IT Security - Intosai Community Portal


INTOSAI IT AUDIT COMMITTEE

IT Security
Student Notes
March 2007

TABLE OF CONTENTS

1 Module Objective
2 IT Security - An Overview
3 IT Security Standards and Frameworks
4 Risk analysis
5 Risk management
6 Security policy
7 Organisation of Information Security
8 Asset classification and control
9 Personnel security
10 Systems development and maintenance
11 Network and Communications Controls
12 Compliance Controls
13 Audit considerations
Annex 1: Glossary of terms
Annex 2: Examples of risk analysis methodologies
Annex 3: Sample IT security standards


Module Objective


This module provides an introduction to information system security from an
auditor's perspective. The objective is to enable the auditor to examine
clients' approaches to information system security and assess whether they
are doing enough to reduce the risk to their information systems to an
acceptable level.


Some of the terminology used in the context of information system security
is open to interpretation. Every effort has been made to make the meaning
of technical terms clear in the text, but in case there is any doubt, these
notes contain a glossary of terms at Annex 1.


Finally, these notes are supplemented by those on IT Controls and on
Business Continuity Planning.


IT Security - An Overview


1 Introduction


1 What is IT Security?


Information held in IT systems is increasingly a critical resource in
enabling organisations to achieve their goals. Additionally, individuals
whose personal information is contained in IT systems have a reasonable
expectation of privacy and protection from harm, while beneficiaries of IT
systems have a legitimate expectation that the systems will perform their
functions efficiently whilst exercising proper control of the information
to ensure it is protected against hazards such as unwanted or unwarranted
dissemination, alteration, or loss. The term IT security is used to cover
prevention and mitigation of these and similar hazards.


2 Management's Concern about IT Security


Management should be concerned about IT security for three principal
reasons:


. Dependence on IT systems. Information systems which can provide accurate
services when and where they are required are the key to the survival of
most modern businesses; without computers and communications they would
be unable to provide services, process invoices, contact customers or
make payments; information systems also handle the organisation's secrets
which, if made public, would cause embarrassment and may even lead to
business failure;


. Exposure of IT systems. IT systems need a stable environment and can be
wrecked by natural disasters such as fire, flood, hurricane or
earthquake; failure in the air conditioning or power supply can lead to
system failure; terrorist bombs can cause immense disruption; accidents
or deliberate sabotage can bring down whole networks. IT systems are the
key to accessing vast quantities of corporate data; this makes them an
attractive target for hackers, investigative journalists and spies, and
may provide staff with a motivation for abusing their privileges by
selling information to outsiders. Organisations rely upon the accuracy
of information provided by their systems; once this trust is destroyed
the impact on the business may be as great as that which would be caused
by the destruction of the system; as a result it is important to protect
data from accidental or deliberate corruption.


. Investment in IT systems. Information systems are costly both to develop
and maintain, and management should protect their investment like any
other valuable asset. IT assets are particularly attractive to thieves as
they are portable, have a high value to weight ratio and can readily be
sold.


Once senior managers are aware of their dependency on information systems
and the risks that they face, there may be a tendency to overreact; no
system is completely secure and, once baseline controls are in place, there
tends to be a diminishing return for further investment in security
measures. Protecting IT assets can be expensive and disruptive; hence, a
balance has to be struck by ensuring that security is:

1. appropriate to an organisation's business needs yet comprehensive in
its coverage;
2. justified to the extent that it will reduce perceived risks to the
level that management are willing to accept; and
3. effective against actual threats.

An emerging concept related to IT security is that of information security
governance, which has been defined by the National Institute of Standards
and Technology of the US Federal Government as "the process of establishing
and maintaining a framework and supporting management structure and
processes to provide assurance that information security strategies are
aligned with and support business objectives, are consistent with
applicable laws and regulations through adherence to policies and internal
controls, and provide assignment of responsibility, all in an effort to
manage risk."


3 Objectives of IT Security


The requirement for security is derived from the need for management to
reduce to an acceptable level the risk of a significant breach of the
confidentiality, integrity or availability of information systems or the
data handled by them. This can be achieved by reducing threats, reducing
the vulnerability to a threat or reducing the impact of a threat occurring
and adversely affecting the business.


The key security objectives (the so-called C-I-A triad) are:

1. confidentiality - ensuring that information is accessible only to
those authorised to have access;
2. integrity - safeguarding the accuracy and completeness of information
and processing methods; and
3. availability - ensuring that authorised users have access to
information and associated assets when required.

Which objectives are most important will depend on the nature of the
system; in systems that hold key military secrets the emphasis would be on
confidentiality above all else, whereas in most other applications the main
emphasis will probably be on availability followed by integrity.


Some authors have recently added an additional security objective of
non-repudiation. This relates to proving that a given individual did in fact
authorise the information in question; that it was sent at a particular
time, or that it was received by a particular individual at a particular
time. Measures which satisfy the non-repudiation objective would make it
difficult to deny being the originator, sending information or having
received it. Non-repudiation is sometimes considered to be included in the
integrity objective, but it is worth considering separately because the
measures needed for non-repudiation of despatch and receipt in particular
are distinct from those usually associated with integrity.
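As an added illustration, not part of the original notes, of why non-repudiation needs measures distinct from ordinary integrity controls: the Go example below contrasts an HMAC under a key shared by sender and receiver (integrity only, since either party could have produced the tag) with an Ed25519 signature under the sender's private key (attributable by any third party holding the public key). The record text, the shared key and the two parties are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed sample record; the timestamp is inside the protected bytes, so
// the evidence also fixes the claimed time of despatch.
const sampleRecord = "2007-03-01T09:00:00Z|approve payment, invoice 1234"

// Integrity control: HMAC under a key shared by sender and receiver. It detects
// alteration in transit but cannot say which of the two key holders wrote it.
func macTag(sharedKey []byte, record string) []byte {
	m := hmac.New(sha256.New, sharedKey)
	m.Write([]byte(record))
	return m.Sum(nil)
}

// The receiver holds the same key and can reproduce the sender's exact tag, so
// an auditor cannot tell the parties apart: no non-repudiation of origin.
func receiverCanReproduceTag(sharedKey []byte, record string, received []byte) bool {
	return hmac.Equal(macTag(sharedKey, record), received)
}

// Non-repudiation control: a signature under the sender's private key. Only that
// key produces it, and anyone holding the public key can check it later.
func signRecord(priv ed25519.PrivateKey, record string) []byte {
	return ed25519.Sign(priv, []byte(record))
}

// A third party (e.g. the auditor) attributes the record to the sender iff it verifies.
func attributable(pub ed25519.PublicKey, record string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(record), sig)
}

func main() {
	shared := []byte("constructed-shared-key")
	tag := macTag(shared, sampleRecord)
	fmt.Println("receiver can reproduce MAC tag:", receiverCanReproduceTag(shared, sampleRecord, tag))
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, receiverPriv, _ := ed25519.GenerateKey(rand.Reader) // receiver lacks sender's key
	sig := signRecord(senderPriv, sampleRecord)
	fmt.Println("sender's signature attributable:", attributable(senderPub, sampleRecord, sig))
	fmt.Println("receiver's forgery attributable:", attributable(senderPub, sampleRecord, signRecord(receiverPriv, sampleRecord)))
	fmt.Println("altered timestamp attributable:", attributable(senderPub, "2007-03-02T09:00:00Z|approve payment, invoice 1234", sig))
}
```

The first line prints true (the MAC gives the auditor nothing to attribute); the signature lines print true, false, false, so only the sender's unaltered record, with its timestamp, can be attributed to the sender.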


Information system security objectives overlap substantially with quality
of service objectives. The emphasis in quality of service tends to be
focused on timely availability of services and accurate information, rather
than confidentiality, but there is enough in common between quality of
service and security for it to be worthwhile to consider both together.


IT Security Standards and Frameworks


1 ISO/IEC 17799


In 2000, the International Organization for Standardization (ISO) and the
International Electrotechnical Commission (IEC) released ISO/IEC 17799
"Information technology - Security techniques - Code of practice for
information security management", which was based almost exclusively on the
control objectives of the British standard, BS7799 "Code of Practice for
Information Security". The latest version of the standard, ISO/IEC
17799:2005, was released in June 2005.


The standard contains the following twelve main sections:

. Risk assessment and treatment;
. Security policy;
. Organisation of information security;
. Asset management;
. Human resources security;
. Physical and environmental security;
. Communications and operations management;
. Access control;
. Information systems acquisition, development and maintenance;
. Information security incident management;
. Business continuity management; and
. Compliance.


Within each section, IT security controls and their objectives are
specified and outlined, and for each of the controls, implementation
guidance is provided; a total of 39 main security categories are covered.
The main changes in the 2005 version include:

. a special introductory clause on "risk assessment and treatment";
. a new top-level clause on "information security incident management";
. substantial changes in the sections relating to security of third party
services, human resources security, management of vulnerabilities, and
communications and operations management;
. additional emphasis on proper definition of information security roles
and responsibilities; and
. expanded detail for each control requirement (including a specification
of the overall control requirement, implementation guidance, and other
information).


In addition, ISO/IEC 27001 "Information technology - Security techniques -
informa