INFORMATION TECHNOLOGY AUDITING GAO AND THE FISCAM AUDIT FRAMEWORK. Ronald E. Franke, CISA, CIA, CFE, CICA. April 30, 2010


INFORMATION TECHNOLOGY AUDITING: GAO AND THE FISCAM AUDIT FRAMEWORK
Presented by Ronald E. Franke, CISA, CIA, CFE, CICA
April 30, 2010
Clifton Gunderson LLP 2010

Agenda
- Government Accountability Office (GAO) and IT auditing
- Federal Information System Controls Audit Manual (FISCAM)

Government Accountability Office (GAO)

GAO and IT Auditing
- Government Auditing Standards
- GAO Financial Audit Manual (FAM)

Government Auditing Standards ("Yellow Book")
- Revised July 2007
- Effective for financial and attestation engagements for periods beginning on or after January 1, 2008
- Effective for performance audits beginning on or after January 1, 2008
- http://www.gao.gov/govaud/ybk01.htm

GAS Major Changes
- Standardized language to define the auditor's level of responsibility and to distinguish requirements from guidance/explanatory material.
- Recognizes that other sets of professional standards can be used in conjunction with GAGAS.
- Clarified the discussion of nonaudit services and their impact on auditor independence.
- Incorporated the revised CPE requirements issued by GAO in April 2005.
- Clarified quality control and assurance requirements.

GAS Major Changes (continued)
- Added/clarified reporting guidance.
- Updated financial auditing standards based on recent developments from the AICPA (SAS 103 and SAS 112).
- Clarified/revised the definition of performance audits and enhanced the performance auditing standards.
- Clarified auditors' responsibilities for internal control based on its significance to the audit objectives.
- Added a section on information systems controls for the purpose of assessing audit risk and planning the audit.

GAO Financial Audit Manual
- In July 2001 the GAO and the President's Council on Integrity and Efficiency (PCIE) jointly issued the GAO/PCIE Financial Audit Manual (FAM).
- The FAM presents a methodology for performing financial statement audits of federal entities in accordance with professional standards.
- Updated July 2008 for significant changes that had occurred in auditing financial statements in the federal government.

GAO FAM (Volume 1)
- Section 100 - Table of Contents, Introduction
- Section 200 - Planning
- Section 300 - Internal Control
- Section 400 - Testing
- Section 500 - Reporting
- Appendixes, Glossary, Abbreviations, Index

GAO FAM (Volume 2)
- Section 600 - Planning and General
- Section 700 - Internal Control
- Section 800 - Compliance
- Section 900 - Substantive Testing
- Section 1000 - Reporting

GAO FAM (Volume 3)
- FAM 2010, Checklist for Federal Accounting
- FAM 2020, Checklist for Federal Reporting and Disclosures
- The checklists are issued to assist federal entities in preparing their financial statements in accordance with U.S. GAAP, and auditors in auditing them in accordance with U.S. generally accepted government auditing standards (GAGAS)

Federal Financial Management Improvement Act of 1996 (FFMIA)
Each audit shall report whether the agency's financial management systems comply substantially with the act's three requirements:
- Federal financial management system requirements
- Federal accounting standards
- U.S. Government Standard General Ledger (SGL) at the transaction level

FFMIA and OMB Circular A-127
- OMB Circular A-127, Financial Management Systems
- Includes the Joint Financial Management Improvement Program's series of system requirements documents

Federal Information System Controls Audit Manual (FISCAM)

Increased Inherent Risks
- Dollars passing through automated systems are increasing
- Speed and accessibility of processing
- Increased computer skills and availability of hacking tools
- Reduced paper backup
- More reliance on computer controls
- Trend toward providing broad access, including web-based systems and applications
- Remote/telecommuting and mobile devices
- Interrelation of systems
- Outsourcing and use of service providers

Information System Risks
- Modification or destruction of data
- Loss of assets
- Errors in financial statements
- Release of sensitive information (tax, Social Security, medical records, other)
- Disruption of critical operations

Assess IT Controls - Inherent Risks
- Uniform processing of transactions
- Automatic processing
- Increased potential for undetected misstatements
- Existence, completeness, and volume of the audit trail
- Nature of the hardware and software
- Unusual or non-routine transactions

Impact of Inherent Risk and Control Environment on Audits
Assessed risk -> identify effective IT-related controls -> substantive testing

FISCAM - Purpose
- At first, developed to support Chief Financial Officers Act financial statement audits
- Now also used during non-financial audits
- Describes the elements of a full-scope information system controls audit, from which the auditor can select the elements that support the audit objectives

FISCAM Recent Revisions
- GAO Report Number GAO-09-232G
- Released February 2, 2009
- http://www.gao.gov/special.pubs/fiscam.html

FISCAM Recent Revisions (continued)
Reflects changes in:
- Technology used by government entities
- Audit guidance and control criteria issued by NIST
- GAGAS

Provides:
- A methodology for performing information system control audits in accordance with GAGAS where IS controls are significant to the audit objectives
- Conformity with AICPA auditing standards, including the new risk standards
- An overall framework of IS control objectives
- IS controls audit documentation guidance for each audit phase
- Additional audit considerations that may affect an IS audit, including information security risk factors, automated audit tools, and sampling techniques
- Audit methodology and IS controls for business process applications that are consistent with GAGAS and current NIST and OMB information security guidance (particularly NIST Special Publication 800-53), including references/mapping to such guidance

FISCAM Recent Revisions (continued)
Expanded appendices to support IS audits:
- Updated IS controls audit planning checklist
- Tables for summarizing results of the IS audit
- Mapping of FISCAM to NIST SP 800-53
- Knowledge, skills, and abilities needed to perform IS audits
- Scope of an IS audit in support of a financial audit
- Entity's use of service organizations
- Application of FISCAM to Single Audits
- Application of FISCAM to FISMA
- IS controls audit documentation

FISCAM Overview
- FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards.
- FISCAM is designed to be used primarily on financial and performance audits and attestation engagements performed in accordance with GAGAS, as presented in Government Auditing Standards ("Yellow Book").
- FISCAM is consistent with the GAO/PCIE Financial Audit Manual (FAM).
- FISCAM control activities are consistent with NIST Special Publication 800-53, and all SP 800-53 controls have been mapped to FISCAM.

FISCAM Overview (continued)
Organized to facilitate effective and efficient IS control audits:
- Top-down, risk-based approach that considers materiality and significance in determining effective and efficient audit procedures, tailored to achieve the audit objectives.
- Evaluation of entitywide controls and their effect on audit risk.
- Evaluation of general controls and their pervasive impact on business process application controls.
- Evaluation of security management at all levels.
- A control hierarchy (control categories, critical elements, and control activities) to assist in evaluating the significance of identified IS control weaknesses.
- Groupings of control categories consistent with the nature of the risk.
- Experience gained in GAO's performance and review of IS control audits.

FISCAM - Organization of the Manual
- Chapter 1 - Introduction and General Methodology
- Chapter 2 - Performing the Information System Controls Audit
- Chapter 3 - Evaluating and Testing General Controls
- Chapter 4 - Evaluating and Testing Business Process Application Controls
- Appendices

FISCAM - Chapters 1 and 2: Plan the Information System Controls Audit
- Understand the overall audit objectives and the related scope of the information system controls audit.
- Understand the entity's operations and key business processes.
- Obtain a general understanding of the structure of the entity's networks.
- Identify key areas of audit interest.
- Assess information system risk on a preliminary basis.
- Identify critical control points.
- Obtain a preliminary understanding of information system controls.
- Perform other audit planning procedures: relevant laws and regulations; consideration of the risk of fraud; audit resources; multiyear testing plans; communication with entity management and those charged with governance; service organizations; using the work of others; the audit plan.

FISCAM - Chapters 1 and 2: Perform Information System Controls Audit Tests
- Understand the information systems relevant to the audit objectives.
- Determine which IS control techniques are relevant to the audit objectives.
- For each relevant IS control technique, determine whether it is suitably designed to achieve the critical activity and has been implemented.
- Perform tests to determine whether such control techniques are operating effectively.
- Identify potential weaknesses in IS controls and consider compensating controls.

FISCAM - Chapters 1 and 2: Report Audit Results
- Evaluate the effects of identified IS control weaknesses for financial audits, attestation engagements, and performance audits.
- Consider other audit reporting requirements and related reporting responsibilities.

FISCAM - Chapters 3 and 4
- Describe the broad control areas and provide criteria
- Identify the critical elements of each control area
- List common types of control techniques
- List suggested audit procedures

Chapter 3 - Evaluating and Testing General Controls
Five general control areas are covered:
- Security Management (SM)
- Access Controls (AC)
- Configuration Management (CM)
- Segregation of Duties (SD)
- Contingency Planning (CP)

Critical Elements - Security Management
Controls provide reasonable assurance that security management is effective, including effective:
- security management program
- periodic assessments and validation of risk
- security control policies and procedures
- security awareness training and other security-related personnel issues
- periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices
- remediation of information security weaknesses
- security over activities performed by external third parties

Security Management - Audit Results
- No risk-based security plans
- No or inadequate risk assessment
- Undocumented policies
- Inadequate monitoring program
- Lack of a coordinated security function
- Lack of or weak awareness training, or lack of documentation of it

Critical Elements - Access Controls
Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals, including effective:
- protection of information system boundaries
- identification and authentication mechanisms
- authorization controls
- protection of sensitive system resources
- audit and monitoring capability, including incident handling
- physical security controls

Access Controls - Audit Results
- Most widely reported problem area
- Overly broad access, not periodically reviewed
- Undocumented access granted
- Poor ID and password management
- Improper implementation of software controls
- Inadequate monitoring of user activity

GAO Summary of Security Audit Results
GAO found that, of the 24 major agencies:
- Thirteen reported controls over financial systems and information as a significant deficiency, and seven reported them as a material weakness, in their performance and accountability reports for fiscal 2008.
- Twenty-two of the agencies' IGs identified information security as a major management challenge for their agency.
- Twenty-three had reported weaknesses in access controls, and 23 had weaknesses in their agencywide information security programs.

Critical Elements - Configuration Management
Controls provide reasonable assurance that changes to information system resources are authorized and that systems are configured and operated securely and as intended, including effective:
- configuration management policies, plans, and procedures
- current configuration identification information
- proper authorization, testing, approval, and tracking of all configuration changes
- routine monitoring of the configuration
- updating of software on a timely basis to protect against known vulnerabilities
- documentation and approval of emergency changes to the configuration

Configuration Management - Audit Results
- Undisciplined testing procedures
- Unauthorized software and software changes
- Lack of documentation
- Inappropriate access to software

Critical Elements - Segregation of Duties
Controls provide reasonable assurance that incompatible duties are effectively segregated, including effective:
- segregation of incompatible duties and responsibilities, and related policies
- control of personnel activities through formal operating procedures, supervision, and review

Segregation of Duties - Audit Results
Excessive responsibilities, for example:
- One person can develop, test, review, and approve software changes
- Sharing of user, security management, DBA, and system administrator functions
- One person can perform all steps needed to initiate and complete a payment

Critical Elements - Contingency Planning
Controls provide reasonable assurance that contingency planning (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur, including effective:
- assessment of the criticality and sensitivity of computerized operations and identification of supporting resources
- steps taken to prevent and minimize potential damage and interruption
- comprehensive contingency plan
- periodic testing of the contingency plan, with appropriate adjustments to the plan based on the testing
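The three segregation-of-duties findings above (developing and approving one's own changes, sharing DBA/sysadmin/security-admin functions, initiating and completing a payment alone) are what an SoD review looks for, and they can be tested mechanically from a user-to-role extract rather than by eyeballing a spreadsheet. The following is an added example, not from the FISCAM or this presentation: roles are expanded to the transactions they grant, each user's combined entitlements are checked against a conflict matrix, and the role pairs that can never be co-assigned are derived from the same matrix for use as a preventive provisioning rule. The role names, transaction codes, conflict matrix and user assignments are all constructed for illustration.

```python
"""Segregation-of-duties (SoD) conflict check over a user-to-role extract.

Added example; not from the FISCAM or this presentation. Role names,
transaction codes, the conflict matrix and the user assignments are all
constructed for illustration. The conflict pairs mirror the three audit
findings on the slide: developing and approving one's own software
changes, sharing DBA/sysadmin/security-admin functions, and being able to
initiate and complete a payment alone.
"""
from itertools import combinations

# Role -> transactions (capabilities) the role grants. Constructed.
ROLE_TRANSACTIONS = {
    "developer":       {"modify_code", "run_unit_tests"},
    "release_manager": {"approve_change", "promote_to_prod"},
    "ap_clerk":        {"create_vendor", "enter_invoice"},
    "ap_approver":     {"approve_payment"},
    "treasury":        {"release_payment"},
    "dba":             {"db_admin"},
    "sysadmin":        {"os_admin"},
    "security_admin":  {"manage_user_access"},
}

# Transaction pairs one person must not hold together, each tied to the
# audit finding it represents. Constructed conflict matrix.
CONFLICT_PAIRS = {
    frozenset({"modify_code", "approve_change"}):      "develops and approves own software changes",
    frozenset({"modify_code", "promote_to_prod"}):     "develops and promotes own changes to production",
    frozenset({"create_vendor", "approve_payment"}):   "can create a vendor and approve payment to it",
    frozenset({"enter_invoice", "approve_payment"}):   "can enter and approve the same invoice",
    frozenset({"approve_payment", "release_payment"}): "can complete a payment end to end",
    frozenset({"db_admin", "os_admin"}):               "shares DBA and system administrator functions",
    frozenset({"manage_user_access", "db_admin"}):     "security administration combined with DBA",
}

# User -> assigned roles. Constructed sample extract.
USER_ROLES = {
    "asmith": {"developer"},
    "bjones": {"developer", "release_manager"},
    "cdoe":   {"ap_clerk", "ap_approver"},
    "dlee":   {"ap_approver", "treasury"},
    "eroot":  {"dba", "sysadmin", "security_admin"},
    "fray":   {"ap_clerk"},
}


def effective_transactions(roles, role_map=ROLE_TRANSACTIONS):
    """Union of the transactions granted through all of a user's roles."""
    txns = set()
    for role in roles:
        txns |= role_map.get(role, set())
    return txns


def sod_conflicts(user_roles=USER_ROLES, role_map=ROLE_TRANSACTIONS, conflicts=CONFLICT_PAIRS):
    """Detective control: {user: [(txn_a, txn_b, finding), ...]} for every user
    whose combined entitlements contain a conflicting pair. The test is on the
    union across roles, so two individually acceptable roles still conflict
    when the same person holds both."""
    findings = {}
    for user, roles in user_roles.items():
        txns = effective_transactions(roles, role_map)
        for a, b in combinations(sorted(txns), 2):
            finding = conflicts.get(frozenset({a, b}))
            if finding:
                findings.setdefault(user, []).append((a, b, finding))
    return findings


def conflicting_role_pairs(role_map=ROLE_TRANSACTIONS, conflicts=CONFLICT_PAIRS):
    """Preventive control: role pairs that must never be co-assigned, derived from
    the same matrix so the provisioning rule cannot drift from the audit rule."""
    bad = set()
    for r1, r2 in combinations(sorted(role_map), 2):
        if any(frozenset({a, b}) in conflicts for a in role_map[r1] for b in role_map[r2]):
            bad.add((r1, r2))
    return sorted(bad)


if __name__ == "__main__":
    for user, items in sod_conflicts().items():
        for a, b, finding in items:
            print(f"{user}: {a} + {b}: {finding}")
    print("roles that must not be co-assigned:", conflicting_role_pairs())
```

Evaluating conflicts on the union of transactions rather than on roles is the point: bjones holds two roles that are each clean in isolation and still ends up able to write and promote his own code. In a real review the extract would come from the application's security tables and the conflict matrix from the process owners, and the output of `conflicting_role_pairs()` is what gets loaded into the provisioning workflow so the conflict is blocked at request time instead of found at year end.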

Contingency Planning - Audit Results
- Incomplete plans
- Incomplete testing
- Weaknesses in backup and recovery procedures

Example of Control Activities/Techniques and Audit Procedures
Critical element and control activity: SM-1.2. A security management structure has been established.
Control technique: SM-1.2.1. Senior management establishes a security management structure for the entitywide, system, and application levels that has adequate independence, authority, expertise, and resources.
Audit procedures: Review security policies and plans, the entity's organization chart, and budget documentation. Interview security management staff. Evaluate the security structure: independence, authority, expertise, and allocation of the resources required to adequately protect the information systems.

Example of Control Activities/Techniques and Audit Procedures
Critical element and control activity: AC-2.1. Users are appropriately identified and authenticated.
Control technique: AC-2.1.1. Identification and authentication is unique to each user (or to processes acting on behalf of users), except in specially approved instances (for example, public Web sites or other publicly available information systems).
Audit procedures: Review pertinent policies and procedures and NIST guidance pertaining to the authentication of user identities; interview users; review security software authentication parameters.

Example of Control Activities/Techniques and Audit Procedures
Critical element and control activity: CM-5.1. Software is promptly updated to protect against known vulnerabilities.
Control technique: CM-5.1.1. Information systems are scanned periodically to detect known vulnerabilities.
Audit procedures: Interview entity officials. Identify the criteria and methodology used for scanning, the tools used, the frequency, recent scanning results, and related corrective actions. Coordinate this work with the AC section.

Chapter 4 - Evaluating and Testing Business Process Application Controls
- Apply to the processing of individual applications
- Designed to ensure that transactions are valid, properly authorized, and completely and accurately processed

Application controls consist of:
- Initial controls related to the control of information prior to system input
- Programmed controls, such as edits
- Manual follow-up of EDP-produced reports, such as exception reports or reconciliations

FISCAM Application Controls
- Application Level General Controls (AS)
- Business Process Controls (BP): validity, completeness, accuracy, and confidentiality of transactions and data during processing
- Interface Controls (IN): timely, accurate, and complete processing of information between systems
- Data Management System Controls (DA): entering, storing, retrieving, or processing information

Application Level General Controls - Critical Elements
- Implement effective application security management
- Implement effective application access controls
- Implement effective application configuration management
- Segregate user access to conflicting transactions and activities, and monitor segregation
- Implement effective application contingency planning

Critical Elements - Application Level General Controls (continued)
- All data are authorized before entering the application system
- Restrict data entry terminals to authorized users for authorized purposes
- Master files and exception reporting help ensure that all data processed are authorized

Chapter 4 - Evaluating and Testing Business Process Application Controls
- Completeness controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in output.
- Accuracy controls provide reasonable assurance that transactions are properly recorded, with the correct amount/data and on a timely basis (in the proper period); that key data elements input for transactions are accurate; that data elements are processed accurately by applications that produce reliable results; and that output is accurate.
- Validity controls provide reasonable assurance (1) that all recorded transactions actually occurred (are real), relate to the organization, are authentic, and were properly approved in accordance with management's authorization; and (2) that output contains only valid data.
- Confidentiality controls provide reasonable assurance that application data, reports, and other output are protected against unauthorized access.
- Availability controls provide reasonable assurance that application data, reports, and other relevant business information are readily available to users when needed.

Critical Elements - Business Process Controls
- Transaction data input is complete, accurate, valid, and confidential (Transaction Data Input Controls)
- Transaction data processing is complete, accurate, valid, and confidential (Transaction Data Processing Controls)
- Transaction data output is complete, accurate, valid, and confidential (Transaction Data Output Controls)
- Master data setup and maintenance is adequately controlled

Critical Elements - Interface Controls
- Implement an effective interface strategy and design
- Implement effective interface processing procedures

Critical Elements - Data Management System Controls
- Implement an effective data management system strategy and design

Application Controls - Common Control Techniques
- Authorization routines
- Segregation of duties
- Computer matching
- Computer sequence check
- Agreement of batch totals
- One-for-one checking
- Edit checks
- Reconciliation of file totals
- Exception reporting
- Detailed file data checks
- Data access security controls
- Physical access controls
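Several of the techniques in the list above (agreement of batch totals, computer sequence check, one-for-one checking, edit checks, reconciliation of file totals, exception reporting) are programmed controls that an auditor can reperform independently of the application, which is the strongest evidence that the completeness, accuracy and validity objectives defined earlier are met. The following added example, not from the FISCAM or this presentation, runs those controls over a constructed pipe-delimited batch and the constructed output of its posting run and produces the exception report a follow-up reviewer would work from. The record layout, the control-total fields in the header and the MAX_AMOUNT edit limit are assumptions of this example.

```python
"""Programmed application controls over a batch interface: the batch-total,
sequence, one-for-one, edit-check, file-total and exception-reporting
techniques from the FISCAM list, reperformed in code.

Added example; not from the FISCAM or this presentation. The pipe-delimited
record layout, the header control-total fields and MAX_AMOUNT are assumptions
of this example, and both files below are constructed.
"""
from collections import Counter
from decimal import Decimal

MAX_AMOUNT = Decimal("10000.00")   # assumed edit limit for a single transaction

# Constructed input batch. The header carries the sender's control totals:
# record count, amount total and a hash total (sum of account numbers; not
# money, but it changes if any record is altered or dropped). Seeded defects:
# amount total disagrees, sequence 4 is missing, TX1004 appears twice,
# TX1003 has a negative amount.
BATCH_IN = """\
H|BATCH-0417|count=5|amount=1500.00|hash=1401392
D|1|TX1001|100123|250.00
D|2|TX1002|200456|400.00
D|3|TX1003|300789|-50.00
D|5|TX1004|400012|450.00
D|6|TX1004|400012|400.00
"""

# Constructed output of the posting run: drops TX1003 and the second TX1004,
# and contains TX9999, which was never input.
POSTED_OUT = """\
D|1|TX1001|100123|250.00
D|2|TX1002|200456|400.00
D|5|TX1004|400012|450.00
D|9|TX9999|999999|10.00
"""


def parse_records(text):
    """Return (header control totals or None, list of detail records)."""
    header, records = None, []
    for line in text.splitlines():
        fields = line.split("|")
        if fields[0] == "H":
            header = {"batch": fields[1]}
            for kv in fields[2:]:
                k, v = kv.split("=")
                header[k] = Decimal(v) if k == "amount" else int(v)
        elif fields[0] == "D":
            records.append({"seq": int(fields[1]), "txn": fields[2],
                            "account": fields[3], "amount": Decimal(fields[4])})
    return header, records

def batch_total_check(header, records):
    """Agreement of batch totals: recomputed count, amount and hash must match the header."""
    actual = {"count": len(records),
              "amount": sum(r["amount"] for r in records),
              "hash": sum(int(r["account"]) for r in records)}
    return [f"{k} total {actual[k]} != header {header[k]}" for k in actual if actual[k] != header[k]]

def sequence_check(records):
    """Computer sequence check: sequence numbers must increase by one with no gaps."""
    issues, expected = [], None
    for r in records:
        if expected is not None and r["seq"] != expected:
            issues.append(f"sequence gap or disorder: expected {expected}, got {r['seq']}")
        expected = r["seq"] + 1
    return issues

def duplicate_check(records):
    """Processed once and only once: a transaction id may appear a single time."""
    counts = Counter(r["txn"] for r in records)
    return [f"duplicate transaction {t} ({n} occurrences)" for t, n in sorted(counts.items()) if n > 1]

def edit_checks(records):
    """Programmed edits on key data elements (accuracy and validity)."""
    issues = []
    for r in records:
        if not (r["account"].isdigit() and len(r["account"]) == 6):
            issues.append(f"{r['txn']}: malformed account {r['account']!r}")
        if r["amount"] <= 0 or r["amount"] > MAX_AMOUNT:
            issues.append(f"{r['txn']}: amount {r['amount']} outside 0 < amount <= {MAX_AMOUNT}")
    return issues

def one_for_one_check(records_in, records_out):
    """One-for-one checking of input against output, keyed on (txn, amount) so an
    altered amount surfaces as well as a missing or unexpected record."""
    key = lambda r: (r["txn"], r["amount"])
    cin, cout = Counter(map(key, records_in)), Counter(map(key, records_out))
    return ([f"input not in output: {t} {a} (x{n})" for (t, a), n in sorted((cin - cout).items())]
            + [f"output not in input: {t} {a} (x{n})" for (t, a), n in sorted((cout - cin).items())])

def file_total_reconciliation(records_in, records_out):
    """Reconciliation of file totals: amount posted must equal the amount of the
    input records that passed the edit checks."""
    accepted = [r for r in records_in if not edit_checks([r])]
    diff = sum(r["amount"] for r in records_out) - sum(r["amount"] for r in accepted)
    return [] if diff == 0 else [f"posted total differs from accepted input by {diff}"]

def exception_report(batch_in=BATCH_IN, posted_out=POSTED_OUT):
    """Run every control and return the exception report as {control: [issues]}."""
    header, rin = parse_records(batch_in)
    _, rout = parse_records(posted_out)
    return {"batch_totals": batch_total_check(header, rin),
            "sequence": sequence_check(rin),
            "duplicates": duplicate_check(rin),
            "edits": edit_checks(rin),
            "one_for_one": one_for_one_check(rin, rout),
            "file_totals": file_total_reconciliation(rin, rout)}

if __name__ == "__main__":
    for control, issues in exception_report().items():
        print(f"[{control}]", "OK" if not issues else "")
        for issue in issues:
            print("   ", issue)
```

Each control catches a different defect and none of them alone catches all of them: the hash total passes while the amount total fails (an amount was altered, not an account), the sequence check finds the missing record, the duplicate check finds the one processed twice, the edit check rejects the negative amount, and one-for-one matching plus the file-total reconciliation show what the posting run silently dropped and silently added. Manual follow-up of this exception report is the last item of the "application controls consist of" list above.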

FISCAM Appendices
- Appendix I - Information System Controls Audit Planning Checklist
- Appendix II - Tables for Summarizing Work Performed in Evaluating and Testing General and Business Process Application Controls
- Appendix III - Tables for Assessing the Effectiveness of General and Business Process Application Controls
- Appendix IV - Mapping of FISCAM to NIST SP 800-53 and Other Related NIST Publications
- Appendix V - Knowledge, Skills, and Abilities Needed to Perform Information System Controls Audits
- Appendix VI - Scope of an Information System Controls Audit in Support of a Financial Audit
- Appendix VII - Entity's Use of Service Organizations
- Appendix VIII - Application of FISCAM to Single Audits
- Appendix IX - Application of FISCAM to FISMA
- Appendix X - Information System Controls Audit Documentation

Penetration Testing
Using automated tools and techniques to identify security exposures from internal and external threats.

GAO Position
- Use penetration testing as part of all general control reviews
- Use penetration testing in selected sensitive areas
- Encourage Inspectors General to use it

Tools and Techniques
- Internet-available tools and information
- Freeware
- Shareware
- Commercial software

Common Vulnerabilities
- Weak passwords
- Default accounts and passwords not changed
- Repeated bad logon attempts allowed
- No real-time intrusion detection capability
- Unpatched, outdated, vulnerable services
- Running unnecessary services
- Misconfigured file sharing services
- Inappropriate file permissions
- Excessive admin and user rights

Common Vulnerabilities (continued)
- Clear-text transmission of sensitive information
- Unsecured dial-in modems
- Inadequate filtering
- Inadequate logging, monitoring, and detection
- Excessive trust relationships
- Information leakage
- Inadequate segregation of duties
- Inadequate warning banners

Questions?
Ronald E. Franke, CISA, CIA, CFE, CICA
Ron.Franke@cliftoncpa.com
(512) 342-0800
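Two entries in the Common Vulnerabilities list, repeated bad logon attempts being allowed and inadequate logging, monitoring and detection, can be tested directly from the host's own authentication log rather than only by attempting a brute force during the penetration test. The following added example (not from the presentation) parses OpenSSH-style "Failed password" / "Accepted password" lines, which is the standard sshd wording, from a constructed log; the host name, addresses, users, timestamps, the five-failures-in-300-seconds threshold and the year assumed for the syslog timestamps are assumptions of the example. A source that reaches the threshold with no lockout is one finding; a successful logon from that same source afterwards, which a working lockout should have prevented, is a second.

```python
"""Detection of repeated bad logon attempts that are allowed to continue.

Added example; not from the presentation. The 'Failed password for ...' and
'Accepted password for ...' wording is standard OpenSSH logging, but the
host, addresses, users and timestamps in SAMPLE_LOG are constructed, and
THRESHOLD, WINDOW and YEAR are assumptions of this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5   # failures inside WINDOW that should have triggered a lockout (assumed)
WINDOW = 300    # seconds (assumed)
YEAR = 2010     # syslog timestamps carry no year; assumed for the sample

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log, not captured from a real system. 203.0.113.7 sprays
# three accounts and then gets in; 10.20.30.40 is an ordinary typo; 198.51.100.9
# hammers root and stops.
SAMPLE_LOG = """\
Apr 30 10:00:01 fin-app01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 52100 ssh2
Apr 30 10:00:03 fin-app01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 52101 ssh2
Apr 30 10:00:04 fin-app01 sshd[2240]: Failed password for root from 203.0.113.7 port 52102 ssh2
Apr 30 10:00:06 fin-app01 sshd[2240]: Failed password for root from 203.0.113.7 port 52103 ssh2
Apr 30 10:00:07 fin-app01 sshd[2244]: Failed password for oracle from 203.0.113.7 port 52104 ssh2
Apr 30 10:00:09 fin-app01 sshd[2244]: Failed password for oracle from 203.0.113.7 port 52105 ssh2
Apr 30 10:00:11 fin-app01 sshd[2250]: Accepted password for oracle from 203.0.113.7 port 52106 ssh2
Apr 30 10:02:15 fin-app01 sshd[2301]: Failed password for jsmith from 10.20.30.40 port 40001 ssh2
Apr 30 10:02:40 fin-app01 sshd[2305]: Accepted password for jsmith from 10.20.30.40 port 40002 ssh2
Apr 30 11:30:00 fin-app01 sshd[2900]: Failed password for root from 198.51.100.9 port 61000 ssh2
Apr 30 11:30:01 fin-app01 sshd[2900]: Failed password for root from 198.51.100.9 port 61001 ssh2
Apr 30 11:30:02 fin-app01 sshd[2900]: Failed password for root from 198.51.100.9 port 61002 ssh2
Apr 30 11:30:03 fin-app01 sshd[2900]: Failed password for root from 198.51.100.9 port 61003 ssh2
Apr 30 11:30:04 fin-app01 sshd[2900]: Failed password for root from 198.51.100.9 port 61004 ssh2
"""


def parse(line):
    """Parse one sshd password-auth line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "src": m["src"]}


def analyze(log_text=SAMPLE_LOG, threshold=THRESHOLD, window=WINDOW):
    """Return a list of findings in log order. 'repeated_failures' is raised once
    per source when `threshold` failures fall inside `window` seconds, the point at
    which a lockout should have engaged; 'success_after_burst' is raised when that
    same source later authenticates successfully."""
    failures = defaultdict(deque)   # src -> deque of (timestamp, user) inside the window
    flagged = set()
    findings = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        while q and (ev["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()          # slide the window forward
        if ev["ok"]:
            if ev["src"] in flagged:
                findings.append({"kind": "success_after_burst", "src": ev["src"],
                                 "user": ev["user"], "failures_in_window": len(q)})
            continue
        q.append((ev["ts"], ev["user"]))
        if len(q) >= threshold and ev["src"] not in flagged:
            flagged.add(ev["src"])
            findings.append({"kind": "repeated_failures", "src": ev["src"], "count": len(q),
                             "users": sorted({u for _, u in q}),
                             "span_seconds": (q[-1][0] - q[0][0]).total_seconds()})
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(f)
```

Keying the window on the source address rather than the account is deliberate: the first burst touches three different accounts, so a per-account lockout counter never reaches five, which is exactly how password spraying slips past a naively configured lockout. The same logic, run against the production log during the audit, answers the control question (was a lockout enforced?) with evidence rather than with a reading of the policy document; the absence of any such line in the log when a test logon was deliberately failed is itself the "inadequate logging" finding.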