audit

profilejdeenn
example_audit_tool_paper.pdf

Computer Security

Audit for UMUC ACCT 433

Table of Contents Summary of UMUC................................................ 3

UMUC Security ................................................ 4

Auditing Computer Security..................................... 5

Physical Location ............................................ 5

Disaster Recovery Plan & Site ................................ 7

Computer Access Audit ........................................ 8

Virus Prevention Audit ....................................... 9

Data Accuracy ................................................ 9

Audit Conclusion.............................................. 10

References.................................................... 12

Summary of UMUC University of Maryland University College provides online

education opportunities to people all over the world. The

information technology base of an online based college is

extremely important. In order for this business to run

successfully and efficiently, the information technology of the

institution must maintain personal information of students,

teachers, and other faculty while supporting the overwhelming

flow of traffic to their site. The center where students,

faculty, and staff share information is called MyUMUC. This

system allows the users, students, faculty, and staff, to access

their web portal which allows them access to their personal

information and classes (UMUC, About MyUMUC).

As an opportunity for online education and night-schooling,

UMUC provides its services to working adults. The online aspect

of the school also lends itself nicely to those enrolled in the

Armed Forces who are stationed all over the world and subject to

sudden changes of location. The benefits UMUC provides its

students is the freedom of schedule. Most online classes only

have one due date at the end of the week, so it is up to the

student to get the assigned work done, at any time or pace in

that week. This allows working people, those enrolled, and those

busy taking care of a family the opportunity to fit college into

their already hectic schedules.

UMUC Security The focus of the audit should be on the security of the

UMUC system. Computer security not only attempts to maintain

unauthorized access, but also tries to maintain the accuracy of

the data (Hall, 2010, p. 588). Since UMUC is primarily an online

educational institution, having adequate computer security is

imperative to the success of the college.

The MyUMUC system gives the users access to their portals

which shows their personal information, gives them access to

their classes, their class history and grades, and allows them

to pay tuition. The amount of sensitive information involved in

extraordinary in that most users have their social security

numbers, addresses, and/or credit card information. The

significance of preventing unauthorized access cannot be

overstated for the success of UMUC. Losing a student’s personal

information would create a serious inconvenience to the student

which would take time, money and hard work to repair. As

previously stated, UMUC students are typically already busy with

other engagements and do not have much free time. When

information is lost or stolen, the students will be upset with

the waste of their precious time and the other students may fear

their information could also be in jeopardy. A breach of the

UMUC system could be disastrous for the college as students will

steer clear of institutions of fraud.

The UMUC website acknowledges the importance of security in

its computer security policy. This policy stresses proper

etiquette and usage of computers and the maintenance of

computers and passwords (UMUC, Policy). This policy appears to

be intended for the users of the UMUC system more than the staff

which maintains it. It is presumable that the IT staff have a

more comprehensive policy pertaining to their computer

etiquette.

Auditing Computer Security To audit the security of a computer system, one must ensure

the physical safety of the hardware first. Then, accessibility

is checked by testing passwords and the security software. The

data is also tested for accuracy to ensure efficiency. Finally,

the back-up plan is tested in case of emergency.

Physical Location The physical location of system is very important to this

audit since the data can easily be destroyed or stolen due to a

lack of physical controls. Auditing the physical location of the

computer center involves testing the fireproof structure, the

flood drainage, and the location of the center. The location

should put the computer center away from any fire, civil unrest,

or other hazards (Hall, 2010, p. 49).

In the case of UMUC, it is recommended that the audit begin

with a test of the fire detection system. This system should be

capable of detecting and suppressing fires. The detection system

should also be capable and tested to detect smoke and flammable

gases. Typically, it is possible to review the tests of the fire

marshal which should be on record (Hall, 2010, p. 49).

The next step in the physical audit of the computer center

is to test the accessibility of the room. There should be a log

which records each access of the computer center. This log

should be cross referenced with cameras or work times of the

employees that access the room to verify those accessing the

room are authorized (Hall, 2010, p. 49). If the frequency of

visits to the computer center is very high, there are software

programs which can detect abnormalities in access times and

patterns once an audit trail is implemented (National Institute

of Standards and Technology).

Hall (2010, p. 49-50) also recommends testing the redundant

array of independent disks, RAID, and the continuous flow of

electricity. These two tests are to maintain that the computer

center properly backs up data and does not see an interrupted or

sudden spike in power. The backup power supply should have

enough power to runt the computer center and the air

conditioner. The test of the RAID will probably involve

consulting the system administrator (Hall, 2010, p. 49-50).

Disaster Recovery Plan & Site Auditing the Disaster Recovery Plan and the associated

backup site is the next logical step in the audit because of the

similarities to the physical location audit. The plan is a list

of procedure to be acted upon in case the computer center is

somehow compromised (Hall, 2010, p. 51). The purpose of auditing

this procedure is to verify the feasibility of the plan should a

disaster occur (Hall, 2010, p. 56).

The backup site should be audited similar to the physical

location of the computer center, if the firm has its own backup

site. If they have an agreement with another firm to help each

other in disaster, the other firms’ system should be tested for

enough storage and processing power to operate both companies

(Hall, 2010, p. 56). The backup data, software, supplies, and

documents should be stored at the backup site. Keeping separate

locations should keep any disaster from taking out the computer

center and the backup. There should also be a test of the

recovery team roster, which has the contact information for the

recovery team. Testing the accuracy of this information is vital

because it could be very costly if the information needs to be

found during a disastrous event. All of these tests should be

done by the auditor.

Computer Access Audit Auditing computer security relies on a good audit of the

access employees have to the computers. Since UMUC is an online

college, there are not physical assets. The access controls in

this case are to the computer system. The key parts of this

audit step are the passwords, data encryption, and segregation

of duties.

The password and multilevel password controls are ideal for

keeping unauthorized access from occurring. The passwords are

kept in a table and allow an employee to access his or her

applications and data. The passwords also keep unauthorized

people from viewing, inputting, modifying, or deleting data

(Hall, 2010, p. 103). To test the passwords, NIST says there are

tools for analyzing audit trails which will tell trend

detection, password strength, or attack-signature detection.

These tools will help the auditor recognize if attempts

penetrate the system are being made by unauthorized people

(NIST).

The auditor is responsible for testing the access

clearances. This involves the auditor logging onto accounts and

trying to access more information than the password is supposed

to allow. If the system allows the operation, there is a flaw in

the system which needs to be fixed.

Finally, the auditor should also review the organizational

charts and job descriptions to be positive that the proper

duties are segregated and that there is good supervision of the

critical operations (Hall, 2010, p. 104).

Virus Prevention Audit The audit of the antiviral software and the firewall are an

essential parts of this audit. In this case, it is wise to

employ an automated auditing tool to test the validity of the

firewall. Joel Snyder recommends a tool from Mu Dynamics Inc. or

Spirent Communications plc (Snyder, 2012). Once the firewall is

properly tested, the audit can move forward to the examination

of the virus software. Detecting a virus is important in

mitigating the damage caused. The auditor should not only test

the software, but also review the procedure for installation and

updates of the software (Hall, 2010, p. 105).

Data Accuracy Maintaining the accuracy of the data is one fraud and error

detection strategy. If there is an issue with the accuracy of

the data, there could have been an issue with intrusion or there

could be an error in the system. Detecting errors or

discrepancies in the data is difficult for an auditor to find

without implementing automated tools. An industry leader in

auditing tools is ACL, or audit command language. This software

provides access to data in a way that allows for substantive

tests (Hall, 2010, p. 370). One capability of generalized audit

software like ACL is the comparing files to identify

differences. This allows the auditor to be sure the data remains

free of doctoring or deleting. Maintaining the accuracy of the

data is a significant step as it can be a sign of software or

system malfunction or a sign of intrusion. Also, the data should

be accurate as the employees and students of UMUC do not wish to

continually correct flaws in the system.

Audit Conclusion The close of this audit will bring results of the current

state of affairs. It is possible that the security needs

improvement or is perfectly satisfactory. As with all business

decisions, UMUC should weigh the possible risk to the cost of

making any recommended changes. An audit of this magnitude will

take considerable time even though the use of automated auditing

tools is suggested. It will probably take 6-8 weeks to complete

this computer security audit because of the rigorous testing to

be done, especially to the firewall, passwords, and virus

detection software.

This audit relies on the use of Mu Dynamics Inc. for the

firewall test, ACL for the data accuracy test and the password

cross reference. Other tests by the auditor include location,

fire detection, segregation of duties as well as all the review

of procedures and policies. The audit should assess the accuracy

and accessibility of the data in the UMUC computer system. The

recommendations made at the end should be strongly considered by

the UMUC management.

References Hall, J.A. (2010). Information Technology Auditing (3

rd ed.).

Mason, OH: Cengage Learning.

National Institute of Standards and Technology. Audit Trails.

Retrieved from

http://csrc.nist.gov/publications/nistbul/itl97-03.txt

Snyder, J. (2012, April 9). How to test a firewall: A three-step

guide to testing firewalls. Retrieved from

http://searchsecurity.techtarget.com/tip/How-to-test-a-

firewall-A-three-step-guide-for-testing-firewalls

University of Maryland University College. About MyUMUC.

Retrieved from

http://www.umuc.edu/itsupport/bettermyumuc/index.cfm

University of Maryland University College. Policy 270.30-

Computer security. Retrieved from

http://www.umuc.edu/policies/fiscalpolicies/fisc27030.cfm