Practical Guidance for Auditing IT General Controls
Chase Whitaker, CPA, CIA
September 2, 2009
About Hospital Corporation of America
- $28B annual revenue
- $24B total assets
- $4.6B EBITDA
- $673M net income
- Fortune 100 company
- ~180,000 employees
- ~170 hospitals
- ~110 surgery centers
- Common line of business, systems, and security model
Session Objectives
- IT general controls and their significance for regulatory compliance
- COBIT 4.1 IT control framework
- IT general controls scope areas, including:
  - Infrastructure/logical security
  - User access
  - Physical security/environmental controls
  - Change management
  - Disaster recovery/business continuity
- How to plan and execute a risk-based IT general controls review
What are IT general controls?
- Encompassing controls designed to cover the entire organization's IT infrastructure rather than specific applications
- IT general controls help ensure CIA: Confidentiality, Integrity, Availability
- Contribute to safeguarding of data and promotion of regulatory compliance
- A key control assessment would focus on IT general controls and application-specific controls (application controls are not covered in this session)
Regulatory Compliance Significance
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI)
- Gramm-Leach-Bliley Act (GLBA)
- Sarbanes-Oxley (SOX)
  - IT plays a major role in supporting financial reporting integrity
  - Section 404 requires an internal control report
  - Management must use a recognized internal control framework (e.g., COBIT, COSO)
Frameworks
- COBIT: Control Objectives for Information Technology
- COSO: Most widely used internal control framework (commonly used for SOX compliance)
- ISO 17799 / 27001: Detailed information security standards (commonly used to benchmark a company's policies/standards)
Additional Frameworks
- NIST 800 Series: U.S. federal government computer security policies, procedures, and guidelines
- GAIT Methodology (IIA): Focused on IT general controls
COBIT 4.1 Framework
- COBIT: Control Objectives for Information and Related Technology
- IT governance framework issued by ISACA (free)
- Control objectives for safeguarding information assets
- Version 4.1 released in May 2007 (first published in 1996)
COBIT 4.1 Framework (continued)
- Contains 210 detailed control objectives
- COBIT Control Practices (for COBIT subscribers)
- IT Assurance Guide (for ISACA members)
- Framework adopted by many companies to comply with legislation such as SOX
COBIT Version 4.1 process map
IT resources: Applications, Information, Infrastructure, People
Plan and Organise:
- PO1 Define a strategic IT plan
- PO2 Define the information architecture
- PO3 Determine technological direction
- PO4 Define the IT processes, organisation, relationships
- PO5 Manage the IT investment
- PO6 Communicate management aims and direction
- PO7 Manage IT human resources
- PO8 Manage quality
- PO9 Assess and manage IT risks
- PO10 Manage projects
Acquire and Implement:
- AI1 Identify automated solutions
- AI2 Acquire and maintain application software
- AI3 Acquire and maintain technology infrastructure
- AI4 Enable operation and use
- AI5 Procure IT resources
- AI6 Manage changes
- AI7 Install and accredit solutions and changes
Deliver and Support:
- DS1 Define and manage service levels
- DS2 Manage third-party services
- DS3 Manage performance and capacity
- DS4 Ensure continuous service
- DS5 Ensure systems security
- DS6 Identify and allocate costs
- DS7 Educate and train users
- DS8 Manage service desk and incidents
- DS9 Manage the configuration
- DS10 Manage problems
- DS11 Manage data
- DS12 Manage the physical environment
- DS13 Manage operations
Monitor and Evaluate:
- ME1 Monitor and evaluate IT performance
- ME2 Monitor and evaluate internal control
- ME3 Ensure compliance with external requirements
- ME4 Provide IT governance
COBIT Copyright 2007 by IT Governance Institute
Infrastructure Platforms
- Operating Systems (O/S): Controls program execution, allocation of hardware resources, access to programs, etc. Examples: Windows, Linux, UNIX, Mainframe
- Database Management Systems (DBMS): System of programs used to define, maintain, and manage access to large collections of data. Examples: Oracle, DB2, SQL Server
- Applications: Web-based (thin client), Thick client
Logical Security (DS5) Overview
- Logical security controls should ensure confidentiality, integrity, and availability over systems and data.
- Strong authentication controls should prevent user accounts from being compromised.
- File shares should be adequately restricted to appropriate users.
- Patches/system updates should be applied timely.
Logical Security (DS5) Overview (continued)
- Network services should be closed unless necessary for business reasons.
- Anti-virus software should be installed and up to date.
- Sensitive data should be encrypted.
Logical Security Risks
- Authentication controls may not provide reasonable measures to protect against unauthorized access.
- Excessive file shares may allow inappropriate access to sensitive data.
- Systems may be susceptible to extended downtime, viruses, unauthorized access, or other malicious activity due to outdated patches and virus definitions.
Logical Security Risks (continued)
- Inadequate protection over sensitive data may result in unintended disclosure.
- Unnecessary network services may be exploited to gain unauthorized access to sensitive data.
Logical Security Audit Tests
- Compare password controls (e.g., length, complexity, expiration, history) to organizational standards or best practices.
- Review network file shares for appropriateness and necessity. Ensure sensitive information is not inappropriately shared.
Logical Security Audit Tests (cont.)
- Evaluate the process to apply patches/updates to the O/S, DBMS, and application. Ensure patches are applied timely to remediate known vulnerabilities.
- Observe anti-virus settings to ensure definitions are up to date.
Logical Security Audit Tests (cont.)
- Determine if the anti-virus application is scanning drives regularly.
- Determine if sensitive data is encrypted within databases, on hard drives, and during network transmissions.
- Perform security scans to identify vulnerable services unnecessary for the role of the server (e.g., FTP, HTTP, SMTP, Telnet, etc.).
User Access (DS5) Overview
- Users and their system activity should be uniquely identifiable.
- User access requests, modifications, and removals should be documented and approved.
- Terminated users should have access removed timely.
- Access levels should be based on a user's job duties (least privilege principle).
- Remote access should rely on secure protocols.
User Access Risks
- Undetected fraudulent/inappropriate use of critical systems and data
- Access granted without valid approval
- Access to critical systems and data by unauthorized users
- Appropriate access not defined for each specific job role (i.e., role-based security)
- Remote access to critical systems/data not configured correctly or using insecure protocols (e.g., modems, public networks)
User Access Audit Tests
- Ensure user administration procedures have been developed and review them for adequacy.
- Review system accounts to determine if any terminated employees or unauthorized users have active accounts.
- Evaluate user access, including administrator-level accounts, for adequacy and appropriateness based on the user's job duties.
- Determine how remote access is granted, and recommend the replacement of insecure solutions.
- Ensure audit logging is enabled on critical systems/accounts, and logs are reviewed timely.
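The terminated-user and unauthorized-account tests above are usually done by reconciling an account dump against the HR roster. The script below is an added example written for this guide, not part of the original slides; the CSV column names and every sample row are constructed, and the account extract stands in for the kind of listing a tool such as DumpSec produces.

```python
"""Added example (not from the original slides): reconcile an account dump
against an HR roster to flag terminated users with active accounts and accounts
that have no HR owner. All sample rows and column names are constructed."""
import csv
import io
from datetime import date

# Constructed HR roster; termination_date is blank for current employees.
HR_CSV = """employee_id,name,termination_date
E100,Alice Adams,
E101,Bob Brown,2009-07-15
E102,Carol Clark,
E103,Dan Davis,2009-08-30
"""

# Constructed account dump (the kind of listing DumpSec produces on Windows).
ACCOUNTS_CSV = """account,employee_id,status,last_logon,admin
aadams,E100,enabled,2009-08-31,no
bbrown,E101,enabled,2009-08-20,yes
cclark,E102,disabled,2009-05-01,no
ddavis,E103,enabled,2009-09-01,no
svc_backup,,enabled,2009-08-31,yes
"""

def load(text):
    """Parse an inline CSV extract into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def find_exceptions(hr_rows, account_rows):
    """Return {account: [finding, ...]} for accounts the auditor should question."""
    terminated = {r["employee_id"]: date.fromisoformat(r["termination_date"])
                  for r in hr_rows if r["termination_date"]}
    known = {r["employee_id"] for r in hr_rows}
    findings = {}
    for acct in account_rows:
        issues = []
        emp = acct["employee_id"]
        if acct["status"] == "enabled" and emp in terminated:
            issues.append(f"active after termination on {terminated[emp]}")
            if date.fromisoformat(acct["last_logon"]) > terminated[emp]:
                issues.append("logon after termination date")
        if emp not in known:
            issues.append("no HR owner on record")  # orphan or shared account
            if acct["admin"] == "yes":
                issues.append("unowned account holds admin rights")
        if issues:
            findings[acct["account"]] = issues
    return findings
```

Accounts with no HR owner are not automatically findings; the auditor follows them up with the system owner to confirm they are documented service accounts.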
Physical/Environmental Controls (DS12) Overview
- Physical security/environmental controls should protect the data center, server rooms, network closets, and other controlled areas.
- Access to these areas should be restricted to appropriate personnel to reduce business interruptions from theft or destruction of computer equipment.
- Monitoring of environmental factors should reduce business interruptions from damage to computer equipment and harm to personnel.
Physical/Environmental Controls Risks
- Unauthorized individuals may gain access to sensitive/controlled areas and may view, modify, or destroy equipment or sensitive business data.
- Unauthorized/improper access to controlled areas may go unnoticed due to improper monitoring.
- Business disruption in the event of an environmental incident (e.g., fire, flood, power failure, excessive heat/humidity, etc.) because of inadequate protection of IT assets
- Unmanageable network environments and/or extended network downtime due to poorly configured wiring within server rooms, communication closets, etc.
Physical/Environmental Controls Audit Tests
- Review the list of individuals with access to controlled areas.
- Review visitor logs for controlled areas.
- Review maintenance/test logs for environmental control devices (e.g., testing of backup generators, maintenance of HVAC units, testing of UPS systems).
Physical/Environmental Controls Audit Tests (cont.)
- Walk through controlled areas to evaluate the adequacy of physical and environmental controls, including:
  - Fire suppression systems and smoke detectors
  - Water/moisture detection sensors
  - Temperature/humidity sensors
  - Well-maintained network wiring
Change Management (AI6 &amp; AI7) Overview
- Managing changes addresses how an organization modifies system functionality to meet business needs.
- Requests for changes should be documented and follow defined change management procedures.
- Emergency changes should follow a defined process.
- Changes should be properly tested (in separate environments) to ensure functionality meets defined requirements.
- Controls should restrict migration of program changes to production to authorized and appropriate individuals.
Change Management Risks
- Unauthorized/unapproved changes implemented into production environments.
- Changes not adequately logged for monitoring and documentation purposes, or to back out changes if a change causes a system failure.
- Incorrect system functionality (i.e., erroneous processing) due to inadequate testing of changes.
- Developers with access to migrate code into production may implement unauthorized changes.
Change Management Audit Tests
- Evaluate change management procedures (including emergency changes) for adequacy.
- Compare changes from the request system to implemented changes (usually obtained through system logs) to identify unauthorized changes.
- Review proper approvals for all implemented changes:
  - Routine
  - Emergency
Change Management Audit Tests (cont.)
- Assess the adequacy of change testing. Determine if regression and end-user acceptance testing was performed.
- Review for adequate segregation of duties between development, testing, and change implementation.
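The request-to-implementation comparison, the routine/emergency approval review, and the development-versus-implementation segregation check on the two slides above can be combined into one reconciliation. The script below is an added example for this guide, not the author's own tooling; the ticket and deployment extracts, their column names, and every row are constructed.

```python
"""Added example (not from the original slides): match a change-request extract
against the production migration log to flag deployments with no ticket or an
unapproved one, emergency changes lacking after-the-fact approval, and changes
migrated by their own developer. All sample rows and column names are constructed."""
import csv
import io

# Constructed change-request extract: what the ticketing system says was approved.
TICKETS_CSV = """ticket,type,approved,developer,approved_after_the_fact
CHG-1001,routine,yes,jdoe,
CHG-1002,routine,no,asmith,
CHG-1003,emergency,yes,jdoe,no
CHG-1004,emergency,yes,rlee,yes
"""

# Constructed production migration log: what actually reached production.
DEPLOY_CSV = """deployment,ticket,implementer
D-1,CHG-1001,ops1
D-2,CHG-1002,ops1
D-3,CHG-1003,jdoe
D-4,CHG-1004,ops2
D-5,,ops1
"""

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def review_changes(tickets, deployments):
    """Return {deployment: [finding, ...]}; an empty dict means no exceptions."""
    by_ticket = {t["ticket"]: t for t in tickets}
    findings = {}
    for d in deployments:
        issues = []
        ticket = by_ticket.get(d["ticket"])
        if ticket is None:
            issues.append("no change request on file")  # unauthorized change
        else:
            if ticket["approved"] != "yes":
                issues.append("change request not approved")
            if ticket["type"] == "emergency" and ticket["approved_after_the_fact"] != "yes":
                issues.append("emergency change lacks post-implementation approval")
            if ticket["developer"] == d["implementer"]:
                issues.append("developer migrated own change (segregation of duties)")
        if issues:
            findings[d["deployment"]] = issues
    return findings
```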
Disaster Recovery/Business Continuity (DS4) Overview
- DR/BC plans help minimize business impact in the event of an IT service interruption.
- DR/BC plans should be updated regularly and routinely tested to ensure systems and data can be recovered timely following a disaster or other interruption.
Disaster Recovery/Business Continuity (DS4) Overview (continued)
- DR/BC plans and data backups should be stored offsite for recovery needs.
- Backup media quality checks and restoration tests should be performed periodically to ensure the success of backup processes.
Disaster Recovery/Business Continuity Risks
- Backups may not include all necessary business data for comprehensive recovery in the event of unexpected system downtime or a disaster.
- Data may be compromised by unauthorized individuals due to improper securing of backup media.
- Extended downtime in the event of a disaster due to inadequate or absent disaster recovery testing or thoroughly documented plans
- Lack of executive/senior management support
Disaster Recovery and Business Continuity Audit Tests
- Ensure plans are comprehensive, up to date, and approved.
- Determine if plans are tested regularly and results are documented (post-exercise assessments).
- Review backup logs to determine if data and system configurations are backing up successfully.
Disaster Recovery and Business Continuity Audit Tests (continued)
- Determine if data is routinely test-restored to confirm backups are recoverable.
- Evaluate storage of backup media (logical/physical) and location (e.g., fireproof safe, offsite location, encrypted, etc.).
Freeware Tools for Assessing ITGC
Caveat: work with your information technology and security departments about permission to use these tools.
- DumpSec (www.somarsoft.com/): Logical security tool to assess local accounts, password configurations, audit log settings, etc. on Windows systems. User must have administrator rights to get full results.
- Microsoft Baseline Security Analyzer (MBSA) (technet.microsoft.com/en-us/security/cc184924.aspx): Logical security tool to identify security vulnerabilities (i.e., missing patches) and configuration best practices on Windows systems.
Some More Freeware Tools
- Nmap (nmap.org/download.html): Logical security tool for Linux or Windows. Scans for network services (i.e., open ports), detects network devices, performs O/S fingerprinting, etc. Can run against single IP addresses or entire IP address ranges.
- BackTrack 3 (www.remote-exploit.org/backtrack.html): Bootable Linux distribution used for logical security (penetration) testing. Contains over 300 security tools.
Hey, Even MORE Freeware Tools!
- Nessus (free download at www.nessus.org/): Linux or Windows scanning tool used to identify vulnerable network services (i.e., open ports), perform O/S fingerprinting, etc. across all system platforms. Can run against single IP addresses or IP address ranges.
- Kismet (www.kismetwireless.net/download.shtml): Linux-based wireless network detection tool used to identify and evaluate encryption of wireless access points. A similar tool for use on Windows systems is also available (Wireshark).
Planning and Executing Risk-Based IT General Controls Reviews
- Perform a risk assessment: Risk = Likelihood * Impact
- Develop the audit scope
  - Focus on high-risk areas identified during the risk assessment
  - Auditing all IT general controls is likely not feasible, practical, or necessary
Planning and Executing Risk-Based IT General Controls Reviews (continued)
- Audit planning and program development
- Complete testing to evaluate control effectiveness
- Report results to company management
Summary
- Sound IT general controls help promote regulatory compliance. Must ensure controls effectively mitigate the associated risk.
- An IT control framework such as COBIT 4.1 may help companies comply with regulations.
- Performing risk-based IT general controls reviews will help ensure scarce resources are focused on the areas most significant to the company.
- Many freeware tools are available to assist the auditor in performing IT general controls reviews.
Contact Information
Chase Whitaker
Director of Internal Audit IT
(615) 344-5973
Chase.Whitaker@HCAHealthcare.com