
2009.05.08

GAO Federal Information System Controls Audit Manual (FISCAM)

 Hello, this is Maruyama Mitsuhiko. GAO's system audit manual... it was published in February... Noting it before I forget...
=====
FISCAM control activities are consistent with NIST Special Publication 800-53 and all SP800-53 controls have been mapped to the FISCAM.
=====
 So, according to that, it is also aligned with NIST SP 800-53...

 
・2009.02.09 GAO Federal Information System Controls Audit Manual (FISCAM)

 ・・GAO-09-232G (Full Report)
 ・・Summary (HTML)
 ・・Download appendices 1-3 to enter data to support the gathering and analysis of audit evidence


[Reference]
● Security-related (NIST)
2009.02.05 SP 800-53 Rev.3 (Public Draft)
 ・・800-53-rev3 (PD)
 ・・800-53-rev3-markup-02-05-2009.pdf

・SP 800-53 Rev.2
 ・・sp800 53 rev2
 ・・sp800 53 rev2 annex1
 ・・sp800 53 rev2 annex2
 ・・sp800 53 rev2 annex3


● Financial audit-related (GAO)
GAO/PCIE Financial Audit Manual (FAM) 
 ・・Volume 1 – Final GAO/PCIE Financial Audit Manual (July, 2008) GAO-08-585G
 ・・Volume 2 – Final GAO/PCIE Financial Audit Manual (July, 2008) GAO-08-586G
 ・・Volume 3 - Final GAO/PCIE Financial Audit Manual (August 28, 2007) GAO-07-1173G


Overview
=====
INFORMATION SYSTEM CONTROLS OBJECTIVES GENERAL CONTROLS

Security Management
Controls provide reasonable assurance that security management is effective, including effective:
> security management program
> periodic assessments and validation of risk,
> security control policies and procedures,
> security awareness training and other security-related personnel issues,
> periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices,
> remediation of information security weaknesses, and
> security over activities performed by external third parties.

Access Controls
Controls provide reasonable assurance that access to computer resources (data, equipment, and facilities) is reasonable and restricted to authorized individuals, including effective
> protection of information system boundaries,
> identification and authentication mechanisms,
> authorization controls,
> protection of sensitive system resources,
> audit and monitoring capability, including incident handling, and
> physical security controls.

Configuration Management
Controls provide reasonable assurance that changes to information system resources are authorized and systems are configured and operated securely and as intended, including effective
> configuration management policies, plans, and procedures,
> current configuration identification information,
> proper authorization, testing, approval, and tracking of all configuration changes,
> routine monitoring of the configuration,
> updating software on a timely basis to protect against known vulnerabilities, and
> documentation and approval of emergency changes to the configuration.

Segregation of Duties
Controls provide reasonable assurance that incompatible duties are effectively segregated, including effective
> segregation of incompatible duties and responsibilities and related policies, and
> control of personnel activities through formal operating procedures, supervision, and review.

Contingency Planning
Controls provide reasonable assurance that contingency planning (1) protects information resources and minimizes the risk of unplanned interruptions and (2) provides for recovery of critical operations should interruptions occur, including effective
> assessment of the criticality and sensitivity of computerized operations and identification of supporting resources,
> steps taken to prevent and minimize potential damage and interruption,
> comprehensive contingency plan, and
> periodic testing of the contingency plan, with appropriate adjustments to the plan based on the testing.

BUSINESS PROCESS APPLICATION CONTROLS
Completeness – controls provide reasonable assurance that all transactions that occurred are input into the system, accepted for processing, processed once and only once by the system, and properly included in output.
Accuracy – controls provide reasonable assurance that transactions are properly recorded, with correct amount/data, and on a timely basis (in the proper period); key data elements input for transactions are accurate; data elements are processed accurately by applications that produce reliable results; and output is accurate.
Validity – controls provide reasonable assurance (1) that all recorded transactions actually occurred (are real), relate to the organization, are authentic, and were properly approved in accordance with management's authorization; and (2) that output contains only valid data.
Confidentiality – controls provide reasonable assurance that application data and reports and other output are protected against unauthorized access.
Availability – controls provide reasonable assurance that application data and reports and other relevant business information are readily available to users when needed.
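The completeness, accuracy and validity objectives above are the ones an IS auditor most often tests with an automated tool run over an extracted batch of transactions (FISCAM's own section 2.5.2 is titled "Automated Audit Tools"). The block below is an added example, not GAO's code and not part of this post: it implements one check per objective over a constructed sample batch. The record layout, the sample transactions, the batch control total, the accounting period and the approver list are all assumptions made for the illustration; the sample batch deliberately contains a duplicate, a sequence gap, a wrong-period posting and an unapproved item so that each check has something to report.

```python
"""Automated tests for the FISCAM business process application control
objectives (completeness, accuracy, validity), run over a constructed batch of
transactions. Added example; records, field names, control total, period and
approver list are assumptions, not taken from FISCAM."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Txn:
    seq: int            # input sequence number assigned at data entry
    txn_id: str         # business key; must be processed once and only once
    amount: Decimal
    posted: date        # date the transaction was recorded
    approver: str       # empty string if no approval was recorded


# Constructed sample batch (not real data). Contains one duplicate (seq 3),
# one sequence gap (seq 4 missing), one wrong-period posting (INV-1004) and
# one unapproved transaction (INV-1005).
BATCH = [
    Txn(1, "INV-1001", Decimal("250.00"), date(2009, 2, 3), "jdoe"),
    Txn(2, "INV-1002", Decimal("99.95"), date(2009, 2, 4), "jdoe"),
    Txn(3, "INV-1002", Decimal("99.95"), date(2009, 2, 4), "jdoe"),
    Txn(5, "INV-1004", Decimal("1200.00"), date(2009, 3, 1), "asmith"),
    Txn(6, "INV-1005", Decimal("45.10"), date(2009, 2, 27), ""),
]
# Control total the input clerk computed from the source documents (assumed;
# it excludes the duplicate, so the batch will not agree with it).
BATCH_CONTROL_TOTAL = Decimal("1595.05")
PERIOD = (date(2009, 2, 1), date(2009, 2, 28))       # assumed accounting period
AUTHORIZED_APPROVERS = {"jdoe", "asmith"}             # assumed approver list


def completeness_checks(batch, control_total):
    """Completeness: every transaction is input once and only once (no gaps
    in the input sequence, no duplicate keys) and the batch agrees with the
    control total established before input."""
    findings = []
    seqs = sorted(t.seq for t in batch)
    missing = sorted(set(range(seqs[0], seqs[-1] + 1)) - set(seqs))
    if missing:
        findings.append(f"sequence gap(s): {missing}")
    dups = sorted(k for k, n in Counter(t.txn_id for t in batch).items() if n > 1)
    if dups:
        findings.append(f"duplicate transaction id(s): {dups}")
    total = sum(t.amount for t in batch)
    if total != control_total:
        findings.append(f"batch total {total} != control total {control_total}")
    return findings


def accuracy_checks(batch, period):
    """Accuracy: amounts are well-formed (positive, two decimal places) and
    each transaction is recorded in the proper period."""
    start, end = period
    findings = []
    for t in batch:
        if t.amount <= 0 or t.amount != t.amount.quantize(Decimal("0.01")):
            findings.append(f"{t.txn_id}: malformed amount {t.amount}")
        if not (start <= t.posted <= end):
            findings.append(f"{t.txn_id}: posted {t.posted} outside period")
    return findings


def validity_checks(batch, authorized):
    """Validity: each transaction was approved, and by someone on the list of
    approvers management has authorized."""
    findings = []
    for t in batch:
        if not t.approver:
            findings.append(f"{t.txn_id}: no approval recorded")
        elif t.approver not in authorized:
            findings.append(f"{t.txn_id}: approver {t.approver!r} not authorized")
    return findings


def audit_batch(batch=BATCH, control_total=BATCH_CONTROL_TOTAL,
                period=PERIOD, authorized=AUTHORIZED_APPROVERS):
    """Run all three objective tests and return findings keyed by objective."""
    return {
        "completeness": completeness_checks(batch, control_total),
        "accuracy": accuracy_checks(batch, period),
        "validity": validity_checks(batch, authorized),
    }


if __name__ == "__main__":
    for objective, findings in audit_batch().items():
        print(objective, "OK" if not findings else findings)
```

The three checks are independent by design: a batch can be complete but inaccurate (right transactions, wrong period) or accurate but invalid (right amounts, no approval), which is why FISCAM lists the objectives separately and why an auditor should report findings per objective rather than as a single pass/fail.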

IS AUDIT METHODOLOGY STEPS

Plan the Information System Controls Audit
> Understand the Overall Audit Objectives and Related Scope of the Information System Controls Audit
> Understand the Entity’s Operations and Key Business Processes.
> Obtain a General Understanding of the Structure of the Entity’s Networks
> Identify Key Areas of Audit Interest
> Assess Information System Risk on a Preliminary Basis
> Identify Critical Control Points
> Obtain a Preliminary Understanding of Information System Controls
> Perform Other Audit Planning Procedures
o Relevant Laws and Regulations
o Consideration of the Risk of Fraud
o Previous Audits and Attestation Engagements
o Audit Resources
o Multiyear Testing Plans
o Communication with Entity Management and Those Charged with Governance
o Service Organizations
o Using the Work of Others
o Audit Plan

Perform Information System Controls Audit Tests
> Understand Information Systems Relevant to the Audit Objectives
> Determine which IS Control Techniques are Relevant to the Audit Objectives
> For each Relevant IS Control Technique Determine Whether it is Suitably Designed to Achieve the Critical Activity and has been Implemented
> Perform Tests to Determine Whether such Control Techniques are Operating Effectively
> Identify Potential Weaknesses in IS Controls and Consider Compensating Controls

Report Audit Results
> Evaluate the Effects of Identified IS Control Weaknesses
o Financial Audits, Attestation Engagements, and Performance Audits
> Consider Other Audit Reporting Requirements and Related Reporting Responsibilities
=====

Table of Contents
=====
Chapter 1. Introduction
1.0 Chapter 1 Overview
1.1 Purpose and Anticipated Users of the Manual
1.2 Nature of Information System Controls
1.3 Determining the Nature and Extent of Audit Procedures
1.4 Organization of This Manual
 1.4.1 Appendices

Chapter 2. Performing the Information System Controls Audit
2.0 Introduction
2.1 Plan the Information System Controls Audit
 2.1.1 Overview
 2.1.2 Understand the Overall Audit Objectives and Related Scope of the Information System Controls Audit
 2.1.3 Understand the Entity’s Operations and Key Business Processes
 2.1.4 Obtain a General Understanding of the Structure of the Entity’s Networks
 2.1.5 Identify Key Areas of Audit Interest
 2.1.6 Assess Information System Risk on a Preliminary Basis
 2.1.7 Identify Critical Control Points
 2.1.8 Obtain a Preliminary Understanding of Information System Controls
 2.1.9 Perform Other Audit Planning Procedures
  2.1.9.A Relevant Laws and Regulations
  2.1.9.B Consideration of the Risk of Fraud
  2.1.9.C Previous Audits and Attestation Engagements
  2.1.9.D Audit Resources
  2.1.9.E Multiyear Testing Plans
  2.1.9.F Communication with Entity Management and Those Charged with Governance
  2.1.9.G Service Organizations
  2.1.9.H Using the Work of Others
  2.1.9.I Audit Plan
 2.1.10 Documentation of Planning Phase
2.2 Perform Information System Controls Audit Tests
 2.2.1 Overview
 2.2.2 Nature, Timing, and Extent of Control Tests
 2.2.3 Documentation of Control Testing Phase
2.3 Report Audit Results
 2.3.1 Financial Audits and Attestation Engagements
 2.3.2 Performance Audits
 2.3.3 Other Audit Reporting Considerations
 2.3.4 Related Reporting Responsibilities
 2.3.5 Documentation of Reporting Phase
2.4 Documentation
2.5 Other Information System Controls Audit Considerations
 2.5.1 Additional IS Risk Factors
  2.5.1.A Defense-In-Depth Strategy
  2.5.1.B Web Applications
  2.5.1.C ERP Systems
  2.5.1.D Interface Controls
  2.5.1.E Data Management Systems
  2.5.1.F Network-based Access Control Systems
  2.5.1.G Workstations
 2.5.2 Automated Audit Tools
 2.5.3 Use of Sampling Techniques

Chapter 3. Evaluating and Testing General Controls
3.0 Introduction

3.1. Security Management (SM)
Critical Element SM-1: Establish a Security Management Program
 SM-1.1. The security management program is adequately documented, approved, and up-to-date
 SM-1.2. A security management structure has been established
 SM-1.3. Information security responsibilities are clearly assigned
 SM-1.4. Subordinate security plans are documented, approved, and kept up-to-date
 SM-1.5. An inventory of systems is developed, documented, and kept up-to-date
Critical Element SM-2. Periodically assess and validate risks
Critical Element SM-3. Document and implement security control policies and procedures
Critical Element SM-4. Implement effective security awareness and other security-related personnel policies
 SM-4.1 Ensure that resource owners, system administrators, and users are aware of security policies
 SM-4.2. Hiring, transfer, termination, and performance policies address security
 SM-4.3. Employees have adequate training and expertise
Critical Element SM-5. Monitor the effectiveness of the security program
Critical Element SM-6. Effectively Remediate Information Security Weaknesses
Critical Element SM-7. Ensure that Activities Performed by External Third Parties are Adequately Secure

3.2. Access Controls (AC)
Critical Element AC-1. Adequately protect information system boundaries
 AC-1.1. Appropriately control connectivity to system resources
 AC-1.2. Appropriately control network sessions
Critical Element AC-2. Implement effective identification and authentication mechanisms
 AC-2.1. Users are appropriately identified and authenticated
Critical Element AC-3. Implement effective authorization controls
 AC-3.1. User accounts are appropriately controlled
 AC-3.2. Processes and services are adequately controlled
Critical Element AC-4. Adequately protect sensitive system resources
 AC-4.1. Access to sensitive system resources is restricted and monitored
 AC-4.2. Adequate media controls have been implemented
 AC-4.3. Cryptographic controls are effectively used
Critical Element AC-5. Implement an effective audit and monitoring capability
 AC-5.1. An effective incident response program is documented and approved
 AC-5.2. Incidents are effectively identified and logged
 AC-5.3. Incidents are properly analyzed and appropriate actions taken
Critical Element AC-6. Establish adequate physical security controls
 AC-6.1. Establish a physical security management program based on risk
 AC-6.2. Establish adequate perimeter security based on risk
 AC-6.3. Establish adequate security at entrances and exits based on risk
 AC-6.4. Establish adequate interior security based on risk
 AC-6.5. Adequately protect against emerging threats based on risk

3.3. Configuration Management (CM)
Critical Element CM-1. Develop and document CM policies, plans, and procedures
Critical Element CM-2. Maintain current configuration identification information
Critical Element CM-3. Properly authorize, test, approve, track, and control all configuration changes
Critical Element CM-4. Routinely monitor the configuration
Critical Element CM-5. Update software on a timely basis to protect against known vulnerabilities
 > Vulnerability scanning
 > Patch management
 > Virus protection
 > Emerging threats
 > Noncurrent software
 > Software usage
Critical Element CM-6. Appropriately document and approve emergency changes to the configuration
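CM-5 ("noncurrent software", "patch management") is the configuration management element that is most directly testable from data: the auditor takes the entity's software inventory (CM-2) and compares it with the approved baseline and the patch policy. The block below is an added example, not GAO's or this post's code, of that comparison. The package names, versions, release dates, inventory lines and the 30-day patch window are constructed for the illustration and make no claim about any real advisory; the version comparison is deliberately simplified (dotted numbers with an optional letter suffix, no distribution epochs or revision strings).

```python
"""CM-5 style check: compare a host's installed software against an approved
patch baseline and flag noncurrent packages. Added example; the baseline,
inventory, dates and 30-day window are constructed assumptions."""
import re
from datetime import date, timedelta

# Constructed baseline: package -> (minimum acceptable version, release date
# of that version). Illustrative values only.
BASELINE = {
    "openssl": ("0.9.8k", date(2009, 3, 25)),
    "bind":    ("9.6.0",  date(2009, 1, 8)),
    "httpd":   ("2.2.11", date(2008, 12, 14)),
}
PATCH_WINDOW = timedelta(days=30)   # assumed policy: deploy within 30 days

# Constructed inventory, one "name<TAB>version" per line, in the shape a
# package-manager listing might be exported.
INVENTORY = (
    "openssl\t0.9.8g\n"
    "bind\t9.6.0\n"
    "httpd\t2.2.9\n"
    "sendmail\t8.14.3\n"
)


def version_key(version):
    """Sort key for dotted versions with optional letter suffixes, so that
    0.9.8 < 0.9.8g < 0.9.8k and 2.2.9 < 2.2.11 (a plain string comparison
    would get the last one wrong). Simplified: no epochs or distro revisions."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_inventory(text):
    """Parse the tab-separated inventory into {package: installed_version}."""
    items = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, version = line.split("\t", 1)
        items[name.strip()] = version.strip()
    return items


def noncurrent_software(inventory, baseline, as_of, window=PATCH_WINDOW):
    """Return (package, installed, finding) tuples for packages below the
    baseline, marked overdue when the fix has been available longer than the
    patch window, and for packages with no approved baseline at all."""
    findings = []
    for name, installed in sorted(inventory.items()):
        if name not in baseline:
            findings.append((name, installed, "no approved baseline"))
            continue
        minimum, released = baseline[name]
        if version_key(installed) < version_key(minimum):
            status = "overdue" if as_of - released > window else "within patch window"
            findings.append((name, installed, f"below {minimum} ({status})"))
    return findings


def audit_host(as_of_iso, inventory_text=INVENTORY, baseline=BASELINE):
    """Convenience entry point: run the check as of an ISO date string."""
    return noncurrent_software(parse_inventory(inventory_text), baseline,
                               date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for name, installed, finding in audit_host("2009-05-08"):
        print(f"{name:<10}{installed:<10}{finding}")
```

Two points a practitioner would want from this check: the "no approved baseline" finding is as important as the version findings, because software the entity does not track cannot be patched on a timely basis (CM-2 failing causes CM-5 to fail); and the overdue/within-window distinction is what turns a raw version diff into a control test, since the control is "timely" updating, not "instant" updating.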

3.4. Segregation of Duties (SD)
Critical Element SD-1. Segregate incompatible duties and establish related policies
 SD-1.1. Incompatible duties have been identified and policies implemented to segregate these duties
 SD-1.2. Job descriptions have been documented
 SD-1.3. Employees understand their duties and responsibilities
Critical Element SD-2. Control personnel activities through formal operating procedures, supervision, and review
 SD-2.1. Formal procedures guide personnel in performing their duties
 SD-2.2. Active supervision and review are provided for all personnel

3.5. Contingency Planning (CP)
Critical Element CP-1. Assess the criticality and sensitivity of computerized operations and identify supporting resources
 CP-1.1. Critical data and operations are identified and prioritized
 CP-1.2. Resources supporting critical operations are identified and analyzed
 CP-1.3. Emergency processing priorities are established
Critical Element CP-2. Take steps to prevent and minimize potential damage and interruption
 CP-2.1. Data and program backup procedures have been implemented
 CP-2.2. Adequate environmental controls have been implemented
 CP-2.3. Staff have been trained to respond to emergencies
 CP-2.4. Effective hardware maintenance, problem management, and change management help prevent unexpected interruptions
Critical Element CP-3. Develop and document a comprehensive contingency plan
 CP-3.1. An up-to-date contingency plan is documented
 CP-3.2. Arrangements have been made for alternate data processing, storage, and telecommunications facilities
Critical Element CP-4. Periodically test the contingency plan and adjust it as appropriate
 CP-4.1. The plan is periodically tested
 CP-4.2. Test results are analyzed and the contingency plan is adjusted accordingly

Chapter 4. Evaluating and Testing Business Process Application Controls
4.0 Overview
 4.0.1 The Auditor’s Consideration of Business Process Control Objectives
 4.0.2 Steps in Assessing Business Process Application Level Controls
 4.0.3 Plan the Information System Controls Audit of Business Process Application Level Controls
  4.0.3.A Understand the overall audit objectives and related scope of the business process application control assessment
  4.0.3.B Understand the entity’s operations and key business processes
  4.0.3.C Obtain a general understanding of the structure of the entity’s networks
  4.0.3.D Identify key areas of audit interest (files, applications, systems, locations)
  4.0.3.E Assess information system risk on a preliminary basis
  4.0.3.F Identify critical control points
  4.0.3.G Obtain a preliminary understanding of application controls
  4.0.3.H Perform other audit planning procedures
 4.0.4 Perform Information System Controls Audit Tests of Business Process Application Level Controls
 4.0.5 Report Audit Results

4.1. Application Level General Controls (AS)
Critical Element AS-1. Implement effective application security management.
 > Establish an application security plan
 > Periodically assess and validate application security risks
 > Document and implement application security policies and procedures
 > Implement effective security awareness and other security-related personnel policies
 > Monitor the effectiveness of the security program
 > Effectively remediate information security weaknesses
 > Ensure that activities performed by external third parties are adequately secure
Critical Element AS-2. Implement effective application access controls
 > Adequately protect application boundaries
 > Implement effective identification and authentication mechanisms
 > Implement effective authorization controls
 > Adequately protect sensitive application resources
 > Implement an effective audit and monitoring capability
 > Establish adequate physical security controls
Critical Element AS-3. Implement effective application configuration management
Critical Element AS-4. Segregate user access to conflicting transactions and activities and monitor
Critical Element AS-5. Implement effective application contingency planning
 > Assess the criticality and sensitivity of the application
 > Take steps to prevent and minimize potential damage and interruption
 > Develop and document an application contingency plan
 > Periodically test the contingency plan and adjust it as appropriate
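SD-1 in the general controls ("incompatible duties have been identified and policies implemented to segregate these duties") and AS-4 here ("segregate user access to conflicting transactions and activities and monitor") are tested the same way in practice: the auditor obtains the role-to-transaction mapping and the user-to-role assignments, defines the incompatible pairs of transactions, and computes which users can perform both sides of a pair. The block below is an added example of that analysis, not GAO's or this post's code; the roles, transactions, conflict pairs and users are constructed for the illustration. It also flags roles that bundle incompatible duties on their own, which is a role design defect rather than an assignment error and needs a different fix.

```python
"""Segregation-of-duties analysis: find users whose combined role assignments
let them perform incompatible transactions (FISCAM SD-1 / AS-4). Added
example; roles, activities, conflict pairs and users are constructed."""

# Constructed role -> transactions (activities) the role can perform.
ROLE_ACTIVITIES = {
    "ap_clerk":    {"create_vendor", "enter_invoice"},
    "ap_approver": {"approve_invoice"},
    "treasury":    {"release_payment"},
    "ap_admin":    {"create_vendor", "enter_invoice", "approve_invoice"},
    "auditor":     {"view_ledger"},
}

# Constructed incompatible-duty pairs (unordered): a user holding both can
# complete a fraudulent transaction without a second person.
CONFLICTS = [
    ("create_vendor", "release_payment"),
    ("enter_invoice", "approve_invoice"),
    ("approve_invoice", "release_payment"),
]

# Constructed user -> roles assignments.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob":   {"ap_clerk", "treasury"},   # vendor creation + payment release
    "carol": {"ap_admin"},               # one role already bundles a conflict
    "dave":  {"ap_approver", "auditor"},
}


def user_activities(user, user_roles=USER_ROLES, role_activities=ROLE_ACTIVITIES):
    """Map each activity the user can perform to the roles that grant it, so a
    finding can say which assignment to remove."""
    acts = {}
    for role in user_roles.get(user, ()):
        for activity in role_activities.get(role, ()):
            acts.setdefault(activity, set()).add(role)
    return acts


def sod_violations(user_roles=USER_ROLES, role_activities=ROLE_ACTIVITIES,
                   conflicts=CONFLICTS):
    """Return (user, activity_a, activity_b, granting_roles) for every user
    who can perform both sides of an incompatible pair."""
    violations = []
    for user in sorted(user_roles):
        acts = user_activities(user, user_roles, role_activities)
        for a, b in conflicts:
            if a in acts and b in acts:
                violations.append((user, a, b, sorted(acts[a] | acts[b])))
    return violations


def toxic_roles(role_activities=ROLE_ACTIVITIES, conflicts=CONFLICTS):
    """Roles that by themselves grant an incompatible pair. These cannot be
    fixed by reassigning users; the role definition has to be split."""
    return sorted(
        role for role, acts in role_activities.items()
        if any(a in acts and b in acts for a, b in conflicts)
    )


if __name__ == "__main__":
    for user, a, b, roles in sod_violations():
        print(f"{user}: {a} + {b} via roles {roles}")
    print("roles bundling incompatible duties:", toxic_roles())
```

The "and monitor" part of AS-4 is the follow-up: where a conflict cannot be removed (a small finance team, for example), the auditor expects a compensating detective control, such as review of the transactions those specific users entered, and this report is the list of users that review must cover.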

4.2. Business Process Controls (BP)
Master Data vs. Transaction Data
Business Process Application Control Objectives
User Satisfaction Inquiry
NIST Guidance
Business Process Control Critical Elements
Critical Element BP-1. Transaction Data Input is complete, accurate, valid, and confidential
(Transaction Data Input Controls)
 > Implement an effective transaction data strategy and design
 > Establish Input Preparation (approval and review) Policies and Procedures
 > Build Data Validation and Edits within the Application
 > Implement Effective Auditing and Monitoring Capability
Critical Element BP-2. Transaction Data Processing is complete, accurate, valid, and confidential
(Transaction Data Processing Controls)
 > Formal Transaction Processing Procedures
 > Effective auditing and monitoring capability
Critical Element BP-3. Transaction data output is complete, accurate, valid, and confidential
(Transaction Data Output Controls)
 > Implementing a reporting strategy
 > Establishing security and controls over report generation and distribution
Critical Element BP-4. Master Data Setup and Maintenance is Adequately Controlled
 > Implementing an effective design of master data elements
 > Establishing master data maintenance procedures, including approval, review, and adequate support for changes to master data
 > Implementing an effective auditing and monitoring capability

4.3. Interface Controls (IN)
Critical Element IN-1. Implement an effective interface strategy and design.
Critical Element IN-2. Implement effective processing procedures

4.4 Data Management System Controls (DA)
Critical Element DA-1. Implement an Effective Data Management System Strategy and Design
Key Concepts - Database Management Systems
 > Authentication/Authorization
 > SQL Commands
 > System, Role, Object Privileges
 > Stored Procedures
Key Concepts – Middleware
 > Middleware Controls
Key Concepts – Cryptography
Key Concepts – Data Warehouse, Data Reporting and Data Extraction Software
 > Segregation of Duties

Appendices
Appendix I - Information System Controls Audit Planning Checklist
Appendix II - Tables for Summarizing Work Performed in Evaluating and Testing General and Business Process Application Controls
Appendix III - Tables for Assessing the Effectiveness of General and Business Process Application Controls
Appendix IV - Mapping of FISCAM to NIST SP 800-53 And Other Related NIST Publications
Appendix V - Knowledge, Skills, and Abilities Needed to Perform Information System Controls Audits
Appendix VI - Scope of an Information System Controls Audit in Support of a Financial Audit
Appendix VII - Entity’s Use of Service Organizations
Appendix VIII - Application of FISCAM to Single Audits
Appendix IX - Application of FISCAM to FISMA
Appendix X - Information System Controls Audit Documentation
Appendix XI - Glossary
Appendix XII – Bibliography
=====
