CISA summary
Version 1.0
Christian Reina, CISSP

This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the conditions that you give credit to the original author.
2010 - Christian Reina, CISSP.
Domain 1 – IT Governance

"Collection of top-down activities intended to control the IT organization from a strategic perspective."
    - Policy
    - Priorities
    - Standards
    - Vendor Management
    - Program/Project Management

IT Strategy Committee: Advise board of directors on strategies.

Balanced Scorecard: Measure performance and effectiveness.
    - Business contribution: Perception from non-IT executives
    - User: Satisfaction
    - Operational excellence: downtime, defects, support tickets
    - Innovation: increase IT value w/ innovation

Information Security Governance
    Roles and responsibilities
    - Board of Directors: risk appetite and risk management
    - Steering Committee: Operational strategy for security and risk management
    - CISO: conducting risk assessment, developing security policy, vulnerability management, incident management, compliance
    - Employees: Comply with policies

Enterprise Architecture (EA): Map business functions into the IT environment as a model. Activities to ensure business needs are met.

Zachman Model: IT systems and environments are described at a high, functional level, and then in increasing detail.

DFD: Illustrate the flow of information.

Risk Management: Seek, identify, and manage risk.
    - Accept
    - Mitigate
    - Transfer
    - Avoid

Risk Management Program
    - Objectives: reduce costs, incidents
    - Scope
    - Authority: Executive level of commitment
    - Resources: Policies, processes, procedures, and records

Risk Management Process
    1. Asset Identification: Equipment, information, records, reputation, personnel
        o Grouping assets
        o Sources of asset data: Interviews, IT systems, online data
        o Organizing data: Business process, geography, OU, sensitivity, regulated
    2. Risk Analysis
        o Threat analysis: All threats with realistic opportunity of occurrence
        o Vulnerability identification: Ranked by severity or criticality
        o Probability analysis: Requires research to develop best guesses
        o Impact analysis: Study of estimating the impact of specific threats on specific assets
        o Qualitative: Subjective, using a numeric scale
        o Quantitative:
            - Asset Value (AV)
            - Exposure Factor (EF)
            - Single Loss Expectancy (SLE): AV x EF
            - Annualized Rate of Occurrence (ARO)
            - Annualized Loss Expectancy (ALE): SLE x ARO
    3. Risk Treatments
        o Risk Mitigation
        o Risk Transfer
        o Risk Avoidance
        o Risk Acceptance
        o Residual Risk

IT Management Practices
    1. Personnel Management
        a. Hiring: Background check, Employee Policy Manual, Job Description
        b. Employee Development: Training, performance evaluation, career path
        c. Mandatory vacations: Audit, cross training, reduced risk
        d. Termination
        e. Transfers and reassignments
    2. Sourcing
        a. Insource
        b. Outsource: risks, SLA, policy, governance (service level agreements, change management, security, quality, audits), SaaS
    3. Change Management
        a. Request
        b. Review
        c. Approve
        d. Perform change
        e. Verify change
    4. Financial Management
        a. Develop
        b. Purchase
        c. Rent
    5. Quality Management
        a. Software development
        b. Software acquisition
        c. Service desk
        d. IT operations
        e. Security
        f. Standards:
            i. ISO 9000: Superseded by ISO 9001:2008 Quality Management System
            ii. ISO 20000: IT Service Management for organizations adopting ITIL
            iii. ITIL
                1. Service Delivery
                2. Control Processes
                3. Release Processes
                4. Relationship Processes
                5. Resolution Processes
    6. Security Management
        a. Security Governance
        b. Risk Assessment
        c. Incident Management
        d. Vulnerability Management
        e. Access and Identity Management
        f. Compliance Management
        g. BCP
    7. Performance Management
        a. COBIT
        b. SEI CMMI

Roles and Responsibilities
    1. Executive Management: CIO, CTO, CSO, CISO, CPO
    2. Software Development: architect, analyst, developer, programmer, tester
    3. Data Management: architect, DBA, analyst
    4. Network Management: architect, engineer, administrator, telecom
    5. Systems Management: architect, engineer, storage, systems administrator
    6. Operations: manager, analyst, controls analyst, data entry, media librarian
    7. Security Operations: architect, engineer, analyst, account management, auditor
    8. Service Desk: help desk, technical support

Segregation of Duties Controls
    1. Transaction authorization
    2. Split custody
    3. Workflow: extra approval
    4. Periodic reviews

Auditing IT Governance
    1. Reviewing Documentation and Records:
        a. IT charter, strategy
        b. IT org chart
        c. HR/IT performance
        d. HR promotion policy
        e. HR manuals
        f. Life-cycle processes and procedures
        g. IT operations procedures
        h. IT procurement process
        i. Quality management documents
    2. Reviewing Contracts
        a. Service levels
        b. Quality levels
        c. Right to audit
        d. 3rd party audit
        e. Conformance to policies, laws, regulations
        f. Incident notification
        g. Liabilities
        h. Termination terms
        i. Protection of PII
    3. Reviewing Outsourcing
        a. Distance
        b. Lack of audit contract terms
        c. Lack of cooperation
Domain 2 – The Audit Process

Assess and evaluate the effectiveness of IT

AUDIT MANAGEMENT

The Audit Charter: Define roles and responsibilities. Sufficient authority.

The Audit Program: scope, objectives, resources, procedures.

Strategic Audit Planning:
    - Factors: Business goals and objectives, initiatives, market conditions, changes in technology, regulatory requirements.
    - Changes in audit activities: New internal audits, new external audits, increase in audit scope, impact on business process.
    - Resource planning: Budget and manpower.

Audit and Technology: Continue learning about new technologies.

Audit Laws and Regulations:
    - Characteristics: Security, integrity, privacy
    - Computer Security and Privacy Regulations:
        o Categories: Computer trespass, protection of sensitive information, collection and use of information, law enforcement investigative powers
        o Consequences: Loss of reputation, competitive advantage, sanctions, lawsuits, fines, prosecution

"An organization should take a systematic approach to determine the applicability of regulations as well as the steps required to attain compliance and remain in this state."

US Regulations:
    - Access Device Fraud 1984
    - Computer Fraud and Abuse Act 1984
    - Electronic Communications Act 1986
    - Electronic Communications Privacy Act (ECPA) 1986
    - Computer Security Act 1987
    - Computer Matching and Privacy Protection Act 1988
    - Communications Assistance for Law Enforcement Act (CALEA) 1994
    - Economic and Protection of Proprietary Information Act 1996
    - Health Insurance Portability and Accountability Act (HIPAA) 1996
    - Children's Online Privacy Protection Act (COPPA) 1998
    - Identity Theft and Assumption Deterrence Act 1998
    - Gramm-Leach-Bliley Act 1999
    - Federal Energy Regulatory Commission (FERC)
    - Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act (PATRIOT) 2001
    - Sarbanes-Oxley Act 2002
    - Federal Information Security Management Act (FISMA) 2002
    - Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) 2003
    - California Privacy Act SB1386 2003
    - Identity Theft and Assumption Deterrence Act 2003
    - Basel II 2004
    - Payment Card Industry Data Security Standard (PCI-DSS) 2004
    - North American Electric Reliability Corporation (NERC) 1968/2006
    - Massachusetts Security Breach Law 2007

Canadian Regulations:
    - Interception of Communications, Section 184
    - Unauthorized Use of Computer, Section 342.1
    - Privacy Act 1983
    - Personal Information Protection and Electronic Documents Act (PIPEDA)

European Regulations:
    - Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981
    - Computer Misuse Act (CMA) 1990
    - Directive on the Protection of Personal Data 2003, European Union
    - Data Protection Act (DPA) 1998
    - Regulation of Investigatory Powers Act 2000
    - Anti-Terrorism, Crime and Security Act 2001
    - Privacy and Electronic Communications Regulations 2003
    - Fraud Act 2006
    - Police and Justice Act 2006

Other Regulations:
    - Cybercrime Act 2001, Australia
    - Information Technology Act 2000, India

ISACA AUDITING STANDARDS

Code of Ethics: Members and ISACA certification holders shall:
    1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
    2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
    3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
    4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
    5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
    6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
    7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Audit Standards:
    - S1, Audit Charter
    - S2, Independence
    - S3, Professional Ethics and Standards
    - S4, Professional Competence
    - S5, Planning
    - S6, Performance of Audit Work
    - S7, Reporting
    - S8, Follow-up Activities
    - S9, Irregularities and Illegal Acts
    - S10, IT Governance
    - S11, Use of Risk Assessment in Audit Planning
    - S12, Audit Materiality
    - S13, Use the Work of Other Experts
    - S14, Audit Evidence
    - S15, IT Controls
    - S16, E-Commerce

Audit Guidelines:
    - G1, Using the Work of Other Auditors
    - G2, Audit Evidence Requirement
    - G3, Use of Computer-Assisted Audit Techniques (CAATs)
    - G4, Outsourcing of IS Activities to Other Organizations
    - G5, Audit Charter
    - G6, Materiality Concepts for Auditing IS
    - G7, Due Professional Care
    - G8, Audit Documentation
    - G9, Audit Considerations for Irregularities and Illegal Acts
    - G10, Audit Sampling
    - G11, Effect of Pervasive IS Controls
    - G12, Organizational Relationship and Independence
    - G13, Use of Risk Assessment in Audit Planning
    - G14, Application Systems Review
    - G15, Planning
    - G16, Effect of Third Parties on an Organization's IT Controls
    - G17, Effect of Nonaudit Role on the IS Auditor's Independence
    - G18, IT Governance

    - P10, Business Application Change Control
    - P11, Electronic Funds Transfer

RISK ANALYSIS
    - Evaluating business processes
    - Identifying business risks
    - Risk mitigation
    - Countermeasures assessment
    - Monitoring

INTERNAL CONTROLS

PERFORMING AN AUDIT

Formal Planning:
    o Purpose
    o Scope
    o Risk analysis
    o Audit procedures
    o Resources
    o Schedule

Types:
    o Operational
    o Financial
    o IS audit
    o Administrative
                                      G19, Irregularities and Illegal Acts
                                                                                                                                                                             o    Compliance
                                      G20, Reporting                                                                                                                        o    Forensic
                                      G21, Enterprise Resource Planning (ERP) Systems                                                                                       o    Service provider
                                       Review                                                                                                                                o    Pre-audit
                                      G22, Business to Consumer (B2C) E-Commerce                                                                                       Compliance vs. Substantive Testing
                                       Review                                                                                                                                o    Compliance: Determine if control procedures
                                      G23, SDLC Review                                                                                                                           have been properly designed and
                                      G24, Internet Banking                                                                                                                      implemented and operating properly.
                                      G25, Review of VPN                                                                                                                    o    Substantive: Determine accuracy and
                                      G26, Business Process Reengineering (BRP) Review                                                                                           integrity of transactions that flow through
                                      G27, Mobile Computing                                                                                                                      processes and information systems
                                      G28, Computer Forensics                                                                                                          Audit Methodology
                                      G29, Post-implementation Review                                                                                                       o    Audit Subject
Domain 2 – The Audit Process




                                      G30, Competence                                                                                                                       o    Audit Objective
                                      G31, Privacy                                                                                                                          o    Audit type
                                      G32, BCP                                                                                                                              o    Audit Scope
                                      G33, General Consideration on the Use of the Internet                                                                                 o    Pre-Audit planning
                                      G34, Responsibility, Authority, and Accountability                                                                                    o    Audit SoW
                                      G35, Follow up Activities                                        Control Classification                                              o    Audit Procedures
                                      G36, Biometric Controls                                                o    Types: Technical, Administrative, Physical                o    Communication plan
                                                                                                              o    Classes: Preventative, Detective, Deterrent,              o    Report preparation
                                      G37, Configuration Management
                                                                                                                   Corrective, Compensating, Recovery                        o    Wrap-up
                                      G38, Access Controls
                                                                                                              o    Categories: Manual, Automatic                             o    Post-audit Follow-up
                                      G39, IT Organization
                                                                                                        Internal Control Objectives: Statements of desired             Audit Evidence
                                      G40, Review of Security Management Practices
                                                                                                         outcomes from business operations. Protection of IT                 o    Independence of the evidence provider 
                                                                                                         assets, Availability of IT systems                                  o    Qualifications of the evidence provider
                               Audit Procedures
                                                                                                              o    IS Control Objectives: Protection of                      o    Objectivity
                                                                                                                   information from unauthorized personnel,
                                      P1, Risk Assessment                                                         Integrity of Operating Systems
                                                                                                                                                                             o    Timing
                                      P2, Digital Signature and Key management                                                                                         Gathering Evidence
                                                                                                        General Computing Controls: GCCs are controls that                       Org Chart
                                      P3, IDS                                                           apply across all applications and services. Passwords
                                                                                                                                                                             o
                                      P4, Viruses                                                                                                                           o    Review dept and project charters
                                                                                                         are encrypted, Strong passwords                                     o
                                                                                                                                                                                            rd
                                                                                                                                                                                  Review 3 party contracts
                                      P5, Control Risk Self-Assessment                                 IS Controls: Each GCC is mapped to a specific IS                    o    Review IS policies and procedures
                                      P6, Firewall                                                      control on each system type.                                        o    Review IS Standards
                                      P7, Irregularities and Illegal Acts
                                      P8, Security Assessment (Pen test, vulnerability
                                       analysis)
                                      P9, Encryption                                             

                                                                                                  
           o  Review IS documentation
           o  Personnel Interviews
           o  Passive observation
      Observing Personnel
           o  Real tasks
           o  Skills and experience
           o  Security awareness
           o  Segregation of Duties
      Sampling
           o  Statistical: Reflects the entire population
           o  Judgmental: Subjectively selects samples based on established criteria
           o  Attribute: Samples are examined and a specific attribute is chosen
           o  Variable: Determine the characteristic of a given population to determine total value
           o  Stop-or-go: Sampling can stop at the earliest possible time due to low risk and rate of exceptions
           o  Discovery: Trying to find at least one exception in a population
           o  Stratified: Create different classes and review one attribute common to all classes
      Computer-Assisted Audit: CAATs help examine and evaluate data across complex environments
      Reporting Audit Results
           o  Cover letter
           o  Intro
           o  Summary
           o  Description
           o  Listing of systems and processes examined
           o  Listing of interviewees
           o  Listing of evidence obtained
           o  Explanation of sampling technique
           o  Description of findings and recommendations
      Audit Risk
           o  Control risk: an error goes undetected by an internal control
           o  Detection risk: the IS auditor will overlook errors
           o  Inherent risk: inherent risks exist independent of the audit
           o  Overall audit risk: summation of all of the residual risks
           o  Sampling risk: the sampling technique will not detect an error
      Materiality: A monetary threshold in financial audits

CONTROL SELF-ASSESSMENT
Methodology used by an organization to review key business objectives and the key controls designed to manage the risks to those objectives.
      Advantages
           o  Risks detected earlier
           o  Improvement of internal controls
           o  Ownership of controls
           o  Improved employee awareness
           o  Improved relationship between departments and auditors
      Disadvantages
           o  Mistaken as a substitute for internal audit
           o  May be considered extra work
           o  May be considered an attempt by an auditor to shrug off responsibilities
           o  Lack of employee involvement yields no results
      Life Cycle
           o  Identify and assess risks
           o  Identify and assess controls
           o  Develop questionnaire or workshop
           o  Analyze completed questionnaire
           o  Control remediation
           o  Awareness training
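The sampling techniques listed under Sampling above, worked through on a constructed population of privileged-access change tickets (an added example, not part of the original summary; the ticket data, the tolerable exception rate and the stop-or-go stop rule are assumptions):

```python
from __future__ import annotations

import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeTicket:
    """One privileged-access change ticket (constructed test data, not real records)."""
    ticket_id: int
    system_class: str   # the stratum used for stratified sampling
    approved: bool      # the attribute under test: did the change carry an approval?


def build_population() -> list[ChangeTicket]:
    """Constructed population of 60 tickets spread over three system classes;
    every 11th ticket (11, 22, 33, 44, 55) was never approved, so 5 exceptions exist."""
    classes = ["mainframe", "unix", "windows"]
    return [ChangeTicket(i, classes[i % 3], approved=(i % 11 != 0)) for i in range(1, 61)]


def attribute_test(sample: list[ChangeTicket]) -> float:
    """Attribute sampling: each sampled item is checked for one yes/no attribute
    (missing approval) and the observed exception rate is returned."""
    exceptions = sum(1 for t in sample if not t.approved)
    return exceptions / len(sample)


def statistical_sample(population: list[ChangeTicket], size: int, seed: int = 0) -> list[ChangeTicket]:
    """Statistical sampling: a seeded random draw in which every ticket has the same
    chance of selection, so the result can be projected onto the whole population."""
    return random.Random(seed).sample(population, size)


def judgmental_sample(population: list[ChangeTicket], criterion) -> list[ChangeTicket]:
    """Judgmental sampling: the auditor picks items by an established criterion
    (here a predicate), e.g. only tickets touching one system class."""
    return [t for t in population if criterion(t)]


def stratified_sample(population: list[ChangeTicket], per_stratum: int, seed: int = 0) -> list[ChangeTicket]:
    """Stratified sampling: split the population into classes (system type), draw the
    same number from each class, then review one attribute common to all classes."""
    rng = random.Random(seed)
    sample: list[ChangeTicket] = []
    for cls in sorted({t.system_class for t in population}):
        stratum = [t for t in population if t.system_class == cls]
        sample.extend(rng.sample(stratum, per_stratum))
    return sample


def stop_or_go(population: list[ChangeTicket], step: int, max_size: int,
               tolerable_rate: float, seed: int = 0) -> tuple[int, int]:
    """Stop-or-go sampling: examine tickets in increments of `step` and stop as soon
    as the running exception rate is at or below `tolerable_rate` (assumed stop rule),
    or once `max_size` tickets have been examined. Returns (examined, exceptions)."""
    order = list(population)
    random.Random(seed).shuffle(order)
    limit = min(max_size, len(order))
    examined = exceptions = 0
    while examined < limit:
        batch = order[examined:min(examined + step, limit)]
        exceptions += sum(1 for t in batch if not t.approved)
        examined += len(batch)
        if exceptions / examined <= tolerable_rate:
            break
    return examined, exceptions


def discovery_sample(population: list[ChangeTicket], seed: int = 0) -> tuple[int, ChangeTicket | None]:
    """Discovery sampling: keep examining until the first exception turns up.
    Returns (tickets examined, the offending ticket, or None if the population is clean)."""
    order = list(population)
    random.Random(seed).shuffle(order)
    for examined, t in enumerate(order, start=1):
        if not t.approved:
            return examined, t
    return len(order), None


def stratum_counts(sample: list[ChangeTicket]) -> dict[str, int]:
    """How many sampled tickets fall into each system class."""
    return dict(Counter(t.system_class for t in sample))


if __name__ == "__main__":
    pop = build_population()
    print("population exception rate:", round(attribute_test(pop), 3))
    print("statistical sample rate:  ", round(attribute_test(statistical_sample(pop, 15, seed=3)), 3))
    print("stratified counts:        ", stratum_counts(stratified_sample(pop, 4, seed=1)))
    print("stop-or-go (step 10):     ", stop_or_go(pop, step=10, max_size=40, tolerable_rate=0.05))
    print("discovery:                ", discovery_sample(pop, seed=1))
```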
Domain 3 – IT Life-Cycle Management

Organization’s methodologies and practices for the development and management of software, infrastructure, and business processes.

PORTFOLIO AND PROGRAM MANAGEMENT
A program is an organization of many large, complex activities, and can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.
      Starting a Program:
           o  Program charter
           o  Identification of available resources
      Running a Program:
           o  Monitoring project schedules
           o  Managing project budgets
           o  Managing resources
           o  Identifying and managing conflicts
           o  Creating status reports
      Project Portfolio Management
           o  Executive sponsor
           o  Program manager
           o  Project manager
           o  Start and end dates
           o  Names of participants
           o  Objectives or goals that the project supports
           o  Budget
           o  Resources
           o  Dependencies
      Business Case development
           o  Business problem
           o  Feasibility study results
           o  High-level project plan
           o  Budget
           o  Metrics
           o  Risks

PROJECT MANAGEMENT
      Organizing Projects
                -  Direct report: Project team leader
                -  Influencer: Influences members but does not manage them directly
                -  Pure project: Given authority
                -  Matrix: Authority over each project team member
           o  Initiating a project
      Developing Project Objectives
           o  Object Breakdown Structure (OBS): Visual representation of the system, software, or application, in a hierarchical form.
           o  Work Breakdown Structure (WBS): Logical representation of the high-level and detailed tasks that must be performed to complete the project.
      Managing Projects
           o  Managing the project schedule
           o  Recording task completion
           o  Running project meetings
           o  Tracking project expenditures
           o  Communicating project status
      Project Roles and Responsibilities
           o  Senior management: support the approval of the project
           o  IT steering committee: Commission the feasibility study, approve the project
           o  Project manager
           o  Project team members
           o  End-user management: Assign staff to the project team. Support development of cases
           o  End users
           o  Project sponsor: define project objectives, provide budget
           o  Systems development management
           o  System developers
           o  Security manager
           o  IT Operations
      Project Planning
                -  Task identification
                -  Task estimation
                -  Task resources
                -  Task dependencies
                -  Milestone tracking
                -  Task tracking
           o  Estimating and sizing software projects
                -  Object Breakdown Structure (OBS)
                -  Work Breakdown Structure (WBS)
                -  Source Lines of Code (SLOC): accurate estimate based on previous analysis for the time to develop a program.
                -  COCOMO: Constructive Cost Model method for estimating software development projects
                -  Function Point Analysis (FPA): time-proven estimation technique for larger software projects. It studies the detailed design specifications for an application program and counts the number of user inputs, user outputs, user queries, files, and external interfaces.
                -  Other costs: development tools, workstations, servers, software licenses, network devices, training, equipment
           o  Scheduling Project Tasks: Critical phase
                -  Gantt Chart
                -  Program Evaluation and Review Technique (PERT)
                -  Critical Path Methodology (CPM): It is important to identify the critical path in a project, because this allows the project manager to understand which tasks are most likely to impact the project schedule and to determine when the project will finally conclude.
                -  Timebox Management: A period in which a project must be completed.
           o  Project Records:
                -  Project plans
                -  Project changes
                -  Meeting agendas and minutes
                -  Resource consumption
                -  Task information
           o  Project Documentation: Helps users, support staff, IT operations, developers, and auditors
           o  Project Change Management: The procedures for making changes to the project should be done in two basic steps:
                -  The project team should identify the specific use, impact, and remedy, and make a formal request.
                -  This change request should be presented to management along with its impact. Management should make a decision.
           o  Project closure
                -  Project debrief
                -  Project documentation archival
                -  Management review
                -  Training
                -  Formal turnover to users, operations and support
           o  Methodologies
                -  Project Management Body of Knowledge (PMBOK): Process based
                      Processes:
                           o  Inputs
                           o  Techniques
                           o  Outputs
                      Process groups:
                           -  Initiating
                           -  Planning
                           -  Executing
                           -  Controlling and monitoring
                           -  Closing
                -  Projects IN Controlled Environments (PRINCE2): Project management framework
                      -  Starting up a project (SU)
                      -  Planning (PL)
                      -  Initiating a project (IP)
                      -  Directing a project (DP)
                      -  Controlling a stage (CS)
                      -  Managing product delivery (MP)
                      -  Managing Stage Boundaries (SB)
                      -  Closing a project (CP)
                -  Scrum: Iterative and incremental process most commonly used to project manage an agile software development effort.
                      -  Scrum master: this is the project manager
                      -  Product owner: this is the customer
                      -  Team
                      -  Users

(continued from the preceding column)
                -  Access control
                -  Encryption
                -  Data validation
                -  Audit logging
                -  Security operational requirements
           o  DR/BCP Requirements
           o  Privacy Requirements
           o  RFP Process: Request For Proposal
                -  Requirements
                -  Vendor financial stability
                -  Product roadmap
                -  Experience
                -  Vision
                -  References
                -  Questions for clients:
                      -  Satisfaction with installation
                      -  Satisfaction with migration
                      -  Satisfaction with support
                      -  Satisfaction with long-term roadmap
                      -  What went well
                      -  What did not go well
                -  Contract negotiation
                -  Closing the RFP
      3. Design: A top down approach

           o  Unit testing: by developers during the coding phase. Should be a part of the development of each module in the application.
           o  System testing: end to end testing. Includes interface testing, migration testing.
           o  Functional testing: Verification of functional requirements
           o  User Acceptance Testing (UAT): In most cases, it is a formal step to find out if the organization accepts the software developed by a 3rd party.
           o  Quality Assurance Testing (QAT):
      6. Implementation
           o  Planning:
                -  Prepare physical space for production systems
                -  Build production systems
                -  Install application software
                -  Migrate data
           o  Training:
                -  End users
                -  Customers
                -  Support staff
                -  Trainers
           o  Data migration
                -  Record counts
                -  Batch totals
                                                                                                                                                                                                 Checksums
                                                                             Stakeholders                4.   Development:
                                                                                                                                                                                 o    Cutover
                                                                             Managers                                          Coding the application
                                                                                                                                Developing program and system                                   Parallel
                                                                                                                                 level documents                                                 Geographic
                                       SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)                                                                                                                    Module by module
                                                                                                                                Developing user procedures
                                                                                                                                Working with users                                              Roll-back
                                          1.   Feasibility Study: Determine whether a specific                                                                                   o    Rollback Planning
                                               change or set of changes in business processes and                               Developing in a software
                                                                                                                                 acquisition setting:                   7.   Post Implementation
                                               underlying applications is practical to undertake.                                                                                o    Implementation review
                                                   o     Time required to develop / acquire software                                       Customizations
                                                                                                                                                                                                 System adequacy
                                                   o     A comparison between the cost of developing                                       Interfaces of other
                                                                                                                                                                                                 Security review
                                                         the application vs buying                                                          systems
                                                                                                                                                                                                 Issues
                                                   o     Whether an existing system can meet the                                           Authentication
                                                                                                                                                                                                 ROI
                                                         business need                                                                     Reports                              o    Software maintenance
                                                   o     Whether the application supports strategic                             Debugging
                                                         business objectives                                                               Correct operations              Development Risks
                                                   o     Whether a solution can be developed that is                                       Input validation                     o   Application inadequacy
                                                         compatible with other IT systems                                                  Proper output validation             o   Project risk
                                                   o     The impact of the proposed changes to the                                         Resource usage                       o   Business inefficiency
                                                         business on regulatory compliance                                      Source Code Management (SCM)                    o   Market changes
                                                   o     Whether future requirements can be met by                                         Protection
                                                         the system                                                                        Control                         Development Approaches and Techniques
                                          2.   Requirements: Characteristics of a new application or                                       Version control                      o   Agile Development
                                               changes being made.                                                                         Recordkeeping                        o   Prototyping
                                                   o     Business functional requirements: Must have      5.   Testing
                                                         to support the business
                                                   o     Technical requirements and standards: Use
                                                         the same basic technologies already in use
                                                         as well as formal technical standards.
                                                   o     Security and Regulatory Requirements:
                                                                   Authentication
                                                                   Authorization
(Development Approaches and Techniques, continued)
        o  Rapid Application Development (RAD)
        o  Data Oriented System Development (DOSD)
        o  Object-Oriented System Development (OO)
        o  Component based development: CORBA, DCOM, SOA
        o  Web-Based Application Development: HTML, SOAP, XML
        o  Reverse Engineering

System Development Tools
        o  Computer-Aided Software Engineering (CASE)
               Upper CASE: requirements gathering, DFDs, interfaces
               Lower CASE: creation of program source code and data schemas
        o  Fourth Generation Languages

INFRASTRUCTURAL DEVELOPMENT AND IMPLEMENTATION

1.  Review of existing architecture
2.  Requirements
        a. Business functional requirements
        b. Technical requirements and standards
        c. Security and regulatory requirements
        d. Privacy requirements
3.  Design
        a. Procurement
4.  Testing
5.  Implementation
6.  Maintenance

MAINTAINING INFORMATION SYSTEMS

Change Management Process
    Change request
    Change review
    Perform change
    Emergency changes

Configuration Management
    Recovery: configuration information is stored independently of the systems themselves
    Consistency: simplifies administration, reduces mistakes, and results in less unscheduled downtime.

BUSINESS PROCESSES

Business Process Life Cycle (BPLC)
    1. Feasibility study
    2. Requirements definition
    3. Design
    4. Development
    5. Testing
    6. Implementation
    7. Monitoring
    8. Post-implementation

Benchmarking a Process
    Plan
    Research
    Measure and observe
    Analyze
    Adapt: understand the fundamental reasons why other organizations' measurements are better than its own.
    Improve

Capability Maturity Models
    Software Engineering Institute Capability Maturity Model (SEI CMM)
        o  Initial
        o  Repeatable
        o  Defined
        o  Managed
        o  Optimizing
    Capability Maturity Model Integration (CMMI): an aggregation of these other models into an overall maturity model.
    ISO 15504: Software Process Improvement and Capability dEtermination (SPICE)
        o  Level 0 incomplete
        o  Level 1 performed
        o  Level 2 managed
        o  Level 3 established
        o  Level 4 predictable
        o  Level 5 optimizing

APPLICATION CONTROLS

Input Controls
    Authorization
        o  User access controls
        o  Workstation identification
        o  Approved transactions and batches
        o  Source documents
    Input validation
        o  Type checking
        o  Range and value checking
        o  Existence
        o  Consistency
        o  Length
        o  Check digits
        o  Spelling
        o  Unwanted characters
        o  Batch controls
    Error handling
        o  Batch rejection
        o  Transaction rejection
        o  Request re-input

Processing Controls
    Editing
    Calculations
        o  Run-to-run totals
        o  Limit checking
        o  Batch totals
        o  Manual recalculation
        o  Reconciliation
        o  Hash values
    Data file controls
        o  Data file security
        o  Error handling
        o  Internal and external labeling
        o  Data file version
        o  Source files
        o  Transaction logs
    Processing errors

Output Controls
    Controlling special forms
    Report distribution and receipt
    Reconciliation
    Retention
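The input validation, error handling and batch/hash total controls listed above, as an added runnable example that is not part of the original summary; the record layout, the limits and the mod-10 (Luhn) check-digit scheme are assumptions, since the summary names the controls but not their parameters:

```python
"""Application input and batch controls from the outline above, as runnable checks. Added
example, not from the original summary: record layout, limits and the mod-10 (Luhn)
check-digit scheme are assumptions."""
import re
from dataclasses import dataclass, field

ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}   # assumed value list
MAX_AMOUNT_CENTS = 100_000_000               # assumed upper limit for range checking
REQUIRED = ("batch_id", "account", "amount_cents", "currency", "memo")


def luhn_valid(number: str) -> bool:
    """Check-digit control: mod-10 (Luhn) validation (assumed scheme)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(rec: dict, batch_id: str) -> list[str]:
    """Input validation for one record; returns the failed controls (empty = pass)."""
    errors = []
    missing = [f for f in REQUIRED if f not in rec]              # existence
    if missing:
        return ["existence: missing " + ", ".join(missing)]
    if rec["batch_id"] != batch_id:                               # consistency with header
        errors.append("consistency: batch_id does not match batch header")
    amt = rec["amount_cents"]
    if isinstance(amt, bool) or not isinstance(amt, int):         # type (bool is an int subclass)
        errors.append("type: amount_cents must be an integer")
    elif not 0 < amt <= MAX_AMOUNT_CENTS:                         # range
        errors.append("range: amount_cents outside 1..MAX_AMOUNT_CENTS")
    if rec["currency"] not in ALLOWED_CURRENCIES:                 # value list
        errors.append("value: currency not in allowed list")
    acct = str(rec["account"])
    if not 8 <= len(acct) <= 16:                                  # length
        errors.append("length: account must be 8-16 digits")
    elif not luhn_valid(acct):                                    # check digit
        errors.append("check digit: account fails mod-10")
    if not re.fullmatch(r"[\x20-\x7e]{0,40}", str(rec["memo"])):  # unwanted characters
        errors.append("unwanted characters: memo")
    return errors


@dataclass
class BatchHeader:
    batch_id: str
    record_count: int
    batch_total_cents: int   # financial total of the batch
    hash_total: int          # sum of account numbers: meaningless as a value, useful as a control


@dataclass
class BatchResult:
    batch_rejected: list[str] = field(default_factory=list)       # batch-level failures
    accepted: list[dict] = field(default_factory=list)
    rejected: dict[int, list[str]] = field(default_factory=dict)  # record index -> failures


def hash_total(records: list[dict]) -> int:
    """Hash total over the account field (non-numeric accounts contribute 0)."""
    return sum(int(r["account"]) for r in records if str(r.get("account", "")).isdigit())


def process_batch(header: BatchHeader, records: list[dict]) -> BatchResult:
    """Batch controls first (record count, batch total, hash total): any mismatch rejects the
    whole batch. Otherwise each record is validated; failures are rejected individually."""
    res = BatchResult()
    if len(records) != header.record_count:
        res.batch_rejected.append("record count mismatch")
    # type(...) is int deliberately excludes bool when summing the received amounts
    if sum(r["amount_cents"] for r in records if type(r.get("amount_cents")) is int) != header.batch_total_cents:
        res.batch_rejected.append("batch total mismatch")
    if hash_total(records) != header.hash_total:
        res.batch_rejected.append("hash total mismatch")
    if res.batch_rejected:
        return res                      # error handling: batch rejection
    for i, rec in enumerate(records):
        errs = validate_record(rec, header.batch_id)
        if errs:
            res.rejected[i] = errs      # error handling: transaction rejection, request re-input
        else:
            res.accepted.append(rec)
    return res


# Constructed sample batch: two valid records and one whose account fails the check digit.
SAMPLE_RECORDS = [
    {"batch_id": "B-001", "account": "79927398713", "amount_cents": 12_500, "currency": "USD", "memo": "invoice 4411"},
    {"batch_id": "B-001", "account": "4539578763621486", "amount_cents": 990, "currency": "EUR", "memo": "refund"},
    {"batch_id": "B-001", "account": "79927398714", "amount_cents": 300, "currency": "GBP", "memo": "fee"},
]
# Header as the originating system would have computed it over the same three records.
SAMPLE_HEADER = BatchHeader("B-001", 3, 12_500 + 990 + 300, hash_total(SAMPLE_RECORDS))
```

Running process_batch(SAMPLE_HEADER, SAMPLE_RECORDS) passes the batch-level controls, accepts the first two records and rejects the third for its check digit; tampering with the header's record count rejects the whole batch before any record is examined.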
AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE

Auditing Project Management
Auditing the Feasibility Study
Auditing Requirements
Auditing Design
Auditing Software Acquisition
Auditing Development
Auditing Implementation
Auditing Post-Implementation
Auditing Change Management
Auditing Configuration Management

AUDITING BUSINESS CONTROLS

Identify the key processes in an organization and understand the controls that are in place, or should be in place, to govern the integrity of those processes.

AUDITING APPLICATION CONTROLS

Transaction Flow
Observations
Data Integrity Testing: used to confirm whether an application properly accepts, processes, and stores information.
Testing Online Processing Systems
Auditing Applications
Continuous Auditing: several techniques are available to perform online auditing:
Domain 4 – IT Service Delivery & Infrastructure

IT organizations are effective if their operations are effective. IT organizations are service organizations: their existence is to serve the organization and support its business processes.

INFORMATION SYSTEMS OPERATIONS

Management and control of operations
        o  Process and procedures
        o  Standards
        o  Resource allocation
        o  Process management
IT Service Management (ITSM)
        o  Service desk
        o  Incident mgt
        o  Problem mgt
        o  Change mgt
        o  Configuration mgt
        o  Release mgt: ITIL term used to describe the SDLC. Used for changes in a system such as:
               Incidents and problem resolution
               Enhancements
               Subsystem patches and changes
        o  Service-level mgt
        o  Financial mgt
        o  Capacity mgt
               Periodic measurements
               Considering planned changes
               Understanding long-term strategies
               Changes in technology
        o  Service continuity mgt
        o  Availability mgt
               Effective change mgt
               Effective application testing
               Resilient architecture
               Serviceable components
Infrastructure Operations
        o  Running scheduled jobs
        o  Restarting failed jobs/processes
        o  Facilitating backup jobs
        o  Monitoring systems/apps/networks
Monitoring
Software Program Library Management: system used to store and manage access to an organization's application source and object code
        o  Access and authorization controls
        o  Program checkout
        o  Program check-in
        o  Version control
        o  Code analysis
Quality Assurance
Security Management
        o  Policies, procedures, processes, and standards
        o  Risk assessments
        o  Impact analysis
        o  Vulnerability management

INFORMATION SYSTEMS HARDWARE

Computer usage
        o  Types: supercomputer, mainframe, midrange, server, desktop, laptop, mobile
        o  Uses: app server, web server, file server, db server, print server, test server, thin client, thick client, workstation
Computer architecture
        o  CPU: CISC (Complex Instruction Set Computer), RISC (Reduced Instruction Set Computer), single processor, multi-processor
        o  Bus: PCI, PC Card, MBus, SBus
        o  Main storage
        o  Secondary storage: program storage, data storage, temporary files, OS, virtual memory
        o  Firmware: Flash, EPROM, PROM, ROM, EEPROM
        o  I/O and networking
        o  Multi-computer: blade computers, grid computing, server clusters, virtual servers
Hardware maintenance
Hardware monitoring

INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE

Computer Operating Systems
               Access to peripherals
               Storage mgt
               Process mgt
               Resource allocation
               Communication
               Security
        o  OS Virtualization
        o  Clustering: using special software
        o  Grid Computing: a form of distributed computing
        o  Cloud Computing: dynamically scalable and usually virtualized
Data Communication Software
File Systems: directories, files, FAT, NTFS, HFS (Hierarchical File System), ISO 9660 (CD-ROM, DVD), UDF (Universal Disk Format)
Database Management Systems
        o  Relational DB Management (rDBMS): primary key, one or more indexes, referential integrity, encryption, audit logging, access controls
        o  Object Database (ODBMS): represented as objects; data and the programming method are contained in an object
        o  Hierarchical Database: top-down
Media Management System: Tape Management Systems (TMS) or Disk Management Systems (DMS)
Utility software
        o  Software and data design
        o  Software development
        o  Software testing
        o  Security testing
        o  Data management
        o  System health
        o  Network

NETWORK INFRASTRUCTURE

Network Architecture
        o  Physical network architecture
        o  Logical network architecture
        o  Data flow architecture
        o  Network standards and services
Types of networks
        o  Personal Area Network (PAN): up to 3 meters, used to connect peripherals for use by an individual
        o  LAN
        o  Campus Area Network (CAN)
        o  Metropolitan Area Network (MAN)
        o  WAN
Network-based Services: email, print, file storage, remote access, directory, terminal emulation, time synch, network authentication, web security, anti-malware, network management
Network Models
        o  OSI: application, presentation, session, transport, network, data link, physical
        o  TCP/IP: link, internet, transport, application
Network Technologies
        o  LAN
               Physical topology: star, ring, bus
               Cable types: shielded twisted pair (STP), screened unshielded twisted pair (S/UTP), screened shielded twisted pair (S/STP), unshielded twisted pair (UTP)

(fragments of the adjacent columns, continued on the next page)
               FTP
               FTPS
               SFTP
               SCP
               Rcp
        o  Change mgt: requested, reviewed prior to approval
Auditing OSs
        o  Standards: written stds
        o  Maintenance and support: support contracts
                                                                                    Other types: Fiber,                                  Messaging protocols                            o    Change mgt
                                                                                     coaxial, serial                                                 SMTP                                o    Configuration mgt: tools, recordkeeping,
                                                                         Network Transport protocols                                                POP                                      config processes
                                                                                    Ethernet: Broadcast or                                          IMAP                                o    Security mgt: hardening
                                                                                                                                                                                  
Domain 4 – IT Service Delivery & Infrastructure



                                                                                     shared medium, collision                                        NNTP                            Auditing File Systems
                                                                                     avoidance                                            File and directory sharing protocols           o    Capacity: storage
                                                          o    ATM: Synchronous network. Connection                                                                                       o    Access control
                                                                                                                                                     NFS
                                                               oriented link-layer protocol.                                                                                         Auditing DB Management Systems
                                                                                                                                                     RPC
                                                          o    Token Ring                                                                                                                 o    Configuration mgt: centrally controlled
                                                                                                                                          Session protocols
                                                          o    Universal Serial Bus                                                                                                       o    Change mgt: changes should be consistent
                                                               FDDI: Fiber distributed data interface. Range                                         TELNET
                                                          o                                                                                                                                    and systematic
                                                               up to 200km and capable of 200mb/sec                                                  rlogin                              o    Capacity mgt: ability to support business
                                                          o    WAN                                                                                   SSH                                      processes
                                                                         MPLS                                                                       HTTP                                o    Security mgt: access controls, logs
                                                                         SONET                                                                      HTTPS                          Auditing Network Infrastructure
                                                                         Frame Relay                                                     Management protocols                           o    Network architecture
                                                                         ISDN                                                                       SNMP                                o    Security architecture
                                                                         X.25                                                                       NTP                                 o    Standards
                                                          o    Wireless                                                                   Directory service protocols                    o    Change mgt
                                                                         Wi-Fi                                                                      DNS                                 o    Capacity mgt
                                                                         Bluetooth                                                                  LDAP                                o    Configuration mgt
                                                                         Wireless USB                                                               X.500                               o    Administrative access management
                                                                         NFC (Near Field Communication):             Global Internet: Email, IM, VPN, WWW                               o    Network components
                                                                          extremely short distance radio              Network Management                                                 o    Log management
                                                                          frequencies that are commonly                    o     Tools                                                    o    User access management
                                                                          used for merchant payment                                       Network management systems                Auditing Network Operating Controls
                                                                          applications.                                                   Network management agents                      o    Network operating procedures
                                                                         IrDA: Infrared Data Association.                                Incident management systems                    o    Restart procedures
                                                     TCP/IP Protocols                                                                    Protocol analyzers                             o    Troubleshooting procedures
                                                          o    Link Layer / network access layer                                          Sniffers                                       o    Security controls
                                                                         ARP (Address resolution)                    Networked Applications                                             o    Change management
                                                                         RARP (Reverse address                            o     Client–Server                                       Auditing computer operations
                                                                          resolution)                                      o     Web-based                                                o    System configuration standards
                                                                         OSPF (Open Shortest Path First)                                                                                 o    System build procedures
                                                                         L2TP (Layer 2 Tunneling Protocol)                                                                               o    System recovery procedures
                                                                         PPP                                   AUDITING IS INFRASTRUCTURE AND OPERATIONS                                 o    System update procedures
                                                                         Media Access Control (MAC)                                                                                      o    Patch management
                                                          o    Internet Layer / Layer 3                               Auditing IS Hardware                                               o    Daily tasks
                                                                         IP                                               o     Standards: procurement stds                              o    Backup
                                                                         ICMP                                             o     Maintenance: records, service contracts                  o    Media control
                                                                         IGMP                                             o     Capacity: system’s capacity monitoring                   o    Monitoring
                                                                         IPSec                                                                                                      Auditing Data Entry
                                                          o    Internet Layer                                                                                                             o    Data entry procedures
                                                                         IP Addresses, subnets, masks,                                                                                   o    Input verification
                                                                          gateway, classless and classful                                                                                 o    Batch verification
                                                                          networks.
                                                          o    Transport Layer
                                                                         TCP
                                                                         UDP
                                                          o    Application layer
                                                                         File Transfer Protocols
o    Correction procedures
                                                     Auditing Lights-Out operations
                                                          o    Remote administration procedures
                                                          o    Remote monitoring procedures
                                                     Auditing Problem Management Operations
                                                          o    Problem management policy and processes
                                                          o    Problem management records
Domain 4 – IT Service Delivery & Infrastructure


                                                          o    Problem management timelines
                                                          o    Problem management reports
                                                          o    Problem resolution
                                                          o    Problem recurrence
                                                     Auditing Monitoring Operations
                                                          o    Monitoring plan
                                                          o    Problem log
                                                          o    Preventative maintenance
                                                          o    Management review and action
                                                     Auditing Procurement
                                                          o    Requirements definition: functional, technical,
                                                               and security requirements approved by
                                                               management. Policies, procedures, and
                                                               records.
                                                          o    Feasibility studies
Domain 5 – Information Asset Protection

INFORMATION SECURITY MANAGEMENT
     Aspects
          o     Executive support
          o     Policies and procedures
          o     Security Awareness
          o     Security monitoring and auditing
          o     Incident response
          o     Corrective and preventive action.
     Roles and responsibilities
          o     Executive mgt: support and overall responsibility for asset protection
          o     Security steering committee: approval of security policies, risk related matters.
          o     CISO: development and enforcement of policy and asset protection
          o     Chief privacy officer
          o     Security auditor: monitoring and testing security controls
          o     Security administrator
          o     Security analyst: implementing security policy by designing and improving security controls and processes
          o     Systems analyst: by designing application software that includes adequate controls
          o     Software developers: coding applications that include controls to prevent application misuse or bypass of controls
          o     Managers
          o     Asset owners: responsible for protection and integrity of assets
          o     Employees
     Asset Inventory and Classification
          o     Hardware
          o     Information
     Access Control
          o     AC Management: request, review, segregation of duties, transfer, termination
          o     Logs
     Privacy
          o     PII: DL, SSN, Passport, phone, address, DoB, Accounts
     3rd Party Management
          o     3rd Party access countermeasures: logs, video, access controls, logical access, audits
          o     Legal agreements: liabilities, controls required, nondisclosure, security training, steps for a security breach, steps to be taken to reduce the likelihood of data loss caused by a disaster, right to inspect, compliance, destroy copies of information on request.
     HR Security
          o     Screening
          o     Agreements
          o     Job descriptions
          o     Transfer and termination
          o     Contractors and temps
     Computer Crime
          o     Roles
                    Target of a crime
                    Instrument of a crime
                    Support of a crime
          o     Categories
                    Military
                    Political
                    Terrorist
                    Financial
                    Business
                    Grudge
                    Amusement
          o     Perpetrators
                    Hackers
                    Cybercriminals
                    Spies
                    Terrorists
                    Script kiddies
                    Social engineers
                    Employees
                    Former employees
                    Knowledgeable outsiders
                    Service providers’ employees
     Security Incident Management
          o     Incident Response
                    Planning
                    Detection
                    Initiation
                    Evaluation
                    Eradication
                    Remediation
                    Closure
                    Post-Incident Review
          o     Testing Incident Response
                    Document review
                    Walkthrough
                    Simulation
          o     Incident prevention
                    Vulnerability monitoring
                    Patch management
                    System hardening
                    IDS
          o     Chain of custody:
                    Identification
                    Preservation
                    Analysis
                    Presentation

LOGICAL ACCESS CONTROLS: Subject access controls are in place to determine the identity of the subject. Service access is used to control the types of messages that are allowed to pass through a control point.
     Models
          o     MAC: Mandatory Access Control: Access to objects by subjects
          o     DAC: Discretionary Access Control: Owner of an object is able to determine how and by whom the object may be accessed.
     Threats
          o     Malware
          o     Eavesdropping
          o     Logic bombs
          o     Scanning attacks
     Vulnerabilities
          o     Unpatched systems
          o     Default system settings
          o     Default passwords
          o     Incorrect permissions settings
          o     Application logic
     Points of Entry
          o     Exposure to malware
          o     Eavesdropping
          o     Open access
     Identification, Authentication, and Authorization
          o     Identification: asserting an identity without providing any proof of it.
          o     Authentication: Subject asserts an identity, but some proof of the subject’s identity is required
          o     Authorization: System determines resource access to the subject
     User account provisioning
          o     Factors: user location, system limitations, data sensitivity
          o     Risks: Finding a password, eavesdropping
     Two Factor authentication: Digital certificates, smart cards, tokens
     Something you are: Biometrics such as hand print, fingerprint, palm vein, voice, facial scan, handwriting, iris scan
          o     Measurement variances: False reject rate, False accept rate, crossover error rate
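The three biometric measurement variances above, worked through as an added example that is not part of the original summary: the matcher scores are constructed, and the helper names (`false_reject_rate`, `false_accept_rate`, `crossover_error_rate`, `threshold_for_far_budget`) are hypothetical, not taken from any biometric product.

```python
"""Biometric matcher error rates: FRR, FAR and the crossover error rate (CER).

A biometric matcher returns a similarity score; the system accepts the
attempt when the score reaches a decision threshold. Moving that threshold
trades false rejects (genuine users turned away) against false accepts
(impostors let in). The crossover error rate is the point where the two
rates are equal and is the usual single-number comparison between systems.
"""

# Constructed sample data (not measured from any real device): similarity
# scores on a 0-100 scale. Genuine attempts score high on average, impostor
# attempts low, but the two distributions overlap, which forces the trade-off.
GENUINE_SCORES = [55, 62, 66, 70, 72, 75, 78, 80, 83, 85, 88, 90, 92, 95, 97]
IMPOSTOR_SCORES = [10, 20, 28, 35, 40, 44, 48, 52, 58, 63, 67, 71, 74, 79, 84]


def false_reject_rate(genuine, threshold):
    """FRR: share of genuine attempts rejected because score < threshold."""
    rejected = sum(1 for score in genuine if score < threshold)
    return rejected / len(genuine)


def false_accept_rate(impostor, threshold):
    """FAR: share of impostor attempts accepted because score >= threshold."""
    accepted = sum(1 for score in impostor if score >= threshold)
    return accepted / len(impostor)


def error_rate_table(genuine, impostor, thresholds):
    """Return (threshold, FRR, FAR) for every candidate threshold, ascending."""
    return [(t, false_reject_rate(genuine, t), false_accept_rate(impostor, t))
            for t in sorted(thresholds)]


def crossover_error_rate(genuine, impostor, thresholds):
    """Locate the threshold where FRR and FAR are closest (the crossover).

    Returns (threshold, cer); cer is the mean of FRR and FAR at that point,
    which equals both when the curves cross exactly on a candidate threshold.
    """
    best = None  # (gap between the rates, threshold, cer)
    for t, frr, far in error_rate_table(genuine, impostor, thresholds):
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def threshold_for_far_budget(genuine, impostor, thresholds, max_far):
    """Lowest threshold whose FAR stays within max_far, with the FRR it costs.

    This is the auditor's view: policy fixes an acceptable false accept rate
    for the asset being protected, and the resulting FRR is the usability
    price. Returns (threshold, frr, far) or None if no threshold qualifies.
    """
    for t, frr, far in error_rate_table(genuine, impostor, thresholds):
        if far <= max_far:
            return t, frr, far
    return None


if __name__ == "__main__":
    thresholds = range(0, 101)
    for t in (60, 70, 80, 90):
        print(f"threshold {t:3d}: FRR={false_reject_rate(GENUINE_SCORES, t):.3f} "
              f"FAR={false_accept_rate(IMPOSTOR_SCORES, t):.3f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds)
    print(f"crossover at threshold {t}: CER={cer:.3f}")
    print("FAR budget 10%:", threshold_for_far_budget(
        GENUINE_SCORES, IMPOSTOR_SCORES, thresholds, 0.10))
```

A higher threshold drives FAR toward zero at the cost of a steeply rising FRR, which is why the CER alone does not tell an auditor whether a deployment is tuned for the sensitivity of the data it guards.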
     Reduced Sign On: changing from stand-alone application authentication to centralized authentication like LDAP, RADIUS, Active Directory
     Single Sign On: one login authentication for multiple authorized applications
     Access Control Lists: common way to administer access controls
     Protecting Information
          o     Access controls
          o     Access Logging
          o     Backups
                    Automated tools
                    Protection of backup data
                    Offsite backup media storage
                    Restoration testing
                    Media inventory
     Patch Management
     Vulnerability Management
          o     Subscribing to security alerts
          o     Scanning
          o     Patch management
          o     Corrective action process
     System Hardening: remove services, change functions to unique system function, changed default password, non-predictable passwords, reduce privileges, eliminate interserver trust
     Managing User Access
          o     User Access Provisioning: Risk of errors can be devastating for an organization
          o     Termination: Some safeguards are needed like review of terminated employee’s actions before and after, periodic reviews, and review logs
          o     Transfers: Risk is privilege creep
          o     Password management: provisioning, lockout, forgotten passwords. Password length, complexity, expiration, reuse, rechange
          o     Stealing data
     Securing Wireless Networks
          o     Threats and vulnerabilities
                    Eavesdropping
                    War driving and chalking
                    Encryption
                    Spoofing
          o     Countermeasures
                    Obscure SSID
                    Stop SSID broadcast
                    Reduce transmit power
                    MAC filtering
                    WPA
                    Require VPN
                    Change default passwords
                    Patches
     Protecting Internet Communications
          o     Threats and vulnerabilities
                    Eavesdropping
                    Network analysis: reconnaissance phase of some bigger effort
                    Targeted attacks
                    Malware
                    Masquerading: forge messages that have the appearance of originating elsewhere.
                    DoS
                    Fraud
          o     Countermeasures
                    Firewalls
                    Honeypots and Honeynets
                    IDS
                    Change management and configuration management
                    Incident management
                    Security awareness training
     Encryption
          o     Terms:
                    Private Key Cryptosystem: Symmetric cryptography
                              Challenges
                                        Key exchange: Out of band method is required.
                                        Scalability
                    Public Key Cryptosystem: Asymmetric cryptosystem
                              Key pair: public and private keys
                              Message security: no need to establish and communicate symmetric encryption keys through a secure channel.
                              Verifying public keys:
                                        Certificate authority
                                        Email address
                                        Key fingerprint: retrieve the public key and calculate the key fingerprint.
                    Hashing and Message Digests
                    Digital Signatures: Seals a message or file using the sender’s identity
                    Digital Envelopes: Combining private and public
                    Public Key Infrastructure (PKI):
                              Digital certificates
                              Certificate Authority (CA)
                              Registration Authority (RA)
                              Certificate Revocation List (CRL)
                              Certification Practice Statement (CPS)
                    Key Management
                              Key generation: system must be highly protected, isolated, and used by a few people. System should include some randomness
                              Key protection
                                                 Protecting Mobile Devices: Encryption, strong                                Plaintext                                          Key custody: policies, processes,
                                                  access control, remote destruct, hardening, logical                          Ciphertext                                          and procedures regarding the
                                                  locking system, physical locking system                                      Hash function                                       management of keys.
                                                                                                                               Message digest                                     Key rotation: only when one of the
                                           NETWORK SECURITY CONTROLS                                                           Digital signature                                   following occurs:
                                                                                                                               Algorithm                                                      Key compromise
                                                 Network Security                                                             Decryption                                                     Key expiration
                                                      o    Threats: access by unauthorized persons,                            Encryption key                                                 Rotation of staff
                                                           spoofing, eavesdropping, malware, DoS,                              Cryptanalysis                                      Key disposal
                                                           access bypass, MITM                                                 Key length                           o   Encryption applications
                                                      o    Countermeasures: User authentication                                Block cipher                                       SSL/TLS
                                                           controls, machine authentication controls,                          Stream cipher                                      S-HTTP
                                                           anti-malware, encryption, switched                                  Initialization Vector (IV): random                 S/MIME
                                                           networks, IDS/IPS                                                    number to begin encryption process                 SSH
                                                                                                                               Symmetric encryption
                                                 Securing Client-Server Applications
                                                                                                                               Asymmetric encryption
                                                      o    Access controls: strong authentication
                                                                                                                               Key exchange
                                                      o    Interception of client-server
                                                                                                                               Nonrepudiation
                                                           communication: Network encryption
                                                      o    Network Failure
                                                      o    Change management
                                                      o    Disruption of client software updates
            - SET
    - Voice over IP (VoIP)
        o Threats and vulnerabilities
            - Eavesdropping
            - Spoofing
            - Malware
            - DoS
            - Toll fraud
        o Protecting: IDS, access management, firewalls, hardening, malware controls
    - Private Branch Exchange (PBX)
        o Threats and vulnerabilities
            - Default passwords on administrator console
            - Dial-in modem
            - Toll fraud
            - Espionage
        o Countermeasures
            - Administrative access control
            - Physical access control
            - Regular log review
    - Malware
        o Threats and vulnerabilities
            - Viruses
            - Worms
            - Trojan horses
            - Spyware
            - Root kits
            - Bots
            - Missing patches
            - Unsecure configuration
            - Faulty architecture
            - Faulty judgment
            - Spam
            - Phishing
            - DoS
        o Anti-Malware Administrative controls
            - Spam policy
            - Business related internet
            - No removable media
            - No downloading
            - No personally owned computers
        o Anti-Malware Technical controls
            - Anti-malware on email servers
            - On workstations
            - On web servers
            - Centralized malware console
            - IDS
            - Spam filters
            - Blocking use of removable media
    - Information Leakage
        o Countermeasures
            - Outbound email filters
            - Block removable media
            - Blocking internet access
            - Tighter access controls
            - Access logging
            - Job rotation
            - Periodic background checks

ENVIRONMENTAL CONTROLS
    - Threats and vulnerabilities
        o Electric power vulnerabilities
            - Spike: sharp increase
            - Inrush: sudden increase
            - Noise: presence of other electromagnetic signals
            - Dropout: momentary loss
            - Brownout: sustained drop
            - Blackout: complete loss
        o Physical environment vulnerabilities
            - Temperature
            - Humidity
            - Dust and dirt
            - Smoke and fire
            - Sudden unexpected movement
    - Countermeasures
        o Electric power
            - UPS
            - Electric generator
            - Dual power feeds
            - Power distribution unit (PDU)
        o Temperature and humidity controls: HVAC
        o Fire Prevention, detection, and suppression controls
            - Prevention:
                - Combustibles: stored away
                - Cleanliness
                - Electrical equipment maintenance
            - Detection: pull down stations, manual alarms, detectors
            - Suppression:
                - Types: wet pipe, dry pipe, pre-action, deluge, inert gas
                - Classes:
                    o A: wood, paper
                    o B: liquids and gases
                    o C: electrical
                    o D: combustible metals
                    o K: cooking oils and fats

PHYSICAL SECURITY CONTROLS
    - Threats and vulnerabilities
        o Theft
        o Sabotage
        o Espionage
        o Covert listening devices
        o Tailgating
        o Propped doors
        o Poor visibility
    - Countermeasures
        o Keycard systems
        o Cipher locks
        o Fences, walls, and barbed wire
        o Bollards and crash gates
        o Video
        o Visual notices
        o Bug sweeping
        o Guards
        o Guard dogs

AUDITING ASSET PROTECTION
    - Security Management
        o Policies, processes, procedures, and standards
        o Records
        o Training
        o Data ownership and management
        o Data custodians
        o Security administrators
        o New and existing employees
    - Logical Access controls
        o Network access paths
            - IT infrastructure
            - Network architecture and access documentation
        o User Access Controls
            - User access controls: authentication, bypass, access violations, user account lockout, IDS/IPS, shared accounts, dormant accounts, system accounts
            - Password management: password standards, account lockout, access to encrypted passwords
 
            - Password vaulting
        o User access provisioning:
            - Access request process
            - Access approvals
            - Segregation of duties (SOD)
            - Access reviews
        o Employee terminations
            - Termination process
            - Timeliness
            - Access reviews
            - Contractor access and termination
        o Access logs
            - Access log controls
            - Centralized access logs
            - Access log protection
            - Log review
            - Log retention
        o Investigative procedures
            - Policies and procedures
            - Computer crime investigations
            - Computer forensics
        o Internet points of presence
            - Search engines: what information is available
            - Social networking sites: what others are saying
            - Online sales sites: what's being sold
            - Domain names
    - Network Security Controls
        o Architecture review
            - Diagrams
            - Documents
            - Support of business objectives
            - Compliance with security policy
            - Comparison of documented vs actual
        o Network access controls
            - User authentication: Active Directory, LDAP
            - Firewalls
            - IDS
            - Remote access
            - Dial-up modems
        o Change management
            - Change control policy
            - Change logs
            - Change control procedures
            - Emergency changes
            - Rolled-back changes
            - Linkage to SDLC: change management and SDLC
            - Alert management
            - Penetration testing
            - Application scanning
            - Patch management
    - Environmental Controls
        o Power conditioning
        o Backup power
        o HVAC
        o Water detection
        o Fire detection and suppression
        o Cleanliness
    - Physical Controls
        o Siting and Marking
            - Proximity to hazards
        o Physical access controls
            - Physical barriers
            - Surveillance
            - Guards and dogs
            - Keycard systems
Domain 6 – BC & DR

DISASTERS
    - Types
        o Natural: Earthquakes, volcanoes, landslides, avalanches, wildfires, tropical cyclones, tornadoes, windstorms, lightning, ice storms, hail, flooding, tsunamis, pandemic, extraterrestrial impacts
        o Man-Made: Civil disturbances, Utility outages, materials shortages, fires, hazardous materials spills, transportation accidents, security events, terrorism and wars
        o How they affect organizations
            - Direct damage: earthquakes etc
            - Utility outage
            - Transportation
            - Services and supplier shortage
            - Staff availability
            - Customer availability

BCP Process
    - Develop Policy: formal policy included in the overall governance model
    - BCP and COBIT Controls
        o Develop IT continuity framework
        o Conduct business impact analysis
        o Develop and maintain IT continuity plans
        o Identify and categorize IT resources based on recovery objectives
        o Define and execute change control procedures to ensure IT continuity plan is current
        o Regularly test IT continuity plan
        o Develop follow-on action plan from test results
        o Plan and conduct IT continuity training
        o Plan IT services recovery and resumption
        o Plan and implement backup storage and protection
        o Establish procedures for conducting post-resumption reviews

Business Impact Analysis (BIA)
    - Inventory Key processes and systems
    - Statement of impact: qualitative or quantitative description of the impact if the process or system were

Establishing key targets
    - Recovery Time Objective (RTO): Time from onset of an outage until the resumption of service. ** An organization could establish two RTO targets, one for partial capacity and one for full capacity.
    - Recovery Point Objective (RPO): Time for which recent data will be irretrievably lost in a disaster. For critical transactions it is measured in minutes.

Developing Recovery Strategies and Plans
    - Strategies:
        o Site options: Hot, warm, cold, mobile, reciprocal (at another company)
        o Recovery and resilience technologies
            - RAID: Redundant Array of Independent Disks
                - RAID-0: striped
                - RAID-1: mirror
                - RAID-4: Data striping. RAID 4-5 allows for failure of one disk without losing information
                - RAID-6: Withstands failure of any two disk drives in the array.
            - SAN: Storage Area Network
            - NAS: Network Attached Storage.
        o Replication:
            - Disk storage system
            - Operating system
            - Database management system
            - Transaction management system
            - Application
        o Server clusters
        o Network connectivity and services
            - Redundant network connection
            - Redundant network services
        o Backup and restoration
    - Plans
        o Evacuation procedures
        o Disaster declaration procedures
            - Core team
            - Declaration criteria
            - Pulling the trigger: any single core

            - Emergency Response: evacuation, first aid, firefighting
            - Command and Control (Emergency Management)
            - Scribe: Document the important events during disaster response operations
            - Internal Communications
            - External communications
            - Legal and compliance
            - Damage assessment
            - Salvage
            - Physical security
            - Supplies
            - Transportation
            - Network
            - Network services
            - Systems
            - Databases
            - Data and records
            - Applications
            - Access management
            - Information security
            - Off-site storage
            - User hardware
            - Training
            - Relocation
            - Contract Information
        o Recovery procedures: should be hand in hand with the technologies that may have been added to IT systems to make them more resilient
        o Continuing Operations
        o Restoration procedures
        o Considerations:
            - Availability of personnel
            - Emergency supplies
            - Communications: identifying Critical personnel, suppliers, customers, and other parties, call trees, wallet cards
            - Transportation
        o Documentation
            - Supporting project documents
            - Analysis documents: BIA, RTP,
                                incapacitated for a time                                                                                                                           RPO, Criticality analysis
                                                                                                                          member                                                  Response documents: Business
                     Criticality Analysis: study of each system and process, a                                           Next Steps: Declaration will trigger
                     consideration of the impact on the organization if it is                                                                                                      recovery plan, Occupant
                                                                                                                          other response procedures.                               emergency plan (OEP), Emergency
                     incapacitated, the likelihood of incapacitation, and the                                            False alarms
                     estimated cost of mitigating the risk or impact of                                                                                                            communications plan, contact lists,
                                                                                                         o    Responsibilities: injured, caring for family                         DR plan,
                     incapacitation. (risk analysis)                                                          members, transportation unavailable, out of
                                                                                                              the area, communications, fear
    Continuity of operations plan
                                                  (COOP), Security incident
                                                  response plan (SIRT)
                                                 Test and review documents
                     Testing Recovery Plans
                              Test preparation: schedule, facilities, scripting,
                               participants, recordkeeping, contingency plan,
                              Document review
                              Walkthrough
                              Simulation
                              Parallel test
                              Cutover test
                              Documenting results
                              Improving recovery and continuity plans
                     Training Personnel: Document review, participation in
                     walkthroughs, participation in simulations, participation in
                     parallel and cutover tests
                              Hard copy of plan
                              Soft copy of plan
                              Online access
                              Wallet cards
                     Maintaining Recovery and Continuity Plans




                     Auditing Business Continuity and Disaster Recovery: An audit
                     of an organization’s BC program is a top-down analysis of key
                     business objectives and a review of documentation and interviews
                     to determine whether the BC strategy and program details support
                     those key business objectives.
                                     o    Reviewing Business Continuity and Disaster
Domain 6 – BC & DR




                                          Recovery Plans
                                     o    Reviewing Prior Test Results and Action
                                          Plans
                                     o    Evaluating off-site storage
                                     o    Evaluating alternate processing facilities
                                     o    Interviewing key personnel
                                     o    Reviewing service provider contracts
                                     o    Reviewing insurance coverage

More Related Content

PPTX
CISA Training - Chapter 1 - 2016
PPTX
CISA Training - Chapter 5 - 2016
PPTX
CISA Training - Chapter 2 - 2016
PPTX
CISA Training - Chapter 3 - 2016
PPTX
CISA exam 100 practice question
PDF
CISA Domain 1 - IS Auditing (day 1)
PDF
Cisa domain 4
PDF
CISA Domain 3 - Information Systems Acquisition, Development and Implementation
CISA Training - Chapter 1 - 2016
CISA Training - Chapter 5 - 2016
CISA Training - Chapter 2 - 2016
CISA Training - Chapter 3 - 2016
CISA exam 100 practice question
CISA Domain 1 - IS Auditing (day 1)
Cisa domain 4
CISA Domain 3 - Information Systems Acquisition, Development and Implementation

What's hot (20)

PDF
CISA Domain- 1 - InfosecTrain
PDF
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
PPTX
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
PDF
Cisa domain 3
PPTX
IT Audit For Non-IT Auditors
PDF
CISA Domain 4 Information Systems Operation | Infosectrain
PDF
Cisa domain 1
PDF
Internal control and Control Self Assessment
PPTX
Integrating Strategy and Risk Management
PPTX
GRC Fundamentals
PPTX
Risk indicators
PPTX
What is GRC – Governance, Risk and Compliance
PPT
business-continuity-management-awareness-presentation-for-mampu2929
PPTX
CISA Training - Chapter 4 - 2016
PPS
Control Self Assessment
PDF
Enterprise Risk Management - Aligning Risk with Strategy and Performance
PPTX
Final presentation internal controls
PDF
Governance, Risk, and Compliance Services
PDF
CISA DOMAIN 2 Governance & Management of IT
PPTX
Introduction to internal auditing
CISA Domain- 1 - InfosecTrain
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
Cisa domain 3
IT Audit For Non-IT Auditors
CISA Domain 4 Information Systems Operation | Infosectrain
Cisa domain 1
Internal control and Control Self Assessment
Integrating Strategy and Risk Management
GRC Fundamentals
Risk indicators
What is GRC – Governance, Risk and Compliance
business-continuity-management-awareness-presentation-for-mampu2929
CISA Training - Chapter 4 - 2016
Control Self Assessment
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Final presentation internal controls
Governance, Risk, and Compliance Services
CISA DOMAIN 2 Governance & Management of IT
Introduction to internal auditing
Ad

Similar to CISA Summary V1.0 (20)

PPTX
Managing The Portfolio
PDF
Business Governance Of Enterprise It
PPTX
SBS Group- Professional Services
PPTX
B2b Lead Generation - Roadmap to Success
PPTX
Mace Introduction
PPTX
SUIT Showdown 2010
PPSX
Acto It Consulting Presentation
PPSX
Acto It Consulting Presentation
PDF
Innovative Outsourcing Deal Structures
PPT
Bpr Process Modeling
PPTX
AdvisorAssist Compliance ROI
PDF
4iiii Quick Overview
PDF
Making IT Talent Work SFIA
PPTX
Client compass 1.4
PDF
Partnership Performance In Fm
PDF
ITIL Benefits
 
PPSX
Acto.IT Consulting Presentation
PPTX
Business continuity management fundamentals update
PPTX
PDF
Culture structure strategy_for_a_grc_program
Managing The Portfolio
Business Governance Of Enterprise It
SBS Group- Professional Services
B2b Lead Generation - Roadmap to Success
Mace Introduction
SUIT Showdown 2010
Acto It Consulting Presentation
Acto It Consulting Presentation
Innovative Outsourcing Deal Structures
Bpr Process Modeling
AdvisorAssist Compliance ROI
4iiii Quick Overview
Making IT Talent Work SFIA
Client compass 1.4
Partnership Performance In Fm
ITIL Benefits
 
Acto.IT Consulting Presentation
Business continuity management fundamentals update
Culture structure strategy_for_a_grc_program
Ad

CISA Summary V1.0

  • 1.   CISA summary  Version 1.0  Christian Reina, CISSP    This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the conditions that you give credit to the original author.  2010 ‐ Christian Reina, CISSP. 
  • 2. Risk Management IT Management Practices “Collection of top-down activities intended to control the IT Seek, identify, and manage risk. organization from a strategic perspective.”  Accept 1. Personnel Management  Policy  Mitigate a. Hiring: Background check, Employee Policy  Priorities  Transfer Manual, Job Description  Standards  Avoid b. Employee Development: Training,  Vendor Management Performance evaluation, Career path  Program/Project Management Risk Management Program c. Mandatory vacations: Audit, cross training,  Objectives: reduce costs, incidents reduced risk IT Strategy Committee  Scope d. Termination Advise board of directors on strategies.  Authority: Executive level of commitment e. Transfers and reassignments 2. Sourcing  Resources: a. Insource Balanced Scorecard  Policies, processes, procedures, and records Measure performance and effectiveness. b. Outsource: risks, SLA, policy, governance  Business contribution: Perception from Non-IT (service level agreements, change Risk Management Process executives management, security, quality, audits), SaaS  User: Satisfaction 3. Change Management 1. Asset Identification: Equipment, information, records, a. Request  Operational excellence: downtime, defects, support reputation, personnel b. Review tickets o Grouping Assets c. Approve  Innovation: increase IT value w/ innovation o Sources of asset data: Interviews, IT d. Perform change systems, Online data e. Verify change Information Security Governance o Organizing data: Business process, 4. Financial Management Roles and responsibilities Geography, OU, Sensitivity, Regulated a. Develop  Board of Directors: risk appetite and risk management 2. Risk Analysis b. Purchase  Steering Committee: Operational strategy for security o Threat analysis: All threats with realistic c. Rent Domain 1 – IT Governance  and risk management opportunity of occurrence 5. 
Quality Management  CISO: conducting risk assessment, developing security o Vulnerability Identification: Ranked by a. Software development policy, vulnerability management, incident severity or criticality b. Software acquisition management, compliance o Probability analysis: Requires research to c. Service desk  Employees: Comply with policies develop best guesses d. IT operations o Impact analysis: Study of estimating the e. Security Enterprise Architecture (EA) impact of specific threats on specific assets f. Standards: Map business functions into the IT environment as a model. o Qualitative: Subjective using numeric scale i. ISO 9000: Superseded by ISO Activities to ensure business needs are met o Quantitative: 9001:2008 Quality Management  Asset Value (AV) System Zachman Model  Exposure Factor (EF) ii. ISO 20000: IT Service IT Systems and environments are described at a high, functional  Single Loss Expectancy (SLE): AV Management for organization level, and then in increasing detail x EF adopting ITIL  Annualized rate of occurrence iii. ITIL DFD (ARO) 1. Service Delivery Illustrate the flow of information  Annualized loss expectancy (ALE): 2. Control Processes SLE x ARO 3. Release Processes 3. Risk Treatments 4. Relationship Processes o Risk Mitigation 5. Resolution Processes o Risk Transfer 6. Security Management o Risk Avoidance a. Security Governance o Risk Acceptance b. Risk Assessment o Residual Risk c. Incident Management d. Vulnerability Management e. Access and Identity management f. Compliance management
  • 3. g. BCP 3. Reviewing Outsourcing 7. Performance Management a. Distance a. COBIT b. Lack of audit contract terms b. SEI CMMI c. Lack of cooperation Roles and Responsibilities 1. Executive Management: CIO, CTO, CSO, CISO, CPO 2. Software Development: Architect, Analyst, developer, programmer, tester 3. Data Management: architect, DBA, analyst 4. Network Management: architect, engineer, administrator, telecom 5. Systems Management: architect, engineer, storage, systems administrator 6. Operations: manager, analyst, controls analyst, data entry, media librarian 7. Security Operations: architect, engineer, analyst, account management, auditor 8. Service Desk: Help desk, technical support Segregation of Duties Controls 1. Transaction authorization 2. Split custody Domain 1 – IT Governance  3. Workflow: extra approval 4. Periodic reviews Auditing IT Governance 1. Reviewing Documentation and Records: a. IT Charter, strategy b. IT org chart c. HR/IT performance d. HR promotion policy e. HR manuals f. Life-cycle processes and procedures g. IT operations procedures h. IT procurement process i. Quality management documents 2. Reviewing Contracts a. Service levels b. Quality levels c. Right to audit rd d. 3 party audit e. Conformance to policies, laws, regulations f. Incident notification g. Liabilities h. Termination terms i. Protection of PII
  • 4. Assess and evaluate the effectiveness of IT  Provide Appropriate Tools Required to Intercept and 3. Serve in the interest of stakeholders in a Obstruct Terrorism Act (PATRIOT) 2001 lawful and honest manner, while maintaining  Sarbanes-Oxley Act 2002 high standards of conduct and character, and AUDIT MANAGEMENT  Federal Information Security Management Act (FISMA) not engage in acts discreditable to the 2002 profession. The Audit Charter: Define roles and responsibilities. Sufficient  Controlling the Assault of Non-Solicited Pornography 4. Maintain the privacy and confidentiality of authority and Marketing Act (CAN-SPAM) 2003 information obtained in the course of their  California Privacy Act SB1386 2003 duties unless disclosure is required by legal The Audit Program: scope, objectives, resources, procedures  Identity Theft and Assumption Deterrence Act 2003 authority. Such information shall not be used  Basel II 2004 for personal benefit or released to Strategic Audit Planning: inappropriate parties.  Payment Card Industry Data Security Standard (PCI-  Factors: Business goals and objectives, Initiatives, DSS) 2004 5. Maintain competency in their respective fields market conditions, changes in technology, regulatory and agree to undertake only those activities,  North American Electric Reliability Corporation (NERC) requirements. which they can reasonably expect to 1968/2006  Changes in Audit Activities: New internal audits, new complete with professional competence.  Massachusetts Security Breach Law 2007 6. Inform appropriate parties of the results of external audits, increase in audit scope, impact on business process work performed; revealing all significant facts Canadian Regulations:  Resource planning: Budget and manpower known to them.  Interception of Communications Section 184 7. 
Support the professional education of  Unauthorized Use of Computer, Section 342.1 stakeholders in enhancing their Audit and Technology: Continue learning about new technologies  Privacy Act 1983 understanding of information systems security  Personal Information Protection and Electronic and control. Audit Laws and Regulations: Documents Act (PIPEDA)  Characteristics: Security, Integrity, Privacy European Regulations Audit Standards  Computer Security and Privacy Regulations: o Categories: Computer trespass, protection of  Convention for the Protection of Individuals with Regard sensitive information, collection and use of to Automatic Processing of Personal Data 1981  S1, Audit Charter information, law enforcement investigative  Computer Misuse Act (CMA) 1990  S2, Independence powers  Directive on the Protection of Personal Data 2003  S3, Professional Ethics and Standards European Union  S4, Professional Competence main 2 – The Audit Process  o Consequences: Loss of reputation, competitive advantage, sanctions, lawsuits,  Data Protection Act (DPA) 1998  S5, Planning fines, prosecution  Regulation of Investigatory Powers Act 2000  S6, Performance of Audit Work  Anti-Terrorism Crime and Security Act 2001  S7, Reporting “An organization should take a systematic approach to determine  Privacy and Electronic Communications Regulations  S8, Follow-up Activities the applicability of regulations as well as the steps required to 2003  S9, Irregularities and Illegal Acts attain compliance and remain in this state. 
“  Fraud Act 2006  S10, IT Governance  Police and Justice Act 2006  S11, Use of Risk Assessment in Audit Planning US Regulations:  S12, Audit Materiality  Access Device Fraud 1984 Other Regulations  S13, Use the Work of Other Experts  Computer Fraud and Abuse Act 1984  Cybercrime Act 2001 Australia  S14, Audit Evidence  Electronic Communications Act 1986  Information Technology Act 2000 India  S15, IT Controls  Electronic Communications Privacy Act (ECPA) 1986  S16, E-Commerce  Computer Security Act 1987 ISACA AUDITING STANDARS  Computer Matching and Privacy Protection Act 1988 Audit Guidelines  Communications Assistance for Law Enforcement Act Code of Ethics: (CALEA) 1994  G1, Using the Work of Other Auditors  Economic and Protection of Proprietary Information Act Members and ISACA certification holders shall:  G2, Audit Evidence Requirement 1996  G3, Use of Computer-Assisted Audit Techniques  Health Insurance Portability and Accountability Act 1. Support the implementation of, and encourage compliance with, appropriate (CAATs) (HIPPA) 1996  G4, Outsourcing of IS Activities to Other Organizations  Children’s Online Privacy Protection Act (COPPA) 1998 standards, procedures and controls for information systems.  G5, Audit Charter  Identity Theft and Assumption Deterrence Act 1998  G6, Materiality Concepts for Auditing IS 2. Perform their duties with objectivity, due  Gramm-Leach-Bliley Act 1999  G7, Due Professional Care diligence and professional care, in  Federal Energy Regulatory Commission (FERC) accordance with professional standards and  G8, Audit Documentation best practices.
  • 5. G9, Audit Considerations for Irregularities and Illegal  P10, Business Application Change Control PERFORMING AN AUDIT Acts  P11, Electronic Funds Transfer  G10, Audit Sampling  Formal Planning:  G11, Effect of Pervasive IS Controls RISK ANALYSIS o Purpose  G12, Organizational Relationship and Independence o Scope  G13, Use of Risk Assessment in Audit Planning  Evaluating Business Processes o Risk Analysis  G14, Application Systems Review  Identifying Business Risks o Audit procedures  G15, Planning  Risk Mitigation o Resources  G16, Effect of Third Parties on an Organization’s IT  Countermeasures Assessment o Schedule Controls  Monitoring  Types  G17, Efect of Nonaudit Role on the IS Auditor’s o Operational Independence INTERNAL CONTROLS o Financial o IS audit  G18, IT Governance o Administrative  G19, Irregularities and Illegal Acts o Compliance  G20, Reporting o Forensic  G21, Enterprise Resource Planning (ERP) Systems o Service provider Review o Pre-audit  G22, Business to Consumer (B2C) E-Commerce  Compliance vs. Substantive Testing Review o Compliance: Determine if control procedures  G23, SDLC Review have been properly designed and  G24, Internet Banking implemented and operating properly. 
 G25, Review of VPN o Substantive: Determine accuracy and  G26, Business Process Reengineering (BRP) Review integrity of transactions that flow through  G27, Mobile Computing processes and information systems  G28, Computer Forensics  Audit Methodology  G29, Post-implementation Review o Audit Subject Domain 2 – The Audit Process  G30, Competence o Audit Objective  G31, Privacy o Audit type  G32, BCP o Audit Scope  G33, General Consideration on the Use of the Internet o Pre-Audit planning  G34, Responsibility, Authority, and Accountability o Audit SoW  G35, Follow up Activities  Control Classification o Audit Procedures  G36, Biometric Controls o Types: Technical, Administrative, Physical o Communication plan o Classes: Preventative, Detective, Deterrent, o Report preparation  G37, Configuration Management Corrective, Compensating, Recovery o Wrap-up  G38, Access Controls o Categories: Manual, Automatic o Post-audit Follow-up  G39, IT Organization  Internal Control Objectives: Statements of desired  Audit Evidence  G40, Review of Security Management Practices outcomes from business operations. Protection of IT o Independence of the evidence provider  assets, Availability of IT systems o Qualifications of the evidence provider Audit Procedures o IS Control Objectives: Protection of o Objectivity information from unauthorized personnel,  P1, Risk Assessment Integrity of Operating Systems o Timing  P2, Digital Signature and Key management  Gathering Evidence  General Computing Controls: GCCs are controls that Org Chart  P3, IDS apply across all applications and services. Passwords o  P4, Viruses o Review dept and project charters are encrypted, Strong passwords o rd Review 3 party contracts  P5, Control Risk Self-Assessment  IS Controls: Each GCC is mapped to a specific IS o Review IS policies and procedures  P6, Firewall control on each system type. 
o Review IS Standards  P7, Irregularities and Illegal Acts  P8, Security Assessment (Pen test, vulnerability analysis)  P9, Encryption    
  • 6. o Review IS documentation o Ownership of controls o Personnel Interviews o Improved employee awareness o Passive observation o Improved relationship between  Observing Personnel departments and auditors o Real tasks  Disadvantages o Skills and experience o Mistaken as a substitute for internal audit o Security awareness o May be considered extra work o Segregation of Duties o May be considered an attempt by an  Sampling auditor to shrug off responsibilities o Statistical: Reflect the entire population o Lack of employee involvement has no o Judgmental: Subjectively selects samples results based on established criteria  Life Cycle o Attribute: Samples are examined and a o Identify and assess risks specific attribute is chosen o Identify and assess controls o Variable: Determine the characteristic of a o Develop questionnaire or workshop given population to determine total value o Analyze completed questionnaire o Stop-or-go: Sampling can stop at the earliest o Control remediation possible time due to low risk and rate of o Awareness training exceptions o Discovery: Trying to find at least one exception in a population o Stratified: Create different classes and review one attribute common to all classes  Computer-Assisted Audit: CAATs help examine and evaluate data across complex environments Domain 2 – The Audit Process  Reporting Audit Results o Cover letter o Intro o Summary o Description o Listing of systems and processes examined o Listing of interviewees o Listing of evidence obtained o Explanation of sampling technique o Description of findings and recommendations  Audit Risk o Control risk: undetected error by an internal control o Detection risk: IS auditor will overlook errors o Inherent risk: Inherent risks exist independent of the audit. 
o Overall audit risk: summation of all of the residual risks o Sampling risk: sampling technique will not detect  Materiality: A monetary threshold in financial audits CONTROL SELF-ASSESSMENT Methodology used by an organization to review key business objectives, and the key controls designed to manage those risks.  Advantages o Risks detected earlier o Improvement of internal controls
  • 7. Organization’s methodologies and practices for the development  Managing Projects  Other costs: development tools, and management of software, infrastructure, and business o Managing the project schedule workstations, servers, software processes. o Recording task completion licenses, network devices, training, o Running project meetings equipment PORTFOLIO AND PROGRAM MANAGEMENT: o Tracking project expenditures o Scheduling Project Tasks: Critical phase o Communicating project status  Gantt Chart A program is an organization of many large, complex activities,  Project Roles and Responsibilities  Program Evaluation and Review and can be thought of as a set of projects that work to fulfill one or o Senior management: support the approval of Technique (PERT) more key business objectives or goals. the project  Critical path Methodology (CPM): It o IT steering committee: Commission the is important to identify the critical  Starting a Program: feasibility study, approve project path in a project, because this o Program charter o Project manager allows the project manager to o Identification of available resources o Project team members understand which tasks are most  Running a Program: o End-user management: Assign staff to the likely to impact the project schedule o Monitoring project schedules project team. Support development of cases and to determine when the project o Managing project budgets o End users will finally conclude. o Managing resources o Project sponsor: define project objectives,  Timebox Management: A period in o Identifying and managing conflicts provide budget which a project must be completed. 
o Creating status reports o Systems development management o Project Records:  Project Portfolio Management o System developers  Project plans Security manager  Project changes Domain 3 – IT Life­Cycle Management o Executive sponsor o o Program manager o IT Operations  Meetings agendas and minutes o Project manager  Project Planning  Resource consumption o Start and end dates  Task identification  Task information o Names of participants  Task estimation o Project Documentation: Helps users, support o Objectives or goals that the project supports  Task resources staff, IT operations, developers, and auditors o Budget  Task dependencies o Project Change Management: The o Resources  Milestone tracking procedures for making changes to the project o Dependencies  Task tracking should be done in two basic steps:  Business Case development o Estimating and sizing software projects  The project team should identify the o Business problem  Object Breakdown Structure (OBS) specific use, impact, and remedy. o Feasibility study results  Work Breakdown Structure (WBS) Make a formal request o High-level project plan  Source Lines of Code (SLOC):  This change request should be o Budget accurate estimate based on presented to management along o Metrics previous analysis for the time to with its impact. Management o Risks develop a program. should make a decision. 
 COCOMO: Constructive Cost o Project closure PROJECT MANAGEMENT Model method for estimating  Project debrief software development projects  Project documentation archival  Organizing Projects  Management review  Direct report: Project team leader  Training  Influencer: Influence members but  Formal turnover to users, does not manage them directly operations and support  Pure project: Given authority o Methodologies  Matrix: Authority over each project  Project Management Body of team member Knowledge (PMBOK): Process o Initiating a project based  Developing Project Objectives  Processes: o Object Breakdown Structure (OBS): Visual  Function Point Analysis (FPA): o Inputs representation of the system, software, or time-proven estimation technique o Techniques application, in a hierarchical form. for larger software projects. It o Outputs o Work Breakdown Structure (WBS): Logical studies the detailed design representation of the high-level and detailed specifications for an application tasks that must be performed to complete the program and counts the number of project. user inputs, user outputs, user queries, files, and external interfaces.
  • 8. Process groups  Access control o Unit testing: by developers during the coding  Initiating  Encryption phase. Should be a part of the development  Planning  Data validation of each module in the application.  Executing  Audit logging o System testing: end to end testing. Includes  Controlling and  Security operational requirements interface testing, migration testing. monitoring o DR/BCP Requirements o Functional testing: Verification of functional  Closing o Privacy Requirements requirements o Projects IN Controlled Environments o RFP Process: Request For Proposal o User Acceptance Testing (UAT): In most (PRINCE2): Project management framework  Requirements cases, it is a formal step to find out if  Starting up a project (SU)  Vendor financial stability organization accepts the software developed rd  Planning (PL)  Product roadmap by a 3 party.  Initiating a project (IP)  Experience o Quality Assurance Testing (QAT):  Directing a project (DP)  Vision 6. Implementation  Controlling a stage (CS)  References o Planning:  Managing product delivery (MP)  Questions for clients:  Prepare physical space for  Managing Stage Boundaries (SB)  Satisfaction with production systems  Closing a project (CP) installation  Build production systems  Scrum: Iterative and incremental  Satisfaction with  Install application software process most commonly used to migration  Migrate data project manage an agile software  Satisfaction with support o Training: development effort.  Satisfaction with long-  End users  Domain 3 – IT Life­Cycle Management   Scrum master: this is the term roadmap Customers project manager  What went well  Support staff  Product owner: This is  What did not go well  Trainers the customer  Contract negotiation o Data migration   Record counts  Team Closing the RFP  Batch totals  Users 3. Design: A top down approach  Checksums  Stakeholders 4. 
Development: o Cutover  Managers  Coding the application  Developing program and system  Parallel level documents  Geographic SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)  Module by module  Developing user procedures  Working with users  Roll-back 1. Feasibility Study: Determine whether a specific o Rollback Planning change or set of changes in business processes and  Developing in a software acquisition setting: 7. Post Implementation underlying applications is practical to undertake. o Implementation review o Time required to develop / acquire software  Customizations  System adequacy o A comparison between the cost of developing  Interfaces of other  Security review the application vs buying systems  Issues o Whether an existing system can meet the  Authentication  ROI business need  Reports o Software maintenance o Whether the application supports strategic  Debugging business objectives  Correct operations  Development Risks o Whether a solution can be developed that is  Input validation o Application inadequacy compatible with other IT systems  Proper output validation o Project risk o The impact of the proposed changes to the  Resource usage o Business inefficiency business on regulatory compliance  Source Code Management (SCM) o Market changes o Whether future requirements can be met by  Protection the system  Control  Development Approaches and Techniques 2. Requirements: Characteristics of a new application or  Version control o Agile Development changes being made.  Recordkeeping o Prototyping o Business functional requirements: Must have 5. Testing to support the business o Technical requirements and standards: Use the same basic technologies already in use as well as formal technical standards. o Security and Regulatory Requirements:  Authentication  Authorization
  o Rapid Application Development (RAD)
  o Data Oriented System Development (DOSD)
  o Object-Oriented System Development (OO)
  o Component based development: CORBA, DCOM, SOA
  o Web-Based Application Development: HTML, SOAP, XML
  o Reverse Engineering
• System Development Tools
  o Computer-Aided Software Engineering (CASE)
    - Upper CASE: requirements gathering, DFDs, interfaces
    - Lower CASE: Creation of program source code and data schemas
  o Fourth Generation Languages

Benchmarking a Process
• Plan
• Research
• Measure and observe
• Analyze
• Adapt: understand the fundamental reasons why other organizations' measurements are better than its own.
• Improve

Capability Maturity Models
• Software Engineering Institute Capability Maturity Model (SEI CMM)
  o Initial
  o Repeatable
  o Defined
  o Managed
  o Optimizing
• Capability Maturity Model Integration (CMMI): An aggregation of these other models into an overall maturity model.
• ISO 15504: Software Process Improvement and Capability dEtermination (SPICE)
  o Level 0 incomplete
  o Level 1 performed
  o Level 2 managed
  o Level 3 established
  o Level 4 predictable
  o Level 5 optimizing

INFRASTRUCTURAL DEVELOPMENT AND IMPLEMENTATION
1. Review of existing architecture
2. Requirements
   a. Business functional requirements
   b. Technical requirements and standards
   c. Security and regulatory requirements
   d. Privacy requirements
3. Design
   a. Procurement
4. Testing
5. Implementation
6. Maintenance

MAINTAINING INFORMATION SYSTEMS
• Change Management Process
  o Change request
  o Change review
  o Perform change
  o Emergency changes
• Configuration Management
  o Recovery: configuration records are stored independently of the systems themselves
  o Consistency: simplifies administration, reduces mistakes, and results in less unscheduled downtime.

BUSINESS PROCESSES
• Business Process Life Cycle (BPLC)
  1. Feasibility study
  2. Requirements definition
  3. Design
  4. Development
  5. Testing
  6. Implementation
  7. Monitoring
  8. Post-implementation

APPLICATION CONTROLS
• Input Controls
  o Authorization
    - User access controls
    - Workstation identification
    - Approved transactions and batches
    - Source documents
  o Input validation
    - Type checking
    - Range and value checking
    - Existence
    - Consistency
    - Length
    - Check digits
    - Spelling
    - Unwanted characters
    - Batch controls
  o Error handling
    - Batch rejection
    - Transaction rejection
    - Request re-input
• Processing Controls
  o Editing
  o Calculations
    - Run-to-run totals
    - Limit checking
    - Batch totals
    - Manual recalculation
    - Reconciliation
    - Hash values
  o Data file controls
    - Data file security
    - Error handling
    - Internal and external labeling
    - Data file version
    - Source files
    - Transaction logs
  o Processing errors
• Output Controls
  o Controlling special forms
  o Report distribution and receipt
  o Reconciliation
  o Retention
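The input controls above (check digits, range and value checks, batch controls, transaction versus batch rejection) and the data-migration verification in the SDLC section (record counts, batch totals, checksums) are the same mechanism seen from two sides. The following is an added example, not part of the original summary, showing one way to implement them in Python: the transaction layout, the policy limits, the Luhn (mod-10) check-digit scheme and the sample batch are all assumptions chosen for the illustration.

```python
"""Batch input controls: per-transaction validation, control totals, run-to-run reconciliation.
Added example; field layout, limits and sample data are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

ALLOWED_CURRENCIES = {"USD"}      # value check against an approved list (assumed policy)
AMOUNT_LIMIT_CENTS = 1_000_000    # range check: 0 < amount <= limit (assumed policy)
ACCOUNT_LENGTH = 11               # length check (assumed account-number format)

# Constructed sample batch. Account numbers carry a Luhn (mod-10) check digit.
SAMPLE_BATCH = [
    {"id": "T001", "account": "79927398713", "amount_cents": 12500, "currency": "USD"},
    {"id": "T002", "account": "79927398713", "amount_cents": 980050, "currency": "USD"},
    {"id": "T003", "account": "79927398710", "amount_cents": 4200, "currency": "USD"},   # bad check digit
    {"id": "T004", "account": "79927398713", "amount_cents": -500, "currency": "USD"},   # out of range
    {"id": "T005", "account": "79927398713", "amount_cents": 31000, "currency": "EUR"},  # not on the list
]
# Control totals the sending system computed before transmission (constructed to match the batch).
# The hash total is the arithmetic sum of a non-financial field, here the account numbers.
SENDER_CONTROLS = {"record_count": 5, "batch_total": 1027250, "hash_total": 399636993562}


def luhn_valid(number: str) -> bool:
    """Check-digit validation using the Luhn / mod-10 scheme: detects single-digit errors
    and most adjacent transpositions in keyed account numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def validate_transaction(tx: dict) -> list[str]:
    """Input validation for one record; returns the names of the failed checks (empty = accept)."""
    errors: list[str] = []
    for f in ("id", "account", "amount_cents", "currency"):   # existence check
        if f not in tx:
            errors.append(f"existence:{f}")
    if errors:
        return errors
    if not isinstance(tx["amount_cents"], int):                # type check
        errors.append("type:amount_cents")
    elif not 0 < tx["amount_cents"] <= AMOUNT_LIMIT_CENTS:     # range check
        errors.append("range:amount_cents")
    if not (len(tx["account"]) == ACCOUNT_LENGTH and luhn_valid(tx["account"])):
        errors.append("check_digit:account")                   # length + check digit
    if tx["currency"] not in ALLOWED_CURRENCIES:               # value check
        errors.append("value:currency")
    return errors


def control_totals(batch: list[dict]) -> dict:
    """Record count, batch (financial) total and hash total over the received batch."""
    return {
        "record_count": len(batch),
        "batch_total": sum(tx.get("amount_cents", 0) for tx in batch),
        "hash_total": sum(int(tx["account"]) for tx in batch if str(tx.get("account", "")).isdigit()),
    }


@dataclass
class BatchResult:
    batch_rejected: bool
    reason: str = ""
    accepted: list = field(default_factory=list)
    rejected: dict = field(default_factory=dict)   # transaction id -> failed checks (request re-input)


def process_batch(batch: list[dict], sender_controls: dict) -> BatchResult:
    """Batch rejection when control totals disagree (records lost, duplicated or altered in
    transit); otherwise transaction-level rejection of individual records that fail validation."""
    computed = control_totals(batch)
    if computed != sender_controls:
        return BatchResult(True, f"control totals mismatch: sender {sender_controls}, received {computed}")
    result = BatchResult(False)
    for tx in batch:
        errs = validate_transaction(tx)
        if errs:
            result.rejected[tx.get("id", "?")] = errs
        else:
            result.accepted.append(tx)
    return result


def run_to_run(opening_balance_cents: int, result: BatchResult, expected_closing_cents: int) -> tuple[int, bool]:
    """Run-to-run total: this run's closing balance must equal the previous run's closing
    balance plus the amounts accepted in this run."""
    closing = opening_balance_cents + sum(tx["amount_cents"] for tx in result.accepted)
    return closing, closing == expected_closing_cents


if __name__ == "__main__":
    r = process_batch(SAMPLE_BATCH, SENDER_CONTROLS)
    print("batch rejected:", r.batch_rejected)
    print("accepted:", [t["id"] for t in r.accepted])
    print("rejected:", r.rejected)
    print("run-to-run:", run_to_run(50_000, r, 1_042_550))
```

Dropping a record from the batch (or altering an account number) changes the control totals and the whole batch is rejected before any record is processed; records that fail a field-level check are rejected individually and returned for re-input, so the two error-handling paths in the outline above map directly onto the two branches of `process_batch`.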
AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE
• Auditing Project Management
• Auditing the Feasibility Study
• Auditing Requirements
• Auditing Design
• Auditing Development
• Auditing Software Acquisition
• Auditing Implementation
• Auditing Post-Implementation
• Auditing Change Management
• Auditing Configuration Management

AUDITING BUSINESS CONTROLS
Identify the key processes in an organization and understand the controls that are in place, or should be in place, that govern the integrity of those processes.

AUDITING APPLICATION CONTROLS
• Transaction Flow
• Observations
• Data Integrity Testing: Used to confirm whether an application properly accepts, processes, and stores information.
• Testing Online Processing Systems
• Auditing Applications
• Continuous Auditing: Several techniques are available to perform online auditing:
Domain 4 – IT Service Delivery & Infrastructure

INFORMATION SYSTEMS OPERATIONS
IT organizations are effective if their operations are effective. IT organizations are service organizations: their purpose is to serve the organization and support its business processes.

• Management and control of operations
  o Process and procedures
  o Standards
  o Resource allocation
  o Process management
• IT Service management (ITSM)
  o Service desk
  o Incident mgt
  o Problem mgt
  o Change mgt
  o Configuration mgt
  o Release mgt: the ITIL term for the SDLC. Used for changes in a system such as:
    - Incidents and problem resolution
    - Enhancements
    - Subsystem patches and changes
  o Service-level mgt
  o Financial mgt
  o Capacity mgt
    - Periodic measurements
    - Considering planned changes
    - Understanding long-term strategies
    - Changes in technology
  o Service continuity mgt
  o Availability mgt
    - Effective change mgt
    - Effective application testing
    - Resilient architecture
    - Serviceable components
• Infrastructure Operations
  o Running scheduled jobs
  o Restarting failed jobs/processes
  o Facilitating backup jobs
  o Monitoring systems/apps/networks
• Monitoring
• Software Program Library Management: System used to store and manage access to an organization's application source and object code
  o Access and authorization controls
  o Program checkout
  o Program check-in
  o Version control
  o Code analysis
• Quality Assurance
• Security Management
  o Policies, procedures, processes, and standards
  o Risk Assessments
  o Impact analysis
  o Vulnerability management

INFORMATION SYSTEMS HARDWARE
• Computer usage
  o Types: supercomputer, mainframe, midrange, server, desktop, laptop, mobile
  o Uses: app server, web server, file server, db server, print server, test server, thin client, thick client, workstation
• Computer architecture
  o CPU: CISC (Complex Instruction Set Computer), RISC (Reduced Instruction Set Computer), Single processor, Multi-processor
  o Bus: PCI, PC Card, MBus, Sbus
  o Main Storage
  o Secondary Storage: Program storage, data storage, temporary files, OS, virtual memory
  o Firmware: Flash, EPROM, PROM, ROM, EEPROM
  o I/O and Networking
  o Multi-computer: Blade computers, grid computing, server clusters, virtual servers
• Hardware maintenance
• Hardware monitoring

INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE
• Computer Operating Systems
  o Access to peripherals
  o Storage mgt
  o Process mgt
  o Resource allocation
  o Communication
  o Security
  o OS Virtualization
  o Clustering: using special software
  o Grid Computing: a form of distributed computing
  o Cloud Computing: dynamically scalable and usually virtualized
• Data Communication Software
• File Systems: Directories, files, FAT, NTFS, HFS (Hierarchical File System), ISO 9660 (CD-ROM, DVD), UDF (Universal Disk Format)
• Database Management Systems
  o Relational DB Management (rDBMS): Primary key, one or more indexes, referential integrity, Encryption, Audit logging, access controls
  o Object Database (ODBMS): Represented as objects; data and the programming methods are contained in an object
  o Hierarchical Database: Top-down
• Media Management System: Tape management systems (TMS) or Disk Management Systems (DMS)
• Utility software
  o Software and data design
  o Software development
  o Software testing
  o Security testing
  o Data management
  o System health
  o Network

NETWORK INFRASTRUCTURE
• Network Architecture
  o Physical network architecture
  o Logical network architecture
  o Data flow architecture
  o Network standards and services
• Types of networks
  o Personal Area Network (PAN): range of a few meters (about 3 m); used to connect peripherals for use by an individual
  o LAN
  o Campus Area Network (CAN)
  o Metropolitan Area Network (MAN)
  o WAN
• Network-based Services: email, print, file storage, remote access, directory, terminal emulation, time synch, network authentication, web security, anti-malware, network management
• Network Models
  o OSI: Application, presentation, session, transport, network, data link, physical
  o TCP/IP: Link, internet, transport, application
• Network Technologies
  o LAN
    - Physical topology: Star, Ring, Bus
    - Cable types: Shielded twisted pair (STP), screened unshielded twisted pair (S/UTP), screened shielded twisted pair (S/STP), unshielded twisted pair (UTP)
    - Other types: Fiber, coaxial, serial
    - Network Transport protocols
      · Ethernet: Broadcast or shared medium with collision detection (CSMA/CD); collision avoidance (CSMA/CA) is the wireless variant
      · ATM: Asynchronous Transfer Mode. Connection-oriented, cell-switched link-layer protocol.
      · Token Ring
      · Universal Serial Bus
      · FDDI: Fiber distributed data interface. Ring range up to 200 km; 100 Mbit/s per ring (200 Mbit/s aggregate when both rings carry data).
  o WAN
    - MPLS
    - SONET
    - Frame Relay
    - ISDN
    - X.25
  o Wireless
    - Wi-Fi
    - Bluetooth
    - Wireless USB
    - NFC (Near Field Communication): extremely short-range radio, commonly used for merchant payment applications.
    - IrDA: Infrared Data Association.
• TCP/IP Protocols
  o Link Layer / network access layer
    - ARP (Address resolution)
    - RARP (Reverse address resolution)
    - L2TP (Layer 2 Tunneling Protocol)
    - PPP
    - Media Access Control (MAC)
  o Internet Layer / Layer 3
    - IP
    - ICMP
    - IGMP
    - IPSec
    - OSPF (Open Shortest Path First): a routing protocol carried directly in IP packets, so it belongs here rather than at the link layer
    - IP Addresses, subnets, masks, gateway, classless and classful networks
  o Transport Layer
    - TCP
    - UDP
  o Application layer
    - File Transfer Protocols: FTP, FTPS, SFTP, SCP, rcp
    - Messaging protocols: SMTP, POP, IMAP, NNTP
    - File and directory sharing protocols: NFS, RPC
    - Session protocols: TELNET, rlogin, SSH, HTTP, HTTPS
    - Management protocols: SNMP, NTP
    - Directory service protocols: DNS, LDAP, X.500
• Global Internet: Email, IM, VPN, WWW
• Network Management
  o Tools: Network management systems, Network management agents, Incident management systems, Protocol analyzers, Sniffers
• Networked Applications
  o Client–Server
  o Web-based

AUDITING IS INFRASTRUCTURE AND OPERATIONS
• Auditing IS Hardware
  o Standards: procurement stds
  o Maintenance: records, service contracts
  o Capacity: system's capacity monitoring
  o Change mgt: changes requested and reviewed prior to approval
• Auditing OSs
  o Standards: written stds
  o Maintenance and support: support contracts
  o Change mgt
  o Configuration mgt: tools, recordkeeping, config processes
  o Security mgt: hardening
• Auditing File Systems
  o Capacity: storage
  o Access control
• Auditing DB Management Systems
  o Configuration mgt: centrally controlled
  o Change mgt: changes should be consistent and systematic
  o Capacity mgt: ability to support business processes
  o Security mgt: access controls, logs
• Auditing Network Infrastructure
  o Network architecture
  o Security architecture
  o Standards
  o Change mgt
  o Capacity mgt
  o Configuration mgt
  o Administrative access management
  o Network components
  o Log management
  o User access management
• Auditing Network Operating Controls
  o Network operating procedures
  o Restart procedures
  o Troubleshooting procedures
  o Security controls
  o Change management
•  Auditing computer operations
  o System configuration standards
  o System build procedures
  o System recovery procedures
  o System update procedures
  o Patch management
  o Daily tasks
  o Backup
  o Media control
  o Monitoring
• Auditing Data Entry
  o Data entry procedures
  o Input verification
  o Batch verification
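The Internet-layer items above (addresses, subnets, masks, gateway, classful versus classless networks) are what an auditor checks network documentation against. The following is an added example, not from the original summary, that computes those values with Python's standard `ipaddress` module; the sample addresses come from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the "default gateway is the first usable address" convention is an assumption of the example, not a rule.

```python
"""Classful versus classless (CIDR) reading of an IPv4 address, and the forwarding decision a host
makes from its own mask. Added example; sample addresses are constructed."""
from __future__ import annotations
import ipaddress
from typing import Optional, Union


def classful_prefix(addr: Union[str, ipaddress.IPv4Address]) -> Optional[int]:
    """Prefix length the pre-CIDR address classes would imply from the first octet:
    A (0-127) /8, B (128-191) /16, C (192-223) /24. Class D/E have no default mask."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    return None


def describe(cidr: str) -> dict:
    """Network, mask, broadcast and host count for an address written in CIDR notation,
    plus whether the configured prefix departs from the classful default (i.e. is classless)."""
    iface = ipaddress.ip_interface(cidr)
    if not isinstance(iface, ipaddress.IPv4Interface):
        raise ValueError("this example handles IPv4 only")
    net = iface.network                       # host bits zeroed for us
    prefix = net.prefixlen
    classful = classful_prefix(iface.ip)
    # /31 (point-to-point, RFC 3021) and /32 have no network/broadcast addresses to subtract.
    usable = net.num_addresses - 2 if prefix <= 30 else net.num_addresses
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "mask": str(net.netmask),
        "prefix": prefix,
        "broadcast": str(net.broadcast_address),
        "usable_hosts": usable,
        "classful_prefix": classful,
        "classless": classful is not None and classful != prefix,
    }


def same_subnet(a: str, b: str) -> bool:
    """True when two CIDR-notated interfaces sit on the same network."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def next_hop(host_cidr: str, dest: str, gateway: str) -> str:
    """A host delivers directly to destinations inside its own subnet and sends everything
    else to its default gateway; a wrong mask therefore misroutes traffic."""
    net = ipaddress.ip_interface(host_cidr).network
    return "direct" if ipaddress.ip_address(dest) in net else gateway


if __name__ == "__main__":
    for cidr in ("192.0.2.130/26", "10.1.2.3/8", "172.16.5.9/20", "203.0.113.7/31"):
        print(describe(cidr))
    print(next_hop("192.0.2.130/26", "192.0.2.140", "192.0.2.129"))   # direct
    print(next_hop("192.0.2.130/26", "192.0.2.10", "192.0.2.129"))    # via gateway
```

`192.0.2.130/26` is a classless split of what the old classes would call a /24 network: four /26 subnets of 62 usable hosts each. The `next_hop` check is the one to run when a "same network" reachability problem is reported: two hosts whose addresses differ only in host bits under one mask may still be on different subnets under another.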
  o Correction procedures
• Auditing Lights-Out operations
  o Remote administration procedures
  o Remote monitoring procedures
• Auditing Problem Management Operations
  o Problem management policy and processes
  o Problem management records
  o Problem management timelines
  o Problem management reports
  o Problem resolution
  o Problem recurrence
• Auditing Monitoring Operations
  o Monitoring plan
  o Problem log
  o Preventative maintenance
  o Management review and action
• Auditing Procurement
  o Requirements definition: functional, technical, and security requirements approved by management. Policies, procedures, and records.
  o Feasibility studies
Domain 5 – Information Asset Protection

INFORMATION SECURITY MANAGEMENT
• Aspects
  o Executive support
  o Policies and procedures
  o Security Awareness
  o Security monitoring and auditing
  o Incident response
  o Corrective and preventive action
• Roles and responsibilities
  o Executive mgt: support and overall responsibility for asset protection
  o Security steering committee: approval of security policies, risk-related matters
  o CISO: development and enforcement of policy and asset protection
  o Chief privacy officer
  o Security auditor: monitoring and testing security controls
  o Security administrator
  o Security analyst: implementing security policy by designing and improving security controls and processes
  o Systems analyst: designing application software that includes adequate controls
  o Software developers: coding applications that include controls to prevent application misuse or bypass of controls
  o Managers
  o Asset owners: responsible for protection and integrity of assets
  o Employees
• Asset Inventory and Classification
  o Hardware
  o Information
• Access Control
  o AC Management: request, review, segregation of duties, transfer, termination
  o Logs
• Privacy
  o PII: driver's license, SSN, passport, phone, address, DoB, account numbers
• 3rd Party Management
  o 3rd party access countermeasures: logs, video, access controls, logical access, audits
  o Legal agreements: liabilities, controls required, nondisclosure, security training, steps for a security breach, steps to be taken to reduce the likelihood of data loss caused by a disaster, right to inspect, compliance, destruction of copies of information on request
• HR Security
  o Screening
  o Agreements
  o Job descriptions
  o Transfer and termination
  o Contractors and temps
• Computer Crime
  o Roles of the computer
    - Target of a crime
    - Instrument of a crime
    - Support of a crime
  o Categories
    - Military
    - Political
    - Terrorist
    - Financial
    - Business
    - Grudge
    - Amusement
  o Perpetrators
    - Hackers
    - Cybercriminals
    - Spies
    - Terrorists
    - Script kiddies
    - Social engineers
    - Employees
    - Former employees
    - Knowledgeable outsiders
    - Service providers' employees
• Security Incident Management
  o Incident Response
    - Planning
    - Detection
    - Initiation
    - Evaluation
    - Eradication
    - Remediation
    - Closure
    - Post-Incident Review
  o Testing Incident Response
    - Document review
    - Walkthrough
    - Simulation
  o Incident prevention
    - Vulnerability monitoring
    - Patch management
    - System hardening
    - IDS
  o Chain of custody (evidence handling)
    - Identification
    - Preservation
    - Analysis
    - Presentation

LOGICAL ACCESS CONTROLS: Subject access controls determine the identity of the subject. Service access controls determine the types of messages that are allowed to pass through a control point.
• Models
  o MAC: Mandatory Access Control: the system grants or denies access by comparing the subject's clearance label with the object's classification label; neither the owner nor the user can override the decision.
  o DAC: Discretionary Access Control: the owner of an object determines how and by whom the object may be accessed.
• Threats
  o Malware
  o Eavesdropping
  o Logic bombs
  o Scanning attacks
• Vulnerabilities
  o Unpatched systems
  o Default system settings
  o Default passwords
  o Incorrect permission settings
  o Application logic
• Points of Entry
  o Exposure to malware
  o Eavesdropping
  o Open access
• Identification, Authentication, and Authorization
  o Identification: asserting an identity without providing any proof of it
  o Authentication: the subject asserts an identity and some proof of that identity is required
  o Authorization: the system determines which resources the authenticated subject may access
• User account provisioning
  o Factors: user location, system limitations, data sensitivity
  o Risks: finding a password, eavesdropping
• Two-factor authentication: combines two different factor types
  o Something you have: digital certificates, smart cards, tokens
  o Something you are: biometrics such as hand print, fingerprint, palm vein, voice, facial scan, handwriting, iris scan
    - Measurement variances: False reject rate, False accept rate, crossover error rate (the point where the two rates are equal)
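The MAC/DAC distinction above is easiest to see as two decision functions over the same request. The following is an added example, not part of the original summary: the label lattice (public < internal < confidential < secret, plus need-to-know compartments), the names and the sample file are assumptions for the illustration, and the MAC rule implemented is the Bell-LaPadula pair "no read up, no write down".

```python
"""DAC versus MAC as access-control decision functions.
Added example; the label lattice, subjects and resource are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# Assumed lattice: a linear sensitivity level plus need-to-know compartments.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level and a superset of compartments."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.compartments >= other.compartments


@dataclass
class Subject:
    name: str
    clearance: Label


@dataclass
class Resource:
    name: str
    owner: str
    classification: Label
    acl: dict = field(default_factory=dict)   # DAC: grantee -> set of permissions, kept by the owner


def dac_grant(actor: Subject, res: Resource, grantee: str, perm: str) -> None:
    """Discretionary: only the owner may change who can access the object."""
    if actor.name != res.owner:
        raise PermissionError(f"{actor.name} does not own {res.name}")
    res.acl.setdefault(grantee, set()).add(perm)


def dac_allows(subj: Subject, res: Resource, perm: str) -> bool:
    return subj.name == res.owner or perm in res.acl.get(subj.name, set())


def mac_allows(subj: Subject, res: Resource, perm: str) -> bool:
    """Mandatory: labels decide and the owner cannot override them.
    read  -> subject clearance must dominate object classification (no read-up)
    write -> object classification must dominate subject clearance (no write-down)"""
    if perm == "read":
        return subj.clearance.dominates(res.classification)
    if perm == "write":
        return res.classification.dominates(subj.clearance)
    return False


def allowed(subj: Subject, res: Resource, perm: str) -> bool:
    """A system enforcing both: a DAC grant never bypasses the mandatory check."""
    return mac_allows(subj, res, perm) and dac_allows(subj, res, perm)


def scenario() -> dict:
    """Constructed scenario: the owner shares a confidential/finance file with two colleagues."""
    alice = Subject("alice", Label("secret", frozenset({"finance"})))
    bob = Subject("bob", Label("internal"))
    carol = Subject("carol", Label("secret"))            # high level but no finance compartment
    report = Resource("q3-forecast", owner="alice",
                      classification=Label("confidential", frozenset({"finance"})))
    dac_grant(alice, report, "bob", "read")              # alice shares at her discretion
    dac_grant(alice, report, "carol", "read")
    return {
        "bob_dac_read": dac_allows(bob, report, "read"),   # True: the owner said so
        "bob_mac_read": mac_allows(bob, report, "read"),   # False: internal < confidential
        "bob_read": allowed(bob, report, "read"),          # False: MAC wins over the DAC grant
        "carol_read": allowed(carol, report, "read"),      # False: missing compartment
        "alice_read": allowed(alice, report, "read"),      # True
        "alice_write": allowed(alice, report, "write"),    # False: write-down from secret to confidential
        "bob_mac_write": mac_allows(bob, report, "write"), # True: blind write-up is permitted by MAC
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The point the outline makes, "owner decides" versus "system decides", is visible in the last two results: under DAC Alice can hand out read access as she likes, but the mandatory check still refuses Bob because his clearance does not dominate the file's label, and it refuses Alice herself a write because that would move secret-cleared content into a lower-labelled object.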
• Reduced Sign On: changing from stand-alone application authentication to centralized authentication such as LDAP, RADIUS, Active Directory
• Single Sign On: one login authenticates the user to multiple authorized applications
• Access Control Lists: common way to administer access controls
• Protecting Information
  o Access controls
  o Access Logging
  o Backups
    - Automated tools
    - Protection of backup data
    - Offsite backup media storage
    - Restoration testing
    - Media inventory
• Patch Management
• Vulnerability Management
  o Subscribing to security alerts
  o Scanning
  o Patch management
  o Corrective action process
• System Hardening: remove unneeded services, dedicate each system to a single function, change default passwords, use non-predictable passwords, reduce privileges, eliminate inter-server trust
• Managing User Access
  o User Access Provisioning: the risk of errors can be devastating for an organization
  o Termination: safeguards are needed, such as review of the terminated employee's actions before and after termination, periodic reviews, and log review
  o Transfers: the risk is privilege creep
  o Password management: provisioning, lockout, forgotten passwords. Password length, complexity, expiration, reuse, forced change
• Protecting Mobile Devices: Encryption, strong access control, remote destruct, hardening, logical locking system, physical locking system
  o Stealing data
• Securing Wireless Networks
  o Threats and vulnerabilities
    - Eavesdropping
    - War driving and war chalking
    - Weak or absent encryption
    - Spoofing
  o Countermeasures
    - Obscure SSID
    - Stop SSID broadcast
    - Reduce transmit power
    - MAC filtering
    - WPA (today WPA2/WPA3; note that SSID hiding and MAC filtering are trivially bypassed and only strong encryption with authentication actually protects the traffic)
    - Require VPN
    - Change default passwords
    - Patches
• Protecting Internet Communications
  o Threats and vulnerabilities
    - Eavesdropping
    - Network analysis: reconnaissance phase of some bigger effort
    - Targeted attacks
    - Malware
    - Masquerading: forged messages that have the appearance of originating elsewhere
    - DoS
    - Fraud
  o Countermeasures
    - Firewalls
    - Honeypots and Honeynets
    - IDS
    - Change management and configuration management
    - Incident management
    - Security awareness training
    - Encryption
• Encryption
  o Terms
    - Plaintext
    - Ciphertext
    - Hash function
    - Message digest
    - Digital signature
    - Algorithm
    - Decryption
    - Encryption key
    - Cryptanalysis
    - Key length
    - Block cipher
    - Stream cipher
    - Initialization Vector (IV): a random value that starts the encryption process so that equal plaintexts encrypt differently; it must never be reused with the same key
    - Symmetric encryption
    - Asymmetric encryption
    - Key exchange
    - Nonrepudiation
  o Private Key Cryptosystem: Symmetric cryptography
    - Challenges
      · Key exchange: an out-of-band method is required
      · Scalability
  o Public Key Cryptosystem: Asymmetric cryptography
    - Key pair: public and private keys
    - Message security: no need to establish and communicate symmetric encryption keys through a secure channel
    - Verifying public keys:
      · Certificate authority
      · Email address
      · Key fingerprint: retrieve the public key, calculate its fingerprint, and compare it with a fingerprint obtained out of band
  o Hashing and Message Digests
  o Digital Signatures: a hash of the message encrypted with the sender's private key, binding the message to the sender's identity and proving integrity
  o Digital Envelopes: combine symmetric and public-key cryptography: the message is encrypted with a symmetric key, and that key is encrypted with the recipient's public key
  o Public Key Infrastructure (PKI)
    - Digital certificates
    - Certificate Authority (CA)
    - Registration Authority (RA)
    - Certificate Revocation List (CRL)
    - Certification Practice Statement (CPS)
  o Key Management
    - Key generation: the system must be highly protected, isolated, and used by a few people, and must draw on a cryptographically secure source of randomness
    - Key protection
    - Key custody: policies, processes, and procedures regarding the management of keys
    - Key rotation: triggered when one of the following occurs:
      · Key compromise
      · Key expiration
      · Rotation of staff
    - Key disposal
  o Encryption applications
    - SSL/TLS
    - S-HTTP
    - S/MIME
    - SSH
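The IV and stream-cipher terms above come together in one classic failure: encrypting two messages under the same key and the same IV. The following is an added example, not from the original summary, that demonstrates the "two-time pad" on a toy stream cipher built from HMAC-SHA256 (the construction, key and messages are constructed for the illustration; a production system would use AES-GCM or ChaCha20-Poly1305 rather than anything hand-built).

```python
"""Why an IV must never be reused with the same key: a two-time pad on a toy stream cipher.
Added example; key, messages and the keystream construction are constructed for illustration."""
import hashlib
import hmac
import os


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Toy keystream: concatenated HMAC-SHA256(key, iv || counter) blocks.
    Illustration only, not a vetted cipher; the point is that the stream depends on (key, iv)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Stream cipher: ciphertext = plaintext XOR keystream(key, iv)."""
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt  # XOR is its own inverse


def new_iv() -> bytes:
    """Fresh random IV per message; this is what prevents keystream reuse."""
    return os.urandom(12)


def recover_from_iv_reuse(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 share key and IV they share the keystream k, so
    c1 XOR c2 == (p1 XOR k) XOR (p2 XOR k) == p1 XOR p2, and a known p1 reveals p2
    with no access to the key at all."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_p1[:n])


KEY = hashlib.sha256(b"constructed demo key").digest()   # constructed, 32 bytes
P1 = b"PAY 00100 TO ACCT 0001"                           # constructed messages of equal length
P2 = b"PAY 99000 TO ACCT 0666"


def demo() -> dict:
    reused_iv = bytes(12)                                 # the mistake: a fixed IV
    c1 = encrypt(KEY, reused_iv, P1)
    c2 = encrypt(KEY, reused_iv, P2)
    leaked = recover_from_iv_reuse(c1, c2, P1)            # attacker knows P1 (e.g. a predictable message)
    c3 = encrypt(KEY, new_iv(), P2)                       # the fix: fresh IV for the second message
    guess = recover_from_iv_reuse(c1, c3, P1)
    return {
        "roundtrip": decrypt(KEY, reused_iv, c1) == P1,
        "leaked_p2": leaked,                              # equals P2: the key was never needed
        "fresh_iv_leaks": guess == P2,                    # False: distinct keystreams do not cancel
    }


if __name__ == "__main__":
    r = demo()
    print("decrypts correctly:", r["roundtrip"])
    print("recovered from IV reuse:", r["leaked_p2"])
    print("fresh IV leaks plaintext:", r["fresh_iv_leaks"])
```

The same algebra is why the "IV" entry above says the value must be random and unique per key, and why key rotation matters even for a symmetric scheme: the more messages share a key, the more chances there are for a counter or IV to repeat.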
    - SET
• Voice over IP (VoIP)
  o Threats and vulnerabilities
    - Eavesdropping
    - Spoofing
    - Malware
    - DoS
    - Toll fraud
  o Protection: IDS, access management, firewalls, hardening, malware controls
• Private Branch Exchange (PBX)
  o Threats and vulnerabilities
    - Default passwords on the administrator console
    - Dial-in modem
    - Toll fraud
    - Espionage
  o Countermeasures
    - Administrative access control
    - Physical access control
    - Regular log review
• Malware
  o Threats and vulnerabilities
    - Viruses
    - Worms
    - Trojan horses
    - Spyware
    - Root kits
    - Bots
    - Missing patches
    - Unsecure configuration
    - Faulty architecture
    - Faulty judgment
    - Spam
    - Phishing
    - DoS
  o Anti-Malware Administrative controls
    - Spam policy
    - Business-related internet use only
    - No removable media
    - No downloading
    - No personally owned computers
  o Anti-Malware Technical controls
    - Anti-malware on email servers
    - On workstations
    - On web servers
    - Centralized malware console
    - IDS/IPS
    - Spam filters
    - Blocking use of removable media
• Information Leakage
  o Countermeasures
    - Outbound email filters
    - Block removable media
    - Blocking internet access
    - Tighter access controls
    - Access logging
    - Job rotation
    - Periodic background checks

PHYSICAL SECURITY CONTROLS
• Threats and vulnerabilities
  o Theft
  o Sabotage
  o Espionage
  o Covert listening devices
  o Tailgating
  o Propped doors
  o Poor visibility
• Countermeasures
  o Keycard systems
  o Cipher locks
  o Fences, walls, and barbed wire
  o Bollards and crash gates
  o Video
  o Visual notices
  o Bug sweeping
  o Guards
  o Guard dogs

ENVIRONMENTAL CONTROLS
• Threats and vulnerabilities
  o Electric power vulnerabilities
    - Spike: sharp, brief increase
    - Inrush: sudden increase in current draw when equipment starts
    - Noise: presence of other electromagnetic signals
    - Dropout: momentary loss
    - Brownout: sustained drop
    - Blackout: complete loss
  o Physical environment vulnerabilities
    - Temperature
    - Humidity
    - Dust and dirt
    - Smoke and fire
    - Sudden unexpected movement
• Countermeasures
  o Electric power
    - UPS
    - Electric generator
    - Dual power feeds
    - Power distribution unit (PDU)
  o Temperature and humidity controls: HVAC
  o Fire prevention, detection, and suppression
    - Prevention:
      · Combustibles stored away
      · Cleanliness
      · Electrical equipment maintenance
    - Detection: pull-down stations, manual alarms, detectors
    - Suppression:
      · Types: wet pipe, dry pipe, pre-action, deluge, inert gas
      · Fire classes:
        o A: wood, paper
        o B: liquids and gases
        o C: electrical
        o D: combustible metals
        o K: cooking oils and fats

AUDITING ASSET PROTECTION
• Security Management
  o Policies, processes, procedures, and standards
  o Records
  o Training
  o Data ownership and management
  o Data custodians
  o Security administrators
  o New and existing employees
• Logical Access Controls
  o Network access paths
    - IT infrastructure
    - Network architecture and access documentation
  o User Access Controls
    - User access controls: authentication, bypass, access violations, user account lockout, shared accounts, dormant accounts, system accounts
    - Password management: password standards, account lockout, access to encrypted passwords
    - Password vaulting
  o User access provisioning
    - Access request process
    - Access approvals
    - Segregation of duties (SOD)
    - Access reviews
  o Employee terminations
    - Termination process
    - Timeliness
    - Access reviews
    - Contractor access and termination
  o Access logs
    - Access log controls
    - Centralized access logs
    - Access log protection
    - Log review
    - Log retention
  o Investigative procedures
    - Policies and procedures
    - Computer crime investigations
    - Computer forensics
  o Internet points of presence
    - Search engines: what information is available
    - Social networking sites: what others are saying
    - Online sales sites: what's being sold
    - Domain names
• Network Security Controls
  o Architecture review
    - Diagrams
    - Documents
    - Support of business objectives
    - Compliance with security policy
    - Comparison of documented vs actual
  o Network access controls
    - User authentication: Active Directory, LDAP
    - Firewalls
    - IDS
    - Remote access
    - Dial-up modems
  o Change management
    - Change control policy
    - Change logs
    - Change control procedures
    - Emergency changes
    - Rolled-back changes
    - Linkage to SDLC: change management and SDLC
  o Alert management
  o Penetration testing
  o Application scanning
  o Patch management
• Environmental Controls
  o Power conditioning
  o Backup power
  o HVAC
  o Water detection
  o Fire detection and suppression
  o Cleanliness
• Physical Controls
  o Siting and Marking
    - Proximity to hazards
  o Physical access controls
    - Physical barriers
    - Surveillance
    - Guards and dogs
    - Keycard systems
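Several of the user-access audit items above (account lockout, shared accounts, dormant accounts, access log review) are questions that can be answered mechanically from an authentication log. The following is an added example, not from the original summary, that runs those checks over a constructed sshd-style log; the log format, the account inventory, the five-failures-in-ten-minutes lockout rule and the three-source-address threshold for a suspected shared account are all assumptions of the example.

```python
"""Access-log review: lockout candidates, success after a failure burst, suspected shared accounts,
dormant accounts, and logins by accounts missing from the inventory.
Added example; log lines, account list and thresholds are constructed for illustration."""
from __future__ import annotations
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (sshd-like); anything else is skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample log. Addresses are from the documentation ranges.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z host1 sshd: Failed password for svc_backup from 203.0.113.9
2024-03-04T08:01:20Z host1 sshd: Failed password for svc_backup from 203.0.113.9
2024-03-04T08:01:31Z host1 sshd: Failed password for svc_backup from 203.0.113.9
2024-03-04T08:01:45Z host1 sshd: Failed password for svc_backup from 203.0.113.9
2024-03-04T08:02:02Z host1 sshd: Failed password for svc_backup from 203.0.113.9
2024-03-04T08:02:15Z host1 sshd: Accepted password for svc_backup from 203.0.113.9
2024-03-04T09:10:00Z host1 sshd: Accepted password for jsmith from 192.0.2.10
2024-03-04T09:12:00Z host2 sshd: Accepted password for admin from 192.0.2.10
2024-03-04T10:40:00Z host2 sshd: Accepted password for admin from 192.0.2.44
2024-03-04T13:05:00Z host2 sshd: Accepted password for admin from 198.51.100.7
2024-03-04T14:00:00Z host1 sshd: Failed password for jsmith from 192.0.2.10
2024-03-04T15:30:00Z host2 sshd: Accepted password for deploy from 203.0.113.50
"""
# Constructed account inventory; "tchen" never logs in, "deploy" is not in the inventory.
KNOWN_ACCOUNTS = {"svc_backup", "jsmith", "admin", "tchen"}


def parse(log_text: str) -> list[dict]:
    """Parse matching lines into events sorted by time; unparsable lines are skipped here
    (a real review would count them, since gaps in the log are themselves a finding)."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def review(log_text: str, known_accounts: set, fail_threshold: int = 5,
           fail_window: timedelta = timedelta(minutes=10), shared_ip_threshold: int = 3) -> dict:
    recent_failures: dict[str, list[datetime]] = defaultdict(list)   # sliding window per account
    success_ips: dict[str, set] = defaultdict(set)
    lockout: dict[str, int] = {}
    success_after_burst: set = set()
    for e in parse(log_text):
        user, ts = e["user"], e["ts"]
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= fail_window]
        if e["result"] == "Failed":
            recent_failures[user].append(ts)
            if len(recent_failures[user]) >= fail_threshold:        # lockout should have triggered
                lockout[user] = max(lockout.get(user, 0), len(recent_failures[user]))
        else:
            success_ips[user].add(e["ip"])
            if len(recent_failures[user]) >= fail_threshold:        # guessing that eventually worked
                success_after_burst.add(user)
    shared = {u: sorted(ips) for u, ips in success_ips.items() if len(ips) >= shared_ip_threshold}
    dormant = sorted(set(known_accounts) - set(success_ips))        # no successful use in the period
    unknown = sorted(set(success_ips) - set(known_accounts))        # active but not in the inventory
    return {
        "lockout": lockout,
        "success_after_burst": sorted(success_after_burst),
        "shared": shared,
        "dormant": dormant,
        "unknown": unknown,
    }


if __name__ == "__main__":
    for finding, value in review(SAMPLE_LOG, KNOWN_ACCOUNTS).items():
        print(f"{finding}: {value}")
```

Each finding maps to an audit question in the outline: `lockout` shows whether the lockout standard is actually enforced (five failures went through here, so it is not), `success_after_burst` is a successful guess that needs investigation, `shared` flags an account used from several source addresses within a day, `dormant` lists inventory accounts with no successful use, and `unknown` lists active accounts that the inventory does not know about.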
Domain 6 – BC & DR

DISASTERS
• Types
  o Natural: Earthquakes, volcanoes, landslides, avalanches, wildfires, tropical cyclones, tornadoes, windstorms, lightning, ice storms, hail, flooding, tsunamis, pandemic, extraterrestrial impacts
  o Man-Made: Civil disturbances, utility outages, materials shortages, fires, hazardous materials spills, transportation accidents, security events, terrorism and wars
  o How they affect organizations
    - Direct damage: earthquakes etc.
    - Utility outage
    - Transportation
    - Services and supplier shortage
    - Staff availability
    - Customer availability

BCP Process
• Develop Policy: formal policy included in the overall governance model
• BCP and COBIT Controls
  o Develop IT continuity framework
  o Conduct business impact analysis
  o Develop and maintain IT continuity plans
  o Identify and categorize IT resources based on recovery objectives
  o Define and execute change control procedures to ensure the IT continuity plan is current
  o Regularly test the IT continuity plan
  o Develop follow-on action plan from test results
  o Plan and conduct IT continuity training
  o Plan IT services recovery and resumption
  o Plan and implement backup storage and protection
  o Establish procedures for conducting post-resumption reviews
• Business Impact Analysis (BIA)
  o Key processes and systems
  o Statement of impact: qualitative or quantitative description of the impact if the process or system were incapacitated for a time
• Criticality Analysis: study of each system and process, a consideration of the impact on the organization if it is incapacitated, the likelihood of incapacitation, and the estimated cost of mitigating the risk or impact of incapacitation (risk analysis)
• Establishing key targets
  o Recovery Time Objective (RTO): Time from onset of an outage until the resumption of service. An organization could establish two RTO targets, one for partial capacity and one for full capacity.
  o Recovery Point Objective (RPO): The maximum period of recent data that will be irretrievably lost in a disaster (the gap between the last recoverable copy and the outage). For critical transactions it is measured in minutes.

Developing Recovery Strategies and Plans
• Strategies
  o Site options: Hot, warm, cold, mobile, reciprocal (at another company)
  o Recovery and resilience technologies
    - RAID: Redundant Array of Independent Disks
      · RAID-0: striped, no redundancy
      · RAID-1: mirror
      · RAID-4: striping with a dedicated parity disk; RAID-5 stripes data and parity across all disks. RAID-4 and RAID-5 tolerate the failure of one disk without losing information
      · RAID-6: withstands the failure of any two disk drives in the array
    - SAN: Storage Area Network
    - NAS: Network Attached Storage
  o Replication
    - Disk storage system
    - Operating system
    - Database management system
    - Transaction management system
    - Application
  o Server clusters
  o Network connectivity and services
    - Redundant network connection
    - Redundant network services
  o Backup and restoration
• Plans
  o Recovery procedures: should go hand in hand with the technologies that may have been added to IT systems to make them more resilient
  o Continuing Operations
  o Restoration procedures
  o Considerations
    - Availability of personnel
    - Emergency supplies
    - Communications: identifying critical personnel, suppliers, customers, and other parties; call trees; wallet cards
    - Transportation
  o Evacuation procedures
  o Disaster declaration procedures
    - Core team
    - Declaration criteria
    - Pulling the trigger: any single core member
    - Next Steps: declaration will trigger other response procedures
    - False alarms
  o Responsibilities: plan for personnel who are unavailable (injured, caring for family members, transportation unavailable, out of the area, communications, fear) and assign:
    - Emergency Response: evacuation, first aid, firefighting
    - Command and Control (Emergency Management)
    - Scribe: documents the important events during disaster response operations
    - Internal Communications
    - External communications
    - Legal and compliance
    - Damage assessment
    - Salvage
    - Physical security
    - Supplies
    - Transportation
    - Network
    - Network services
    - Systems
    - Databases
    - Data and records
    - Applications
    - Access management
    - Information security
    - Off-site storage
    - User hardware
    - Training
    - Relocation
    - Contract Information
    - Inventory
  o Documentation
    - Supporting project documents
    - Analysis documents: BIA, RTO, RPO, Criticality analysis
    - Response documents: Business recovery plan, Occupant emergency plan (OEP), Emergency communications plan, contact lists, DR plan,
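The RAID entries above state what each level survives; the parity arithmetic behind RAID-4/5 is small enough to show directly. The following is an added example, not from the original summary, that builds a stripe with an XOR parity block, rebuilds the stripe after one disk failure, updates parity on a write, and shows why a second simultaneous failure cannot be recovered without the extra parity of RAID-6. The block contents are constructed for the illustration.

```python
"""RAID-4/5 parity: one failed disk is rebuilt from the survivors; two failures need RAID-6.
Added example; the stripe contents are constructed for illustration."""
from __future__ import annotations
from functools import reduce
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)


def build_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Write a stripe: the data blocks plus one parity block P = D0 XOR D1 XOR ... XOR Dn-1.
    RAID-4 keeps parity on a dedicated disk, RAID-5 rotates it across disks; the arithmetic is identical."""
    size = len(data_blocks[0])
    if any(len(b) != size for b in data_blocks):
        raise ValueError("all blocks in a stripe must be the same size")
    return list(data_blocks) + [xor_blocks(data_blocks)]


def update_block(stripe: List[bytes], index: int, new_block: bytes) -> List[bytes]:
    """Small write: new parity = old parity XOR old data XOR new data (the read-modify-write
    that makes RAID-5 writes cost two reads and two writes)."""
    if index >= len(stripe) - 1:
        raise ValueError("index must address a data block, not the parity block")
    new_stripe = list(stripe)
    new_stripe[-1] = xor_blocks([stripe[-1], stripe[index], new_block])
    new_stripe[index] = new_block
    return new_stripe


def rebuild(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Reconstruct a stripe in which None marks a failed disk. XOR of all surviving blocks
    (data and parity alike) yields the missing one; with two missing there is one equation
    for two unknowns, which is exactly the gap RAID-6's second parity closes."""
    missing = [i for i, b in enumerate(stripe) if b is None]
    if not missing:
        return list(stripe)
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} disks failed; single parity can rebuild only one")
    survivors = [b for b in stripe if b is not None]
    rebuilt = list(stripe)
    rebuilt[missing[0]] = xor_blocks(survivors)
    return rebuilt


def read_data(stripe: List[bytes]) -> bytes:
    """The logical data of a stripe is the concatenation of its data blocks (parity excluded)."""
    return b"".join(stripe[:-1])


def demo() -> dict:
    data = [b"AAAA", b"BBBB", b"CCCC", b"DDDD"]          # constructed: four data disks
    stripe = build_stripe(data)
    one_failed = list(stripe)
    one_failed[2] = None                                  # disk 2 dies
    rebuilt = rebuild(one_failed)
    two_failed = list(stripe)
    two_failed[0] = None
    two_failed[3] = None                                  # two disks die at once
    try:
        rebuild(two_failed)
        survives_two = True
    except ValueError:
        survives_two = False
    return {
        "parity": stripe[-1],
        "rebuilt_ok": rebuilt == stripe,
        "data_after_one_failure": read_data(rebuilt),
        "survives_two_failures": survives_two,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The rebuild step is also the reason a degraded RAID-5 array is a continuity risk rather than a solved problem: until the replacement disk is fully rebuilt, every further disk error is the unrecoverable two-failure case, which is why the outline lists RAID-6 separately and why RAID of any level is not a substitute for the backups and off-site storage listed alongside it.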
      Continuity of operations plan (COOP), Security incident response plan (SIRT)
    - Test and review documents

Testing Recovery Plans
• Test preparation: schedule, facilities, scripting, participants, recordkeeping, contingency plan
• Document review
• Walkthrough
• Simulation
• Parallel test
• Cutover test
• Documenting results
• Improving recovery and continuity plans

Training Personnel: Document review, participation in walkthroughs, participation in simulations, participation in parallel and cutover tests
• Hard copy of plan
• Soft copy of plan
• Online access
• Wallet cards

Maintaining Recovery and Continuity Plans

Auditing Business Continuity and Disaster Recovery: An audit of an organization's BC program is a top-down analysis of key business objectives and a review of documentation and interviews to determine whether the BC strategy and program details support those key business objectives.
  o Reviewing Business Continuity and Disaster Recovery Plans
  o Reviewing Prior Test Results and Action Plans
  o Evaluating off-site storage
  o Evaluating alternate processing facilities
  o Interviewing key personnel
  o Reviewing service provider contracts
  o Reviewing insurance coverage