When someone is appointed to do auditing, he will do it either as part of a team or alone. When he works in a team, he must know each member's roles and responsibilities. The role of an auditor depends on which type of auditor he is. There are two types of auditors: Lead Auditor and Auditor.
When someone is assigned as lead auditor, his work starts immediately. "The lead auditor must meet the client, audit manager, or management to define objectives." (Helgeson 2010)
The lead auditor meets the project team to check its availability and to learn the specialities of the team members.
The lead auditor initially reviews the software documents when they arrive.
The lead auditor organises another meeting to discuss the project before the audit is started.
The lead auditor plans the audit and sends notice of it to all members of the team.
Communication with auditee management and the client is handled by the lead auditor.
The lead auditor's other roles include writing the audit report, informing the auditee about the findings, and mitigating clashes.
"In the event this is a small audit. If the audit is standard, the auditor must be familiar with it. If the audit is a part of an investigation of development problems, the auditor needs to know what prompted the audit." (Helgeson 2010)(http://books.google.co.uk/books?id=-yaU6vz69zkC&pg=PA76&dq=IS+Auditor's+role+in+software+project+team&hl=en&ei=B0KvTLGBIsqUOsWVnOQF&sa=X&oi=book_result&ct=result&resnum=5&ved=0CEcQ6AEwBA#)
The auditor gets a list from the lead auditor which specifies those parts of development that he needs to cover.
Using the checklist, the auditor writes the answers and gathers the evidence to verify conformance and non-conformance. At the end of the day the auditor discusses the non-conformances and the problems with the lead.
Role of IS Auditor for security architectural principles
The IS auditor checks whether information systems are effective. Generally IS auditors work with other employees in the department or organisation to make certain that systems are secure, and to determine that the security controls safeguard the organisation's assets, maintain data integrity, use resources efficiently, and achieve the organisation's goals effectively.
Critically assess the Software System Engineering for security.
System software is software, including utility programs, that is used to operate and maintain the system on which it runs so that the system can provide resources. In computer systems, operating systems are system software. Examples of operating systems are Windows, Linux and Mac OS.
Features of secure Operating Systems:
To call an operating system secure, it needs to have some features which provide security.
Authentication of Users: A secure operating system must authenticate users, i.e. their identity must be verified by the operating system.
File and I/O Device Access Control: Only authorised users can access the files stored in the system and the input-output devices attached to it.
Enforcement of Sharing: Secure operating systems enforce the rules and policies of sharing.
Operating System Security Policies
Restricted Access: A secure operating system must restrict each user's access according to the type of account or the permissions granted to that user. The restrictions a secure operating system can apply cover commands, file access, login times, network access, terminal access and inactive users.
Detection: A secure operating system detects changes immediately, such as a password being changed or files being deleted, especially after a backup.
Basic Design Principles
Path of least resistance: The most natural way of doing any task should also be the secure way.
Critically analyse the security architectural principles; identify and critically discuss the types of audits, how they constitute security architectural principles, and the source level of the auditing tools used.
Security Architectural Principles
The principle of Least Privilege is used to control the flow of information: a person or process is given only the minimal authority needed to finish the given tasks.
Data Classification is a process that classifies data into different classes (confidential, private, public, or unclassified) so that the levels of security control can be determined.
The principle of Separation of Duty divides a job and its authority among more than one user.
Confidentiality ensures that information is not disclosed to unauthorised users.
Integrity ensures that information or assets are not modified or harmed by unauthorised users.
Availability means that data or assets are available and ready to use when required by an authorised user.
The Defence in Depth principle describes a layered strategy for security. Each layer contains components that work one after another to provide security.
[George Farah, 2004] [http://www.sans.org/reading_room/whitepapers/auditing/information-systems-security-architecture-approach-layered-protection_1527]
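The three access-control principles listed above (data classification, least privilege and separation of duty) can be made concrete in code. The following is an added example written for this page, not code from the essay or from the cited SANS paper: a small policy engine over constructed sample users and records. The classification levels, permission names and the payment workflow are assumptions made for illustration.

```python
"""Added example: a tiny policy engine applying data classification,
least privilege and separation of duty to access requests.
All users, roles and records here are constructed sample data."""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Classification levels in increasing order of sensitivity (the essay's classes).
LEVELS = {"unclassified": 0, "public": 1, "private": 2, "confidential": 3}


@dataclass(frozen=True)
class Record:
    name: str
    classification: str


@dataclass(frozen=True)
class User:
    name: str
    clearance: str               # highest classification the user may read
    permissions: FrozenSet[str]  # least privilege: only what the job needs


def can_read(user: User, record: Record) -> bool:
    """Classification check: reading needs the 'read' permission and a
    clearance at or above the record's classification level."""
    if "read" not in user.permissions:
        return False
    return LEVELS[user.clearance] >= LEVELS[record.classification]


def can_write(user: User, record: Record) -> bool:
    """Least privilege: writing needs an explicit 'write' permission in
    addition to sufficient clearance; 'read' alone never implies 'write'."""
    if "write" not in user.permissions:
        return False
    return LEVELS[user.clearance] >= LEVELS[record.classification]


@dataclass
class PaymentWorkflow:
    """Separation of duty: the user who prepares a payment must not be the
    one who approves it, even if they hold both permissions."""
    prepared_by: Optional[str] = None
    approved_by: Optional[str] = None

    def prepare(self, user: User) -> None:
        if "prepare_payment" not in user.permissions:
            raise PermissionError(f"{user.name} may not prepare payments")
        self.prepared_by = user.name

    def approve(self, user: User) -> bool:
        """Returns True when approval is recorded, False when the separation
        of duty rule blocks it (same person prepared and approved)."""
        if "approve_payment" not in user.permissions:
            raise PermissionError(f"{user.name} may not approve payments")
        if self.prepared_by is None:
            raise ValueError("nothing has been prepared yet")
        if user.name == self.prepared_by:
            return False
        self.approved_by = user.name
        return True


# Constructed sample data.
PAYROLL = Record("payroll.xlsx", "confidential")
NEWSLETTER = Record("newsletter.txt", "public")
CLERK = User("clerk", "private", frozenset({"read", "prepare_payment"}))
MANAGER = User("manager", "confidential",
               frozenset({"read", "write", "prepare_payment", "approve_payment"}))


def demo() -> dict:
    """Run the checks on the sample data and return the outcomes."""
    wf_ok = PaymentWorkflow()
    wf_ok.prepare(CLERK)
    wf_bad = PaymentWorkflow()
    wf_bad.prepare(MANAGER)
    return {
        "clerk_reads_payroll": can_read(CLERK, PAYROLL),        # False: clearance too low
        "clerk_reads_newsletter": can_read(CLERK, NEWSLETTER),  # True
        "clerk_writes_newsletter": can_write(CLERK, NEWSLETTER),  # False: no write permission
        "manager_writes_payroll": can_write(MANAGER, PAYROLL),  # True
        "manager_approves_clerk": wf_ok.approve(MANAGER),      # True
        "manager_approves_self": wf_bad.approve(MANAGER),      # False: separation of duty
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The point an auditor would look for is that each rule is enforced by the system rather than by convention: a clerk with read access cannot write, and a manager holding both payment permissions still cannot approve their own payment.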
Constituting Security Architecture Principles
The lead architect develops the architecture principles; the CIO, the Architecture Board and some business stakeholders of the organisation are also involved in this development.
To implement the principles, suitable policies and procedures are developed. Architecture principles are derived from the overall IT principles, and these principles align the IT strategy with the business strategies and visions. [The Open Group 1999-2006]
The Role of IS Auditor in Developing Architecture Principles
The IS auditor researches system software, applications and databases.
The IS auditor reviews the job descriptions of the organisation's employees.
He also analyses the organisation's data recovery plan.
He evaluates the IT budget and the system planning documents.
He also reviews IT policies and procedures.
Identify and explore the various operating systems and programming languages.
"An Operating System is a software program or set of programs that mediate access between physical devices (such as a keyboard, mouse, monitor, disk drive or network connection) and application programs (such as a word processor, World-Wide Web browser or electronic mail client)." [Hitachi ID Systems, Inc. 2010]
An operating system is software that communicates with the hardware of a computer system at the most fundamental level. No application can run on a computer that does not have an operating system. It also performs other essential work such as memory allocation, task processing and access to all input-output devices, and the user interface is also provided by the operating system. [Techterms.com]
Various Operating Systems
DOS: DOS stands for Disk Operating System. It is one of the earliest pieces of system software for PCs. "When you turned the computer on all you saw was the command prompt which looked like c:\ >." Anything a user wanted to do was based on commands typed at this command prompt. Example: c:\>md Shergill, where 'md' is the command to create a new directory and Shergill is the name of the directory. This was the command-line interface for users. It was not a very user-friendly operating system.
Windows: "The Windows operating system, a product of Microsoft, is a GUI (graphical user interface) operating system." So far, Microsoft Windows has had many versions, such as Windows 3.0, Windows 95, Windows 98, Windows 2000, Windows XP and Windows Vista; the latest Windows operating system from Microsoft is Windows 7.
These Windows operating systems are said to have WIMP (windows, icons, menus, and pointing device (mouse)) features.
Its graphical user interface is very user-friendly, and it supports the NTFS and FAT file systems.
Mac OS X: "Macintosh, a product of Apple, has its own operating system with a GUI and WIMP features." [Operating Systems, 2001] Mac OS is a graphical user interface operating system developed, marketed and sold by Apple Inc. "Mac OS X is the successor to the original Mac OS, which had been Apple's primary operating system since 1984." [http://www.operating-system-type.com/]
Unix-Linux: "UNIX is a multi-user, multitasking operating system, and was designed to be a small, flexible system used by computer programmers." It was originally designed for programmers, so it was considered a user-friendly operating system. However, a GUI feature was added to UNIX for users' ease.
Linux: This operating system was created as a hobby by Linus Torvalds, who was a student at the University of Helsinki, Finland. It competes against very popular operating systems such as UNIX and Microsoft Windows because of its robustness, adaptability and functionality. It supports several hardware platforms, so it is now accepted worldwide in many devices and items of equipment. [Rhoda L. Wilburn]
"A programming language is an artificial formalism in which algorithms can be expressed." (Maurizio Gabbrielli and Simone Martini, 2006)
"Programming or coding is a language that is used by operating systems to perform the task." A computer can understand only binary language (0s and 1s), which humans cannot easily understand, so an intermediate language is used instead of binary. The programmer or developer writes the program or source code in a high-level language that is read and translated by an interpreter so that the computer can understand it. (RoseIndia.net, 2008)
Different Programming Languages
A number of programming languages are available, used for different purposes. Some of them share common purposes.
Critically evaluate the security of application programme in terms of authentication process.
A number of application programs are installed on a computer's system software, and some of these applications may not be allowed to be accessed by everyone. Only selected users can access them according to the permissions given to them. To check these permissions, the process of authentication is executed first; it checks whether the person trying to access the application is the right user or not. Guy Huntington, in his article, says of authentication that "Authentication is the process of determining if a user or identity is who they claim to be. Authentication is accomplished using something the user knows (e.g. password), something the user has (e.g. security token) or something of the user (e.g. biometric)." (Guy Huntington; Oct 5, 2010) Without verification of identity, a user cannot log in or use the authorities or permissions that he has.
Types of Authentication to secure application programs
NTLM (NT LAN Manager) Authentication: This authentication type is based on what the user knows. The user enters his/her identity when and where required and is then asked to enter a valid password to confirm that identity. If the user fails to enter the correct password, he cannot log in or access the particular application.
Kerberos Authentication: In Kerberos authentication a secret key is shared. When the user logs in through the software called authentication management software, the application generates a ticket using the user ID and his password. That ticket is matched with the ticket stored on the server to which the user is authenticating.
SPNEGO Authentication: SPNEGO stands for Simple and Protected Negotiation Mechanism. This authentication is used when a client application needs to authenticate to a remote server and neither side knows which authentication protocol is used on the other end. Unlike other Windows authentication, the client application provides a list of the authentication methods that are available; the service then selects the authentication method that will most probably work. (TamaraWilhite, 2010)
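The password check described for the "something the user knows" factor, and the idea of a ticket issued after login that a server can verify with a shared secret key, are shown below in an added example written for this page. It is not code from the essay and it is not an implementation of NTLM or Kerberos: the ticket is a simplified HMAC-signed token that stands in for the ticket concept, and the user store, shared key and timestamps are constructed sample values.

```python
"""Added example: verifying a password (the knowledge factor) against a
salted hash, then issuing a short-lived signed ticket that a server sharing
the same key can check.  Simplified illustration, not real Kerberos/NTLM.
All users, keys and times here are constructed sample values."""
import base64
import binascii
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000
TICKET_LIFETIME = 300  # seconds a ticket stays valid


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store a salted PBKDF2 digest, never the clear-text password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(store: Dict[str, Tuple[bytes, bytes]], username: str, password: str) -> bool:
    """Compare in constant time so a wrong guess does not leak timing."""
    entry = store.get(username)
    if entry is None:
        # Do the same work for unknown users so their absence is not
        # observable through a faster response.
        hash_password(password, b"\x00" * 16)
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def issue_ticket(shared_key: bytes, username: str, now: int) -> str:
    """Ticket = base64(user|expiry) . base64(HMAC over that payload)."""
    payload = f"{username}|{now + TICKET_LIFETIME}".encode()
    tag = hmac.new(shared_key, payload, "sha256").digest()
    return _b64(payload) + "." + _b64(tag)


def check_ticket(shared_key: bytes, ticket: str, now: int) -> Optional[str]:
    """Return the username if the ticket is authentic and unexpired, else None."""
    try:
        encoded_payload, encoded_tag = ticket.split(".")
        payload = base64.urlsafe_b64decode(encoded_payload)
        tag = base64.urlsafe_b64decode(encoded_tag)
        username, expiry = payload.decode().rsplit("|", 1)
        expiry_ts = int(expiry)
    except (ValueError, binascii.Error):
        return None  # malformed ticket
    expected = hmac.new(shared_key, payload, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or altered, or signed with a different key
    if now >= expiry_ts:
        return None  # expired
    return username


def login(store: Dict[str, Tuple[bytes, bytes]], shared_key: bytes,
          username: str, password: str, now: int) -> Optional[str]:
    """Password check first; only a verified identity receives a ticket."""
    if not verify_password(store, username, password):
        return None
    return issue_ticket(shared_key, username, now)


# Constructed sample data (fixed salt only so the example is reproducible).
USERS = {"alice": hash_password("correct horse battery staple", salt=b"constructed-salt")}
SHARED_KEY = b"constructed-shared-key-not-for-production"

if __name__ == "__main__":
    now = int(time.time())
    ticket = login(USERS, SHARED_KEY, "alice", "correct horse battery staple", now)
    print("ticket issued:", ticket is not None)
    print("server accepts:", check_ticket(SHARED_KEY, ticket, now + 10))
    print("wrong password:", login(USERS, SHARED_KEY, "alice", "guess", now))
```

The `now` parameter is passed in rather than read from the clock inside the functions so that expiry behaviour can be exercised deterministically; in production the server would use its own clock and, as with real Kerberos tickets, tolerate only a small clock skew between client and server.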