Task 2 - Audit Simulation

The activities simulate an IT audit where objectives, resources, schedule, and possible findings are defined. The objectives include assessing preparedness to meet new regulatory requirements and areas such as security, change management, and users. Tools, personnel, and a 6-month schedule are established. Among the possible findings are identified needs for equipment maintenance and improvements to physical access controls to the system.

Mariano Gálvez University of Guatemala
School of Engineering in Information Systems

Master's in Information Security
IT Audit
Mr. Ing. Albino Cesare Buratti Aldana

Task 2
Audit simulation

Marvin Ronaldo Palma Rojas
José Manuel Contreras Molina
Randolfo Antonio de la Vega Osorio
Alberto José Caal Santisteban

Saturday Plan
Section "A"
January 28, 2022
INDEX

INTRODUCTION ........ 3
SUMMARY ........ 4
ACTIVITY 1 - DEFINITION OF AUDIT OBJECTIVES ........ 5
ACTIVITY 2 - RESOURCES NEEDED FOR THE AUDIT ........ 5
    Audit tools ........ 5
    Tools for the system ........ 5
    Involved personnel ........ 6
ACTIVITY 3 - WORK SCHEDULE ........ 7
ACTIVITY 4 - IDENTIFICATION OF POSSIBLE FINDINGS ........ 9
CONCLUSIONS ........ 13
RECOMMENDATIONS ........ 14
REFERENCES ........ 15
APPENDIX A. ........ 16
    Questionnaire ........ 16
APPENDIX B. ........ 17
    Check List ........ 17

INTRODUCTION

In recent years, IT Management has identified deficiencies in the areas of logical security and change management; these findings can trigger non-compliance with the regulatory requirements to which the organization adapts. Therefore, the areas of physical and logical security, change management, production controls, network management, IT governance and end-user management will be evaluated.

Accordingly, the objectives of the audit will be defined, the resources necessary to carry it out will be established, the work schedule will be developed, and possible findings, evidence and recommendations will be identified in the areas to be evaluated. For this, the good practices established in the ISO 27002 standard will be followed.

SUMMARY

The activities carried out simulate the scenario of an organization that wishes to evaluate its level of readiness to comply with the new regulatory requirements. Derived from this general requirement, different areas of IT Management are evaluated.

As a starting point, the objectives are defined and the resources required to carry out the audit are established; a schedule of the activities to be carried out is laid out and possible findings in the areas to be evaluated are established.

The process of identifying findings is based on the best practices detailed in the ISO 27002 standard. With the regulatory guidance of these standards, possible vulnerabilities are identified that must be taken into account in a preliminary way, as a starting point for a deeper investigation during the audit process.

Keywords: audit, evaluation, objectives, resources, schedule, findings, ISO 27002

ACTIVITY 1 - DEFINITION OF AUDIT OBJECTIVES

• Assess the organization's level of preparedness for compliance with the new regulatory requirements.
• Evaluate management reviews and the tests of the general IT control environment.
• Evaluate the areas of physical and logical security, change management, end-user management, production controls, and network management.
• Review and evaluate the segregation of IT functions and its documentation.
• Evaluate the process flows that describe the IT activities.

ACTIVITY 2 - RESOURCES NEEDED FOR THE AUDIT

The documentation and the means necessary to carry out the review and evaluation (procedures, tools and instruments) are selected according to the resources and programs previously established for the audit. The objective is to verify, systematically and in an orderly manner, compliance with the audit requirements. The tools to be used are:

Audit tools
• Questionnaires.
• Standards and protocols.
• Check List.

Tools for the system
• Backups and mirror copies of hard drives.
• File recovery software.

Involved personnel

Audit team:
• Senior Auditor

Supervisor:
• Audit execution supervisor.

Interlocutor:
• Mediator between the auditing team and the audited party.

ACTIVITY 3 - WORK SCHEDULE

Timeline: Month 1 to Month 6, weeks 1 to 24.

Activities, in the order in which they are scheduled:

1. Opening meeting and documentation
2. Definition of the scope and of the general and specific objectives of the audit
3. Review of the general procedure
4. Identification of key personnel
5. Identification of risk factors
6. Verification of requirements gathering
7. Definition of the processes significant to the audit
8. Definition of requirements
9. Understanding meetings
10. Understanding layout
11. Evaluation of internal control of physical and logical security
12. Evaluation of internal control of change management
13. Evaluation of internal control of production and network management
14. Evaluation of IT governance control
15. Evaluation of end-user control and management
16. Review and discussion of the pre-report results
17. Corrections of the results of the findings, observations, recommendations and conclusions
18. Preparation of the audit report
19. Presentation of the report

Table 1: Work schedule. (Own preparation)

ACTIVITY 4 - IDENTIFICATION OF POSSIBLE FINDINGS

Columns of the table: Macro aspect, Num., Finding, Evidence, Recommendation.

Macro aspect: Physical Security

1. Finding: Equipment Maintenance. The servers need to be reviewed to verify that everything is functioning physically as it must.
   Evidence: The OS update must be verified, since it is only partially functioning effectively on the servers.
   Recommendation: Appropriate cleaning maintenance should be provided to the servers, in order to make the most of the physical resources the server has, in accordance with the controls established in the ISO 27002 standard, implementing the equipment maintenance control (ISO, 2017).

2. Finding: Physical Entry Controls. This will enhance access control over the system.
   Evidence: There is no appropriate control over access keys.
   Recommendation: To have better access control to the system, a fingerprint reader can be included so that there is a unique bearer of said access, regarding the control "Access control to systems and applications" of the ISO 27002 standard (ISO, 2017).

Macro aspect: Access control to systems and applications

1. Finding: User Password Management. This will allow better control over the collaborators that are active within the system and over their keys.
   Evidence: There is no suitable control over access keys.
   Recommendation: Likewise, to have better management of the users that are active, a document about those users should be created. Users must have a unique code that identifies them, and their keys must comply with the security standards, for which each key must contain uppercase letters, lowercase letters, signs and numbers.

2. Finding: Access Control Policy. This policy will provide a broader concept about the proper use of users.
   Evidence: Shared accounts for management.
   Recommendation: Documents must be developed, providing a copy to each of the users about the access policies; this document will contain the stipulated norms and rules, which must be fulfilled to the letter. Among said rules it will be made clear that a user account cannot be provided or lent, especially if it has a higher access level; this will avoid possible sabotage or fraud within the systems, according to the control "User access management" of the ISO 27002 standard (ISO, 2017).

Macro aspect: Security in development and support processes

1. Finding: Change Control Procedures in the Systems. This will detail the changes to be made within the system.
   Evidence: Repeated problems have been identified in the change management area.
   Recommendation: It must be established how to proceed with the changes applied to the system; the collaborators must be trained and informed so that the changes are understandable and the system is managed appropriately, following the guidelines raised in the control "Security in development and support processes" of the ISO 27002 standard (ISO, 2017).

2. Finding: Technical Review of the applications after changes. This will provide a log of the changes and of how the system has worked.
   Evidence: Failure to document the changes.
   Recommendation: After the changes completed in the systems, they will be put to test and the process flows will be reviewed, to verify that they continue working appropriately and, even better, that the flow of processes in the system has improved.

Macro aspect: Operational security management

1. Finding: Audit Controls of the Information Systems. This will provide knowledge about previous audits and system evaluation.
   Evidence: This control will evaluate the degree of preparation of the organization, to measure compliance with the new regulatory requirements.
   Recommendation: It will keep the company informed regarding the previous audits that have been carried out; in the same way it will prepare the company for the new audit, which will verify whether it is complying with the regulations, according to the domain of operational security of the ISO 27002 standard (ISO, 2017).

2. Finding: Documentation of Operating Procedures. This will provide a general overview of the process flow.
   Evidence: Management reviews and the tests of the general IT control environment will be evaluated.
   Recommendation: The documentation will have all the information about the flow of the activities, the main function of the modules and how the information received by the collaborators is digitized, giving an overview of the environment and consequently enabling better control.

Macro aspect: Network security management

1. Finding: Network Controls. The restrictions that have been added to the network must be taken into account.
   Evidence: The download of OS updates to the servers must be reviewed.
   Recommendation: A review must be done and the restrictions for making requests to the internet must be documented, since the OS can be downloaded but there should not be permission to download games and/or chat applications; this is according to the network controls established in the ISO 27002 standard (ISO, 2017).

2. Finding: Network Segregation. This will allow a division of the current network, to have different access points, each with its own restrictions.
   Evidence: Downloads of operating system updates to the servers.
   Recommendation: The network should be segmented, in order to have divisions of work that do not interfere with each of the areas; this means that there will be a segment dedicated to each area and also one for the servers, with different restrictions to access content on the internet or to limit downloads.

Macro aspect: Security incident management

1. Finding: Responsibilities and Procedures. This will determine who is in charge of incident management and how incidents must be faced.
   Evidence: In previous years, problems have been repeated in the areas of logical security and change management.
   Recommendation: It should be documented who are the ones responsible for change management and who must provide support, and how they should proceed if a logical security incident comes to exist, regarding the control "Responsibilities and procedures" of the ISO 27002 standard (ISO, 2017).

2. Finding: Incident Learning. This will help there to be qualified personnel for future events.
   Evidence: In previous years, problems have been repeated in the areas of logical security and change management.
   Recommendation: After resolving the incidents, a learning meeting must be held that will help to better understand what happened and what must be done in those cases, to have an idea about the procedures that must be carried out, regarding the control "Learning from information security incidents" of the ISO 27002 standard (ISO, 2017).

Macro aspect: End-user management

1. Finding: Acceptance Tests. The end users will be able to perform tests to verify proper functioning.
   Evidence: End-user management must be evaluated.
   Recommendation: At the end of the change or implementation of the modules, the end user must perform tests to be able to verify the process flow and give approval of its functioning.

2. Finding: Protection of Data Used in Tests.
   Evidence: End-user management must be evaluated.
   Recommendation: It will be guaranteed through a document that the tests entered by the end users will be protected, since this is already part of the flow of system processes.

Table 2: Identification of possible findings, evidence, and recommendations. (Own preparation)
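The two access-control findings above recommend that every user carry a unique identifying code and that each access key contain uppercase letters, lowercase letters, signs and numbers. The following is an added example, not code from the report or its authors, of how an auditor or an application's account-provisioning step could check a user registry against exactly those rules: it reports duplicate user codes, inactive accounts that are still present, and the specific rule each key fails. The minimum length of 12 characters and the sample records are assumptions constructed for the example; the report states neither.

```python
"""Added example: checking a user registry against the password and unique-code
recommendations of the access-control findings (constructed data, not the
report's own code)."""
import string
from collections import Counter
from dataclasses import dataclass

MIN_LENGTH = 12  # assumption: the report names no minimum length


@dataclass(frozen=True)
class UserRecord:
    user_id: str    # the unique code that should identify the collaborator
    password: str   # the access key as received at provisioning / key change
    active: bool    # whether the collaborator is currently active


def password_issues(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return the rules a key fails; an empty list means the key is compliant.
    Rules from the finding: uppercase, lowercase, signs (punctuation), numbers."""
    issues: list[str] = []
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        issues.append("no uppercase letter")
    if not any(c.islower() for c in password):
        issues.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        issues.append("no number")
    if not any(c in string.punctuation for c in password):
        issues.append("no sign (punctuation)")
    return issues


def audit_users(users: list[UserRecord]) -> list[tuple[str, str]]:
    """Return (user_id, issue) pairs: duplicate codes for every record that
    shares its code, inactive accounts still present in the registry, and the
    key rules each active account fails."""
    counts = Counter(u.user_id for u in users)
    report: list[tuple[str, str]] = []
    for u in users:
        if counts[u.user_id] > 1:
            report.append((u.user_id, "duplicate user code"))
        if not u.active:
            # An inactive collaborator should not keep a live account at all,
            # so its key is not assessed further.
            report.append((u.user_id, "inactive account still present"))
            continue
        for issue in password_issues(u.password):
            report.append((u.user_id, issue))
    return report


# Constructed sample registry (hypothetical users, not from the report).
SAMPLE_USERS = [
    UserRecord("U-0001", "Tr0ub4dor&Rojas!", True),   # compliant
    UserRecord("U-0002", "password123", True),        # weak key
    UserRecord("U-0002", "Xy9$abcdEFGH", True),       # reuses U-0002's code
    UserRecord("U-0003", "Zq2!zzzzzzzz", False),      # inactive, still present
]


def sample_report() -> list[tuple[str, str]]:
    """Run the audit over the constructed registry."""
    return audit_users(SAMPLE_USERS)


if __name__ == "__main__":
    for user_id, issue in sample_report():
        print(f"{user_id}: {issue}")
```

Each duplicate record is reported on its own line, so the auditor sees both accounts that share a code rather than only the second one; a real check would run against exported account metadata and password-policy settings rather than against plaintext keys.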

CONCLUSIONS

The possible findings were identified, with evidence based on the statement of the problem; with the analysis of this starting point it is possible to establish the context of the scope, the necessary tools, the work times and the possible areas and aspects to be explored. Therefore, it is concluded that the activities carried out must be part of the initial auditing process, establishing a starting point with the aspects that will determine the evaluations to be carried out, as well as the resources that will be necessary.

The tools necessary for an IT audit process can vary according to the inquiry needs required by the evaluation process; it was concluded that the fundamental tools for the proposed scenario are questionnaires and checklists, due to their versatility for obtaining specific information, given the initial signs of the scenario.

RECOMMENDATIONS

It is considered worthwhile to complement the audit process with the ISO 27001 standard, which establishes an Information Security Management System, with a more general plan and possible guidelines for the documentation of information processing procedures. The following points are also proposed:

• Validation of the documentation of existing processes, based on the best practices established in the ISO 27001 standards.
• Establish the initial context of each area to be evaluated, as indicated in the ISO 31000 standards.
• Perform risk analysis for the assessment of possible threats or vulnerabilities, establishing their level of risk.

REFERENCES

ISO. (2017). ISO 27002: Code of practice for information security controls.

APPENDIX A.
Questionnaire

1. Could you tell us the procedure for developing a new requirement?

2. Do you know the standards for a secure user key?

3. Do you have a formal document to request the data necessary for conducting tests?

4. Do the projects have a set schedule?

5. Does the project have a general testing plan?

6. Do you think that change management is carried out properly when updating the system?

7. Do you have physical access security, such as fingerprint readers or ID cards?

8. Once the requirement is in the hands of the assigned area, how is it followed up?

APPENDIX B.
Check List

CHECKLIST
Domain: PROCESS
Control objective: User requirements

ID          Evaluated aspect          In accordance (YES / NO)          Observations
RQUIS-01
RQUIS-02
RQUIS-03
RQUIS-04
RQUIS-05
RQUIS-06

Table 3: Checklist for user requirements. (Own preparation)

CHECKLIST
Domain: PROCESS
Control objective: Project planning

ID          Evaluated aspect          In accordance (YES / NO)          Observations
PLANP-01
PLANP-02
PLANP-03
PLANP-04
PLANP-05

Table 4: Project planning checklist. (Own preparation)