An Introduction To
Information, Network and Internet Security


Things to watch

When a software project is being undertaken in an organisation, be it a purchase, modification or a new development, security is often the last thing that is considered in the project life cycle. The Auditor will check to see that for a range of developments the control requirements have been specified at the start of the project and are considered at all stages of the life cycle. The input to this should be driven by the business, which will determine the criticality and sensitivity of the information and then define what protection it requires. This should be translated into control requirements by the security advisors to the project. The Auditor will be looking for proof that this process has been gone through, and will typically look for the signatures of those who signed it off.

Where there are in-house developments the Auditor will be checking to see that there are reasonable tests for input, output and processing. Typically this could be the inspection of test packs showing actual results and expected results. Where there are variations the Auditor will be looking for proof that these have been investigated and that the discrepancy has been resolved. The Auditor will inspect all of the available test results to prove that the programs are actually working properly, and if there are no test results available the Auditor will start to wonder what degree of testing was actually carried out. Test packs should be retained: they prove that the testing process has been carried out properly.

Where an organisation uses cryptography for any purpose the Auditor will want to ensure that it is being used appropriately and securely. The whole process surrounding the use of cryptography will be inspected to gain assurance that this is indeed the case.

One of the areas that many organisations find very difficult to control is that of change management. The rule of thumb is that any change to an operational system or document must go through change management, and this will include any promotion of code to the operational (or production) system. Many organisations have poor control over the number of staff with physical access to the computer rooms and the number of users who have the ability to change any software in the operational environment. (e.g. How many people have access to the computer rooms? Are they all necessary? How many staff have privileged access? Does the organisation actually know, and have these details recorded somewhere?)

The Auditor will select a number of change requests at random and follow them through to conclusion to determine that they were appropriately managed. This will include ensuring that the risks of the change were fully considered, all possibly impacted parties were present, appropriate back-out plans were in place in case of failure, full handover documentation exists and that other documentation (such as DRP/BCP) is updated.

Test data is often not looked after to the same degree as its operational counterpart. Its very name suggests that it is not as important as the 'live' data, but often it is just a copy of recent 'live' data, and can contain sensitive or critical information. Often the data can contain personal data that is subject to the Data Protection Act, and this is overlooked because it is 'only' test data. The Auditor will check that appropriate controls are in place to protect any test data and that the Data Protection Act is not being breached.

A number of organisations outsource software development, and there are often project failures or overruns because of poor management. The Auditor will be looking for evidence of appropriate contractual terms, quality of deliverables and appropriate management of the outsourced project. The sorts of problems that occur in outsourced developments are similar to those that happen internally, but they are usually worse as they are not under the direct control and observation of the organisation. Typical things that will be inspected are the contract, minutes of management meetings, audit results for interim quality audits performed during the development, documentation, sign-off from the organisation at each stage of the development life cycle and proof of adequate testing.

The Auditor will check that the organisation is in receipt of up-to-date vulnerability information and that there are processes in place to patch software to address the identified vulnerabilities.



The Security Practitioner

An Introduction to Information Security