Audit Testing, and Developing an Effective Approach


1 Audit Testing, and Developing an Effective Approach
Wayne Sisk, CISA, CRISC
September 2015

2 Who Is Wayne Sisk?
System Administrator, Mechanic, Race Car Crew Chief, Designer, Manager, Mechanical Engineer, Mentor, Software Engineer, Advisor, Aerospace Engineer, Father, Teacher, Inventor, System Architect, Author, Husband, Policy Maker, Auditor, Writer.
But tonight, I'm here to talk about audit, audit testing and what I've discovered over the past decade about it.

3 Who are you?
Does anyone here tonight currently work for the Big 4?
Has anyone worked for them in the past?
How many have worked with the Big 4 for their own audit testing?

4 Agenda: What we will discuss tonight:
Audit and test efficiency.
Impacts of inefficiencies.
Methods.
Taking back some control from the external auditors.

5 Audit Efficiency: How many think that the external testing performed for them by the Big Four was efficient?

6 What's wrong with that picture?

7 Why is it like that?

8 What is the Impact? With that approach:
Evidence gathering is always inefficient! Cost in time and $$$.
Evidence could be the wrong evidence.
The process is auditor dependent! Not repeatable! The test results could vary.
Did I say it's always inefficient?

9 ISO 27001/2:
A Audit requirements and activities involving verification of operational systems shall be carefully planned and agreed to minimise disruptions to business processes.
9.2 The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: b) is effectively implemented and maintained. The organization shall: c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods, responsibilities, planning requirements and reporting. The audit programme(s) shall take into consideration the importance of the processes concerned and the results of previous audits;

10 Because Passing Audit is Simple!
Say what you do.
Do what you say.

11 Because Passing Audit is Simple!
Say what you do.
Do what you say (the basics of ISO 9001!).
Save enough evidence to prove it later!

12 How does that apply?
Do we say what we do? Clear, well-defined evidence requests? Not from the Big Four!
Do we do what we say? Not without better evidence requests and testing instructions!
Do we save sufficient evidence? How consistent are the evidence packages, year to year, auditor to auditor?

13 Common Big Four evidence and test requests.
Date of Test: 6/21/20XX. Frequency: per occurrence. Sample Size: n/a. Effective Date: 7/3/20XX.
Obtain evidence that modifications for all network devices are prioritized and scheduled.
Date of Test: 6/21/20XX. Frequency: n/a. Sample Size: n/a. Effective Date: 7/3/20XX.
Obtain evidence that control activity is being performed as stated.

14 Common Big Four evidence and test request.
Date of Test: 6/19/20XX.
Inquired with staff to discuss password and audit policies and enforcing them at the Windows operating system level. Confirm, observe, and obtain a copy of the Default Domain Policy, showing the Account Policies/Password Policy and Account Policies/Account Lockout Policy, with the following settings:
Password History: 6 passwords
Maximum password age: 90 days
Minimum password length: 8 characters
Passwords must meet complexity requirements: enabled
Account lockout duration: 60 minutes
Account lockout threshold: 3 invalid attempts
Reset account after: 10 minutes

15 What we need is:
Evidence: What do we need for evidence? Who can provide it, or where does it live?
Test: How to test it (if complex). What the results should be.

16 Let's try that last one a bit differently.
Evidence Request: Obtain from J. Smith (Domain Administrator) the LDAP domain password complexity policies from the LDAP system settings.
Test: Verify that the Default Domain Policy adheres to the following settings:
Password History: 6 passwords
Maximum password age: 90 days
Minimum password length: 8 characters
Passwords must meet complexity requirements: enabled
Account lockout duration: 60 minutes
Account lockout threshold: 3 invalid attempts
Reset account after: 10 minutes
What constitutes an Exception? Any default setting not meeting the minimum requirements.
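The Test and Exception definition on this slide can be turned into a repeatable script so that it gives the same answer year to year and auditor to auditor. The following is an added example, not part of the presentation; it assumes the RSAT ActiveDirectory module is available and that the person named in the Evidence Request has read access to the domain. The expected values are those listed on the slide, read as minimum requirements as the Exception definition states.

```powershell
# Added example (not from the presentation): repeatable test of the
# Default Domain Policy against the slide's required settings.
# Assumes: RSAT ActiveDirectory module, read access to the domain.
Import-Module ActiveDirectory

# Evidence: pull the live policy and save a dated copy for the audit package.
$Policy = Get-ADDefaultDomainPasswordPolicy
$Stamp  = Get-Date -Format 'yyyyMMdd'
$Policy | Export-Clixml -Path ".\DefaultDomainPasswordPolicy_$Stamp.xml"

# Test: each setting, the required value, and a check that returns $true when
# the actual value meets that minimum requirement (stricter is not an exception).
$Checks = @(
    @{ Setting = 'PasswordHistoryCount';     Required = '6 passwords'
       Pass = { $Policy.PasswordHistoryCount -ge 6 } }
    @{ Setting = 'MaxPasswordAge';           Required = '90 days'
       # 0 means passwords never expire, which fails the requirement.
       Pass = { $Policy.MaxPasswordAge.TotalDays -gt 0 -and
                $Policy.MaxPasswordAge.TotalDays -le 90 } }
    @{ Setting = 'MinPasswordLength';        Required = '8 characters'
       Pass = { $Policy.MinPasswordLength -ge 8 } }
    @{ Setting = 'ComplexityEnabled';        Required = 'enabled'
       Pass = { $Policy.ComplexityEnabled -eq $true } }
    @{ Setting = 'LockoutDuration';          Required = '60 minutes'
       Pass = { $Policy.LockoutDuration.TotalMinutes -ge 60 } }
    @{ Setting = 'LockoutThreshold';         Required = '3 invalid attempts'
       # 0 means lockout is disabled, which fails the requirement.
       Pass = { $Policy.LockoutThreshold -gt 0 -and
                $Policy.LockoutThreshold -le 3 } }
    @{ Setting = 'LockoutObservationWindow'; Required = '10 minutes'
       Pass = { $Policy.LockoutObservationWindow.TotalMinutes -ge 10 } }
)

# Exception: any setting whose check does not pass.
$Exceptions = foreach ($Check in $Checks) {
    if (-not (& $Check.Pass)) {
        [pscustomobject]@{
            Setting  = $Check.Setting
            Required = $Check.Required
            Actual   = $Policy.($Check.Setting)
        }
    }
}

if ($Exceptions) {
    "Exceptions found: $($Exceptions.Count)"
    $Exceptions | Format-Table -AutoSize
} else {
    'No exceptions: the Default Domain Policy meets all required settings.'
}
```

The saved Clixml file is the evidence, the exception table is the test result, and only the values in $Checks need to change if the policy requirement changes.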

17 How about requesting procedures for access?
Evidence Request: Obtain from Wiki page _SOPs the access requesting and provisioning procedures for System ABC and System XYZ (or see Scoping list).
Test: Verify the procedures have been approved or reviewed in the past 12 months.
What constitutes an Exception? Any procedure not having been reviewed or approved in the past 12 months.

18 Benefits:
The evidence request has clearly identified who or where to get the evidence from. You may need to do an initial review to verify if the players have changed, but you have a starting point (name and title, or URL).
The test is easily repeatable, year to year, auditor to auditor. Only if something has operationally changed are you likely to need to rewrite the test.

19 What next?

20 Next Steps: A challenge:
Review your current evidence and test processes.
Define concise evidence and test strategies and practices.
Develop evidence requests that support the strategies.
Develop repeatable test procedures.
Define what constitutes an exception.

21 Questions? Comments? Ideas?

22 Thank you for having me here!