cisa exam prep course: session 3...domain 3: information systems acquisition, development and...

Post on 29-Jun-2020


CISA EXAM PREP COURSE: SESSION 3

2 © Copyright 2016 ISACA. All rights reserved.

Job Practice

Exam weighting by domain (from the job practice chart):

o Domain 1: The Process of Auditing Information Systems, 21%
o Domain 2: Governance and Management of IT, 16%
o Domain 3: Information Systems Acquisition, Development and Implementation, 18%
o Domain 4: Information Systems Operations, Maintenance and Service Management, 20%
o Domain 5: Protection of Information Assets, 25%


Domain 5: Protection of Information Assets


Domain 5

Provide assurance that the enterprise’s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability (CIA) of information assets.


Task 5.1

Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.


Security Objectives

Security objectives to meet an organization’s business requirements should ensure the following:

o Continued availability of information systems and data
o Integrity of the information stored on computer systems and while in transit
o Confidentiality of sensitive data is preserved while stored and in transit
o Conformity to applicable laws, regulations and standards
o Adherence to trust and obligation requirements in relation to any information relating to an identified or identifiable individual (i.e., data subject) in accordance with internal privacy policy or applicable privacy laws and regulations
o Adequate protection for sensitive data while stored and when in transit, based on organizational requirements


Information Security Management

Information security management is the most critical factor in protecting information assets and privacy.

Key elements include:

o Senior management leadership, commitment and support
o Policies and procedures
o Organization
o Security awareness and education
o Risk management
o Monitoring and compliance
o Incident handling and response

Source: ISACA, CISA Review Manual 26th Edition, figure 5.2


Privacy

Privacy means freedom from unauthorized intrusion or disclosure of information about an individual (also referred to as a “data subject”).

Management should perform a privacy impact analysis.


Human Resources Security

Security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organization’s information security policy.


Third Party Access

Third party access to an organization’s information processing facilities and processing and communication of information must be controlled.

These controls must be agreed to and defined in a contract with the third party.


Security Controls

An effective control is one that prevents, detects, and/or contains an incident and enables recovery from an event.

Controls can be:

Proactive
• Safeguards
• Controls that attempt to prevent an incident

Reactive
• Countermeasures
• Controls that allow the detection, containment and recovery from an incident


Security Awareness Training

An active security awareness program can greatly reduce risk by addressing the behavioral element of security through education and consistent application of awareness techniques.

All employees of an organization and third-party users must receive appropriate training and regular updates on the importance of security policies, standards and procedures in the organization.

In addition, all personnel must be trained in their specific responsibilities related to information security.


Control Methods

Managerial: Controls related to the oversight, reporting, procedures and operations of a process. These include policy, procedures, balancing, employee development and compliance reporting.

Technical: Controls also known as logical controls; they are provided through the use of technology, a piece of equipment or a device. Examples include firewalls, network- or host-based intrusion detection systems (IDSs), passwords and antivirus software. A technical control requires proper managerial (administrative) controls to operate correctly.

Physical: Controls such as locks, fences, closed-circuit TV (CCTV) and devices that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to assess and react to an alert should a problem be indicated.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.5


Control Monitoring

To ensure controls are effective and properly monitored, the IS auditor should:

o Validate that processes, logs and audit hooks have been placed into the control framework.
o Ensure that logs are enabled, controls can be tested and regular reporting procedures are developed.
o Ensure that control monitoring is built into the control design.


System Access Permission

System access permission generally refers to a technical privilege, such as the ability to read, create, modify or delete a file or data; execute a program; or open or use an external connection.

System access to computerized information resources is established, managed and controlled at the physical and/or logical level.

Physical access controls
• Restrict the entry and exit of personnel to an area, such as an office building, suite, data center or room, containing information processing equipment.

Logical access controls
• Restrict the logical resources of the system (transactions, data, programs, applications) and are applied when the subject resource is needed.


System Access Reviews

Roles should be assigned by the information owner or manager.

Access authorizations should be regularly reviewed to ensure they are still valid.

The IS auditor should evaluate the following criteria for defining permissions and granting access:

o Need-to-know
o Accountability
o Traceability
o Least privilege
o SoD (segregation of duties)


Task 5.2

Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.


Physical Access Issues

Physical access exposures may originate from natural and man-made hazards, and can result in unauthorized access and interruptions in information availability.

Exposures include:

o Unauthorized entry
o Damage, vandalism or theft of equipment or documents
o Copying or viewing of sensitive or copyrighted information
o Alteration of sensitive equipment and information
o Public disclosure of sensitive information
o Abuse of data processing resources
o Blackmail
o Embezzlement


Physical Access Controls

o Door locks (cipher, biometric, bolted, electronic)
o Manual or electronic logging
o Identification badges
o CCTV
o Security guards
o Controlled visitor access
o Computer workstation locks
o Controlled single entry point
o Alarm system
o Deadman doors


Physical Access Audit

The IS auditor should begin with a tour of the site and then test physical safeguards.

Physical tests can be completed through visual observations and review of documents such as fire system tests, inspection tags and key lock logs.


Physical Access Audit (cont’d)

The test should include all paths of physical entry, as well as the following locations:

o Computer and printer rooms
o UPS/generator
o Operator consoles
o Computer storage rooms
o Communication equipment
o Offsite backup storage facility
o Media storage


Environmental Exposures

Environmental exposures are due primarily to naturally occurring events.

Common environmental exposures include:

Power failure
• Total failure (blackout)
• Severely reduced voltage (brownout)
• Sags, spikes and surges
• Electromagnetic interference (EMI)

Water damage/flooding

Manmade concerns
• Terrorist threats/attacks
• Vandalism
• Equipment failure


Environmental Controls

Environmental exposures should be afforded the same level of protection as other types of exposures. Possible controls include:

o Alarm control panels
o Water detectors
o Fire extinguishers
o Fire alarms and smoke detectors
o Fire suppression systems
o Fireproof and fire-resistant building and office materials
o Strategically located computer rooms
o Electrical surge protectors
o Uninterruptible power supply/generator
o Power leads from two substations
o Emergency power-off switch
o Documented and tested BCPs and emergency evacuation plans


Environmental Control Audit

The IS auditor should first establish the environmental risk by assessing the location of the data center.

In addition, the IS auditor should verify that the following safeguards are in place:

o Water and smoke detectors
o Strategic and visible location of handheld fire extinguishers
o Fire suppression system documentation and inspection by fire department
o UPS/generator test reports
o Electrical surge protectors
o Documentation of fireproof building materials, use of redundant power lines and wiring located in fire-resistant panels
o Documented and tested emergency evacuation plans and BCPs
o Humidity and temperature controls


Task 5.3

Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.


Logical Access

Logical access is the ability to interact with computer resources, granted using identification, authentication and authorization.

Logical access controls are the primary means used to manage and protect information assets.

IS auditors should be able to analyze and evaluate the effectiveness of a logical access control in accomplishing information security objectives and avoiding losses resulting from exposures.


Logical Access (cont’d)

For IS auditors to effectively assess logical access controls, they first need to gain a technical and organizational understanding of the organization’s IT environment, including the following security layers:

o Network
o OS platform
o Database
o Application


Paths of Logical Access

Access or points of entry to an organization’s IS infrastructure can be gained through the following paths:

o Direct
o Local network
o Remote

General points of entry to either front-end or back-end systems occur through network connectivity or remote access.


Paths of Logical Access (cont’d)

Any point of entry not appropriately controlled can potentially compromise the security of an organization’s sensitive and critical information resources.

The IS auditor should determine whether all points of entry are identified and managed.


Logical Access Exposures

Technical exposures are the unauthorized activities interfering with normal processing.

They include:

o Data leakage—Involves siphoning or leaking information out of the computer
o Wiretapping—Involves eavesdropping on information being transmitted over telecommunications lines
o Computer shutdown—Initiated through terminals or personal computers connected directly (online) or remotely (via the Internet) to the computer


Access Control Software

Access control software is used to prevent unauthorized access to, and modification of, an organization’s sensitive data and unauthorized use of system critical functions.

Access controls must be applied across all layers of an organization’s IS architecture, including networks, platforms or OSs, databases and application systems.

Each access control usually includes:

o Identification and authentication
o Access authorization
o Verification of specific information resources
o Logging and reporting of user activities


Access Control Software Functions

General operating and/or application systems access control functions
• Create or change user profiles.
• Assign user identification and authentication.
• Apply user logon limitation rules.
• Notification concerning proper use and access prior to initial login.
• Create individual accountability and auditability by logging user activities.
• Establish rules for access to specific information resources (e.g., system-level application resources and data).
• Log events.
• Report capabilities.

Database and/or application-level access control functions
• Create or change data files and database profiles.
• Verify user authorization at the application and transaction level.
• Verify user authorization within the application.
• Verify user authorization at the field level for changes within a database.
• Verify subsystem authorization for the user at the file level.
• Log database/data communications access activities for monitoring access violations.


Access Control Types

Mandatory access controls (MACs)
• Logical access control filters used to validate access credentials
• Cannot be controlled or modified by normal users or data owners
• Act by default
• Prohibitive; anything that is not expressly permitted is forbidden

Discretionary access controls (DACs)
• Logical access controls that may be configured or modified by the users or data owners
• Cannot override MACs
• Act as an additional filter, prohibiting still more access with the same exclusionary principle
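The MAC-then-DAC ordering described on this slide, as an added example (not code from the ISACA course): a minimal reference monitor in Go in which the mandatory label check runs first and cannot be changed by users, the owner-managed ACL can only narrow the result, and anything not expressly permitted is denied. The clearance levels, subjects, object and ACL entries are constructed for the illustration.

```go
package main

import "fmt"

// Added example, not from the ISACA slides: a minimal reference monitor that
// applies the two filters the slide describes, MAC first and DAC second, with
// default deny. Subjects, labels and ACL entries below are constructed.

// Sensitivity levels used as both object labels and subject clearances.
const (
	Public = iota
	Internal
	Confidential
	Secret
)

// Subject is a user; the clearance is assigned by the system, not the user.
type Subject struct {
	Name      string
	Clearance int
}

// Object is a resource with a mandatory label and an owner-managed ACL.
type Object struct {
	Name  string
	Label int
	ACL   map[string][]string // user -> operations the data owner granted
}

// macPermits is the mandatory filter. Normal users and data owners cannot
// change it; it acts by default and forbids anything not expressly allowed.
func macPermits(s Subject, o Object, op string) bool {
	switch op {
	case "read", "write":
		return s.Clearance >= o.Label // no access above one's clearance
	}
	return false // unknown operation: not expressly permitted, so forbidden
}

// dacPermits is the discretionary filter the data owner configures. It can
// only narrow what MAC already allows; an ACL grant never overrides MAC.
func dacPermits(s Subject, o Object, op string) bool {
	for _, granted := range o.ACL[s.Name] {
		if granted == op {
			return true
		}
	}
	return false
}

// Decide chains the filters and reports which one denied the request.
func Decide(s Subject, o Object, op string) (bool, string) {
	if !macPermits(s, o, op) {
		return false, "denied by MAC (clearance below object label)"
	}
	if !dacPermits(s, o, op) {
		return false, "denied by DAC (no grant from data owner)"
	}
	return true, "permitted by MAC and DAC"
}

func main() {
	payroll := Object{Name: "payroll.db", Label: Confidential,
		ACL: map[string][]string{"alice": {"read"}, "bob": {"read", "write"}}}
	subjects := []Subject{{"alice", Secret}, {"bob", Internal}, {"carol", Secret}}
	for _, s := range subjects {
		for _, op := range []string{"read", "write"} {
			ok, why := Decide(s, payroll, op)
			fmt.Printf("%-6s %-5s on %s: %v (%s)\n", s.Name, op, payroll.Name, ok, why)
		}
	}
}
```

Bob's owner grant does him no good because his clearance is below the object label, which is the "cannot override MACs" point; Carol clears the label but has no owner grant, so the DAC filter denies her.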


Network Infrastructure Security

The IS auditor should be familiar with risk and exposures related to network infrastructure.

Network control functions should:

o Be performed by trained professionals, and duties should be rotated on a regular basis.
o Maintain an audit trail of all operator activities.
o Restrict operator access from performing certain functions.
o Periodically review audit trails to detect unauthorized activities.
o Document standards and protocols.
o Analyze workload balance, response time and system efficiency.
o Encrypt data, where appropriate, to protect messages from disclosure during transmission.


LAN Security

To gain a full understanding of the LAN, the IS auditor should identify and document the following:

o Users or groups with privileged access rights
o LAN topology and network design
o LAN administrator/LAN owner
o Functions performed by the LAN administrator/owner
o Distinct groups of LAN users
o Computer applications used on the LAN
o Procedures and standards relating to network design, support, naming conventions and data security


Virtualization

IS auditors need to understand the advantages and disadvantages of virtualization to determine whether the enterprise has considered the applicable risk in its decision to adopt, implement and maintain this technology.

Some common advantages and disadvantages include:

Advantages
• Decreased server hardware costs.
• Shared processing capacity and storage space.
• Decreased physical footprint.
• Multiple versions of the same OS.

Disadvantages
• Inadequate host configuration could create vulnerabilities that affect not only the host, but also the guests.
• Data could leak between guests.
• Insecure protocols for remote access could result in exposure of administrative credentials.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.14


Client-Server Security

A client-server system is a group of computers connected by a communications network in which the client is the requesting machine and the server is the supplying machine.

Several access routes exist in a client-server environment.


Client-Server Security (cont’d)

The IS auditor should ensure that:

o Application controls cannot be bypassed.
o Passwords are always encrypted.
o Access to configuration or initialization files is kept to a minimum.
o Access to configuration or initialization files is audited.


Wireless Security

Wireless security requirements include the following:

o Authenticity—A third party must be able to verify that the content of a message has not been changed in transit.
o Nonrepudiation—The origin or the receipt of a specific message must be verifiable by a third party.
o Accountability—The actions of an entity must be uniquely traceable to that entity.
o Network availability—The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.


Internet Security

The IS auditor must understand the risk and security factors needed to ensure that proper controls are in place when a company connects to the Internet.

Network attacks involve probing for network information.

o Examples of passive attacks include network analysis, eavesdropping and traffic analysis.


Internet Security (cont’d)

Once enough network information has been gathered, an intruder can launch an actual attack against a targeted system to gain control.

o Examples of active attacks include denial of service (DoS), phishing, unauthorized access, packet replay, brute force attacks and email spoofing.

The IS auditor should have a good understanding of the following types of firewalls:

o Packet filtering
o Application firewall systems
o Stateful inspection


Internet Security (cont’d)

The IS auditor should also be familiar with common firewall implementations, including:

o Screened-host firewall
o Dual-homed firewall
o Demilitarized zone (DMZ) or screened-subnet firewall

The IS auditor should be familiar with the types, features and limitations of intrusion detection systems and intrusion prevention systems.


Encryption

Encryption generally is used to:

o Protect data in transit over networks from unauthorized interception and manipulation.
o Protect information stored on computers from unauthorized viewing and manipulation.
o Deter and detect accidental or intentional alterations of data.
o Verify authenticity of a transaction or document.


Encryption (cont’d)

Key encryption elements include:

o Encryption algorithm—A mathematically based function that encrypts/decrypts data
o Encryption keys—A piece of information that is used by the encryption algorithm to make the encryption or decryption process unique
o Key length—A predetermined length for the key; the longer the key, the more difficult it is to compromise


Encryption (cont’d)

There are two types of encryption schemes:

o Symmetric—a unique key (usually referred to as the “secret key”) is used for both encryption and decryption.
o Asymmetric—the decryption key is different from the one used for encryption.

There are two main advantages of symmetric key systems over asymmetric ones:

o The keys are much shorter and can be easily remembered.
o Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power.


Encryption (cont’d)

In a public key cryptography system, two keys work together as a pair. One of the keys is kept private, while the other one is publicly disclosed.

The underlying algorithm works even if the private key is used for encryption and the public key for decryption.


Encryption (cont’d)

Digital signature schemes ensure:

o Data integrity—Any change to the plaintext message would result in the recipient failing to compute the same document hash.
o Authentication—The recipient can ensure that the document has been sent by the claimed sender because only the claimed sender has the private key.
o Nonrepudiation—The claimed sender cannot later deny generating the document.

The IS auditor should be familiar with how a digital signature functions to protect data.
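The three properties listed above, shown in working code as an added example rather than anything from the ISACA course: the sender hashes the document and signs the hash with the private key, and the recipient recomputes the hash and checks the signature with the public key alone. The slides describe public-key signatures in general; this example uses Ed25519 from the Go standard library as the concrete scheme, and the signed document text is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Added example, not from the ISACA slides: Ed25519 from the Go standard
// library stands in for the signature scheme; the signed document is constructed.

// Signer holds one key pair. The private key never leaves the sender; the
// public key is disclosed to every recipient who needs to verify.
type Signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

// NewSigner generates a fresh key pair from the system CSPRNG.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, pub: pub}, nil
}

// PublicKey is the half the sender publishes.
func (s *Signer) PublicKey() ed25519.PublicKey { return s.pub }

// Sign computes the document hash and signs that hash with the private key.
func (s *Signer) Sign(doc []byte) []byte {
	h := sha256.Sum256(doc)
	return ed25519.Sign(s.priv, h[:])
}

// Verify is run by the recipient: it recomputes the hash of the document it
// received and checks the signature with the claimed sender's public key.
// A changed document yields a different hash (integrity); a signature made
// with any other private key fails (authentication); only the holder of the
// private key could have produced a verifying signature (nonrepudiation).
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false // malformed key: reject rather than let ed25519.Verify panic
	}
	h := sha256.Sum256(doc)
	return ed25519.Verify(pub, h[:], sig)
}

func main() {
	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	mallory, _ := NewSigner() // a different key pair, i.e. a different sender

	doc := []byte("Approve payment of 1,000 to supplier 42") // constructed
	sig := alice.Sign(doc)

	fmt.Println("original doc, Alice's key  :", Verify(alice.PublicKey(), doc, sig))
	tampered := []byte("Approve payment of 9,000 to supplier 42")
	fmt.Println("tampered doc, Alice's key  :", Verify(alice.PublicKey(), tampered, sig))
	fmt.Println("original doc, Mallory's key:", Verify(mallory.PublicKey(), doc, sig))
}
```

The two failing checks are the integrity and authentication cases from the slide; the signature binds the document to Alice's private key, so she cannot later deny producing it.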


Malware

There are two primary methods to prevent and detect malware that infects computers and network systems:

o Have sound policies and procedures in place (preventive controls).
o Have technical controls (detective controls), such as anti-malware software, including:
• Scanners
• Behavior blockers
• Active monitors
• Integrity CRC checkers
• Immunizers

Neither method is effective without the other.


Task 5.4

Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.


Data Classification

In order to have effective controls, organizations must have a detailed inventory of information assets.

Most organizations use a classification scheme with three to five levels of sensitivity.

Data classification provides the following benefits:

o Defines level of access controls
o Reduces risk and cost of over- or under-protecting information resources
o Maintains consistent security requirements
o Enables uniform treatment of data by applying level-specific policies and procedures
o Identifies who should have access


Data Classification (cont’d)

The information owner should decide on the appropriate classification, based on the organization’s data classification and handling policy.

Data classification should define:

o The importance of the information asset
o The information asset owner
o The process for granting access
o The person responsible for approving the access rights and access levels
o The extent and depth of security controls

Data classification must also take into account legal, regulatory, contractual and internal requirements for maintaining privacy, confidentiality, integrity and availability.


Data Leakage

Data leakage involves the unauthorized transfer of sensitive or proprietary information from an internal network to the outside world.

Data leak prevention is a suite of technologies and associated processes that locate, monitor and protect sensitive information from unauthorized disclosure.


Data Leakage (cont’d)

DLPs have three key objectives:

o Locate and catalog sensitive information stored throughout the enterprise.
o Monitor and control the movement of sensitive information across enterprise networks.
o Monitor and control the movement of sensitive information on end-user systems.


DLP Solutions

Data at rest
• Use crawlers to search for and log the location of specific information sets

Data in motion
• Use specific network appliances or embedded technology to selectively capture and analyze traffic
• Use deep packet inspection (DPI) to read contents within a packet’s payload

Data in use
• Use an agent to monitor data movement stemming from actions taken by end users
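The data-at-rest crawler above, and the first DLP objective on the previous slide (locate and catalog sensitive information), as an added example that is not from the ISACA course: a Go crawler that walks a file tree, looks for one specific information set (payment card numbers, confirmed with the Luhn check so that arbitrary 16-digit references are not reported) and for an explicit CONFIDENTIAL classification marker, and logs the location of every hit. The file tree is constructed in memory so the example runs offline.

```go
package main

import (
	"fmt"
	"io/fs"
	"regexp"
	"sort"
	"strings"
	"testing/fstest"
)

// Added example, not from the ISACA slides. The files below are constructed
// and held in an in-memory fs.FS; a real crawler would pass os.DirFS(root).
var sampleFiles = fstest.MapFS{
	"hr/salaries.csv":   {Data: []byte("CONFIDENTIAL\nname,card\nalice,4111 1111 1111 1111\n")},
	"public/readme.txt": {Data: []byte("Order ref 1234 5678 9012 3456 is not a card number.\n")},
	"finance/notes.md":  {Data: []byte("cards on file: 4111-1111-1111-1111 and 5500 0000 0000 0004\n")},
}

// Finding records what the crawler found in one file.
type Finding struct {
	Cards  int  // Luhn-valid 16-digit card numbers
	Marker bool // file carries a CONFIDENTIAL classification marker
}

// candidate matches 16 digits optionally separated by single spaces or dashes.
var candidate = regexp.MustCompile(`\b\d(?:[ -]?\d){15}\b`)

// luhnValid applies the Luhn checksum so that arbitrary 16-digit strings
// (order references, serial numbers) are not reported as card numbers.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// scan classifies one file's contents.
func scan(content string) Finding {
	var f Finding
	for _, m := range candidate.FindAllString(content, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if luhnValid(digits) {
			f.Cards++
		}
	}
	f.Marker = strings.Contains(content, "CONFIDENTIAL")
	return f
}

// Catalog walks fsys and returns the path of every file holding sensitive content.
func Catalog(fsys fs.FS) (map[string]Finding, error) {
	cat := map[string]Finding{}
	err := fs.WalkDir(fsys, ".", func(path string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		data, err := fs.ReadFile(fsys, path)
		if err != nil {
			return err
		}
		if f := scan(string(data)); f.Cards > 0 || f.Marker {
			cat[path] = f
		}
		return nil
	})
	return cat, err
}

func main() {
	cat, err := Catalog(sampleFiles)
	if err != nil {
		panic(err)
	}
	paths := make([]string, 0, len(cat))
	for p := range cat {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	for _, p := range paths {
		fmt.Printf("%-20s cards=%d marker=%v\n", p, cat[p].Cards, cat[p].Marker)
	}
}
```

The readme is not catalogued: its 16-digit order reference matches the pattern but fails the Luhn check, which is the false-positive case a crawler must handle before its log is useful to an auditor.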


Identification and Authentication

Logical access identification and authentication (I&A) is the process of establishing and proving a user’s identity.

For most systems, I&A is the first line of defense because it prevents unauthorized people (or unauthorized processes) from entering a computer system or accessing an information asset.


Identification and Authentication (cont’d)

Some common I&A vulnerabilities include:

o Weak authentication methods
o Use of simple or easily guessed passwords
o The potential for users to bypass the authentication mechanism
o The lack of confidentiality and integrity for the stored authentication information
o The lack of encryption for authentication and protection of information transmitted over a network
o The user’s lack of knowledge on the risk associated with sharing authentication elements


Authentication Methods

Multifactor authentication is the combination of more than one authentication method.

Single sign-on (SSO) is the process for consolidating all of an organization’s platform-based administration, authentication and authorization functions into a single centralized administrative function.

The IS auditor should be familiar with the organization’s authentication policies.

Authentication methods include:

o Logon IDs and passwords
o Tokens
o Biometrics


Authorization

Authorization refers to the access rules that specify who can access what.

Access control is often based on least privilege, which refers to the granting to users of only those accesses required to perform their duties.

The IS auditor needs to know what can be done with the access and what is restricted.

The IS auditor must review access control lists (ACLs). An ACL is a register of users who have permission to use a particular system and the types of access permitted.


Authorization Issues

Risks
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users’ computers

Controls
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques such as use of a VPN
• System and network management


System Logs

Audit trail records should be protected by strong access controls to help prevent unauthorized access.

The IS auditor should ensure that the logs cannot be tampered with, or altered, without leaving an audit trail.

When reviewing or performing security access follow-up, the IS auditor should look for:

o Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application
o Violations (such as attempting computer file access that is not authorized) and/or use of incorrect passwords


Review of Access Controls

Access controls and password administration are reviewed to determine that:

o Procedures exist for adding individuals to the access list, changing their access capabilities and deleting them from the list.
o Procedures exist to ensure that individual passwords are not inadvertently disclosed.
o Passwords issued are of an adequate length, cannot be easily guessed and do not contain repeating characters.
o Passwords are periodically changed.
o User organizations periodically validate the access capabilities.
o Procedures provide for the suspension of user IDs or the disabling of systems after a particular number of security procedure violations.
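The log review items from the System Logs slide (concentration on a sensitive application, unauthorized access attempts, incorrect passwords) and the suspension-after-N-violations item above, as one added example that is not from the ISACA course: a Go pass over an audit trail that produces the findings an auditor would follow up. The key=value log format and every log line are constructed; the 80%-of-events concentration rule and the minimum of five events are assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Added example, not from the ISACA slides: a small review pass over an audit
// trail that flags the three things the slides tell the auditor to look for.
// The log format (key=value fields) and every line below are constructed.
const sampleLog = `2016-03-01T09:00:01 user=bob app=PAYROLL action=read result=OK
2016-03-01T09:00:30 user=bob app=PAYROLL action=read result=OK
2016-03-01T09:01:00 user=bob app=PAYROLL action=export result=OK
2016-03-01T09:01:20 user=bob app=PAYROLL action=read result=OK
2016-03-01T09:02:00 user=bob app=PAYROLL action=read result=OK
2016-03-01T09:02:40 user=bob app=HR action=read result=OK
2016-03-01T09:10:00 user=carol app=LOGIN action=logon result=FAIL reason=BAD_PASSWORD
2016-03-01T09:10:20 user=carol app=LOGIN action=logon result=FAIL reason=BAD_PASSWORD
2016-03-01T09:10:45 user=carol app=LOGIN action=logon result=FAIL reason=BAD_PASSWORD
2016-03-01T09:11:00 user=carol app=LOGIN action=logon result=OK
2016-03-01T09:30:00 user=dave app=FILESRV action=read target=/finance/q4.xlsx result=DENIED
2016-03-01T09:31:00 user=alice app=LOGIN action=logon result=FAIL reason=BAD_PASSWORD`

// parseLine splits "timestamp k=v k=v ..." into a field map; malformed lines are skipped.
func parseLine(line string) (map[string]string, bool) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return nil, false
	}
	e := map[string]string{"time": f[0]}
	for _, kv := range f[1:] {
		k, v, ok := strings.Cut(kv, "=")
		if !ok {
			return nil, false
		}
		e[k] = v
	}
	return e, e["user"] != ""
}

// Finding is one item for the auditor's follow-up.
type Finding struct{ User, Kind, Detail string }

// Review scans the log for: repeated incorrect passwords (a candidate for ID
// suspension once maxBadPasswords violations are reached), unauthorized access
// attempts, and concentration of one user's activity on a sensitive application.
func Review(log string, sensitive map[string]bool, maxBadPasswords int) []Finding {
	badPw := map[string]int{}
	total := map[string]int{}
	perApp := map[string]map[string]int{}
	var out []Finding
	for _, line := range strings.Split(log, "\n") {
		e, ok := parseLine(line)
		if !ok {
			continue
		}
		user, app := e["user"], e["app"]
		total[user]++
		if perApp[user] == nil {
			perApp[user] = map[string]int{}
		}
		perApp[user][app]++
		switch {
		case e["result"] == "FAIL" && e["reason"] == "BAD_PASSWORD":
			badPw[user]++
		case e["result"] == "DENIED":
			out = append(out, Finding{user, "unauthorized-access",
				fmt.Sprintf("%s %s %s via %s", e["time"], e["action"], e["target"], app)})
		}
	}
	for user, n := range badPw {
		if n >= maxBadPasswords {
			out = append(out, Finding{user, "bad-password-lockout",
				fmt.Sprintf("%d incorrect passwords (threshold %d)", n, maxBadPasswords)})
		}
	}
	// Concentration (assumed rule): at least 5 events, 80% or more on one sensitive app.
	for user, apps := range perApp {
		for app, n := range apps {
			if sensitive[app] && total[user] >= 5 && n*100 >= 80*total[user] {
				out = append(out, Finding{user, "concentration",
					fmt.Sprintf("%d of %d events on %s", n, total[user], app)})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].User+out[i].Kind < out[j].User+out[j].Kind })
	return out
}

func main() {
	for _, f := range Review(sampleLog, map[string]bool{"PAYROLL": true}, 3) {
		fmt.Printf("%-6s %-22s %s\n", f.User, f.Kind, f.Detail)
	}
}
```

Alice's single incorrect password stays below the threshold and is not reported, while Carol's three are; raising the threshold to four would drop Carol's finding, which is the policy parameter the auditor checks against the organization's procedure.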


Task 5.5

Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.


Data Access Procedures

Management should define and implement procedures to prevent access to, or loss of, sensitive information when it is stored, disposed of or transferred to another user.

Such procedures must be created for the following:

o Backup files of databases
o Data banks
o Disposal of media previously used to hold confidential information
o Management of equipment sent for offsite maintenance
o Public agencies and organizations concerned with sensitive, critical or confidential information
o E-token electronic keys
o Storage records


Media Storage

To help avoid potential damage to media during shipping and storage, the following precautions must be present:

o Keep out of direct sunlight.
o Keep free of dust.
o Keep free of liquids.
o Minimize exposure to magnetic fields, radio equipment or any sources of vibration.
o Do not air transport in areas and at times of exposure to a strong magnetic storm.


Mobile Computing

Mobile computing refers to devices that are transported or moved during normal usage, including tablets, smartphones and laptops.

Mobile computing makes it more difficult to implement logical and physical access controls.

Common mobile computing vulnerabilities include the following:

o Information may travel across unsecured wireless networks.
o The enterprise may not be managing the device.
o Unencrypted information may be stored on the device.
o The device may have a lack of authentication requirements.
o The device may allow for the installation of unsigned third-party applications.


Mobile Computing Controls

The following controls will reduce the risk of disclosure of sensitive data stored on mobile devices:

o Device registration
o Tagging
o Physical security
o Data storage
o Virus detection and control
o Encryption
o Compliance
o Approval
o Acceptable use policy
o Due care
o Awareness training
o Network authentication
o Secure transmission
o Standard applications
o Geolocation tracking
o Remote wipe and lock
o BYOD agreement
o Secure remote support


Other Data Controls

Other technologies that should be reviewed by the IS auditor include the following (technology, threats/vulnerabilities, controls):

Peer-to-peer computing
Threats/vulnerabilities:
• Viruses and malware
• Copyrighted content
• Excessive use
• Eavesdropping
Controls:
• Antivirus and anti-malware
• Block P2P traffic
• Restrict P2P exposure
• Establish policies or standards

Instant messaging (IM)
Threats/vulnerabilities:
• Viruses and malware
• Excessive use
• IP address exposure
Controls:
• Antivirus and anti-malware
• Encrypt IM traffic
• Block IM traffic
• Restrict IM usage
• Establish policies or standards

Social media
Threats/vulnerabilities:
• Viruses and malware
• Undefined content rights
• Data exposure
• Excessive use
Controls:
• Establish clear policies
• Capture and log all communications
• Content filtering

Cloud computing
Threats/vulnerabilities:
• Lack of control and visibility
• Physical security
• Data disposal
Controls:
• Right to audit the contract
• Restricted contract terms
• Encryption

68 © Copyright 2016 ISACA. All rights reserved.

Voice-over IP (VoIP)

VoIP has a different architecture than traditional circuit-switched telephony, and these differences result in significant security issues.

Security is needed to protect two assets: the data and the voice.

Backup communication plans are important because VoIP rides on the data network: if the network or the servers that carry the calls go down, the telephone system goes down too.

Private Branch Exchange

A private branch exchange (PBX) is a sophisticated computer-based switch that may be thought of as a small, in-house phone company.

Failure to secure a PBX can result in:

o Theft of service
o Disclosure of information
o Data modification
o Unauthorized access
o Denial of service
o Traffic analysis

The IS auditor should understand the design and implementation of the PBX to determine how an intruder could exploit weaknesses or misuse normal functions.

Task 5.6

Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.

Computer Crimes

It is important that the IS auditor knows and understands the differences between computer crime and computer abuse to support risk analysis methodologies and related control practices. Examples of computer crimes include:

o Denial of service (DoS)
o Hacking
o Malware, viruses and worms
o Fraud
o Unauthorized access
o Phishing
o Brute force attacks
o Malicious code
o Network analysis
o Packet replay
o Masquerading
o Eavesdropping

Source: ISACA, CISA Review Manual, 26th Edition, figures 5.11 and 5.12

Security Incident Handling

To minimize damage from security incidents, a formal incident response capability should be established.

Ideally, an organizational computer security incident response team (CSIRT) or computer emergency response team (CERT) should be formed with clear lines of reporting and responsibilities.

Security Incident Handling (cont’d)

The IS auditor should:

o Ensure that the CSIRT is actively involved with users to assist them in the mitigation of risk arising from security failures and also to prevent security incidents.
o Ensure that there is a formal, documented plan and that it contains vulnerability identification, reporting and incident response procedures for common security-related threats and issues.

Auditing ISM Framework

The IS auditor should review the following elements of the information security management framework:

o Written policies, procedures and standards
o Logical access security policies
o Formal security awareness and training
o Data ownership
o Data owners
o Data custodians
o Security administrator
o New IT users
o Data users
o Documented authorizations
o Terminated employee access
o Security baselines
o Access standards

Auditing Logical Access

When evaluating logical access controls, the IS auditor should:

o Obtain a clear understanding of the security risk facing information processing through a review of relevant documentation, interviews, physical walk-throughs and risk assessments.
o Document and evaluate controls over potential access paths into the system to assess their adequacy, efficiency and effectiveness by reviewing appropriate hardware and software security features and identifying any deficiencies or redundancies.
o Test controls over access paths to determine whether they are functioning and effective by applying appropriate audit techniques.

Auditing Logical Access (cont’d)

In addition, the IS auditor should do the following when auditing logical access:

o Evaluate the access control environment to determine if the control objectives are achieved by analyzing test results and other audit evidence.
o Evaluate the security environment to assess its adequacy and compare it with appropriate security standards or practices and procedures used by other organizations.
o Interview the IS manager and security administrator and review organizational charts and job descriptions.
o Review access control software reports to monitor adherence to security policies.
o Review the application systems operations manual.

Security Testing Techniques

Terminal cards and keys
• The IS auditor can use sample cards and keys to attempt to gain access beyond what is authorized.
• The IS auditor should follow up on any unsuccessful attempted violations.

Terminal identification
• The IS auditor can inventory terminals to look for incorrectly logged, missing or additional terminals.

Logon IDs and passwords
• To test confidentiality, the IS auditor can attempt to guess passwords, find passwords by searching the office or get a user to divulge a password.
• To test encryption, the IS auditor should attempt to view the internal password table. Passwords should be stored only as salted one-way hashes; a table that reveals passwords in clear text or in a reversible form fails the test.
• To test authorization, the IS auditor should review a sample of authorization documents to determine if proper authority was provided.
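The two password tests above (guess passwords; inspect the internal password table) can be combined in one check. The following is an added example, not course material from ISACA: given a dumped password table, it classifies how each credential is stored and runs a small dictionary guess against any bare, unsalted digest, which is exactly why such digests fail the encryption test while a salted bcrypt or sha512-crypt value does not. The row format (user:stored_value), the recogniser rules, the guess list and the sample rows are assumptions made for illustration.

```python
"""Audit a dumped password table for clear-text or weakly hashed credentials.

Added example for the "Logon IDs and passwords" testing technique; it is not
part of the ISACA course material. The row format (user:stored_value), the
recogniser rules and the sample rows are assumptions made for illustration.
"""
import hashlib
import re

# Prefixes used by salted, purpose-built password hashes (bcrypt, argon2,
# sha256/sha512-crypt, scrypt, yescrypt). Anything else is suspect.
SALTED_SLOW = re.compile(r"^\$(2[aby]|argon2(id|i|d)|5|6|7|y)\$")
# Bare hex digests of these lengths are almost always unsalted fast hashes.
UNSALTED_HEX = {32: "md5", 40: "sha1", 64: "sha256"}
# A tiny guess list standing in for the auditor's "attempt to guess passwords".
GUESSES = ["password", "Password1", "welcome", "123456", "letmein", "Summer2016"]


def classify(stored):
    """Say how a stored credential appears to be protected."""
    if SALTED_SLOW.match(stored):
        return "salted-slow-hash"
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in UNSALTED_HEX:
        return "unsalted-" + UNSALTED_HEX[len(stored)]
    return "cleartext-or-unknown"


def guess_unsalted(digest, algo):
    """Dictionary-guess a bare digest; an unsalted fast hash falls instantly."""
    for candidate in GUESSES:
        if hashlib.new(algo, candidate.encode()).hexdigest() == digest.lower():
            return candidate
    return None


def audit_password_table(rows):
    """Return (user, storage class, recovered password or None) for each row."""
    findings = []
    for line in rows:
        user, _, stored = line.strip().partition(":")
        kind = classify(stored)
        recovered = None
        if kind.startswith("unsalted-"):
            recovered = guess_unsalted(stored, kind.split("-", 1)[1])
        findings.append((user, kind, recovered))
    return findings


def failing_accounts(rows):
    """Accounts whose stored credential would not pass the encryption test."""
    return [u for u, kind, _ in audit_password_table(rows) if kind != "salted-slow-hash"]


# Constructed sample dump. The fast digests are computed here only so the
# sample is self-consistent; the bcrypt and sha512-crypt values are placeholders.
SAMPLE_TABLE = [
    "alice:$2b$12$KIXQ4x5C3i1Zl0Q1nC8k3uJ3l0r5f1t2n9d6H8d0c3b5a7k9m1o3q",  # bcrypt (placeholder)
    "bob:" + hashlib.md5(b"password").hexdigest(),                           # unsalted MD5
    "carol:password",                                                        # clear text
    "dave:$6$rounds=5000$Xy7pQ2$" + "0" * 86,                                # sha512-crypt (placeholder)
    "erin:" + hashlib.sha1(b"Tr0ub4dor&3").hexdigest(),                      # unsalted SHA-1, not in guess list
]

if __name__ == "__main__":
    for user, kind, recovered in audit_password_table(SAMPLE_TABLE):
        note = f" (guessed: {recovered})" if recovered else ""
        print(f"{user:8} {kind}{note}")
    print("fail:", ", ".join(failing_accounts(SAMPLE_TABLE)))
```

Note that erin's SHA-1 digest survives the guess list only because the password is not in it; the finding is still "unsalted-sha1", because an auditor rates the storage method, not the luck of one dictionary run.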

Security Testing Techniques (cont’d)

Computer access controls
• The IS auditor should work with the system software analyst to determine if all access is on a need-to-know basis.

Computer access violations logging and reporting
• The IS auditor should attempt to access computer transactions or data for which access is not authorized. The unsuccessful attempts should be identified on security reports.

Follow-up access violations
• The IS auditor should select a sample of security reports and look for evidence of follow-up and investigation of access violations.

Bypassing security and compensating controls
• The IS auditor should work with the system software analyst, network manager, operations manager and security administrator to determine ways to bypass security.
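The two techniques on access violations (the auditor's own unauthorized attempts must appear on the security report; sampled reports must show follow-up) are easier to test with a small report builder. The following is an added example, not course material from ISACA: it parses access-control log lines into a per-user violation report, flags repeated denials, and lists flagged users for whom no follow-up ticket was opened within a few days of the last denial. The log line format, the follow-up register, the thresholds and every sample record are constructed for illustration.

```python
"""Turn raw access-control log lines into an access-violation report and check
that flagged violations received documented follow-up.

Added example for the "computer access violations logging and reporting" and
"follow-up access violations" techniques; it is not part of the ISACA course
material. The log format, the follow-up register and all sample records are
constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) result=(?P<result>OK|DENIED)$"
)


def parse_log(lines):
    """Parse audit records; a record the parser cannot read is itself a finding."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparseable audit record: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def violation_report(events, repeat_threshold=3):
    """Denied accesses per user; repeated denials are flagged for investigation."""
    denied = defaultdict(list)
    for e in events:
        if e["result"] == "DENIED":
            denied[e["user"]].append(e)
    return {
        user: {
            "count": len(evs),
            "objects": sorted({e["obj"] for e in evs}),
            "last_denial": max(e["ts"] for e in evs),
            "flagged": len(evs) >= repeat_threshold,
        }
        for user, evs in denied.items()
    }


def unresolved_violations(report, followups, max_days=5):
    """Flagged users with no follow-up ticket opened within max_days of the last denial."""
    unresolved = []
    for user, entry in report.items():
        if not entry["flagged"]:
            continue
        deadline = entry["last_denial"] + timedelta(days=max_days)
        handled = any(
            f["user"] == user and entry["last_denial"] <= f["opened"] <= deadline
            for f in followups
        )
        if not handled:
            unresolved.append(user)
    return sorted(unresolved)


# Constructed sample: three denials by jsmith, one by akhan, and the auditor's
# own deliberate unauthorized attempts (auditor1), which must also be reported.
SAMPLE_LOG = [
    "2016-03-01T09:12:03Z user=jsmith action=READ object=PAYROLL.MASTER result=DENIED",
    "2016-03-01T09:12:41Z user=jsmith action=READ object=PAYROLL.MASTER result=DENIED",
    "2016-03-01T09:13:10Z user=jsmith action=UPDATE object=PAYROLL.RATES result=DENIED",
    "2016-03-01T10:02:00Z user=akhan action=READ object=GL.JOURNAL result=OK",
    "2016-03-02T14:30:15Z user=akhan action=UPDATE object=GL.JOURNAL result=DENIED",
    "2016-03-03T08:05:22Z user=auditor1 action=READ object=PAYROLL.MASTER result=DENIED",
    "2016-03-03T08:05:59Z user=auditor1 action=READ object=HR.SALARY result=DENIED",
    "2016-03-03T08:06:30Z user=auditor1 action=UPDATE object=HR.SALARY result=DENIED",
]
# Constructed follow-up register: only jsmith's violations were investigated.
SAMPLE_FOLLOWUPS = [
    {"ticket": "SEC-1041", "user": "jsmith", "opened": datetime(2016, 3, 2, 11, 0)},
]

if __name__ == "__main__":
    report = violation_report(parse_log(SAMPLE_LOG))
    for user, entry in sorted(report.items()):
        flag = "FLAGGED" if entry["flagged"] else ""
        print(f"{user:10} denied={entry['count']} objects={entry['objects']} {flag}")
    print("no follow-up:", unresolved_violations(report, SAMPLE_FOLLOWUPS))
```

The auditor's own test account is deliberately left without a ticket: if it does not surface in the unresolved list, the report, not the follow-up process, is what needs investigating.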

Investigation Techniques

If a computer crime occurs, it is very important that proper procedures are used to collect evidence.

o Damaged evidence can hinder prosecution.
o After a computer crime, the environment and evidence must be left unaltered and examined by specialist law enforcement officials.

Any electronic document or data may be used as digital evidence.

An IS auditor may be required or asked to be involved in a forensic analysis to provide expert opinion or to ensure the correct interpretation of information gathered.

Investigation Techniques (cont’d)

Identify
• Refers to the identification of information that is available and might form the evidence of an incident

Preserve
• Refers to the practice of retrieving identified information and preserving it as evidence

Analyze
• Involves extracting, processing and interpreting the evidence

Present
• Involves a presentation to the various audiences, such as management, attorneys, court, etc.

Computer Forensics

The IS auditor should give consideration to key elements of computer forensics during audit planning, including the following:

o Data protection
o Data acquisition
o Imaging
o Extraction
o Interrogation
o Ingestion/normalization
o Reporting
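The Preserve and Analyze steps and the data acquisition, imaging and extraction elements above come down to one discipline: hash the image at acquisition, record who handled it, work only on a copy, and be able to prove later that the original is unchanged. The following is an added example, not course material from ISACA; the in-memory "source device", the custody record layout and the sample bytes are constructed for illustration, and a real acquisition would read the device through a write blocker rather than a bytes object.

```python
"""Preserve digital evidence: acquire a bit-for-bit image, hash it, keep a
custody record, and prove later that the image is unchanged before analysing
a working copy.

Added example for the Preserve / Analyze steps and the data acquisition,
imaging and extraction elements; it is not part of the ISACA course material.
The in-memory "source device", the custody record layout and the sample bytes
are constructed for illustration.
"""
import hashlib
import re
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes, examiner: str, description: str):
    """Copy the source bit for bit and hash both sides before anything else touches it.

    A real acquisition reads the device through a write blocker; here the
    device is just a bytes object standing in for the drive.
    """
    image = bytes(source)
    if sha256_hex(image) != sha256_hex(source):
        raise RuntimeError("acquisition error: image does not match source")
    record = {
        "description": description,
        "size": len(image),
        "sha256": sha256_hex(image),
        "custody": [{"event": "acquired", "by": examiner,
                     "at": datetime.now(timezone.utc).isoformat()}],
    }
    return image, record


def log_custody(record, event: str, by: str):
    """Append a handling entry; every hand-off of the evidence should appear here."""
    record["custody"].append({"event": event, "by": by,
                              "at": datetime.now(timezone.utc).isoformat()})


def verify_image(image: bytes, record) -> bool:
    """True only if size and hash still match the custody record."""
    return len(image) == record["size"] and sha256_hex(image) == record["sha256"]


def extract_strings(image: bytes, min_len: int = 6):
    """Analyze step: carve printable ASCII runs from a working copy, never the original."""
    working_copy = bytes(image)
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, working_copy)]


# Constructed "disk" contents standing in for an acquired device.
SAMPLE_SOURCE = (b"\x00\x00MZ\x90\x00contact: mule@example.invalid\x00\x00"
                 b"\xff\xfetransfer 48,200 to acct 7781\x00\x00")

if __name__ == "__main__":
    image, record = acquire_image(SAMPLE_SOURCE, "examiner1", "constructed test image")
    log_custody(record, "handed to analyst", "analyst2")
    print("intact:", verify_image(image, record))
    print("strings:", extract_strings(image))
    tampered = image[:5] + b"\x01" + image[6:]
    print("tampered copy passes verification:", verify_image(tampered, record))
```

A single flipped byte, or one appended byte, is enough to fail verification; that is the property the Present step relies on when the hash recorded at acquisition is compared with the hash of the exhibit in court.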

Auditing Network Infrastructure

When performing an audit of the network infrastructure, the IS auditor should:

o Review the following documents:
  • Network diagrams
  • SLAs
  • Network administrator procedures
  • Network topology design
o Identify the network design implemented.
o Determine that applicable security policies, standards, procedures and guidance on network management and usage exist and have been distributed.
o Identify who is responsible for security and operation of Internet connections.
o Determine whether consideration has been given to the legal problems arising from use of the Internet.
o Determine whether a vulnerability scanning process is in place.

Auditing Remote Access

IS auditors should determine that all remote access capabilities used by an organization provide for effective security of the organization’s information resources.

This includes:

o Ensuring that remote access security controls are documented and implemented for authorized users
o Reviewing existing remote access architectures for points of entry
o Testing access controls

Penetration Testing

During penetration testing, an auditor attempts to circumvent the security features of a system and exploits the vulnerabilities to gain access that would otherwise be unauthorized.

Phases (figure 5.22): Planning -> Discovery -> Attack -> Reporting, with the attack phase feeding additional discovery back into the discovery phase.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.22

Types of Penetration Tests

External testing
Refers to attacks and control circumvention attempts on the target’s network perimeter from outside the target’s system

Internal testing
Refers to attacks and control circumvention attempts on the target from within the perimeter

Blind testing
Refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target’s information systems

Double blind testing
Refers to an extension of blind testing, because the administrator and security staff at the target are also not aware of the test

Targeted testing
Refers to attacks and control circumvention attempts on the target, while both the target’s IT team and penetration testers are aware of the testing activities

Domain 5 Summary

Evaluate the information security and privacy policies, standards and procedures.

Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls.

Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls.

Domain 5 Summary (cont’d)

Evaluate the design, implementation and monitoring of the data classification processes and procedures.

Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets.

Evaluate the information security program.

Discussion Question

The CSIRT of an organization disseminates detailed descriptions of recent threats. An IS auditor’s GREATEST concern should be that the users may:

A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.

Discussion Question

Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program?

A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.

Discussion Question

A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?

A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C. Demagnetize the hard disk.
D. Physically destroy the hard disk.

EXAM PRACTICE

Question 1

An IS auditor is developing an audit plan for an environment that includes new systems. The company’s management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?

A. Audit the new systems as requested by management.
B. Audit systems not included in last year’s scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year’s scope and the new systems.

Question 2

To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:

A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.

Question 3

The PRIMARY objective of the audit initiation meeting with an IS audit client is to:

A. discuss the scope of the audit.
B. identify resource requirements of the audit.
C. select the methodology of the audit.
D. review requested evidence provided by the audit client.

Question 4

The effect of which of the following should have priority in planning the scope and objectives of an IS audit?

A. Applicable statutory requirements
B. Applicable corporate standards
C. Applicable industry best practices
D. Organizational policies and procedures

Question 5

Why does an audit manager review the staff’s audit papers, even when the IS auditors have many years of experience?

A. Internal quality requirements
B. The audit guidelines
C. The audit methodology
D. Professional standards

Question 6

An IS audit department considers implementing continuous auditing techniques for a multinational retail enterprise that requires high availability of its key systems. A PRIMARY benefit of continuous auditing is that:

A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.

Question 7

The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?

A. Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.

Question 8

The success of control self-assessment (CSA) depends highly on:

A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and the monitoring of controls of assigned duties.

Question 9

When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts?

A. Ensure that the IT security risk assessment has a clearly defined scope.
B. Require the IT security officer to approve each risk rating during the workshop.
C. Suggest that the IT security officer accept the business unit risk and rating.
D. Select only commonly accepted risk with the highest submitted rating.

Question 10

An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff response to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario?

A. Notify the local fire department of the alarm condition.
B. Prepare to activate the fire suppression system.
C. Ensure that all persons in the data center are evacuated.
D. Remove all backup tapes from the data center.

Question 11

When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:

A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.

Question 12

An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk?

A. Undocumented approval of some project changes
B. Faulty migration of historical data from the old system to the new system
C. Incomplete testing of the standard functionality of the ERP subsystem
D. Duplication of existing payroll permissions on the new ERP subsystem

Question 13

An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization’s project management process is the MOST likely cause of this issue?

A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management

Question 14

Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?

A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
C. Extrapolation of the overall end date based on completed work packages and current resources
D. Calculation of the expected end date based on current resources and remaining available project budget

Question 15

An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor’s MAIN concern should be that the:

A. complexity and risk associated with the project have been analyzed.
B. resources needed throughout the project have been determined.
C. technical deliverables have been identified.
D. contract for external parties involved in the project has been completed.

Question 16

The PRIMARY objective of service-level management (SLM) is to:

A. define, agree on, record and manage the required levels of service.
B. ensure that services are managed to deliver the highest achievable level of availability.
C. keep the costs associated with any service at a minimum.
D. monitor and report any legal noncompliance to business management.

Question 17

The BEST audit procedure to determine if unauthorized changes have been made to production code is to:

A. examine the change control system records and trace them forward to object code files.
B. review access control permissions operating within the production program libraries.
C. examine object code to find instances of changes and trace them back to change control records.
D. review change approved designations established within the change control system.

Question 18

Which of the following is the BEST method for determining the criticality of each application system in the production environment?

A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent application audits.
D. Perform a business impact analysis (BIA).

Question 19

Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?

A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year.
B. During the test, some of the backup systems were defective or not working, causing the test of these systems to fail.
C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned.
D. Every year, the same employees perform the test. The recovery plan documents are not used because every step is well known by all participants.

Question 20

Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)?

A. Business process owners
B. IT management
C. Senior business management
D. Industry experts

Question 21

While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:

A. shadow file processing.
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.

Question 22

The information security policy that states “each individual must have his/her badge read at every controlled door” addresses which of the following attack methods?

A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation

Question 23

An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks?

A. Internet protocol (IP) spoofing
B. Phishing
C. Structured query language (SQL) injection
D. Denial-of-service (DoS)

Question 24

A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed?

A. On the local network
B. Outside the firewall
C. In the demilitarized zone (DMZ)
D. On the server that hosts the web site

Question 25

What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?

A. Implement a log management process.
B. Implement a two-factor authentication.
C. Use table views to access sensitive data.
D. Separate database and application servers.

Question 26

What is the BEST approach to mitigate the risk of a phishing attack?

A. Implementation of an intrusion detection system (IDS)
B. Assessment of web site security
C. Strong authentication
D. User education

Question 27

Which of the following BEST encrypts data on mobile devices?

A. Elliptical curve cryptography (ECC)
B. Data encryption standard (DES)
C. Advanced encryption standard (AES)
D. The Blowfish algorithm

Question 28

When protecting an organization’s IT systems, which of the following is normally the next line of defense after the network firewall has been compromised?

A. Personal firewall
B. Antivirus programs
C. Intrusion detection system (IDS)
D. Virtual local area network (VLAN) configuration

Question 29

Which of the following would MOST effectively enhance the security of a challenge-response based authentication system?

A. Selecting a more robust algorithm to generate challenge strings
B. Implementing measures to prevent session hijacking attacks
C. Increasing the frequency of associated password changes
D. Increasing the length of authentication strings

Question 30

An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:

A. is configured with an implicit deny rule as the last rule in the rule base.
B. is installed on an operating system with default settings.
C. has been configured with rules permitting or denying access to systems or networks.
D. is configured as a virtual private network (VPN) endpoint.

THANK YOU!