Lesson#35
Audit trails and logs
An audit trail is a logical record of computer activities, usage or processing pertaining to an operating system, an application system, or user activities. An information system may have several audit trails, each devoted to a particular type of activity. All of these audit trails are primarily extracted from the audit log, which is recorded on a chronological basis. The audit log is maintained only for the list of activities specified for which a log is to be kept. The information that can be recorded varies, and includes but is not limited to:
1. Time stamp for the log-in/log-out time
2. Terminal in use
3. Files accessed
4. Transactions performed
5. Amendments made
Audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events (actions that happen on a computer system), intrusion detection, and problem analysis, as well as evidence of the correct processing regimes within a system.
There are typically two kinds of audit records:
(1) An event-oriented log. This usually contains records describing system events, application events, or user events. An audit trail should include sufficient information to establish what events occurred and who (or what) caused them.
(2) A record of every keystroke, often called keystroke monitoring. Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails.
35.1 Documentation
Audit trails and logs are a form of documentation which helps in reviewing the various activities undertaken by various users. Any alterations and modifications made to the documentation should be logged as well, so that its integrity can be monitored. Documentation may include the program code of application software, technical manuals, user manuals and any other system-related documentation. This helps to confirm that data is not modified on the instructions of users. The log of all amendments should be supported by proper authorization from responsible officers.
Accountability through audit trails
Audit trails are a technical mechanism that helps managers maintain individual accountability. Users can be identified from the log being maintained. Users are informed of what their password allows them to do and why it should be kept secure and confidential. Audit trails help reveal deviations from normal behavior which may point to unauthorized usage of resources. For example:
• Audit trails can be used together with access controls to identify and provide information about users suspected of improper modification of data (e.g., introducing errors into a database).
• An audit trail may record "before" and "after" images, also called snapshots, of records. This helps in audit evaluation work.
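An added example (not from the lecture) of the event-oriented record and the "before"/"after" images just described: each record carries who, when and from which terminal, plus the record image before and after the change, and the records are hash-chained so that an altered or removed entry is detectable when the trail is replayed to reconstruct the record. The field names and the SHA-256 chaining are assumptions of this example.

```python
"""Constructed example: event-oriented audit records carrying who, when and
from where, plus before/after images of the record, hash-chained so that an
altered or removed entry shows up when the trail is reviewed."""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record


def record_hash(prev_hash, body):
    """Hash covering the previous record's hash and this record's contents."""
    payload = json.dumps(body, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


def append_event(trail, when, user, terminal, record_id, before, after):
    """Append one audit record for a change made to record_id."""
    prev = trail[-1]["hash"] if trail else GENESIS
    entry = {"time": when, "user": user, "terminal": terminal,
             "record": record_id, "before": before, "after": after}
    entry["hash"] = record_hash(prev, entry)
    trail.append(entry)
    return entry


def verify_chain(trail):
    """Index of the first record whose hash no longer matches, or None."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if record_hash(prev, body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return None


def reconstruct(trail, record_id, initial):
    """Replay the trail for one record. Each 'before' image must equal the
    state reached so far; otherwise a step is missing or was altered."""
    state = initial
    for entry in trail:
        if entry["record"] != record_id:
            continue
        if entry["before"] != state:
            raise ValueError(f"trail does not reconstruct at {entry['time']}")
        state = entry["after"]
    return state
```

A reviewer runs verify_chain over the stored trail first, then reconstruct against the live record; a mismatch in either points at the entry where the trail stopped agreeing with the data.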
35.2 Audit trails and types of errors
Audit trail analysis can often distinguish between operator-induced errors (during which the system may have performed exactly as instructed) and system-created errors (e.g., arising from a poorly tested piece of replacement code). For example, if a system fails or the integrity of a file (either program or data) is questioned, an analysis of the audit trail can reconstruct the series of steps taken by the system, the users, and the application. Knowledge of the conditions that existed at the time of, for example, a system crash can be useful in avoiding future mishaps.
Intrusion detection
Intrusion detection refers to the process of identifying attempts to penetrate a system and gain unauthorized access. If audit trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. An intrusion detection system can be made part of the regular security system to detect intrusions effectively. Real-time intrusion detection is technically complex to achieve, but it can be attained to a reasonable extent. Real-time intrusion detection is primarily aimed at outsiders attempting to gain unauthorized access to the system.
Variance detection and audit trails
Trend and variance-detection tools look for anomalies in user or system behavior. It is possible to monitor usage trends and detect major variations. The log can be inspected and analyzed to detect the irregularity. For example, if a user typically logs in at 9 a.m., but appears at 4:30 a.m. one morning, this may indicate either a security problem or a malfunctioning system clock, and may need to be investigated. The log can be sorted or filtered for all log-ins before 9 a.m. from that particular terminal.
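The 9 a.m. / 4:30 a.m. case above, worked as an added example that is not part of the lecture: a small parser for constructed login records, a per-user baseline of the typical login hour, a variance check against that baseline, and the sort/filter step for all log-ins before a given hour from one terminal. The log format, user names and terminal ids are made up for the example.

```python
"""Constructed example: variance detection over a login audit log.
SAMPLE_LOG is made up; each line is 'timestamp user terminal event'."""
from collections import defaultdict
from datetime import datetime
from statistics import median

SAMPLE_LOG = """\
2024-03-04T09:02:11 jsmith T07 LOGIN
2024-03-05T08:58:40 jsmith T07 LOGIN
2024-03-06T09:05:03 jsmith T07 LOGIN
2024-03-07T09:01:27 jsmith T07 LOGIN
2024-03-08T04:30:12 jsmith T07 LOGIN
2024-03-08T04:31:55 jsmith T07 LOGOUT
2024-03-08T08:45:00 mkhan T02 LOGIN
"""

def parse_log(text):
    """Parse lines into events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, terminal, event = parts
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "terminal": terminal, "event": event})
    return events

def login_hour(e):
    return e["time"].hour + e["time"].minute / 60  # 04:30 -> 4.5

def baseline_hours(events):
    """Median login hour per user: the 'typical' time the lecture refers to."""
    hours = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN":
            hours[e["user"]].append(login_hour(e))
    return {u: median(h) for u, h in hours.items()}

def variances(events, tolerance_hours=2.0):
    """Logins further than tolerance_hours from the user's baseline."""
    base = baseline_hours(events)
    return [e for e in events if e["event"] == "LOGIN"
            and abs(login_hour(e) - base[e["user"]]) > tolerance_hours]

def logins_before(events, hour, terminal):
    """The sort/filter step: all logins before `hour` from one terminal."""
    return sorted((e for e in events if e["event"] == "LOGIN"
                   and e["terminal"] == terminal and login_hour(e) < hour),
                  key=lambda e: e["time"])
```

The median is used for the baseline so that the single 4:30 a.m. entry does not drag the user's "typical" hour towards itself; a flagged entry is a lead to investigate (compromised account or clock fault), not a conclusion.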
Audit trails and logs are of significant importance in conducting an audit of an information system in a computerized environment. Where computer equipment becomes a major component of information management, auditing through the computer becomes more delicate and sensitive. Audit trails and logs help in auditing through the computer, as against auditing around the computer.
35.3 Definition of Audit
In accounting and finance terms, an audit is a process which includes an examination of records or financial accounts to check their accuracy, an adjustment or correction of accounts, and an examined and verified account. However, the concept is a bit different in the case of information systems, where an audit is an examination of systems, programming and data center procedures in order to determine the efficiency of computer operations.
35.4 IS audit
Information systems include the accounting and finance function as a critical part of the entire system. Hence, these days an audit of the information system as a whole incisively focuses on the finance and accounting aspect as well. For example, all banks and financial institutions have software supporting interest computations. During the audit of IS, the integrity of the source code/program instructions has to be checked and assurance obtained that these have not been tampered with or altered in any manner.
An information technology (IT) audit or information systems (IS) audit is an examination of the controls within an entity's information technology infrastructure. When transactions are executed and recorded through computers, the lack of a physical audit trail requires implementation of controls within the information system so as to give the same result as controls implemented in a manual information system. IS audit focuses more on examining the integrity of controls and ensuring that they are working properly. Evaluation of the evidence obtained can establish whether the organization's information systems safeguard assets, maintain data integrity, and operate effectively and efficiently to achieve the organization's goals or objectives.
35.5 Parameters of IS audit
Regarding protection of information assets, one purpose of an IT audit is to review and evaluate an organization's information system's availability, confidentiality, and integrity by answering questions such as:
1. Will the organization's computer systems be available for the business at all times when required? (Availability)
2. Will the information in the systems be disclosed only to authorized users? (Confidentiality)
3. Will the information provided by the system always be accurate, reliable, and timely? (Integrity)
4. Besides the availability, confidentiality and integrity of information systems receiving the IT auditor's consideration, it has been suggested by other authors that information system utility, possession and authenticity also be considered, by answering questions such as:
5. Will the organization's computer system provide useful information when required? (Utility)
6. Will the physical aspects of the organization's computer systems be protected from the threat of theft? (Possession)
7. Will the information provided by the system always be genuine and original, without unauthorized change? (Authenticity)
35.6 Risk Based Audit Approach
This approach to audit proceeds with the following steps:
1. Understanding the business process
2. Understanding the control structure built into the system
3. Understanding the inherent risks (risks which are covered through instituting controls), i.e. those which can occur in the absence of controls, e.g.
• Political and legal factors affecting the business
• Nature of the industry in which the organization exists
4. Risk assessment
5. Categorization of the risks identified
As in the case of other audits, an IS audit can also be streamlined based on this approach. The purpose of ensuring a high level of IS security and conducting an effective IS audit presupposes risk assessment, which helps in the implementation of security policy. Risk management is the core line of this entire IT/IS audit. It is a very important concept, and we would now discuss this concept in detail.