Audit of IT infrastructure
Hardware, Network and Telecommunications Devices
What is IT Audit?
• Examination of the controls within an Information Technology (IT) infrastructure.
• Process of collecting and evaluating evidence of an organization's IT infrastructure.
• Understanding and evaluating each control.
• Assessing compliance.
• Substantiating the risk of controls not being met.
Why IT Audit?
• Ensuring servers are properly configured for both efficiency and security.
• Looking for hardware-specific productivity drains.
• Obtaining an asset listing of all hardware.
• Looking for causes of frequent problems.
• Ensuring backup systems are adequate, monitored and tested regularly.
• Determining risks to information assets.
• Assessing controls in order to reduce or mitigate these risks.
Objectives of IT Audit
• Continuity (consistent reliability and availability of the system: back-up and ability to recover)
• Management and Maintenance (additions, change procedures, upgrades, and documentation)
• Security (appropriate physical and logical access to network devices and hosts)
Perspectives of IS Audit
ISACA - CobiT
• Generally applicable and accepted international standard for good practices for IT controls
• Based on ISACA's existing Control Objectives
• Three specific audiences: management, users, and auditors
• Provides detailed Audit Guidelines for auditors to follow in performing information systems audits
• The Audit Guidelines provide a complementary tool to enable the easy application of the Framework and Control Objectives within audit activities
• Objectives of auditing:
1. Provide management with reasonable assurance that control objectives are being met
2. Where there are significant control weaknesses, substantiate the resulting risks
3. Advise management on corrective actions needed
ISO/IEC 27001:2005
• International Organisation for Standardization (ISO) and International Electrotechnical Commission (IEC)
• Provides a model for establishing, implementing, operating, monitoring, reviewing and improving an Information Security Management System (ISMS)
• PDCA model
– Plan: establish the ISMS
– Do: implement and operate the ISMS
– Check: monitor and review the ISMS
– Act: maintain and improve the ISMS
• Control objectives
– Control: the policies, procedures, practices and organisational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected
– Control objective: a statement of the desired result or purpose to be achieved by implementing control practices in a particular IT activity
ISO/IEC 27001:2005
A.5 Security policy
A.5.1 Information security policy
Objective: To provide management direction and support for information security in accordance with business requirements and relevant laws and regulations.
A.5.1.1 Information security policy document
Control: An information security policy document has been approved by management, and published and communicated to all employees and relevant external parties. The latest version of this document is available for all employees on the ABC Company's internal network.
A.5.1.2 Review of the information security policy
Control: The information security policy is being reviewed at planned intervals or if significant changes occur to ensure its continuing suitability, adequacy, and effectiveness.
A.7 Asset management
A.7.1 Responsibility for assets
Objective: To achieve and maintain appropriate protection of organizational assets.
A.7.1.1 Inventory of assets
Control: All assets are clearly identified and an inventory of all important assets is drawn up and maintained. The classification of assets is as per the guidelines laid out in the Procedure on Risk Assessment. Rules of classification take asset value and importance into account. A list of assets including the owner and relevant details is kept with the respective functional departments. Additional asset details are maintained by the Admin Department for the purposes of audit and keeping track of assets.
A.7.1.2 Ownership of assets
Control: All information and assets associated with information processing facilities are 'owned' by a designated part of the organization.
A.7.1.3 Acceptable use of assets
Control: Rules for the acceptable use of information and assets associated with information processing facilities are identified, documented, and implemented.
Information Systems Hardware Infrastructure
Auditing Hardware
• Hardware asset listing (for your accounting/budgeting and equipment lifecycle planning).
• Analysis of environmental conditions for equipment, including heat and power protection.
• Network design analysis and network diagram (improves support response times with your IT provider).
• Report on appropriateness of hardware in all PC-based equipment (and how that impacts performance).
• Report on server hardware appropriateness, performance, and levels of redundancy (and any associated risks).
• Analysis of server configuration (and any areas not done properly, and if/why they are important).
• Security analysis on multiple levels.
• Backup systems: hardware, software, data sets, disaster readiness and risks.
ISO/IEC 27001:2005
A.9.2.3 Cabling security
Control: Power and telecommunications cabling carrying data or supporting information services are protected from interception or damage.
A.9.2.4 Equipment maintenance
Control: Equipment is correctly maintained to ensure its continued availability and integrity.
A.10.6 Network security management
Objective: To ensure the protection of information in networks and the protection of the supporting infrastructure.
A.10.6.1 Network controls
Control: Networks are adequately managed and controlled, in order to be protected from threats, and to maintain security for the systems and applications using the network, including information in transit.
A.10.6.2 Security of network services
Control: Security features, service levels, and management requirements of all network services are identified and included in any network services agreement, whether these services are provided in-house or outsourced.
A.11.4 Network access control
Objective: To prevent unauthorized access to networked services.
A.11.4.1 Policy on use of network services
Control: Users shall only be provided with access to the services that they have been specifically authorized to use.
A.11.4.2 User authentication for external connections
Control: Appropriate authentication methods shall be used to control access by remote users.
A.11.4.3 Equipment identification in the network
Control: Automatic equipment identification is considered as a means to authenticate connections from specific locations and equipment.
A.11.4.4 Remote diagnostic and configuration port protection
Control: Physical and logical access to diagnostic and configuration ports shall be controlled.
A.11.4.5 Segregation in networks
Control: Groups of information services, users, and information systems are segregated on networks.
A.11.4.6 Network connection control
Control: For shared networks, especially those extending across the organization's boundaries, the capability of users to connect to the network shall be restricted, in line with the access control policy and requirements of the business applications.
A.11.4.7 Network routing control
Control: Routing controls are implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications.
Information Systems Network & Telecommunication Infrastructure
Auditing Networks: Network Vulnerabilities & Controls
• Review network policies and procedures
• Review network diagrams (layer 1 & 2), design, and walk-through, the list of network equipment and the IP address list
• Verify diagrams with ping and traceroute
• Review utilization, trouble reports & helpdesk procedures
• Probe systems (Netscan tools and port scanners)
• Interview network vendors, users, and network technicians
• Review software settings on network equipment
• Inspect computer room and network locations
• Evaluate back-up and operational procedures
• Identify the paths and equipment used to navigate the network
• Identify TCP/IP infrastructure areas of concern
• Break the network into manageable pieces
• Every network is different; the components and risks must be fully understood
• Identify risks and prioritize them
• Dedicate more upfront planning
• Relax! It's not that bad!
Routers
• Inappropriate addresses or dangerous protocols accessing hosts/servers
• Inappropriate addresses conducting router maintenance
• Unauthenticated or trusted services used for maintenance
• Damaged router/network device configuration
• Failed upgrades or changes
• Not capturing network events
• Default passwords and clear-text passwords transmitted over the network
• No console password
Firewalls
• Network Address Translation (NAT)
• Intrusion Detection Systems (IDS)
• Virtual Private Networks (VPN)
• Demilitarised Zone (DMZ)
• Proxy server
• Obtain the firewall security policy
• Identify the services
• Identify the logging procedure
• Identify the configuration management process
• Review:
– Authentication controls
– DMZ
– Procedure for device administration
– Procedure to review the logs
– Risk management procedure
– Physical access control to the firewall
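As an added example of the rule review step (not code from the original slides), the following Python check compares a constructed, ordered firewall ruleset with an assumed approved-service list taken from the firewall security policy. It flags any/any/any allows, services into a zone that the policy does not approve, rules that do not log (so the log review procedure never sees their traffic), and rules shadowed by an earlier rule so that they are never matched. The rule format, zone names and services are assumptions.

```python
# Constructed firewall policy and ruleset (not from the slides, not a real site).
# Inbound services approved per destination zone, as the firewall security policy states them.
APPROVED_SERVICES = {"dmz-web": {"tcp/80", "tcp/443"}, "dmz-mail": {"tcp/25"}}

# Ordered ruleset; first match wins, as on most firewalls.
RULES = [
    {"id": 10, "src": "any", "dst": "dmz-web", "svc": "tcp/443", "action": "allow", "log": True},
    {"id": 20, "src": "any", "dst": "dmz-web", "svc": "tcp/22", "action": "allow", "log": False},
    {"id": 30, "src": "any", "dst": "any", "svc": "any", "action": "allow", "log": False},
    {"id": 40, "src": "any", "dst": "any", "svc": "any", "action": "deny", "log": True},
]
FIELDS = ("src", "dst", "svc")

def covers(earlier, later):
    """True if every packet that matches 'later' is already matched by 'earlier'."""
    return all(earlier[f] == "any" or earlier[f] == later[f] for f in FIELDS)

def review_ruleset(rules, approved):
    """Return (rule id, finding) pairs for the review points on the Firewall slides."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] == "allow" and all(r[f] == "any" for f in FIELDS):
            findings.append((r["id"], "any/any/any allow: the firewall policy is bypassed"))
        if r["action"] == "allow" and r["dst"] in approved and r["svc"] not in approved[r["dst"]]:
            findings.append((r["id"], f"{r['svc']} to {r['dst']} is not an approved service"))
        if not r["log"]:
            findings.append((r["id"], "rule does not log: its traffic never reaches the log review"))
        # A rule fully covered by an earlier rule is never matched, so it gives false assurance.
        shadow = next((p["id"] for p in rules[:i] if covers(p, r)), None)
        if shadow is not None:
            findings.append((r["id"], f"never matched: rule {shadow} already covers all its traffic"))
    return findings

if __name__ == "__main__":
    for rule_id, text in review_ruleset(RULES, APPROVED_SERVICES):
        print(f"rule {rule_id}: {text}")
```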
Telecommunication Audit
• Assessment of an organization's telecommunication environment.
• Telecom audit defines the act of conducting a review, examination and reconciliation of
– Telecom
– Wireless
– Network customer service records
– Invoicing
– Contract agreements
in order to ensure the accuracy of budgetary forecasting.
• Communications equipment such as PBXs, voice mail systems, IVRs, telephone lines and leased lines are assessed to determine whether they meet current business requirements and whether alternative solutions should be considered.