unixadminschool.com
IT Audit – Why is it important to system administrators?

What is an IT Audit?

System administrators working for publicly traded companies registered with government regulators will frequently go through the process of an IT audit. The purpose of these IT audits is to require the CEO/CFO of the company to personally validate the accuracy of all financial records, and to ensure that appropriate procedures are in place for the internal control of the financial data.

If you work for a US-based publicly traded company, you must have heard the term “SOX (Sarbanes-Oxley) audit”. Similar auditing regimes exist in countries such as Japan, Germany, France, Italy, Australia, India, South Africa, and Turkey, to monitor the operations happening inside and outside of publicly traded companies. You can find more about the SOX audit here.

How does it happen – Internal Audit vs External Audit?

Once an upcoming audit event is announced, there will be a lot of pressure on the teams, and the audit will become the highest priority task for everyone. For every IT manager these audits are very serious business, where failing is not an option.

In order to avoid failures in the “real audit” by the government agencies, companies hire third-party auditing firms to perform an “internal audit” in the same way that the real audit happens. These internal auditors use the same techniques and procedures as the real audit; the only difference is that an internal audit is conducted to test our own systems. During the internal audit, the auditors analyze the data and tell the teams where the systems are not compliant. In an internal audit we have the opportunity to go back and fix the issues identified, and once the issues are fixed the auditors perform another scan of the systems to confirm that they have been corrected.

Once management is satisfied with the internal audit results, the real audit event is announced. During the real audit, the auditors sit with some system administrators (chosen by management) and ask them to run queries and commands against randomly selected systems. The auditors then analyze the answers and decide whether the IT audit passes or not (remember, failure is not an option here).

What exactly do auditors look for?

The scope of IT auditing covers the entire network infrastructure, but our focus here is on the Unix environment alone. Below are some sample areas, related to Unix, that auditors want to scan and analyze.

1. Access Control Policies:

- All accounts must have passwords. Passwords must have an expiry policy and must follow the complex password rules.

- All user accounts which are not in use must be disabled within a specific duration.

- All system default user accounts should be disabled (for example: uucp).

- Disable all unused network services on each host, like telnet, ssh, http, etc.

- User membership of specific Unix groups must be reviewed frequently for additions and removals.

- Disable direct remote access to the machines using the superuser and privileged application accounts. Something like sudo should be set up for users who need additional privileges for their tasks.

- Set up a proper logging mechanism to capture every user action on a production system.
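The account checks in the list above are the kind an auditor asks an administrator to run at the prompt. The script below is an added example, not code from the original post or from unixadminschool.com: it runs those checks over constructed copies of `/etc/shadow` and `sshd_config` (the account names, dummy hashes and the `sshd_config` lines are all constructed for illustration), so it can be tried without touching a real host. The function names (`find_passwordless`, `find_never_expiring`, `find_unlocked_system_accounts`, `root_login_disabled`) are this example's own; pointing them at the real files, as root, runs the same checks on a production system.

```shell
#!/bin/sh
# Added example, not code from the original post: access-control checks of the
# kind listed above, run over constructed copies of /etc/shadow and sshd_config.
# The sample data is constructed for illustration; point the functions at the
# real files (as root) to run the same checks on a host.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed shadow file. Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# bob has an empty password field, lp is a system account left unlocked, and
# svc_app has max age 99999 (never expires). Hashes are dummy strings.
cat > "$WORK/shadow" <<'EOF'
root:$6$saltsalt$dummyhashdummyhash:15000:0:90:7:::
alice:$6$saltsalt$dummyhashdummyhash:15000:0:90:7:::
bob::15000:0:90:7:::
uucp:*:15000:0:99999:7:::
lp:$6$saltsalt$dummyhashdummyhash:15000:0:90:7:::
svc_app:$6$saltsalt$dummyhashdummyhash:15000:0:99999:7:::
EOF

# Constructed sshd_config fragments: one non-compliant, one corrected.
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$WORK/sshd_config.bad"
printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication no\n'  > "$WORK/sshd_config.good"

# Accounts whose password field is empty: login needs no password at all.
find_passwordless() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a usable hash (not locked with * or !) whose maximum password
# age is unset or 99999, i.e. the password never expires.
find_never_expiring() {
    awk -F: '$2 != "" && $2 !~ /^[*!]/ && ($5 == "" || $5 + 0 >= 99999) { print $1 }' "$1"
}

# System default accounts (uucp, lp, nuucp, ...) that still have a usable
# password instead of being locked.
find_unlocked_system_accounts() {
    shadow=$1; shift
    for acct in "$@"; do
        awk -F: -v a="$acct" '$1 == a && $2 != "" && $2 !~ /^[*!]/ { print $1 }' "$shadow"
    done
}

# Returns 0 if PermitRootLogin is explicitly "no". sshd uses the first
# occurrence of a keyword, so the first match wins here too; a missing
# keyword is treated as non-compliant because the auditor wants it explicit.
root_login_disabled() {
    awk 'tolower($1) == "permitrootlogin" && !seen { v = tolower($2); seen = 1 }
         END { if (v == "no") exit 0; exit 1 }' "$1"
}

# Print a human-readable report for one host's files.
access_audit_report() {
    shadow=$1; sshd=$2
    echo "Accounts without a password:   $(find_passwordless "$shadow" | tr '\n' ' ')"
    echo "Passwords that never expire:   $(find_never_expiring "$shadow" | tr '\n' ' ')"
    echo "Unlocked system accounts:      $(find_unlocked_system_accounts "$shadow" uucp lp nuucp | tr '\n' ' ')"
    if root_login_disabled "$sshd"; then
        echo "PermitRootLogin:               no (compliant)"
    else
        echo "PermitRootLogin:               not 'no' (non-compliant)"
    fi
}

access_audit_report "$WORK/shadow" "$WORK/sshd_config.bad"
```

Running it as written reports `bob` (no password), `svc_app` (never expires), `lp` (unlocked system account) and a non-compliant `PermitRootLogin`; swapping in `sshd_config.good` clears the last finding. The locked-account test (`*` or `!` at the start of the hash field) is the convention used by `passwd -l` on Linux and Solaris, which is why `uucp` is not reported.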

2. File and directory level permissions:

- World-writable files: if you want to see how compliant you are, just go to a machine where several NFS mounts are available and run `ls -lR` on any NFS mount. If you notice any file or directory that grants write permission to "others", your machine is definitely not compliant with the audit, and management should provide a proper business risk acceptance certificate for those exceptions.

- Files with setgid and setuid permissions must be reviewed.

- System configuration files like /etc/passwd, /etc/shadow, /etc/services, etc. must have appropriate permissions.
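Rather than reading `ls -lR` output by eye, the three checks above can be scripted with `find` and `stat`. The script below is an added example, not code from the original post or from unixadminschool.com: it builds a small constructed directory tree containing the cases the list describes (a world-writable file and directory, a setuid and a setgid file, and /etc-style config files with one of them too permissive) and runs the checks over it. The function names (`find_world_writable`, `find_setid`, `mode_within`, `permission_audit_report`) and the maximum modes for the config files are this example's own assumptions; substitute a real path such as an NFS mount and your own hardening standard's modes to audit a host.

```shell
#!/bin/sh
# Added example, not code from the original post: the file and directory
# permission checks listed above, run over a constructed directory tree so
# they can be tried safely. Point the functions at a real path (an NFS mount,
# or /) to audit a host; the config-file modes below are assumed maximums.
set -u

TREE=$(mktemp -d)
trap 'rm -rf "$TREE"' EXIT

# Constructed tree: a world-writable file and directory, a setuid and a setgid
# file, and /etc-style config files, one of them (shadow) too permissive.
# Every mode is set explicitly so the result does not depend on the umask.
mkdir -p "$TREE/data/shared" "$TREE/etc"
chmod 0755 "$TREE/data" "$TREE/etc"
chmod 0777 "$TREE/data/shared"
: > "$TREE/data/report.txt";  chmod 0666 "$TREE/data/report.txt"
: > "$TREE/data/ok.txt";      chmod 0644 "$TREE/data/ok.txt"
: > "$TREE/data/suidtool";    chmod 4755 "$TREE/data/suidtool"
: > "$TREE/data/sgidtool";    chmod 2755 "$TREE/data/sgidtool"
: > "$TREE/etc/passwd";       chmod 0644 "$TREE/etc/passwd"
: > "$TREE/etc/shadow";       chmod 0644 "$TREE/etc/shadow"
: > "$TREE/etc/services";     chmod 0644 "$TREE/etc/services"

# Files and directories where "others" have the write bit. Sticky
# world-writable directories (the /tmp pattern) are excluded on purpose.
find_world_writable() {
    find "$1" -perm -0002 ! \( -type d -perm -1000 \) -print | sort
}

# Regular files with the setuid or setgid bit; each needs a documented reason.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Number of findings produced by a check, for use as a pass/fail gate.
count_findings() {
    "$@" | wc -l | tr -d ' '
}

# Returns 0 if FILE grants no permission bit beyond MAX (an octal mode such
# as 0640), 1 if it is wider. Uses GNU stat with a BSD stat fallback.
mode_within() {
    file=$1; max=$2
    actual=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    [ $(( 0$actual & ~0$max )) -eq 0 ]
}

# Report for one tree. The maximum modes are assumptions for this example;
# use the values from your own hardening standard.
permission_audit_report() {
    tree=$1
    echo "== world-writable (excluding sticky dirs) =="; find_world_writable "$tree"
    echo "== setuid/setgid files ==";                    find_setid "$tree"
    echo "== config file modes =="
    while read -r rel max; do
        if mode_within "$tree/$rel" "$max"; then
            echo "OK   $rel"
        else
            echo "FAIL $rel is wider than $max"
        fi
    done <<'EOF'
etc/passwd 0644
etc/shadow 0640
etc/services 0644
EOF
}

permission_audit_report "$TREE"
```

On the constructed tree the report lists `data/report.txt` and `data/shared` as world-writable, the two set-id files, and a `FAIL` for `etc/shadow` because mode 0644 lets "others" read it. `mode_within` compares bit-wise (`actual & ~max`) rather than numerically, so a file with mode 0600 passes a 0640 maximum while 0604 does not, which is the comparison an auditor actually means by "no wider than".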

3. System stability and security compliance, in terms of patches and releases:

- All machines must be updated with the latest patches, tested and certified by the internal Unix engineering department.

- Any change to a currently running machine should go through the proper approvals and procedures before implementation.

- All change requests for current production machines (those directly providing services to the core business applications) must have testing details and back-out procedures attached.

- All systems should be configured with proper monitoring tools, and a proper notification process should be set up in case of any malfunction of the system.

- Redundancy and failover setups for the critical systems.

How do companies ensure that their systems are compliant?

Most organizations subject to IT auditing set up a central configuration information server, which collects the system configuration information (software versions, package versions, operating system releases, hardware models, etc.) about each and every system in the network.

This central configuration database server gives management a clear picture of which systems in the network are not compliant with the audit.

 

What is the system administrator's role in keeping the machines compliant?

Below are some sample tasks that a system admin can look into, in terms of auditing. But please remember that it never ends here.

- Ensure that every system you install, configure and manage reports to the central configuration server without failure.

- Make sure the systems under your control are properly monitored, with an appropriate alert mechanism set up for each host depending on the function of the system.

- Whenever you are asked to implement a change to a production server, make sure proper approvals are added to the change request, the change has been tested beforehand, and an appropriate back-out procedure is added to the change request.

- Never set loose permissions on files or directories without a proper business justification and the appropriate business approvals.

 

What is your IT auditing experience? Please share with us.

Posted by Ramdev
Tagged with: [ it audit, itil, process management, system administration ]

7 Comments on “IT Audit – Why it is important to system administrators?”

  • Muneer
    8 April, 2012, 5:23

    FILE-SYSTEM SECURITY
    Weak File system configuration
    Set Null shell for system user accounts
    Login banner is not enabled
    Non essential services are enabled in inetd
    Non essential services are enabled in startup scripts
    FTP and Telnet banners are absent in the system
    FTP users are not restricted
    SNMP Service is not secured
    Executable stacks are not secured
    Weak system umask
    Weak user permissions for CRON and AT
    Critical folders have weak permission
    Intense use of system resources
    EEPROM security functionality is disabled
    SYSTEM ACCESS AND AUTHENTICATION
    Password policy is not enabled in the system
    Remote root login is enabled
    Remote login by unauthenticated users
    XDMCP protocol is enabled for CDE
    AUDITING AND LOGGING
    Failed login attempts are not audited
    User authentication is not audited
    Weak permission on log files
    NETWORK SETTINGS AND SERVICES
    Weak preliminary network settings
    Weak TCP sequence number used

  • Ramesh
    8 April, 2012, 6:17

    Hi Gukulindia,

    Please share some knowledge on hadoop .

    Regards
    Ramesh Reddy 

  • Ramdev
    8 April, 2012, 6:26

    Thanks Muneer. Very valid checks in terms of audit indeed.

  • AbheeG
    28 May, 2012, 16:48

    IT Audit is mainly done to check if the systems are in accordance with the company's/System Owner's Security Policy. As long as the Security Policy maker is technical enough to know what is to be mentioned and what is not, you can have a relatively easier time implementing it and maintaining it. I have seen policies which have been entirely downloaded from the net and given to me to apply. As a System Admin we always have the right of denial. Sometimes it's just not practically possible to apply all the policies to a non-critical system. Also Patch Management can be a big nightmare if you do not test them on a testing server before applying them on a production server.

  • ramdev
    29 May, 2012, 5:03

    @AbheeG – thanks for sharing your experience.

  • PiGeePi
    14 September, 2012, 10:24

    Just wanted to point out that the word compliant is misspelled as ‘complaint’ numerous times in the article. There is a big difference in meaning.

    Nevertheless, this was an excellent article.

    I worked for a company in New York, where we implement PCI compliance. We ran some scripts that checked for a lot of the things mentioned here and in Muneer’s list. If I can ever find this script I will post some additional comments here.

  • Ramdev
    14 September, 2012, 13:05

    Hello, You are right. Somehow, i got that wrong in three places. Thanks very much for the comment and feedback.

Copyright © 2009 unixadminschool.com. All rights reserved.