Seven Technical Audit Areas to Cover
Technical reviews require auditors to have comprehensive knowledge of both the technical equipment and processes for the business under review. When conducting a technical review, assessment or audit of an organization’s IT, there are 7 areas often recommended for coverage and investigation:
Examine and assess the internal network—The network components such as the routers, gateways, switches, firewalls and intrusion detection system (IDS) devices are all important to the traffic and communications related to the organizational processes. These need review to ensure proper operation and security. Many tools and techniques exist for verification of internal network components and devices, so cover all of them during a review.
Examine and assess the external network connectivity—The ways the network connects to other networks, other locations and the Internet are all critically important to the organization and its business objectives. Therefore, looking at the external connectivity, routing, Domain Name System (DNS), email and other connection components to the outside of the network is vital to the operations of the business.
Examine and assess connectivity and information sharing with third-party entities—All of the organizational partners and suppliers have their own networks, but what these parties do with the information of the business under review needs to be checked and validated. Supply chain, managed service providers, cloud providers and outsourced functions all need to be checked, when possible, and the actions they take with that information verified against the business requirements under review.
Examine and assess wireless connectivity and security—Organizations often employ wireless communications equipment to extend the range of and access to network resources for users and guests. Each of these wireless methods has unique security and protocol usage concerns and, therefore, requires independent checking, testing and evaluation. This part of networking is very dynamic and demanding, with new changes constantly being added.
Examine and assess resource accessibility and remote access—Access to programs, files, data and network resources is often the most important feature of systems and networks in today’s mobile user environment. Many of these access control methods require different techniques to account for the variety of users, partners, guests and others who desire legitimate access to the services. Remote access is a primary technical and environmental means for illegitimate access and a “way in” to obtain data and files otherwise not available to those from outside the organization.
Examine and assess all hosts, their configurations and documentation—All computing devices within the boundaries of the organization need constant review, updates and checking to ensure that they are properly configured and have not been altered in any way to allow access to important features or data of the organization. Hosts refer to the laptops, desktops, servers, notebooks, tablets and other computing devices that the organization allows its users to use to perform their work.
Examine and assess all infrastructure devices, technologies and connectivity—The organizational infrastructure is vital to the operations of the network and all business efforts. Therefore, it becomes paramount to understand and review the various components of the organizational technical support machines and devices. Connectivity to the outside world is also important in communicating and projecting the business goals, activities and efforts for the organization.
These areas are not the only technical components or arenas to look into when auditing, but they constitute a starting point for auditors and assessors to check and test when conducting a technical assessment. Technical reviews often utilize both automated and manual methods and techniques and require a strong understanding of the technical equipment and processes being reviewed.
Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security and Forensics Management Team of Bath, South Carolina, USA.
New Design and Implementation Guides for COBIT 2019 Now Available
Governance frameworks are always evolving and, as a result, governance design and implementation must evolve to follow suit. To adopt the new COBIT 2019 framework seamlessly, ISACA has published 2 new COBIT 2019 guides:
The Design Guide is an entirely new addition to the COBIT product family. The Implementation Guide is an update to the COBIT 5 Implementation Guide. It incorporates the design factors to ensure that its guidance is more practical and customizable for specific governance needs.
Both publications are available as free downloads for ISACA members, along with the 2 COBIT 2019 framework publications. Additional COBIT 2019 information and resources are available on the COBIT page of the ISACA website.
Stay Safe in the Face of SAP Application Attacks
In July 2018, the US Department of Homeland Security uncovered new threat intelligence indicating that cybercriminals were exploiting Systems, Applications and Products in Data Processing (SAP) business-critical applications, explicitly targeting enterprise resource planning (ERP) applications. This alert raised awareness of the need for organizations to stay vigilant against attacks that disrupt business-critical operations.
To help you gain insight into mitigating SAP application attacks, ISACA and Onapsis Inc. present the “ERP Under Attack—Fighting Back Against Breaches” webinar. It will explore why and how cybercriminals, hacktivists and nation states are actively attacking SAP applications and how malware is evolving to target "behind-the-firewall" business applications. This webinar takes place on 18 December at 11AM CST (UTC -6 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending this webinar and completing a related survey.
Anand Kotti is an SAP cybersecurity professional at Onapsis Inc. and will present the webinar. Kotti will use his more than 10 years of experience working as a consultant in export controls; governance, risk and compliance (GRC) access controls; security best practices; and cybersecurity to help you determine the best plan of action to protect your business-critical assets.
To learn more about this webinar or to register for it, visit the ERP Under Attack—Fighting Back Against Breaches page of the ISACA website.
Get the Latest Relevant News on Women in Tech With SheLeadsTech Newsletter
Women’s roles in technology are evolving, but women still must overcome career hurdles such as salary equality and taking on leadership roles. Even further, the visibility of women in the industry needs to increase to accurately reflect the impact women are making.
The SheLeadsTech newsletter’s goal is to get women the career advice they need while also shedding light on the waves women are making in the tech industry today. By subscribing to this monthly newsletter, you will receive the latest updates on what the ISACA SheLeadsTech program is accomplishing and uncovering about the latest strides women are making in the tech industry.
In November, the newsletter highlighted the SheLeadsTech program’s launch in South Africa, Zambia and Kenya; shared the latest SheLeadsTech podcast, “Championing Female Colleagues in the Tech Workforce”; featured a question-and-answer session with Jo Stewart Rattray, CISA, CISM, CGEIT, CRISC, FACS CP; and also shared curated news stories about women making a difference in the technology industry in real life and on television.
To subscribe to the newsletter, visit the SheLeadsTech page of the ISACA website.