SESSION 3
Job Practice
o Domain 1: The Process of Auditing Information Systems, 21%
o Domain 2: Governance and Management of IT, 16%
o Domain 3: Information Systems Acquisition, Development and Implementation, 18%
o Domain 4: Information Systems Operations, Maintenance and Service Management, 20%
o Domain 5: Protection of Information Assets, 25%
Domain 5
Protection of Information Assets
Task 5.1
Security Objectives
Security objectives to meet an organization's business requirements should ensure the following:
o Continued availability of information systems and data
o Integrity of the information stored on computer systems and while in transit
o Confidentiality of sensitive data is preserved while stored and in transit
o Conformity to applicable laws, regulations and standards
o Adherence to trust and obligation requirements in relation to any information relating to an identified or identifiable individual (i.e., data subject) in accordance with internal privacy policy or applicable privacy laws and regulations
o Adequate protection for sensitive data while stored and when in transit, based on organizational requirements
Key elements of information security management:
o Policies and procedures
o Risk management
o Monitoring and compliance
o Organization
o Security awareness and education
o Incident handling and response
Privacy
Privacy means freedom from unauthorized intrusion or
disclosure of information about an individual (also
referred to as a data subject).
Management should perform a privacy impact analysis.
Security Controls
An effective control is one that prevents, detects, and/or contains an incident and enables recovery from an event.
Controls can be:
o Proactive (safeguards): controls that attempt to prevent an incident
o Reactive (countermeasures): controls that allow the detection, containment and recovery from an incident
Control Methods
o Managerial
o Technical
o Physical
Control Monitoring
To ensure controls are effective and properly monitored, the IS auditor should:
o Validate that processes, logs and audit hooks have been placed into the control framework.
o Ensure that logs are enabled, controls can be tested and regular reporting procedures are developed.
o Ensure that control monitoring is built into the control design.
Task 5.2
Blackmail
Embezzlement
o Door locks (cipher, biometric, bolted, electronic)
o Manual or electronic logging
o Identification badges
o CCTV
o Security guards
o Controlled visitor access
o Computer workstation locks
o Controlled single entry point
o Deadman doors
o Alarm system
Environmental Exposures
Environmental exposures are due primarily to naturally occurring events.
Common environmental exposures include:
o Power failure
o Water damage/flooding
o Manmade concerns
o Terrorist threats/attacks
o Vandalism
o Equipment failure
Environmental Controls
Environmental exposures should be afforded the same level of protection as other types of exposures. Possible controls include:
o Alarm control panels
o Water detectors
o Fire extinguishers
o Fire suppression systems
o Fireproof and fire-resistant building and office materials
o Strategically located computer rooms
o Electrical surge protectors
o Emergency power-off switch
o Documented and tested BCPs and emergency evacuation plans
o Uninterruptible power supply/generator
Task 5.3
Logical Access
Logical access is the ability to interact with computer
resources, granted using identification, authentication
and authorization.
Logical access controls are the primary means used to
manage and protect information assets.
IS auditors should be able to analyze and evaluate the
effectiveness of a logical access control in accomplishing
information security objectives and avoiding losses
resulting from exposures.
o Mandatory access controls (MACs)
o Discretionary access controls (DACs)
LAN Security
To gain a full understanding of the LAN, the IS auditor should identify and document the following:
o Users or groups with privileged access rights
o LAN topology and network design
o LAN administrator/LAN owner
o Functions performed by the LAN administrator/owner
o Distinct groups of LAN users
o Computer applications used on the LAN
o Procedures and standards relating to network design, support, naming conventions and data security
Virtualization
IS auditors need to understand the advantages and
disadvantages of virtualization to determine whether the
enterprise has considered the applicable risk in its decision to
adopt, implement and maintain this technology.
Some common advantages and disadvantages include:
(Table: Advantages | Disadvantages)
Client-Server Security
A client-server is a group of computers connected by a
communications network in which the client is the
requesting machine and the server is the supplying
machine.
Several access routes exist in a client-server
environment.
Wireless Security
Wireless security requirements include the following:
o Authenticity: A third party must be able to verify that the content of a message has not been changed in transit.
o Nonrepudiation: The origin or the receipt of a specific message must be verifiable by a third party.
o Accountability: The actions of an entity must be uniquely traceable to that entity.
o Network availability: The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.
Internet Security
The IS auditor must understand the risk and security
factors needed to ensure that proper controls are in
place when a company connects to the Internet.
Network attacks involve probing for network information.
o Examples of passive attacks include network
analysis, eavesdropping and traffic analysis.
Encryption
Encryption generally is used to:
o Protect data in transit over networks from unauthorized interception and manipulation.
o Protect information stored on computers from unauthorized viewing and manipulation.
o Deter and detect accidental or intentional alterations of data.
o Verify authenticity of a transaction or document.
Encryption (cont'd)
Key encryption elements include:
o Encryption algorithm: a mathematically based function that encrypts/decrypts data
o Encryption keys: a piece of information that is used by the encryption algorithm to make the encryption or decryption process unique
o Key length: a predetermined length for the key; the longer the key, the more difficult it is to compromise
Encryption (cont'd)
There are two types of encryption schemes:
o Symmetric: a unique key (usually referred to as the secret key) is used for both encryption and decryption.
o Asymmetric: the decryption key is different from the one used for encryption.
There are two main advantages of symmetric key systems over asymmetric ones.
o The keys are much shorter and can be easily remembered.
o Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power.
Encryption (contd)
In a public key cryptography system, two keys work
together as a pair. One of the keys is kept private, while
the other one is publicly disclosed.
The underlying algorithm works even if the private key is
used for encryption and the public key for decryption.
Encryption (cont'd)
Digital signature schemes ensure:
o Data integrity: any change to the plaintext message would result in the recipient failing to compute the same document hash.
o Authentication: the recipient can ensure that the document has been sent by the claimed sender because only the claimed sender has the private key.
o Nonrepudiation: the claimed sender cannot later deny generating the document.
The IS auditor should be familiar with how a digital signature functions to protect data.
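The previous two slides describe the private-key-to-sign, public-key-to-verify direction and the three properties a signature provides. The following added example (not code from the ISACA review material) walks through that mechanism with textbook RSA; the key pair is constructed from two publicly known Mersenne primes and no padding is used, so it illustrates the mechanism only and is not a usable signature scheme.

```python
"""Toy walk-through of a digital signature: hash the document, apply the
PRIVATE key to the hash, let anyone verify with the PUBLIC key.
Textbook RSA with two publicly known Mersenne primes and no padding, so it
demonstrates the mechanism only and must never be used for real signatures.
Added example; not code from the ISACA review material."""
import hashlib

# Constructed key pair.  Mersenne primes are public knowledge, which is
# exactly why this key is insecure: anyone could recover D from N.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def document_hash(document: bytes) -> int:
    """SHA-256 of the plaintext as an integer; any change to the document
    changes this value, which is where data integrity comes from."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private_exponent: int = D) -> int:
    """Signer applies the private key to the hash.  Only the holder of D can
    produce a value that verifies under E, giving authentication and
    nonrepudiation."""
    return pow(document_hash(document), private_exponent, N)


def verify(document: bytes, signature: int, public_exponent: int = E) -> bool:
    """Recipient applies the public key to the signature and compares with a
    freshly computed hash.  This is the 'private key encrypts, public key
    decrypts' direction the slide mentions: E and D are inverses mod phi(N)."""
    return pow(signature, public_exponent, N) == document_hash(document)


def demo() -> dict:
    """Exercise the three properties on a constructed message."""
    original = b"Approve payment of 1,000 USD to vendor 4711"
    sig = sign(original)
    tampered = b"Approve payment of 9,000 USD to vendor 4711"
    # Someone without D cannot forge: a value produced with a wrong exponent
    forged = pow(document_hash(original), 3, N)
    return {
        "valid": verify(original, sig),
        "integrity_fails_on_change": not verify(tampered, sig),
        "forgery_rejected": not verify(original, forged),
    }


if __name__ == "__main__":
    print(demo())
```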
Malware
There are two primary methods to prevent and detect malware that infects computers and network systems.
o Have sound policies and procedures in place (preventive controls).
o Have technical controls (detective controls), such as anti-malware software, including scanners, behavior blockers, active monitors, integrity CRC checkers and immunizers.
Neither method is effective without the other.
Task 5.4
Data Classification
In order to have effective controls, organizations must have a detailed inventory of information assets.
Most organizations use a classification scheme with three to five levels of sensitivity.
Data classification provides the following benefits:
o Defines level of access controls
o Reduces risk and cost of over- or under-protecting information resources
o Maintains consistent security requirements
o Enables uniform treatment of data by applying level-specific policies and procedures
o Identifies who should have access
Data Leakage
Data leakage involves the unauthorized transfer of sensitive
or proprietary information from an internal network to the
outside world.
Data leak prevention is a suite of technologies and associated
processes that locate, monitor and protect sensitive
information from unauthorized disclosure.
DLP Solutions
o Data at rest: use crawlers to search for and log the location of specific information sets.
o Data in motion: use specific network appliances or embedded technology to selectively capture and analyze traffic.
o Data in use: use an agent to monitor data movement stemming from actions taken by end users.
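A minimal data-at-rest crawler of the kind the first DLP row describes, written here as an added example rather than ISACA's or any vendor's code: it walks a constructed directory tree, looks for two assumed information sets (payment card numbers validated with the Luhn check, and an assumed EMP-nnnnnn employee-ID format) and logs only the location and counts of what it finds.

```python
"""Minimal data-at-rest DLP crawler: walk a directory tree, search files for
specific information sets and log where they were found.
Added example, not from the ISACA review material; the detection patterns
and the sample file share are constructed assumptions."""
import os
import re
import tempfile

# 13-16 digits optionally separated by spaces or dashes (candidate card PAN)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Assumed internal identifier format, e.g. EMP-004512
EMPLOYEE_ID_RE = re.compile(r"\bEMP-\d{6}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; rejects random digit runs such as phone numbers
    so the crawler logs fewer false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Count the information sets present in one file's contents."""
    cards = [m.group(0) for m in CARD_RE.finditer(text)
             if luhn_valid(re.sub(r"\D", "", m.group(0)))]
    return {"card_numbers": len(cards),
            "employee_ids": len(EMPLOYEE_ID_RE.findall(text))}


def crawl(root: str) -> list:
    """Return one record per file that holds at least one sensitive item.
    Only the location and counts are logged, never the matched values."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    counts = classify_text(fh.read())
            except OSError:
                continue              # unreadable file: skip, keep crawling
            if any(counts.values()):
                findings.append({"path": os.path.relpath(path, root), **counts})
    return findings


def demo() -> list:
    """Build a constructed file share in a temp directory and crawl it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        files = {   # constructed contents; 4111... is a well-known test PAN
            "finance/refunds.csv": "4111 1111 1111 1111,EMP-004512,refund\n",
            "notes.txt": "phone 5551234567 is not a card; EMP-000777 on call\n",
            "readme.md": "nothing sensitive here\n",
        }
        for rel, body in files.items():
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return crawl(root)


if __name__ == "__main__":
    for record in demo():
        print(record)
```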
Authentication Methods
o Logon IDs and passwords
o Tokens
o Biometrics
Multifactor authentication is the combination of more than one authentication method.
Single sign-on (SSO) is the process for consolidating all of an organization's platform-based administration, authentication and authorization functions into a single centralized administrative function.
The IS auditor should be familiar with the organization's authentication policies.
Authorization
Authorization refers to the access rules that specify who
can access what.
Access control is often based on least privilege, which
refers to the granting to users of only those accesses
required to perform their duties.
The IS auditor needs to know what can be done with the
access and what is restricted.
The IS auditor must review access control lists (ACLs).
An ACL is a register of users who have permission to
use a particular system and the types of access
permitted.
Authorization Issues
Risks:
o Denial of service
o Malicious third parties
o Misconfigured communications software
o Misconfigured devices on the corporate computing infrastructure
o Host systems not secured appropriately
o Physical security issues over remote users' computers
Controls
System Logs
Audit trail records should be protected by strong access controls to help prevent unauthorized access.
The IS auditor should ensure that the logs cannot be tampered with, or altered, without leaving an audit trail.
When reviewing or performing security access follow-up, the IS auditor should look for:
o Patterns or trends that indicate abuse of access privileges, such as concentration on a sensitive application
o Violations (such as attempting computer file access that is not authorized) and/or use of incorrect passwords
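The two follow-up items above (abuse patterns such as concentration on a sensitive application, and violations such as unauthorized access attempts or incorrect passwords) can be expressed as checks over an access log. The following added example (not from the ISACA review material) runs those checks over a constructed log; the key=value line format, the set of sensitive applications and the thresholds are assumptions.

```python
"""Security access follow-up over a constructed access log: flag repeated
incorrect passwords, unauthorized access attempts, and concentration of a
user's activity on a sensitive application.  Added example, not from the
ISACA review material; the log format and thresholds are assumptions."""
import re
from collections import Counter, defaultdict

# Constructed sample log in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-01T08:02:11 user=jdoe app=HR_PORTAL action=LOGIN result=SUCCESS
2024-03-01T08:05:40 user=jdoe app=PAYROLL action=READ result=SUCCESS
2024-03-01T08:06:02 user=jdoe app=PAYROLL action=READ result=SUCCESS
2024-03-01T08:07:15 user=jdoe app=PAYROLL action=READ result=SUCCESS
2024-03-01T08:09:30 user=jdoe app=PAYROLL action=EXPORT result=SUCCESS
2024-03-01T08:11:00 user=asmith app=HR_PORTAL action=LOGIN result=BAD_PASSWORD
2024-03-01T08:11:09 user=asmith app=HR_PORTAL action=LOGIN result=BAD_PASSWORD
2024-03-01T08:11:17 user=asmith app=HR_PORTAL action=LOGIN result=BAD_PASSWORD
2024-03-01T08:11:26 user=asmith app=HR_PORTAL action=LOGIN result=BAD_PASSWORD
2024-03-01T08:12:44 user=asmith app=HR_PORTAL action=LOGIN result=SUCCESS
2024-03-01T09:01:05 user=bkim app=PAYROLL action=READ result=DENIED
2024-03-01T09:01:40 user=bkim app=FINANCE action=READ result=DENIED
2024-03-01T09:30:00 user=bkim app=TIMESHEET action=READ result=SUCCESS
2024-03-01T10:15:22 user=clee app=TIMESHEET action=READ result=SUCCESS
"""

SENSITIVE_APPS = {"PAYROLL", "FINANCE"}      # assumed data classification
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
                     r"action=(?P<action>\S+) result=(?P<result>\S+)$")


def parse(log_text: str):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def review_access_log(log_text: str, bad_password_threshold: int = 3,
                      min_events: int = 4, concentration_ratio: float = 0.75) -> dict:
    """Return the exceptions an IS auditor would follow up on."""
    bad_passwords = Counter()
    denied = defaultdict(list)
    per_user_apps = defaultdict(Counter)
    for ev in parse(log_text):
        if ev["result"] == "BAD_PASSWORD":
            bad_passwords[ev["user"]] += 1          # incorrect passwords
        elif ev["result"] == "DENIED":
            denied[ev["user"]].append(ev["app"])    # unauthorized access attempts
        elif ev["result"] == "SUCCESS":
            per_user_apps[ev["user"]][ev["app"]] += 1

    # Abuse pattern: most of a user's successful activity lands on sensitive apps
    concentration = {}
    for user, apps in per_user_apps.items():
        total = sum(apps.values())
        sensitive = sum(n for app, n in apps.items() if app in SENSITIVE_APPS)
        if total >= min_events and sensitive / total >= concentration_ratio:
            concentration[user] = round(sensitive / total, 2)

    return {
        "repeated_bad_passwords": {u: n for u, n in bad_passwords.items()
                                   if n >= bad_password_threshold},
        "unauthorized_attempts": dict(denied),
        "sensitive_app_concentration": concentration,
    }


if __name__ == "__main__":
    for finding, detail in review_access_log(SAMPLE_LOG).items():
        print(finding, detail)
```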
Task 5.5
Media Storage
To help avoid potential damage to media during shipping and storage, the following precautions must be in place:
o Keep out of direct sunlight.
o Keep free of dust.
o Keep free of liquids.
o Minimize exposure to magnetic fields, radio equipment or any sources of vibration.
o Do not air transport in areas and at times of exposure to a strong magnetic storm.
Mobile Computing
Mobile computing refers to devices that are transported or moved
during normal usage, including tablets, smartphones and laptops.
Mobile computing makes it more difficult to implement logical and
physical access controls.
Common mobile computing vulnerabilities include the following:
o Information may travel across unsecured wireless networks.
o The enterprise may not be managing the device.
o Unencrypted information may be stored on the device.
o The device may have a lack of authentication requirements.
o The device may allow for the installation of unsigned
third-party applications.
Mobile computing controls include:
o Tagging
o Physical security
o Data storage
o Virus detection and control
o Encryption
o Compliance
o Approval
o Acceptable use policy
o Due care
o Awareness training
o Network authentication
o Secure transmission
o Standard applications
o Geolocation tracking
o Remote wipe and lock
o BYOD agreement
o Secure remote support
o Device registration
(Table: Technology | Threat/Vulnerability | Controls; technologies covered: peer-to-peer computing, instant messaging (IM), social media, cloud computing)
Voice-Over IP (VoIP)
VoIP has a different architecture than traditional circuit-based telephony, and these differences result in significant security issues.
Security is needed to protect two assets: the data and the voice.
Backup communication plans are important because if the computer system goes down, the telephone system goes down too.
Task 5.6
Computer Crimes
It is important that the IS auditor knows and understands the differences between computer crime and computer abuse to support risk analysis methodologies and related control practices. Examples of computer crimes include:
o Hacking
o Malware, viruses and worms
o Fraud
o Unauthorized access
o Phishing
o Brute force attacks
o Malicious codes
o Network analysis
o Packet replay
o Masquerading
o Eavesdropping
o Denial of service (DoS)
Source: ISACA, CISA Review Manual, 26th Edition, figures 5.11 and 5.12
Terminal identification
Investigation Techniques
If a computer crime occurs, it is very important that proper procedures are used to collect evidence.
o Damaged evidence can hinder prosecution.
o After a computer crime, the environment and evidence must be left unaltered and examined by specialist law enforcement officials.
Any electronic document or data may be used as digital evidence.
An IS auditor may be required or asked to be involved in a forensic analysis to provide expert opinion or to ensure the correct interpretation of information gathered.
o Preserve: refers to the practice of retrieving identified information and preserving it as evidence
o Analyze: involves extracting, processing and interpreting the evidence
o Present: involves a presentation to the various audiences, such as management, attorneys, court, etc.
Computer Forensics
The IS auditor should give consideration to key elements of
computer forensics during audit planning, including the
following:
o Data protection
o Data acquisition
o Imaging
o Extraction
o Interrogation
o Ingestion/normalization
o Reporting
Penetration Testing
During penetration testing, an auditor attempts to circumvent the security features of a system and exploits the vulnerabilities to gain access that would otherwise be unauthorized.
Phases: Planning, Discovery, Attack and Reporting, with additional discovery fed back from the attack phase into the discovery phase.
Types of penetration testing:
o External testing
o Internal testing
o Blind testing
o Double blind testing
o Targeted testing
Domain 5 Summary
Evaluate the information security and privacy policies,
standards and procedures.
Evaluate the design, implementation, maintenance,
monitoring and reporting of physical and environmental
controls.
Evaluate the design, implementation, maintenance,
monitoring and reporting of system and logical security
controls.
Discussion Question
The CSIRT of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may:
A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.
Discussion Question
Which of the following is the BEST way for an IS auditor to
determine the effectiveness of a security awareness and
training program?
A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.
Discussion Question
A hard disk containing confidential data was damaged
beyond repair. What should be done to the hard disk to
prevent access to the data residing on it?
A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C. Demagnetize the hard disk.
D. Physically destroy the hard disk.
EXAM PRACTICE
Question 1
An IS auditor is developing an audit plan for an environment that includes new systems. The company's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
A. Audit the new systems as requested by management.
B. Audit systems not included in last year's scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year's scope and the new systems.
Question 2
To ensure that audit resources deliver the best value to the
organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on
each audit.
B. train the IS audit staff on current technology used in
the company.
C. develop the audit plan on the basis of a detailed risk
assessment.
D. monitor progress of audits and initiate cost control
measures.
Question 3
The PRIMARY objective of the audit initiation meeting with
an IS audit client is to:
A. discuss the scope of the audit.
B. identify resource requirements of the audit.
C. select the methodology of the audit.
D. review requested evidence provided by the audit
client.
Question 4
The effect of which of the following should have priority in
planning the scope and objectives of an IS audit?
A. Applicable statutory requirements
B. Applicable corporate standards
C. Applicable industry best practices
D. Organizational policies and procedures
Question 5
Why does an audit manager review the staff's audit papers, even when the IS auditors have many years of experience?
A. internal quality requirements.
B. the audit guidelines.
C. the audit methodology.
D. professional standards.
Question 6
An IS audit department considers implementing continuous
auditing techniques for a multinational retail enterprise that
requires high availability of its key systems. A PRIMARY
benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.
Question 7
The internal audit department has written some scripts that are used for
continuous auditing of some information systems. The IT department has asked
for copies of the scripts so that they can use them for setting up a continuous
monitoring process on key systems. Would sharing these scripts with IT affect
the ability of the IS auditors to independently and objectively audit the IT
function?
A. Sharing the scripts is not permitted because it would give IT the ability to
pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review
all programs and software that runs on IS systems regardless of audit
independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits
may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS
auditors who wrote the scripts would not be permitted to audit any IS
systems where the scripts are being used for monitoring.
Question 8
The success of control self-assessment (CSA) depends
highly on:
A. having line managers assume a portion of the
responsibility for control monitoring.
B. assigning staff managers the responsibility for
building, but not monitoring, controls.
C. the implementation of a stringent control policy and
rule-driven controls.
D. the implementation of supervision and the monitoring
of controls of assigned duties.
Question 9
When conducting an IT security risk assessment, the IS auditor
asked the IT security officer to participate in a risk identification
workshop with users and business unit representatives. What is
the MOST important recommendation that the IS auditor should
make to obtain successful results and avoid future conflicts?
A. Ensure that the IT security risk assessment has a clearly
defined scope.
B. Require the IT security officer to approve each risk rating
during the workshop.
C. Suggest that the IT security officer accept the business
unit risk and rating.
D. Select only commonly accepted risk with the highest
submitted rating.
Question 10
An IS auditor is performing an audit in the data center when
the fire alarm begins sounding. The audit scope includes
disaster recovery, so the auditor observes the data center
staff response to the alarm. Which of the following is the
MOST important action for the data center staff to complete
in this scenario?
A. Notify the local fire department of the alarm condition.
B. Prepare to activate the fire suppression system.
C. Ensure that all persons in the data center are
evacuated.
D. Remove all backup tapes from the data center.
Question 11
When evaluating the controls of an
electronic data interchange (EDI)
application, an IS auditor should
PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.
Question 12
An organization is replacing a payroll program that
it developed in-house, with the relevant subsystem
of a commercial enterprise resource planning
(ERP) system. Which of the following would
represent the HIGHEST potential risk?
A. Undocumented approval of some project
changes
B. Faulty migration of historical data from the
old system to the new system
C. Incomplete testing of the standard
functionality of the ERP subsystem
D. Duplication of existing payroll permissions on
the new ERP subsystem
Question 13
An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue?
A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management
Question 14
Which of the following techniques would BEST help an
IS auditor gain reasonable assurance that a project can
meet its target date?
A. Estimation of the actual end date based on the
completion percentages and estimated time to
complete, taken from status reports
B. Confirmation of the target date based on
interviews with experienced managers and staff
involved in the completion of the project
deliverables
C. Extrapolation of the overall end date based on
completed work packages and current resources
D. Calculation of the expected end date based on
current resources and remaining available project
budget
Question 15
An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the:
A. complexity and risk associated with the project have been analyzed.
B. resources needed throughout the project have been determined.
C. technical deliverables have been identified.
D. contract for external parties involved in the project has been completed.
Question 16
The PRIMARY objective of service-level management
(SLM) is to:
A. define, agree on, record and manage the required
levels of service.
B. ensure that services are managed to deliver the
highest achievable level of availability.
C. keep the costs associated with any service at a
minimum.
D. monitor and report any legal noncompliance to
business management.
Question 17
The BEST audit procedure to determine if unauthorized
changes have been made to production code is to:
A. examine the change control system records and trace
them forward to object code files.
B. review access control permissions operating within
the production program libraries.
C. examine object code to find instances of changes and
trace them back to change control records.
D. review change approved designations established
within the change control system.
Question 18
Which of the following is the BEST method for determining
the criticality of each application system in the production
environment?
A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent application audits.
D. Perform a business impact analysis (BIA).
Question 19
Which of the following issues should be the GREATEST concern
to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most
essential systems were tested. The other systems were
tested separately during the rest of the year.
B. During the test, some of the backup systems were
defective or not working, causing the test of these systems
to fail.
C. The procedures to shut down and secure the original
production site before starting the backup site required far
more time than planned.
D. Every year, the same employees perform the test. The
recovery plan documents are not used because every step
is well known by all participants.
Question 20
Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)?
A. Business process owners
B. IT management
C. Senior business management
D. Industry experts
Question 21
While designing the business continuity plan (BCP) for an
airline reservation system, the MOST appropriate method
of data transfer/backup at an offsite location would be:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.
Question 22
The information security policy that states each individual
must have his/her badge read at every controlled door
addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
Question 23
An IS auditor discovers that uniform resource locators
(URLs) for online control self-assessment questionnaires
are sent using URL shortening services. The use of URL
shortening services would MOST likely increase the risk of
which of the following attacks?
A. Internet protocol (IP) spoofing
B. Phishing
C. Structured query language (SQL) injection
D. Denial-of-service (DoS)
Question 24
A company is planning to install a network-based intrusion
detection system (IDS) to protect the web site that it hosts.
Where should the device be installed?
A. On the local network
B. Outside the firewall
C. In the demilitarized zone (DMZ)
D. On the server that hosts the web site
Question 25
What would be the MOST effective control for enforcing
accountability among database users accessing sensitive
information?
A. Implement a log management process.
B. Implement a two-factor authentication.
C. Use table views to access sensitive data.
D. Separate database and application servers.
Question 26
What is the BEST approach to mitigate the risk of a
phishing attack?
A. Implementation of an intrusion detection system (IDS)
B. Assessment of web site security
C. Strong authentication
D. User education
Question 27
Which of the following BEST encrypts data on mobile
devices?
A. Elliptical curve cryptography (ECC)
B. Data encryption standard (DES)
C. Advanced encryption standard (AES)
D. The Blowfish algorithm
Question 28
When protecting an organization's IT systems, which of the following is normally the next line of defense after the network firewall has been compromised?
A. Personal firewall
B. Antivirus programs
C. Intrusion detection system (IDS)
D. Virtual local area network (VLAN) configuration
Question 29
Which of the following would MOST effectively enhance the
security of a challenge-response based authentication
system?
A. Selecting a more robust algorithm to generate
challenge strings
B. Implementing measures to prevent session hijacking
attacks
C. Increasing the frequency of associated password
changes
D. Increasing the length of authentication strings
Question 30
An IS auditor is reviewing a software-based firewall
configuration. Which of the following represents the
GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule
in the rule base.
B. is installed on an operating system with default
settings.
C. has been configured with rules permitting or denying
access to systems or networks.
D. is configured as a virtual private network (VPN)
endpoint.
THANK YOU!