
GRC & Open-AudIT

IT auditing involves examining various aspects of an organization's IT systems to identify risks and vulnerabilities and ensure compliance. Open-AudIT is an open-source tool that allows for efficient IT auditing. It can be used to automate audits and generate reports, helping auditors assess controls and provide recommendations for improving security, reliability and alignment with business goals. The document discusses how Open-AudIT streamlines the IT auditing process.

Uploaded by

Hossam Eissa

Using Open-AudIT for Efficient IT Auditing

ADVANCED CLOUD SECURITY COURSE



GRC – Governance, Risk and Compliance


IT GRC and Audit: Understanding the Basics

- IT auditing is the process of evaluating and reviewing an organization's information technology infrastructure, policies, and operations to determine whether they align with the organization's goals, comply with industry standards and regulations, and are secure and reliable.
- IT auditing involves examining various aspects of an organization's IT systems, including hardware, software, networks, data storage, and security protocols.
- The primary goal of IT auditing is to identify potential risks and vulnerabilities in an organization's IT systems and provide recommendations for improving the effectiveness and efficiency of the IT operations. IT auditors assess the adequacy and effectiveness of the controls in place to manage the risks associated with the use of technology.
- IT auditing is an essential component of corporate governance and risk management, and it helps organizations to ensure the confidentiality, integrity, and availability of their information assets. IT auditors typically have specialized knowledge and training in technology, accounting, and risk management.

What is IT GRC

- IT GRC refers to the management of Governance, Risk, and Compliance in the context of IT or information technology. It is a framework that enables organizations to align their IT processes and activities with business objectives and regulatory requirements.
- The purpose of IT GRC is to establish a structured approach to managing the risks and compliance obligations associated with IT operations. By implementing IT GRC, organizations can ensure that their IT systems and processes are aligned with their business objectives and compliant with relevant laws and regulations. This, in turn, helps to reduce the risk of security breaches, data loss, and other IT-related incidents that could harm the organization.

Components of IT GRC

- Governance:
  - IT governance refers to the framework of policies, procedures, and decision-making processes that guide the management of IT systems and infrastructure. It includes the strategic planning, performance management, and resource allocation necessary to ensure that IT resources are effectively deployed to support the organization's objectives. IT governance also involves defining roles and responsibilities, establishing accountability, and ensuring that there are appropriate controls and oversight mechanisms in place to manage risks.
- Risk:
  - IT risk management involves the identification, assessment, and mitigation of potential risks associated with IT operations. This includes risks related to data security, system failures, and regulatory compliance. Risk management aims to minimize the negative impact of IT-related risks on the organization by implementing controls and processes to reduce the likelihood of a risk occurring or mitigate the consequences of a risk event.
- Compliance:
  - IT compliance refers to the adherence of IT systems and processes to applicable laws, regulations, and standards. This includes regulatory requirements related to data privacy, security, and other IT-related matters. Compliance involves ensuring that IT systems are designed and operated in a manner that meets the relevant compliance requirements, and that adequate measures are in place to monitor and report on compliance. Compliance is essential to prevent legal and financial penalties and to maintain the organization's reputation.

IT Governance

- IT governance refers to the framework of policies, procedures, and decision-making processes that guide the management of IT systems and infrastructure within an organization. IT governance is essential for ensuring that IT resources are used in a way that supports the organization's objectives, priorities, and strategies.
- The role of IT governance in IT GRC is to provide the framework and structure for managing IT-related risks and compliance obligations. IT governance helps to ensure that there is appropriate oversight and control of IT systems and processes to mitigate the risks associated with IT operations. IT governance also helps to ensure that IT systems are aligned with the organization's business objectives and are compliant with relevant laws and regulations.
- Effective IT governance involves defining roles and responsibilities, establishing policies and procedures, and ensuring that there are appropriate controls and oversight mechanisms in place. By implementing IT governance as part of IT GRC, organizations can ensure that their IT systems and processes are managed in a way that supports their business objectives, minimizes risks, and ensures compliance with regulatory requirements.

IT Risk Management

- IT risk management is the process of identifying, assessing, and mitigating risks associated with IT systems and processes. The goal of IT risk management is to minimize the likelihood and impact of negative events that could affect the confidentiality, integrity, or availability of IT resources.
- The role of IT risk management in IT GRC is to help organizations understand and manage the risks associated with their IT operations. IT risk management helps organizations to identify potential risks, assess the likelihood and impact of those risks, and prioritize mitigation efforts to reduce the overall risk exposure.
- Effective IT risk management involves a structured approach to identifying and assessing risks, implementing appropriate controls and safeguards to mitigate risks, and monitoring and reporting on risk management activities. By incorporating IT risk management into IT GRC, organizations can ensure that they are effectively managing the risks associated with their IT operations and are aligning their risk management efforts with their business objectives and compliance obligations.

IT Compliance

- IT compliance refers to the adherence of IT systems and processes to relevant laws, regulations, and standards. IT compliance involves ensuring that IT systems and processes are designed and operated in a way that meets the applicable compliance requirements.
- The role of IT compliance in IT GRC is to ensure that organizations are meeting their legal, regulatory, and contractual obligations related to IT operations. This includes requirements related to data privacy, security, and other IT-related matters. IT compliance involves understanding the relevant compliance requirements, developing policies and procedures to meet those requirements, and implementing controls and safeguards to ensure ongoing compliance.
- Effective IT compliance involves a structured approach to compliance management that includes risk assessments, compliance audits, and ongoing monitoring and reporting. By incorporating IT compliance into IT GRC, organizations can ensure that they are meeting their legal and regulatory obligations related to IT operations and are reducing the risk of legal and financial penalties. Additionally, effective IT compliance helps to maintain the organization's reputation and builds trust with customers and stakeholders.

IT Audit

- IT audit refers to the process of evaluating an organization's IT systems and processes to ensure that they are operating effectively, efficiently, and securely. The primary objective of IT audit is to provide an independent assessment of an organization's IT operations, including the identification of any deficiencies or areas for improvement.
- The purpose of IT audit is to assess the effectiveness of an organization's IT systems and processes and to provide assurance that they are operating in accordance with relevant laws, regulations, and standards. IT audit also helps to identify potential risks and vulnerabilities in IT systems and processes, and provides recommendations for improvements to enhance the effectiveness, efficiency, and security of IT operations.
- IT audit covers a wide range of areas, including IT governance, risk management, and compliance, as well as specific IT systems and processes such as network security, data management, and software development. IT auditors use a variety of techniques, including interviews, documentation reviews, and technical testing, to evaluate IT systems and processes.
- Overall, the purpose of IT audit is to provide independent assurance that an organization's IT operations are effective, efficient, and secure, and to identify opportunities for improvement that can help the organization to achieve its objectives and mitigate IT-related risks.

IT GRC Tools

- GRC
  - ThreadFix
- Audit
  - Open-AudIT


Using Open-AudIT for Efficient IT Auditing



Presented by:
- Hossam Shaaban Eissa
- Moatasem Ali
- Saber Abdel wahab

Presented to:
Dr. Nour Mohamed

Agenda

- Microsoft Hyper-V
- Oracle VM VirtualBox
- Red Hat Enterprise Virtualization
- XenServer / Citrix Hypervisor
- Kernel Virtual Machine
- VMware Fusion
- Nutanix Hyperconverged Infrastructure
- Parallels Desktop
- QEMU
- Virtuozzo

Introduction

- IT auditing is critical for organizations to ensure their IT infrastructure is secure and in compliance with regulatory requirements.
- Open-AudIT is open-source software that can help organizations streamline their IT auditing process.
- This presentation provides an overview of Open-AudIT and its capabilities for IT auditing.
- Open-AudIT is an application to tell you exactly:
  - what is on your network,
  - how it is configured,
  - and when it changes.
- Open-AudIT will run on Windows and Linux systems.
- Essentially, data about the network is inserted via a Bash script (Linux) or VBScript (Windows).
- The entire application is written in PHP, Bash and VBScript. These are all scripting languages: there is no compiling, and the source code is human-readable. Making changes and customizations is both quick and easy.
- Open-AudIT is a database of information that can be queried via a web interface.
- Windows PCs can be queried for hardware, software, operating system settings, security settings, IIS settings, services, users and groups, and much more.
- Linux systems can be queried for a similar amount of information.
- Network devices (printers, switches, routers, etc.) can have data recorded such as IP address, MAC address, open ports, serial number, etc.
- Output is available in PDF, CSV and webpages.
- There are export options for Dia and Inkscape.
- Open-AudIT can be configured to scan your network and devices automatically.
- A daily scan is recommended for systems, with network scans every couple of hours. That way, you can be assured of being notified if something changes (day to day) on a PC, or even sooner, if something "new" appears on your network.

Open-AudIT Benefits

- IT asset management:
  - Open-AudIT helps organizations manage their assets, including hardware and software, by providing a complete inventory of all assets on the network. This allows organizations to keep track of all their assets, and to identify which assets are in use or not in use.
- License management:
  - Open-AudIT helps organizations manage their software licenses by providing information on software installations and licenses. This helps organizations avoid non-compliance issues and optimize their software licensing expenses.
- Security:
  - Open-AudIT provides real-time visibility into network assets, and can help organizations identify security vulnerabilities and potential risks. This allows organizations to proactively address these issues, and prevent potential security breaches.
- Cost-effective:
  - Open-AudIT is an open-source tool, which means that it is available for free. This makes it a cost-effective solution for organizations looking to manage their assets, software licenses, and security.
- Customizable:
  - Open-AudIT is highly customizable, allowing organizations to configure it to meet their specific needs and requirements. This makes it a versatile tool that can be used across a wide range of industries and businesses.
- Scalable:
  - Open-AudIT is designed to scale, allowing organizations to use it to manage any number of assets on their network, from small businesses to large enterprises.
- Compliance:
  - Open-AudIT can help organizations achieve compliance with regulatory requirements such as HIPAA, GDPR, and PCI DSS, by providing real-time visibility into network assets and software installations, tracking changes to the network, and generating compliance reports.
- Overall, Open-AudIT is a versatile, cost-effective, customizable, and scalable tool that can help organizations manage their assets, software licenses, security, and compliance requirements effectively.
- PCI DSS: Payment Card Industry Data Security Standard
- GDPR: General Data Protection Regulation
- HIPAA: Health Insurance Portability and Accountability Act

Open-AudIT Features

- Open-AudIT offers a wide range of features to help organizations manage their assets, software licenses, and security. Some of the key features of Open-AudIT include:
  - Network discovery: Open-AudIT can automatically discover all assets on the network, including servers, workstations, mobile devices, and other endpoints.
  - Asset inventory: Open-AudIT provides a complete inventory of all assets on the network, including hardware and software.
  - Software auditing: Open-AudIT can audit software installations and licenses, providing information on which software is installed and whether it is properly licensed.
  - Customizable reporting: Open-AudIT provides customizable reporting that allows organizations to generate reports on all aspects of their network infrastructure.
  - Alerts and notifications: Open-AudIT can send alerts and notifications when specific events occur, such as when new software is installed or when a security vulnerability is detected.
  - Integration with other security tools: Open-AudIT can integrate with other security tools such as SIEMs and vulnerability scanners, providing additional layers of security and risk management.
  - Compliance support: Open-AudIT can help organizations achieve compliance with regulations such as HIPAA, GDPR, and PCI DSS by providing real-time visibility into network assets and software installations, tracking changes to the network, and generating compliance reports.
  - Access control: Open-AudIT provides access control features that allow organizations to control who has access to network assets and data.
  - API integration: Open-AudIT provides an API that allows organizations to integrate it with other systems and tools.
  - Mobile device management: Open-AudIT provides mobile device management features that allow organizations to manage and track mobile devices on the network.
- Overall, Open-AudIT offers a comprehensive set of features that can help organizations manage their assets, software licenses, and security effectively, while also providing compliance support and integration with other security tools.

Open-AudIT Discovery

- Open-AudIT uses several protocols such as SNMP, WMI, SSH, and HTTP to collect data from devices.
- Open-AudIT can discover and inventory devices such as servers, workstations, printers, and network devices.

Inventory

- Open-AudIT collects detailed hardware and software information from devices such as manufacturer, model, serial number, CPU, memory, disk, installed software, and operating system.
- Open-AudIT provides accurate and up-to-date information on an organization's IT assets.

Integrations

- Integrations can help organizations automate their IT management processes and improve efficiency.
- Open-AudIT integrates with other IT management tools such as Nagios, OCS Inventory, and GLPI.

Which version of Open-AudIT is right for you?
Reports

- Open-AudIT provides a wide range of reports to help organizations analyze the data collected from their IT assets.
- Reports can be generated on hardware, software, licenses, vulnerabilities, and compliance.
- Reports can be customized and scheduled to meet an organization's specific needs.

Open-AudIT Screenshots
Conclusion

- Open-AudIT is a powerful tool for IT auditing that can help organizations streamline their IT auditing process.
- Organizations considering Open-AudIT should carefully evaluate their IT auditing needs and resources before implementing the software.
- Open-AudIT can provide significant benefits to organizations, but it can also pose some challenges.

Open-AudIT Enterprise

- Opmantek offers very attractive 12-month subscription licenses for Open-AudIT Enterprise.
- 100 devices is just $249 US and 500 devices is just $799 US.

Challenges

- Open-AudIT can be complex to configure and deploy, requiring IT expertise.
- Integrating Open-AudIT with other IT management tools can be challenging.

Thank You
Questions
HOSSAM SHAABAN EISSA
