...United States Government Accountability Office (GAO), February 2009, GAO-09-232G: FEDERAL INFORMATION SYSTEM CONTROLS AUDIT MANUAL (FISCAM). This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. United States Government Accountability Office, Washington, DC 20548, February 2009. TO AUDIT OFFICIALS, CIOS, AND OTHERS INTERESTED IN FEDERAL AND OTHER GOVERNMENTAL INFORMATION SYSTEM CONTROLS AUDITING AND REPORTING: This letter transmits the revised Government Accountability Office (GAO) Federal Information System Controls Audit Manual (FISCAM). The FISCAM presents a methodology for performing information system (IS) control audits of federal and other governmental entities in accordance with professional standards, and was originally issued in January 1999. We have updated the FISCAM for significant changes affecting IS audits. This revised FISCAM reflects consideration of public comments received from professional accounting and auditing organizations, independent public accounting firms, state and local audit organizations, and interested individuals on the FISCAM Exposure Draft issued on July 31, 2008 (GAO-08-1029G)...
...Assignment 1&2: Enhance an existing IT security policy framework. Security policy planners must consider the options available to them and the tasks they must complete to deploy an effective security audit policy in a network that includes computers running Windows 7 or Windows Server 2008 R2. Organizations invest a large portion of their information technology budgets in security applications and services, such as antivirus software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, you should not consider the job complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. To be well defined and timely, an auditing strategy must provide useful tracking data on an organization's most important resources, critical behaviors, and potential risks. In a growing number of organizations, it must also provide proof that IT operations comply with corporate and regulatory requirements. Unfortunately, no organization has unlimited resources to monitor every single resource and activity on a network. If you do not plan well enough, you will likely have gaps in your auditing strategy. However, if you try to audit every resource and activity, you may find yourself with far too much monitoring data, including thousands of benign audit entries that an analyst would need to...
...Information Systems Audit. An information systems audit examines and evaluates an organization's information systems, practices, and operations. The audit is designed to confirm that the information system is safeguarding the organization's assets, ensuring data integrity, and performing efficiently so as to meet the organization's goals. Information systems audit plans seek to evaluate the robustness of the organization's information system. Is the system available whenever the organization needs it? What security mechanisms are in place to ensure the confidentiality and security of data? Is the information provided by the systems accurate? Audits of information systems may be initiated to address any of these specific issues within the overall IS environment. Information Systems Audit Program: The elements of an information systems audit address the effectiveness of controls in the following general areas:
* Physical and environmental review, which includes physical property security, power supply, air conditioning, etc.
* System administration review, encompassing operating systems, databases, and system administration policies and procedures.
* Application software review, which is an encompassing examination of the applications used by the organization as well as the access controls, authorizations, process flows, error and exception handling, and similar activities that affect software applications, including...
...to intricate aspects of a government-established information system's security features. The audit will need to be carried out by trained and experienced professionals in order to succeed and to keep the end result relevant as the information technology field changes. Most information technology audits fall into one of two types: information technology auditing and information security auditing. We first discuss information technology auditing. Information technology auditing is the process of examining the controls within an information technology infrastructure. The process conducts an extensive evaluation and can determine whether the established information systems are doing their jobs: it checks that the current information systems are safeguarding stored assets, maintaining system integrity and, last but not least, meeting the objectives and goals of the company deploying the system. This audit can be done at any time, alongside any other audit going on within the organization; it is also one of the items that comes up for audit when an organization is looking for financial cuts. The primary goal of the information technology audit is to ensure an organization's system is effective for the environment it is functioning in. The purpose of an information security audit, by contrast, is to focus only on the policies and functions...
...IT Audit Seminar organized by the National Audit Office, China, 1 to 4 September 2004. Paper on "Formulation of IT Auditing Standards" by Ms. Puja S. Mandol and Ms. Monika Verma, Supreme Audit Institution of India. Introduction: The use of computers and computer-based information systems has pervaded deep and wide into every modern organization. An organization must exercise control over these computer-based information systems because the cost of errors and irregularities that may arise in them can be high and can even threaten the very existence of the organization. An organization's ability to survive can be severely undermined through corruption or destruction of its database; decision-making errors caused by poor-quality information systems; losses incurred through computer abuse; and loss of computer assets or of control over how computers are used within the organization. Therefore management across the world has deployed specialized auditors to audit information systems, to find gaps between declared policies and actual use and shortcomings in information system design and usage. Information systems audit is the process of collecting and evaluating evidence to determine whether a computer system has been designed to maintain data integrity, safeguard assets, allow organizational goals to be achieved effectively and use resources efficiently. The IS auditor should see that not only do adequate internal controls exist...
...IT255 Introduction to Information Systems Security, Unit 5: Importance of Testing, Auditing, and Monitoring. © ITT Educational Services, Inc. All rights reserved.
Learning Objective: Explain the importance of security audits, testing, and monitoring to effective security policy.
Key Concepts:
* Role of an audit in effective security baselining and gap analysis
* Importance of monitoring systems throughout the IT infrastructure
* Penetration testing and ethical hacking to help mitigate gaps
* Security logs for normal and abnormal traffic patterns and digital signatures
* Security countermeasures through auditing, testing, and monitoring test results
EXPLORE: CONCEPTS
Purpose of an IT Security Assessment: check the effectiveness of security measures; verify access controls; validate established mechanisms.
IT Security Audit Terminology: verification, validation, testing, evaluation...
...Information Security Audit. When conducting an information security audit, many people tend to confuse it with an information systems audit. An information systems audit is a broad, expansive term that covers a wide range of responsibilities: hardware and server administration, incident and problem management, safety, network segmentation, and privacy and security assurance (Pathak, 2004). By contrast, as the name suggests, an information security audit has a single focus: the security of information and data while it is being transmitted and stored. Here, information should not be taken to mean only electronic information; printed information is equally critical and its security is also covered during the audit. There is a process that is followed when conducting an information security audit. The first step is identifying assets and classifying them. This is the method of identifying valuable assets and sorting them into manageable groups. There are different ways to gather this information, including talking with key IT staff, inspecting any past audits, and reviewing inventory records. After identifying assets, classify them according to their availability, integrity and confidentiality requirements. Examples of assets that require strict confidentiality are student grades, bank records, and health records. Assets that require integrity (meaning...
...In accordance with our IT audit plan, the Foods Fantastic Company (FFC) Audit Team has performed an ITGC review of the 5 critical ITGC areas and in-scope applications so as to enable the audit team to follow a controls-based audit approach and be able to rely on the IT controls in place at FFC. FFC is a publicly traded, regional grocery store located in the mid-Atlantic region that relies on many state-of-the-art IT systems and software, all of which are managed in-house. Purpose: We hope to gain comfort that FFC's systems, IT practices, and risk management procedures are working properly and are operationally effective within a well-controlled IT environment, and to meet the requirements outlined in SAS 109 and SOX Section 404 (Management Assessment of Internal Controls). Considering that the FFC IT environment has a direct impact on account balances and the financial statements, it is imperative that we provide assurance over IT controls prior to the financial statement audit and assess the risk of material misstatement in the different areas of the IT environment. Scope: Our team initially reviewed key provisions included in SAS 109, SOX Section 404, PCAOB Auditing Standard No. 5, and FFC policies. To provide the financial auditors with a complete and accurate review of the critical ITGC areas, we reviewed FFC's IT and security procedures, interviewed relevant FFC client personnel...
...The Australian Cyber Security Capability Framework (CSCF) & Mapping of ISM Roles by the Australian Government Information Management Office (AGIMO) formalizes training, certification, competency and development requirements for staff employed within the IT security profession [14]. The 20-page Framework has a two-level structure with six main categories of capability: Service Delivery; IT Business Management; Business Change; Solutions Development; Solutions Implementation; and Service Support. The Security domain sits within the Service Delivery area and is broken down into four capability groupings: Service Delivery; IS; Technology Audit; and Emerging Technology Monitoring. The competencies are mapped onto the Framework based on complexity...
...Security Awareness Policy (statement 1). The Information Security (IS) team is responsible for promoting ongoing security awareness to all information system users. A security awareness program must exist to establish formal methods by which secure practices are communicated throughout the corporation. Security guidance must exist in the form of formal written policies and procedures that define the principles of secure information system use and the responsibility of users to follow them. Security awareness articles, posters, and bulletins should be created and distributed periodically throughout the corporation to educate employees about new and existing threats to security and how to cope with them. All employees are responsible for promptly reporting to their management and to Information Systems (IS) management any suspected insecure conditions or security violations they encounter. All employees must be made aware of their security responsibilities on their first day of employment as part of the new-hire orientation program. All employees must acknowledge the IS security policies by signing a compliance agreement that is retained in their personnel file. IS security policies and procedures must remain current and readily available (e.g., via the intranet site) for information system users to review and understand. Information Systems (IS) management must ensure that the terms and conditions of authorized system access are clearly communi...
...Hospital Risk Assessment & Security Audit. Patton-Fuller Community Hospital Risk Assessment & Security Audit. Risk assessment and threat assessment should go hand in hand. The outcome of the risk assessment and threat assessment should be recommendations that maximize the protection of confidentiality, integrity and availability while still providing functionality and usability. The purpose of a risk assessment is to ensure sensitive data and valuable assets are protected. An organization should take a hard look at who has access to sensitive data and whether that access is required. The security audit should monitor the company's systems and users to detect illicit activity. The security audit should include searches for security events and abuse of user privileges, along with a review of directory permissions, payroll controls and accounting system configurations; a check that backup software is configured and backups are completed as required; and a review of network shares for sensitive information with wide-open permissions. During the security audit, a walk-through of offices should be conducted to ensure security policies and procedures are followed. Security Management: Currently, PFCH has a Chief Compliance Officer (CCO) in place to ensure the hospital meets all laws and regulations regarding patient privacy. The CCO is responsible for developing, implementing, and maintaining a system-wide corporate compliance program. The CCO also oversees the Security Officer, the Director of Medical...
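The share and directory-permission review this paper calls for can be scripted rather than eyeballed. The following PowerShell is an added example and is not part of the PFCH paper. It assumes Windows Server 2012 or later (for Get-SmbShare and Get-SmbShareAccess) and an elevated local session; the list of "broad" principals, the file-name pattern used as a hint of sensitive content, and the report path are assumptions to tune for your own environment. It flags a share as effectively open only when both the share ACL and the NTFS ACL let a broad group write, since the effective permission is the more restrictive of the two.

```powershell
# Added example, not part of the PFCH paper. Assumes Windows Server 2012 or later
# (Get-SmbShare / Get-SmbShareAccess), PowerShell 3.0+, run locally from an elevated
# prompt. $BroadPrincipals, $SensitivePattern and $ReportPath are assumptions.

$BroadPrincipals  = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
$SensitivePattern = '(?i)(ssn|payroll|patient|mrn|passw)'   # assumed file-name indicators
$ReportPath       = Join-Path $env:TEMP 'share-audit.csv'

function Test-BroadPrincipal {
    # "Broad" = one of the well-known groups above, or any domain's Domain Users group.
    param([string]$Name)
    return ($BroadPrincipals -contains $Name) -or ($Name -like '*\Domain Users')
}

function Get-BroadNtfsWrite {
    # Emits "principal:rights" for each NTFS allow-ACE on $Path that gives a broad
    # principal Write, Modify or FullControl.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if (-not (Test-BroadPrincipal $who)) { continue }
        $rights = [string]$ace.FileSystemRights
        if ($rights -match 'FullControl|Modify|Write') { "${who}:$rights" }
    }
}

$findings = foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {
    # Share-level ACL: Full or Change granted to a broad principal.
    $broadShare = @(Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (@('Full', 'Change') -contains [string]$_.AccessRight) -and
        (Test-BroadPrincipal $_.AccountName)
    } | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" })

    # NTFS ACL on the folder behind the share.
    $broadNtfs = @(Get-BroadNtfsWrite -Path $share.Path)

    # Files whose names hint at sensitive content, capped so a big share does not stall the run.
    $sensitive = @(Get-ChildItem -LiteralPath $share.Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $SensitivePattern } |
        Select-Object -First 20 -ExpandProperty FullName)

    # Effective access is the more restrictive of share and NTFS permissions, so the
    # share is only truly wide open when both layers allow a broad group to write.
    $effectiveOpen = ($broadShare.Count -gt 0) -and ($broadNtfs.Count -gt 0)
    $risk = if ($effectiveOpen -and $sensitive.Count -gt 0) { 'High' }
            elseif ($effectiveOpen) { 'Medium' }
            else { 'Low' }

    [pscustomobject]@{
        Share          = $share.Name
        Path           = $share.Path
        BroadShareAcl  = ($broadShare -join '; ')
        BroadNtfsWrite = ($broadNtfs -join '; ')
        SensitiveFiles = ($sensitive -join '; ')
        Risk           = $risk
    }
}

$findings | Sort-Object { @{ High = 0; Medium = 1; Low = 2 }[$_.Risk] } |
    Format-Table Share, Risk, BroadShareAcl, BroadNtfsWrite -AutoSize
$findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
Write-Host "Share audit written to $ReportPath"
```

Run it on each file server and keep the CSV as audit evidence. A share rated High is one where any domain user can modify files whose names suggest PHI or payroll data, which is exactly the condition the audit checklist above is meant to surface.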
...University AUO1 – Auditing and Information Systems: Additional Study Questions / Study Guide.
1. Accounting Information Systems. Competency 302.1.1: Nature and Purpose. The student understands the nature and purpose of information systems.
* What is the difference between transaction processing systems, management information systems, and decision support systems? Transaction processing systems document financial activities. Management information systems are used to collect qualitative as well as quantitative information for decision making within organizations. Decision support systems help managers and other users analyze information for their planning, decision-making, and control functions.
* How is a flowchart used? A document flowchart traces the physical flow of documents through an organization, that is, the flow of documents from the departments, groups, or individuals who first created them to their final destinations.
* How is the accounting information system documented? An accounting information system is a collection of data and processing procedures that creates needed information for its users. An information system's components: data is input, processed, and output as information for planning, decision-making, and control purposes. Data flow diagrams provide both a physical and a logical view of a system, but concentrate more on the flow and transformation...
...Win 7 thru Win 2012. This "Windows Logging Cheat Sheet" is intended to help you get started setting up basic and necessary Windows audit policy and logging. By no means is this list exhaustive, but it does include some very common items that should be enabled, configured, gathered and harvested for any log management program. Start with these settings and add to them as you understand better what is in your logs and what you need.
DEFINITIONS:
ENABLE: Things you must do to enable logging so that events start being collected and kept.
CONFIGURE: Configuration needed to refine which events you collect.
GATHER: Tools/utilities you can use locally on the system to set or gather log-related information: AuditPol, WEvtUtil, Find, etc.
HARVEST: Events you would want to harvest into a centralized event log management solution such as syslog, a SIEM, Splunk, etc.
RESOURCES: Places to get information on Event IDs:
www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx - better descriptions of Event IDs
www.EventID.Net - most of the Event IDs
Google - but of course
http://support.microsoft.com/kb/318380 - IIS error codes
http://cryptome.org/2014/01/nsa-windows-event.pdf - good article
http://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx - Microsoft Advanced Security Audit Policy descriptions
https://support.microsoft.com/en-us/kb/3004375 - patch and registry tweak for KB3004375 command line logging
ENABLE: ...
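As an added example of the ENABLE, CONFIGURE, GATHER and HARVEST steps above (and of the audit-policy planning that the Windows 7 / Server 2008 R2 assignment earlier on this page describes), the following PowerShell script is not part of the cheat sheet. It assumes an elevated session with PowerShell 3.0 or later on Windows 7 / Server 2008 R2 through Server 2012 and the English auditpol subcategory names; the chosen subcategories, the event IDs watched, the 1 GiB log size and the output path are assumptions. The ProcessCreationIncludeCmdLine_Enabled registry value is the KB3004375 tweak the cheat sheet links to.

```powershell
# Added example, not part of the cheat sheet. Run from an elevated PowerShell (3.0+)
# prompt on Windows 7 / 2008 R2 through 2012. Assumptions: English auditpol subcategory
# names, the subcategory and event-ID lists, the 1 GiB Security log size, the CSV path.

# ENABLE: turn on a small, high-value set of Advanced Audit Policy subcategories.
$Subcategories = @(
    'Process Creation',        # 4688: what ran
    'Logon',                   # 4624/4625: who logged on, and failed attempts
    'Special Logon',           # 4672: admin-equivalent privileges assigned at logon
    'Security State Change',   # 4608/4616: system start, system time changed
    'Audit Policy Change',     # 4719: the audit policy itself was changed
    'User Account Management'  # 4720-4726, 4738: accounts created/changed/deleted
)
foreach ($sub in $Subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# CONFIGURE: add the command line to 4688 (KB3004375 registry value) and size the
# Security log so events survive until the collector has pulled them.
$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $AuditKey)) { New-Item -Path $AuditKey -Force | Out-Null }
Set-ItemProperty -Path $AuditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord
& wevtutil.exe sl Security /ms:1073741824   # 1 GiB (assumed); size to your retention target

# GATHER: show the effective policy, then pull the last hour of the events enabled above.
& auditpol.exe /get /category:*
$WatchIds = 4688, 4624, 4625, 4672, 4719, 1102   # 1102 = the audit log was cleared
$events = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $WatchIds; StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue)

# HARVEST: flatten each event to one row that a syslog/SIEM forwarder can ship.
function ConvertTo-HarvestRow {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    # EventData/Data elements carry the named fields (SubjectUserName, CommandLine, ...).
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    $note = ''
    if ($Event.Id -eq 1102) { $note = 'AUDIT LOG CLEARED' }
    elseif ($Event.Id -eq 4719) { $note = 'AUDIT POLICY CHANGED' }
    [pscustomobject]@{
        Time     = $Event.TimeCreated
        Computer = $Event.MachineName
        Id       = $Event.Id
        Subject  = $data['SubjectUserName']
        Target   = $data['TargetUserName']
        Process  = $data['NewProcessName']
        CmdLine  = $data['CommandLine']   # empty until the registry value above takes effect
        Note     = $note
    }
}
$OutPath = Join-Path $env:TEMP 'security-harvest.csv'
$events | ForEach-Object { ConvertTo-HarvestRow -Event $_ } |
    Export-Csv -Path $OutPath -NoTypeInformation
Write-Host "Harvested $($events.Count) events to $OutPath"
```

Event 1102 and 4719 are included deliberately: an attacker who clears the log or turns auditing off generates exactly the events you most want forwarded off-host before they disappear, which is the argument for harvesting to a central collector rather than relying on the local log alone.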
...the existing manual process is automated using computers, whereas in the latter the existing process is re-engineered. In the latter the benefits are more fully realized, but serious problems can arise if some basic controls are omitted. An IS auditor who is part of this exercise ensures that the basic controls the business requires exist in the re-engineered process. The IT Security Policy: Because of extensive engagement with the organisation, the IS auditor is able to say which parts of the policy are being complied with, can offer suggestions for improving compliance and making suitable changes to the IT policy, and can also offer guidance in areas the policy may not adequately address. Security Awareness: An effective IS audit helps raise the level of security awareness and compliance with security measures among IT users. It also motivates security officers and system administrators to do their jobs effectively. Better Return on Investment: IS audits are nowadays used not only for security but also for performance management and assessing the value of IT investments. Therefore, an IS audit can be used to facilitate the effective and efficient use of IT for fulfilling business objectives. Risk Management: The domain of IS auditing is moving towards risk management, and the IS auditor is increasingly viewed as a risk management professional, particularly in the area of operational risk. Effective risk management for the enterprise is vital; therefore the...
...Controls. Tynisha Ellis. Dr. James Francisco. Systems Analysis and Development. February 12, 2012. Abstract: A company must do everything in its power to protect its data. This includes not only the firm's own information but that of its customers, employees, and suppliers. In this paper I describe four types of input controls in user interface design and their primary functions. Input controls are the measures necessary to ensure that input data is correct, complete and secure (Rosenblatt & Shelly, 2012). Examples of input controls include audit trails, encryption, password security, and data security, to name a few. Input Controls: To begin, audit trails record the source of each data item and when that data enters the system (Rosenblatt & Shelly, 2012). An audit trail is a series of records of computer events about an operating system, an application, or user activities (Gopalakrishna, 2000). It is generated by an auditing system that monitors system activity (Gopalakrishna, 2000). Audit trails have many uses in computer security (Gopalakrishna, 2000), including: 1. Individual accountability: a user's actions are monitored and tracked, making the user accountable for them. This deters users from evading security policies, and if they do evade them, they can be held accountable (Gopalakrishna, 2000). 2. Reconstructing events: audit trails can also be used to reconstruct events after...