IT auditing and controls: Infrastructure general controls for CISA professionals
Understanding IT auditing and controls for information systems is crucial. Specifically, this article covers the management of information systems (IS) operations, IT service management, infrastructure operations, monitoring the use of resources, the change management process, quality assurance and media sanitization.
For a CISA professional, auditing the general controls of an organization's infrastructure is a critical part of assuring your clients' cybersecurity.

Earn your CISA, guaranteed!
Get your CISA live online or on-site, backed with an Exam Pass Guarantee!
Managing IS operations: Roles and responsibilities
When we look at managing IS operations from an auditing perspective, we typically examine three different areas: resource allocation, standards and procedures, and process monitoring. So, what are the roles and responsibilities of IS management, IS operations and information security from a management control viewpoint?
IS management ensures adequate resources are allocated to support IT operations. They're also responsible for planning the most efficient and effective use of those resources, authorizing and monitoring IT resource usage based on corporate policy, and monitoring operations to ensure compliance with standards and procedures.
So, as an IT auditor, you look to see if IS management is doing the things we just mentioned and if they can provide proof that they are monitoring operations. IS management should be able to provide a timeline that includes monitoring activities and the corrective action taken to address deviations from corporate standards. They should also be able to demonstrate that they can repeat the cycle, which means they're monitoring the corrections and taking additional corrective action if necessary.
IS operations, on the other hand, have considerably more responsibilities because they handle the day-to-day running of IT operations. Their responsibilities include:
- Job schedules
- Authorizing changes to job schedules
- Reviewing changes to the network, system and applications
- Ensuring that those changes do not negatively impact the normal processing
- Monitoring system performance and resource utilization
- Monitoring SLAs
- Planning for equipment replacement/upgrades
- Maintaining job accounting records and audit trails
- Reviewing logs
- Managing incidents
- Ensuring disaster recovery, regardless of the scale of the disaster
When auditing IS operations, look for four things: job schedules and whether the team is following them; SLAs and how they are being monitored and reported; incidents and how they're being recorded and managed; and the organization's disaster recovery system, specifically whether its backup media is valid. In other words, could a system be restored from the backup media, and has this been tested?
Information security's role is to ensure that the confidentiality, integrity and availability of data are maintained. In addition, the role includes:
- Monitoring the environment and security of the facility
- Making sure that vulnerabilities are identified and resolved in a timely manner
- Ensuring that security patches are identified and installed
- Limiting logical and physical access to IT resources to those who require and are authorized to access it
The basic auditing question is simple: are they doing what's included in their roles and responsibilities?
Remember, as an IT auditor, you must "pull the thread" and see where it leads.
For instance, in this case, you would ask if they ensured that security patches are identified and installed. If they say no, it becomes your responsibility to find out why. Is it because that role/responsibility is not in their job description? Or is it because they don't have the resources (training) to perform that role? Or is it simply that they aren't doing it?
Determining how an organization handles root cause analysis is another crucial element of the auditing process. When you make your audit report and state that information security is not ensuring that security patches are identified and installed, you will also need to explain what you found the root cause to be and have a basis for your conclusion. You might find that it wasn't in their job description, in which case you would state that and recommend that the job descriptions be updated, the people trained, and a follow-up audit performed in 90 days to determine if corrective action has been taken.
IT service management and SLAs
From an IT service management perspective, we want to look at the service level agreements (SLAs) and whether performance is being measured and reported against the requirements stated in the SLA. Some sources of information to consider in auditing this area might include:
- Exception reports
- System and application logs
- Operator problem reports
- Operator work schedules
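The measurement the previous paragraph asks for, as an added example that is not part of the original article: a small script that takes incident records, compares each one's resolution time against the maximum allowed by the SLA for its priority, and produces the summary figure plus the exception report an auditor would expect operations to be able to show. The SLA targets, the incident records and the audit date are all constructed for the example (assumptions, not real data).

```python
"""SLA compliance check over constructed incident records (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed SLA: maximum time to resolve, by priority (assumption for the example).
SLA_TARGETS = {
    "P1": timedelta(hours=4),
    "P2": timedelta(hours=24),
    "P3": timedelta(days=5),
}

# Constructed audit date; open tickets are measured up to this point.
AUDIT_DATE = datetime(2024, 3, 10, 0, 0)


@dataclass
class Incident:
    ticket: str
    priority: str
    opened: datetime
    resolved: Optional[datetime]  # None means the ticket is still open


# Constructed sample records, not real data.
SAMPLE_INCIDENTS = [
    Incident("INC-1001", "P1", datetime(2024, 3, 1, 9, 0), datetime(2024, 3, 1, 12, 30)),  # 3.5h, met
    Incident("INC-1002", "P1", datetime(2024, 3, 2, 8, 0), datetime(2024, 3, 2, 14, 0)),   # 6h, breached
    Incident("INC-1003", "P2", datetime(2024, 3, 3, 10, 0), datetime(2024, 3, 4, 9, 0)),   # 23h, met
    Incident("INC-1004", "P3", datetime(2024, 3, 1, 10, 0), None),                         # still open past 5 days
    Incident("INC-1005", "P4", datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 5, 11, 0)),  # no SLA target defined
]


def evaluate_incident(inc: Incident, now: datetime):
    """Classify one incident against its SLA target.

    Returns (status, elapsed) where status is one of
    'met', 'breached', 'open_within_sla', 'open_breached' or 'no_target'.
    """
    target = SLA_TARGETS.get(inc.priority)
    end = inc.resolved or now
    elapsed = end - inc.opened
    if target is None:
        # A priority without a target cannot be measured; that is itself a reportable gap.
        return "no_target", elapsed
    if inc.resolved is None:
        return ("open_breached" if elapsed > target else "open_within_sla"), elapsed
    return ("breached" if elapsed > target else "met"), elapsed


def sla_report(incidents, now: datetime):
    """Summarize compliance and list every ticket that needs explaining."""
    counts = {}
    exceptions = []
    for inc in incidents:
        status, elapsed = evaluate_incident(inc, now)
        counts[status] = counts.get(status, 0) + 1
        if status in ("breached", "open_breached", "no_target"):
            exceptions.append({
                "ticket": inc.ticket,
                "priority": inc.priority,
                "status": status,
                "elapsed_hours": round(elapsed.total_seconds() / 3600, 1),
            })
    closed = counts.get("met", 0) + counts.get("breached", 0)
    compliance = counts.get("met", 0) / closed if closed else None
    return {"counts": counts, "closed_compliance": compliance, "exceptions": exceptions}


def run_sample():
    """Run the report over the constructed records as of the constructed audit date."""
    return sla_report(SAMPLE_INCIDENTS, AUDIT_DATE)


if __name__ == "__main__":
    report = run_sample()
    print(f"Closed-ticket SLA compliance: {report['closed_compliance']:.0%}")
    for row in report["exceptions"]:
        print(f"  {row['ticket']} {row['priority']} {row['status']} after {row['elapsed_hours']}h")
```

The point of the exception list is that it is exactly what the auditor reads next to the exception reports and operator problem reports named above: a ticket can be out of compliance not only by taking too long, but also by sitting open past its target or by having a priority the SLA never defined.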
Infrastructure operations and day-to-day activities
Infrastructure operations include processes and activities that support and manage an organization's IT infrastructure, systems, applications and data, focusing on day-to-day activities. Some of the tasks that you would expect IT operations staff to perform would be:
- Executing and monitoring scheduled jobs
- Making sure backups run successfully
- Participating in disaster recovery tests
- Facilitating troubleshooting and incident handling
While this is not an exhaustive list, it does highlight some key areas of IT operations, namely daily execution of the schedule, making sure backups are successful and handling incidents.
Monitoring resource use and error logging
Monitoring resource use covers several things: authorized use, logging of events, incident handling and problem management. When operations monitor the use of resources, my experience has been that they are looking for anomalies, something out of the ordinary: a disk that runs out of space, a job that runs much longer than expected, a job that aborts, a user who constantly calls to have their password reset and so forth. All of these errors should be logged regardless of whether they are application, system, operator, network, telecommunication, hardware or user errors.
So, as an IT auditor, some of the things you would expect to find in the error log would be:
- Error date
- Error code
- Error description
- Source of error
- Initials of the individual responsible for the entry and for the review of the entry
- Status
- Resolution description
- Escalation date and time
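One way to turn the field list above into a repeatable audit test, as an added example that is not from the original article: parse an exported error log and flag entries that are missing required fields, closed entries with no resolution or reviewer, open entries that were never escalated, and entries reviewed by the same person who recorded them. The column names and the four sample log lines are constructed for the example.

```python
"""Completeness and review checks on an operations error log (added example)."""
import csv
import io

# Column names are an assumption for the example; they map onto the article's field list.
REQUIRED_COLUMNS = [
    "error_date", "error_code", "error_description", "source",
    "entered_by", "reviewed_by", "status", "resolution", "escalation_datetime",
]

# Fields that must be filled in on every entry, whatever its status.
ALWAYS_REQUIRED = ("error_date", "error_code", "error_description", "source", "entered_by", "status")

# Constructed sample export, not real data.
SAMPLE_LOG = """\
error_date,error_code,error_description,source,entered_by,reviewed_by,status,resolution,escalation_datetime
2024-03-01,E1042,Job PAYROLL_NIGHTLY aborted,application,JD,,open,,
2024-03-01,E0007,Disk /var 98% full on db01,system,JD,MK,closed,Log rotation fixed,2024-03-01 09:15
2024-03-02,E2210,Password reset requested 6 times,user,,MK,closed,Account unlocked; user retrained,
2024-03-03,E3001,Switch port flapping,network,JD,JD,open,,2024-03-03 14:00
"""


def parse_log(text: str):
    """Read a CSV export into a list of dicts (one per log entry)."""
    return list(csv.DictReader(io.StringIO(text)))


def field(entry, name: str) -> str:
    """Return a stripped field value, treating missing columns as empty."""
    return (entry.get(name) or "").strip()


def check_entry(entry) -> list:
    """Return the list of findings for a single entry (empty list means clean)."""
    findings = []
    for name in ALWAYS_REQUIRED:
        if not field(entry, name):
            findings.append(f"missing {name}")
    status = field(entry, "status").lower()
    if status == "closed":
        if not field(entry, "resolution"):
            findings.append("closed without resolution description")
        if not field(entry, "reviewed_by"):
            findings.append("closed without reviewer initials")
    elif status == "open" and not field(entry, "escalation_datetime"):
        findings.append("open entry has no escalation date and time")
    # Recording and reviewing the same entry defeats the purpose of the review column.
    if field(entry, "reviewed_by") and field(entry, "reviewed_by") == field(entry, "entered_by"):
        findings.append("entry reviewed by the same person who recorded it")
    return findings


def audit_log(text: str):
    """Audit a whole export: report missing columns and per-entry findings."""
    entries = parse_log(text)
    present = set(entries[0].keys()) if entries else set()
    missing_columns = [c for c in REQUIRED_COLUMNS if c not in present]
    findings = {}
    for entry in entries:
        issues = check_entry(entry)
        if issues:
            findings[field(entry, "error_code")] = issues
    return {"entries": len(entries), "missing_columns": missing_columns, "findings": findings}


def audit_sample():
    return audit_log(SAMPLE_LOG)


if __name__ == "__main__":
    result = audit_sample()
    print(f"{result['entries']} entries, missing columns: {result['missing_columns']}")
    for code, issues in result["findings"].items():
        print(f"  {code}: {'; '.join(issues)}")
```

Run against a real export, the script answers the auditor's basic question for this control: not just whether an error log exists, but whether each entry carries enough information to show who recorded it, who reviewed it, and what happened next.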
Change management: Maintaining control and integrity
In the change management area, nothing should be changed without written management approval. Nothing should be changed directly in production without having gone through testing. Also, no programmer should have access to production.
Now I realize that this is not always possible, particularly in small shops. Where it isn't possible, there should be compensating controls that the IT auditor will need to look for. There should also be a documented change management/configuration control process that includes management sign-off.
As a personal note, I also require the business process owner to sign off on all changes. How else will we align IT and the business if the business process owner doesn't know what changes are being made to their application? One of the easiest ways to ensure integrity is to insert a QA (quality assurance) group between development/test and production. By assigning roles specific to the QA group, you can establish controls over who has access to production systems, data and files. You can also control when the team makes changes and whether they have been properly authorized.
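The controls described in the last three paragraphs, expressed as tests over change records, as an added example that is not part of the original article: each change must carry written management approval, business process owner sign-off and evidence of testing; the person implementing it in production must not be a developer; and no developer may appear in the production access list at all. The group memberships, access list and change records are constructed for the example.

```python
"""Change management control checks over constructed change records (added example)."""
from dataclasses import dataclass

# Constructed group memberships (assumption for the example).
DEVELOPERS = {"alice", "bob"}
QA_GROUP = {"carol"}
OPERATIONS = {"dave"}

# Constructed list of accounts that can write to production; "bob" is a developer.
PRODUCTION_ACCESS = {"carol", "dave", "bob"}


@dataclass
class ChangeRecord:
    change_id: str
    description: str
    management_approver: str     # name on the written approval, "" if none
    business_owner_signoff: str  # name of the business process owner, "" if none
    tested_in: str               # "test" or "qa" when test evidence exists, "" otherwise
    implemented_by: str          # account that promoted the change to production


# Constructed sample records, not real data.
SAMPLE_CHANGES = [
    ChangeRecord("CHG-101", "Payroll tax table update", "mgr_erin", "owner_frank", "qa", "carol"),
    ChangeRecord("CHG-102", "Report layout fix", "", "owner_frank", "test", "carol"),
    ChangeRecord("CHG-103", "Hotfix to invoice module", "mgr_erin", "", "", "alice"),
    ChangeRecord("CHG-104", "Backup window change", "dave", "owner_frank", "qa", "dave"),
]


def check_change(rec: ChangeRecord) -> list:
    """Return the control failures for one change record (empty list means clean)."""
    findings = []
    if not rec.management_approver:
        findings.append("no written management approval")
    if not rec.business_owner_signoff:
        findings.append("no business process owner sign-off")
    if rec.tested_in not in ("test", "qa"):
        findings.append("no evidence of testing before production")
    if rec.implemented_by in DEVELOPERS:
        findings.append("promoted to production by a developer (segregation of duties)")
    if rec.implemented_by and rec.implemented_by == rec.management_approver:
        findings.append("approver implemented their own change")
    return findings


def developers_with_production_access(prod_access, developers) -> list:
    """Standing access check: developers who can touch production regardless of any change."""
    return sorted(prod_access & developers)


def audit_changes(changes, prod_access=PRODUCTION_ACCESS, developers=DEVELOPERS):
    return {
        "changes": {c.change_id: check_change(c) for c in changes},
        "developers_with_prod_access": developers_with_production_access(prod_access, developers),
    }


def audit_sample():
    return audit_changes(SAMPLE_CHANGES)


if __name__ == "__main__":
    result = audit_sample()
    for change_id, issues in result["changes"].items():
        print(f"{change_id}: {'clean' if not issues else '; '.join(issues)}")
    print("Developers with production access:", result["developers_with_prod_access"])
```

The two checks are deliberately separate: a clean set of change records says nothing about standing access, and a clean access list says nothing about whether individual changes were approved and tested. Where a small shop cannot separate the roles, the "developer promoted the change" finding is where the auditor goes looking for the compensating control.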
Media sanitization: The often-overlooked control
One final parting comment on infrastructure general controls that everyone seems to leave to the last: "Sanitization" or what happens when we no longer need data, a system, an application or a piece of hardware.
As an IT auditor, you will want to ensure that the organization has a process in place to remove all sensitive data before a piece of equipment is recycled or disposed of. In my experience, data sanitization ranges from the best (actual shredding of hard drives) to the not-so-good (running the QUICK FORMAT command). The most fun I've had with sanitization is when I was told, "We recycle our computers at a local school, and we ask them to format the hard drive before they let the students use the computers."
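Why a quick format is "not-so-good" and what an auditor can verify instead, as an added example that is not from the original article. It works on a small file-backed image rather than a real disk: a quick format only rewrites the file system metadata at the start of the volume, so a scan of the whole image still finds the data; an overwrite of every byte followed by a full read-back is the check that the data is actually gone. The image layout, the marker text and the sector size are constructed for the example; a real engagement would use the organization's documented sanitization tool and verify its output the same way.

```python
"""Sanitization verification on a constructed disk image (added example)."""
import os
import secrets
import tempfile

SECTOR = 512          # assumed sector size for the fake volume
MARKER = b"CONFIDENTIAL PAYROLL RECORD "   # constructed sensitive content


def make_sample_image(path: str, size: int = 64 * 1024) -> str:
    """Write a fake volume: a header sector followed by recognizable data."""
    with open(path, "wb") as f:
        f.write(b"FAKEFS-HEADER".ljust(SECTOR, b"\0"))
        f.write(MARKER * ((size - SECTOR) // len(MARKER)))
        f.truncate(size)
    return path


def quick_format(path: str) -> None:
    """Simulate a quick format: only the metadata sector is rewritten, data blocks are untouched."""
    with open(path, "r+b") as f:
        f.write(b"\0" * SECTOR)


def overwrite_sanitize(path: str, passes: int = 1) -> None:
    """Overwrite every byte of the image; random data on earlier passes, zeros on the last
    so that the result can be verified by reading it back."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                chunk = min(1 << 16, remaining)
                f.write(secrets.token_bytes(chunk) if p < passes - 1 else b"\0" * chunk)
                remaining -= chunk
            f.flush()
            os.fsync(f.fileno())


def verify_sanitized(path: str, marker: bytes = MARKER) -> dict:
    """Audit check: read the entire image and report residual data."""
    with open(path, "rb") as f:
        data = f.read()
    return {
        "marker_found": marker in data,
        "nonzero_bytes": len(data) - data.count(b"\0"),
    }


def demo(passes: int = 2) -> dict:
    """Run both procedures on a fresh image and return the verification results."""
    workdir = tempfile.mkdtemp(prefix="sanitize-demo-")
    image = make_sample_image(os.path.join(workdir, "disk.img"))
    results = {"before": verify_sanitized(image)}
    quick_format(image)
    results["after_quick_format"] = verify_sanitized(image)
    overwrite_sanitize(image, passes=passes)
    results["after_overwrite"] = verify_sanitized(image)
    os.remove(image)
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    for stage, result in demo().items():
        print(f"{stage:20s} marker found: {result['marker_found']!s:5s} "
              f"non-zero bytes: {result['nonzero_bytes']}")
```

The audit evidence to ask for is the equivalent of the last line: a read-back verification record per device, not just a log entry saying that a format was run. Physical destruction, the "best" case in the text, needs no read-back but does need a certificate of destruction tying each serial number to the event.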