audit
Computer Security
Audit for UMUC ACCT 433
Table of Contents Summary of UMUC................................................ 3
UMUC Security ................................................ 4
Auditing Computer Security..................................... 5
Physical Location ............................................ 5
Disaster Recovery Plan & Site ................................ 7
Computer Access Audit ........................................ 8
Virus Prevention Audit ....................................... 9
Data Accuracy ................................................ 9
Audit Conclusion.............................................. 10
References.................................................... 12
Summary of UMUC University of Maryland University College provides online
education opportunities to people all over the world. The
information technology base of an online based college is
extremely important. In order for this business to run
successfully and efficiently, the information technology of the
institution must maintain personal information of students,
teachers, and other faculty while supporting the overwhelming
flow of traffic to their site. The center where students,
faculty, and staff share information is called MyUMUC. This
system allows the users, students, faculty, and staff, to access
their web portal which allows them access to their personal
information and classes (UMUC, About MyUMUC).
As an opportunity for online education and night-schooling,
UMUC provides its services to working adults. The online aspect
of the school also lends itself nicely to those enrolled in the
Armed Forces who are stationed all over the world and subject to
sudden changes of location. The benefits UMUC provides its
students is the freedom of schedule. Most online classes only
have one due date at the end of the week, so it is up to the
student to get the assigned work done, at any time or pace in
that week. This allows working people, those enrolled, and those
busy taking care of a family the opportunity to fit college into
their already hectic schedules.
UMUC Security The focus of the audit should be on the security of the
UMUC system. Computer security not only attempts to maintain
unauthorized access, but also tries to maintain the accuracy of
the data (Hall, 2010, p. 588). Since UMUC is primarily an online
educational institution, having adequate computer security is
imperative to the success of the college.
The MyUMUC system gives the users access to their portals
which shows their personal information, gives them access to
their classes, their class history and grades, and allows them
to pay tuition. The amount of sensitive information involved in
extraordinary in that most users have their social security
numbers, addresses, and/or credit card information. The
significance of preventing unauthorized access cannot be
overstated for the success of UMUC. Losing a student’s personal
information would create a serious inconvenience to the student
which would take time, money and hard work to repair. As
previously stated, UMUC students are typically already busy with
other engagements and do not have much free time. When
information is lost or stolen, the students will be upset with
the waste of their precious time and the other students may fear
their information could also be in jeopardy. A breach of the
UMUC system could be disastrous for the college as students will
steer clear of institutions of fraud.
The UMUC website acknowledges the importance of security in
its computer security policy. This policy stresses proper
etiquette and usage of computers and the maintenance of
computers and passwords (UMUC, Policy). This policy appears to
be intended for the users of the UMUC system more than the staff
which maintains it. It is presumable that the IT staff have a
more comprehensive policy pertaining to their computer
etiquette.
Auditing Computer Security To audit the security of a computer system, one must ensure
the physical safety of the hardware first. Then, accessibility
is checked by testing passwords and the security software. The
data is also tested for accuracy to ensure efficiency. Finally,
the back-up plan is tested in case of emergency.
Physical Location The physical location of system is very important to this
audit since the data can easily be destroyed or stolen due to a
lack of physical controls. Auditing the physical location of the
computer center involves testing the fireproof structure, the
flood drainage, and the location of the center. The location
should put the computer center away from any fire, civil unrest,
or other hazards (Hall, 2010, p. 49).
In the case of UMUC, it is recommended that the audit begin
with a test of the fire detection system. This system should be
capable of detecting and suppressing fires. The detection system
should also be capable and tested to detect smoke and flammable
gases. Typically, it is possible to review the tests of the fire
marshal which should be on record (Hall, 2010, p. 49).
The next step in the physical audit of the computer center
is to test the accessibility of the room. There should be a log
which records each access of the computer center. This log
should be cross referenced with cameras or work times of the
employees that access the room to verify those accessing the
room are authorized (Hall, 2010, p. 49). If the frequency of
visits to the computer center is very high, there are software
programs which can detect abnormalities in access times and
patterns once an audit trail is implemented (National Institute
of Standards and Technology).
Hall (2010, p. 49-50) also recommends testing the redundant
array of independent disks, RAID, and the continuous flow of
electricity. These two tests are to maintain that the computer
center properly backs up data and does not see an interrupted or
sudden spike in power. The backup power supply should have
enough power to runt the computer center and the air
conditioner. The test of the RAID will probably involve
consulting the system administrator (Hall, 2010, p. 49-50).
Disaster Recovery Plan & Site Auditing the Disaster Recovery Plan and the associated
backup site is the next logical step in the audit because of the
similarities to the physical location audit. The plan is a list
of procedure to be acted upon in case the computer center is
somehow compromised (Hall, 2010, p. 51). The purpose of auditing
this procedure is to verify the feasibility of the plan should a
disaster occur (Hall, 2010, p. 56).
The backup site should be audited similar to the physical
location of the computer center, if the firm has its own backup
site. If they have an agreement with another firm to help each
other in disaster, the other firms’ system should be tested for
enough storage and processing power to operate both companies
(Hall, 2010, p. 56). The backup data, software, supplies, and
documents should be stored at the backup site. Keeping separate
locations should keep any disaster from taking out the computer
center and the backup. There should also be a test of the
recovery team roster, which has the contact information for the
recovery team. Testing the accuracy of this information is vital
because it could be very costly if the information needs to be
found during a disastrous event. All of these tests should be
done by the auditor.
Computer Access Audit Auditing computer security relies on a good audit of the
access employees have to the computers. Since UMUC is an online
college, there are not physical assets. The access controls in
this case are to the computer system. The key parts of this
audit step are the passwords, data encryption, and segregation
of duties.
The password and multilevel password controls are ideal for
keeping unauthorized access from occurring. The passwords are
kept in a table and allow an employee to access his or her
applications and data. The passwords also keep unauthorized
people from viewing, inputting, modifying, or deleting data
(Hall, 2010, p. 103). To test the passwords, NIST says there are
tools for analyzing audit trails which will tell trend
detection, password strength, or attack-signature detection.
These tools will help the auditor recognize if attempts
penetrate the system are being made by unauthorized people
(NIST).
The auditor is responsible for testing the access
clearances. This involves the auditor logging onto accounts and
trying to access more information than the password is supposed
to allow. If the system allows the operation, there is a flaw in
the system which needs to be fixed.
Finally, the auditor should also review the organizational
charts and job descriptions to be positive that the proper
duties are segregated and that there is good supervision of the
critical operations (Hall, 2010, p. 104).
Virus Prevention Audit The audit of the antiviral software and the firewall are an
essential parts of this audit. In this case, it is wise to
employ an automated auditing tool to test the validity of the
firewall. Joel Snyder recommends a tool from Mu Dynamics Inc. or
Spirent Communications plc (Snyder, 2012). Once the firewall is
properly tested, the audit can move forward to the examination
of the virus software. Detecting a virus is important in
mitigating the damage caused. The auditor should not only test
the software, but also review the procedure for installation and
updates of the software (Hall, 2010, p. 105).
Data Accuracy Maintaining the accuracy of the data is one fraud and error
detection strategy. If there is an issue with the accuracy of
the data, there could have been an issue with intrusion or there
could be an error in the system. Detecting errors or
discrepancies in the data is difficult for an auditor to find
without implementing automated tools. An industry leader in
auditing tools is ACL, or audit command language. This software
provides access to data in a way that allows for substantive
tests (Hall, 2010, p. 370). One capability of generalized audit
software like ACL is the comparing files to identify
differences. This allows the auditor to be sure the data remains
free of doctoring or deleting. Maintaining the accuracy of the
data is a significant step as it can be a sign of software or
system malfunction or a sign of intrusion. Also, the data should
be accurate as the employees and students of UMUC do not wish to
continually correct flaws in the system.
Audit Conclusion The close of this audit will bring results of the current
state of affairs. It is possible that the security needs
improvement or is perfectly satisfactory. As with all business
decisions, UMUC should weigh the possible risk to the cost of
making any recommended changes. An audit of this magnitude will
take considerable time even though the use of automated auditing
tools is suggested. It will probably take 6-8 weeks to complete
this computer security audit because of the rigorous testing to
be done, especially to the firewall, passwords, and virus
detection software.
This audit relies on the use of Mu Dynamics Inc. for the
firewall test, ACL for the data accuracy test and the password
cross reference. Other tests by the auditor include location,
fire detection, segregation of duties as well as all the review
of procedures and policies. The audit should assess the accuracy
and accessibility of the data in the UMUC computer system. The
recommendations made at the end should be strongly considered by
the UMUC management.
References Hall, J.A. (2010). Information Technology Auditing (3
rd ed.).
Mason, OH: Cengage Learning.
National Institute of Standards and Technology. Audit Trails.
Retrieved from
http://csrc.nist.gov/publications/nistbul/itl97-03.txt
Snyder, J. (2012, April 9). How to test a firewall: A three-step
guide to testing firewalls. Retrieved from
http://searchsecurity.techtarget.com/tip/How-to-test-a-
firewall-A-three-step-guide-for-testing-firewalls
University of Maryland University College. About MyUMUC.
Retrieved from
http://www.umuc.edu/itsupport/bettermyumuc/index.cfm
University of Maryland University College. Policy 270.30-
Computer security. Retrieved from
http://www.umuc.edu/policies/fiscalpolicies/fisc27030.cfm