Information Technology Auditing
Question 1
Final Audit Report
My final audit report would be written to cover the critical Information Technology aspects of Westchester Hospital. The report will give a succinct insight into the hospital's IT infrastructure by identifying and categorizing the machines that have root accounts, along with the specific administrative privileges that are shared among several system administrators. The report would further include a comprehensive analysis of the general operations of Westchester Hospital's IT system, identifying the security concerns of those systems and the best measures to ensure that privileges shared across different system administrators do not compromise the integrity of the hospital's data and information.
The regulatory requirements that would be violated include:
Secure functional requirements
This is an IT requirement concerned with the security-related elements integrated into the various functional requirements. This level of security should be ascertained at all levels of system functionality, so that those machines in Westchester Hospital which share the administrative privileges of root accounts among several system administrators uphold strong security measures and can be accessed only through specific logins. Moreover, this requirement stipulates clearly what should not happen.
Functional Security Requirements
These IT standards entail the security services to be achieved by the hospital's information technology system under inspection; for instance, authorization, server clustering, backup, and authentication. Functional security requirements can be derived from best policies, practices, and regulations.
Solution to reduce risk
The possible solution to reduce risk within the IT operations of Westchester Hospital would be a review of the hospital's IT security policies. Reviewing the hospital's IT security policies will ensure that users and accounts with privileged access, for instance application administrators, domain administrators, and DBAs, are addressed (Hall, 2010). The system should ensure that the policies exist and that they state clearly how access is requested, approved and justified. Additionally, the system must ensure that there is regular review. The policies must be reflected in audit reporting that describes how privileged passwords are handled: when the passwords are updated, any case of update failure, and the particular individuals who performed tasks under the shared account.
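As an added illustration of the review described above (not part of the original report), the script below reads constructed auth-log style lines, ties root-level actions to the named administrator who escalated via sudo or su, flags direct root logins that cannot be attributed to any individual, records who changed the shared root password, and lists hosts whose root password is older than a policy limit. The log format, host names, user names, dates and the 90-day limit are all assumptions made for this example.

```python
# Added example for the shared-root-account review; log lines, hosts, users,
# dates and the 90-day rotation limit are constructed assumptions, not data
# from Westchester Hospital.
import re
from datetime import date

# Constructed syslog-like sample lines (sudo, su, and direct root ssh logins).
SAMPLE_LOG = """\
Mar 03 08:12:01 ward-db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Mar 03 08:40:22 ward-db01 su: (to root) bob on pts/1
Mar 03 09:05:10 lab-app02 sshd[2211]: Accepted password for root from 10.0.5.17 port 51022 ssh2
Mar 03 09:30:45 lab-app02 sudo: carol : TTY=pts/2 ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/passwd root
Mar 04 07:55:00 ward-db01 sshd[3102]: Accepted publickey for root from 10.0.9.3 port 40011 ssh2
"""

# Constructed rotation records: when each host's shared root password was last changed.
SAMPLE_LAST_ROTATED = {"ward-db01": date(2023, 11, 1), "lab-app02": date(2024, 2, 20)}
AUDIT_DATE = date(2024, 3, 4)

SUDO_RE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sudo: (?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.+)$")
SU_RE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) su: \(to root\) (?P<user>\S+) on")
ROOT_LOGIN_RE = re.compile(r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: Accepted \S+ for root from (?P<src>\S+)")

def review_root_activity(log_text):
    """Return (attributed, unattributed): per-host lists of (admin, action) performed
    as root, and direct root logins (host, source IP) tied to no individual identity."""
    attributed = {}
    unattributed = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            attributed.setdefault(m["host"], []).append((m["user"], m["cmd"].strip()))
            continue
        m = SU_RE.match(line)
        if m:
            attributed.setdefault(m["host"], []).append((m["user"], "su to root"))
            continue
        m = ROOT_LOGIN_RE.match(line)
        if m:  # nobody can be held accountable for a shared-root login
            unattributed.append((m["host"], m["src"]))
    return attributed, unattributed

def root_password_changes(attributed):
    """(host, admin) pairs where an identified admin changed the shared root password."""
    return [(h, u) for h, acts in attributed.items() for u, c in acts if c.endswith("passwd root")]

def stale_root_passwords(last_rotated, today, max_age_days=90):
    """Hosts whose shared root password is older than the assumed policy limit."""
    return sorted(h for h, d in last_rotated.items() if (today - d).days > max_age_days)
```

Each unattributed entry is a finding for the report, since a direct root login leaves no individual to answer for the actions that follow it.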
Steps to manage the risk of security breach
Step 1
Containment and recovery
Managing the risk of a security breach requires not just an initial response to investigate and contain the situation but also a recovery plan which includes, where necessary, damage limitation. This stage of IT security risk management requires input from specialists throughout the business and, in some cases, keeping in contact with external stakeholders and suppliers (Hunton, Bryant & Bagranoff, 2013).
Step 2
Assessment of the risks
This stage assesses the risks related to the security breach. Most important is the manner in which the assessment of potential adverse consequences for different individuals is undertaken: how substantial or serious the risks are and the impact they are likely to have if they materialize.
Step 3
Notification of breach
Making sure that information about a security breach is communicated is a critical element of the system's IT breach management strategy. Notifying people of the security breach should be done with a clear purpose, enabling affected individuals to take appropriate steps to protect themselves, or enabling the appropriate regulatory agencies to provide advice, execute their functions, and deal with complaints.
Step 4
Evaluation and response
The effectiveness of the response taken to mitigate the breach is an extremely important aspect of managing the breach (Hall, 2010). When a breach happens, continuing with business as normal is not recommended; a proper evaluation of the policies, a review of the system's operations, and updating of the policies to improve the process of managing any form of security breach are highly significant in this regard.
Question 2
In order to ensure that I do not fail the upcoming audit, I would prepare adequately by making sure that I am up to date with the vital information on upholding the continuous integrity of the system. This should encompass assessing the security of critical system files, upholding high standards for application configuration files, and ensuring close monitoring of application logs (Hunton, Bryant & Bagranoff, 2013). Collecting such relevant information about the infrastructure of ACME Inc. will equip me with adequate information on the integrity aspects of the corporation's system and enable me to deliver what the auditing exercise requires.
Steps to minimize risk of audit failures
The steps that I would follow to ensure that I minimize the risk of audit failures include:
Reduce the number of troublemakers and high-risk clients. Serving clients that are risky and thus require constant hand-holding, that prove uncooperative, or that argue over fees limits the success of the audit process.
Make sure that I am personally in charge of accounts and engage the members and leaders of the organization so that they know what they are doing and do it properly, in order to avoid any form of audit failure.
Tailor the engagement practice aids to meet the client's needs (Hunton, Bryant & Bagranoff, 2013). There is a need to uphold high professional judgment in reviews and audits.
Carefully manage cookie-cutter approaches to audits. Applying standard approaches to engagements without careful consideration of the facts and circumstances raises the possibility of fraud or errors going undetected.
Ensure that engagement leaders do not delegate any of their quality control duties. Even when staff personnel are highly experienced and qualified, engagement leaders must remain directly responsible for managing planning, performance and completion.
PCI Regulatory Requirements
The PCI regulatory requirements which Mary needs to cover include:
Installation and maintenance of a firewall configuration to protect cardholder data. For Mary to maintain the infrastructure of ACME Inc. well, it is critical that she ensures that the data of credit cardholders across the various countries is kept with integrity.
Avoid use of vendor-supplied defaults for system passwords and any other security parameters. Mary should ensure that the management of ACME Inc.'s infrastructure does not at any point rely on security defaults supplied by a vendor. This would keep the system secure from access by unauthorized parties.
Question 3
I would contact the vendor of the NIST SCAP (Security Content Automation Protocol) to ascertain the critical aspects and vulnerabilities of the VU#718152 alert.
Steps to reduce the CAAS Inc. security alert risk
Ascertain that the security alert comes from authorized access points. The alert will then inform the relevant authorities to take appropriate measures.
Segment the alerts to prioritize the most appropriate actions. The system should be designed so that alerts are segmented and easily reviewed, facilitating the process of creating security (Hunton, Bryant & Bagranoff, 2013).
Prioritize the help given by investigators in order to focus on the most critical alerts. The more investigators review the alerts, the more the security of the system is enhanced.
Manage the security alerts effectively in order to protect the privacy of the corporation's data, its reputation, and its compliance standards.
System’s weaknesses
The kinds of weaknesses that Steve should sort out in order to be successful in the upcoming audits include:
Software vulnerabilities – the NIST SCAP (Security Content Automation Protocol) that Steve uses for managing and monitoring the security risk aspects of the corporation's IT system exhibits high levels of software vulnerabilities.
Security configuration aspects – the SCAP system exhibits numerous concerns regarding security configuration.
Steps that Steve should take to ensure he passes the upcoming Audit
Step 1: Create end-user security awareness.
Step 2: Formulate and implement an encryption policy.
Step 3: Deploy an intrusion detection and prevention framework.
Step 4: Apply content filtering so that access to websites is checked against security standards.
Step 5: Undertake regular vulnerability assessments.
Step 6: Formulate a framework to carry out comprehensive patch management.
Step 7: Ensure effective system monitoring.
Step 8: Create a backup system that ensures data is recovered after any data breach of the system.
Multiple Questions
Question 1
Answer: d.
When the recent history of Mike's login account activity was reviewed in the audit log, it became necessary to undertake an audit to ascertain the login details and any possible alterations of such particulars.
Question 2
Answer: d.
The process of auditing is a highly involved task, and thus it requires one to be observant of the system's control standards. Likewise, using generalized audit software, control flowcharting, and internal control questionnaires are effective ways of undertaking an auditing process.
Question 3
Answer: c.
Addressing methods that could be used to prevent a similar misuse may not be considered important in a legal undertaking as per the case in hand. Any explanation of how to prevent such an occurrence again may remain an auditing inquiry for Acme Inc. per se.
Question 4
Answer: a.
The auditor should inspect the policy manual that establishes the control activity in order to ascertain that access authorization is within the security concerns and parameters.
Question 5
Answer: d.
Make sure that the number of duties assigned to the different teams is the same in order to gauge the effectiveness of the various teams and the competency levels of the team members.
References
Bierstaker, J. L., Burnaby, P., & Thibodeau, J. (2011). The impact of information technology on the audit process: an assessment of the state of the art and implications for the future. Managerial Auditing Journal, 16(3), 159-164.
Hall, J. (2010). Information technology auditing. Cengage Learning.
Hunton, J. E., Bryant, S., & Bagranoff, N. (2013). Core concepts of information technology auditing.