics

1.1 Security Audit Objectives

Research material about information security audits (in the following just "audits") was derived from the following types of sources:
- Computer and information security organizations (CERIAS, SANS)
- Information security auditing organizations (ISACA)
- Internal auditing and accounting organizations (IIA, GAO)
- Knowledge bases regarding IT, information systems and information security
- Governments.

The security audit objectives are explained in the following. Initially there is risk. Concluding the risk assessment, the organization sets down standards as part of its security policy to address the risks. The existing controls are the result of implementing the standards. The maximum scope of an audit therefore includes all three elements: First, it examines whether the last risk assessment is up-to-date and how risks have changed. Then, it evaluates whether the standards are still adequate to address the present or changed risks (review of policy). This is why KAPP (2000, p.1) characterizes an audit as "policy-based", which is confirmed by GAO (2001a). Going further, it examines whether the existing controls still fulfil the present or changed standards and requirements. Thus, the audit's goals are:
- To re-assess risks, which provides "an idea of the potential damage" (KAPP 2000, p.1)
- To give recommendations for establishing/improving policies, standards and procedures
- To evaluate the compliance of present controls and their effectiveness
- To give recommendations on how to improve the existing controls.

In contrast, the minimum scope of an audit assumes that the risks have not changed and the standards are still adequate to control the risks. Thus, the audit will not re-evaluate the policy and standards. It focuses on evaluating the current implementation of controls and whether they comply with the standards. The goals of such an audit are solely the last two points mentioned above.

The type of audit conducted in this paper is close to the minimum audit, since the first assignment already covered risk assessment and policy evaluation in detail. The relevant goals for this paper are the actual evaluation of controls and giving recommendations. However, at some points it cannot be avoided to also evaluate the existing standards.

Possible target groups of an audit can be management, legal bodies, other auditors or the public. An information security audit can either be carried out as a single audit or as part of another audit (e.g. a financial audit). For this report, we conducted a single information security audit directed at the management.

The sources mentioned above were found to publish two different types of audit resources: Evaluation manuals explain in detail how the different types of controls have to be examined, e.g. the Federal Information System Controls Audit Manual (FISCAM) by the U.S. General Accounting Office. Audit guides, in contrast, explain the whole audit process from a broader perspective. In these audit guides, different sources emphasize different goals.

Governmental and public institutions usually stress the goals of compliance evaluation and efficiency judgement in their audit guides, e.g. the Treasury Board of Canada (TBoC 2002) and the University of Illinois (2001). This is because public authorities rely heavily on formal coordination by written rules. Thus, for them the most interesting aspect of an audit is to find out whether these rules are followed correctly. In contrast, IS research institutions focus on the goal of giving recommendations to management. They explain the whole audit process, including how to collect the necessary data. In particular, they do not stress the goal of risk assessment, as this has become a separate discipline in information security. Examples are The Institute of Internal Auditors (OLIPHANT 1998/99) and ITP Journals (KAPP 2000).

1.2 Security Audit Issues

The audit conducted for the Department of Information Systems covered the following issues:
- Access Control*
- Application Software Development and Change Control*
- System Software Control*
- Additional Computer Security
- Anti-Virus Control
- Service Continuity*
- Application Control

The issues marked with "*" follow the FISCAM (GAO 2001a). The FISCAM category "Segregation of duties" was not covered, though, as it would have required examining the department's organizational structure in more detail than the time restrictions allowed. The FISCAM category "Entitywide Security Program Planning and Management" basically refers to policy review, which was already covered in the first assignment and was thus left out.

The FISCAM suggests dividing controls into general controls and application controls. The first six categories mentioned above refer to general controls. As part of application controls, MS Internet Explorer and MS Office (in particular MS Outlook) were the relevant applications for this audit, as these are the applications most targeted by viruses. They are also the applications most used by DIS students.

The audit assignment demands identifying the top five issues of Windows security. These have been identified with the help of SANS (2003), MICROSOFT (2002) and OLIPHANT (1998/99):
- Policy and account setup
- File system access control
- Network configuration vulnerabilities (NetBIOS shares, null sessions)
- MS Internet Explorer & Outlook security
- System services

Policy and account configuration is where all regulations for password authentication originate. Password authentication is the basis of Windows security. It is examined in the section "2.1 Access control". Unfortunately, an in-depth analysis of the policy and account configuration at the DIS requires administrative privileges and could not be done in this audit.

Files are the elementary pieces of data that all applications, the operating system and user data itself are built of. Thus file system access control is discussed in the section "2.3 System Software Control". Network vulnerabilities allow hackers and malicious code access to system files and user data. They are also covered in the same section.