Management Planning Guide for Information Systems Security Auditing

National State Auditors Association and the U.S. General Accounting Office
A Joint Initiative

Management Planning Guide for Information Systems Security Auditing

December 10, 2001

References to specific vendors, services, products, and Web sites noted throughout this document are included as examples of information available on information security. Such references do not constitute a recommendation or endorsement. Readers should keep in mind that the accuracy, timeliness, and value of Web site information can vary widely and should take appropriate steps to verify any Web-based information they intend to rely on.

December 10, 2001

On behalf of the U.S. General Accounting Office (GAO) and the National State Auditors Association (NSAA), it is our pleasure to present this Management Planning Guide for Information Systems Security Auditing.

The rapid and dramatic advances in information technology (IT) in recent years have without question generated tremendous benefits. At the same time, however, they have created significant, unprecedented risks to government operations. Computer security has, in turn, become much more important as all levels of government utilize information systems security measures to avoid data tampering, fraud, disruptions in critical operations, and inappropriate disclosure of sensitive information. Such use of computer security is essential in minimizing the risk of malicious attacks from individuals and groups.

To be effective in ensuring accountability, auditors must be able to evaluate information systems security and offer recommendations for reducing security risks to an acceptable level. To do so, they must possess the appropriate resources and skills. This guide is intended to help audit organizations respond to this expanding use of IT and the concomitant risks that flow from such pervasive use by governments. It applies to any evaluative government organization, regardless of size or current methodology.
Directed primarily at executives and senior managers, the guide covers the steps involved in establishing or enhancing an information security auditing capability: planning, developing a strategy, implementing the capability, and assessing results. We hope this guide—a cooperative effort among those at the federal, state, and local levels—will assist governments in meeting the challenge of keeping pace with the rapid evolution and deployment of new information technology.

We wish to extend sincere appreciation to the task force responsible for preparing this guide, particularly the work of task force leaders Carol Langelier of GAO and Jon Ingram of the Office of Florida Auditor General. Additional copies of the guide are available at the Web sites of both GAO (www.gao.gov) and the National Association of State Auditors, Comptrollers, and Treasurers (www.nasact.org). For further information about the guide, please contact any of the task force members listed on the next page.

Sincerely,

David M. Walker
Comptroller General of the United States

Ronald L. Jones
President, NSAA
Chief Examiner, Alabama

National State Auditors Association and the U.S. General Accounting Office
Joint Information Systems Security Audit Initiative
Management Planning Guide Committee

Co-Chairs
Jon Ingram, FL Office of the Auditor General, joningram@aud.state.fl.us
Carol Langelier, U.S. General Accounting Office, langelierc@gao.gov

Members
Andy Bishop, NJ Office of Legislative Services
Beth Breier, City of Tallahassee Office of the City Auditor, breierb@talgov.com
Gail Chase, ME Department of Audit, gail.chase@state.me.us
John Clinch, NH Legislative Budget Office, john.clinch@leg.state.nh.us
Mike Cragin, LA Office of the Legislative Auditor, mcragin@lla.state.la.us
Bob Dacey, U.S. General Accounting Office, daceyr@gao.gov
Allan Foster, KS Legislative Division of Post Audit, allanf@lpa.state.ks.us
Darrell Heim, U.S. General Accounting Office, heimd@gao.gov
Walter Irving, NY Office of the State Comptroller, wirving@osc.state.ny.us
Bob Koslowski, MD Office of Legislative Audits, rkoslowski@ola.state.md.us
Beth Pendergrass, TN Comptroller of the Treasury, Division of State Audit, bpenderg@mail.state.tn.us
Nancy Rainosek, TX State Auditor's Office, nrainosek@sao.state.tx.us
Chuck Richardson, TN Comptroller of the Treasury, Division of State Audit, crichardson@mail.state.tn.us
Martin Vernon, NC Office of the State Auditor, martin_vernon@ncauditor.net
Sharron Walker, AZ Office of the Auditor General, swalker@auditorgen.state.az.us

Contents

I. Introduction and Background
  Purpose of the Guide
  Background
  Information Systems Security Auditing
  Information Security Control, Assessment, and Assurance
  State and Local Government IS Audit Organizations
  Applicable Legislation
  Influencing Legislation
  Content of This Guide

II. Developing a Strategic Plan for an IS Security Auditing Capability
  Define Mission and Objectives
  Assess IS Security Audit Readiness
    Address Legal and Reporting Issues
    Determine Audit Environment
    Identify Security Risks
    Assess Skills
    Determine How to Fill Skill Gaps
      Using In-House Staff
      Partnering
      Engaging Consultants
    Identify and Select Automated Tools
    Assess Costs
  Devise Criteria for Project Selection
  Link Objectives to Supporting Activities
  Use Web-Based Security Research and Training Resources
    General IS Audit Information
    IT and IT Security Training and Information
    Data Extraction and Analysis Tools
    Cybercrime

III. Measuring and Monitoring the IS Audit Capability
  Purpose of Measuring and Monitoring Results
  Monitoring the Information System Security Audit Process
    Monitoring Key Performance Indicators
      Assessing Performance of Critical Success Factors
      Devising Key Performance Measures
    Performing Evaluations
    Assessing Auditee Satisfaction
    Issuing Progress Reports
  Establishing or Identifying Benchmarks for the Information System Security Audit Capability
    Independence
    Professional Ethics and Standards
    Competence and Retention of Qualified Staff
    Planning
  Using Performance and Reporting Measures
    Performance Measures of Audit Work
    Reporting Measures
    Measures for Follow-up Activities

Appendices
  Auditing Standards Placing New Emphasis on IT Controls
  Federal Legislation, Rules, and Directives Applicable to Information Security Since 1974
  Assessing the IS Infrastructure
  Skills Self-Assessment for Information Security Audit Function Personnel
  IT Security Curriculum
  Training Information: Internet Sites
  Additional Web Resources

Tables
  Table 1. Knowledge, Skills, and Abilities for IS Security Audit Areas by FISCAM Objective
  Table 2. KSAs for Information Security Technical Specialists
  Table 3. Key Considerations in Selecting Security Software
  Table 4. Possible IS Security Audit Objectives and Related Activities (Current and Future)

I. Introduction and Background

Purpose of the guide
Background
Information systems security auditing
Information security control, assessment, and assurance
State and local government IS audit organizations
Applicable legislation
Influencing legislation
Content of this guide

Purpose of the Guide

Rapid and dramatic advances in information technology (IT), while offering tremendous benefits, have also created significant and unprecedented risks to government operations. Federal, state, and local governments depend heavily on information systems (IS) security measures to avoid data tampering, fraud, inappropriate access to and disclosure of sensitive information, and disruptions in critical operations. These risks are expected to only continue to escalate as wireless and other technologies emerge.

Government auditors, to be effective instruments of accountability, need to be able to evaluate IS security and offer recommendations for reducing the security risk to an acceptably low level. Further, the growing importance of IT in performing daily operational activities, along with the elimination of paper-based evidence and audit trails, demands that auditors consider the effectiveness of IT controls during the course of financial and performance audits.
To do so, auditors must acquire and maintain the appropriate resources and skill sets—a daunting challenge in an era of rapid evolution and deployment of new information technology. Likewise, government audit organizations need to take stock of their IS security audit capabilities and ensure that strategies exist for their continued development and enhancement.

This guide was prepared by members of the National State Auditors Association (NSAA) and auditors from local governments in cooperation with staff of the United States General Accounting Office (GAO). It is intended to aid government audit organizations in responding to the risks attributable to the pervasive and dynamic effects of the expanding use of information technology by governments. Also, it is intended to be pertinent to any government audit organization, regardless of its size and current methodology.

Directed primarily at senior and executive audit management, the guide leads the reader through the steps for establishing or enhancing an information security auditing capability. These include planning, developing a strategy, implementing the capability, and assessing results.

Background

Electronic information is essential to the achievement of government organizational objectives. Its reliability, integrity, and availability are significant concerns in most audits. The use of computer networks, particularly the Internet, is revolutionizing the way government conducts business. While the benefits have been enormous and vast amounts of information are now literally at our fingertips, these interconnections also pose significant risks to computer systems, information, and to the critical operations and infrastructures they support. Infrastructure elements such as telecommunications, power distribution, national defense, law enforcement, and government and emergency services are subject to these risks.
The same factors that benefit operations—speed and accessibility—if not properly controlled, can leave them vulnerable to fraud, sabotage, and malicious or mischievous acts. In addition, natural disasters and inadvertent errors by authorized computer users can have devastating consequences if information resources are poorly protected. Recent publicized disruptions caused by virus, worm, and denial of service attacks on both commercial and governmental Web sites illustrate the potential for damage.

Computer security is of increasing importance to all levels of government in minimizing the risk of malicious attacks from individuals and groups. These risks include the fraudulent loss or misuse of government resources, unauthorized access to or release of sensitive information such as tax and medical records, disruption of critical operations through viruses or hacker attacks, and modification or destruction of data. The risk that information attacks will threaten vital national interests increases with the following developments in information technology:

• Monies are increasingly transferred electronically between and among governmental agencies, commercial enterprises, and individuals.
• Governments are rapidly expanding their use of electronic commerce.
• National defense and intelligence communities increasingly rely on commercially available information technology.
• Public utilities and telecommunications increasingly rely on computer systems to manage everyday operations.
• More and more sensitive economic and commercial information is exchanged electronically.
• Computer systems are rapidly increasing in complexity and interconnectivity.
• Easy-to-use hacker tools are readily available, and hacker activity is increasing.
• Paper supporting documents are being reduced or eliminated.

Each of these factors significantly increases the need for ensuring the privacy, security, and availability of state and local government systems.
Although as many as 80 percent of security breaches are probably never reported, the number of reported incidents is growing dramatically. For example, the number of incidents handled by Carnegie-Mellon University's CERT Coordination Center[1] has multiplied over 86 times since 1990,[2] rising from 252 in 1990 to 21,756 in 2000. Further, the Center has handled over 34,000 incidents during the first three quarters of 2001. Similarly, the Federal Bureau of Investigation (FBI) reports that its case load of computer intrusion-related cases is more than doubling every year. The fifth annual survey conducted by the Computer Security Institute in cooperation with the FBI found that 70 percent of respondents (primarily large corporations and government agencies) had detected serious computer security breaches within the last 12 months and that quantifiable financial losses had increased over past years.[3]

Are agencies responding to the call for greater security? There is great cause for concern regarding this question, since GAO's November 2001 analyses[4] of computer security identified significant weaknesses in each of the 24 major agencies covered by its reviews. The weaknesses identified place a broad array of federal operations and assets at risk of fraud, misuse, and disruption. For example, weaknesses at the Department of Treasury increase the risk of fraud associated with billions of dollars of federal payments and collections, and weaknesses at the Department of Defense increase the vulnerability of various military operations that support the department's war-fighting capability. Further, information security weaknesses place enormous amounts of confidential data, ranging from personal, financial, tax, and health data to proprietary business information, at risk of inappropriate disclosure.

Reviews of general and application controls often point up basic control weaknesses in IT systems of state agencies as well. Typical weaknesses include the following:

• Lack of formal IT planning mechanisms, with the result that IT does not serve the agency's pressing needs or does not do so in a timely and secure manner;

__________________
[1] Originally called the Computer Emergency Response Team, the center was established in 1988 by the Defense Advanced Research Projects Agency. It is charged with (1) establishing a capability to quickly and effectively coordinate communication among experts in order to limit the damage associated with, and respond to, incidents and (2) building awareness of security issues across the Internet community.
[2] Source: CERT Coordination Center Statistics, 1988–2001 (www.cert.org/stats/cert_stats.html).
[3] Issues and Trends: 2000 CSI/FBI Computer Crime and Security Survey (The Computer Security Institute, March 2000).
[4] Computer Security: Improvements Needed to Reduce Risks to Critical Federal Operations and Assets (GAO-02-231T, November 9, 2001).