DOCUMENT INFORMATION
Basic information
Format
Number of pages
553
Size
13.61 MB
Content
This book is printed on acid-free paper.

Copyright 2001 by John Wiley and Sons, Inc. All rights reserved.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4744. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 605 Third Avenue, New York, NY 10158-0012, (212) 850-6011, fax (212) 850-6008, E-Mail: PERMREQ@WILEY.COM.

This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

Musaji, Yusufali F.
Auditing and security: AS/400, NT, UNIX, networks, and disaster recovery plans / Yusufali F. Musaji
p. cm.
ISBN 0-471-38371-6 (cloth: alk. paper)
1. Electronic data processing-Auditing. 2. Computer security. I. Title.
QA76.9.A93 M87 2001
005.8-dc21
00-064922

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

This book is dedicated to my grandmother Mrs. ~ulsumbai ~urbhai, who taught me to sacrifice so I could grow. To my mother Mrs. Fatima Musaji, who sacrificed her material well-being so I could pay my school fees. To my son, Ali Musaji, who taught me perseverance, patience, and the marvels of life. To my wife, [name garbled] Musaji, for her love, tolerance, and faith.

... and the big picture, see their roles within it, continuo... resources from hackers and computer thieves, corporations neglected the physical security aspects and as a result suffered financial loss from lack of physical security controls, thus becoming easy game for crooks. In spite of this, physical security continued to be regarded as being limited to the perimeter controls and bodyguards at the front doors. Theft or damage to information processing resources, unauthorized disclosure or erasure of proprietary information, and interruption of support for proprietary business processes are all risks that managers who own or are responsible for information resources must evaluate. Since physical access to information processing resources exposes a company to all of these risks, management must institute physical access controls that are commensurate with the risk and potential loss to the company. The objective of the physical security audit is to determine if management processes have been implemented, are effective, and are in compliance with established instructions and standards as formulated in the company security policy, and whether they ensure that the company's information resources are protected from unauthorized access.

Chapters 3, 4, 5, and ... discuss auditing the most advanced platforms: AS/400, Microsoft NT, and Unix. Why are system concepts and architecture important to understand? Companies do not start by choosing a computer platform. They start by mapping business needs. Because of this, the computer system is very often considered first. Why should the computer architecture matter? The accelerating rate of change of hardware and software technologies necessitates that the system selected has been designed with the future in mind. Do the platforms accommodate inevitable, rapid, and dramatic technology changes with minimum relative effort? Are the systems future-oriented?

Paradoxically, the characteristic of the most advanced design and technology is subtle. It accommodates the rapidly changing hardware and software components, permitting one to fully exploit the latest technologies. Is the operating system conceived as a single entity? Are the facilities such as relational database, communications and networking capabilities, online help, and so on fully integrated into the operating system and the machine? Successful audits of computer platforms are intended to provide an analysis of the computing and network hardware components with potential risks and recommendations. If the computing platform is not secure, neither is the company's data.

Chapter ... continues the discussion of auditing networks. Corporations deploy networks to lower the total cost of network ownership, maximize their return on investment, provide seamless, enterprise-wide services, enable applications, enhance their performance, control network resources, speed up project implementation, and minimize risk. Driven by the rush to e-commerce, security has rapidly become a mission-critical component of the corporate IT infrastructure. By protecting these mission-critical networks from corruption and intrusion, network security has enabled new business applications by reducing risk and providing a foundation for expanding business with intranet, extranet, and electronic commerce applications. Therefore, network security should be a continuous cycle, consisting of establishing a security policy that defines the security goals of the enterprise, implementing security in a comprehensive and layered approach, and auditing the network on a recurring basis to ensure that good network security is easier and more cost-effective. Also, network security should ensure that no irregularities have developed as the network evolves, and the results of the audits should be used to modify the security policy and the technology implementation as needed.

Chapter ... discusses auditing the disaster recovery plan. Large pools of shared databases, time-sharing, vast teleprocessing networks, telecommunication connections to noncompany facilities, multiple distributed printers and systems, and thousands of users characterize the state-of-the-art computer centers in corporations. Disruption of service or the intentional or inadvertent destruction of data could potentially bring business processes to a halt. Across this entire computer infrastructure, the Information Security (IS) processes must be implemented to ensure the confidentiality, integrity, and availability of the company's information assets. The responsibility for the implementation of an effective IS program is assigned according to the company's goals and objectives. Generally, this responsibility is delegated to the information system because of its traditional role as Provider of Service. However, IS is often not the Provider of Service for smaller systems that exist at a location. Regardless of the organizational roles and responsibilities, the corporate information officer (CIO) is responsible for the overall implementation. With the emergence of disaster recovery planning, physical security is regarded as the cornerstone to developing a viable disaster recovery plan. The pundits have suddenly proclaimed "Eureka," and the dawn of physical security as the foundation on which the disaster recovery plan can be built has begun to take hold. Protecting assets from disasters is now one edge of a double-edged sword, with the other edge preventing losses from theft and human errors, which in fact pays partly if not wholly for the costs of disaster recovery planning. The auditor must ensure that the computing environments supporting vital business processes are recoverable in the event of a disaster.

Auditing and Security has been developed for IT managers, IT operations management, and practitioners and students of IT audit. The intent of this book is to highlight the areas of computer controls and to present them to the reader in a practical and pragmatic manner. Each chapter contains usable audit programs and control methods that can be readily applied to information technology audits. As an added value, two presentations are available on the World Wide Web. The first presentation is a proposal for investing in a disaster recovery plan and the second is a firewall selection guide. Please visit www.wiley.com/musaji. The user password is: auditing. These documents are in PowerPoint format.