Today I would like to discuss the different IT audit tools and techniques that I use when performing information technology audits. Let's look at a real example of an IT audit from my recent practice.
The client background is as follows. The organization has approximately 3000 employees located in numerous regions of one country. The client uses MS Windows environments for its servers and workstations. The main application system is SAP R/3, with all modules implemented several years ago, and Oracle 10g as the DBMS.
So, what IT audit tools will be used in an information security audit for such clients?
First of all, let's separate the different elements of the environment and find different IT audit tools for each of these parts. I would suggest the following segregation:
1. System software, which includes the server operating systems and the workstation operating systems.
2. Application level, which, in our example, consists of the SAP R/3 environment.
3. Database level, which is Oracle in our case.
So now we have three completely different areas for which we need to find appropriate IT audit tools and perform our IT audit. Let's start with the system software.
When auditing operating systems, I sometimes use the Microsoft Baseline Security Analyzer for Windows environments (as in our example). This IT audit tool, provided by Microsoft, lets you examine all security-related settings in your Windows environment. It can scan your network and your domain controller and give you a complete report of security settings. Based on this information you will be able to reach a conclusion on the effectiveness of security controls in this particular environment.
Another IT audit tool that can be used to analyze operating system security settings is SekChek Security Evaluator. This IT audit tool is more powerful and has different versions for Windows, AS/400, NetWare and all UNIX-based systems. In short, the process of using this audit tool is similar to the above: you run a portion of the tool in the environment, and the tool produces a comprehensive, easy-to-read report on all security-related settings of the environment.
Let's look at the application-level portion of the security audit. This portion can be completely different for each client, as there are many different application systems on the market. However, there are some IT audit tools for well-known application systems, like SAP R/3. Most such tools and techniques are the property of the company that developed them and are not available to the general public. This is the case for my tool for the SAP environment. My company has developed a unique SAP R/3 IT audit tool, which is guided by the company's IT audit methodology and makes it possible to perform a very comprehensive IT security audit of the SAP environment at any company.
A few words about the database level. As is the case with the application level, there are a number of well-known database management systems on the market (like Oracle) that are widely used across enterprises. In my practice I use an IT audit tool called Oracle Security Analyzer for performing IT audits of Oracle databases. It is actually an SQL script, written specifically for Oracle databases. This script collects all security-related Oracle settings and exports them into a file. Then special software reads this file and generates an easy-to-read report about the available security settings at the database level. All potential weaknesses are indicated in this report.
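The collection step described above can be sketched as a read-only SQL*Plus script. This is an added example, not the Oracle Security Analyzer script mentioned in the article; the spool file name and the selection of parameters and packages are assumptions, and it is meant to be run by an account that can read the data dictionary (for example one holding SELECT_CATALOG_ROLE).

```sql
-- Added illustration: collect security-relevant settings from the Oracle
-- data dictionary and spool them to a file for later review.
-- The output file name below is an assumption.
SET PAGESIZE 50000 LINESIZE 200 TRIMSPOOL ON FEEDBACK OFF
SPOOL oracle_security_settings.txt

PROMPT == Instance parameters for authentication and auditing
SELECT name, value
  FROM v$parameter
 WHERE LOWER(name) IN ('audit_trail', 'audit_sys_operations',
                       'remote_os_authent', 'remote_os_roles',
                       'os_authent_prefix', 'remote_login_passwordfile',
                       'o7_dictionary_accessibility', 'utl_file_dir')
 ORDER BY name;

PROMPT == Password limits per profile
SELECT profile, resource_name, limit
  FROM dba_profiles
 WHERE resource_type = 'PASSWORD'
 ORDER BY profile, resource_name;

PROMPT == Accounts, status and assigned profile
SELECT username, account_status, profile, created
  FROM dba_users
 ORDER BY username;

PROMPT == Grantees of the DBA role
SELECT grantee, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

PROMPT == ANY-type or re-grantable system privileges outside SYS, SYSTEM, DBA
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (privilege LIKE '% ANY %' OR admin_option = 'YES')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

PROMPT == Network and file packages executable by PUBLIC
SELECT table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND table_name IN ('UTL_FILE', 'UTL_TCP', 'UTL_SMTP', 'UTL_HTTP')
 ORDER BY table_name;

SPOOL OFF
```

The spooled file is the kind of export a reporting step would then read; every statement is a SELECT, so the script changes nothing in the audited database.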
Using all of these IT audit tools to perform a comprehensive IT security audit, I can produce a list of concrete recommendations on which particular settings should be implemented at each of the three levels: operating system, application and database.


