
Sunday, August 9, 2015

ISM unit 4 question bank answers 102-106

QUESTION NUMBER 102-106

102. State the benefits & objectives of information security audit.

BENEFITS AND OBJECTIVES
Audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events (actions that happen on a computer system), intrusion detection, and problem analysis.

Individual Accountability
Audit trails are a technical mechanism that help managers maintain individual accountability. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behavior. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit log.

For example, audit trails can be used in concert with access controls to identify and provide information about users suspected of improper modification of data (e.g., introducing errors into a database). An audit trail may record "before" and "after" versions of records. (Depending upon the size of the file and the capabilities of the audit logging tools, this may be very resource-intensive.) Comparisons can then be made between the actual changes made to records and what was expected. This can help management determine if errors were made by the user, by the system or application software, or by some other source.

Audit trails work in concert with logical access controls, which restrict use of system resources. Granting users access to particular resources usually means that they need that access to accomplish their job. Authorized access, of course, can be misused, which is where audit trail analysis is useful. While users cannot be prevented from using resources to which they have legitimate access authorization, audit trail analysis is used to examine their actions. For example, consider a personnel office in which users have access to those personnel records for which they are responsible. Audit trails can reveal that an individual is printing far more records than the average user, which could indicate the selling of personal data. Another example may be an engineer who is using a computer for the design of a new product. Audit trail analysis could reveal that an outgoing modem was used extensively by the engineer the week before quitting. This could be used to investigate whether proprietary data files were sent to an unauthorized party.

Reconstruction of Events
Audit trails can also be used to reconstruct events after a problem has occurred. Damage can be more easily assessed by reviewing audit trails of system activity to pinpoint how, when, and why normal operations ceased. Audit trail analysis can often distinguish between operator-induced errors (during which the system may have performed exactly as instructed) and system-created errors (e.g., arising from a poorly tested piece of replacement code). If, for example, a system fails or the integrity of a file (either program or data) is questioned, an analysis of the audit trail can reconstruct the series of steps taken by the system, the users, and the application. Knowledge of the conditions that existed at the time of, for example, a system crash, can be useful in avoiding future outages. Additionally, if a technical problem occurs (e.g., the corruption of a data file), audit trails can aid in the recovery process (e.g., by using the record of changes made to reconstruct the file).

Intrusion Detection
Intrusion detection refers to the process of identifying attempts to penetrate a system and gain unauthorized access. If audit trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. Although normally thought of as a real-time effort, intrusions can be detected in real time, by examining audit records as they are created (or through the use of other kinds of warning flags/notices), or after the fact (e.g., by examining audit records in a batch process).

Real-time intrusion detection is primarily aimed at outsiders attempting to gain unauthorized access to the system. It may also be used to detect changes in the system's performance indicative of, for example, a virus or worm attack (forms of malicious code). There may be difficulties in implementing real-time auditing, including unacceptable system performance.

After-the-fact identification may indicate that unauthorized access was attempted (or was successful). Attention can then be given to damage assessment or reviewing controls that were attacked.

Problem Analysis
Audit trails may also be used as on-line tools to help identify problems other than intrusions as they occur. This is often referred to as real-time auditing or monitoring. If a system or application is deemed to be critical to an organization's business or mission, real-time auditing may be implemented to monitor the status of these processes (although, as noted above, there can be difficulties with real-time analysis). An analysis of the audit trails may be able to verify that the system operated normally (i.e., that an error may have resulted from operator error, as opposed to a system-originated error). Such use of audit trails may be complemented by system performance logs. For example, a significant increase in the use of system resources (e.g., disk file space or outgoing modem use) could indicate a security problem.


103. List the principles of Auditing.

PRINCIPLES OF AUDITING :-
Fundamental principles are those according to which the books of business accounts are audited. These principles can be changed according to the desire of the auditor. We discuss the main principles of auditing under these headings :

1. Planning :-
It is the basic principle of auditing. The auditor should plan before starting the work. In planning, the auditor decides about the accounting system and internal control procedure.

2. Honesty :-
Honesty and sincerity are the second important principle of auditing. The loyalty of the auditor to work and profession must be beyond doubt.

3. Impartiality :-
In case of audit the attitude of the auditor must be impartial. Keeping in view this principle his personal views may not be included in the audit report.

4. Secrecy :-
Secrecy must be maintained by the auditor during the process of audit. He cannot disclose any information to a third party.

5. Evidence :-
During the audit the auditor can collect the evidence through the working papers. He can frame his opinion on the audit evidence. The nature and source of evidence must be kept in view by the auditor.

6. Consistency :-
It is an important principle of auditing. In case of selecting the rates of depreciation and valuation of stock the accountant must follow the rates of the coming years. In this regard there should be consistency and changes are not acceptable.

7. Legal Frame Work :-
The business activities may run within the rules and legal formalities. To protect the rights of the interested parties rules must be applied.

8. Working Paper Preparation :-
The auditor collects documents providing evidence that the audit was carried out according to the principles. The auditor prepares the working papers and keeps them in his custody as proof.

9. Internal Control :-
The auditor will examine the accounting system and internal control. To frame his opinion, he keeps in view the evidence obtained from the books.

10. Report :-
According to the principle of auditing, a report will be prepared by the auditor at the end. It may be conditional or unconditional. The auditor can draw conclusions and disclose the facts and figures about the business for general information.


104. List and explain the phases of a disaster recovery plan.

Phase 1: Disaster Assessment and Risk Analysis
The first phase of a disaster recovery plan involves assessing the amount of damage caused and the further extent of damage that will occur if a recovery plan is not used for mediation. The disaster recovery plan must clearly identify the team members who will be responsible for identifying, notifying and accounting for the damage. The assessment usually includes:

• Tracing the origin of the problem
• The likelihood and extent of further damage
• Prime areas that have been affected
• Damage done to the equipment, inventory, resources or finished products
• Things that must be replaced
• The current state of the problem
• Gathering critical information
• The estimated time available for dealing with the disaster without hampering the overall progress

Carrying out a detailed risk analysis is another important activity that must be completed during this first phase. If you need help identifying and prioritizing the threats and estimating the amount of damage these threats can cause, some tools that may come in handy are Risk Assessment Forms, a Risk Assessment Matrix and a Risk Register.

Phase 2: Activation and Planning
This second phase in a disaster recovery plan involves pulling together a team who will actively participate in planning and executing a disaster recovery solution. The role of each and every team member must be clearly defined. Once the team members are together, they have to begin devising a disaster recovery plan to tackle the situation and restore normalcy. Some of the important aspects of this planning are:

• Listing what all will be restored and also assigning priorities to the items to be restored
• Detailing out the procedures to be followed
• Allocating roles to team members
• Setting up a communication, reporting and review system
• Setting up time lines and schedules for activities to be performed
• Allocating resources and equipment
• Setting up operating and quality standards
• Identifying and importing the required data sources
• Setting up review procedures and review points
• Documenting the recovery plan

Phase 3: Execution of the Disaster Recovery Plan
In the execution phase, the recovery team finally gets into action and begins executing the recovery activities as per the procedures specified in the plan. At the end of each phase of the recovery, or after execution of the important recovery activities, a review or appraisal must follow to monitor the progress and ensure compliance with the established quality standards.

Phase 4: Integrating the Disaster Recovery Plan with the Project Plan
Disaster recovery is not something that is carried out completely in isolation. Thus, in this phase, efforts are made to integrate the disaster plan with the overall project plan. This phase also involves testing and verifying the disaster recovery plan for its feasibility. This integration will ensure optimum usage of resources and concentrated efforts toward the overall objective of the project.

Phase 5: Reconstitution and Restoration
This final phase of the five phases in a disaster recovery plan follows after the disaster has been completely managed and it is time to get back to restoring normalcy. Once the execution and testing of the recovery plan is over, this reconstitution phase begins and may last even for a few weeks. The resources and team members that were diverted toward the disaster recovery must be moved back to their original places. Here are some of the activities that form a part of the restoration and reconstitution phase:

• Ensure that there are no remaining aftereffects of the disaster and that no threats have remained unaddressed
• All team members have returned to their original roles
• All resources deployed for the recovery have been secured and relocated to where they are needed
• The disaster recovery efforts are completely over.


105. State and explain any 4 interdependencies of audit trails.

The ability to audit supports many of the controls presented in this handbook. The following paragraphs describe some of the most important interdependencies.

Policy. 
The most fundamental interdependency of audit trails is with policy. Policy dictates who is authorized access to what system resources. Therefore it specifies, directly or indirectly, what violations of policy should be identified through audit trails.

Assurance.
System auditing is an important aspect of operational assurance. The data recorded into an audit trail is used to support a system audit. The analysis of audit trail data and the process of auditing systems are closely linked; in some cases, they may even be the same thing. In most cases, the analysis of audit trail data is a critical part of maintaining operational assurance.

Identification and Authentication.
Audit trails are tools often used to help hold users accountable for their actions. To be held accountable, the users must be known to the system (usually accomplished through the identification and authentication process). However, as mentioned earlier, audit trails record events and associate them with the perceived user (i.e., the user ID). If a user is impersonated, the audit trail will establish events but not the identity of the user.

Logical Access Control. 
Logical access controls restrict the use of system resources to authorized users. Audit trails complement this activity in two ways. First, they may be used to identify breakdowns in logical access controls or to verify that access control restrictions are behaving as expected, for example, if a particular user is erroneously included in a group permitted access to a file. Second, audit trails are used to audit use of resources by those who have legitimate access. Additionally, to protect audit trail files, access controls are used to ensure that audit trails are not modified.

Contingency Planning. 
Audit trails assist in contingency planning by leaving a record of activities performed on the system or within a specific application. In the event of a technical malfunction, this log can be used to help reconstruct the state of the system (or specific files).

Incident Response. 
If a security incident occurs, such as hacking, audit records and other intrusion detection methods can be used to help determine the extent of the incident. For example, was just one file browsed, or was a Trojan horse planted to collect passwords?

Cryptography.
Digital signatures can be used to protect audit trails from undetected modification. (This does not prevent deletion or modification of the audit trail, but will provide an alert that the audit trail has been altered.) Digital signatures can also be used in conjunction with adding secure time stamps to audit records. Encryption can be used if confidentiality of audit trail information is important.
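The tamper-evidence idea above, as an added example that is not part of the original answer: each audit record carries a keyed tag chained to the previous record, so edits and deletions are detected (not prevented) on verification. It assumes HMAC-SHA256 as a standard-library stand-in for a digital signature; the key, the record fields and the off-host "anchor" copy of the last tag are constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64
KEY = b"constructed-demo-key"  # assumption: the real key is kept off the audited host

def tag_for(key, prev_tag, record):
    """Keyed tag over the previous tag plus the canonical JSON of this record."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, prev_tag.encode() + body, hashlib.sha256).hexdigest()

def append(log, record, key=KEY):
    """Append a record; the returned tag is the anchor to store off-host."""
    prev = log[-1]["tag"] if log else GENESIS
    log.append({"record": record, "tag": tag_for(key, prev, record)})
    return log[-1]["tag"]

def verify(log, anchor, key=KEY):
    """Return (index, reason) findings; an empty list means the trail is intact."""
    findings, prev = [], GENESIS
    for i, entry in enumerate(log):
        expected = tag_for(key, prev, entry["record"])
        if not hmac.compare_digest(entry["tag"], expected):
            findings.append((i, "record altered or predecessor removed"))
        prev = entry["tag"]
    if not hmac.compare_digest(prev, anchor):
        findings.append((len(log), "tail does not match stored anchor"))
    return findings

def demo():
    # Constructed sample records with secure-time-stamp style fields.
    records = [
        {"ts": "2015-08-03T09:02:11", "user": "asha", "event": "login"},
        {"ts": "2015-08-03T09:05:40", "user": "asha", "event": "modify payroll"},
        {"ts": "2015-08-03T09:09:12", "user": "ravi", "event": "read payroll"},
        {"ts": "2015-08-03T09:15:55", "user": "asha", "event": "logout"},
    ]
    log, anchor = [], GENESIS
    for rec in records:
        anchor = append(log, rec)
    edited = copy.deepcopy(log)
    edited[1]["record"]["user"] = "ravi"   # rewrite who made the change
    removed = log[:1] + log[2:]            # delete a record from the middle
    truncated = log[:-1]                   # drop the newest record
    return {name: verify(trail, anchor) for name, trail in
            [("intact", log), ("edited", edited),
             ("removed", removed), ("truncated", truncated)]}
```

Truncation of the newest records is only visible because the last tag is compared with a copy held elsewhere; the chain alone cannot show that its tail is missing.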



106. Write a note on cost considerations in audit trails.

Audit trails involve many costs. First, some system overhead is incurred recording the audit trail. Additional system overhead will be incurred storing and processing the records. The more detailed the records, the more overhead is required.

Another cost involves human and machine time required to do the analysis. This can be minimized by using tools to perform most of the analysis. Many simple analyzers can be constructed quickly (and cheaply) from system utilities, but they are limited to audit reduction and identifying particularly sensitive events.
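A simple analyzer of the kind described above, applied to the personnel-office example from question 102 (a user printing far more records than the typical user). This is an added example, not from the original answers; the log format, user names, the `MODEM_OUT` label and the threshold factor are assumptions constructed for illustration.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample audit records (not from the original page).
SAMPLE = """\
2015-08-03T09:02:11 user=asha action=LOGIN
2015-08-03T09:05:40 user=asha action=PRINT records=12
2015-08-03T09:07:02 user=ravi action=PRINT records=9
2015-08-03T09:30:15 user=meena action=READ records=3
2015-08-03T10:11:48 user=meena action=PRINT records=14
2015-08-03T11:20:05 user=kiran action=PRINT records=240
2015-08-03T11:45:31 user=kiran action=MODEM_OUT
2015-08-03T13:02:09 user=ravi action=PRINT records=6
2015-08-03T14:40:57 user=kiran action=PRINT records=185
not an audit line
"""

LINE = re.compile(r"^(\S+) user=(\w+) action=(\w+)(?: records=(\d+))?$")
SENSITIVE = {"MODEM_OUT"}  # assumed label for outgoing modem use

def reduce_trail(text):
    """Audit reduction: keep print volume per user and sensitive events only."""
    printed, sensitive, skipped = Counter(), [], 0
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            skipped += 1  # count malformed lines so gaps in the trail are visible
            continue
        ts, user, action, n = m.groups()
        if action == "PRINT" and n:
            printed[user] += int(n)
        elif action in SENSITIVE:
            sensitive.append((ts, user, action))
    return printed, sensitive, skipped

def heavy_printers(printed, factor=5):
    """Users whose total exceeds `factor` times the median per-user total."""
    if not printed:
        return []
    typical = median(printed.values())  # median resists skew from the outlier
    return sorted(u for u, n in printed.items() if n > factor * typical)
```

The median is used instead of the mean so that one heavy user does not raise the baseline they are compared against.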

More complex tools that identify trends or sequences of events are slowly becoming available as off-the-shelf software. (If complex tools are not available for a system, development may be prohibitively expensive. Some intrusion detection systems, for example, have taken years to develop.)

The final cost of audit trails is the cost of investigating anomalous events. If the system is identifying too many events as suspicious, administrators may spend undue time reconstructing events and questioning personnel.
