Developing Your Audit Program

Developing proprietary audit programs is one of the challenges facing audit managers. Several sources should influence the program that the audit manager and her team design. Logically, the first place to begin is with the organization's risk management program, paying attention to the structure and details of that document. Audit managers crafting their audit plan should check whether the organization's critical assets have been identified, prioritized, and classified by sensitivity and criticality. They should also check whether the organization has documented the relevant threats, their likelihood of occurrence, and system vulnerabilities with their accompanying safeguards.

It is very likely that pursuant to the risk management program, critical assets were divided into relevant pillars such as human resources, data, and physical facilities. The structure of the risk program may easily serve as one of the supporting documents of the audit program.

Audit managers and their teams thoroughly review the organization's policies, procedures, and standards to ascertain whether they address the potential risks facing the business. From that review, the audit team designs its audit program. The program will divide the organization's policies, procedures, and standards according to their relevance to the audit. It will also determine which laws and regulations apply and include tests to ascertain whether the organization is observing them.

The organization's policies and procedures should be broken into their basic elements, and from there the audit program is drafted. For example, suppose the organization has a policy governing how packet-screening firewalls are to be deployed on the network's perimeter, and this policy states that an access control list defines permissible traffic. The auditors should review this policy to determine the specific elements of permissible traffic. They should query the systems administrators to determine the appropriate protocols, e.g., FTP, POP3, and DNS. Audit managers will design their audit program to include sampling and testing of those policies and the relevant documentation. The audit program will cover all facets of firewall operation, development under the SDLC, and effectiveness. Connected to the firewall audit is a review of all aspects of the management, selection, training, and deployment of firewall administrators.
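To make the mapping from policy element to audit test concrete, here is an added example (not from the text or any firewall product) that checks a perimeter ruleset against the permissible-traffic list the auditors derived from the policy and their administrator interviews; the ACL syntax, the policy table and the sample ruleset are all constructed assumptions.

```python
import re
# Constructed, vendor-neutral ACL syntax (assumed): permit|deny <proto> <src> <dst> [eq <port>] ! comment
RULE_RE = re.compile(r"^(permit|deny)\s+(\w+)\s+(\S+)\s+(\S+)(?:\s+eq\s+(\d+))?$")
# Permissible traffic per the policy, confirmed with the administrators (constructed values).
POLICY_PERMITTED = {
    "FTP": {("tcp", 21)},
    "POP3": {("tcp", 110)},
    "DNS": {("udp", 53), ("tcp", 53)},
}
# Constructed sample of the deployed ruleset pulled for sampling and testing.
SAMPLE_ACL = """\
permit tcp any 203.0.113.10 eq 21    ! FTP server
permit tcp any 203.0.113.20 eq 110   ! POP3 server
permit udp any 203.0.113.30 eq 53    ! DNS, UDP only
permit tcp any 203.0.113.40 eq 23    ! telnet: not in the policy
permit tcp any any eq 3389           ! remote desktop to any host
deny ip any any
"""

def parse_acl(text):
    # Parse rules into dicts; fail loudly on any line the auditor cannot classify.
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        stmt = raw.split("!", 1)[0].strip()  # drop the trailing comment
        if not stmt:
            continue
        m = RULE_RE.match(stmt)
        if not m:
            raise ValueError(f"line {n}: unparseable rule {raw!r}")
        action, proto, src, dst, port = m.groups()
        rules.append({"line": n, "action": action, "proto": proto, "src": src,
                      "dst": dst, "port": int(port) if port else None})
    return rules

def audit_acl(rules, permitted=POLICY_PERMITTED):
    # Compare permit rules with the policy; return findings for the audit report.
    allowed = {svc for pairs in permitted.values() for svc in pairs}
    covered, findings = set(), []
    for r in (x for x in rules if x["action"] == "permit"):
        key = (r["proto"], r["port"])
        if key in allowed:
            covered.add(key)
        else:  # open on the firewall but undocumented in the policy
            findings.append(f"line {r['line']}: permits {key[0]}/{key[1]} not in policy")
    for name, pairs in permitted.items():
        if pairs - covered:  # policy allows it, yet no rule implements it
            findings.append(f"{name}: no rule for {sorted(pairs - covered)}")
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == last["dst"] == "any"):
        findings.append("ruleset lacks a final explicit deny-any")
    return findings
```

Each finding is a candidate line item for the report: traffic open without policy backing, a policy-permitted service that no rule implements, or a missing default deny.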

Designing the audit program from the organization's operations, policies, procedures, and standards is the most effective means of completing a meaningful audit; however, it is probably the most time-consuming. This way of crafting an audit program can be tedious and challenging, but the resulting program, if skillfully done, will likely produce an on-target and highly effective audit report.

It is prudent for auditors to review and know the target's business operations, hardware, operating systems, and applications so they can determine whether updating and change management controls have been implemented in a timely and correct fashion.

Gaps, meaning areas of risk not addressed by existing policies and procedures, or policies and procedures that employees ignore, must be reported as findings in the audit report. For this reason it is imperative that the audit team be composed of broadly experienced individuals who will recognize and credibly articulate their findings.

Useful Internet Web Sites
Fruitful areas for drafting audit programs may be found at these Web sites:

www.cert.org

www.sans.org

www.cve.mitre.org

http://icat.nist.gov

http://www.securityfocus.com

These sites present the most common system vulnerabilities and the exploits that target them; the vulnerabilities are catalogued as CVEs. Their purpose is to orient system managers and auditors in determining whether their systems contain common security flaws and to provide means of addressing them. The above institutions publish comprehensive lists detailing commonly occurring system vulnerabilities. Some are named the "Ten Most Critical Vulnerabilities" or the "Twenty Most Critical Vulnerabilities." Regardless of the name, they list the most commonly found vulnerabilities, based primarily on surveys of systems administrators, security officers, or auditors. Many businesses use these lists to prioritize their efforts so the most commonly occurring risks are addressed first. The lists provide a basis of commonly exploitable system flaws, allowing auditors to direct their efforts to these areas first, the prevailing logic being that these vulnerabilities account for the majority of successful system attacks.

Common Attacks
Most attackers are opportunists who take advantage of the easiest and most convenient attack route. Commonly, attackers attempt to gain access through the best-known system flaws with readily available tools from the Internet. Because they count on organizations failing to address their system risks, attackers identify flawed systems and attack them using commonly known exploits. It is for these reasons that auditors may wish to pay particular attention to these vulnerability lists as the first place to concentrate their efforts.

Flawed Systems
There are many reasons for flawed systems. Auditors should be aware that some operating systems and applications were not initially designed as production software. Such was the case with UNIX. Over the past twenty years, it has been pinched, tweaked, and patched until we have the platform we have today. After all this development, you would naturally think UNIX and its accompanying applications are perfect. No, they're not.

Other programs are rushed to market with such speed that there is insufficient time to look for software vulnerabilities, and programmers are unable to address them. Another important fact is that approximately two million hosts are added to the Internet each month. Many of them lack the system administrators, auditors, and other support staff who would ensure system security. For the most part, many administrators have become victims of the directive "keep the system up, regardless of what it takes."

Because many businesses are understaffed, they get around to crafting and enforcing policies, risk management, and audits only when they have the time. The responsible persons were too busy doing other things to pay attention to default configuration vulnerabilities.
