Professional Documents
Culture Documents
Introduction—The specialised nature of information systems (IS) auditing, and the skills necessary to perform such audits, require standards
that apply specifically to IS auditing. One of the goals of the Information Systems Audit and Control Association (ISACA) is to advance globally
applicable standards to meet this need. The development and dissemination of the IS Auditing Standards are a cornerstone of the ISACA
professional contribution to the audit community.
Scope and Authority of IS Auditing Standards—The framework for the IS Auditing Standards provides multiple levels of guidance:
Standards define mandatory requirements for IS auditing and reporting.
Guidelines provide guidance in applying IS Auditing Standards. The IS auditor should consider them in determining how to achieve
implementation of the standards, use professional judgment in their application and be prepared to justify any departure.
Procedures provide examples of procedures an IS auditor might follow in an audit engagement. Procedures should not be considered
inclusive of any proper procedures and tests or exclusive of other procedures and tests that are reasonably directed to obtain the same
results. In determining the appropriateness of any specific procedure, group of procedures or test, IS auditors should apply their own
professional judgment to the specific circumstances presented by the particular information systems or technology environment. The
procedure documents provide information on how to meet the standards when performing IS auditing work, but do not set requirements.
The words audit and review are used interchangeably. A full glossary of terms can be found on the ISACA web site at
www.isaca.org/glossary.htm.
®
Holders of the Certified Information Systems Auditor (CISA ) designation are to comply with IS Auditing Standards adopted by ISACA.
Failure to comply with these standards may result in an investigation into the CISA holder’s conduct by the ISACA Board of Directors or
appropriate ISACA committee and, ultimately, in disciplinary action.
Development of Standards, Guidelines and Procedures—The ISACA Standards Board is committed to wide consultation in the
preparation of the IS Auditing Standards, Guidelines and Procedures. Prior to issuing any documents, the Standards Board issues exposure
drafts internationally for general public comment. The Standards Board also seeks out those with a special expertise or interest in the topic
under consideration for consultation where necessary.
The following COBIT resources should be used as a source of best practice guidance:
Control Objectives—High-level and detailed generic statements of minimum good control
Control Practices—Practical rationales and how-to-implement guidance for the control objectives
Audit Guidelines—Guidance for each control area on how to: obtain an understanding, evaluate each control, assess compliance, and
substantiate the risk of controls not being met
Management Guidelines—Guidance on how to assess and improve IT process performance, using maturity models, metrics and
critical success factors
Each of these is organised by the IT management process, as defined in the COBIT Framework. COBIT is intended for use by businesses
and IT management as well as IS auditors. Its usage allows for the understanding of business objectives and for the communication of best
practices and recommendations around a commonly understood and well-respected standard reference.
The Standards Board has an ongoing development programme and welcomes the input of ISACA members and other interested parties to
help identify emerging issues requiring new standards. Any suggestions should be e-mailed (research@isaca.org), faxed (+1.847.253.1443)
or mailed (address provided at the end of this guideline) to ISACA International Headquarters, for the attention of the director of research
standards and academic relations.
1.3.3
rd
This procedure also defines IDS controls within the existing COBIT 3 Edition, Framework, published in 2000 by the IT
Governance Institute.
2. WHAT IS AN IDS?
2.1 Definition
2.1.1 Intrusion detection is the process of detecting unauthorised use of systems and networks through the use of specialised software
and/or hardware. The primary purpose of an IDS is to provide the ability to view network and system activity in real time and to
identify unauthorised activity. In addition, it can provide a nearly real-time automated response. IDS products also provide the
ability to analyse today's activity in relation to past activity to identify larger trends and problems.
Suggested Procedures 3
Planning the An integral part of planning is understanding the organisation’s information system environment to a
review sufficient extent for the IS auditor to determine the size and complexity of the systems and the extent of the
organisation’s dependence on information systems. The IS auditor should gain an understanding of the
organisation’s mission and business objectives, the level and manner in which information technology and
information systems are used to support the organisation, and the risks and exposures associated with the
organisation’s objectives and its information systems. Also, an understanding of the organisational
structure including roles and responsibilities of key IT staff responsible for maintaining the IDS should be
obtained.
Evaluate IDS configuration parameters to scan for attacks. Certain parameters can crash a system or
application, rendering a system unusable.
Provide reasonable assurance that:
The IDS is configured to identify suspicious files and database modifications or even unexplained files
that have been added.
User accounts, system files and log files are monitored for tampering.
The IDS is configured to send alerts when high-level intrusions occur and to minimise alerting resulting
from false positives and low level attacks
The IDS operates based on attack signatures (misuse detection).
Alerts either by page, e-mail or other means can be sent.
A reporting module exists to aggregate attacks over a given period (i.e., hourly, weekly, monthly).
Filters are positioned based upon security policy to minimise false positives.
Relationship Determine that the IDS does not require software to be installed on the firewall.
to firewalls Provide reasonable assurance that appropriate actions are taken when intrusion incidents are identified.
Incident response procedures should be developed in conjunction with IDS implementation. The basic
approach to responding to network attacks should include preparation, detection, containment, eradication,
recovery and follow-up.
Performance Document the system flow process by gathering information including both the computerised and manual
of audit aspects of the system. The focus should be on the processing related to data flows that are of significance
to the audit objective. The IS auditor may find, depending upon the processes and the use of technology,
work that documenting the transaction flow may not be practical. In that event, the IS auditor should prepare a
high level diagram or narrative and/or utilise quality system documentation if provided.
Identify and test the IDS controls. Identify specific controls to mitigate risks and obtain sufficient audit
evidence to determine that the controls are operating as intended. This can be accomplished through
procedures such as:
Inquiry and observation
Review of documentation
Testing of IDS controls
Determine whether:
A third party provides information and assists in incident response
The system communicates with firewalls/routers and that this communication is secured, or is a
separate channel/network required for secure communications (a parallel control network)
The IDS includes a tool for generating written reports that summarise the daily event log
Automated response mechanisms are available
Provide reasonable assurance that:
Signatures are updated often.
Updates are distributed via a secure method (such as encrypted or digitally sealed).
The IDS can detect many different types of attacks.
The false-positives are managed based on the level of risk.
The IDS requires updates to its rules.
A specialised figure is in place for providing/updating IDS rules.
Information about the latest attacks is used to keep the IDS updated.
The IDS is effectively scalable (such as many sensors can be monitored/managed at a time).
The product has a low effect on network/host performance.
Other performance issues the IDS raises can be controlled.
The maximum bandwidth the system has been measured to analyse without loss, so that it provides
100 percent analysis coverage, is compatible with organisation needs.
The IDS analyses all network protocols in place if the organisation is network-based.
The IDS has the capability to analyse the upper level application protocols with sufficient detail.
The IDS does not require software to be installed on the host.
The communications between the sensor and the central manager are robust enough.
Alarm capture is reliable. If a high volume of alarms is generated, all of them are to be captured and
put into a database.
Data obtained from the IDS are appropriately and effectively managed (i.e., data visualisation is a key
issue).
A detailed procedure is in place explaining the actions to be taken when the IDS detects a problem.
The operating mechanism of the IDS is known by personnel.
The IDS can be used to accomplish other adjunct network management activity such as network
device management.
The IDS is appropriate for deployment on the perimeter of the network as well as inside the network.
Product detects internally-generated abuse by authorised users over a long period of time.
The IDS is customised or configured to meet specific site policies and requirements.
List of people having access to the IDS is small and controlled.
Expertise and training are conducted to set up and maintain the IDS and analyse the results on a
regular basis.
The IDS takes advantage of logs produced by other systems.
The IDS integrates with other vulnerability assessment products.
The IDS can respond reactively (communicate with firewalls/routers to block packets from a presumed
attacker's IP net address).
The IDS reporting tools are efficient and accurate (lists of events, GUIs with icons representing
events).
The methods for alerting the IDS operator/security manager are efficient and effective.
4. EFFECTIVE DATE
4.1 This guideline is effective for all information systems audits beginning on or after 1 August 2003. A full glossary of terms can be
found on the ISACA web site at www.isaca.org/glossary.htm.
APPENDIX
COBIT Reference
Selection of the most relevant material in COBIT applicable to the scope of the particular audit is based on the choice of specific COBIT IT
processes and consideration of COBIT’s information criteria.
PO6—Communicate Management Aims and Direction
PO9—Assess Risks
AI3—Acquire and Maintain Technology Infrastructure
DS5—Ensure Systems Security
DS7—Educate and Train Users
DS10—Manage Problems and Incidents
Copyright 2003
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Telephone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: research@isaca.org
Web site: www.isaca.org