Question

Assuming that your group is a team of IT auditors who have just got an assignment to audit information logging of servers of a company. You have known that logs are important for information systems operation and security because logs can be used to detect unauthorized access, identify unfavorable trend, and provide data for determining the root cause of system failures. Your supervisor asked you to (1) find out what system activities are to be logged according to commonly used policies or standards. (Hint: Use the internet to search for commonly used policies of standards. Then, list the system activities in you answer. The source of the list should be included in your answer.) (2) verify whether the company maintains all those necessary logs defined in (1). (Hint: Describe the audit procedure(s) you will use to accomplish this task) (3) find out what are necessary elements of system log, such as user id. (4) examine whether the system logs actually include necessary elements (Hint: Describe the audit procedure(s) you will use to accomplish this task) (5) verify whether these logs are regularly reviewed (Hint: Describe the audit procedure(s) you will use to accomplish this task)

Answer 1

Internal audit typically has three phases; planning, testing & reporting. Every audit begins with the definition of scope of audit. Once the scope is defined, the audit plan is laid out with the inputs and data requirements, analysis & sampling of input data based on deviations and material observations, the audit initially begins with the sample data and is then extended based on the audit findings.

Logging provides a record of events related to IT systems and processes. Every recorded log is an independent entry with information of the event like time stamp, user id, ip address and approval level etc.

The organization generates audit trails and logs to reconstruct the following events:

• All individual user data to cardholder data
• All actions taken by any individual with root or adminitrative privileges
• Access to audit trails
• Invalid logical access attempts
• Use of identification and authentication mechanisms
• Initialization of audit logs
• Creation & deletion of system level objects

An organization records the audit trail with following elements:

• user identification
• type of event
• date & time
• success or failure indication
• origination of event
• identity or name of affected data, system component or resource

Audit Planning

• The auditor develops an initial audit plan draft.
• Auditor meets the relevant department officials to review audit program and define key inputs and stakeholders.
• Management provides the data as requested by the auditor
• Auditor drafts the internal audit program plan.
• Auditor shares the plan with management who agree or modify the same based on mutual arrangement.

Audit Testing

• Auditor evaluates information on logging, monitoring and reporting policies and procedures.
• Stakeholders of relevent departments conduct walk-throughs of the entire process and checks and controls in place
• Auditor evaluates the quality of information, reliability and consistency of the inputs shared.
• Auditor assesses logging, monitoring & reporting performance metrics
• Auditor evaluates whether logging, monitoring and reporting controls are satisfactory or not
• Auditor defines tests to confirm the operational effectiveness
• Auditor identifies and recommends scope of improvement and observations
• There's a final meeting with the relevant stakeholders to share the test results and feedback on overall review

Audit Standard Practices & Procedures

• Service Level Monitoring & Reporting - The organization continously monitors identified service level performance and provides status reports to the management
• Access Control - It includes information access tracking, account management, account change notification, account access supervision & review, remote access tracking, wireless access tracking, tracking on portable & network devices and system use notification
• System Logging & Monitoring - It includes log monitoring, analysis & reporting and log retention
• Security Assessment & Accreditation - Periodic tests and audits as per COBIT, ISO, NIST and relevant standards
• Change & Configuration Management - It includes change control, monitoring configuration changes & information change detection
• Identification & Authentication - Authenticator Management across all forms of access; tokens, PKI certificates, biometrics, passwords, key cards etc.
• Incident Reponse - Incident tracking, response, reporting, support and monitoring
• System Maintenance - System maintenance tool tracking & remote maintenance monitoring
• Media Protection - Media access monitoring & control, media preservation & media sanitization monitoring
• Infrastructure Protection - Infrastructure monitoring with a log of events to enable investigaton understanding sequence of operations, impacting events and other activities
• Physical Protection - Physical access tracking, visitor tracking, visitor access log reviews, internal climate control & Third Party Security Monitoring
• Systems & Communications Protection - Boundary monitoring, mobile code monitoring and voip monitoring
• Account Management - Automation , remote access monitoring, wireless access monitoring, portable devices and cardholder data