Secured View: Audit Compliance
Preparing for Audit
In this last installment of the BS 7799 series let's take
a look at the crucial issues one should consider when taking the prudent approach
to audit. by Avinash W. Kadam
We began the quest for an Information Security
Management system by stating the security goals. To achieve these goals, we
created a security organization. The imaginary security organization we devised
identified all the critical information assets that we possessed. It also defined
personnel security policies, physical and environmental security policies; communication
and operations management policies; access control policies; system development
and maintenance policies; business continuity management policies. But we need
to look at everything in a skeptical manner and step into a critic's shoes.
The critic could be an auditor, a government regulatory authority or even a
law enforcement authority. Let's assume that these hawk-eyed persons are eager
to know whether we have complied with every audit, statutory or legal provision
that falls within the jurisdiction of our country. This last article in the
BS 7799 series is about this crucial aspect.
Compliance with legal requirements
Let's begin by first identifying various
legislation that may govern the information systems we design and operate. An
advocate who happens to be a close friend was very helpful in giving me a 'partial'
list of the applicable laws. These are:
- IT Act 2000
- Trademark Act 1958
- Copyright Act 1957
- Law of Torts
- Indian Penal Code
- Indian Contracts Act 1887
- Sale of Goods Act
In addition to this if you have…
- …clients in Europe, the European Union's Data Protection
Directive for Protection of individual's data is applicable.
- …US based hospitals or HMO's as your clients, the
HIPAA (Health Insurance Portability and Accountability Act ) is applicable.And
if you are keeping data about any Californian resident in your database, California's
Security Breach Disclosure Law is applicable.
So, it's advisable to consult an advocate
for all the applicable legislation—that's if you don't want to be caught by
Intellectual property rights
One of the important acts, which finds
place as a specific control, is Intellectual Property Right (IPR). One needs
to ensure that one does not violate the software copyright in any form. This
simply means that one should use only authorized software. All employees should
read the copyright statement carefully before they download any software or
information from the Internet. Also ensure that your website does not breach
any copyright. There are a number of interesting cases, which prohibit you from
providing links to other sites, use the icons, use graphics or images, which
are available, freely on the Internet. In fact, some sites have protected even
the color schemes for their sites. So, be very careful against getting 'inspired'
by a website on Internet—you may be breaching an IPR.
Safeguarding organizational records
Ask your accounts department how long they
retain financial records. Every company has some musty store-room where records
are kept for seven years or more, depending on what is the statutory requirement.
Based on the guidelines, your predecessor has faithfully kept the old tapes
in the same store-room. If you get a summon from the Income Tax department to
produce the pay slip of an employee who was working for you seven years ago,
will you be able to produce it? Will you have the computer, the computer program,
and the tape drive to read that 9-track, 12-inch spool tape? Will the tape itself
be readable? Or has it got fungus deposited on it?
This and other crucial questions need to
be answered to satisfy this control. If you have selected an electronic storage
medium, you need to ensure that you have the ability to access data throughout
the desired retention period, and you should be able to retrieve the data in
a manner "acceptable to a court of law."
Prevention of misuse of information processing
Do you have MP3 songs on your hard disk?
Do you listen to these while working? Do you share these with colleagues? Beware!
This could be misuse of information processing facility, especially if you are
not in the business of recording, storing and distributing MP3 files. Your management
would have asked you to abide by the 'acceptable use policy' and indulging in
any activity contrary to it may invite disciplinary action.
There is a famous case of a hacker who
managed to get inside a corporate network and was caught by the vigilant security
officer. The hacker pleaded not guilty in the court. His argument was, when
he logged on the corporate network, a welcome sign greeted him. If he was welcome
to enter the network, then he has not broken any law by entering. After that,
the security officers have started putting a stern warning message forbidding
So, you have to ensure that there is no
misuse of the information processing facilities by any person, insider as well
as the outsider.
Cryptography immediately grabs our attention.
More so because it was placed under International Traffic in Arms Regulations
(ITAR) by USA and as such any export of cryptography was a crime treated on
par with exporting nuclear weapons. Phil Zimmerman was the crusader who took
up the crusade against the mighty USA for free use of cryptography to protect
privacy. His motto was, if privacy is outlawed, only outlaws have privacy. His
Pretty Good Privacy (PGP) e-mail security package is the most used e-mail encryption
Against this background, unless you are
a Zimmerman, check the government rules about use of cryptography. You may be
sending encrypted information to other countries that may have different laws.
In fact, some countries do not allow any data to be encrypted. So, if you are
traveling with your notebook PC where you have stored encrypted files, you may
be breaking a few laws of the land.
Collection of evidence
Cyber crime is a crime committed with the
help of a computer. The computer may have been used to carry out a cyber attack,
to send malicious e-mail, to store company confidential files before sending
them across, or to commit financial fraud. If you know that a particular computer
was used for criminal activities, how do you preserve all the telltale signs?
Computer forensics is a new branch of criminal
investigation. The computer evidence is very fragile. It can very easily lose
its credibility. Normal methods of taking backup do not work here as the date
and time stamps associated with the last access to a computer file change in
the next backup. The evidence thus collected will not be accepted in the court.
Special software is used to make a complete bit-by-bit image of the disk without
altering a single bit of information. The entire process of collecting evidence
has to be documented and witnessed. Multiple copies of the evidence should be
made so that one copy is always maintained in safe custody while the investigation
could be done using other copies. The concern here is to ensure that the evidence
is admissible in the court—the quality and completeness of evidence is beyond
doubt and you are really able to nail the cyber criminal.
Review of security policy and technical compliance
At the end of a BS 7799 exercise, an organization
establishes a number of security policies and standards. The initial audit has
the enthusiastic participation of all IT staff, end-users as well as senior
management. The real test of commitment is only after this initial euphoria
dies down. Does the organization always comply with all the policies? Is there
a mechanism to monitor the compliance? Is there a review mechanism? Are the
managers taking their responsibility seriously to ensure compliance with all
the security polices and procedures?
Existence of internal audit teams who are
regularly reviewing various areas of security policy compliance, as well as
review of internal audit teams' work by senior management, ensures that there
is a continued seriousness about security in the organization. For best results,
form peer review groups and try introducing healthy competition for being declared
"The Most Secured Department".
Apart from adherence to procedural aspects
of security, also ensure that periodic technical compliance checks are done.
This may require conducting tools-based vulnerability testing as well as penetration
testing. For best results, ask knowledgeable and trustworthy outsiders to carry
out these tests. Technical compliance gives additional assurance that all the
security holes have been plugged.
To quote Ron Weber, the author of the classic
book on Information Systems Control and Audit, information systems auditing
evaluates whether computer-based information systems safeguard assets, maintain
data integrity, achieve organizational objectives effectively, and consume resources
Auditing is a responsible task as it may
involve accessing live systems, and you have to ensure that there is minimum
interference to the business. The scope of the Audit should be very clearly
defined, and the entire audit process should be closely monitored and documented.
Audit may involve tools, which bypass the normal authentication mechanisms or
software controls. Care has to be taken that no data is altered or in any way
Access and use of the system audit tools
should be properly controlled and these should not be available to normal users.
You may use a password-cracking tool to check and report the strength of passwords.
Availability of this tool to general users may not be a good idea. In fact,
possession of these tools should be strictly forbidden as per the security policy.
Lastly, all audits should be conducted
only with prior approval of the management. You do not want to be 'caught' using
audit tools and be accused of theft, do you? It actually happened to Randall
L. Schwartz , a well-known security consultant and writer of two books on Perl.
He was employed by Intel to conduct a system audit. He ran a program called
'crack' to test the strength of passwords at another division of Intel where
he had previously worked. His actions were not covered by specific written scope
statements. Schwartz was charged with altering a computer and a computer network
without authorization; using a computer and computer network for the purpose
of committing a theft; committing theft of individual passwords. The jury convicted
him under Oregon's Computer Crime Law. His sentence included five years of probation,
480 hours of community service, 90 days of deferred jail time, and $68,000 of
restitution to Intel. At the end of trial, his legal bill exceeded $170,000.
Our own IT Act 2000 is also very clear
on the issue of computer crime. As per section 70 (3): Any person who secures
access or attempts to secure access, to a protected system, in contravention
of the provisions of this section shall be punished with imprisonment of either
description, for a term that may extend ten years, and shall also be liable
So, the moral of the story is: be very
careful when you conduct the system audits and ensure that it is covered by
the audit scope and authorized by the management in writing.
- Consult an advocate for all the applicable
legislationthat's if you don't want to be caught by surprise later.
- Ensure that one does not violate the software
copyright in any form.
- Ask the Accounts department how long they retain
- Ensure that there is no misuse of the information
processing facilities by any person, insider as well as the outsider.
- If you are traveling with your notebook PC
where you have stored encrypted files, you may be breaking a few laws
of the land.
- Ensure that the evidence is admissible in court.
The quality and completeness of evidence is beyond doubt, and you are
really able to nail the cyber criminal.
- Apart from adherence to procedural aspects
of security, also ensure that periodic technical compliance checks are
- Access and use of the system audit tools should
be properly controlled and these should not be available to users.
- All audits should be conducted only with prior
approval of the management.
Avinash Kadam is Director, Miel e-Security, Pvt. Ltd. He
can be reached at firstname.lastname@example.org