FUNDAMENTALS OF COMPUTER AUDIT

INTERNAL AUDIT
An independent, objective assurance and advisory activity, designed to add value and improve an organization's operations.

Computing Audit & Risk Management
- Incident management response process
- Classifying business value of data
- Risk assessments on internal systems
- Security audits
- Governance, risk and compliance
AUDIT PROCESS
Four phases: Planning, Testing, Reporting, Follow-up

Planning
- Annual Risk Assessment
- Preliminary Audit Plan
- Board of Visitors Approval
- Notification and Request for Information

Testing
- Understand Your Risks and Controls
- Backup & Recovery
- Resource Management
- Web Site
- Security
  - Remote Vulnerability Scans
  - On-Site, Follow-up Vulnerability Tests
- Critical Data

Reporting
- Observation
- Recommendation: to improve controls, or when unexpected results are noted
- Management Action Plan: develop plans, schedules, and priorities
- Findings
- Final Report sent to the Board

Follow-up
- Follow-up actions are based on your "Management Action Plan"
- Progress is monitored
- Some re-testing may be necessary
- Board of Visitors is updated
- Audit is closed
COMMON AUDIT OBSERVATIONS
- Weak Security Settings (e.g. in the Windows operating system)
- Missing Security Patches: operating systems, applications, databases
- Misconfigured Anti-Malware Tools: out-of-date threat signatures, scans not scheduled
- Inadequate Access Controls: weak passwords & file permissions
- Open Communication Ports: the hacker's point of entry

DO'S
- Harden Security Settings
- Keep Everything Patched
- Install and Use Anti-Malware Tools
- Enforce Strong Passwords
- Close or Filter Communication Ports
- Test Your Systems
- Support Your System Administrator
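The observations above map directly onto checks a system administrator can run before the auditor arrives. The script below is an added example and is not part of the original slides: it is a read-only PowerShell self-check for a Windows host covering patch age, anti-malware signature and scan age, minimum password length, listening ports, and permissive ACLs on a data directory. The thresholds (30 days for patches, 7 days for signatures and scans, 12 characters for passwords) and the C:\Data path are assumptions chosen for the example; it uses only cmdlets that ship with Windows (Get-HotFix, Get-MpComputerStatus, Get-NetTCPConnection, Get-Acl) plus the classic net accounts command.

```powershell
# Added example (not from the original slides): read-only pre-audit self-check.
# Thresholds and the sensitive-data path below are assumptions for illustration.
$PatchAgeDays     = 30
$SignatureAgeDays = 7
$ScanAgeDays      = 7
$MinPasswordLen   = 12
$SensitivePath    = 'C:\Data'   # assumed location of critical data
$findings = @()

# 1. Missing security patches: when was the most recent hotfix installed?
$lastFix = Get-HotFix | Where-Object InstalledOn |
           Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-$PatchAgeDays)) {
    $findings += "Patching: no hotfix installed in the last $PatchAgeDays days (last: $($lastFix.InstalledOn))"
}

# 2. Misconfigured anti-malware: signature age and last completed scan (Microsoft Defender).
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    if (-not $mp.AntivirusEnabled) { $findings += "Anti-malware: antivirus is disabled" }
    if ($mp.AntivirusSignatureAge -gt $SignatureAgeDays) {
        $findings += "Anti-malware: threat signatures are $($mp.AntivirusSignatureAge) days old"
    }
    $lastScan = @($mp.QuickScanEndTime, $mp.FullScanEndTime) | Where-Object { $_ } |
                Sort-Object -Descending | Select-Object -First 1
    if (-not $lastScan -or $lastScan -lt (Get-Date).AddDays(-$ScanAgeDays)) {
        $findings += "Anti-malware: no scan completed in the last $ScanAgeDays days"
    }
} catch {
    $findings += "Anti-malware: Defender status unavailable ($($_.Exception.Message))"
}

# 3. Weak passwords: local policy as reported by 'net accounts'.
$policy = net accounts
$minLen = [int]((($policy | Select-String 'Minimum password length').ToString()) -replace '\D', '')
if ($minLen -lt $MinPasswordLen) {
    $findings += "Passwords: minimum length is $minLen (expected at least $MinPasswordLen)"
}

# 4. Open communication ports: every non-loopback TCP listener and its owning process.
$listeners = Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        '{0}:{1} ({2})' -f $_.LocalAddress, $_.LocalPort, $proc.ProcessName
    } | Sort-Object -Unique
if ($listeners) {
    $findings += "Open ports (confirm each has a documented need or filter it): " + ($listeners -join ', ')
}

# 5. Inadequate file permissions: broad groups with write access on the data directory.
if (Test-Path $SensitivePath) {
    $weak = (Get-Acl $SensitivePath).Access | Where-Object {
        $_.IdentityReference -match 'Everyone|Authenticated Users|Users' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl'
    }
    if ($weak) {
        $findings += "Permissions: $SensitivePath is writable by $(($weak.IdentityReference | Sort-Object -Unique) -join ', ')"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else           { Write-Output "No findings against the configured thresholds." }
```

Run it from an elevated PowerShell session so Get-HotFix and Get-Acl can read everything; each FINDING line corresponds to one of the observation categories on the slide, which makes it easy to attach the output to the Management Action Plan.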