Auditing system and method
First Claim
1. A method for auditing an organization's internal controls for handling information technology (IT) configurations and vulnerabilities comprising:
- receiving, with a processor, a technology summary summarizing a plurality of IT systems in an organization;
- based on the technology summary, assigning, with the processor, a vulnerability risk value to each of the plurality of IT systems, wherein each vulnerability risk value represents the risk of the associated IT system compromising the integrity of sensitive information in the organization;
- determining, with the processor, a risk threshold;
- comparing the risk threshold to the vulnerability risk value associated with each of the plurality of IT systems;
- based at least in part on the comparison between the risk threshold and the vulnerability risk value associated with each of the plurality of IT systems, selecting, with the processor, one or more of the plurality of IT systems to test;
- for each of the selected one or more IT systems, identifying a first vulnerability and a second vulnerability that affect the respective IT system;
- performing, with the processor, a test of each of the selected one or more IT systems, based on the first vulnerability and the second vulnerability that affect the respective IT system;
- accessing a file associated with the first vulnerability, the file identifying a patch that can correct the first vulnerability and/or the second vulnerability in the respective IT system;
- implementing the patch and determining whether the first vulnerability has been corrected using the patch identified in the file; and
- if the first vulnerability has been corrected, determining, based on the file, whether the second vulnerability was corrected when the first vulnerability was corrected.
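The procedure the claim sets out, as an added worked example that is not code from the patent or its assignee. It assumes a constructed technology summary of four systems, three hypothetical vulnerability tests (VULN-A, VULN-B, VULN-C) expressed as checks on each system's configuration, a constructed patch file keyed by the first vulnerability, and arbitrary risk weights; the mean risk value stands in for the claim's risk threshold.

```python
"""
Added example (not code from the patent or its assignee): a small model of the
audit workflow in the claim. Every system, vulnerability, patch and weight
below is constructed for illustration.
"""
import json
import statistics
from copy import deepcopy

# Constructed technology summary: one record per IT system in the organization.
TECHNOLOGY_SUMMARY = [
    {"name": "general-ledger-db", "sensitive_data": True, "internet_facing": False,
     "config": {"tls_min_version": 1.0, "weak_ciphers": False, "default_admin_pw": True}},
    {"name": "ap-web-portal", "sensitive_data": True, "internet_facing": True,
     "config": {"tls_min_version": 1.0, "weak_ciphers": True, "default_admin_pw": True}},
    {"name": "hr-intranet", "sensitive_data": True, "internet_facing": False,
     "config": {"tls_min_version": 1.2, "weak_ciphers": False, "default_admin_pw": True}},
    {"name": "print-server", "sensitive_data": False, "internet_facing": False,
     "config": {"tls_min_version": 1.0, "weak_ciphers": True, "default_admin_pw": False}},
]

# Constructed vulnerability tests: each returns True when the configuration is vulnerable.
VULN_CHECKS = {
    "VULN-A": lambda cfg: cfg["tls_min_version"] < 1.2,   # legacy TLS accepted
    "VULN-B": lambda cfg: cfg["weak_ciphers"],            # weak cipher suites enabled
    "VULN-C": lambda cfg: cfg["default_admin_pw"],        # default admin password in use
}

# Constructed patch file, keyed by the first vulnerability. It names the patch,
# the settings the patch changes, and the vulnerabilities it is said to correct.
PATCH_FILE = json.loads("""{
  "VULN-A": {"patch": "tls-hardening-1.0",
             "sets": {"tls_min_version": 1.2, "weak_ciphers": false},
             "corrects": ["VULN-A", "VULN-B"]},
  "VULN-C": {"patch": "credential-rotation-2.0",
             "sets": {"default_admin_pw": false},
             "corrects": ["VULN-C"]}
}""")


def risk_value(system):
    """Vulnerability risk value: the risk that this system compromises the
    integrity of sensitive information. The weights are assumptions."""
    open_vulns = sum(1 for check in VULN_CHECKS.values() if check(system["config"]))
    score = 2 * open_vulns
    if system["sensitive_data"]:
        score *= 2
    if system["internet_facing"]:
        score += 3
    return score


def risk_threshold(values):
    """Risk threshold: the mean risk value, so above-average systems get tested.
    A fixed policy value could be substituted here."""
    return statistics.mean(values)


def select_systems(summary):
    """Compare every system's risk value to the threshold; return the threshold
    and the systems selected for testing."""
    scored = {s["name"]: risk_value(s) for s in summary}
    threshold = risk_threshold(list(scored.values()))
    return threshold, [s for s in summary if scored[s["name"]] >= threshold]


def identify_vulnerabilities(system):
    """First and second vulnerability affecting the system: the first two
    tests (in VULN_CHECKS order) that fire on its current configuration."""
    present = [v for v, check in VULN_CHECKS.items() if check(system["config"])]
    return (present[0], present[1]) if len(present) >= 2 else None


def audit_system(system):
    """Test the system, apply the patch named for the first vulnerability, and
    check whether the second was corrected at the same time."""
    pair = identify_vulnerabilities(system)
    if pair is None:
        return {"system": system["name"], "skipped": "fewer than two vulnerabilities"}
    first, second = pair
    cfg = deepcopy(system["config"])          # work on a copy: this is a dry run
    result = {"system": system["name"], "first": first, "second": second,
              "patch": None, "first_fixed": False, "second_fixed": None}
    entry = PATCH_FILE.get(first)
    if entry is None:
        return result                         # no patch on file for the first vulnerability
    result["patch"] = entry["patch"]
    cfg.update(entry["sets"])                 # implement the patch
    result["first_fixed"] = not VULN_CHECKS[first](cfg)
    if result["first_fixed"]:
        # The file says which vulnerabilities the patch corrects. Record that
        # claim, but confirm it by re-running the second test rather than
        # trusting the file alone.
        result["second_fixed"] = {"claimed_by_file": second in entry["corrects"],
                                  "observed": not VULN_CHECKS[second](cfg)}
    return result


def run_audit(summary=TECHNOLOGY_SUMMARY):
    """Whole workflow: score, threshold, select, then test and patch each selection."""
    threshold, selected = select_systems(summary)
    return {"threshold": threshold,
            "selected": [s["name"] for s in selected],
            "results": [audit_system(s) for s in selected]}


if __name__ == "__main__":
    print(json.dumps(run_audit(), indent=2))
```

On the constructed data the threshold is 7.75, so general-ledger-db and ap-web-portal are selected. For general-ledger-db the first vulnerability is VULN-A and the second VULN-C; the TLS patch fixes the first, and the file correctly does not claim the second, which the re-test confirms is still open. For ap-web-portal the second vulnerability is VULN-B, which the same patch is listed as correcting and the re-test confirms. The last step deliberately keeps the file's claim and the observed result apart: a patch advertised as fixing both vulnerabilities but actually fixing one would show up as claimed_by_file True and observed False, which is the case an auditor needs to catch.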
Abstract
A method and system for auditing information technology used to handle financial statement accounts, to secure sensitive financial information against the exploitation of vulnerabilities and ineffective configuration standards. Working with the client organization, an audit team evaluates the way the client organization controls sensitive IT systems. The audit team is able to assess the client organization's internal control processes and recommend improvements.
7 Claims
1. A method for auditing an organization's internal controls for handling information technology (IT) configurations and vulnerabilities (set out in full under First Claim above). Dependent claims: 2, 3.
4. A system for auditing an organization's internal controls for handling information technology (IT) configurations and vulnerabilities comprising:
- a processor; and
- a program storage device readable by the computer system, embodying a program of instructions executable by the processor, the program of instructions comprising:
- a receiving unit for receiving a technology summary summarizing IT systems in an organization;
- an assigning unit for assigning, based on the technology summary, a risk value to each of the IT systems, wherein each vulnerability risk value represents the risk of the IT system compromising the integrity of sensitive information in the organization;
- a determining unit for determining a risk threshold;
- a comparing unit for comparing the risk threshold to the vulnerability risk value associated with each of the plurality of IT systems;
- a selecting unit for selecting one or more of the plurality of IT systems to test based at least in part on the comparison between the risk threshold and the vulnerability risk value associated with each of the plurality of IT systems;
- an identifying unit for identifying, for each of the selected one or more IT systems, a first vulnerability and a second vulnerability that affect the respective IT system;
- a performing unit for performing, with the processor, a test of each of the selected one or more IT systems, based on the first vulnerability and the second vulnerability that affect the respective IT system;
- an accessing unit for accessing a file associated with the first vulnerability, the file identifying a patch that can correct the first vulnerability and/or the second vulnerability in the respective IT system;
- a determining unit for implementing the patch and determining whether the first vulnerability has been corrected using the patch identified in the file; and
- a determining unit for determining, based on the file, if the first vulnerability has been corrected, whether the second vulnerability was corrected when the first vulnerability was corrected.
Dependent claims: 5.
6. A computer system comprising:
- a processor; and
- a program storage device readable by the computer system, embodying a program of instructions executable by the processor to perform method steps for auditing an organization's internal controls for handling information technology configurations and vulnerabilities comprising:
- receiving a technology summary summarizing IT systems in an organization;
- based on the technology summary, assigning a vulnerability risk value to each of the IT systems, wherein each vulnerability risk value represents the risk of the IT system compromising the integrity of sensitive information in the organization;
- determining a risk threshold;
- comparing the risk threshold to the vulnerability risk value associated with each of the plurality of high-risk IT systems;
- based at least in part on the comparison between the risk threshold and the vulnerability risk value associated with each of the plurality of high-risk IT systems, selecting one or more of the plurality of IT systems to test;
- for each of the selected one or more IT systems, identifying a first vulnerability and a second vulnerability that affect the respective IT system;
- performing, with the processor, a test of each of the selected one or more IT systems, based on the first vulnerability and the second vulnerability that affect the respective IT system;
- accessing a file associated with the first vulnerability, the file identifying a patch that can correct the first vulnerability and/or the second vulnerability in the respective IT system;
- implementing the patch and determining whether the first vulnerability has been corrected using the patch identified in the file; and
- if the first vulnerability has been corrected, determining, based on the file, whether the second vulnerability was corrected when the first vulnerability was corrected.
Dependent claims: 7.
Specification