
Jan Fasswald, Federal Court of Audit (Bundesrechnungshof), Audit Unit IV 3, June 13th, 2004

2nd Seminar on IT-Audit

September 1st to 4th, 2004 in Nanjing

IT security audit standards of the Bundesrechnungshof (Germany’s Supreme Audit Institution)

Role and functions of the Bundesrechnungshof vis-à-vis federal departments and agencies

The Bundesrechnungshof is a supreme federal authority. As an independent body of government auditing it is subject only to the law. The status of the Bundesrechnungshof, its members and its essential functions are guaranteed by the German Constitution (Article 114 (2) of the Basic Law). Further details are regulated by other legislation (e.g. the Bundesrechnungshof Act and the Federal Budget Code).

The Bundesrechnungshof examines the financial management of the Federation, its separate property funds and federal undertakings; the Bundesrechnungshof carries out sample audits of revenue and expenditure totalling over 500 million Euro. Its audit mandate also covers social security institutions and the activities of the Federation in private-law enterprises of which it is a shareholder.

The Bundesrechnungshof makes recommendations on the basis of its audit experience and provides advice to the audited bodies, to Parliament and to the Federal Government. Its consultant activities set out significant recommendations for quality improvement, pointing out the potential for savings or increases in revenue.

Timing and nature of audits are determined at the Bundesrechnungshof's free discretion. No one can give the Bundesrechnungshof audit assignments. It possesses no executive power, and therefore the Bundesrechnungshof must convince by the strength of its arguments.

The Bundesrechnungshof has about 600 staff. It is currently composed of 9 audit divisions with 50 audit units. Administrative assignments are performed by a presidential division. Since 1 January 1998 the Bundesrechnungshof has been supported by regional audit offices staffed with some 500 employees. Regional audit offices are subordinate to the Bundesrechnungshof. Decisions are taken by collegiate bodies. Normally decisions are taken by the appropriate college of two (Senior Audit Director and Audit Director). In some cases the President or the Vice-President joins this college (college of three). Decisions in the college of two and in the college of three have to be taken unanimously.

Function of audit unit IV 3

Audit unit IV 3 (audit director plus 5 audit officers) is responsible for general and fundamental IT security affairs in federal departments and agencies. It examines both IT security in individual federal offices and cross-sectional aspects of IT security.

IT-Baseline Protection

The use of information technology is continually increasing. On the one hand this means new opportunities to apply, evaluate and collect information in a more effective way, but on the other hand there are also new risks. Today many federal offices are not able to perform the tasks incumbent on them without relying on properly functioning IT assets. For this reason information, as well as the IT systems in use, has to be protected to avoid

·  unauthorised disclosure (loss of confidentiality),

·  unauthorised alteration (loss of integrity) and

·  degradation or loss of functions (loss of availability).

IT security planning, realisation and controlling shall consider the areas of infrastructure, organisation, personnel and technology. It is designed to ensure reasonable confidentiality, integrity and availability of IT systems and information. For federal offices a degradation of these basic values in IT security can result in

·  violation of laws, regulations or contracts,

·  impaired mission performance,

·  financial damages or

·  loss of reputation.

The protection requirement of an IT system is geared towards the extent of potential damages.

Protection requirement categories:

·  Basic to moderate: The impact of any loss or damage is limited.

·  High: The impact of any loss or damage may be considerable.

·  Very high: The impact of any damage can attain catastrophic proportions which could threaten the very existence of the agency/company.

To determine adequate security measures in relation to the protection requirements it is necessary to carry out a risk assessment. This entails ascertaining the IT assets to be protected (IT systems, information …) and examining the threats they are exposed to. The next step is to assess the probability of security incidents and the likely extent of damage. After that a security concept, describing reasonable IT security measures and the remaining residual risk, has to be drawn up and implemented.

As a risk assessment is associated with high costs and takes up a lot of time, many federal offices are not able to perform one. Considering the fact that IT systems mostly have basic to moderate ("normal") protection requirements, the Federal Office for Information Security (BSI, http://www.bsi.de/english/) created a standard to support IT Security Officers in working out IT security concepts: the IT-Baseline Protection Manual.

The IT Baseline Protection Manual supports federal offices (but also companies) in implementing IT security concepts easily, economically and effectively. The idea of IT baseline protection is based on the assumption that a package of up-to-date, accepted and field-proven IT security measures covers a large part of the existing threats and risks. Comprehensive risk assessments are therefore no longer necessary for such systems.

The IT Baseline Protection Manual contains:

·  standard security safeguards[1] for typical IT systems with "normal" protection requirements

·  a description of the threat scenario that is globally assumed

·  detailed descriptions of safeguards to assist with their implementation

·  a description of the process involved in attaining and maintaining an appropriate level of IT security and

·  a simple procedure for ascertaining the level of IT security attained in the form of a target versus actual comparison.

It is structured in a modular fashion and provides the following individual modules, which reflect typical areas in which IT assets are employed:

·  generic components (IT security management, organisation, personnel, contingency planning concept, data back up policy, handling of security incidents, …)

·  infrastructure (buildings, rooms, cabling, computer centres, working place at home,…)

·  non-networked systems (DOS-PC, laptop PC, UNIX-system, Windows 2000 Client,…)

·  networked systems (UNIX server, Windows NT network, Windows 2000 Server, Novell NetWare, …)

·  data transmission systems (modem, firewall, e-Mail, Exchange 2000, Outlook 2000,…)

·  telecommunication (fax machine, telecommunications systems / PBX, fax server, mobile telephones…)

·  other IT components (e.g. databases, telecommuting, archiving, …)

Each module of the IT Baseline Protection Manual contains a brief description of the subject and a list containing references to the relevant threats in question and to the relevant standard security measures in each case.

The BSI continuously updates the manual and expands it to include new subjects on the basis of user surveys.

Instructions for using the IT Baseline Protection Manual in brief [2]

1.  IT structure analysis
This entails gathering information about the information technology assets in the area under consideration. It is important to record applications, IT systems and IT rooms and demonstrate dependencies. Here one should limit oneself to the most important components and present the results clearly.

2.  Assessment of protection requirements
The aim of the assessment of protection requirements is to ascertain how much effort needs to go into protecting IT applications, IT systems, communications connections and rooms against impairment of confidentiality, integrity and availability. Only in this way is it possible to achieve an adequate level of protection at the lowest possible cost.

3.  Modelling
Modelling is central to the methodology set forth in the IT Baseline Protection Manual. During modelling, the modules in the IT Baseline Protection Manual are assigned to the existing processes and components ("target objects"). The IT Baseline Protection Manual contains a precise description of how a real set of IT assets can be modelled as accurately as possible using the existing modules. Thus, for example, the chapter "IT Security Management" is applied once to the entire set of IT assets, while the "Fax Machine" module is applied to every fax machine. Every chapter contains a description of the relevant threats and IT security measures for the relevant target object. The outcome of the modelling is an extensive list with IT security measures.

4.  Basic Security Check
If the IT Baseline Protection Manual is applied to an existing set of IT assets, it is necessary to check which standard security measures that have been identified as necessary during modelling have already been implemented and where shortcomings still exist (target versus actual comparison). To this end, interviews are carried out with those responsible and spot checks are performed. This operation is referred to as the Basic Security Check.

Where IT systems and information with higher protection requirements are used, a supplementary security analysis has to be carried out, weighing up the cost-effectiveness of implementing additional measures. It is generally sufficient to supplement the recommendations made in the IT Baseline Protection Manual with appropriately tailored and more rigorous measures. After that the IT baseline protection measures and the more rigorous measures have to be consolidated so that a general view of all necessary measures emerges.
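The four steps above (structure analysis, assessment of protection requirements, modelling, basic security check) traced in code. This is an added illustration written for this paper; it is not a tool of the BSI or the Bundesrechnungshof. The module catalogue, the safeguard names and the IT assets are constructed and deliberately abbreviated: a real model uses the modules and safeguards of the manual itself.

```python
"""Target-versus-actual comparison in the style of the IT Baseline Protection
procedure. Module catalogue, safeguards and IT assets below are constructed
for illustration and are not taken from the BSI manual."""
from dataclasses import dataclass
from enum import Enum


class ProtectionRequirement(Enum):
    BASIC_TO_MODERATE = "basic to moderate"   # impact limited ("normal")
    HIGH = "high"                             # impact may be considerable
    VERY_HIGH = "very high"                   # impact may be catastrophic


@dataclass(frozen=True)
class TargetObject:
    """An IT asset recorded during IT structure analysis (step 1), with the
    protection requirement assessed in step 2."""
    name: str
    kind: str                  # e.g. "fax machine", "windows 2000 server"
    requirement: ProtectionRequirement


@dataclass(frozen=True)
class Module:
    """A module of the manual: applied once to the whole set of IT assets
    (scope "global") or once per target object of the given kind."""
    name: str
    scope: str                 # "global" or a target-object kind
    safeguards: tuple          # standard security safeguards of the module


# Constructed, heavily abbreviated module catalogue (hypothetical safeguards).
CATALOGUE = (
    Module("IT Security Management", "global",
           ("IT security officer appointed", "IT security concept documented")),
    Module("Fax Machine", "fax machine",
           ("fax placed in access-controlled room", "incoming faxes collected promptly")),
    Module("Windows 2000 Server", "windows 2000 server",
           ("security updates installed regularly", "admin roles separated")),
)


def model(assets, catalogue=CATALOGUE):
    """Step 3, modelling: assign modules to target objects. The result is the
    list of (target object, module, safeguard) triples that should be in place."""
    required = []
    for module in catalogue:
        if module.scope == "global":
            required += [("whole set of IT assets", module.name, s) for s in module.safeguards]
        else:
            for asset in assets:
                if asset.kind == module.scope:
                    required += [(asset.name, module.name, s) for s in module.safeguards]
    return required


def basic_security_check(required, implemented):
    """Step 4, basic security check: target-versus-actual comparison.
    `implemented` holds (target object, safeguard) pairs confirmed in interviews
    and spot checks; every other entry of the model is a shortcoming."""
    return [(obj, mod, s) for obj, mod, s in required if (obj, s) not in implemented]


def needs_supplementary_analysis(assets):
    """Target objects whose protection requirement is above "normal" need a
    supplementary security analysis on top of the baseline safeguards."""
    return [a.name for a in assets if a.requirement is not ProtectionRequirement.BASIC_TO_MODERATE]


# Constructed sample IT assets and constructed audit findings.
ASSETS = (
    TargetObject("FAX-01", "fax machine", ProtectionRequirement.BASIC_TO_MODERATE),
    TargetObject("FAX-02", "fax machine", ProtectionRequirement.BASIC_TO_MODERATE),
    TargetObject("SRV-PAYROLL", "windows 2000 server", ProtectionRequirement.HIGH),
)
IMPLEMENTED = {
    ("whole set of IT assets", "IT security officer appointed"),
    ("FAX-01", "fax placed in access-controlled room"),
    ("FAX-01", "incoming faxes collected promptly"),
    ("FAX-02", "incoming faxes collected promptly"),
    ("SRV-PAYROLL", "security updates installed regularly"),
}


def audit_report(assets=ASSETS, implemented=IMPLEMENTED):
    """Run modelling and the basic security check and summarise the result."""
    required = model(assets)
    gaps = basic_security_check(required, implemented)
    return {
        "required": len(required),
        "implemented": len(required) - len(gaps),
        "shortcomings": gaps,
        "supplementary_analysis": needs_supplementary_analysis(assets),
    }


if __name__ == "__main__":
    report = audit_report()
    print(f"{report['implemented']}/{report['required']} safeguards implemented")
    for obj, mod, safeguard in report["shortcomings"]:
        print(f"  shortcoming: {obj} [{mod}]: {safeguard}")
    for name in report["supplementary_analysis"]:
        print(f"  supplementary security analysis required: {name}")
```

The global module is applied once, the per-object modules once per matching asset, so the modelled list grows with the inventory rather than with the catalogue; the shortcomings list is exactly the output of the target-versus-actual comparison, and the server with "high" protection requirement is flagged for the supplementary analysis described above.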

Auditing standards of audit unit IV 3

When auditing IT security in federal offices the IT Baseline Protection Manual is used as the standard for IT systems with "normal" protection requirements. If all recommendations made in the Baseline Protection Manual are consistently carried out, the security measures will often also be able to meet the demands of IT systems with higher protection requirements. The annex of this paper contains some checklists relating to selected IT security areas. They allow a rapid overview of the vulnerabilities in an organisation.

Annex

Checklists (excerpt from the "IT Security Guidelines – IT Baseline Protection in brief", © BSI 2003)

IT security management

·  Has management defined the IT security objectives and accepted that they are responsible for IT security? Have all the legal and contractual issues been considered?

·  Is there an IT Security Officer?

·  Are IT security requirements considered early on every project (e.g. during planning of a new network, new purchases of IT systems and applications, outsourcing and service agreements)?

·  Is there a summary of the most important applications and IT systems and their protection requirements?

·  Is there an action plan that prioritises security objectives and sets forth how the agreed IT security measures should be implemented?

·  Has it been determined in the case of all IT security measures whether they have to be carried out once only or at regular intervals (e.g. updates to the virus scanner)?

·  Have responsibilities been defined for all the IT security measures?

·  Are appropriate deputisation arrangements in place for persons in positions of responsibility and are the stand-ins familiar with the tasks they have to perform in this capacity? Have the most important passwords been securely deposited for emergencies?

·  Are all the target persons familiar with the existing policy and responsibilities?

·  Are there any checklists covering factors that need to be considered when new staff join or existing staff leave the company (authorisations, keys, training etc.)?

·  Is the effectiveness of IT security measures checked regularly?

·  Is there a documented IT security concept?

Security of IT systems

·  Are protection mechanisms in applications and programs used?

·  Is anti-virus software used across the board?

·  Have roles and profiles been assigned to all the system users?

·  Are there controls in place as to which data each member of staff is allowed to access? Are there sensible restrictions?

·  Are there different roles and profiles for administrators, or is every administrator allowed to do everything?

·  Are the privileges and permissions of programs known and controlled?

·  Are security-relevant standard settings of programs and IT systems suitably adapted or is the delivery state retained?

·  Are unnecessary security-relevant programs and functions systematically uninstalled or disabled?

·  Are manuals and product documentation read promptly?

·  Is detailed installation and system documentation created and updated regularly?

Networking and internet connection

·  Is there a firewall?

·  Are the configuration and functionality of the firewall monitored and critically examined at regular intervals?

·  Is there a concept as to which data has to be offered to the outside world?

·  Has it been specified how dangerous add-on programs (plug-ins) and active content should be avoided?

·  Have all unnecessary services and program functions been disabled?

·  Are web browsers and e-mail programs securely configured?

·  Have all staff been adequately trained?

Compliance with security requirements

·  Are confidential information and data media stored carefully?

·  Is confidential information deleted from data media or IT systems prior to maintenance and repair work?

·  Do staff receive regular training on security-relevant subjects?

·  Are there any measures in place that are aimed at raising the security awareness of the workforce?

·  Are existing security objectives monitored and security breaches disciplined?

Maintenance of IT systems: handling updates

·  Are security updates regularly installed?

·  Has someone been appointed to keep up-to-date on security characteristics of the software used and relevant security updates?

·  Is there a test concept for software modifications?

Passwords and encryption

·  Do programs and applications provide security mechanisms like password protection and encryption? Have the security mechanisms been activated?

·  Have default or blank passwords been changed?

·  Are all staff trained in choosing secure passwords?

·  Are workstations protected in the absence of their owner by a password protected screensaver?

·  Are confidential data and systems that are especially at risk such as notebooks adequately protected using encryption or other safeguards?

Contingency planning

·  Is there a contingency plan with instructions and contact addresses?

·  Are all the necessary contingency situations covered?

·  Is every member of staff familiar with the contingency plan and is this easy to access?

Data backup

·  Is there a backup strategy?

·  Have rules been laid down as to what data should be backed up and for how long?

·  Do backups also include laptop computers and non-networked systems?