CISA EXAM PREP COURSE:

SESSION 3

Job Practice (domain weights)
o Domain 1: The Process of Auditing Information Systems, 21%
o Domain 2: Governance and Management of IT, 16%
o Domain 3: Information Systems Acquisition, Development and Implementation, 18%
o Domain 4: Information Systems Operations, Maintenance and Service Management, 20%
o Domain 5: Protection of Information Assets, 25%

Copyright 2016 ISACA. All rights reserved.

Domain 5
Protection of Information Assets


Domain 5

Provide assurance that the enterprise's
security policies, standards, procedures
and controls ensure the confidentiality,
integrity and availability (CIA) of
information assets.

Task 5.1

Evaluate the information security and
privacy policies, standards and
procedures for completeness, alignment
with generally accepted practices and
compliance with applicable external
requirements.

Security Objectives
Security objectives to meet an organization's business requirements
should ensure the following:
o Continued availability of information systems and data
o Integrity of the information stored on computer systems and
while in transit
o Confidentiality of sensitive data is preserved while stored and in
transit
o Conformity to applicable laws, regulations and standards
o Adherence to trust and obligation requirements in relation to any
information relating to an identified or identifiable individual (i.e.,
data subject) in accordance with internal privacy policy or
applicable privacy laws and regulations
o Adequate protection for sensitive data while stored and when in
transit, based on organizational requirements


Information Security Management

Information security management is the most critical
factor in protecting information assets and privacy.
Key elements include:
o Senior management leadership, commitment and support
o Policies and procedures
o Organization
o Security awareness and education
o Risk management
o Monitoring and compliance
o Incident handling and response

Source: ISACA, CISA Review Manual 26th Edition, figure 5.2

Privacy
Privacy means freedom from unauthorized intrusion or
disclosure of information about an individual (also
referred to as a data subject).
Management should perform a privacy impact analysis.


Human Resources Security

Security roles and responsibilities of employees,
contractors and third-party users should be defined and
documented in accordance with the organization's
information security policy.

Third Party Access

Third party access to an organization's information
processing facilities and processing and communication
of information must be controlled.
These controls must be agreed to and defined in a
contract with the third party.

Security Controls
An effective control is one that prevents, detects, and/or
contains an incident and enables recovery from an
event.
Controls can be:
o Proactive (safeguards): controls that attempt to prevent an incident
o Reactive (countermeasures): controls that allow the detection, containment and recovery from an incident

Security Awareness Training


An active security awareness program can greatly reduce risk
by addressing the behavioral element of security through
education and consistent application of awareness
techniques.
All employees of an organization and third-party users must
receive appropriate training and regular updates on the
importance of security policies, standards and procedures in
the organization.
In addition, all personnel must be trained in their specific
responsibilities related to information security.


Control Methods
Managerial
Controls related to the oversight, reporting, procedures and
operations of a process. These include policy, procedures,
balancing, employee development and compliance reporting.

Technical
Controls, also known as logical controls, that are provided through
the use of technology, a piece of equipment or a device. Examples
include firewalls, network or host-based intrusion detection
systems (IDSs), passwords and antivirus software. A technical
control requires proper managerial (administrative) controls to
operate correctly.

Physical
Controls such as locks, fences, closed-circuit TV (CCTV) and
devices that are installed to physically restrict access to a facility
or hardware. Physical controls require maintenance, monitoring
and the ability to assess and react to an alert should a problem be
indicated.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.5

Control Monitoring
To ensure controls are effective and properly monitored,
the IS auditor should:
o Validate that processes, logs and audit hooks have
been placed into the control framework.
o Ensure that logs are enabled, controls can be tested
and regular reporting procedures are developed.
o Ensure that control monitoring is built into the control
design.


System Access Permission

System access permission generally refers to a technical
privilege, such as the ability to read, create, modify or delete a
file or data; execute a program; or open or use an external
connection.
System access to computerized information resources is
established, managed and controlled at the physical and/or
logical level.
o Physical access controls restrict the entry and exit of
personnel to an area, such as an office building, suite, data
center or room, containing information processing equipment.
o Logical access controls restrict access to the logical resources
of the system (transactions, data, programs, applications) and
are applied when the subject resource is needed.

System Access Reviews

Roles should be assigned by the information owner or manager.
Access authorizations should be regularly reviewed to ensure that
they are still valid.
The IS auditor should evaluate the following criteria for defining
permissions and granting access:
o Need-to-know
o Accountability
o Traceability
o Least privilege
o SoD

Task 5.2

Evaluate the design, implementation,
maintenance, monitoring and reporting
of physical and environmental controls to
determine whether information assets
are adequately safeguarded.

Physical Access Issues

Physical access exposures may originate from natural and
man-made hazards, and can result in unauthorized access and
interruptions in information availability.
Exposures include:
o Unauthorized entry
o Damage, vandalism or theft of equipment or documents
o Copying or viewing of sensitive or copyrighted information
o Alteration of sensitive equipment and information
o Public disclosure of sensitive information
o Abuse of data processing resources
o Blackmail
o Embezzlement

Physical Access Controls
o Door locks (cipher, biometric, bolted, electronic)
o Manual or electronic logging
o Identification badges
o CCTV
o Security guards
o Controlled visitor access
o Computer workstation locks
o Controlled single entry point
o Deadman doors
o Alarm system

Physical Access Audit


The IS auditor should begin with a tour of the site and
then test physical safeguards.
Physical tests can be completed through visual
observations and review of documents such as fire
system tests, inspection tags and key lock logs.


Physical Access Audit (cont'd)

The test should include all paths of physical entry, as well as
the following locations:
o Computer and printer rooms
o UPS/generator
o Operator consoles
o Computer storage rooms
o Communication equipment
o Offsite backup storage facility
o Media storage

Environmental Exposures
Environmental exposures are due primarily to naturally occurring
events.
Common environmental exposures include:
o Power failure
 Total failure (blackout)
 Severely reduced voltage (brownout)
 Sags, spikes and surges
 Electromagnetic interference (EMI)
o Water damage/flooding
o Manmade concerns
 Terrorist threats/attacks
 Vandalism
o Equipment failure

Environmental Controls
Environmental exposures should be afforded the same level of
protection as other types of exposures. Possible controls include:
o Alarm control panels
o Water detectors
o Fire extinguishers
o Fire alarms and smoke detectors
o Fire suppression systems
o Fireproof and fire-resistant building and office materials
o Strategically located computer rooms
o Electrical surge protectors
o Emergency power-off switch
o Documented and tested BCPs and emergency evacuation plans
o Uninterruptible power supply/generator
o Power leads from two substations

Environmental Control Audit


The IS auditor should first establish the environmental risk by assessing
the location of the data center.
In addition, the IS auditor should verify that the following safeguards are
in place:
o Water and smoke detectors
o Strategic and visible location of handheld fire extinguishers
o Fire suppression system documentation and inspection by fire
department
o UPS/generator test reports
o Electrical surge protectors
o Documentation of fireproof building materials, use of redundant
power lines and wiring located in fire-resistant panels
o Documented and tested emergency evacuation plans and BCPs
o Humidity and temperature controls


Task 5.3

Evaluate the design, implementation,
maintenance, monitoring and reporting
of system and logical security controls to
verify the confidentiality, integrity and
availability of information.

Logical Access
Logical access is the ability to interact with computer
resources, granted using identification, authentication
and authorization.
Logical access controls are the primary means used to
manage and protect information assets.
IS auditors should be able to analyze and evaluate the
effectiveness of a logical access control in accomplishing
information security objectives and avoiding losses
resulting from exposures.


Logical Access (cont'd)

For IS auditors to effectively assess logical access
controls, they first need to gain a technical and
organizational understanding of the organization's IT
environment, including the following security layers:
o Network
o OS platform
o Database
o Application

Paths of Logical Access

Access or points of entry to an organization's IS
infrastructure can be gained through the following paths:
o Direct
o Local network
o Remote
General points of entry to either front-end or back-end
systems occur through network connectivity or remote
access.

Paths of Logical Access (cont'd)

Any point of entry not appropriately controlled can
potentially compromise the security of an organization's
sensitive and critical information resources.
The IS auditor should determine whether all points of
entry are identified and managed.

Logical Access Exposures

Technical exposures are the unauthorized activities
interfering with normal processing.
They include:
o Data leakage: Involves siphoning or leaking
information out of the computer
o Wiretapping: Involves eavesdropping on information
being transmitted over telecommunications lines
o Computer shutdown: Initiated through terminals or
personal computers connected directly (online) or
remotely (via the Internet) to the computer

Access Control Software

Access control software is used to prevent unauthorized
access to and modification of an organization's sensitive
data and the use of system-critical functions.
Access controls must be applied across all layers of an
organization's IS architecture, including networks,
platforms or OSs, databases and application systems.
Each access control usually includes:
o Identification and authentication
o Access authorization
o Verification of specific information resources
o Logging and reporting of user activities

Access Control Software Functions

General operating and/or application systems access control functions:
o Create or change user profiles.
o Assign user identification and authentication.
o Apply user logon limitation rules.
o Notification concerning proper use and access prior to initial login.
o Create individual accountability and auditability by logging user activities.
o Establish rules for access to specific information resources (e.g., system-level application resources and data).
o Log events.
o Report capabilities.

Database and/or application-level access control functions:
o Create or change data files and database profiles.
o Verify user authorization at the application and transaction level.
o Verify user authorization within the application.
o Verify user authorization at the field level for changes within a database.
o Verify subsystem authorization for the user at the file level.
o Log database/data communications access activities for monitoring access violations.

Access Control Types

Mandatory access controls (MACs)
o Logical access control filters used to validate access credentials
o Cannot be controlled or modified by normal users or data owners
o Act by default
o Prohibitive; anything that is not expressly permitted is forbidden

Discretionary access controls (DACs)
o Logical access controls that may be configured or modified by the users or data owners
o Cannot override MACs
o Act as an additional filter, prohibiting still more access with the same exclusionary principle
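The relationship between the two control types, as an added example that is not part of the ISACA material: a small Python policy check in which the MAC decision (labels and clearances set by an administrator, Bell-LaPadula style no-read-up and no-write-down) is evaluated first, and a DAC grant made by the resource owner can only add a further restriction, never loosen the MAC result. The users, labels and resource names are constructed for the illustration.

```python
"""Mandatory vs. discretionary access control: MAC is evaluated first and
cannot be overridden by owner-granted DAC permissions. Added illustration,
not ISACA's code; subjects, labels and resources are constructed sample data."""
from dataclasses import dataclass, field

# Ordered sensitivity labels; a higher index is more sensitive.
LEVELS = ["public", "internal", "confidential", "secret"]


@dataclass
class Subject:
    name: str
    clearance: str          # MAC attribute, set by the security administrator


@dataclass
class Resource:
    name: str
    owner: str
    label: str              # MAC attribute, cannot be changed by the owner
    acl: dict = field(default_factory=dict)   # DAC layer: user -> set of rights


def mac_permits(subject: Subject, resource: Resource, right: str) -> bool:
    """Confidentiality MAC in the Bell-LaPadula style: no read up (clearance
    must be at or above the label) and no write down (a subject may only
    write at or above its own clearance)."""
    clr = LEVELS.index(subject.clearance)
    lbl = LEVELS.index(resource.label)
    if right == "read":
        return clr >= lbl
    if right == "write":
        return clr <= lbl
    return False


def dac_permits(subject: Subject, resource: Resource, right: str) -> bool:
    """DAC: the owner holds all rights; anyone else needs an ACL entry."""
    if subject.name == resource.owner:
        return True
    return right in resource.acl.get(subject.name, set())


def grant(owner: Subject, resource: Resource, grantee: str, right: str) -> None:
    """Owners manage the DAC layer only; the label is out of their reach."""
    if owner.name != resource.owner:
        raise PermissionError(f"{owner.name} does not own {resource.name}")
    resource.acl.setdefault(grantee, set()).add(right)


def access(subject: Subject, resource: Resource, right: str) -> bool:
    """MAC is the first filter and DAC an additional one; both must allow."""
    return mac_permits(subject, resource, right) and dac_permits(subject, resource, right)


def demo() -> dict:
    """alice (secret) owns a secret report and shares it with bob (internal)
    through the ACL; the DAC grant succeeds but MAC still denies bob's read."""
    alice = Subject("alice", "secret")
    bob = Subject("bob", "internal")
    report = Resource("q3-report", owner="alice", label="secret")
    grant(alice, report, "bob", "read")          # DAC grant by the owner
    memo = Resource("memo", owner="bob", label="internal")
    return {
        "owner_reads_own_secret": access(alice, report, "read"),
        "bob_reads_secret_despite_acl": access(bob, report, "read"),
        "alice_reads_internal_memo_no_acl": access(alice, memo, "read"),
        "alice_writes_down_to_internal": access(alice, memo, "write"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The third and fourth results show the two halves of the slide: DAC can still refuse alice a read that MAC would permit (no ACL entry on bob's memo), while MAC alone refuses her write-down to the lower label even though bob could grant it.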

Network Infrastructure Security


The IS auditor should be familiar with risk and exposures related
to network infrastructure.
Network control functions should:
o Be performed by trained professionals, and duties should be
rotated on a regular basis.
o Maintain an audit trail of all operator activities.
o Restrict operator access from performing certain functions.
o Periodically review audit trails to detect unauthorized
activities.
o Document standards and protocols.
o Analyze workload balance, response time and system
efficiency.
o Encrypt data, where appropriate, to protect messages from
disclosure during transmission.

LAN Security
To gain a full understanding of the LAN, the IS auditor
should identify and document the following:
o Users or groups with privileged access rights
o LAN topology and network design
o LAN administrator/LAN owner
o Functions performed by the LAN administrator/owner
o Distinct groups of LAN users
o Computer applications used on the LAN
o Procedures and standards relating to network design,
support, naming conventions and data security


Virtualization
IS auditors need to understand the advantages and
disadvantages of virtualization to determine whether the
enterprise has considered the applicable risk in its decision to
adopt, implement and maintain this technology.
Some common advantages and disadvantages include:
Advantages
o Decreased server hardware costs.
o Shared processing capacity and storage space.
o Decreased physical footprint.
o Multiple versions of the same OS.
Disadvantages
o Inadequate host configuration could create vulnerabilities that affect not only the host, but also the guests.
o Data could leak between guests.
o Insecure protocols for remote access could result in exposure of administrative credentials.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.14

Client-Server Security
A client-server architecture is a group of computers connected by a
communications network in which the client is the
requesting machine and the server is the supplying
machine.
Several access routes exist in a client-server
environment.

Client-Server Security (cont'd)

The IS auditor should ensure that:
o Application controls cannot be bypassed.
o Passwords are always encrypted.
o Access to configuration or initialization files is kept to
a minimum.
o Access to configuration or initialization files is
audited.

Wireless Security
Wireless security requirements include the following:
o Authenticity: A third party must be able to verify that
the content of a message has not been changed in
transit.
o Nonrepudiation: The origin or the receipt of a specific
message must be verifiable by a third party.
o Accountability: The actions of an entity must be
uniquely traceable to that entity.
o Network availability: The IT resource must be
available on a timely basis to meet mission
requirements or to avoid substantial losses.

Internet Security
The IS auditor must understand the risk and security
factors needed to ensure that proper controls are in
place when a company connects to the Internet.
Network attacks involve probing for network information.
o Examples of passive attacks include network
analysis, eavesdropping and traffic analysis.


Internet Security (cont'd)

Once enough network information has been gathered,
an intruder can launch an actual attack against a
targeted system to gain control.
o Examples of active attacks include denial of service
(DoS), phishing, unauthorized access, packet replay,
brute force attacks and email spoofing.
The IS auditor should have a good understanding of the
following types of firewalls:
o Packet filtering
o Application firewall systems
o Stateful inspection

Internet Security (cont'd)

The IS auditor should also be familiar with common
firewall implementations, including:
o Screened-host firewall
o Dual-homed firewall
o Demilitarized zone (DMZ) or screened-subnet firewall
The IS auditor should be familiar with the types, features
and limitations of intrusion detection systems and
intrusion prevention systems.

Encryption
Encryption generally is used to:
o Protect data in transit over networks from
unauthorized interception and manipulation.
o Protect information stored on computers from
unauthorized viewing and manipulation.
o Deter and detect accidental or intentional alterations
of data.
o Verify authenticity of a transaction or document.


Encryption (cont'd)
Key encryption elements include:
o Encryption algorithm: A mathematically based
function that encrypts/decrypts data
o Encryption keys: A piece of information that is used
by the encryption algorithm to make the encryption or
decryption process unique
o Key length: A predetermined length for the key; the
longer the key, the more difficult it is to compromise

Encryption (cont'd)
There are two types of encryption schemes:
o Symmetric: a single key (usually referred to as the
secret key) is used for both encryption and decryption.
o Asymmetric: the decryption key is different from the one
used for encryption.
There are two main advantages of symmetric key systems
over asymmetric ones.
o The keys are much shorter for an equivalent level of
security.
o Symmetric key cryptosystems are generally less
complicated and, therefore, use less processing power.

Encryption (cont'd)
In a public key cryptography system, two keys work
together as a pair. One of the keys is kept private, while
the other one is publicly disclosed.
The underlying algorithm works even if the private key is
used for encryption and the public key for decryption.

Encryption (cont'd)
Digital signature schemes ensure:
o Data integrity: Any change to the plaintext
message would result in the recipient failing to
compute the same document hash.
o Authentication: The recipient can ensure that the
document has been sent by the claimed sender
because only the claimed sender has the private key.
o Nonrepudiation: The claimed sender cannot later
deny generating the document.
The IS auditor should be familiar with how a digital
signature functions to protect data.
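The two slides above (private key "encrypts" and public key "decrypts"; integrity, authentication and nonrepudiation) as an added Python example, not code from the ISACA material: textbook RSA applied to a SHA-256 digest, with fixed Mersenne primes so it runs offline. The key choice and the unpadded hash are simplifications made for the illustration; production signatures use randomly generated primes and a padding scheme such as RSA-PSS.

```python
"""Digital signature with textbook RSA over a SHA-256 digest. Added
illustration, not ISACA's code: it shows the private-key-encrypts /
public-key-decrypts mechanism and the three properties on the slide.
The primes are fixed Mersenne primes so the example runs offline; a real
implementation generates random primes and uses RSA-PSS padding, so treat
this as a demonstration of the mechanism only."""
import hashlib

E = 65537   # common public exponent


def make_keypair(p, q):
    """Return (public, private) as ((e, n), (d, n)) for primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)          # modular inverse of e (Python 3.8+)
    return (E, n), (d, n)


def digest(message: bytes) -> int:
    """Document hash as an integer; it must be smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """'Encrypt' the hash with the private key; only the key holder can."""
    d, n = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """'Decrypt' with the public key and compare with a freshly computed hash."""
    e, n = public_key
    return pow(signature, e, n) == digest(message)


# Constructed keys. 2^127-1, 2^521-1, 2^607-1 and 2^1279-1 are Mersenne
# primes; each modulus exceeds 2^256 so a SHA-256 digest fits below it.
SENDER_PUB, SENDER_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**607 - 1, 2**1279 - 1)


def demo() -> dict:
    """Integrity, authentication and (by implication) nonrepudiation."""
    doc = b"Transfer 1,000 to account 12345"
    sig = sign(doc, SENDER_PRIV)
    return {
        # the recipient's recomputed hash matches the decrypted signature
        "valid": verify(doc, sig, SENDER_PUB),
        # any change to the plaintext changes the hash: integrity fails
        "tampered": verify(b"Transfer 9,000 to account 12345", sig, SENDER_PUB),
        # a signature made with another private key fails: authentication
        "other_key": verify(doc, sign(doc, OTHER_PRIV), SENDER_PUB),
    }


if __name__ == "__main__":
    print(demo())
```

Nonrepudiation follows from the second and third results: a signature that verifies under the sender's public key can only have been produced with the matching private key, so the sender cannot later disown it, provided the private key was never disclosed.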

Malware
There are two primary methods to prevent and detect
malware that infects computers and network systems.
o Have sound policies and procedures in place
(preventive controls).
o Have technical controls (detective controls), such as
anti-malware software, including:
Scanners
Behavior blockers
Active monitors
Integrity CRC checkers
Immunizers
Neither method is effective without the other.

Task 5.4

Evaluate the design, implementation and
monitoring of the data classification
processes and procedures for alignment
with the organization's policies,
standards, procedures and applicable
external requirements.

Data Classification
In order to have effective controls, organizations must have a
detailed inventory of information assets.
Most organizations use a classification scheme with three to five
levels of sensitivity.
Data classification provides the following benefits:
o Defines level of access controls
o Reduces risk and cost of over- or under-protecting
information resources
o Maintains consistent security requirements
o Enables uniform treatment of data by applying level-specific
policies and procedures
o Identifies who should have access


Data Classification (cont'd)

The information owner should decide on the appropriate
classification, based on the organization's data classification and
handling policy.
Data classification should define:
o The importance of the information asset
o The information asset owner
o The process for granting access
o The person responsible for approving the access rights and
access levels
o The extent and depth of security controls
Data classification must also take into account legal, regulatory,
contractual and internal requirements for maintaining privacy,
confidentiality, integrity and availability.

Data Leakage
Data leakage involves the unauthorized transfer of sensitive
or proprietary information from an internal network to the
outside world.
Data leak prevention is a suite of technologies and associated
processes that locate, monitor and protect sensitive
information from unauthorized disclosure.


Data Leakage (cont'd)

DLP solutions have three key objectives:
o Locate and catalog sensitive information stored throughout
the enterprise.
o Monitor and control the movement of sensitive information
across enterprise networks.
o Monitor and control the movement of sensitive information
on end-user systems.

DLP Solutions
o Data at rest: Use crawlers to search for and log the location of
specific information sets.
o Data in motion: Use specific network appliances or embedded
technology to selectively capture and analyze traffic; use deep
packet inspection (DPI) to read contents within a packet's payload.
o Data in use: Use an agent to monitor data movement stemming
from actions taken by end users.
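A data-in-motion check of the kind the slide describes, as an added example that is not code from the ISACA material or from any DLP product: Python that scans constructed request payloads for card-number patterns and keeps only candidates that pass the Luhn checksum, which is what separates a real primary account number from an order number of the same length. The sample flows, the pattern and the masking format are assumptions made for the illustration.

```python
"""Data-in-motion DLP check: inspect payloads for card numbers and flag only
those that pass the Luhn check. Added illustration, not ISACA's code or any
vendor's engine; the payloads below are constructed samples."""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(payload: str) -> list:
    """Return the card numbers (digits only) found in one payload."""
    hits = []
    for m in PAN_RE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits so the finding can be logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect(flows: list) -> list:
    """flows: list of (src, dst, payload). Returns one decision per flow."""
    decisions = []
    for src, dst, payload in flows:
        pans = find_pans(payload)
        decisions.append({
            "src": src,
            "dst": dst,
            "action": "block" if pans else "allow",
            "matches": [mask(p) for p in pans],
        })
    return decisions


# Constructed sample traffic. 4111111111111111 is a widely used test PAN that
# passes Luhn; 4111111111111112 fails it, as an order number of the same
# length would be expected to.
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.9", "POST /upload card=4111 1111 1111 1111 exp=12/27"),
    ("10.0.0.5", "203.0.113.9", "order_id=4111111111111112 status=shipped"),
    ("10.0.0.7", "10.0.0.8", "weekly report attached, no payment data"),
]

if __name__ == "__main__":
    for d in inspect(SAMPLE_FLOWS):
        print(d)
```

The checksum is the difference between a usable control and one that blocks every sixteen-digit field; an auditor reviewing a DLP deployment should ask which validators, not just which patterns, are in force, and whether the engine sees the payload after TLS termination at all.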

Identification and Authentication

Logical access identification and authentication (I&A) is
the process of establishing and proving a user's identity.
For most systems, I&A is the first line of defense
because it prevents unauthorized people (or
unauthorized processes) from entering a computer
system or accessing an information asset.

Identification and Authentication (cont'd)

Some common I&A vulnerabilities include:
o Weak authentication methods
o Use of simple or easily guessed passwords
o The potential for users to bypass the authentication
mechanism
o The lack of confidentiality and integrity for the stored
authentication information
o The lack of encryption for authentication and
protection of information transmitted over a network
o The users' lack of knowledge of the risk associated
with sharing authentication elements

Authentication Methods
Authentication methods include:
o Logon IDs and passwords
o Tokens
o Biometrics
Multifactor authentication is the combination of more than one
authentication method.
Single sign-on (SSO) is the process for consolidating all of an
organization's platform-based administration, authentication and
authorization functions into a single centralized administrative
function.
The IS auditor should be familiar with the organization's
authentication policies.

Authorization
Authorization refers to the access rules that specify who
can access what.
Access control is often based on least privilege, which
refers to the granting to users of only those accesses
required to perform their duties.
The IS auditor needs to know what can be done with the
access and what is restricted.
The IS auditor must review access control lists (ACLs).
An ACL is a register of users who have permission to
use a particular system and the types of access
permitted.


Authorization Issues
Risks
o Denial of service
o Malicious third parties
o Misconfigured communications software
o Misconfigured devices on the corporate computing infrastructure
o Host systems not secured appropriately
o Physical security issues over remote users' computers

Controls
o Policy and standards
o Proper authorizations
o Identification and authentication mechanisms
o Encryption tools and techniques such as use of a VPN
o System and network management

System Logs
Audit trail records should be protected by strong access
controls to help prevent unauthorized access.
The IS auditor should ensure that the logs cannot be
tampered with, or altered, without leaving an audit trail.
When reviewing or performing security access follow-up,
the IS auditor should look for:
o Patterns or trends that indicate abuse of access
privileges, such as concentration on a sensitive
application
o Violations (such as attempting computer file access
that is not authorized) and/or use of incorrect
passwords


Review of Access Controls


Access controls and password administration are reviewed to
determine that:
o Procedures exist for adding individuals to the access list,
changing their access capabilities and deleting them from the
list.
o Procedures exist to ensure that individual passwords are not
inadvertently disclosed.
o Passwords issued are of an adequate length, cannot be easily
guessed and do not contain repeating characters.
o Passwords are periodically changed.
o User organizations periodically validate the access capabilities.
o Procedures provide for the suspension of user IDs or the
disabling of systems after a particular number of security
procedure violations.
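The review described on the last two slides as an added Python example (not ISACA's code): it parses a constructed audit trail and reports the logon IDs that reached the bad-password threshold, every denied access attempt, and a user whose successful activity concentrates on a sensitive application. The log format, the set of sensitive applications and the threshold of five are assumptions made for the illustration.

```python
"""Security access follow-up over a constructed audit trail: logon IDs that
exceeded the bad-password threshold (candidates for suspension), denied
access attempts, and concentration of activity on a sensitive application.
Added illustration, not ISACA's code; the log format, the sensitive
application list and the threshold are assumptions."""
from collections import Counter, defaultdict
import re

LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) app=(?P<app>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)
SENSITIVE_APPS = {"payroll", "hr-db"}   # assumption: from the data classification
LOCKOUT_THRESHOLD = 5                   # assumption: policy value


def parse(lines: list) -> list:
    """Return parsed events; lines that do not fit the format are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review(lines: list, threshold: int = LOCKOUT_THRESHOLD) -> dict:
    """Apply the three checks the review procedure calls for."""
    bad_pw = Counter()                 # user -> bad password count
    denied = defaultdict(list)         # user -> [(app, action), ...]
    sensitive_use = Counter()          # user -> successful sensitive-app events
    for ev in parse(lines):
        if ev["result"] == "BAD_PASSWORD":
            bad_pw[ev["user"]] += 1
        elif ev["result"] == "DENIED":
            denied[ev["user"]].append((ev["app"], ev["action"]))
        elif ev["result"] == "OK" and ev["app"] in SENSITIVE_APPS:
            sensitive_use[ev["user"]] += 1
    total = sum(sensitive_use.values())
    # Concentration: one of several users producing most sensitive-app activity.
    concentration = sorted(
        u for u, c in sensitive_use.items()
        if len(sensitive_use) > 1 and c / total > 0.5
    )
    return {
        "suspend": sorted(u for u, c in bad_pw.items() if c >= threshold),
        "denied": dict(denied),
        "concentration": concentration,
    }


# Constructed sample audit trail (not real log data).
SAMPLE_LOG = (
    [f"2016-03-01T09:00:{i:02d} user=jsmith src=198.51.100.7 app=vpn "
     f"action=login result=BAD_PASSWORD" for i in range(6)]
    + ["2016-03-01T09:01:00 user=jsmith src=198.51.100.7 app=vpn action=login result=OK",
       "2016-03-01T09:05:10 user=mlee src=10.0.0.21 app=payroll action=read result=DENIED",
       "2016-03-01T10:00:00 user=achen src=10.0.0.31 app=payroll action=read result=OK",
       "2016-03-01T10:01:00 user=achen src=10.0.0.31 app=wiki action=read result=OK",
       "this line is corrupt and is skipped by the parser"]
    + [f"2016-03-01T11:{i:02d}:00 user=rkhan src=10.0.0.30 app=payroll "
       f"action=export result=OK" for i in range(6)]
)

if __name__ == "__main__":
    for check, finding in review(SAMPLE_LOG).items():
        print(check, finding)
```

The sample deliberately includes a successful logon immediately after six failures: a lockout procedure that was actually enforced would have prevented it, so that pattern in a real trail is evidence that the control the slide asks about is not operating.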


Task 5.5

Evaluate the processes and procedures
used to store, retrieve, transport and
dispose of assets to determine whether
information assets are adequately
safeguarded.

Data Access Procedures


Management should define and implement procedures to prevent
access to, or loss of, sensitive information when it is stored,
disposed of or transferred to another user.
Such procedures must be created for the following:
o Backup files of databases
o Data banks
o Disposal of media previously used to hold confidential
information
o Management of equipment sent for offsite maintenance
o Public agencies and organizations concerned with sensitive,
critical or confidential information
o E-token electronic keys
o Storage records


Media Storage
To help avoid potential damage to media during shipping and
storage, the following precautions must be present:
o Keep out of direct sunlight.
o Keep free of dust.
o Keep free of liquids.
o Minimize exposure to magnetic fields, radio equipment or any
sources of vibration.
o Do not air transport in areas and at times of exposure to a
strong magnetic storm.


Mobile Computing
Mobile computing refers to devices that are transported or moved
during normal usage, including tablets, smartphones and laptops.
Mobile computing makes it more difficult to implement logical and
physical access controls.
Common mobile computing vulnerabilities include the following:
o Information may travel across unsecured wireless networks.
o The enterprise may not be managing the device.
o Unencrypted information may be stored on the device.
o The device may have a lack of authentication requirements.
o The device may allow for the installation of unsigned
third-party applications.


Mobile Computing Controls

The following controls will reduce the risk of disclosure of
sensitive data stored on mobile devices:
o Tagging
o Physical security
o Data storage
o Virus detection and control
o Encryption
o Compliance
o Approval
o Acceptable use policy
o Due care
o Awareness training
o Network authentication
o Secure transmission
o Standard applications
o Geolocation tracking
o Remote wipe and lock
o BYOD agreement
o Secure remote support
o Device registration

Other Data Controls

Other technologies that should be reviewed by the IS auditor
include:

Peer-to-peer computing
o Threats/vulnerabilities: viruses and malware; copyrighted content; excessive use; eavesdropping
o Controls: antivirus and anti-malware; block P2P traffic; restrict P2P exposure; establish policies or standards

Instant messaging (IM)
o Threats/vulnerabilities: viruses and malware; excessive use; IP address exposure
o Controls: antivirus and anti-malware; encrypt IM traffic; block IM traffic; restrict IM usage; establish policies or standards

Social media
o Threats/vulnerabilities: viruses and malware; undefined content rights; data exposure; excessive use
o Controls: establish clear policies; capture and log all communications; content filtering

Cloud computing
o Threats/vulnerabilities: lack of control and visibility; physical security; data disposal
o Controls: right-to-audit clause in the contract; restricted contract terms; encryption

Voice-Over IP (VoIP)
VoIP has a different architecture than traditional
circuit-based telephony, and these differences result in
significant security issues.
Security is needed to protect two assets: the data and
the voice.
Backup communication plans are important because if
the data network goes down, the telephone system
goes down too.

Private Branch Exchange

A private branch exchange (PBX) is a sophisticated computer-based switch that may be thought of as a small, in-house phone company. Failure to secure a PBX can result in:
o Theft of service
o Disclosure of information
o Data modification
o Unauthorized access
o Denial of service
o Traffic analysis
The IS auditor should understand the design and implementation of the PBX to determine how an intruder could exploit weaknesses or abuse normal functions.

Task 5.6

Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.

Computer Crimes
It is important that the IS auditor knows and understands the differences between computer crime and computer abuse to support risk analysis methodologies and related control practices. Examples of computer crimes include:
o Hacking
o Malware, viruses and worms
o Fraud
o Unauthorized access
o Phishing
o Brute force attacks
o Malicious code
o Network analysis
o Packet replay
o Masquerading
o Eavesdropping
o Denial of service (DoS)

Source: ISACA, CISA Review Manual, 26th Edition, figures 5.11 and 5.12

Security Incident Handling


To minimize damage from security incidents, a formal
incident response capability should be established.
Ideally, an organizational computer security incident
response team (CSIRT) or computer emergency
response team (CERT) should be formed with clear lines
of reporting and responsibilities.


Security Incident Handling (contd)


The IS auditor should:
o Ensure that the CSIRT is actively involved with users
to assist them in the mitigation of risk arising from
security failures and also to prevent security
incidents.
o Ensure that there is a formal, documented plan and
that it contains vulnerabilities identification, reporting
and incident response procedures to common,
security-related threats/issues.


Auditing ISM Framework

The IS auditor should review the following elements of the information security management framework:
o Written policies, procedures and standards
o Logical access security policies
o Formal security awareness and training
o Data ownership
o Data owners
o Data custodians
o Security administrator
o New IT users
o Data users
o Documented authorizations
o Terminated employee access
o Security baselines
o Access standards

Auditing Logical Access


When evaluating logical access controls, the IS auditor should:
o Obtain a clear understanding of the security risk facing
information processing through a review of relevant
documentation, interviews, physical walk-throughs and risk
assessments.
o Document and evaluate controls over potential access paths into
the system to assess their adequacy, efficiency and
effectiveness by reviewing appropriate hardware and software
security features and identifying any deficiencies or
redundancies.
o Test controls over access paths to determine whether they are
functioning and effective by applying appropriate audit
techniques.


Auditing Logical Access (contd)


In addition, the IS auditor should do the following when auditing
logical access:
o Evaluate the access control environment to determine if the
control objectives are achieved by analyzing test results and
other audit evidence.
o Evaluate the security environment to assess its adequacy and
compare it with appropriate security standards or practices and
procedures used by other organizations.
o Interview the IS manager and security administrator and review
organizational charts and job descriptions.
o Review access control software reports to monitor adherence to
security policies.
o Review the application systems operations manual.

Security Testing Techniques

Terminal cards and keys: The IS auditor can use sample cards and keys to attempt to gain access beyond what is authorized, and should follow up on any unsuccessful attempted violations (i.e., confirm that the attempts were logged and reported).

Terminal identification: The IS auditor can inventory terminals to look for incorrectly logged, missing or additional terminals.

Logon IDs and passwords: To test confidentiality, the IS auditor can attempt to guess passwords, find passwords by searching the office or get a user to divulge a password. To test encryption, the IS auditor should attempt to view the internal password table (stored passwords should not be readable in the clear). To test authorization, the IS auditor should review a sample of authorization documents to determine if proper authority was provided.

Security Testing Techniques (cont'd)

Computer access controls: The IS auditor should work with the system software analyst to determine if all access is on a need-to-know basis.

Computer access violations logging and reporting: The IS auditor should attempt to access computer transactions or data for which access is not authorized. The unsuccessful attempts should be identified on security reports.

Follow-up of access violations: The IS auditor should select a sample of security reports and look for evidence of follow-up and investigation of access violations.

Bypassing security and compensating controls: The IS auditor should work with the system software analyst, network manager, operations manager and security administrator to determine ways to bypass security and what compensating controls exist for them.
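The two review steps above (confirm that the auditor's own unauthorized attempts surface on the security report, and that reported violations show evidence of follow-up) can be scripted against an exported access-control report. The block below is an added example and is not part of the ISACA course material: the log extract, the follow-up register, the CSV layout and the user names are constructed assumptions for illustration.

```python
"""Audit check for access-violation logging and follow-up.

Added example (not from the ISACA course material). The CSV layout, the
user names and the test attempts are assumptions for illustration.
"""
import csv
import io
from collections import OrderedDict
from datetime import datetime

# Constructed extract from an access-control software report.
ACCESS_LOG = """\
timestamp,user,resource,action,result
2016-03-01T09:02:11,jsmith,PAYROLL.MASTER,READ,DENIED
2016-03-01T09:05:42,auditor01,PAYROLL.MASTER,READ,DENIED
2016-03-01T09:06:03,auditor01,HR.SALARY,UPDATE,DENIED
2016-03-01T10:15:27,jsmith,PAYROLL.MASTER,READ,DENIED
2016-03-01T10:15:31,jsmith,PAYROLL.MASTER,READ,DENIED
2016-03-01T10:15:36,jsmith,PAYROLL.MASTER,READ,DENIED
2016-03-01T11:40:00,mlee,GL.JOURNAL,UPDATE,ALLOWED
2016-03-02T14:22:09,tbrown,AP.VENDOR,DELETE,DENIED
"""

# Constructed follow-up register kept by the security administrator.
FOLLOWUP_REGISTER = """\
user,resource,investigated_on,disposition
jsmith,PAYROLL.MASTER,2016-03-01,role mismatch corrected
"""

# Unauthorized accesses the auditor deliberately attempted (assumed).
AUDITOR_ID = "auditor01"
AUDITOR_TESTS = [
    ("PAYROLL.MASTER", "READ"),
    ("HR.SALARY", "UPDATE"),
    ("GL.JOURNAL", "UPDATE"),   # attempted, but absent from the report
]


def parse_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def violations(records):
    """Group DENIED records by (user, resource, action).

    Returns an ordered dict mapping that key to (count, first_timestamp).
    """
    grouped = OrderedDict()
    for rec in records:
        if rec["result"] != "DENIED":
            continue
        key = (rec["user"], rec["resource"], rec["action"])
        ts = datetime.fromisoformat(rec["timestamp"])
        count, first = grouped.get(key, (0, ts))
        grouped[key] = (count + 1, min(first, ts))
    return grouped


def unlogged_auditor_tests(records, auditor=AUDITOR_ID, tests=AUDITOR_TESTS):
    """Auditor test attempts that the security report failed to record."""
    logged = {(res, act) for (user, res, act) in violations(records) if user == auditor}
    return [t for t in tests if t not in logged]


def violations_without_followup(records, register_text, ignore=(AUDITOR_ID,)):
    """Logged violations with no entry in the follow-up register."""
    investigated = {(row["user"], row["resource"]) for row in parse_csv(register_text)}
    return [key for key in violations(records)
            if key[0] not in ignore and (key[0], key[1]) not in investigated]


def repeated_violations(records, threshold=3):
    """Same denial hit repeatedly by one user: candidates for escalation."""
    return [key for key, (count, _) in violations(records).items() if count >= threshold]


def audit_report(log_text=ACCESS_LOG, register_text=FOLLOWUP_REGISTER):
    """Run all three checks and return the findings for the working papers."""
    records = parse_csv(log_text)
    return {
        "unlogged_tests": unlogged_auditor_tests(records),
        "no_followup": violations_without_followup(records, register_text),
        "repeated": repeated_violations(records),
    }


if __name__ == "__main__":
    for finding, items in audit_report().items():
        print(finding, items)
```

An attempt that was made but never appears on the report is the more serious finding, because it means the logging control itself failed rather than the follow-up process; the script reports it separately for that reason.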

Investigation Techniques
If a computer crime occurs, it is very important that proper
procedures are used to collect evidence.
o Damaged evidence can hinder prosecution.
o After a computer crime, the environment and evidence
must be left unaltered and examined by specialist law
enforcement officials.
Any electronic document or data may be used as digital
evidence.
An IS auditor may be required or asked to be involved in a
forensic analysis to provide expert opinion or to ensure the
correct interpretation of information gathered.


Investigation Techniques (cont'd)

Identify: the identification of information that is available and might form the evidence of an incident

Preserve: the practice of retrieving the identified information and preserving it as evidence

Analyze: extracting, processing and interpreting the evidence

Present: presenting the findings to the various audiences, such as management, attorneys and the court
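The Preserve step is where the integrity of the evidence is established, and it is what makes the later Analyze and Present steps defensible. As an added example that is not part of the ISACA material, the block below hashes an acquired image at acquisition time, records every custody hand-over, and refuses a working copy that no longer matches the acquisition hash; the image bytes, item identifier, names and timestamps are constructed for illustration.

```python
"""Evidence preservation and chain-of-custody check.

Added example (not from the ISACA material). The image bytes, the item
identifier, the people and the timestamps are constructed assumptions.
"""
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the bytes of an acquired disk image.
ORIGINAL_IMAGE = (b"\x33\xc0\x8e\xd0" * 16
                  + b"payroll_export_2016-03.csv\x00"
                  + b"\x00" * 200)


@dataclass
class EvidenceRecord:
    """What the custody log must hold for one item of digital evidence."""
    item_id: str
    sha256: str
    size: int
    custody: list = field(default_factory=list)   # (iso_time, person, action)


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire(item_id: str, data: bytes, collector: str, when: str) -> EvidenceRecord:
    """Hash the image at acquisition; this is the reference for every later check."""
    rec = EvidenceRecord(item_id, fingerprint(data), len(data))
    rec.custody.append((when, collector, "acquired and hashed"))
    return rec


def transfer(rec: EvidenceRecord, who: str, when: str, action: str) -> EvidenceRecord:
    """Record every hand-over so the chain of custody has no gaps."""
    rec.custody.append((when, who, action))
    return rec


def verify_copy(rec: EvidenceRecord, data: bytes) -> bool:
    """A working copy may be analysed only if it still matches the acquisition hash."""
    return len(data) == rec.size and fingerprint(data) == rec.sha256


def custody_is_continuous(rec: EvidenceRecord) -> bool:
    """Entries must start with acquisition and be in chronological order."""
    if not rec.custody or not rec.custody[0][2].startswith("acquired"):
        return False
    times = [when for when, _, _ in rec.custody]   # ISO-8601 strings sort correctly
    return times == sorted(times)


def demo():
    rec = acquire("HDD-001", ORIGINAL_IMAGE, "IS auditor", "2016-03-02T08:15:00")
    transfer(rec, "forensic analyst", "2016-03-02T09:00:00", "received for analysis")
    tampered = bytearray(ORIGINAL_IMAGE)
    tampered[70] ^= 0x01          # a single flipped bit in the working copy
    return {
        "clean_copy_ok": verify_copy(rec, ORIGINAL_IMAGE),
        "tampered_copy_ok": verify_copy(rec, bytes(tampered)),
        "truncated_copy_ok": verify_copy(rec, ORIGINAL_IMAGE[:-1]),
        "custody_ok": custody_is_continuous(rec),
    }


if __name__ == "__main__":
    print(demo())
```

The hash is taken once, on the original acquisition, and every later copy is checked against that value rather than against another copy; a custody entry dated before the acquisition, or out of sequence, is treated as a break in the chain.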

Computer Forensics
The IS auditor should give consideration to key elements of
computer forensics during audit planning, including the
following:
o Data protection
o Data acquisition
o Imaging
o Extraction
o Interrogation
o Ingestion/normalization
o Reporting


Auditing Network Infrastructure

When performing an audit of the network infrastructure, the IS auditor should:
o Review the following documents:
  Network diagrams
  SLAs
  Network administrator procedures
  Network topology design
o Identify the network design implemented.
o Determine that applicable security policies, standards, procedures and guidance on network management and usage exist and have been distributed.
o Identify who is responsible for security and operation of Internet connections.
o Determine whether consideration has been given to the legal problems arising from use of the Internet.
o Determine whether a vulnerability scanning process is in place.

Auditing Remote Access


IS auditors should determine that all remote access
capabilities used by an organization provide for effective
security of the organizations information resources.
This includes:
o Ensuring that remote access security controls are
documented and implemented for authorized users
o Reviewing existing remote access architectures for points
of entry
o Testing access controls


Penetration Testing
During penetration testing, an auditor attempts to circumvent the
security features of a system and exploits the vulnerabilities to
gain access that would otherwise be unauthorized.

Phases of a penetration test (figure 5.22): Planning, Discovery, Attack and Reporting. Additional discovery during the attack phase feeds back into discovery as new information about the target is found.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.22

Types of Penetration Tests

External testing: attacks and control circumvention attempts on the target's network perimeter from outside the target's systems

Internal testing: attacks and control circumvention attempts on the target from within the perimeter

Blind testing: testing in which the penetration tester is provided with limited or no knowledge of the target's information systems

Double blind testing: an extension of blind testing in which the administrator and security staff at the target are also not aware of the test

Targeted testing: attacks and control circumvention attempts on the target while both the target's IT team and the penetration testers are aware of the testing activities

Domain 5 Summary
Evaluate the information security and privacy policies,
standards and procedures.
Evaluate the design, implementation, maintenance,
monitoring and reporting of physical and environmental
controls.
Evaluate the design, implementation, maintenance,
monitoring and reporting of system and logical security
controls.


Domain 5 Summary (cont'd)

Evaluate the design, implementation and monitoring of the data classification processes and procedures.
Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets.
Evaluate the information security program.

Discussion Question
The CSIRT of an organization disseminates detailed descriptions of recent threats. An IS auditor's GREATEST concern should be that the users may:
A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.

Discussion Question
Which of the following is the BEST way for an IS auditor to
determine the effectiveness of a security awareness and
training program?
A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.


Discussion Question
A hard disk containing confidential data was damaged
beyond repair. What should be done to the hard disk to
prevent access to the data residing on it?
A. Rewrite the hard disk with random 0s and 1s.
B. Low-level format the hard disk.
C. Demagnetize the hard disk.
D. Physically destroy the hard disk.


EXAM PRACTICE


Question 1
An IS auditor is developing an audit plan for an environment that includes new systems. The company's management wants the IS auditor to focus on recently implemented systems. How should the IS auditor respond?
A. Audit the new systems as requested by management.
B. Audit systems not included in last year's scope.
C. Determine the highest-risk systems and plan accordingly.
D. Audit both the systems not in last year's scope and the new systems.

Question 2
To ensure that audit resources deliver the best value to the
organization, the FIRST step would be to:
A. schedule the audits and monitor the time spent on
each audit.
B. train the IS audit staff on current technology used in
the company.
C. develop the audit plan on the basis of a detailed risk
assessment.
D. monitor progress of audits and initiate cost control
measures.


Question 3
The PRIMARY objective of the audit initiation meeting with
an IS audit client is to:
A. discuss the scope of the audit.
B. identify resource requirements of the audit.
C. select the methodology of the audit.
D. review requested evidence provided by the audit
client.


Question 4
The effect of which of the following should have priority in
planning the scope and objectives of an IS audit?
A. Applicable statutory requirements
B. Applicable corporate standards
C. Applicable industry best practices
D. Organizational policies and procedures


Question 5
An audit manager reviews the staff's audit papers, even when the IS auditors have many years of experience, because this is required by:
A. internal quality requirements.
B. the audit guidelines.
C. the audit methodology.
D. professional standards.

Question 6
An IS audit department considers implementing continuous
auditing techniques for a multinational retail enterprise that
requires high availability of its key systems. A PRIMARY
benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.


Question 7
The internal audit department has written some scripts that are used for
continuous auditing of some information systems. The IT department has asked
for copies of the scripts so that they can use them for setting up a continuous
monitoring process on key systems. Would sharing these scripts with IT affect
the ability of the IS auditors to independently and objectively audit the IT
function?
A. Sharing the scripts is not permitted because it would give IT the ability to
pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review
all programs and software that runs on IS systems regardless of audit
independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits
may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS
auditors who wrote the scripts would not be permitted to audit any IS
systems where the scripts are being used for monitoring.


Question 8
The success of control self-assessment (CSA) depends
highly on:
A. having line managers assume a portion of the
responsibility for control monitoring.
B. assigning staff managers the responsibility for
building, but not monitoring, controls.
C. the implementation of a stringent control policy and
rule-driven controls.
D. the implementation of supervision and the monitoring
of controls of assigned duties.


Question 9
When conducting an IT security risk assessment, the IS auditor
asked the IT security officer to participate in a risk identification
workshop with users and business unit representatives. What is
the MOST important recommendation that the IS auditor should
make to obtain successful results and avoid future conflicts?
A. Ensure that the IT security risk assessment has a clearly
defined scope.
B. Require the IT security officer to approve each risk rating
during the workshop.
C. Suggest that the IT security officer accept the business
unit risk and rating.
D. Select only commonly accepted risk with the highest
submitted rating.


Question 10
An IS auditor is performing an audit in the data center when
the fire alarm begins sounding. The audit scope includes
disaster recovery, so the auditor observes the data center
staff response to the alarm. Which of the following is the
MOST important action for the data center staff to complete
in this scenario?
A. Notify the local fire department of the alarm condition.
B. Prepare to activate the fire suppression system.
C. Ensure that all persons in the data center are
evacuated.
D. Remove all backup tapes from the data center.


Question 11
When evaluating the controls of an
electronic data interchange (EDI)
application, an IS auditor should
PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.


Question 12
An organization is replacing a payroll program that
it developed in-house, with the relevant subsystem
of a commercial enterprise resource planning
(ERP) system. Which of the following would
represent the HIGHEST potential risk?
A. Undocumented approval of some project
changes
B. Faulty migration of historical data from the
old system to the new system
C. Incomplete testing of the standard
functionality of the ERP subsystem
D. Duplication of existing payroll permissions on
the new ERP subsystem

Question 13
An IS auditor reviewing a series of completed projects finds that the implemented functionality often exceeded requirements and most of the projects ran significantly over budget. Which of these areas of the organization's project management process is the MOST likely cause of this issue?
A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management

Question 14
Which of the following techniques would BEST help an
IS auditor gain reasonable assurance that a project can
meet its target date?
A. Estimation of the actual end date based on the
completion percentages and estimated time to
complete, taken from status reports
B. Confirmation of the target date based on
interviews with experienced managers and staff
involved in the completion of the project
deliverables
C. Extrapolation of the overall end date based on
completed work packages and current resources
D. Calculation of the expected end date based on
current resources and remaining available project
budget

Question 15
An IS auditor has been asked to participate in project initiation meetings for a critical project. The IS auditor's MAIN concern should be that the:
A. complexity and risk associated with the project have been analyzed.
B. resources needed throughout the project have been determined.
C. technical deliverables have been identified.
D. contract for external parties involved in the project has been completed.

Question 16
The PRIMARY objective of service-level management
(SLM) is to:
A. define, agree on, record and manage the required
levels of service.
B. ensure that services are managed to deliver the
highest achievable level of availability.
C. keep the costs associated with any service at a
minimum.
D. monitor and report any legal noncompliance to
business management.


Question 17
The BEST audit procedure to determine if unauthorized
changes have been made to production code is to:
A. examine the change control system records and trace
them forward to object code files.
B. review access control permissions operating within
the production program libraries.
C. examine object code to find instances of changes and
trace them back to change control records.
D. review change approved designations established
within the change control system.


Question 18
Which of the following is the BEST method for determining
the criticality of each application system in the production
environment?
A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent application audits.
D. Perform a business impact analysis (BIA).


Question 19
Which of the following issues should be the GREATEST concern
to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most
essential systems were tested. The other systems were
tested separately during the rest of the year.
B. During the test, some of the backup systems were
defective or not working, causing the test of these systems
to fail.
C. The procedures to shut down and secure the original
production site before starting the backup site required far
more time than planned.
D. Every year, the same employees perform the test. The
recovery plan documents are not used because every step
is well known by all participants.

Question 20
Which of the following groups is the BEST source of information for determining the criticality of application systems as part of a business impact analysis (BIA)?
A. Business process owners
B. IT management
C. Senior business management
D. Industry experts

Question 21
While designing the business continuity plan (BCP) for an
airline reservation system, the MOST appropriate method
of data transfer/backup at an offsite location would be:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.


Question 22
The information security policy that states each individual
must have his/her badge read at every controlled door
addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation


Question 23
An IS auditor discovers that uniform resource locators
(URLs) for online control self-assessment questionnaires
are sent using URL shortening services. The use of URL
shortening services would MOST likely increase the risk of
which of the following attacks?
A. Internet protocol (IP) spoofing
B. Phishing
C. Structured query language (SQL) injection
D. Denial-of-service (DoS)


Question 24
A company is planning to install a network-based intrusion
detection system (IDS) to protect the web site that it hosts.
Where should the device be installed?
A. On the local network
B. Outside the firewall
C. In the demilitarized zone (DMZ)
D. On the server that hosts the web site


Question 25
What would be the MOST effective control for enforcing
accountability among database users accessing sensitive
information?
A. Implement a log management process.
B. Implement a two-factor authentication.
C. Use table views to access sensitive data.
D. Separate database and application servers.


Question 26
What is the BEST approach to mitigate the risk of a
phishing attack?
A. Implementation of an intrusion detection system (IDS)
B. Assessment of web site security
C. Strong authentication
D. User education


Question 27
Which of the following BEST encrypts data on mobile
devices?
A. Elliptical curve cryptography (ECC)
B. Data encryption standard (DES)
C. Advanced encryption standard (AES)
D. The Blowfish algorithm


Question 28
When protecting an organization's IT systems, which of the following is normally the next line of defense after the network firewall has been compromised?
A. Personal firewall
B. Antivirus programs
C. Intrusion detection system (IDS)
D. Virtual local area network (VLAN) configuration

Question 29
Which of the following would MOST effectively enhance the
security of a challenge-response based authentication
system?
A. Selecting a more robust algorithm to generate
challenge strings
B. Implementing measures to prevent session hijacking
attacks
C. Increasing the frequency of associated password
changes
D. Increasing the length of authentication strings


Question 30
An IS auditor is reviewing a software-based firewall
configuration. Which of the following represents the
GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule
in the rule base.
B. is installed on an operating system with default
settings.
C. has been configured with rules permitting or denying
access to systems or networks.
D. is configured as a virtual private network (VPN)
endpoint.


THANK YOU!
