In: Accounting
Select one area of risk related to auditing operating systems and networks: Describe the threats associated with the risk area. What are the associated controls to address and reduce the likelihood of these threats? What are the audit objectives related to these controls? List the appropriate audit procedures to test these controls?
Hello,
Need for Protection of Operating Systems
As there are many issues, some of them are listed below:
- Widespread use of technology;
- Interconnectivity of systems;
- Devolution of management and control;
- Attractiveness of conducting unconventional electronic attacks over more conventional physical attacks against organizations; and
- External factors such as legislative, legal, and regulatory requirements or technological developments.
The audit objective of the controls is to maintain the following in operating systems and networks:
- Confidentiality: Prevention of the unauthorized disclosure of information;
- Integrity: Prevention of the unauthorized modification of information; and
- Availability: Prevention of the unauthorized withholding of information.
The following should be checked to determine whether they are present in the organisation:
User Security Policies - These include the User Security Policy and the Acceptable Usage Policy.
- User Security Policy - This policy sets out the responsibilities and requirements for all IT system users. It provides security terms of reference for Users, Line Managers and System Owners.
- Acceptable Usage Policy - This sets out the policy for acceptable use of email, Internet services and other IT resources.
Organization Security Policies - These include the Organizational Information Security Policy, Network & System Security Policy and Information Classification Policy.
- Organizational Information Security Policy - This policy sets out the Group policy for the security of its information assets and the Information Technology (IT) systems processing this information. Though it is positioned at the bottom of the hierarchy, it is the main IT security policy document.
- Network & System Security Policy - This policy sets out detailed policy for system and network security and applies to IT department users.
- Information Classification Policy - This policy sets out the policy for the classification of information.
Conditions of Connection - This policy sets out the Group policy for connecting to the network. It applies to all organizations connecting to the Group, and relates to the conditions that apply to different suppliers' systems.
The issue selected is unauthorised physical access in the organisation, which may cause the following:
Physical Access Issues and Exposures
The following points elaborate the results of accidental or intentional violation of the access paths:
- Abuse of data processing resources;
- Blackmail;
- Embezzlement (an act of dishonestly withholding assets for the purpose of conversion (theft) of such assets, by one or more persons to whom the assets were entrusted, either to be held or to be used for specific purposes);
- Damage, vandalism or theft of equipment or documents;
- Public disclosure of sensitive information; and
- Unauthorized entry.
Controls related to unauthorised physical access are mentioned below:
(a) Locks on Doors: These are given as follows:
- Cipher Locks (Combination Door Locks) - Cipher locks are used in low security situations or when a large number of entrances and exits must be usable all the time. To enter, a person presses a four digit number, and the door will unlock for a predetermined period of time, usually ten to thirty seconds.
- Bolting Door Locks - A special metal key is used to gain entry when the lock is a bolting door lock. To avoid illegal entry, the keys should not be duplicated.
- Electronic Door Locks - A magnetic or embedded chip-based plastic card key or token may be entered into a reader to gain access in these systems.
(b) Physical Identification Medium: These are discussed below:
- Personal Identification Numbers (PIN): A secret number assigned to the individual, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual. The visitor will be asked to log on by inserting a card in some device and then enter their PIN via a PIN keypad for authentication. His/her entry will be matched with the PIN available in the security database.
- Plastic Cards: These cards are used for identification purposes. Customers should safeguard their card so that it does not fall into unauthorized hands.
- Identification Badges - Special identification badges can be issued to personnel as well as visitors. For easy identification purposes, the colour of the badge can be changed. Sophisticated photo IDs can also be utilized as electronic card keys.
(c) Logging on Facilities: These are given as under:
- Manual Logging: All visitors should be prompted to sign a visitor's log indicating their name, company represented, their purpose of visit, and person to see. Logging may happen at both fronts - reception and entrance to the computer room. A valid and acceptable identification such as a driver's license, business card or vendor identification tag may also be asked for before allowing entry inside the company.
- Electronic Logging: This feature is a combination of electronic and biometric security systems. Users' logging can be monitored and unsuccessful attempts highlighted.
(d) Other Means of Controlling Physical Access: Other important means of controlling physical access are given as follows:
- Video Cameras: Cameras should be placed at specific locations and monitored by security guards. Refined video cameras can be activated by motion. The video supervision recording must be retained for possible future playback.
- Security Guards: Extra security can be provided by appointing guards aided with CCTV feeds. Guards supplied by an external agency should be made to sign a bond to protect the organization from loss.
- Controlled Visitor Access: A responsible employee should escort all visitors. Visitors may be friends, maintenance personnel, computer vendors, consultants and external auditors.
- Bonded Personnel: All service contract personnel, such as cleaning people and off-site storage services, should be asked to sign a bond. This may not be a measure to improve physical security but to a certain extent can limit the financial exposure of the organization.
- Dead Man Doors: These systems encompass a pair of doors that are typically found in entries to facilities such as computer rooms and document stations. The first entry door must close and lock for the second door to operate, with only one person permitted in the holding area.
- Non-exposure of Sensitive Facilities: There should be no explicit indication, such as the presence of windows or directional signs, hinting at the presence of facilities such as computer rooms. Only the general location of the information processing facility should be identifiable.
- Computer Terminal Locks: These locks ensure that the device attached to the desk is not turned on or disengaged by unauthorized persons.
- Controlled Single Entry Point: All incoming personnel can use a controlled Single Entry Point. A controlled entry point is monitored by a receptionist. Multiple entry points increase the chances of unauthorized entry. Unnecessary or unused entry points should be eliminated or deadlocked.
- Alarm System: Illegal entry can be avoided by linking the alarm system to inactive entry points and the reverse flows of enter-only or exit-only doors. Security personnel should be able to hear the alarm when activated.
- Perimeter Fencing: Fencing at the boundary of the facility may also enhance the security mechanism.
- Control of Out-of-Hours Employees: Employees who are out of office for a longer duration during the office hours should be monitored carefully. Their movements must be noted and reported to the concerned officials frequently.
- Secured Report/Document Distribution Cart: Secured carts, such as mail carts, must be covered and locked and should always be attended.
Thanks, hope you like this compilation of answers.
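The answer above describes the Electronic Logging control (monitoring user logging and highlighting unsuccessful attempts) but does not show what testing it looks like. The following is an added example, not part of the original post: a small auditor's review of an electronic door-access log that pulls out the exceptions one would follow up on, namely repeated denied attempts by one badge at one door, successful entries to a sensitive room outside business hours, and badges that do not appear in the security database of issued badges. The log format, door names, badge ids, business hours and the threshold of three failures are all constructed assumptions for illustration.

```python
"""Added example (not from the original post): reviewing an electronic
door-access log the way an auditor would when testing the Electronic
Logging control. All formats, ids and thresholds below are assumptions."""
from collections import Counter
from datetime import datetime, time

# Constructed sample log. Assumed format: <ISO timestamp> <door> <badge> <result>
SAMPLE_LOG = """\
2024-03-04T08:55:12 COMPUTER_ROOM B1001 GRANTED
2024-03-04T09:02:40 COMPUTER_ROOM B2002 DENIED
2024-03-04T09:02:47 COMPUTER_ROOM B2002 DENIED
2024-03-04T09:02:55 COMPUTER_ROOM B2002 DENIED
2024-03-04T09:03:10 COMPUTER_ROOM B2002 GRANTED
2024-03-04T12:15:00 RECEPTION B3003 GRANTED
2024-03-04T23:41:05 COMPUTER_ROOM B1001 GRANTED
2024-03-05T02:10:33 COMPUTER_ROOM B9999 DENIED
"""

# Constructed stand-in for the "security database" of currently issued badges.
ISSUED_BADGES = {"B1001": "Operator A", "B2002": "Operator B", "B3003": "Receptionist"}

BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumed normal working window
FAILED_ATTEMPT_THRESHOLD = 3                  # assumed escalation threshold
SENSITIVE_DOORS = {"COMPUTER_ROOM"}           # doors whose after-hours use is reviewed


def parse_log(text):
    """Turn raw log lines into event dicts.

    Malformed lines are reported by line number rather than silently dropped,
    because gaps in the log are themselves an audit finding.
    """
    events, bad_lines = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("GRANTED", "DENIED"):
            bad_lines.append(lineno)
            continue
        ts, door, badge, result = parts
        try:
            stamp = datetime.fromisoformat(ts)
        except ValueError:
            bad_lines.append(lineno)
            continue
        events.append({"ts": stamp, "door": door, "badge": badge, "result": result})
    return events, bad_lines


def within_business_hours(ts):
    """True when the clock time of ts falls inside the assumed working window."""
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def review_access_log(text, issued=ISSUED_BADGES):
    """Produce the exceptions an auditor would trace back to visitor logs and authorisations."""
    events, bad_lines = parse_log(text)
    failures = Counter()          # (badge, door) -> number of DENIED events
    after_hours, unknown = [], set()
    for ev in events:
        if ev["badge"] not in issued:
            unknown.add(ev["badge"])
        if ev["result"] == "DENIED":
            failures[(ev["badge"], ev["door"])] += 1
        elif ev["door"] in SENSITIVE_DOORS and not within_business_hours(ev["ts"]):
            after_hours.append((ev["badge"], ev["door"], ev["ts"].isoformat()))
    repeated = sorted((badge, door, n) for (badge, door), n in failures.items()
                      if n >= FAILED_ATTEMPT_THRESHOLD)
    return {
        "repeated_failures": repeated,
        "after_hours_entries": after_hours,
        "unknown_badges": sorted(unknown),
        "malformed_lines": bad_lines,
    }


if __name__ == "__main__":
    for category, items in review_access_log(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("   ", item)
```

Run against the sample, the review flags badge B2002's three consecutive denials at the computer room door, B1001's successful entry at 23:41, and B9999 as a badge absent from the issued list. Each of these is then compared with the manual visitor log and with the authorisation records for the people concerned, which is the actual test of whether the control operates as described.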