FUNDAMENTAL OF COMPUTER AUDIT

INTERNAL AUDIT

An independent, objective assurance and advisory activity

Designed to add value and improve an organization’s operations

Computing Audit & Risk Management

- Incident management response process
- Classifying business value of data
- Risk assessments on internal systems
- Security Audits
- Governance, risk and compliance

AUDIT PROCESS

Planning
- Annual Risk Assessment
- Preliminary Audit Plan
- Board of Visitors Approval
- Notification and Request for Information

Testing
- Understand Your Risks and Controls
  - Backup & Recovery
  - Resource Management
  - Web Site
  - Security
    - Remote Vulnerability Scans
    - On-Site, Follow-up Vulnerability Tests
  - Critical Data

Reporting
- Observation (when unexpected results are noted)
- Recommendation (to improve controls)
- Management Action Plan (develop plans, schedules, and priorities)
- Findings
- Final Report sent to BOARD

Follow-up
- Follow-Up Actions are Based on Your “Management Action Plan”
- Progress is Monitored
- Some Re-Testing May be Necessary
- Board of Visitors is Updated
- Audit is closed

COMMON AUDIT OBSERVATIONS

- Weak Security Settings
  - Windows Operating System
- Missing Security Patches
  - Operating Systems
  - Applications
  - Databases
- Misconfigured Anti-Malware Tools
  - Out-of-Date Threat Signatures
  - Scans Not Scheduled
- Inadequate Access Controls
  - Weak Passwords & File Permissions
- Open Communication Ports
  - The Hacker’s Point of Entry

DO'S

- Harden Security Settings
- Keep Everything Patched
- Install and Use Anti-Malware Tools
- Enforce Strong Passwords
- Close or Filter Communication Ports
- Test Your Systems
- Support Your System Administrator