Information Technology Reference
In-Depth Information
uses, malware, Trojans, and other intrusive rogue programs. Other audit objectives would
include checking whether the firewalls are being monitored, recovery of a firewall in the
event of a disaster, safe storage of firewall configuration, and replacement of firewall
devices.
Firewalls can also be used to create VPN links with other offices such as branch offices
or business partners. Where there are many branch offices and partners, the installation of
firewall stacks may be complex and require an expert in firewalls to understand the architecture
in order to carry out an effective IS audit.
There are various guidelines which are developed by firewall manufacturers for installing
and operating firewall devices. The guidelines include how the firewall software should be
configured. Many advanced firewalls use command line configuration, which requires training
to master in addition to using web interfaces.
The IS auditor should be aware that there are software- and hardware-based firewalls.
There are also vendor-specific firewalls such as Cisco, Cyberoam, Check Point, and
Fortinet. Each firewall type has its own standards. There are also generic standards which
are developed by professional associations and standards organisations, such as the
International Standards Organisation.
ISACA has developed guidelines which IS auditors can use to conduct firewall audits. The
guidelines are generic and not specific to any vendor. The guidelines cover most common
points which are found in most firewall configurations.
The expert can use various tools to audit firewalls, such as penetration testing tools, firewall
monitors, and command line interrogation of the firewall.
The major challenge of firewalls is that there are many brands, and a firewall expert can
only specialise in a few brands. It might be difficult to find experts for certain types of
firewalls. This may make it difficult to perform a detailed and highly technical audit if the IS
audit team cannot find a qualified and competent expert.
Since firewall configurations and installations can be complex, it is recommended to use
firewall specialists as other experts to audit firewalls so that relevant data can be collected,
analysed and appropriate conclusions and recommendations made.
SAP ERP System Auditing
SAP is a popular ERP system used by many enterprises worldwide. It is a powerful ERP
system and able to produce good results for an enterprise. SAP requires good training to
be able to use its functions effectively. The same applies to IS auditors who are assigned to
audit the system. If the IS audit team does not have SAP-trained auditors, they will need to
use other experts. These experts should have appropriate qualifications and competencies