IT Audit Process

Information about IT Audit Process

Published on August 5, 2014

Author: ghdavani



Information Technology Audit Process: Information Technology Audit Process Business Practices Seminar Paul Toffenetti, CISA Internal Audit 29 February 2008 Overview: Overview What is Internal Audit IT Audit Process Common IT Audit Observations So What Should We Do Questions Authority and Policies: Authority and Policies What is Internal Audit? Internal auditing is an independent, objective assurance and advisory activity designed to add value and improve an organization’s operations. Internal Audit helps organizations accomplish their objectives by evaluating business risk and controls and where appropriate, offer recommendations to improve risk management and governance processes. Audit Process: Audit Process Planning Testing Reporting Follow-up Planning: Planning Annual Risk Assessment Preliminary Audit Plan Board of Visitors Approval Notification and Request for Information Understand Your Risks and Controls Opening Conference Testing: Testing Security Backup & Recovery Resource Management Web Site Security Testing Remote Vulnerability Scans: Security Testing Remote Vulnerability Scans Servers Printers Routers Workstations Laptops If it’s on the network we scan it! Nmap & Nessus Security Testing On-Site, Follow-up Vulnerability Tests : Security Testing On-Site, Follow-up Vulnerability Tests Workstations Laptops Servers We Test Computers That May Have Security Vulnerabilities! WinAudit MSBA CIS Tools & Benchmarks Backup & Recovery Testing: Backup & Recovery Testing You Must Have Effective Controls to Backup & Recover “Critical Data” Resource Management Testing: Resource Management Testing Computer Hardware & Software Procurement through Surplus Web Site Testing: Web Site Testing University Relations Web Guidelines & Procedures Web Development Best Practices Content Recommendations Templates Privacy Statement (Policy 7030) Web Server & Application Security Reporting Observations: Reporting Observations When Unexpected Results are Noted We Solicit Your Comments Reporting Recommendations: Reporting Recommendations We May Recommend Opportunities To Improve Your Controls Reporting Management Action Plans: Reporting Management Action Plans You Develop Plans, Schedules, and Priorities To Implement Solutions Reporting: Reporting A Final Report is Sent to The Board of Visitors Follow-Up: Follow-Up Follow-Up Actions are Based on Your “Management Action Plan” Progress is Monitored Some Re-Testing May be Necessary Board of Visitors is Updated Audit is closed Common Audit Observations: Common Audit Observations Weak Security Settings Windows Operating System Common Audit Observations : Common Audit Observations Missing Security Patches Operating Systems Applications Databases Common Audit Observations : Common Audit Observations Misconfigured Anti-Malware Tools Out-of-Date Threat Signatures Scans Not Scheduled Common Audit Observations : Common Audit Observations Inadequate Access Controls Weak Passwords & File Permissions Common Audit Observations : Common Audit Observations Open Communication Ports The Hacker’s Point of Entry Common Audit Observations: Common Audit Observations “The System Administrator’s Dilemma” How Much Risk is Senior Management Willing to Accept? Security Convenience So What Should We Do?: So What Should We Do? Harden Security Settings Keep Everything Patched Install and Use Anti-Malware Tools Enforce Strong Passwords Close or Filter Communication Ports Test Your Systems Support Your System Administrator! Questions: Questions “Success Redefined”

Related presentations

Other presentations created by ghdavani

05. 08. 2014