ZeePedia

Audit trails and logs: Audit trails and types of errors, IS audit, Parameters of IS audit

VU
Information System (CS507)
Audit trails and logs
An audit trail is a logical record of computer activities/usage/processing pertaining to an operating
or application system or user activities. An information system may have several audit trails, each
devoted to a particular type of activity. All these audit trails are primarily extracted from the audit
log, which is recorded on a chronological basis. The audit log is maintained only for the activities
specified for logging. The information that can be recorded varies, including
but not limited to:
1. Time stamp for the log in/out time
2. Terminal in use
3. Files accessed
4. Transactions performed
5. Amendments made
Audit trails can provide a means to help accomplish several security-related objectives, including
individual accountability, reconstruction of events (actions that happen on a computer system),
intrusion detection, and problem analysis, as well as evidence of the correct processing regimes
within a system.
There are typically two kinds of audit records:
(1) An event-oriented log: this usually contains records describing system events, application
events, or user events. An audit trail should include sufficient information to establish what events
occurred and who (or what) caused them.
(2) A record of every keystroke, often called keystroke monitoring. Keystroke monitoring is
the process used to view or record both the keystrokes entered by a computer user and the
computer's response during an interactive session. Keystroke monitoring is usually considered a
special case of audit trails.
35.1  Documentation
Audit trails and logs are a form of documentation which helps in reviewing the various activities
undertaken by various users. Any alterations and modifications made in the documentation should
be logged as well, so that its integrity can be monitored. Documentation may include program code of
application software, technical manuals, user manuals and any other system-related
documentation. This would help to see that data is not modified on the instructions of the users.
A log of all amendments should be supported by proper authorization by responsible officers.
Accountability through audit trails
Audit trails are a technical mechanism that helps managers maintain individual accountability.
Users can be identified by the log being maintained. Users are informed of what the password
allows them to do and why it should be kept secure and confidential. Audit trails help to reveal
variations from normal behavior which may point to unauthorized usage of resources. For example:
·  Audit trails can be used together with access controls to identify and provide
information about users suspected of improper modification of data (e.g., introducing
errors into a database).
·  An audit trail may record "before" and "after" images, also called snapshots of records.
This helps in audit evaluation work.
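The following Python sketch is an added example, not part of the original lecture notes. It shows how "before" and "after" images support accountability: it flags amendments that lack an authorizing officer and detects a record that changed without a log entry. The account IDs, user names and field names are constructed for illustration.

```python
# Constructed amendment log: each entry carries the "before" and "after"
# image of one record, who made the change, and who authorized it.
AMENDMENTS = [
    {"seq": 1, "user": "clerk01", "record": "ACC-1001", "authorized_by": "mgr07",
     "before": {"balance": 500, "limit": 1000}, "after": {"balance": 450, "limit": 1000}},
    {"seq": 2, "user": "clerk02", "record": "ACC-1001", "authorized_by": None,
     "before": {"balance": 450, "limit": 1000}, "after": {"balance": 450, "limit": 5000}},
    {"seq": 3, "user": "clerk01", "record": "ACC-1001", "authorized_by": "mgr07",
     "before": {"balance": 300, "limit": 5000}, "after": {"balance": 250, "limit": 5000}},
]


def diff_images(old, new):
    """Return {field: (old_value, new_value)} for every field that differs."""
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new))
            if old.get(k) != new.get(k)}


def review_amendments(entries):
    """Walk the trail in sequence order and return a list of findings.

    Two checks per record:
      * an amendment with no authorizing officer is flagged;
      * a "before" image that differs from the previous "after" image means
        the record changed without an audit entry (a gap in the trail).
    """
    findings = []
    last_after = {}  # record id -> most recent "after" image seen
    for e in sorted(entries, key=lambda x: x["seq"]):
        if not e["authorized_by"]:
            findings.append((e["seq"], "unauthorized", e["user"],
                             diff_images(e["before"], e["after"])))
        prev = last_after.get(e["record"])
        if prev is not None and prev != e["before"]:
            findings.append((e["seq"], "unlogged_change", None,
                             diff_images(prev, e["before"])))
        last_after[e["record"]] = e["after"]
    return findings


if __name__ == "__main__":
    for finding in review_amendments(AMENDMENTS):
        print(finding)
```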
35.2  Audit trails and types of errors
Audit trail analysis can often distinguish between operator-induced errors (during which the system
may have performed exactly as instructed) and system-created errors (e.g., arising from a poorly
tested piece of replacement code). For example, if a system fails or the integrity of a file (either
program or data) is questioned, an analysis of the audit trail can reconstruct the series of steps
taken by the system, the users, and the application. Knowledge of the conditions that existed at the
time of, for example, a system crash, can be useful in avoiding future mishaps.
Intrusion detection
Intrusion detection refers to the process of identifying attempts to penetrate a system and gain
unauthorized access. If audit trails have been designed and implemented to record appropriate
information, they can assist in intrusion detection. An intrusion detection system can be made part of
the regular security system to detect intrusion effectively. Real-time intrusion detection is technical
and complex to achieve, but it can be attained to a reasonable extent. Real-time intrusion detection is
primarily aimed at outsiders attempting to gain unauthorized access to the system.
Variance detection and audit trails
Trends/variance-detection tools look for anomalies in user or system behavior. It is possible to
monitor usage trends and detect major variations. The log can be examined and analyzed to detect
the irregularity. For example, if a user typically logs in at 9 a.m., but appears at 4:30 a.m. one
morning, this may indicate either a security problem or a malfunctioning of the system clock, which
may need to be investigated. The log can be sorted/filtered for all log-ins before 9 a.m. from that
particular terminal.
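The variance check described above can be sketched in Python as follows. This is an added example, not part of the original lecture notes. The log format, user names, terminal IDs, the 90-minute tolerance and the three-login minimum history are all assumptions made for illustration.

```python
from datetime import datetime
from statistics import median

# Constructed event-oriented audit log: timestamp, user, terminal, event.
AUDIT_LOG = """\
2024-03-04T09:02:11 asmith T12 LOGIN
2024-03-04T17:31:40 asmith T12 LOGOUT
2024-03-05T08:58:03 asmith T12 LOGIN
2024-03-06T09:05:47 asmith T12 LOGIN
2024-03-07T04:30:19 asmith T12 LOGIN
2024-03-07T09:10:00 bkhan T03 LOGIN
2024-03-08T09:01:30 asmith T12 LOGIN
"""


def parse(log_text):
    """Yield (timestamp, user, terminal, event) from each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess their meaning
        ts, user, terminal, event = parts
        yield datetime.fromisoformat(ts), user, terminal, event


def minutes_of_day(ts):
    return ts.hour * 60 + ts.minute


def login_variances(log_text, tolerance_min=90, min_history=3):
    """Flag logins further than tolerance_min from the user's median login time."""
    logins = [r for r in parse(log_text) if r[3] == "LOGIN"]
    by_user = {}
    for ts, user, _, _ in logins:
        by_user.setdefault(user, []).append(minutes_of_day(ts))
    flagged = []
    for ts, user, terminal, _ in logins:
        history = by_user[user]
        if len(history) < min_history:
            continue  # too little history to call anything a variance
        if abs(minutes_of_day(ts) - median(history)) > tolerance_min:
            flagged.append((ts.isoformat(), user, terminal))
    return flagged


def logins_before(log_text, terminal, hour):
    """The sort/filter step: every login on one terminal before a given hour."""
    return [(ts.isoformat(), user) for ts, user, term, ev in parse(log_text)
            if ev == "LOGIN" and term == terminal and ts.hour < hour]
```

A flagged entry is only a lead for investigation: as the text notes, the cause may be a security problem or a faulty system clock.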
Audit trails and logs are of significant importance in conducting an audit of an information system in a
computerized environment. Where computer equipment becomes a major component of
information management, auditing through the computer gets more delicate and sensitive. Audit
trails and logs help in auditing through the computer as against auditing around the computer.
35.3  Definition of Audit
In accounting and finance terms, audit is a process which includes an examination of records or
financial accounts to check their accuracy; an adjustment or correction of accounts; an examined
and verified account. However, the concept is a bit different in the case of information systems: it is an
examination of systems, programming and datacenter procedures in order to determine the
efficiency of computer operations.
35.4  IS audit
Information systems include the accounting and finance function as a critical part of the entire system.
Hence, these days the audit of information systems as a whole incisively focuses on the finance and
accounting aspect as well. For example, all banks and financial institutions have software
supporting interest computations. During the audit of IS, the integrity of the source code/program
instructions has to be checked and assurance obtained that these have not been tampered with or
altered in any manner.
An information technology (IT) audit or information systems (IS) audit is an examination of the
controls within an entity's information technology infrastructure. When transactions are
executed and recorded through computers, the lack of a physical audit trail requires
implementation of controls within the information systems so as to give the same result as
controls implemented in a manual information system. IS audit focuses more on examining
the integrity of controls and ensuring that they are working properly. Evaluation of the evidence
obtained can ensure whether the organization's information systems safeguard assets,
maintain data integrity, and are operating effectively and efficiently to achieve the organization's
goals or objectives.
35.5  Parameters of IS audit
Regarding Protection-of-Information-Assets, one purpose of an IT audit is to review and evaluate
an organization's information system's availability, confidentiality, and integrity by answering
questions such as:
1. Will the organization's computer systems be available for the business at all times when
required? (Availability)
2. Will the information in the systems be disclosed only to authorized users? (Confidentiality)
3. Will the information provided by the system always be accurate, reliable, and timely?
(Integrity)
Besides the availability, confidentiality and integrity of information systems receiving IT
auditor consideration, it has been suggested by other authors that information system
utility, possession and authenticity also be considered by answering questions such as:
4. Will the organization's computer system provide useful information when required?
(Utility)
5. Will the physical aspects of the organization's computer systems be protected from the
threat of theft? (Possession)
6. Will the information provided by the system always be genuine, original without
unauthorized change? (Authenticity)
35.6  Risk Based Audit Approach
This approach to audit proceeds with the following steps:
1. Understanding the business process
2. Understanding the control structure built in the system
3. Understanding of inherent risks (risks which are covered through instituting controls),
which can occur in the absence of controls, e.g.
· Political and legal factors affecting the business,
· Nature of the industry in which the organization exists
4. Risk assessment
5. Categorization of risks identified
As in the case of other audits, an IS audit can also be streamlined based on this approach.
Ensuring a high level of IS security and conducting an effective IS audit presupposes
risk assessment, which helps in the implementation of security policy. Risk management is the core
line of this entire IT/IS audit. It is a very important concept, which we will now discuss
in detail.