IT auditing and controls - Infrastructure general controls

July 1, 2011, by Kenneth Magee


Infrastructure General Controls

For this last article on IT Auditing and Controls, I want to focus on information systems operations.  I’ll talk a little about Management of IS Operations; IT Service Management; Infrastructure Operations; Monitoring the Use of Resources;  Change Management Process; Quality Assurance; and finally Media Sanitization.

When we look at Management of IS Operations from an auditing perspective, we typically look at three different areas: resource allocation, standards and procedures, and process monitoring.  So what are the roles and responsibilities of IS Management, IS Operations, and Information Security from a management control viewpoint?

IS Management is really responsible for ensuring adequate resources are allocated to support IT Operations.  They’re also responsible for planning the most efficient and effective use of those resources; authorizing and monitoring IT resource usage based on corporate policy and monitoring operations to ensure compliance with standards and procedures.

So as an IT auditor, what should you be looking for?  Whether IS Management is in fact doing the things we just mentioned, and whether they can provide proof that they are monitoring operations.  IS Management should be able to provide a timeline which includes monitoring activities and the corrective action taken to correct deviations from corporate standards, followed by a repeat of the cycle, which means they’re monitoring the corrections and taking additional corrective action if necessary.

IS Operations on the other hand has considerably more things to focus on than IS Management, in that they are the ones responsible for the day-to-day running of IT operations.  For example, they are responsible for:

  • Job schedules
  • Authorizing changes to job schedules
  • Reviewing changes to the network, system and applications
  • Ensuring that those changes do not negatively impact the normal processing
  • Monitoring system performance and resource utilization
  • Monitoring SLAs
  • Planning for equipment replacement/upgrades
  • Maintaining job accounting records and audit trails
  • Reviewing logs
  • Managing incidents
  • Ensuring disaster recovery, regardless of the scale of the disaster

What I look for when auditing IS Operations are four things: job schedules, and are they being followed; SLAs, and are they being monitored and reported; incidents, and are they being recorded and managed; and disaster recovery, specifically, is the backup media valid?  In other words, could a system be restored from the backup media, and has that been tested?

Information Security’s role is to ensure that confidentiality, integrity and availability of data is maintained.  In addition, this group’s role includes:

  • Monitoring the environment and security of the facility
  • Making sure that vulnerabilities are identified and resolved in a timely manner
  • Ensuring that security patches are identified and installed
  • Limiting logical and physical access to IT resources to those who require and are authorized to access it

The basic auditing question here is: are they doing the things that are included in their roles and responsibilities?  Remember, as an IT auditor you need to “Pull the Thread” and see where it leads.  For instance, in this case you would ask if they are ensuring that security patches are identified and installed.  If they say “NO” then it becomes your responsibility to find out why.  Is it because that role/responsibility is not in their job description?  Or is it because they don’t have the resources (training) to do that role?  Or is it simply that they aren’t doing it?  Remember “Root Cause Analysis”, because when you make your audit report and you state that Information Security is not ensuring that security patches are identified and installed, you will also need to state what you found the root cause to be, and thus have a basis for your recommendation.  You might find that it wasn’t in their job description, in which case you would state that and recommend that the job descriptions be updated, the people trained, and that a follow-up audit be performed in 90 days to determine if corrective action has been taken.

From an IT Service Management perspective, the primary thing we want to look at is the service level agreements (SLAs) and whether performance is being measured and reported against the requirements stated in the SLA.  Some sources of information to consider in auditing this area might include: exception reports, system and application logs, operator problem reports, and operator work schedules.

Infrastructure operations are the processes and activities that support and manage the entire IT infrastructure, systems, applications and data, focusing on day-to-day activities.  Some of the tasks that you would expect IT operations staff to perform would be:

  • Executing and Monitoring scheduled jobs
  • Making sure backups run successfully
  • Participating in disaster recovery tests
  • Facilitating troubleshooting and incident handling

While this is not an exhaustive list, it does highlight some key areas of IT operations, namely daily execution of the schedule, making sure backups are successful and handling incidents.

Monitoring use of resources includes a number of different things including authorized use, logging of events, incident handling and problem management.  When operations monitors the use of resources, my experience has been that they are looking for anomalies, something out of the ordinary; a file that runs out of disk space; a job that runs much longer than expected; a job that aborts; a user that constantly calls to have their password reset; and so forth.  All of these errors should be logged regardless of whether they are application, system, operator, network, telecommunication, hardware, or user errors.

So as an IT auditor some of the things you would expect to find in the error log would be:

  • Error date
  • Error code
  • Error description
  • Source of error
  • Initials of the individual responsible for the entry and for the review of the entry
  • Status
  • Resolution description
  • Escalation date and time

In the change management area, suffice it to say, nothing gets changed without management approval (in writing).   Nothing gets changed directly in production without having gone through test and no programmer should have access to production.  Now I realize that this is not always possible, and in situations where shops are small and this isn’t possible there should be compensating controls which the IT auditor will need to look for.  There should be a documented change management/configuration control process which includes management sign-off.  As a personal note, I also require business process owner sign-off on all changes.  How else are we going to align IT and the business if the business process owner doesn’t know what changes are being made to their application?  One of the easiest ways of ensuring integrity is to insert a QA (quality assurance) group between development/test and production.  And by assigning roles specific to the QA group you can establish controls over who has access to production systems, data, and files and you can control when changes are made and whether they have been properly authorized.

One final parting comment on infrastructure general controls that everyone seems to leave to the last, and that is “Sanitization” or what happens when we no longer need that data, system, application or piece of hardware.  As an IT auditor you will want to make sure that the organization has a process in place to remove all sensitive data before a piece of equipment is recycled or disposed of in any form.  It has been my experience to see the best (actual shredding of hard drives) to the not so good (running the QUICK FORMAT command) when it comes to data sanitization.  The most fun I’ve had with sanitization is the time when I was told that “We recycle our computers to a local school and we ask them to format the hard drive before they let the students use the computers.”

I hope you’ve enjoyed this series of articles on IT Auditing and Controls.  If you would like to see articles on other topics please put your thoughts in a comment on this article.

You can find other articles on IT Auditing and Controls here.


Kenneth Magee

Ken is President and owner of Data Security Consultation and Training, LLC. He has taught cybersecurity at the JAG school at the University of Virginia, KPMG Advisory University, Microsoft and several major federal financial institutions and government agencies. As CISO for the Virginia Community College System, Ken’s focus was the standardization of security around the ISO 27000 series framework. Writing is one of his passions and he has authored and/or co-authored several courses, including CISSP, CISA, CISM, CGEIT, CRISC, DoD Cloud Computing SRG and a course for training Security Control Assessors using NIST SP 800-53A. Ken has also achieved a number of certifications, including CISSP, SSCP, CCSP, CAP, ISSMP, ISSAP, ISSEP, CISM, CISA, CAC, CEH, ISO9000LA, ISO14001LA, ISO27001PA, Security+, CySA+, CASP, CTT+, CPT, GSEC, GSNA, GWAPT, CIA, CGAP, CFE, MCP, MCSA, MCSE and MCT.