3

I work in the petroleum industry and I am 'the young geek'. As such, I am often tasked with writing VBA macros, a bit of JS for data visualization and so on.

Lately, I have been assigned the task of 'conducting systems audits'.

A few words of context:

  • The firm's information system (ie. 'office network') is under the responsibility of the IT division, which I am not a part of.
  • However, the 'industrial' systems (ie. Control Systems, Manufacturing Execution Systems, etc.) are under the responsibility of the industrial teams. A firewall separates these two worlds, managed by corporate IT. It is considered that this firewall isolates the industrial network from the office network, and a fortiori, from the Internet. Those industrial networks are the scope of the audit.
  • I am not by far a security expert. But it is clear for everyone (in particular my managers) that the 'security audits' are just a way to use buzzwords in newsletters, and that any serious audits would be handled by professionals.

This being said, I would like to use this as an opportunity to learn, and to have the plant's technicians learn as well.

What are the basic points I should check in a 'systems audit', that would be a good pretext to discuss about the basics of Information Security, and would allow me to catch the most obvious weaknesses?

I have on my list so far:

  • Checking if inputs (USB ports, floppy drives [old plants...], etc.) are disabled
  • Look out for admin passwords on a post-it on the screen
  • Check out is OSs used are still supported (I expect to see some pre-Windows XP systems), and if they are up-to-date.
Peter
  • 138
  • 3
  • Have you looked at any of the ISACA materials for the Certified Information Systems Auditor? That will do you much more good than a broad online query. Closed as waaaaay too broad. – Rory Alsop Apr 01 '18 at 10:04

1 Answers1

1

What are you auditing against? Audits are checks that systems are compliant with something. So, first of all, I'd try to find out what requirements exist for your systems. If those don't exist, your audit will basically consist of your deciding the standard and then determining if the systems follow your standards. That puts you in a losing position.

If your management insists on going with your "audit", I'd ask them what you are auditing against. Best Practice? ISO standards? I doubt that you have patient, corporate financial, or payment data on your industrial systems so that frees you from HIPAA, SOX, and PCI standards. That should be your first focus: get agreement on what your auditing against. Otherwise you're just filling out a checkbox.

Also, when completing the audit: who is responsible for remediating the variances you discover? (Hint: it isn't you. You're the auditor, not the system owner.) How will management support remediating those variances? Who will be held accountable?

This doesn't completely answer your question, but I think it's even more important than the questions you ask.

baldPrussian
  • 2,778
  • 2
  • 11
  • 14