TRANSCRIPT
CISA EXAM PREP COURSE:
SESSION 3
2 © Copyright 2016 ISACA. All rights reserved.
Job Practice
Domain 1: The Process of Auditing Information Systems, 21%
Domain 2: Governance and Management of IT, 16%
Domain 3: Information Systems Acquisition, Development and Implementation, 18%
Domain 4: Information Systems Operations, Maintenance and Service Management, 20%
Domain 5: Protection of Information Assets, 25%
Domain 5
Protection of Information Assets
Domain 5
Provide assurance that the enterprise’s
security policies, standards, procedures
and controls ensure the confidentiality,
integrity and availability (CIA) of
information assets.
Task 5.1
Evaluate the information security and
privacy policies, standards and
procedures for completeness, alignment
with generally accepted practices and
compliance with applicable external
requirements.
Security Objectives
Security objectives to meet an organization’s business requirements
should ensure the following:
o Continued availability of information systems and data
o Integrity of the information stored on computer systems and
while in transit
o Confidentiality of sensitive data is preserved while stored and in
transit
o Conformity to applicable laws, regulations and standards
o Adherence to trust and obligation requirements in relation to any
information relating to an identified or identifiable individual (i.e.,
data subject) in accordance with internal privacy policy or
applicable privacy laws and regulations
o Adequate protection for sensitive data while stored and when in
transit, based on organizational requirements
Information Security Management
Information security management is the most critical
factor in protecting information assets and privacy.
Key elements include:
Senior management leadership, commitment and support
Policies and procedures
Organization
Security awareness and education
Risk management
Monitoring and compliance
Incident handling and response
Source: ISACA, CISA Review Manual 26th Edition, figure 5.2
Privacy
Privacy means freedom from unauthorized intrusion or
disclosure of information about an individual (also
referred to as a “data subject”).
Management should perform a privacy impact analysis.
Human Resources Security
Security roles and responsibilities of employees,
contractors and third-party users should be defined and
documented in accordance with the organization’s
information security policy.
Third Party Access
Third party access to an organization’s information
processing facilities and processing and communication
of information must be controlled.
These controls must be agreed to and defined in a
contract with the third party.
Security Controls
An effective control is one that prevents, detects, and/or
contains an incident and enables recovery from an
event.
Controls can be:
Proactive
• Safeguards
• Controls that attempt to prevent an incident
Reactive
• Countermeasures
• Controls that allow the detection, containment and recovery from an incident
Security Awareness Training
An active security awareness program can greatly reduce risk
by addressing the behavioral element of security through
education and consistent application of awareness
techniques.
All employees of an organization and third-party users must
receive appropriate training and regular updates on the
importance of security policies, standards and procedures in
the organization.
In addition, all personnel must be trained in their specific
responsibilities related to information security.
Control Methods
Managerial: Controls related to the oversight, reporting, procedures and operations of a process. These include policy, procedures, balancing, employee development and compliance reporting.
Technical: Also known as logical controls; they are provided through the use of technology, a piece of equipment or a device. Examples include firewalls, network- or host-based intrusion detection systems (IDSs), passwords and antivirus software. A technical control requires proper managerial (administrative) controls to operate correctly.
Physical: Locks, fences, closed-circuit TV (CCTV) and devices that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to assess and react to an alert should a problem be indicated.
Source: ISACA, CISA Review Manual 26th Edition, figure 5.5
Control Monitoring
To ensure controls are effective and properly monitored,
the IS auditor should:
o Validate that processes, logs and audit hooks have
been placed into the control framework.
o Ensure that logs are enabled, controls can be tested
and regular reporting procedures are developed.
o Ensure that control monitoring is built into the control
design.
System Access Permission
System access permission generally refers to a technical
privilege, such as the ability to read, create, modify or delete a
file or data; execute a program; or open or use an external
connection.
System access to computerized information resources is
established, managed and controlled at the physical and/or
logical level.
Physical access controls
• Restrict the entry and exit of personnel to an area, such as an office building, suite, data center or room, containing information processing equipment.
Logical access controls
• Restrict the logical resources of the system (transactions, data, programs, applications) and are applied when the subject resource is needed.
System Access Reviews
Roles should be assigned by the information owner or manager.
Access authorizations should be regularly reviewed to ensure they
are still valid.
The IS auditor should evaluate the following criteria for defining
permissions and granting access:
o Need-to-know
o Accountability
o Traceability
o Least privilege
o SoD
Task 5.2
Evaluate the design, implementation,
maintenance, monitoring and reporting
of physical and environmental controls to
determine whether information assets
are adequately safeguarded.
Physical Access Issues
Physical access exposures may originate from natural and
man-made hazards, and can result in unauthorized access and
interruptions in information availability.
Exposures include:
Unauthorized entry
Damage, vandalism or theft to equipment or documents
Copying or viewing of sensitive or copyrighted information
Alteration of sensitive equipment and information
Public disclosure of sensitive information
Abuse of data processing resources
Blackmail
Embezzlement
Physical Access Controls
Door locks (cipher, biometric, bolted, electronic)
Manual or electronic logging
Identification badges
CCTV
Security guards
Controlled visitor access
Computer workstation locks
Controlled single entry point
Alarm system
Deadman doors
Physical Access Audit
The IS auditor should begin with a tour of the site and
then test physical safeguards.
Physical tests can be completed through visual
observations and review of documents such as fire
system tests, inspection tags and key lock logs.
Physical Access Audit (cont’d)
The test should include all paths of physical entry, as well as
the following locations:
o Computer and printer rooms
o UPS/generator
o Operator consoles
o Computer storage rooms
o Communication equipment
o Offsite backup storage facility
o Media storage
Environmental Exposures
Environmental exposures are due primarily to naturally occurring
events.
Common environmental exposures include:
Power failure
• Total failure (blackout)
• Severely reduced voltage (brownout)
• Sags, spikes and surges
• Electromagnetic interference (EMI)
Water damage/flooding
Manmade concerns
• Terrorist threats/attacks
• Vandalism
• Equipment failure
Environmental Controls
Environmental exposures should be afforded the same level of
protection as other types of exposures. Possible controls include:
Alarm control panels
Water detectors
Fire extinguishers
Fire alarms and smoke detectors
Fire suppression systems
Fireproof and fire-resistant building and office materials
Strategically located computer rooms
Electrical surge protectors
Uninterruptible power supply/generator
Power leads from two substations
Emergency power-off switch
Documented and tested BCPs and emergency evacuation plans
Environmental Control Audit
The IS auditor should first establish the environmental risk by assessing
the location of the data center.
In addition, the IS auditor should verify that the following safeguards are
in place:
o Water and smoke detectors
o Strategic and visible location of handheld fire extinguishers
o Fire suppression system documentation and inspection by fire
department
o UPS/generator test reports
o Electrical surge protectors
o Documentation of fireproof building materials, use of redundant
power lines and wiring located in fire-resistant panels
o Documented and tested emergency evacuation plans and BCPs
o Humidity and temperature controls
Task 5.3
Evaluate the design, implementation,
maintenance, monitoring and reporting
of system and logical security controls to
verify the confidentiality, integrity and
availability of information.
Logical Access
Logical access is the ability to interact with computer
resources, granted using identification, authentication
and authorization.
Logical access controls are the primary means used to
manage and protect information assets.
IS auditors should be able to analyze and evaluate the
effectiveness of a logical access control in accomplishing
information security objectives and avoiding losses
resulting from exposures.
Logical Access (cont’d)
For IS auditors to effectively assess logical access
controls, they first need to gain a technical and
organizational understanding of the organization’s IT
environment, including the following security layers:
o Network
o OS platform
o Database
o Application
Paths of Logical Access
Access or points of entry to an organization’s IS
infrastructure can be gained through the following paths:
o Direct
o Local network
o Remote
General points of entry to either front-end or back-end
systems occur through network connectivity or remote
access.
Paths of Logical Access (cont’d)
Any point of entry not appropriately controlled can
potentially compromise the security of an organization’s
sensitive and critical information resources.
The IS auditor should determine whether all points of
entry are identified and managed.
Logical Access Exposures
Technical exposures are the unauthorized activities
interfering with normal processing.
They include:
o Data leakage—Involves siphoning or leaking
information out of the computer
o Wiretapping—Involves eavesdropping on information
being transmitted over telecommunications lines
o Computer shutdown—Initiated through terminals or
personal computers connected directly (online) or
remotely (via the Internet) to the computer
Access Control Software
Access control software is used to prevent unauthorized
access to, and modification of, an organization's sensitive
data, and unauthorized use of system-critical functions.
Access controls must be applied across all layers of an
organization’s IS architecture, including networks,
platforms or OSs, databases and application systems.
Each access control usually includes:
o Identification and authentication
o Access authorization
o Verification of specific information resources
o Logging and reporting of user activities
Access Control Software Functions
General operating and/or application systems access control functions
• Create or change user profiles.
• Assign user identification and authentication.
• Apply user logon limitation rules.
• Notify users concerning proper use and access prior to initial login.
• Create individual accountability and auditability by logging user activities.
• Establish rules for access to specific information resources (e.g., system-level application resources and data).
• Log events.
• Provide reporting capabilities.
Database and/or application-level access control functions
• Create or change data files and database profiles.
• Verify user authorization at the application and transaction level.
• Verify user authorization within the application.
• Verify user authorization at the field level for changes within a database.
• Verify subsystem authorization for the user at the file level.
• Log database/data communications access activities for monitoring access violations.
Access Control Types
Mandatory access controls (MACs)
• Logical access control filters used to validate access credentials
• Cannot be controlled or modified by normal users or data owners
• Act by default
• Prohibitive; anything that is not expressly permitted is forbidden
Discretionary access controls (DACs)
• Logical access controls that may be configured or modified by the users or data owners
• Cannot override MACs
• Act as an additional filter, prohibiting still more access with the same exclusionary principle
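The two rules on the Access Control Types slide (a MAC filter that users and owners cannot change, and a DAC layer that can only prohibit more, never override the MAC) are easy to get wrong in an implementation if the DAC check is consulted first or alone. The following is an added example, not code from the ISACA course material; the sensitivity labels, user names and resource names are constructed for illustration.

```python
# Added example (not from the ISACA course material): a mandatory access
# control (MAC) filter with a discretionary (DAC) overlay that can only narrow
# access further. Labels, users and resource names are constructed.
from dataclasses import dataclass, field

# Ordered sensitivity levels; higher number = more sensitive (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Resource:
    name: str
    classification: str
    owner: str
    # DAC allow list maintained by the owner; the owner is always allowed.
    dac_allowed: set = field(default_factory=set)


def mac_permits(subject: Subject, resource: Resource) -> bool:
    """Mandatory rule: read allowed only if clearance dominates classification.
    Normal users and owners cannot change this rule (it is set by the system)."""
    return LEVELS[subject.clearance] >= LEVELS[resource.classification]


def dac_permits(subject: Subject, resource: Resource) -> bool:
    """Discretionary rule: the owner decides who else is on the allow list."""
    return subject.name == resource.owner or subject.name in resource.dac_allowed


def access_allowed(subject: Subject, resource: Resource) -> bool:
    """Both filters must pass: MAC is evaluated first and is never overridden;
    DAC can only deny more, never grant what MAC forbids."""
    return mac_permits(subject, resource) and dac_permits(subject, resource)


def grant_dac(owner: Subject, resource: Resource, grantee: Subject) -> None:
    """Owner-managed DAC change. Raises if a non-owner tries to change it."""
    if owner.name != resource.owner:
        raise PermissionError(f"{owner.name} is not the owner of {resource.name}")
    resource.dac_allowed.add(grantee.name)


def non_owner_change_rejected() -> bool:
    """True if a non-owner's attempt to edit the DAC list is refused."""
    res = Resource("hr-files", "internal", owner="alice")
    try:
        grant_dac(Subject("bob", "internal"), res, Subject("carol", "internal"))
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Walk through the slide's two rules with constructed subjects."""
    payroll = Resource("payroll-db", "confidential", owner="alice")
    alice = Subject("alice", "secret")
    bob = Subject("bob", "internal")
    carol = Subject("carol", "confidential")
    result = {
        "owner": access_allowed(alice, payroll),
        "carol_before_grant": access_allowed(carol, payroll),  # MAC ok, DAC denies
        "bob_before_grant": access_allowed(bob, payroll),      # MAC denies
    }
    grant_dac(alice, payroll, carol)
    grant_dac(alice, payroll, bob)   # owner may add bob, but MAC still wins
    result["carol_after_grant"] = access_allowed(carol, payroll)
    result["bob_after_grant"] = access_allowed(bob, payroll)
    return result
```

The point an auditor checks for is visible in `access_allowed`: the owner can add `bob` to the discretionary list, but because his clearance does not dominate the resource's classification the mandatory filter still denies him, while `carol` passes MAC and only becomes able to read once the owner grants her discretionary access.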
Network Infrastructure Security
The IS auditor should be familiar with risk and exposures related
to network infrastructure.
Network control functions should:
o Be performed by trained professionals, and duties should be
rotated on a regular basis.
o Maintain an audit trail of all operator activities.
o Restrict operator access from performing certain functions.
o Periodically review audit trails to detect unauthorized
activities.
o Document standards and protocols.
o Analyze workload balance, response time and system
efficiency.
o Encrypt data, where appropriate, to protect messages from
disclosure during transmission.
LAN Security
To gain a full understanding of the LAN, the IS auditor
should identify and document the following:
o Users or groups with privileged access rights
o LAN topology and network design
o LAN administrator/LAN owner
o Functions performed by the LAN administrator/owner
o Distinct groups of LAN users
o Computer applications used on the LAN
o Procedures and standards relating to network design,
support, naming conventions and data security
Virtualization
IS auditors need to understand the advantages and
disadvantages of virtualization to determine whether the
enterprise has considered the applicable risk in its decision to
adopt, implement and maintain this technology.
Some common advantages and disadvantages include:
Advantages
• Decreased server hardware costs.
• Shared processing capacity and storage space.
• Decreased physical footprint.
• Multiple versions of the same OS.
Disadvantages
• Inadequate host configuration could create vulnerabilities that affect not only the host, but also the guests.
• Data could leak between guests.
• Insecure protocols for remote access could result in exposure of administrative credentials.
Source: ISACA, CISA Review Manual 26th Edition, figure 5.14
Client-Server Security
A client-server system is a group of computers connected by a
communications network in which the client is the
requesting machine and the server is the supplying
machine.
Several access routes exist in a client-server
environment.
Client-Server Security (cont’d)
The IS auditor should ensure that:
o Application controls cannot be bypassed.
o Passwords are always encrypted.
o Access to configuration or initialization files is kept to
a minimum.
o Access to configuration or initialization files is
audited.
Wireless Security
Wireless security requirements include the following:
o Authenticity—A third party must be able to verify that
the content of a message has not been changed in
transit.
o Nonrepudiation—The origin or the receipt of a specific
message must be verifiable by a third party.
o Accountability—The actions of an entity must be
uniquely traceable to that entity.
o Network availability—The IT resource must be
available on a timely basis to meet mission
requirements or to avoid substantial losses.
Internet Security
The IS auditor must understand the risk and security
factors needed to ensure that proper controls are in
place when a company connects to the Internet.
Network attacks involve probing for network information.
o Examples of passive attacks include network
analysis, eavesdropping and traffic analysis.
Internet Security (cont’d)
Once enough network information has been gathered,
an intruder can launch an actual attack against a
targeted system to gain control.
o Examples of active attacks include denial of service
(DoS), phishing, unauthorized access, packet replay,
brute force attacks and email spoofing.
The IS auditor should have a good understanding of the
following types of firewalls:
o Packet filtering
o Application firewall systems
o Stateful inspections
Internet Security (cont’d)
The IS auditor should also be familiar with common
firewall implementations, including:
o Screened-host firewall
o Dual-homed firewall
o Demilitarized zone (DMZ) or screened-subnet firewall
The IS auditor should be familiar with the types, features
and limitations of intrusion detection systems and
intrusion prevention systems.
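The slides list packet filtering and stateful inspection as firewall types the auditor must understand; the practical difference is whether the device remembers which connections internal hosts opened. The following is an added example, not code from the ISACA course material: a stateless filter and a stateful firewall applied to the same constructed packets (addresses, ports and the rule set are assumptions), showing the case where the two disagree.

```python
# Added example (not from the ISACA course material): a stateless packet
# filter beside a stateful inspection firewall, run over constructed packets.
# Addresses, ports and the rule set are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str       # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)
    direction: str   # "out" = internal host -> Internet, "in" = Internet -> internal host


class PacketFilter:
    """Stateless: each packet is judged only on its own header fields.
    Constructed rule set: allow all outbound; allow inbound only when the ACK
    flag is set, i.e. the packet 'looks like' part of an existing connection."""

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            return True
        return "A" in pkt.flags


class StatefulFirewall:
    """Stateful inspection: inbound packets are allowed only if they match a
    connection an internal host actually opened (tracked in a state table)."""

    def __init__(self) -> None:
        # (internal_ip, internal_port, external_ip, external_port)
        self.connections: set = set()

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if "S" in pkt.flags and "A" not in pkt.flags:   # new connection
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: look for the reverse tuple in the state table
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections


def compare(packets):
    """Return (stateless_decision, stateful_decision) per packet, in order."""
    stateless, stateful = PacketFilter(), StatefulFirewall()
    return [(stateless.allow(p), stateful.allow(p)) for p in packets]


# Constructed traffic: a legitimate web session, then an unsolicited inbound
# packet with ACK set that matches no known connection.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "203.0.113.7", 40000, 443, "S", "out"),
    Packet("203.0.113.7", "10.0.0.5", 443, 40000, "SA", "in"),
    Packet("10.0.0.5", "203.0.113.7", 40000, 443, "A", "out"),
    Packet("198.51.100.9", "10.0.0.5", 5555, 22, "A", "in"),
]
```

The first three packets are a normal handshake and both devices allow them. The fourth is an inbound packet with ACK set that no internal host solicited: the stateless filter, which can only look at flags, lets it through, while the stateful firewall finds no matching entry in its table and drops it. When reviewing firewall configuration, this is the behaviour to confirm for inbound rules that are meant to admit "replies only".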
Encryption
Encryption generally is used to:
o Protect data in transit over networks from
unauthorized interception and manipulation.
o Protect information stored on computers from
unauthorized viewing and manipulation.
o Deter and detect accidental or intentional alterations
of data.
o Verify authenticity of a transaction or document.
Encryption (cont’d)
Key encryption elements include:
o Encryption algorithm—A mathematically based
function that encrypts/decrypts data
o Encryption keys—A piece of information that is used
by the encryption algorithm to make the encryption or
decryption process unique
o Key length—A predetermined length for the key; the
longer the key, the more difficult it is to compromise
Encryption (cont’d)
There are two types of encryption schemes:
o Symmetric—a unique key (usually referred to as the
“secret key”) is used for both encryption and decryption.
o Asymmetric—the decryption key is different from the one
used for encryption.
There are two main advantages of symmetric key systems
over asymmetric ones.
o The keys are much shorter and can be easily
remembered.
o Symmetric key cryptosystems are generally less
complicated and, therefore, use less processing power.
Encryption (cont’d)
In a public key cryptography system, two keys work
together as a pair. One of the keys is kept private, while
the other one is publicly disclosed.
The underlying algorithm works even if the private key is
used for encryption and the public key for decryption.
Encryption (cont’d)
Digital signature schemes ensure:
o Data integrity—Any change to the plaintext
message would result in the recipient failing to
compute the same document hash.
o Authentication—The recipient can ensure that the
document has been sent by the claimed sender
because only the claimed sender has the private key.
o Nonrepudiation—The claimed sender cannot later
deny generating the document.
The IS auditor should be familiar with how a digital
signature functions to protect data.
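The two preceding slides describe the key pair (private key used for "encryption", public key for "decryption") and the three properties a digital signature gives. The following is an added example, not code from the ISACA course material, that carries the description through: a textbook RSA key pair signs a SHA-256 hash of a document and the recipient verifies it. The primes, exponents and document text are constructed; the modulus is far too small for real use and real signature schemes add padding (e.g. RSA-PSS), but the mechanics are the ones the slide describes.

```python
# Added example (not from the ISACA course material): a digital signature built
# from a textbook RSA key pair and a SHA-256 document hash. The primes are
# well-known small primes chosen for illustration; they are far too small for
# real use, and real signatures also need a padding scheme such as RSA-PSS.
import hashlib
from math import gcd

P, Q = 1_000_000_007, 1_000_000_009   # constructed toy primes


def keygen(e: int = 65537, p: int = P, q: int = Q):
    """Return (public, private) as (e, n), (d, n) with d = e^-1 mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def document_hash(message: bytes, n: int) -> int:
    """Hash the whole document, then reduce so it fits below the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """'Encrypt' the hash with the private key: only the key holder can do this."""
    d, n = private_key
    return pow(document_hash(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' with the public key and compare with a freshly computed hash."""
    e, n = public_key
    return pow(signature, e, n) == document_hash(message, n)


def demo() -> dict:
    """Show the three properties from the slide on a constructed document."""
    public, private = keygen()
    contract = b"Pay vendor 1000 EUR on 2016-03-31"
    sig = sign(contract, private)
    return {
        # authentication / nonrepudiation: the signature verifies under the
        # claimed sender's public key, and only that sender held the private key
        "authentic": verify(contract, sig, public),
        # integrity: any change to the plaintext gives a different hash
        "tampered": verify(b"Pay vendor 9000 EUR on 2016-03-31", sig, public),
        # a signature made with some other key pair does not verify
        "wrong_key": verify(contract, sign(contract, keygen(e=257)[1]), public),
    }
```

Nonrepudiation in this model rests entirely on the private key never leaving the signer, which is why the slides on key management and access to configuration files matter for an auditor as much as the algorithm does.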
Malware
There are two primary methods to prevent and detect
malware that infects computers and network systems.
o Have sound policies and procedures in place
(preventive controls).
o Have technical controls (detective controls), such as
anti-malware software, including:
• Scanners
• Behavior blockers
• Active monitors
• Integrity CRC checkers
• Immunizers
Neither method is effective without the other.
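Of the detective controls listed, the integrity checker is the simplest to show end to end. The following is an added example, not code from the ISACA course material: it records a baseline of file hashes and later reports files that were modified, added or removed. The directory tree and file contents are constructed inside a temporary directory; SHA-256 is used instead of a CRC because a CRC can be trivially forged by whoever altered the file.

```python
# Added example (not from the ISACA course material): a file integrity checker
# of the kind the slide lists among anti-malware controls. A baseline of file
# hashes is recorded once; a later check reports files that were modified,
# added or removed. The sample directory tree is constructed inside a temp dir.
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of a file, read in chunks. (A CRC would detect accidental
    corruption but is trivial to forge; use a cryptographic hash.)"""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every file under root (relative path) to its digest."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = file_digest(full)
    return baseline


def check_against(root: str, baseline: dict) -> dict:
    """Compare the current tree with the stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: one file edited, one removed, one unexpected file appears."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        seed = {"bin/app": b"binary v1", "config.ini": b"debug=0\n", "readme.txt": b"hi\n"}
        for rel, data in seed.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_baseline(root)   # in practice store this read-only, off-host
        with open(os.path.join(root, "config.ini"), "wb") as fh:
            fh.write(b"debug=1\n")
        with open(os.path.join(root, "bin", "unexpected.so"), "wb") as fh:
            fh.write(b"new")
        os.remove(os.path.join(root, "readme.txt"))
        return check_against(root, baseline)
```

The control is only as good as the baseline's protection: if the baseline file can be rewritten by the same account that can alter the monitored files, the checker reports nothing, which is the "neither method is effective without the other" point from the slide, since a policy on where baselines are kept is what makes the technical control meaningful.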
Task 5.4
Evaluate the design, implementation and
monitoring of the data classification
processes and procedures for alignment
with the organization’s policies,
standards, procedures and applicable
external requirements.
Data Classification
In order to have effective controls, organizations must have a
detailed inventory of information assets.
Most organizations use a classification scheme with three to five
levels of sensitivity.
Data classification provides the following benefits:
o Defines level of access controls
o Reduces risk and cost of over- or under-protecting
information resources
o Maintains consistent security requirements
o Enables uniform treatment of data by applying level-specific
policies and procedures
o Identifies who should have access
Data Classification (cont’d)
The information owner should decide on the appropriate
classification, based on the organization’s data classification and
handling policy.
Data classification should define:
o The importance of the information asset
o The information asset owner
o The process for granting access
o The person responsible for approving the access rights and
access levels
o The extent and depth of security controls
Data classification must also take into account legal, regulatory,
contractual and internal requirements for maintaining privacy,
confidentiality, integrity and availability.
Data Leakage
Data leakage involves the unauthorized transfer of sensitive
or proprietary information from an internal network to the
outside world.
Data leak prevention is a suite of technologies and associated
processes that locate, monitor and protect sensitive
information from unauthorized disclosure.
Data Leakage (cont’d)
DLPs have three key objectives:
o Locate and catalog sensitive information stored throughout
the enterprise.
o Monitor and control the movement of sensitive information
across enterprise networks.
o Monitor and control the movement of sensitive information
on end-user systems.
DLP Solutions
Data at rest
• Use crawlers to search for and log the location of specific information sets
Data in motion
• Use specific network appliances or embedded technology to selectively capture and analyze traffic
• Use deep packet inspection (DPI) to read contents within a packet's payload
Data in use
• Use an agent to monitor data movement stemming from actions taken by end users
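Whether a DLP product crawls storage (data at rest) or reads packet payloads with DPI (data in motion), the core step is the same: recognise sensitive content in arbitrary text without drowning the operator in false positives. The following is an added example, not code from the ISACA course material, showing that step for payment card numbers: a pattern match followed by the Luhn check. The flows, file contents and card numbers are constructed test values (4111 1111 1111 1111 is the standard Luhn-valid test number).

```python
# Added example (not from the ISACA course material): the content-inspection
# step a DLP control applies to data in motion (DPI on a payload) and to data
# at rest (crawling stored files). It looks for card-number-like strings and
# confirms them with the Luhn check to reduce false positives. The flows,
# file contents and card numbers are constructed test values.
import re

# 13-19 digits, optionally separated by single spaces or hyphens, not embedded
# in a longer run of digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return candidate card numbers (digits only) that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inspect_flow(flow: dict) -> dict:
    """Data in motion: verdict for one captured flow {src, dst, payload}."""
    hits = find_card_numbers(flow["payload"])
    return {
        "src": flow["src"],
        "dst": flow["dst"],
        "cards_found": len(hits),
        "action": "block" if hits else "allow",
    }


def crawl_at_rest(files: dict) -> dict:
    """Data at rest: {path: content} -> {path: number of card numbers found}."""
    found = {path: len(find_card_numbers(content)) for path, content in files.items()}
    return {path: n for path, n in found.items() if n}


# Constructed samples. 4111 1111 1111 1111 is the classic Luhn-valid test
# number; 4111 1111 1111 1112 fails Luhn; 1234567890123456 is an order id.
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "203.0.113.5",
     "payload": "cardholder=J Smith pan=4111 1111 1111 1111 exp=12/27"},
    {"src": "10.0.0.12", "dst": "203.0.113.5",
     "payload": "order 1234567890123456 shipped"},
    {"src": "10.0.0.30", "dst": "198.51.100.2",
     "payload": "ref 4111-1111-1111-1112 (typo)"},
]
SAMPLE_FILES = {
    "share/finance/refunds.csv": "name,pan\nA,4111111111111111\nB,4111111111111112\n",
    "share/it/inventory.txt": "asset 1234567890123456 laptop\n",
}
```

Only the first flow and the finance file trip the control; the 16-digit order id and the mistyped number match the pattern but fail Luhn. The same limitation the slide implies for DPI applies here: the inspector sees nothing inside an encrypted payload, so a DLP deployment has to decide where in the path it can inspect cleartext.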
Identification and Authentication
Logical access identification and authentication (I&A) is
the process of establishing and proving a user’s identity.
For most systems, I&A is the first line of defense
because it prevents unauthorized people (or
unauthorized processes) from entering a computer
system or accessing an information asset.
Identification and Authentication (cont’d)
Some common I&A vulnerabilities include:
o Weak authentication methods
o Use of simple or easily guessed passwords
o The potential for users to bypass the authentication
mechanism
o The lack of confidentiality and integrity for the stored
authentication information
o The lack of encryption for authentication and
protection of information transmitted over a network
o The user’s lack of knowledge on the risk associated
with sharing authentication elements
Authentication Methods
Multifactor authentication is the combination of more than one
authentication method.
Single sign-on (SSO) is the process for consolidating all of an
organization’s platform-based administration, authentication and
authorization functions into a single centralized administrative
function.
The IS auditor should be familiar with the organization’s
authentication policies.
Authentication Methods
Logon IDs and Passwords
Tokens
Biometrics
Authorization
Authorization refers to the access rules that specify who
can access what.
Access control is often based on least privilege, which
refers to the granting to users of only those accesses
required to perform their duties.
The IS auditor needs to know what can be done with the
access and what is restricted.
The IS auditor must review access control lists (ACLs).
An ACL is a register of users who have permission to
use a particular system and the types of access
permitted.
Authorization Issues
Risks
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users’ computers
Controls
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques such as use of a VPN
• System and network management
System Logs
Audit trail records should be protected by strong access
controls to help prevent unauthorized access.
The IS auditor should ensure that the logs cannot be
tampered with, or altered, without leaving an audit trail.
When reviewing or performing security access follow-up,
the IS auditor should look for:
o Patterns or trends that indicate abuse of access
privileges, such as concentration on a sensitive
application
o Violations (such as attempting computer file access
that is not authorized) and/or use of incorrect
passwords
Review of Access Controls
Access controls and password administration are reviewed to
determine that:
o Procedures exist for adding individuals to the access list,
changing their access capabilities and deleting them from the
list.
o Procedures exist to ensure that individual passwords are not
inadvertently disclosed.
o Passwords issued are of an adequate length, cannot be easily
guessed and do not contain repeating characters.
o Passwords are periodically changed.
o User organizations periodically validate the access capabilities.
o Procedures provide for the suspension of user IDs or the
disabling of systems after a particular number of security
procedure violations.
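The System Logs slide tells the auditor what to look for (concentration on a sensitive application, unauthorized access attempts, incorrect passwords) and the Review of Access Controls slide adds the procedural checks (password quality, suspension after a number of violations). The following is an added example serving both slides, not code from the ISACA course material: it parses constructed authentication log lines, flags the named patterns, applies a violation threshold, and checks an issued password. The log format, the threshold, the "concentration" ratio and the common-password list are assumptions.

```python
# Added example (not from the ISACA course material): a review of constructed
# authentication log lines for the patterns the slides name (concentration on
# a sensitive application, unauthorized access attempts, wrong passwords),
# suspension after a set number of violations, and a check on issued
# passwords. The log format, threshold and word list are assumptions.
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: jsmith works almost only in payroll, bob mistypes his
# password three times, alice is refused once on a file she is not entitled to.
SAMPLE_LOG = """\
2016-03-01T08:00:01 user=jsmith app=payroll event=login result=ok
2016-03-01T08:01:10 user=jsmith app=payroll event=read result=ok
2016-03-01T08:02:44 user=jsmith app=payroll event=read result=ok
2016-03-01T08:05:09 user=jsmith app=payroll event=export result=ok
2016-03-01T08:07:30 user=jsmith app=payroll event=read result=ok
2016-03-01T08:09:00 user=jsmith app=mail event=login result=ok
2016-03-01T08:10:02 user=bob app=mail event=login result=bad_password
2016-03-01T08:10:09 user=bob app=mail event=login result=bad_password
2016-03-01T08:10:15 user=bob app=mail event=login result=bad_password
2016-03-01T08:12:00 user=alice app=crm event=login result=ok
2016-03-01T08:12:30 user=alice app=crm event=read result=ok
2016-03-01T08:13:05 user=alice app=hr_files event=read result=denied
2016-03-01T08:15:00 user=carol app=payroll event=login result=ok
2016-03-01T08:15:40 user=carol app=payroll event=read result=ok
"""

SENSITIVE_APPS = {"payroll"}
VIOLATION_RESULTS = {"bad_password", "denied"}
VIOLATION_THRESHOLD = 3               # suspend the ID at this many violations
MIN_EVENTS, CONCENTRATION = 5, 0.8    # "concentration": >=5 events, >80% sensitive


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def review_access(text, threshold=VIOLATION_THRESHOLD):
    """Apply the slide's review criteria to a log text."""
    violations = Counter()
    per_user_apps = defaultdict(Counter)
    for rec in parse_log(text):
        per_user_apps[rec["user"]][rec["app"]] += 1
        if rec["result"] in VIOLATION_RESULTS:
            violations[rec["user"]] += 1
    concentrated = []
    for user, apps in per_user_apps.items():
        total = sum(apps.values())
        sensitive = sum(apps[a] for a in SENSITIVE_APPS)
        if total >= MIN_EVENTS and sensitive / total > CONCENTRATION:
            concentrated.append(user)
    return {
        "violations": dict(violations),
        "suspend": sorted(u for u, c in violations.items() if c >= threshold),
        "concentration": sorted(concentrated),
    }


COMMON_PASSWORDS = {"password1234", "welcome12345", "changeme2016"}  # constructed list


def password_acceptable(pw: str, min_len: int = 12) -> bool:
    """Issued-password check: adequate length, not easily guessed (here: not on
    a common-password list), no character repeated back to back."""
    if len(pw) < min_len or pw.lower() in COMMON_PASSWORDS:
        return False
    return re.search(r"(.)\1", pw) is None
```

In the sample, `bob` reaches the violation threshold and is listed for suspension, `alice` has a single refused access that is reported but does not trigger suspension, and `jsmith` is flagged for concentration on the sensitive application even though every one of his events succeeded, which is exactly the kind of pattern the slide says an auditor should look for beyond outright violations. The review only holds up if the log itself is protected, so the first check remains whether these records can be altered without leaving their own audit trail.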
Task 5.5
Evaluate the processes and procedures
used to store, retrieve, transport and
dispose of assets to determine whether
information assets are adequately
safeguarded.
Data Access Procedures
Management should define and implement procedures to prevent
access to, or loss of, sensitive information when it is stored,
disposed of or transferred to another user.
Such procedures must be created for the following:
o Backup files of databases
o Data banks
o Disposal of media previously used to hold confidential
information
o Management of equipment sent for offsite maintenance
o Public agencies and organizations concerned with sensitive,
critical or confidential information
o E-token electronic keys
o Storage records
Media Storage
To help avoid potential damage to media during shipping and
storage, the following precautions must be taken:
o Keep out of direct sunlight.
o Keep free of dust.
o Keep free of liquids.
o Minimize exposure to magnetic fields, radio equipment or any
sources of vibration.
o Do not air transport in areas and at times of exposure to a
strong magnetic storm.
Mobile Computing
Mobile computing refers to devices that are transported or moved
during normal usage, including tablets, smartphones and laptops.
Mobile computing makes it more difficult to implement logical and
physical access controls.
Common mobile computing vulnerabilities include the following:
o Information may travel across unsecured wireless networks.
o The enterprise may not be managing the device.
o Unencrypted information may be stored on the device.
o The device may have a lack of authentication requirements.
o The device may allow for the installation of unsigned
third-party applications.
Mobile Computing Controls
The following controls will reduce the risk of disclosure of
sensitive data stored on mobile devices:
Device registration
Tagging
Physical security
Data storage
Virus detection and control
Encryption
Compliance
Approval
Acceptable use policy
Due care
Awareness training
Network authentication
Secure transmission
Standard applications
Geolocation tracking
Remote wipe and lock
BYOD agreement
Secure remote support
Other Data Controls
Other technologies that should be reviewed by the IS auditor
include:
Technology: Peer-to-peer computing
Threat/Vulnerability:
• Viruses and malware
• Copyrighted content
• Excessive use
• Eavesdropping
Controls:
• Antivirus and anti-malware
• Block P2P traffic
• Restrict P2P exposure
• Establish policies or standards
Technology: Instant messaging (IM)
Threat/Vulnerability:
• Viruses and malware
• Excessive use
• IP address exposure
Controls:
• Antivirus and anti-malware
• Encrypt IM traffic
• Block IM traffic
• Restrict IM usage
• Establish policies or standards
Technology: Social media
Threat/Vulnerability:
• Viruses and malware
• Undefined content rights
• Data exposure
• Excessive use
Controls:
• Establish clear policies
• Capture and log all communications
• Content filtering
Technology: Cloud computing
Threat/Vulnerability:
• Lack of control and visibility
• Physical security
• Data disposal
Controls:
• Right to audit the contract
• Restricted contract terms
• Encryption
Voice-Over IP (VoIP)
VoIP has a different architecture than traditional
circuit-based telephony, and these differences result in
significant security issues.
Security is needed to protect two assets—the data and
the voice.
Backup communication plans are important because if
the computer system goes down, the telephone system
goes down too.
Private Branch Exchange
A private branch exchange (PBX) is a sophisticated computer-based
switch that may be thought of as a small, in-house phone company.
Failure to secure a PBX can result in:
o Theft of service
o Disclosure of information
o Data modification
o Unauthorized access
o Denial of service
o Traffic analysis
The IS auditor should understand the PBX design and implementation in order to
determine how an intruder could exploit weaknesses or misuse normal functions.
Task 5.6
Evaluate the information security
program to determine its effectiveness
and alignment with the organization’s
strategies and objectives.
Computer Crimes
It is important that the IS auditor knows and understands the
differences between computer crime and computer abuse to
support risk analysis methodologies and related control
practices. Examples of computer crimes include:
o Denial of service (DoS)
o Hacking
o Malware, viruses and worms
o Fraud
o Unauthorized access
o Phishing
o Brute force attacks
o Malicious codes
o Network analysis
o Packet replay
o Masquerading
o Eavesdropping
Source: ISACA, CISA Review Manual, 26th Edition, figures 5.11 and 5.12
Security Incident Handling
To minimize damage from security incidents, a formal
incident response capability should be established.
Ideally, an organizational computer security incident
response team (CSIRT) or computer emergency
response team (CERT) should be formed with clear lines
of reporting and responsibilities.
Security Incident Handling (cont’d)
The IS auditor should:
o Ensure that the CSIRT is actively involved with users
to assist them in the mitigation of risk arising from
security failures and also to prevent security
incidents.
o Ensure that there is a formal, documented plan and
that it contains vulnerabilities identification, reporting
and incident response procedures to common,
security-related threats/issues.
Auditing ISM Framework
The IS auditor should review the following elements of the information
security management framework:
o Written policies, procedures and standards
o Logical access security policies
o Formal security awareness and training
o Data ownership
o Data owners
o Data custodians
o Security administrator
o New IT users
o Data users
o Documented authorizations
o Terminated employee access
o Security baselines
o Access standards
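Several of the elements above (documented authorizations, terminated employee access, data users) are tested in practice by reconciling three sources: the HR roster, the account extract from each system, and the authorization register. The following is an added worked example of such a user access review; it is not ISACA course material or any product's code. The HR, account and authorization records are constructed, and the field names, the 90-day dormancy threshold and the review date are assumptions.

```python
"""User access review helper.

Added example (not from the ISACA course material): reconciles an HR roster,
an account extract and an authorization register the way an IS auditor might
when checking 'documented authorizations' and 'terminated employee access'.
All records below are constructed; the field names are assumptions, not any
product's export format.
"""
from datetime import date

# Constructed HR roster: employee id -> (name, termination date or None if active)
HR_ROSTER = {
    "e101": ("Ann Lee", None),
    "e102": ("Bo Chen", date(2016, 3, 31)),   # left the organization
    "e103": ("Cy Diaz", None),
    "e104": ("Di Ortiz", date(2016, 5, 15)),  # left the organization
}

# Constructed account extract: one row per (system, account)
ACCOUNTS = [
    {"system": "payroll", "user": "e101", "enabled": True, "last_login": date(2016, 6, 1)},
    {"system": "payroll", "user": "e102", "enabled": True, "last_login": date(2016, 4, 2)},
    {"system": "payroll", "user": "e104", "enabled": False, "last_login": date(2016, 5, 10)},
    {"system": "erp", "user": "e103", "enabled": True, "last_login": date(2015, 11, 20)},
    {"system": "erp", "user": "svc_batch", "enabled": True, "last_login": date(2016, 6, 1)},
]

# Constructed authorization register: (system, user, approver) for each documented grant
AUTHORIZATIONS = {
    ("payroll", "e101", "mgr1"),
    ("payroll", "e102", "mgr1"),
    ("erp", "e103", "mgr2"),
}


def termination_date(roster, user):
    """Termination date from HR, or None for current employees and non-employees."""
    return roster.get(user, (None, None))[1]


def terminated_with_enabled_accounts(roster, accounts):
    """Terminated employees whose accounts are still enabled: access was not revoked."""
    return sorted(
        (a["system"], a["user"])
        for a in accounts
        if a["enabled"] and termination_date(roster, a["user"]) is not None
    )


def logins_after_termination(roster, accounts):
    """Accounts used after the HR termination date: the strongest evidence of a gap."""
    findings = []
    for a in accounts:
        term = termination_date(roster, a["user"])
        if term is not None and a["last_login"] > term:
            findings.append((a["system"], a["user"], a["last_login"]))
    return sorted(findings)


def accounts_without_authorization(accounts, authorizations):
    """Enabled accounts with no documented approval in the authorization register."""
    approved = {(s, u) for (s, u, _approver) in authorizations}
    return sorted(
        (a["system"], a["user"])
        for a in accounts
        if a["enabled"] and (a["system"], a["user"]) not in approved
    )


def dormant_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts unused for more than max_idle_days as of the review date."""
    return sorted(
        (a["system"], a["user"])
        for a in accounts
        if a["enabled"] and (as_of - a["last_login"]).days > max_idle_days
    )


def access_review(roster=HR_ROSTER, accounts=ACCOUNTS, authorizations=AUTHORIZATIONS,
                  as_of=date(2016, 6, 30)):
    """Run all checks and return the findings keyed by check name."""
    return {
        "terminated_still_enabled": terminated_with_enabled_accounts(roster, accounts),
        "login_after_termination": logins_after_termination(roster, accounts),
        "no_documented_authorization": accounts_without_authorization(accounts, authorizations),
        "dormant": dormant_accounts(accounts, as_of),
    }


if __name__ == "__main__":
    for check, findings in access_review().items():
        print(f"{check}: {findings or 'no exceptions'}")
```

Note that a disabled account of a terminated employee (e104) is not an exception, while the service account with no approver is: the register, not the HR roster, is the evidence of authorization for non-employee accounts.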
Auditing Logical Access
When evaluating logical access controls, the IS auditor should:
o Obtain a clear understanding of the security risk facing
information processing through a review of relevant
documentation, interviews, physical walk-throughs and risk
assessments.
o Document and evaluate controls over potential access paths into
the system to assess their adequacy, efficiency and
effectiveness by reviewing appropriate hardware and software
security features and identifying any deficiencies or
redundancies.
o Test controls over access paths to determine whether they are
functioning and effective by applying appropriate audit
techniques.
Auditing Logical Access (cont’d)
In addition, the IS auditor should do the following when auditing
logical access:
o Evaluate the access control environment to determine if the
control objectives are achieved by analyzing test results and
other audit evidence.
o Evaluate the security environment to assess its adequacy and
compare it with appropriate security standards or practices and
procedures used by other organizations.
o Interview the IS manager and security administrator and review
organizational charts and job descriptions.
o Review access control software reports to monitor adherence to
security policies.
o Review application systems operations manual.
Security Testing Techniques
Terminal cards and keys
• The IS auditor can use sample cards and keys to attempt to gain access beyond what is authorized.
• The IS auditor should follow up on any unsuccessful attempted violations.
Terminal identification
• The IS auditor can inventory terminals to look for incorrectly logged, missing or additional terminals.
Logon IDs and passwords
• To test confidentiality, the IS auditor can attempt to guess passwords, find passwords by searching the office or get a user to divulge a password.
• To test encryption, the IS auditor should attempt to view the internal password table.
• To test authorization, the IS auditor should review a sample of authorization documents to determine if proper authority was provided.
Security Testing Techniques (cont’d)
Computer access controls
• The IS auditor should work with the system software analyst to determine if all access is on a need-to-know basis.
Computer access
violations logging and
reporting
• The IS auditor should attempt to access computer transactions or data for which access is not authorized. The unsuccessful attempts should be identified on security reports.
Follow-up access
violations
• The IS auditor should select a sample of security reports and look for evidence of follow-up and investigation of access violations.
Bypassing security and
compensating controls
• The IS auditor should work with the system software analyst, network manager, operations manager and security administrator to determine ways to bypass security.
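Reviewing access control software reports (the "Auditing Logical Access" slide) and checking that violations are logged, reported and followed up (the two slides above) come down to the same mechanics: parse the report, isolate the unsuccessful attempts, confirm the auditor's own test attempt appears, and match each violation to evidence of investigation. The following is an added example of that review, not ISACA course material or any product's code. The log lines, their field layout, the follow-up register and the three-attempt threshold are all constructed assumptions.

```python
"""Access-violation report review.

Added example (not from the ISACA course material): parses a constructed
access-control log, identifies unsuccessful access attempts, flags repeated
violations for follow-up and checks whether each violation appears in a
(constructed) follow-up register. Line format and field names are assumptions.
"""
import re
from collections import Counter

# Constructed access-control log: one event per line, last line deliberately malformed
LOG_LINES = """\
2016-06-01T08:01:12 host=erp01 user=e101 action=READ object=GL_JOURNAL result=SUCCESS
2016-06-01T08:02:40 host=erp01 user=e101 action=WRITE object=PAYROLL_MASTER result=DENIED
2016-06-01T08:02:55 host=erp01 user=e101 action=WRITE object=PAYROLL_MASTER result=DENIED
2016-06-01T08:03:10 host=erp01 user=e101 action=WRITE object=PAYROLL_MASTER result=DENIED
2016-06-01T09:15:00 host=erp01 user=e103 action=READ object=PAYROLL_MASTER result=DENIED
2016-06-01T09:20:31 host=erp01 user=audit_test action=READ object=PAYROLL_MASTER result=DENIED
2016-06-01T10:00:00 host=erp01 user=e104 action=READ object=GL_JOURNAL result=SUCCESS
this line is malformed and must be reported, not silently dropped
""".splitlines()

# Constructed follow-up register kept by the security administrator:
# (user, object) -> ticket reference documenting the investigation
FOLLOW_UP_REGISTER = {
    ("e101", "PAYROLL_MASTER"): "SEC-0042 investigated, user training scheduled",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) result=(?P<result>SUCCESS|DENIED)$"
)


def parse_events(lines):
    """Return (events, rejected_lines). Unparseable lines are kept for the auditor."""
    events, rejected = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
        elif line.strip():
            rejected.append(line)
    return events, rejected


def denied_events(events):
    return [e for e in events if e["result"] == "DENIED"]


def denials_by_user(events):
    """How many unsuccessful attempts each user made."""
    return Counter(e["user"] for e in denied_events(events))


def repeat_violators(events, threshold=3):
    """Users at or above the threshold of denied attempts: candidates for investigation."""
    return sorted(u for u, n in denials_by_user(events).items() if n >= threshold)


def auditor_test_was_logged(events, test_user):
    """The auditor's own deliberate unauthorized attempt should appear as DENIED."""
    return any(e["user"] == test_user for e in denied_events(events))


def violations_without_follow_up(events, register):
    """Distinct (user, object) denials with no evidence of investigation."""
    seen = {(e["user"], e["obj"]) for e in denied_events(events)}
    return sorted(pair for pair in seen if pair not in register)


def review(lines=LOG_LINES, register=FOLLOW_UP_REGISTER, test_user="audit_test"):
    """Run the whole report review and return the findings."""
    events, rejected = parse_events(lines)
    return {
        "denials_by_user": dict(denials_by_user(events)),
        "repeat_violators": repeat_violators(events),
        "auditor_test_logged": auditor_test_was_logged(events, test_user),
        "unreviewed": violations_without_follow_up(events, register),
        "rejected_lines": rejected,
    }


if __name__ == "__main__":
    for name, value in review().items():
        print(f"{name}: {value}")
```

Two details matter for the audit conclusion: lines the parser cannot read are reported rather than dropped, because a report that silently loses events cannot be relied on, and the auditor's own test attempt is treated as a violation that must also be visible on the report.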
Investigation Techniques
If a computer crime occurs, it is very important that proper
procedures are used to collect evidence.
o Damaged evidence can hinder prosecution.
o After a computer crime, the environment and evidence
must be left unaltered and examined by specialist law
enforcement officials.
Any electronic document or data may be used as digital
evidence.
An IS auditor may be required or asked to be involved in a
forensic analysis to provide expert opinion or to ensure the
correct interpretation of information gathered.
Investigation Techniques (cont’d)
Identify
• Refers to the identification of information that is available and might form the evidence of an incident
Preserve
• Refers to the practice of retrieving identified information and preserving it as evidence
Analyze
• Involves extracting, processing and interpreting the evidence
Present
• Involves a presentation to the various audiences, such as management, attorneys, court, etc.
Computer Forensics
The IS auditor should give consideration to key elements of
computer forensics during audit planning, including the
following:
o Data protection
o Data acquisition
o Imaging
o Extraction
o Interrogation
o Ingestion/normalization
o Reporting
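The "Preserve" step of the investigation process and the data acquisition and imaging elements listed above rest on one control: hashing the evidence at acquisition and at every later handover so that any alteration is detectable. The following is an added example of that control, not ISACA course material or any forensic tool's code. The source volume bytes, the case identifier and the handover entries are constructed, and the in-memory copy stands in for a write-blocked forensic imaging tool.

```python
"""Evidence preservation for a forensic image.

Added example (not from the ISACA course material): shows the 'preserve'
step of the investigation process, hashing a constructed source volume
before and after imaging and keeping a chain-of-custody log whose entries
are checked against the current hash. Real acquisitions use a write blocker
and a forensic imaging tool; the in-memory copy here stands in for that.
"""
import hashlib
from datetime import datetime, timezone

# Constructed "source volume": the bytes an imaging tool would read sector by sector
SOURCE_VOLUME = (b"FAT32 BOOT" + b"\x00" * 22 + b"payroll_2016.xlsx" + b"\x00" * 64) * 4


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest; the value recorded on evidence labels and custody forms."""
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes) -> dict:
    """Copy the source, hash both sides and report whether the copy verifies.

    A source hash taken before acquisition and an image hash taken afterwards
    are the evidence that the image is a faithful copy."""
    source_hash = sha256_hex(source)
    image = bytes(source)          # stand-in for a bit-for-bit forensic copy
    image_hash = sha256_hex(image)
    return {"image": image, "source_hash": source_hash, "image_hash": image_hash,
            "verified": source_hash == image_hash}


class ChainOfCustody:
    """Append-only record of who handled the evidence, when, and its hash at that time."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries = []

    def record(self, actor: str, action: str, evidence: bytes, when=None):
        when = when or datetime.now(timezone.utc)
        self.entries.append({"actor": actor, "action": action,
                             "hash": sha256_hex(evidence), "when": when.isoformat()})
        return self.entries[-1]

    def is_intact(self, evidence: bytes) -> bool:
        """Every recorded hash must still equal the hash of the evidence held now."""
        current = sha256_hex(evidence)
        return bool(self.entries) and all(e["hash"] == current for e in self.entries)


def preserve_and_verify(source: bytes = SOURCE_VOLUME, case_id: str = "CASE-EXAMPLE-1"):
    """Acquire, log custody transfers, then simulate later verification and tampering."""
    acquired = acquire_image(source)
    log = ChainOfCustody(case_id)
    log.record("examiner_a", "acquired image", acquired["image"])
    log.record("evidence_clerk", "received for storage", acquired["image"])
    intact_before = log.is_intact(acquired["image"])

    # Any alteration, even a single bit, breaks the chain: the hash no longer matches
    tampered = bytearray(acquired["image"])
    tampered[40] ^= 0x01
    intact_after_tamper = log.is_intact(bytes(tampered))

    return {"acquisition_verified": acquired["verified"],
            "intact_before": intact_before,
            "intact_after_tamper": intact_after_tamper,
            "entries": len(log.entries)}


if __name__ == "__main__":
    print(preserve_and_verify())
```

The custody log never stores the evidence itself, only its hash, so the log can be reviewed by the IS auditor without handling the image; an empty log is treated as not intact because there is then no acquisition record to verify against.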
Auditing Network Infrastructure
When performing an audit of the network infrastructure, the IS auditor
should:
o Review the following documents:
• Network diagrams
• SLAs
• Network administrator procedures
• Network topology design
o Identify the network design implemented.
o Determine that applicable security policies, standards, procedures and
guidance on network management and usage exist and have been
distributed.
o Identify who is responsible for security and operation of Internet
connections.
o Determine whether consideration has been given to the legal problems
arising from use of the Internet.
o Determine whether a vulnerability scanning process is in place.
Auditing Remote Access
IS auditors should determine that all remote access
capabilities used by an organization provide for effective
security of the organization’s information resources.
This includes:
o Ensuring that remote access security controls are
documented and implemented for authorized users
o Reviewing existing remote access architectures for points
of entry
o Testing access controls
Penetration Testing
During penetration testing, an auditor attempts to circumvent the
security features of a system and exploits the vulnerabilities to
gain access that would otherwise be unauthorized.
Source: ISACA, CISA Review Manual 26th Edition, figure 5.22
Phases shown in the figure: Planning, Discovery, Attack, Additional Discovery, Reporting
Types of Penetration Tests
External testing
Refers to attacks and control circumvention attempts on the target’s network perimeter from outside the target’s system
Internal testing
Refers to attacks and control circumvention attempts on the target from within the perimeter
Blind testing
Refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target’s information systems
Double blind testing
Refers to an extension of blind testing, because the administrator and security staff at the target are also not aware of the test
Targeted testing
Refers to attacks and control circumvention attempts on the target, while both the target’s IT team and penetration testers are aware of the testing activities
Domain 5 Summary
Evaluate the information security and privacy policies,
standards and procedures.
Evaluate the design, implementation, maintenance,
monitoring and reporting of physical and environmental
controls.
Evaluate the design, implementation, maintenance,
monitoring and reporting of system and logical security
controls.
Domain 5 Summary (cont’d)
Evaluate the design, implementation and monitoring of
the data classification processes and procedures.
Evaluate the processes and procedures used to store,
retrieve, transport and dispose of assets.
Evaluate the information security program.
Discussion Question
The CSIRT of an organization disseminates detailed descriptions of recent threats. An IS auditor’s GREATEST concern should be that the users may:
A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.
Discussion Question
Which of the following is the BEST way for an IS auditor to determine the effectiveness of a security awareness and training program?
A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.
Discussion Question
A hard disk containing confidential data was damaged beyond repair. What should be done to the hard disk to prevent access to the data residing on it?
A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C. Demagnetize the hard disk.
D. Physically destroy the hard disk.
EXAM PRACTICE
Question 1
An IS auditor is developing an audit plan for an environment that includes new systems. The company’s management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
A. Audit the new systems as requested by management.
B. Audit systems not included in last year’s scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year’s scope and the new systems.
Question 2
To ensure that audit resources deliver the best value to the organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on each audit.
B. train the IS audit staff on current technology used in the company.
C. develop the audit plan on the basis of a detailed risk assessment.
D. monitor progress of audits and initiate cost control measures.
Question 3
The PRIMARY objective of the audit initiation meeting with an IS audit client is to:
A. discuss the scope of the audit.
B. identify resource requirements of the audit.
C. select the methodology of the audit.
D. review requested evidence provided by the audit client.
Question 4
The effect of which of the following should have priority in planning the scope and objectives of an IS audit?
A. Applicable statutory requirements
B. Applicable corporate standards
C. Applicable industry best practices
D. Organizational policies and procedures
Question 5
Why does an audit manager review the staff’s audit papers, even when the IS auditors have many years of experience?
A. internal quality requirements.
B. the audit guidelines.
C. the audit methodology.
D. professional standards.
Question 6
An IS audit department considers implementing continuous auditing techniques for a multinational retail enterprise that requires high availability of its key systems. A PRIMARY benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.
Question 7
The internal audit department has written some scripts that are used for continuous auditing of some information systems. The IT department has asked for copies of the scripts so that they can use them for setting up a continuous monitoring process on key systems. Would sharing these scripts with IT affect the ability of the IS auditors to independently and objectively audit the IT function?
A. Sharing the scripts is not permitted because it would give IT the ability to pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review all programs and software that runs on IS systems regardless of audit independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS auditors who wrote the scripts would not be permitted to audit any IS systems where the scripts are being used for monitoring.
Question 8
The success of control self-assessment (CSA) depends highly on:
A. having line managers assume a portion of the responsibility for control monitoring.
B. assigning staff managers the responsibility for building, but not monitoring, controls.
C. the implementation of a stringent control policy and rule-driven controls.
D. the implementation of supervision and the monitoring of controls of assigned duties.
Question 9
When conducting an IT security risk assessment, the IS auditor asked the IT security officer to participate in a risk identification workshop with users and business unit representatives. What is the MOST important recommendation that the IS auditor should make to obtain successful results and avoid future conflicts?
A. Ensure that the IT security risk assessment has a clearly defined scope.
B. Require the IT security officer to approve each risk rating during the workshop.
C. Suggest that the IT security officer accept the business unit risk and rating.
D. Select only commonly accepted risk with the highest submitted rating.
Question 10
An IS auditor is performing an audit in the data center when the fire alarm begins sounding. The audit scope includes disaster recovery, so the auditor observes the data center staff response to the alarm. Which of the following is the MOST important action for the data center staff to complete in this scenario?
A. Notify the local fire department of the alarm condition.
B. Prepare to activate the fire suppression system.
C. Ensure that all persons in the data center are evacuated.
D. Remove all backup tapes from the data center.
Question 11
When evaluating the controls of an electronic data interchange (EDI) application, an IS auditor should PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.
Question 12
An organization is replacing a payroll program that it developed in-house, with the relevant subsystem of a commercial enterprise resource planning (ERP) system. Which of the following would represent the HIGHEST potential risk?
A. Undocumented approval of some project changes
B. Faulty migration of historical data from the old system to the new system
C. Incomplete testing of the standard functionality of the ERP subsystem
D. Duplication of existing payroll permissions on the new ERP subsystem
Question 13
An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization’s project management process is the MOST likely cause of this issue?
A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management
Question 14
Which of the following techniques would BEST help an IS auditor gain reasonable assurance that a project can meet its target date?
A. Estimation of the actual end date based on the completion percentages and estimated time to complete, taken from status reports
B. Confirmation of the target date based on interviews with experienced managers and staff involved in the completion of the project deliverables
C. Extrapolation of the overall end date based on completed work packages and current resources
D. Calculation of the expected end date based on current resources and remaining available project budget
Question 15
An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor’s MAIN concern should be that the:
A. complexity and risk associated with the project have been analyzed.
B. resources needed throughout the project have been determined.
C. technical deliverables have been identified.
D. contract for external parties involved in the project has been completed.
Question 16
The PRIMARY objective of service-level management (SLM) is to:
A. define, agree on, record and manage the required levels of service.
B. ensure that services are managed to deliver the highest achievable level of availability.
C. keep the costs associated with any service at a minimum.
D. monitor and report any legal noncompliance to business management.
Question 17
The BEST audit procedure to determine if unauthorized changes have been made to production code is to:
A. examine the change control system records and trace them forward to object code files.
B. review access control permissions operating within the production program libraries.
C. examine object code to find instances of changes and trace them back to change control records.
D. review change approved designations established within the change control system.
Question 18
Which of the following is the BEST method for determining the criticality of each application system in the production environment?
A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent application audits.
D. Perform a business impact analysis (BIA).
Question 19
Which of the following issues should be the GREATEST concern to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most essential systems were tested. The other systems were tested separately during the rest of the year.
B. During the test, some of the backup systems were defective or not working, causing the test of these systems to fail.
C. The procedures to shut down and secure the original production site before starting the backup site required far more time than planned.
D. Every year, the same employees perform the test. The recovery plan documents are not used because every step is well known by all participants.
Question 20
Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)?
A. Business process owners
B. IT management
C. Senior business management
D. Industry experts
Question 21
While designing the business continuity plan (BCP) for an airline reservation system, the MOST appropriate method of data transfer/backup at an offsite location would be:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.
Question 22
The information security policy that states “each individual must have his/her badge read at every controlled door” addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
Question 23
An IS auditor discovers that uniform resource locators (URLs) for online control self-assessment questionnaires are sent using URL shortening services. The use of URL shortening services would MOST likely increase the risk of which of the following attacks?
A. Internet protocol (IP) spoofing
B. Phishing
C. Structured query language (SQL) injection
D. Denial-of-service (DoS)
Question 24
A company is planning to install a network-based intrusion detection system (IDS) to protect the web site that it hosts. Where should the device be installed?
A. On the local network
B. Outside the firewall
C. In the demilitarized zone (DMZ)
D. On the server that hosts the web site
Question 25
What would be the MOST effective control for enforcing accountability among database users accessing sensitive information?
A. Implement a log management process.
B. Implement a two-factor authentication.
C. Use table views to access sensitive data.
D. Separate database and application servers.
Question 26
What is the BEST approach to mitigate the risk of a phishing attack?
A. Implementation of an intrusion detection system (IDS)
B. Assessment of web site security
C. Strong authentication
D. User education
Question 27
Which of the following BEST encrypts data on mobile devices?
A. Elliptical curve cryptography (ECC)
B. Data encryption standard (DES)
C. Advanced encryption standard (AES)
D. The Blowfish algorithm
Question 28
When protecting an organization’s IT systems, which of the following is normally the next line of defense after the network firewall has been compromised?
A. Personal firewall
B. Antivirus programs
C. Intrusion detection system (IDS)
D. Virtual local area network (VLAN) configuration
Question 29
Which of the following would MOST effectively enhance the security of a challenge-response based authentication system?
A. Selecting a more robust algorithm to generate challenge strings
B. Implementing measures to prevent session hijacking attacks
C. Increasing the frequency of associated password changes
D. Increasing the length of authentication strings
Question 30
An IS auditor is reviewing a software-based firewall configuration. Which of the following represents the GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule in the rule base.
B. is installed on an operating system with default settings.
C. has been configured with rules permitting or denying access to systems or networks.
D. is configured as a virtual private network (VPN) endpoint.
THANK YOU!