Audit and Assurance


Understanding Operating System, and Database concepts

  • 1.  Understanding Operating System, and Database concepts

    Posted 22 Jan, 2020 08:59
    Edited by Bader Abuhilal 22 Jan, 2020 09:00
    Hi everyone,

    Does anyone know of resources that can help explain / train me in operating systems and databases for the purpose of completing audit work programs for:

    1) Unix and or Windows operating systems and
    2) Oracle and or SQL Databases

    I find that specialized work programs require knowledge of the underlying technologies and not to be treated as a check list. I also find that I need to understand certain concepts and technical knowledge to effectively execute and test security and configuration controls for the above mentioned platforms.

    Although there are tons of resources out there it can get confusing deciding on which one to take especially if your objective is to audit and not to administer these platforms.

    Thanks so much for your help.

    ------------------------------
    Bader Abuhilal
    Information Systems Auditor
    ------------------------------


  • 2.  RE: Understanding Operating System, and Database concepts

    Posted 22 Jan, 2020 11:17
    Hi Bader,

    Well, it's good to have knowledge of all of them, but it's not possible to digest it all at the same time. My view on this is that you can go and try certifications such as RHCE and certifications related to Oracle and SQL.

    Technology is something that, unless you work with it, is difficult to get hands-on with. Also, the implementation and controls vary from industry to industry and case to case. You may have to spend considerable time with the technology to get the context.

    Note: ISACA is a vendor-neutral body and the above view is mine only.

    ------------------------------
    D Anand
    ------------------------------



  • 3.  RE: Understanding Operating System, and Database concepts

    Posted 23 Jan, 2020 01:03
    Hi Anand,

    Thanks for the reply, I guess certification is a good option.

    ------------------------------
    Bader Abuhilal
    Information Systems Auditor
    ------------------------------



  • 4.  RE: Understanding Operating System, and Database concepts

    Posted 23 Jan, 2020 02:56
    Hi Bader,

    Not sure if you have seen this - this may be of help: https://www.isaca.org/Knowledge-Center/Research/Pages/Audit-Assurance-Programs.aspx


    Thanks

    ------------------------------
    Tanveer Bapari
    IT Audit Manager
    ------------------------------



  • 5.  RE: Understanding Operating System, and Database concepts

    Posted 23 Jan, 2020 04:00
    Hi Tanveer,

    Yes I have seen them. Let me try to explain.

    When auditing UNIX - AIX for example one would typically look among other things at:

     - ETC/PASSWD file
     - Shadowed Password file
     - User settings
     - Default Password Settings
     - UUCP permissions
     - NIS Config file
     - Accounting information
     - Log file permissions
     - NIS Config File
     - TCB definitions
     - Check Auditing
     - Users Allowed Cron Usage
     - Check for unpatched LQUERYPV command
     etc...

    I presume that one should have prior knowledge of UNIX - AIX to effectively audit these settings and configuration controls. What level of knowledge does one need to have to effectively audit such configuration and security controls?

    Thanks so much.

    ------------------------------
    Bader Abuhilal
    Information Systems Auditor
    ------------------------------
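As an added illustration (not part of the thread, and not an ISACA work program), the POSIX shell script below gathers evidence for a few of the AIX list items above: extra UID 0 accounts and empty password fields in /etc/passwd, permissions on the shadowed password file, and the users allowed cron usage. It runs against constructed sample files so it can be tried offline; the file paths, user names and file contents are assumptions for the demo. On a real host you would point the three variables at /etc/passwd, /etc/security/passwd (AIX) or /etc/shadow (Linux), and /var/adm/cron/cron.allow (AIX) or /etc/cron.allow (Linux), and keep the script's output as audit evidence.

```shell
#!/bin/sh
# Added audit example, not taken from the original post or any ISACA program.
# Builds constructed sample files (hypothetical users) and runs portable checks.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASSWD_FILE="$WORK/passwd"       # assumption: stands in for /etc/passwd
SHADOW_FILE="$WORK/shadow"       # assumption: stands in for /etc/security/passwd
CRON_ALLOW="$WORK/cron.allow"    # assumption: stands in for /var/adm/cron/cron.allow

# Constructed sample passwd: AIX uses "!" to mean "hash is in the shadow file".
cat > "$PASSWD_FILE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
oracle:!:205:300::/home/oracle:/usr/bin/ksh
backup:!:0:0::/home/backup:/usr/bin/ksh
guest::210:100::/home/guest:/usr/bin/ksh
EOF
# Constructed shadow stanza, deliberately left world-readable for the demo.
printf 'root:\n\tpassword = xyz\n' > "$SHADOW_FILE"
chmod 644 "$SHADOW_FILE"
printf 'root\noracle\n' > "$CRON_ALLOW"

# Accounts with UID 0 other than root: a shared superuser is a finding.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose password field is empty: login without any password.
# ("!" = hash kept in the shadow file, "*" = locked; only "" is the problem.)
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# "yes" if "other" has read permission. Parses ls(1) output so it works on
# AIX, Linux and BSD alike without GNU stat; column 8 is the other-read bit.
world_readable() {
    case "$(ls -ld "$1" | cut -c8)" in
        r) echo yes ;;
        *) echo no ;;
    esac
}

# Users permitted to run crontab. cron.allow is consulted first; when it is
# absent the daemon falls back to cron.deny, so a missing file widens access.
cron_allowed_users() {
    if [ -f "$1" ]; then
        tr '\n' ' ' < "$1" | sed 's/ $//'
    else
        echo "(no cron.allow: cron.deny governs access)"
    fi
}

# Run every check, print each finding, and end with a summary line.
run_checks() {
    n=0
    for u in $(uid0_accounts "$PASSWD_FILE"); do
        echo "FINDING: additional UID 0 account: $u"; n=$((n + 1))
    done
    for u in $(empty_password_accounts "$PASSWD_FILE"); do
        echo "FINDING: empty password field: $u"; n=$((n + 1))
    done
    if [ "$(world_readable "$SHADOW_FILE")" = yes ]; then
        echo "FINDING: shadowed password file is world-readable: $(ls -ld "$SHADOW_FILE")"
        n=$((n + 1))
    fi
    echo "INFO: cron.allow users: $(cron_allowed_users "$CRON_ALLOW")"
    echo "$n findings"
}

run_checks
```

Against the sample data the script reports three findings (the second UID 0 account `backup`, the passwordless `guest`, and the 644 shadow file). Each function returns raw evidence rather than a pass/fail verdict, which is deliberate: the auditor still has to assess the output against the chosen baseline (CIS benchmarks, the firm's standard, or the regulator's expectation) rather than treat the script as the checklist.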



  • 6.  RE: Understanding Operating System, and Database concepts

    Posted 23 Jan, 2020 14:04
    Hello @Bader Abuhilal,

    In summary, you don't necessarily need to be extremely skilled in the particular OS to be able to perform an audit. This is highly dependent on the nature of the audit, but I make the assumption that you will be doing an IT General Controls audit or some similar audit without a deep technical component.

    What is extremely important is for you to understand the implications of certain controls/security settings and to know your expectations of the same (or industry or your firm or the regulator, etc). The reason for this is that ultimately whatever evidence you receive has to be identified and assessed against "something" and this is why you need to understand what that "something" is and what the findings mean in relation to it. This "something" could be the CIS Critical Security Controls for example.

    I believe the challenge you are having in the first instance is related to the technical understanding to obtain the audit evidence. I would suggest you find a good resource book on the OS or other platform and use that as a guide. Technical manuals are usually worth it. If your company has a sandbox or testing environment, you should take advantage of that as well to gain proficiency in using commands or scripts to extract what you may need.

    Aside from that, know your industry/firm expectations on the ability to rely on the auditee staff for guidance/feedback/support. They may know the systems intimately, especially very specialist systems, and may be able to point you in the right direction. Normally you are still expected to do your own vetting and validation of both their guidance and evidence they produce.

    As for the actual audit evaluation - you don't normally need deep technical expertise but to not have it may reduce your effort to a checklist approach. Using the technical manuals, getting hands on experience, doing research and relying on a community like this will help you to adjust your audit procedures, evaluations and suggestions to be more practical and realistic.

    Regards,


    ------------------------------
    Demetri Gittens
    IT Governance & Risk Assessment Officer
    ------------------------------



  • 7.  RE: Understanding Operating System, and Database concepts

    Posted 26 Jan, 2020 05:07
    Hi Demetri,

    Thanks so much for your accurate analysis and recommendations. I guess I would be interested to know what you mean by technical manuals. Could you give me an example, and tell me where I can find them?

    Thanks again

    ------------------------------
    Bader Abuhilal
    Information Systems Auditor
    ------------------------------



  • 8.  RE: Understanding Operating System, and Database concepts

    Posted 28 Jan, 2020 06:32
    Hi Bader,

    The term may be a little generic, but what you're looking for is an administrator guide or manual. The developer of the system occasionally puts this together. Other times you'll find experts doing the same.

    You can search the websites/forums related to the platform/system you're interested in. You can also check Amazon.

    I remember O'Reilly publishing having some good ones, especially on *nix systems. IBM usually publishes their own material on the iSeries/AS400. Microsoft related guides shouldn't be hard to find but because of their relative dominance in the market, you can also find quite a bit of free/low cost information on their systems.

    Hope this helps.

    ------------------------------
    Demetri Gittens
    IT Governance & Risk Assessment Officer
    ------------------------------