In its most basic form, information technology (IT), can be reduced down to IPO. No that’s not an Initial Public Offering, but rather Input-Processing-Output. Think of it this way, you’re lying in bed, sleeping, and your ears pick up a distinct ringing (INPUT). Your ears send a message to the brain “there’s ringing going on out here.” Your brain processing the signal (PROCESSING) and sends a signal to your arm to reach out and hit the snooze button (OUTPUT). In its most basic form, IT takes INPUT, runs it through some programs PROCESSING and then sends OUTPUT. INPUT can take on many varied forms from data fields entered on a web-page to an analog circuit sensing a rise in temperature in a room. PROCESSING can also come in many different forms depending upon the program being executed or ran. OUTPUT can be as simple as a field in a file being updated, to a payroll check, to a voluminous report being printed on a high speed printer. Computers are generally categorized following several criteria, mainly based on their processing power, size and architecture. Some common types of computers are: Supercomputers, Mainframes, High-end and midrange servers, Personal computers (PCs), thin client computers, notebook/laptop computers and then on to smart phones and personal digital assistants (PDAs). Now here’s the oddity; I had the opportunity of seeing a supercomputer at a major university, constructed entirely of Apple MAC laptops. In my lifetime, the first mainframe I worked on had less memory, less disk space, and less processing power than the laptop which I currently use to write these articles. It also took up several thousand square feet of raised floor space and required special air conditioning, humidity control, electrical control and so forth. My laptop on the other hand fits comfortably in my lap while I sit in the lazy boy rocker writing this article. Disk storage too has dramatically been reduced in size. Now I can buy a thumb drive with more storage capacity than an array of hard drives attached to that old mainframe. However, the IT audit issues remain the same, so let’s get to some of those before I bore you completely out of your skull. Some of the key control points in today’s IT environment which need to be identified and categorized are those areas which directly affect confidentiality, integrity, and availability. For example, who has access to the hardware, logical or physical? Who has access to the data and are they authorized to make changes to the data? Who’s reviewing those changes to the data to see if the change was authorized? Let me re-introduce the principle of least privilege here. A person should only have access to the data, systems, hardware, etc., that they need to be able to do their job, no more. This access should be reviewed periodically, no less than annually and by all means when a change of employment occurs. That’s confidentiality, now let’s look at integrity. How do you know when you receive an email, say an offer of employment letter with a substantial salary quoted, that the letter has integrity? That the letter wasn’t tampered with in-route to your inbox in your email. Here you are thinking, WOW, they must be really impressed if they’re going to offer me that much money, when in fact, one of your co-workers interrupted your email, made some modifications (increased the salary by adding an extra zero at the end) and then forwarded it on to you. Ensuring that the email has not been tampered with; ensuring that the calculations of your net pay are as they should be; are examples of data integrity. Availability means just that, the data and/or system is available when it is needed. As an IT auditor this means you want to look at disaster recovery plans, recovery time objectives, recovery point objectives, and so forth but we’ll get into DRP details in the seventh article. Some of the basics of computer hardware architecture include the IPO as we discussed before. The I and O are the Input/Output components and include such things as this keyboard I’m typing on, or a mouse, both of which are I only. That is they only input, whereas a touchscreen is both input and output. On the O only side you have things like printers. Disk drives are examples of both input and output devices. The P in IPO is the processing components typically referred to as a CPU or central processing unit which consists of three primary pieces, an arithmetic logic unit (ALU), a control unit, and an internal memory. Now there are a lot of other components of a computer and I’m sure you’ve heard of several, like motherboard (but you’ll never hear of a fatherboard), RAM, ROM, DRAM, SDRAM and the letters go on and on. Memory comes in all different types and sizes and what you need to know as an IT auditor is that even when powered off, some memory still contains sensitive data and needs to be protected. When we talk about hardware, several things come to mind that I as an IT auditor want to make sure of. First, is the hardware being maintained, does the vendor still support the hardware or has it reached EOL (end-of-life) and is unsupported, which can be interpreted as “If it breaks it can’t be fixed, so Mr. Client you’re out of luck because the system can’t be recovered.” Next, just like software, the hardware has something called BIOS (Basic Input Output System) which is being updated by the vendor, typically to support new functions and/or features. Your question, is, “Is the BIOS current, and is the BIOS protected?” Why do you ask if it is protected? Because if a hacker can get to the BIOS, they can alter the boot sequence, boot from a LINUX CD and copy all your sensitive information off to a gigabyte thumb drive in less than ten minutes. Reboot your machine, and you’ll have no evidence that the data has been copied, except an entry in the log that says the machine was rebooted and that might not even be there if the hacker covers their tracks. But enough about hardware, let’s look at software, programming, and processing. This too must be protected from malicious mischief. As an example let me use the following well-known example of a disgruntled application programmer. This individual, who will remain unnamed had not gotten a pay raise for the last two years, although in this economy that’s not uncommon. Since this individual was responsible for the payroll system, they added some code to the program which generated the checks to do a simple thing. Each time the net amount ended in $.13 (thirteen cents), a second check made out to this individual’s alter ego would be added to the check run, then direct deposited to a separate account at an out-of-state bank. Since this didn’t happen every payroll if was almost a year before the company discovered the error and still another year before they could identify the guilty. So as an IT auditor, where is your concern? Unauthorized software changes, lack of change management, lack of reconciliation (wait a minute that’s the financial auditors job), separation of duties (the individual had to add his own alter ego employee record to the master file and add the out-of-state bank direct deposit). So you can see some of the concerns when it comes to software, programming and processing. Distributed systems and client/server technology offer the IT auditor some distinct challenges when it comes to CIA (Confidentiality, Integrity, and Availability). Take for example a point-of-sale system in a retail store; and let’s suppose that the POS system allows for data entry even when connectivity to the host server at home office is interrupted. How do you as an IT auditor ensure confidentiality of the data (customer paid with a credit card) when the data is transmitted once the home office system comes back online? How do you ensure integrity of the data being transmitted and last but not least what do you need to check to make sure the local store system is available if the home office system goes down? These are just a few of the considerations you as an IT auditor will need to be familiar with in a distributed environment and in a client/server architecture. Just as an example of how easy it is to social engineer a distributed system, consider this example. In the shoe department of a retailer, the store clerk is signed on to the cash register; the customer asks the clerk to get a specific size and style from the back room and states they are in a hurry and flashes a wad of cash, stating “There’s an extra $20 if you can hurry.” The clerk literally runs to the back room, but forgot to sign off. When they come back, not only is the customer gone, so is the cash from the cash drawer. The IT audit concern? The obvious one here is security awareness training. You’ll hear a lot about man-in-the-middle (MITM) attacks as they relate to network connectivity and it represents a real security issue. But that’s just one aspect of network connectivity. Another better even more common basic security issue is remote access. With the price of gasoline approaching $4.50/gallon a lot of employee are putting pressure on their bosses to let them work from home, to access the system remotely, and to let them take their company laptop home with them so they can work more efficiently. OK, so put on your IT auditor hat and let’s look at some issues:
Was remote access approved? Is remote access via an encrypted communication link? Is the laptop protected (key lock, hard disk encryption)? Is there a screen saver and is it password protected? Is two-factor authentication required to access the network? Is network access restricted from known locations? If modems are used is call-back employed?
When we talk about IT system maintenance, patch management, and security, we speak of change management and configuration control. Are the systems being maintained and are patches being applied (after they have been tested of course) in a timely manner? What is the security that surrounds system maintenance? Can anyone, for example, update the anti-virus definition file? Who checks to see if this is done, assuming that the end-user is the one responsible for updating the .dat file? And the most basic and fundamental question of all, “Do all and I repeat ALL changes go through change management?” Remember, your IT technology audit strategy is to look at what the company says they are going to do; then perform an audit to see if they are in fact doing what they said they were going to do; including asking the company or auditee to prove that they did the action and then to report any discrepancies to management. However, you should also keep in mind that it might be in the company’s best interest if you include in your report if something is not being done and it could potentially affect the confidentiality, integrity, and availability of the company’s systems and data. Just because a company says, we’re not going to review login attempts because it’s a waste of time, doesn’t mean you shouldn’t point out the risk of not doing this activity. After all, isn’t that what IT auditing is all about – making management aware of the risks they are taking by doing or not doing a particular action? Until next time, happy reading. Kenneth P.S. You can find other articles related it IT Auditing and Controls here.