Muema Lombe explores the area of IT audit and the questions that should be asked in an incident response scenario.
The problem: your organization has suffered intellectual property theft, data theft, or inappropriate web surfing and/or email use. These problems pose potential risks including economic espionage, unauthorized access, unauthorized use and possibly civil liabilities, among others. IT audit procedures can help build an understanding of both the computing environment and its corresponding controls, which in turn supports a forensics investigation. What follows are six IT audit areas of inquiry.
1. IT Standards, Policies and Procedures – In the event of inappropriate activity by employees, one area to audit is IT standards, policies and procedures, with a specific focus on the acceptable use (end user) policy. Questions to address in the review include:
- Is an acceptable use policy in place?
- Is it formally documented?
- Has the policy been formally communicated to all employees?
- Are employees required to formally sign an acknowledgement of receipt and review of said policy?
- Does the policy explicitly denote what behavior is acceptable and unacceptable?
- Does the policy address the various methods of computing use, e.g. email, web surfing, social media use, etc.?
2. User Access Monitoring – The IT auditor should also gain an understanding of how user access is monitored. Consider the following:
- Is access by both traditional users and privileged users subject to monitoring?
- At what layer is access monitored (e.g. database, application, network layers)?
- What type of activity is monitored (e.g. direct data access, etc.)?
- Does monitoring include a review of unsuccessful login attempts?
- Does monitoring include a review of unusual access attempts (e.g. weekends, off-hours, etc.)?
- Are inactive accounts disabled?
3. Web Access Monitoring –
- Is web surfing activity tracked by computer? By user?
- Is web access filtered (blocked) by keyword and/or URL?
4. Password Controls –
- Are passwords required for system access?
- Is a password policy in place and enforced?
- Are passwords required to be complex?
- Are passwords periodically changed?
5. Backup Procedures –
- Are backups being performed?
- What is being backed up? Application? Database? Configuration settings?
- Has a restore been performed to ensure backups operate as intended?
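The third question, whether a restore has actually been exercised, is the one most often answered only on paper. The following Python script is an added example and is not part of the original article: it builds a small constructed source tree (standing in for application files, a database dump and configuration settings), archives it with the standard-library tarfile module, restores it into a scratch directory and compares per-file SHA-256 digests of source and restore. A second run models a backup job that silently omits the configuration directory, which is exactly the kind of gap the "What is being backed up?" question is meant to surface.

```python
"""Restore-verification check for the Backup Procedures area of inquiry.

Added example, not from the original article.  All file names and contents
below are constructed sample data.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample tree: application code, a database dump and configuration.
SAMPLE_FILES = {
    "app/server.py": b"print('hello')\n",
    "db/dump.sql": b"CREATE TABLE t (id INT);\nINSERT INTO t VALUES (1);\n",
    "config/settings.ini": b"[main]\ndebug = false\n",
}


def write_sample_tree(root: Path) -> None:
    """Materialise SAMPLE_FILES under root."""
    for rel, data in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def sha256_tree(root: Path) -> dict:
    """Map each relative file path under root to its SHA-256 hex digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def create_backup(source: Path, archive: Path, exclude_dirs=()) -> None:
    """Write a gzip tar of source.

    exclude_dirs models a backup job whose scope forgets part of the estate
    (for instance the configuration directory).
    """
    def keep(info: tarfile.TarInfo):
        # Entry names look like "./app/server.py"; the top-level directory is
        # the second path component.
        top = info.name.split("/")[1] if "/" in info.name else ""
        return None if top in exclude_dirs else info

    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".", filter=keep)


def restore_backup(archive: Path, target: Path) -> None:
    """Extract the archive into target, using the safe 'data' filter when the
    running Python provides it (3.12+, backported to maintenance releases)."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def verify_restore(source: Path, restored: Path) -> list:
    """Return relative paths that are missing, extra or altered after restore."""
    src, dst = sha256_tree(source), sha256_tree(restored)
    return sorted(p for p in set(src) | set(dst) if src.get(p) != dst.get(p))


def run_restore_test(exclude_dirs=()) -> list:
    """Back up a constructed tree, restore it elsewhere and return the
    differing paths; an empty list means the backup restores faithfully."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        source, archive, restored = base / "source", base / "backup.tar.gz", base / "restored"
        write_sample_tree(source)
        create_backup(source, archive, exclude_dirs)
        restore_backup(archive, restored)
        return verify_restore(source, restored)


if __name__ == "__main__":
    print("full backup, differences after restore:", run_restore_test())
    print("backup omitting config/, differences after restore:",
          run_restore_test(exclude_dirs=("config",)))
```

The comparison is deliberately file-by-file rather than a single archive checksum: an archive that is internally consistent can still be incomplete, and the auditor's question is whether what comes back matches what the business relies on.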
6. Audit Trails –
- Determine if automatic logging of activity takes place.
- Gain an understanding of what activity is logged.
- Determine if audit trails are in place at the OS, application or database layer.
- Determine if audit trails are periodically reviewed.
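Several of the questions in areas 2 and 6 (unsuccessful login attempts, access at unusual times, inactive accounts, and which layers actually produce an audit trail) can be answered by reviewing the audit trail itself. The Python below is an added example, not from the article: it parses a constructed, simplified login log (the key=value format, user names, addresses and timestamps are all invented for illustration) and implements each review question as a function an auditor or forensics team could run over exported log data.

```python
"""Audit-trail review for the User Access Monitoring and Audit Trails areas.

Added example, not from the original article.  The log format and every
record in SAMPLE_LOG are constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# Constructed log: one login event per line, oldest first.
SAMPLE_LOG = """\
2023-10-02 11:00:00 layer=app user=erin result=OK src=10.0.0.20
2024-03-04 09:02:11 layer=app user=alice result=OK src=10.0.0.5
2024-03-04 09:05:40 layer=os user=root result=OK src=10.0.0.9
2024-03-06 14:22:03 layer=db user=bob result=OK src=10.0.0.7
2024-03-07 23:41:18 layer=app user=bob result=OK src=10.0.0.7
2024-03-09 02:14:05 layer=db user=carol result=FAIL src=10.0.0.12
2024-03-09 02:14:09 layer=db user=carol result=FAIL src=10.0.0.12
2024-03-09 02:14:13 layer=db user=carol result=FAIL src=10.0.0.12
2024-03-09 02:14:18 layer=db user=carol result=FAIL src=10.0.0.12
2024-03-09 02:14:22 layer=db user=carol result=FAIL src=10.0.0.12
2024-03-09 02:15:01 layer=db user=carol result=OK src=10.0.0.12
2024-03-11 10:00:00 layer=app user=alice result=FAIL src=10.0.0.5
"""

# Constructed account inventory (e.g. from the directory) and review date.
KNOWN_ACCOUNTS = ("alice", "bob", "carol", "dave", "erin", "root")
AS_OF = datetime(2024, 3, 12)

LINE_RE = re.compile(r"^(\S+ \S+) (.*)$")


def parse_events(text: str) -> list:
    """Turn log lines into dicts with a parsed 'time' plus the key=value fields.
    Malformed lines are skipped so one bad record does not abort the review."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split())
        fields["time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(fields)
    return events


def layers_observed(events: list) -> list:
    """Which layers (OS, application, database) actually emit an audit trail."""
    return sorted({e["layer"] for e in events})


def repeated_failures(events: list, threshold=5, window=timedelta(minutes=10)) -> dict:
    """Users with at least `threshold` failed logins inside any `window`.
    Uses a sliding window over each user's failure times; returns the peak count."""
    by_user = {}
    for e in events:
        if e["result"] == "FAIL":
            by_user.setdefault(e["user"], []).append(e["time"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def off_hours_access(events: list, start_hour=8, end_hour=18) -> list:
    """Successful logins on weekends or outside business hours."""
    return [
        e for e in events
        if e["result"] == "OK"
        and (e["time"].weekday() >= 5 or not start_hour <= e["time"].hour < end_hour)
    ]


def inactive_accounts(events: list, known_accounts, as_of: datetime, max_idle_days=90) -> list:
    """Accounts with no successful login within max_idle_days, or never."""
    last_ok = {}
    for e in events:
        if e["result"] == "OK":
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["time"]), e["time"])
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u in known_accounts if last_ok.get(u, datetime.min) < cutoff)


def review(text: str, known_accounts, as_of: datetime) -> dict:
    """Run every check and return one summary for the working papers."""
    events = parse_events(text)
    return {
        "layers_with_audit_trail": layers_observed(events),
        "repeated_failures": repeated_failures(events),
        "off_hours_logins": [(e["time"].isoformat(" "), e["user"]) for e in off_hours_access(events)],
        "inactive_accounts": inactive_accounts(events, known_accounts, as_of),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, KNOWN_ACCOUNTS, AS_OF).items():
        print(f"{key}: {value}")
```

On the sample data the review flags carol's burst of five failed database logins followed by a success in the early hours of a Saturday, bob's late-night application login, and two accounts (dave, erin) with no recent successful login that should already have been disabled. The same functions run unchanged over a real export once the parser is adapted to the product's log format.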
These six areas of inquiry are meant to begin a conversation and provide a framework of understanding to a computer forensics team conducting an investigation.
By Muema Lombe, CRISC, CSSLP, CGEIT, CISA