Knowledge-based systems for IT audits

From Master Projects


Title: Towards an Improved Integrated Audit: Analysis of integrated IT audit tasks using CommonKADS and Fault-Tree Models
Status: finished
Master: Information Sciences
Student name: Thomas Bosboom
Student number: 0000000
Dates
Start: 2007/05/01
End: 2007/10/31
Supervision
Supervisor: Michel Klein
Second reader: Jaap Gordijn
Company: Deloitte ERS


Abstract

Short specification of the company/department

The project is hosted by the Enterprise Risk Services (ERS, or Risk Consulting) practice at Deloitte. ERS helps clients manage risk and uncertainty, from the boardroom to the network. ERS offers risk control of the organisation and of its information and communication technology. ERS also helps to secure e-business and systems such as SAP, PeopleSoft, BaaN, Oracle and Siebel. Deloitte ERS provides a broad array of services that allow clients to better measure, manage and control risk, to enhance the reliability of systems and processes throughout the enterprise. One of the services Deloitte ERS provides for customers is auditing of their IT environment. These audits can be performed to test the compliance of organisations (for example SOx compliance) or as part of the accountant's integrated audit.

Short problem formulation

In current practice, assessing information security risks relies on professional judgment. Consultants at Deloitte state that the reliance on professional judgment can cause issues. Two important issues are costs and consistency.

The cost of professional judgment is relatively high since experienced professionals are expensive. Due to changes in the ERS practice such as the SOx legislation, there is a tendency towards more frequent auditing. Making audits quicker and less costly to perform would help to make frequent audits possible. Consistency can be problematic since the judgments of different professionals can vary for reasons such as different backgrounds. Currently it is possible that the judgment of an auditor during an audit is worse than that of the colleague who performed an earlier audit, even though the organization has improved itself in several ways.

Thus, the problem is that audits will have to become less demanding on professional expertise and more consistent between auditors. Knowledge-Based Systems (KBS) can support knowledge-intensive tasks. They can help to ensure the consistency of results and assist in the distribution of expertise (Martin et al.). They can make knowledge more flexible by separating inference from knowledge (Schreiber). Additionally, a KBS can offer an explanation of its solutions, which improves the transparency of a result (Schreiber).

The role of the student in the project and his contribution

The research question is: Can we support the security auditing of information systems, more specifically the access management and configuration of a UNIX server, using a knowledge system?

To answer this research question I will determine the feasibility and possible structure of a KBS that can support the auditor. I will perform a knowledge level analysis for a KBS that provides support for information security auditing using CommonKADS.

The CommonKADS methodology offers a framework for knowledge system development.

The CommonKADS methodology provides special techniques for investigating the context in which the knowledge system will operate, which makes it especially suited for this project in which the context is highly complex. CommonKADS offers tools for context analysis using an organizational model, task model and agent model. These models create the basis for the conceptual modeling phase. In this phase, a knowledge model and communication model are created. Based on the knowledge and communication models, a design model can be constructed that describes the structure of the resulting KBS.

To keep the complexity of the problem down to a manageable level for a six-month internship, I will focus the research on the feasibility of developing a knowledge system that automatically assigns a score (classification) to the information security section of the general computer controls. My project will focus on the analysis of the configuration of a UNIX server. This subsection offers a good starting point since there are some basic tools (e.g. SekChek) available on which the knowledge system could build. If the KBS support turns out to be viable for this limited application, it can likely be extended to other sections later.
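To make concrete what the two preceding ideas mean in practice (a KBS that keeps its knowledge separate from its inference engine and explains its conclusions, and a system that assigns a classification to the UNIX configuration part of the general computer controls), here is a small added example. It is not code from the project or from Deloitte: the rule base, the weights and thresholds, the three-level rating, and the configuration fact names are all invented for illustration, and the sample facts are constructed rather than collected from any real server. The point it shows is that the rules are plain data, the inference loop never mentions a specific control, every conclusion carries its own explanation, and missing evidence is scored conservatively so that two auditors feeding the same facts always get the same rating.

```python
"""Toy knowledge-based system for scoring a UNIX server configuration.

Added example, not part of the original project. Knowledge (RULES) is kept
apart from inference (evaluate), and every finding carries an explanation.
All thresholds, weights, fact names and sample values are assumptions.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    name: str                      # identifier quoted in the explanation
    attribute: str                 # configuration fact the rule inspects
    passes: Callable[[Any], bool]  # predicate: True when the control is met
    weight: int                    # points lost when the control is not met
    rationale: str                 # why the control matters (for the explanation)


@dataclass(frozen=True)
class Finding:
    rule: str
    status: str          # "pass", "fail" or "no evidence"
    observed: Any
    explanation: str


@dataclass(frozen=True)
class AuditResult:
    score: int
    rating: str
    findings: List[Finding]


# Knowledge layer: the rule base. Weights and thresholds are illustrative
# assumptions, not the project's or the firm's own audit criteria.
RULES: List[Rule] = [
    Rule("PW-LEN", "min_password_length", lambda v: v >= 8, 15,
         "short passwords weaken authentication"),
    Rule("ROOT-REMOTE", "root_remote_login", lambda v: v is False, 25,
         "direct remote root login removes individual accountability"),
    Rule("WW-FILES", "world_writable_system_files", lambda v: v == 0, 20,
         "world-writable system files allow unauthorised modification"),
    Rule("PW-AGE", "password_max_age_days", lambda v: v <= 90, 10,
         "unlimited password lifetime prolongs exposure of leaked credentials"),
    Rule("LOCKOUT", "failed_login_lockout", lambda v: v is True, 15,
         "without lockout, repeated failed logins go unchecked"),
]


def classify(score: int) -> str:
    """Map the numeric score onto an assumed three-level rating."""
    if score >= 85:
        return "effective"
    if score >= 60:
        return "deficient"
    return "ineffective"


def evaluate(facts: Dict[str, Any], rules: List[Rule] = RULES) -> AuditResult:
    """Generic inference: walk the rule base, deduct weights, record why.

    Missing evidence is scored conservatively (as a failure) and flagged, so an
    incomplete collection cannot silently inflate the score.
    """
    score = 100
    findings: List[Finding] = []
    for rule in rules:
        if rule.attribute not in facts:
            status, observed = "no evidence", None
            text = (f"{rule.name}: no evidence collected for {rule.attribute}; "
                    f"treated as failing, -{rule.weight} ({rule.rationale})")
            score -= rule.weight
        else:
            observed = facts[rule.attribute]
            if rule.passes(observed):
                status = "pass"
                text = f"{rule.name}: {rule.attribute}={observed!r} meets the control"
            else:
                status = "fail"
                text = (f"{rule.name}: {rule.attribute}={observed!r} fails the control; "
                        f"-{rule.weight} ({rule.rationale})")
                score -= rule.weight
        findings.append(Finding(rule.name, status, observed, text))
    score = max(score, 0)
    return AuditResult(score, classify(score), findings)


def explain(result: AuditResult) -> List[str]:
    """Explanation the KBS would show the auditor next to the rating."""
    return [f.explanation for f in result.findings] + [
        f"score {result.score}/100 -> {result.rating}"]


# Constructed sample facts (invented field names, not SekChek's output format).
# "failed_login_lockout" is deliberately absent: evidence was not collected.
SAMPLE_FACTS = {
    "min_password_length": 6,
    "root_remote_login": True,
    "world_writable_system_files": 0,
    "password_max_age_days": 365,
}

# A second constructed set in which every control is met.
HARDENED_FACTS = {
    "min_password_length": 12,
    "root_remote_login": False,
    "world_writable_system_files": 0,
    "password_max_age_days": 90,
    "failed_login_lockout": True,
}

if __name__ == "__main__":
    for line in explain(evaluate(SAMPLE_FACTS)):
        print(line)
```

Extending the system to another control section means appending rules to the list; `evaluate` and `explain` do not change, which is the flexibility the separation of knowledge and inference buys.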