
Information security audit: goals, methods and tools, with an example. Information security audit of a bank

Today almost everyone knows the near-sacred phrase that whoever owns information owns the world. That is why, in our time, everyone is trying to steal confidential information, and in response unprecedented steps are taken to introduce means of protection against possible attacks. Sometimes, however, it becomes necessary to audit the information security of an enterprise. What that is and why it is all needed, we will now try to figure out.

What is an information security audit in a general definition?

We will not go into abstruse scientific terminology here; instead we will try to define the basic concepts for ourselves in the simplest possible language (popularly this might be called an audit "for dummies").

The name of this set of activities speaks for itself. An information security audit is an independent verification or expert assessment of the security of the information system (IS) of an enterprise, institution or organization, carried out on the basis of specially developed criteria and indicators.

In simple terms, an information security audit of a bank, for example, comes down to assessing how well customer databases, the banking transactions performed, electronic funds, bank secrecy and so on are protected against interference in the institution's activities by outsiders using electronic and computer means.

Surely at least one reader has been called at home or on a mobile phone with an offer of a loan or deposit from a bank they have no relationship with. The same applies to purchase offers from some stores. Where did your number come from?

It's simple. If a person previously borrowed money or put money into a deposit account, their data was naturally saved in a single client database. When the call comes from another bank or store, only one conclusion can be drawn: information about them got into third hands illegally. How? In general, there are two options: either it was stolen, or bank employees knowingly handed it over to third parties. To prevent such things from happening, an information security audit of the bank must be conducted in time, and it covers not only the computer or "hardware" means of protection but the entire staff of the banking institution.

The main directions of information security audit

As for the scope of such an audit, several areas are usually distinguished:

  • A full check of the objects involved in informatization processes (computer automated systems, means of communication, reception, transmission and processing of information, technical facilities, premises for confidential meetings, surveillance systems, etc.);
  • Verification of the reliability of the protection of confidential, restricted-access information (identification of possible leakage channels and potential security holes that allow access to it from outside by standard and non-standard methods);
  • Verification of all electronic technical means and local computer systems for the effect of electromagnetic radiation and interference pickup on them, which can be used to switch them off or render them unusable;
  • The design part, which includes work on creating a security concept and applying it in practice (protection of computer systems, facilities, communications, etc.).

When does it become necessary to carry out an audit?

Leaving aside critical situations in which protection has already been breached, an information security audit in an organization may be conducted in a number of other cases.

Typically these include expansion of the company, mergers, acquisitions or joining with other enterprises, a change in the business concept or in management, changes in international legislation or in the legal acts of a single country, and fairly serious changes in the information infrastructure.

Types of audit

Today the classification of this type of audit is, according to many analysts and experts, not settled, so the division into classes can in some cases be rather arbitrary. Nevertheless, in the general case an information security audit can be divided into external and internal.

An external audit, conducted by independent experts entitled to do so, is usually a one-time audit that may be initiated by the company's management, shareholders, law enforcement agencies, etc. An external information security audit is considered recommended (not mandatory) to be carried out regularly over a specified period of time. For some organizations and enterprises, however, it is mandatory by law (for example, financial institutions and organizations, joint-stock companies, etc.).

An internal information security audit is a continuous process. It is based on a special "Regulation on internal audit". What is that? In effect, these are certification activities carried out within the organization, within timeframes approved by management. The information security audit is provided by dedicated structural subdivisions of the enterprise.

Alternative classification of audit types

In addition to the division into classes described above, several further components adopted in the international classification can be distinguished in the general case:

  • An expert check of the state of security of information and information systems, based on the personal experience of the experts conducting it;
  • Attestation of systems and security measures for compliance with international standards (ISO 17799) and the state legal documents governing this field of activity;
  • Analysis of the security of information systems using technical means, aimed at identifying potential vulnerabilities in the software and hardware complex.

Sometimes a so-called complex (comprehensive) audit is applied, which includes all of the above types. Incidentally, it is this kind that gives the most objective results.

Set goals and objectives

Any verification, whether internal or external, begins with setting goals and objectives. Put simply, it is necessary to define why, what and how things will be checked. This predetermines the method by which the whole process is carried out.

Depending on the specifics of the structure and activities of the enterprise, organization or institution, the tasks set can be numerous. Among all of them, however, the unified goals of an information security audit stand out:

  • Assessment of the state of security of information and information systems;
  • Analysis of the possible risks associated with the threat of penetration into the IS from outside and of the possible methods by which such an intrusion could be carried out;
  • Localization of holes and gaps in the security system;
  • Analysis of the compliance of the security level of information systems with existing standards and regulations;
  • Development and issuance of recommendations to eliminate existing problems, improve existing protective measures and introduce new developments.

Methods and means of conducting the audit

Now a few words about how the check is carried out and what stages and means it includes.

An information security audit consists of several main stages:

  • Initiation of the verification procedure (clear definition of the auditor's rights and responsibilities, preparation of the audit plan by the auditor and its approval with management, resolution of the question of the boundaries of the study, imposition of obligations on the organization's employees to assist and to provide the necessary information in a timely manner);
  • Collection of initial data (the structure of the security system, the distribution of security equipment, the levels at which the security system operates, analysis of the methods for obtaining and providing information, identification of communication channels and of the interaction of the IS with other structures, the hierarchy of computer network users, definition of protocols, etc.);
  • Conducting a comprehensive or partial verification;
  • Analysis of the data obtained (analysis of risks of any type and of conformity to standards);
  • Issuing recommendations for eliminating possible problems;
  • Creation of reporting documentation.

The first stage is the simplest, since its decisions are taken exclusively between the company's management and the auditor. The boundaries of the analysis may be considered at a general meeting of employees or shareholders. All of this relates more to the legal field.

The second stage, collecting initial data, is the most resource-intensive, whether it is an internal information security audit or an external independent certification. This is because at this stage it is necessary not only to study the technical documentation for the entire software and hardware complex, but also to conduct focused interviews with the company's employees, in most cases including the completion of special questionnaires.

As for the technical documentation, it is important to obtain data on the structure of the IS and the priority levels of employees' access rights, to identify system-wide and application software (operating systems, applications for business, management and accounting) as well as protective tools of both software and non-software type (antivirus, firewall, etc.). This also includes full verification of the networks and of the providers supplying communication services (networking, protocols used for connection, types of communication channels, methods of transmitting and receiving information flows and much more). As is already clear, this takes quite a lot of time.

At the next stage, the methods for auditing information security are defined. Three are distinguished:

  • Risk analysis (the most complex methodology, based on the auditor determining the possibility of penetrating the IS and breaching its integrity by all possible methods and means);
  • Assessment of compliance with standards and legislative acts (the simplest and most practical method, based on comparing the current state of affairs with the requirements of international standards and national documents in the field of information security);
  • A combined method, combining the first two.

Once the results of the inspection have been received, their analysis begins. The information security audit tools used for the analysis can be quite diverse; it all depends on the specifics of the enterprise's activities, such as the information, the software used, the means of protection, etc. However, as can be seen from the first method, the auditor will mainly have to rely on his own experience.

And this simply means that he must have the appropriate qualifications in the field of information technology and data protection. On the basis of this analysis the auditor also calculates the possible risks.

Note that he must deal not only with the operating systems or the programs used, for example, for business or accounting purposes, but must also clearly understand how an intruder could enter the information system in order to steal, corrupt or destroy data, create preconditions for disrupting the operation of computers, or spread viruses or malware.

Evaluation of audit results and recommendations for resolving problems

On the basis of the analysis, the expert draws a conclusion on the state of protection and issues recommendations for eliminating existing or potential problems, upgrading the security system, etc. The recommendations should be not only objective but also clearly tied to the realities of the enterprise's specifics. In other words, there is no place for generic tips such as "upgrade the configuration of the computers or the software". The same applies to advice to dismiss "untrustworthy" employees or to install new monitoring systems without a specific indication of their purpose, location and feasibility.

Based on the analysis, the risks are as a rule sorted into several groups. Two main indicators are used to compile the consolidated report: the likelihood of an attack and the damage caused to the company as a result (loss of assets, loss of reputation, loss of image, etc.). However, the indicators for the groups are not read the same way: for attack probability a low score is best, while for damage it is the opposite.
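As an added illustration of the consolidated report described here, and of the combined method (risk analysis plus compliance assessment) from the list of audit methods above, the following Python script scores each finding by the two indicators named in the text, likelihood of attack and resulting damage, sorts the findings into risk groups and checks them against a control checklist. This is example code written for this page, not a tool or method of the article's author; the findings, the 1-5 scales, the control identifiers and the group thresholds are all constructed for illustration and are not taken from any real audit or standard.

```python
"""Consolidated audit report: likelihood x damage scoring, risk groups and a
compliance check against a control checklist.

Added example. Every finding, scale, control id and threshold below is
constructed for illustration; none comes from a real audit or standard.
"""
from dataclasses import dataclass, field

# Ordinal scales (constructed). For likelihood the low end is the good end;
# for damage the low end is likewise the cheap end, so the product ranks
# findings with both indicators pulling in the same direction.
LIKELIHOOD = {"low": 1, "medium": 3, "high": 5}
DAMAGE = {"minor": 1, "moderate": 3, "severe": 5}

# Hypothetical checklist of controls the audit is asked to attest.
CONTROLS = {
    "AC-1": "access to client data restricted by role",
    "MW-1": "antivirus signatures updated daily",
    "PH-1": "server room access log reviewed weekly",
    "NW-1": "guest Wi-Fi isolated from the office network",
}


@dataclass
class Finding:
    ident: str
    description: str
    likelihood: str                                        # key of LIKELIHOOD
    damage: str                                            # key of DAMAGE
    failed_controls: list = field(default_factory=list)    # ids from CONTROLS


def risk_score(finding: Finding) -> int:
    """Likelihood x damage on the constructed scales, giving 1..25."""
    return LIKELIHOOD[finding.likelihood] * DAMAGE[finding.damage]


def risk_group(score: int) -> str:
    """Map a score onto the report's risk groups; the cut-offs are an assumption."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_report(findings: list) -> dict:
    """Consolidated report: (finding id, score) per group, highest score first,
    plus the controls that at least one finding fails and a compliance ratio."""
    groups = {"critical": [], "high": [], "medium": [], "low": []}
    for f in sorted(findings, key=risk_score, reverse=True):
        groups[risk_group(risk_score(f))].append((f.ident, risk_score(f)))
    failed = sorted({c for f in findings for c in f.failed_controls})
    unknown = [c for c in failed if c not in CONTROLS]
    if unknown:
        raise ValueError(f"finding references unknown control(s): {unknown}")
    return {
        "groups": groups,
        "failed_controls": failed,
        "compliance_ratio": round(1 - len(failed) / len(CONTROLS), 2),
    }


# Constructed findings, as an auditor might record them for a small bank branch.
SAMPLE_FINDINGS = [
    Finding("F1", "client database export on a share readable by all staff",
            "high", "severe", ["AC-1"]),
    Finding("F2", "antivirus signatures 30 days old on branch workstations",
            "medium", "moderate", ["MW-1"]),
    Finding("F3", "server room door log never reviewed",
            "low", "moderate", ["PH-1"]),
    Finding("F4", "guest Wi-Fi splash page shows an outdated policy text",
            "low", "minor"),
]

if __name__ == "__main__":
    report = build_report(SAMPLE_FINDINGS)
    for group, items in report["groups"].items():
        print(f"{group:>8}: {items}")
    print("failed controls:", report["failed_controls"])
    print("compliance ratio:", report["compliance_ratio"])
```

On the constructed sample, F1 (high likelihood, severe damage) lands in the critical group with a score of 25, F2 in the high group, F3 in the medium group and F4 in the low group, and three of the four checklist controls are failed. In a real report the scales, thresholds and checklist would be taken from the audit plan agreed at the initiation stage, so that the grouping is defensible to management rather than a matter of the auditor's taste.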

Only after this is a report prepared, detailing all the steps, methods and tools of the study. It is agreed with management and signed by both parties, the enterprise and the auditor. If the audit is internal, the report is drawn up by the head of the relevant structural unit and, again, signed by the head of the organization.

Audit of information security: an example

Finally, consider the simplest example of a situation that actually happened. To many, incidentally, it may seem very familiar.

A certain employee of a company engaged in procurement in the United States installed the ICQ messenger on his computer (the name of the employee and of the company are withheld for understandable reasons). Negotiations were conducted through this program. But ICQ is quite vulnerable in terms of security. When registering the number, the employee at that time either had no e-mail address or simply did not want to give one. Instead he entered something resembling an e-mail address, even with a non-existent domain.

What would an attacker do? As the information security audit showed, he would register exactly the same domain and create another registration address in it, after which he could send a message to Mirabilis, the owner of the ICQ service, requesting that the password be restored because it had been lost (which would have been done). Since the recipient's server was not a mail server, it included a redirect to the attacker's existing mail.

As a result, he gains access to the correspondence under the specified ICQ number and informs the supplier of a change in the address of the recipient of the goods in a certain country. Thus the cargo is sent nobody knows where. And this is the most innocuous example, mere petty hooliganism. What about more serious hackers, who are capable of much more...
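The weak point the audit identified in this story is that the service accepted a recovery e-mail address whose domain did not exist. An auditor would recommend, and a system owner would implement, a check that rejects such an address before it is stored. The following Python code, added here as an example and not taken from the article, ICQ or Mirabilis, shows that check: the address is parsed, the domain is looked up, and an address is rejected if its domain is unregistered (anyone could register it later) or has no mail exchanger (reset mail would not reach a mailbox the user controls). DNS is replaced by a constructed table, `FAKE_DNS`, so the code runs offline; the resolver is an injectable function (an assumed interface) so that a real lookup, for instance dnspython's `dns.resolver.resolve(domain, "MX")`, can be plugged in.

```python
"""Validation of a recovery e-mail address before it is accepted for an account.

Added example, not from the page. DNS is replaced by a constructed table so the
code runs offline; the resolver contract (assumed) is: return a list of records,
or None when the domain does not exist at all (NXDOMAIN).
"""
import re

# Constructed DNS data: one domain with mail service, one web-only host, and
# no entry at all for "nosuch-domain.example" (it does not exist).
FAKE_DNS = {
    "example.com": {"A": ["203.0.113.10"], "MX": ["mail.example.com"]},
    "web-only.example": {"A": ["203.0.113.20"], "MX": []},
}


def fake_resolver(domain: str, rtype: str):
    """Stand-in for DNS: list of records, or None if the domain does not exist."""
    entry = FAKE_DNS.get(domain.lower())
    if entry is None:
        return None
    return entry.get(rtype, [])


# Deliberately simple syntax check: local part, one "@", a dotted domain.
_ADDRESS = re.compile(r"^(?P<local>[^@\s]{1,64})@(?P<domain>[^@\s]+\.[^@\s.]+)$")


def validate_recovery_email(address: str, resolver=fake_resolver):
    """Return (accepted, reason).

    Rejects malformed addresses, unregistered domains and, as a policy choice
    (an assumption of this example), domains that publish no MX record."""
    m = _ADDRESS.match(address.strip())
    if not m:
        return False, "malformed address"
    domain = m.group("domain").lower()

    mx = resolver(domain, "MX")
    if mx is None:
        # The situation from the story: nobody owns this domain yet, so a
        # later registrant would receive every password-reset message.
        return False, f"domain {domain} does not exist and could be registered by anyone"
    if not mx:
        return False, f"domain {domain} has no mail exchanger; reset mail could not be delivered"
    return True, f"mail for {domain} is handled by {mx[0]}"


if __name__ == "__main__":
    for candidate in ("buyer@example.com", "buyer@web-only.example",
                      "buyer@nosuch-domain.example", "buyer at example.com"):
        print(candidate, "->", validate_recovery_email(candidate))
```

This check only establishes that the domain is real and accepts mail; it says nothing about whether the user actually controls the mailbox, so in practice it is paired with a confirmation code sent to the address before the address is trusted for password recovery. During an audit, the same function run over an export of stored recovery addresses (with a real resolver) gives a quick inventory of accounts whose recovery contact is unregistered or undeliverable.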

Conclusion

That, in brief, is all that concerns auditing IS security. Of course, not all of its aspects have been touched upon here, simply because a great many factors influence the formulation of the tasks and the methods of carrying them out, so the approach in each specific case is strictly individual. In addition, the methods and tools for auditing information security may differ from one IS to another. Nevertheless, it seems that the general principles of such checks will be clear to many even at this introductory level.
