Certified Information Systems Auditor (CISA®)
Introduction to CISA
Certified Information Systems Auditor is a registered trademark of ISACA. ISACA® is a registered trademark of the Information Systems Audit and Control Association. © Simplilearn. All rights reserved.

Learning Objectives
By the end of this introductory domain, you will be able to:
• Describe CISA
• Demonstrate your understanding of the ISACA organization
• Discuss the history of CISA
• Understand the current CISA syllabus
• Describe the value of CISA
• List the requirements for certification and how to maintain the certification
• Outline the structure of the CISA exam

Introduction to CISA
Introduced by ISACA in 1978, CISA has grown in stature, professional offering, and global influence. It is a widely recognized certification because:
● CISA is the preferred certification for information systems control, assurance, and security professionals.
● CISA is designed to attract information systems auditors, people concerned with technology security, educators, and even CIOs.

ISACA
ISACA formerly stood for Information Systems Audit and Control Association. The organization is now known by the acronym ISACA alone, to reflect the range of IT governance professionals it serves. ISACA was founded in 1969 as a nonprofit organization and (as of 2019) has over 159,000 members in 188 countries.
ISACA offers the following certifications:
• Certified Information Systems Auditor® (CISA®)
• Certified Information Security Manager® (CISM®)
• Certified in the Governance of Enterprise IT® (CGEIT®)
• Certified in Risk and Information Systems Control® (CRISC®)
ISACA has also developed COBIT 5, Risk IT, and Val IT, which it continually updates.
History of CISA
• Introduced in 1978
• First exam administered in 1981
• Approved by the United States Department of Defense as part of its assurance framework
• In 2011 the curriculum changed from six domains to five

Current CISA Syllabus
The CISA syllabus (2019) is divided into five domains. The exam has 150 multiple-choice questions and lasts four hours. Beginning June 2019, ISACA offers continuous testing, with a 365-day exam eligibility period in which to take the exam.
Summary of the CISA domains and their exam weighting:
• Domain 1, Information Systems Auditing Process: 21%
• Domain 2, Governance and Management of IT: 17%
• Domain 3, Information Systems Acquisition, Development, and Implementation: 12%
• Domain 4, Information Systems Operations and Business Resilience: 23%
• Domain 5, Protection of Information Assets: 27%
• Total: 100%

Value of CISA
• Globally accepted and recognized certification
• Increased value at the workplace
• Increased confidence
• Numerous benefits of the CISA designation
• Achievement of a high professional standard
• Trust and recognition for expertise
• Higher earnings and greater career growth

CISA Certification
The steps to obtain the CISA certification are:
• Pass the CISA exam with a scaled score of at least 450
• Apply for certification: a minimum of five years of experience in the IS audit domain areas is needed. The application must be submitted within five years of sitting the exam. Experience waivers are possible; see the ISACA website for details.
• Agree to the Code of Professional Ethics
• Comply with the Continuing Professional Education (CPE) Program
• Comply with the IS auditing standards

CISA Examination
The CISA exam is prepared with the aim of gauging and testing hands-on skills in information systems control and audit.
• Exam title: Certified Information Systems Auditor (CISA®)
• Exam duration: four hours to answer 150 multiple-choice questions covering five practice areas
• Exam type: computer-based
• Question type: multiple-choice
• Pass requirement: a candidate must receive a scaled score of 450 or higher to pass
• Scaled score: a scaled score is a conversion of a candidate's raw score on the exam to a common scale. Candidates' scores are reported as scaled scores. ISACA uses and reports scores on a common scale from 200 to 800.

Certified Information Systems Auditor (CISA®)
Information Systems Auditing Process

Learning Objectives
By the end of this domain, you will be able to:
• Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization
• Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy
• Communicate audit progress, findings, results, and recommendations to stakeholders
• Conduct an audit follow-up to evaluate whether risks have been sufficiently addressed
• Evaluate IT management and monitoring of controls
• Utilize data analytics tools to streamline the audit process
• Provide consulting services and guidance to the organization in order to improve the quality and control of information systems
• Identify opportunities for process improvement in the organization's IT policies and practices

Part A: Planning
The following topics are covered in Part A:
• IS audit standards, guidelines, and codes of ethics
• Business processes
• Types of controls
• Risk-based audit planning
• Types of audits and assessments

1.1 IS Audit Standards, Guidelines, and Codes of Ethics
Introduction
The credibility of an audit is based, in part, on the use of commonly accepted standards. ISACA is the global pioneer of IS audit and assurance standards, guidelines, tools and techniques, and a Code of Professional Ethics. ISACA standards provide a benchmark for IS audit.
Main Areas of Coverage
The main areas covered under this knowledge statement are:
• ISACA IS Audit and Assurance Standards framework
• ISACA IS Audit and Assurance Guidelines
• ISACA IS Audit and Assurance Tools and Techniques
• Relationship between standards, guidelines, and tools and techniques
• ISACA Code of Professional Ethics
The CISA exam tests your understanding of how the standards and guidelines are applied.

Categories of Standards and Guidelines
General: this category applies to all assignments and contains the guiding principles for IS assurance. It covers:
o Ethics
o Independence
o Objectivity
o Due care
o Knowledge
o Competence
o Skill
Performance: this category deals with the conduct of IS audit and assurance assignments.
It covers:
o Planning
o Scoping
o Risk
o Materiality
o Supervision
o Exercise of professional judgement
o Due care
Reporting: this category covers:
o Reports
o Information
o Means of communication

ISACA IS Audit and Assurance Standards
General:
• 1001 Audit Charter
• 1002 Organizational Independence
• 1003 Professional Independence
• 1004 Reasonable Expectation
• 1005 Due Professional Care
• 1006 Proficiency
• 1007 Assertions
• 1008 Criteria
Performance:
• 1201 Engagement Planning
• 1202 Risk Assessment in Planning
• 1203 Performance and Supervision
• 1204 Materiality
• 1205 Evidence
• 1206 Using the Work of Other Experts
• 1207 Irregularity and Illegal Acts
Reporting:
• 1401 Reporting
• 1402 Follow-up Activities

ISACA IS Audit and Assurance Guidelines
General:
• 2001 Audit Charter
• 2002 Organizational Independence
• 2003 Professional Independence
• 2004 Reasonable Expectation
• 2005 Due Professional Care
• 2006 Proficiency
• 2007 Assertions
• 2008 Criteria
Performance:
• 2201 Engagement Planning
• 2202 Risk Assessment in Planning
• 2203 Performance and Supervision
• 2204 Materiality
• 2205 Evidence
• 2206 Using the Work of Other Experts
• 2207 Irregularity and Illegal Acts
• 2208 Sampling
Reporting:
• 2401 Reporting
• 2402 Follow-up Activities

ISACA Code of Professional Ethics
ISACA has set forth a code governing the professional conduct and ethics of all certified IS auditors and members of the association. Members and certification holders shall:
• Support the implementation of, and encourage compliance with, appropriate standards, procedures, and controls for information systems.
• Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
• Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
• Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by a legal authority.
Such information shall not be used for personal benefit or released to inappropriate parties.
• Maintain competency in their respective fields and agree to undertake only those activities that they can reasonably expect to complete with professional competence.
• Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
• Support the professional education of stakeholders to enhance their understanding of information systems security and control.
Failure to comply with the Code of Professional Ethics can result in an investigation into a member's and/or certification holder's conduct and, ultimately, in disciplinary measures.

ISACA IT Audit and Assurance Standards Framework: Objective
The objectives of the IS audit and assurance standards are to inform:
• IS auditors of the minimum level of performance required to meet the professional responsibilities set out in the Code of Professional Ethics
• Management and other interested parties of the profession's requirements regarding the work of audit practitioners
• CISA certification holders that failure to meet these standards results in a review of their conduct by the ISACA board of directors, which may ultimately result in disciplinary action

ISACA IS Audit and Assurance Guidelines
• The ISACA IS Audit and Assurance Guidelines provide additional information on how to comply with the ISACA IT Audit and Assurance Standards.
• The IS auditor should use professional judgment and be able to justify any departure from the guidelines.
• Guideline documents are identified by the prefix G followed by a number, for example "G10". There are 42 guidelines.
ISACA IS Audit Guidelines
• Using the Work of Other Auditors
• Audit Evidence Requirement
• Audit Sampling
• Effect of Pervasive IS Controls
• Irregularities and Illegal Acts
• Computer Forensics
• Configuration Management
• Reporting
• Post-implementation Review
• Access Controls
• Use of Computer-Assisted Audit Techniques (CAATs)
• Organizational Relationship and Independence
• Enterprise Resource Planning (ERP) Systems Review
• Competence
• IT Organization
• Outsourcing of IS Activities to Other Organizations
• Use of Risk Assessment in Audit Planning
• Business-to-Consumer (B2C) E-commerce Review
• Privacy
• Review of Security Management Practices
• Audit Charter
• Application Systems Review
• System Development Life Cycle (SDLC) Review
• Business Continuity Plan (BCP) Review from an IT Perspective
• Return on Security Investment (ROSI)
• Materiality Concepts for Auditing Information Systems
• Planning
• Internet Banking
• General Considerations on the Use of the Internet
• Continuous Assurance
• Due Professional Care
• Effect of Third Parties on an Organization's IT Controls
• Review of Virtual Private Networks
• Responsibility, Authority, and Accountability
• Audit Documentation
• Effect of a Non-audit Role on the IS Auditor's Independence
• Business Process Reengineering (BPR) Project Reviews
• Follow-up Activities
• Audit Considerations for Irregularities and Illegal Acts
• IT Governance
• Mobile Computing
• Biometric Controls

ISACA IS Audit and Assurance Tools and Techniques
IS audit and assurance tools and techniques provide additional guidance to IS audit and assurance professionals. They include:
• White papers
• Reference books
• IS audit and assurance programs
• COBIT 5 family of products
Tools and techniques are listed at www.isaca.org/itaf.

ISACA's standards and guidelines related to audit (ITAF™) are organized in sections:
• Section 2200 General Standards
• Section 2400 Performance Standards
• Section 2600 Reporting Standards
• Section 3000 IT Assurance Guidelines
• Section 3200 Enterprise Topics
• Section 3400 IT Management Processes
• Section 3600 IT Audit and Assurance Processes
• Section 3800 IT Audit and Assurance Management

Business Processes
A business process is an interrelated set of cross-functional activities or events that result in the delivery of a specific product or service to a customer. An IS auditor must understand and evaluate the business processes being audited. An internal audit function must be independent and report to the audit committee or to the board of directors.

Audit Charter
An audit charter is a high-level document that defines the purpose, authority, and responsibility of the internal audit activity. It:
• Grants and assigns authorization, responsibility, and accountability to the auditor
• Guides the auditor in obtaining approval
• Defines the scope of the audit function's activities
• Is issued by the board of directors or the audit committee, or by senior management in their absence

Fundamental Business Processes
• Understand the underlying business process that is audited
• Understand the role that information systems play in these processes
• IS auditing involves assessing IS-related controls and understanding the control objectives
• Identify the key controls that help achieve a well-controlled environment, according to the standards

Audit Planning
• Audit planning is the first step of the audit process.
The auditor's responsibilities during the planning phase include:
• Gaining an understanding of the client and its business
• Establishing priorities
• Determining an audit strategy
• Determining the type of evidence to collect, based on the risk levels
• Assigning personnel resources to the audit
• Scheduling with the client to coordinate activities
The result of a well-researched and completed audit plan is an audit program.

Fundamental Business Processes: Transaction Examples
A bank may have various kinds of transactions:
• Mobile banking
• ATM transactions
• Over-the-counter transactions (for example, deposits and withdrawals)
A chain store may have point-of-sale (PoS) transactions with credit card information or cash, and extranet transactions with suppliers (Electronic Data Interchange).

Using the Services of Other Auditors and Experts
IS audit and assurance professionals should:
• Consider using the work of other experts when there are constraints that would impair work performance, or when there are potential gains in the quality of the engagement.
• Assess and approve the adequacy of the other experts' professional qualifications, competencies, relevant experience, resources, independence, and quality-control processes prior to the engagement.
• Assess, review, and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use of and reliance on their work.

1.2 Business Processes
Relationship between Standards, Guidelines, and Tools and Techniques
• Standards are mandatory.
• Guidelines provide assistance on how the IS auditor can implement the standards in audits.
• Tools and techniques provide examples of steps that the auditor may follow in audits.
The IS auditor must use professional judgment when applying guidelines, tools, and techniques. Legal and regulatory requirements may sometimes be more stringent than the standards.
In that case, the IS auditor should ensure compliance with the more stringent legal or regulatory requirements.

Types of Controls
Control Principles
• Understand how the controls function
• Explain how those control principles relate to information systems

Internal Controls
Internal controls are an enterprise's internal processes implemented to achieve specific objectives while minimizing risk. They are the policies, procedures, practices, and organizational structures put in place to reduce risk. They provide reasonable assurance to management that business objectives will be achieved and that undesirable events will be prevented, detected, and corrected. They can be manual or automated.

Internal controls have two broad objectives:
• Increase the likelihood of an objective or desirable event. Examples of such objectives:
o Ensure that business requirements are clearly documented and understood
o Ensure software delivery without time and cost overruns
o Ensure testing before release
• Decrease the likelihood of an undesirable event occurring. Examples of undesirable events:
o Virus outbreak
o Unfulfilled project objectives
In other words, internal controls consider two things: what can be achieved, and what can be avoided.
Internal control procedures fall into two categories: general control procedures and information system control procedures.

Classification of Internal Controls
Preventive controls
• Predict and prevent problems before they occur
• Monitor operations and inputs so that errors are stopped before they enter the system
• Examples:
o Segregation of duties
o Maker-checker (four-eyes principle)
o Input and access controls (physical and logical)
o Encryption of data at rest and in transit
Detective controls
• Detect and report intentional and unintentional errors after they occur
• Report the incidence of errors, attacks, and omissions as they occur
• Examples:
o Logs
o Error messages
o Hash totals
o Rechecking of calculations
o Scrutiny of reports
o Code review
o Internal audit function
o Logical and physical access logging, such as application audit trails, database security logging, server room access control, and door logging that records who entered and when
Corrective controls
• Minimize the impact of a threat and rectify the cause of a problem
• Correct detected errors
• Root cause analysis, followed by changes to minimize future occurrences
• Examples:
o Disaster recovery and business continuity planning
o Incident response
o Backups, to ensure recovery by restoring data
o Reruns of failed processes

General Controls
General controls are the policies and procedures that apply to all areas of an organization, including the IT infrastructure and support services.
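The classification above is easiest to see when the controls are actually tested. The following is an added example for this section, not course material or ISACA code: an audit test, of the kind an auditor would run with a CAAT, over a constructed payment batch. It exercises a preventive control (maker-checker, i.e. segregation of duties between the user who keys a payment and the user who approves it) and a detective control (batch control totals, including a hash total over the beneficiary account numbers). The batch records, field layout, and control totals are all invented for illustration.

```python
"""Audit test of a preventive control (maker-checker / segregation of duties)
and a detective control (batch control totals with a hash total) over a
constructed payment batch.

Added example; not course material or ISACA code. The batch, the record
layout, and the recorded control totals are constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Payment:
    txn_id: str
    maker: str        # user who keyed the payment
    checker: str      # user who approved it ("" if never approved)
    account: str      # beneficiary account, e.g. "ACC-1001"
    amount_cents: int


# Constructed batch, as it might be exported from a payment system.
BATCH = [
    Payment("T001", "alice", "bob",   "ACC-1001", 125_000),
    Payment("T002", "alice", "alice", "ACC-2002",  90_000),  # self-approved
    Payment("T003", "carol", "",      "ACC-3003",  40_000),  # never approved
    Payment("T004", "dave",  "erin",  "ACC-4004", 250_000),
]

# Control totals the sending system recorded when the batch was cut
# (constructed). The hash total is a sum over a field that has no
# arithmetic meaning, the account number; it exists only so that a record
# dropped, duplicated, or altered in transit changes the total.
EXPECTED_TOTALS = {
    "record_count": 4,
    "amount_total": 505_000,
    "hash_total": 1001 + 2002 + 3003 + 4004,
}


def account_number(account: str) -> int:
    """Numeric part of an account id such as 'ACC-1001'."""
    return int(account.split("-", 1)[1])


def sod_exceptions(batch):
    """Preventive control test: every payment must be approved by a second,
    different user. Returns the ids of payments that violate this."""
    return [p.txn_id for p in batch if not p.checker or p.checker == p.maker]


def compute_totals(batch):
    """Recompute the three control totals from the batch as received."""
    return {
        "record_count": len(batch),
        "amount_total": sum(p.amount_cents for p in batch),
        "hash_total": sum(account_number(p.account) for p in batch),
    }


def total_mismatches(batch, expected=EXPECTED_TOTALS):
    """Detective control test: compare recomputed totals with the recorded
    ones. Returns name -> (expected, actual) for each total that differs."""
    actual = compute_totals(batch)
    return {k: (expected[k], actual[k]) for k in expected if expected[k] != actual[k]}


def audit_batch(batch, expected=EXPECTED_TOTALS):
    """Run both tests; an empty result means no exceptions were found."""
    findings = {}
    sod = sod_exceptions(batch)
    if sod:
        findings["segregation_of_duties"] = sod
    mismatches = total_mismatches(batch, expected)
    if mismatches:
        findings["control_totals"] = mismatches
    return findings


if __name__ == "__main__":
    print(audit_batch(BATCH))
    # An altered beneficiary account leaves the record count and the amount
    # total intact; only the hash total catches it.
    tampered = [replace(BATCH[0], account="ACC-1010")] + BATCH[1:]
    print(audit_batch(tampered))
```

The amount total and record count would pass a batch in which one beneficiary account had been changed; the hash total is what makes that alteration visible, which is why it is a detective control in its own right rather than a duplicate of the amount total.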
They enable IT to function in support of corporate goals. They include:
• Controls over data centers and networks
• Access control
• Segregation of duties
• SDLC and change management
• Physical security

General controls can be grouped as follows:
• Internal accounting controls: safeguarding of assets and reliability of financial records
• Operational controls: the day-to-day functions and activities that accomplish business objectives; safeguarding of assets and ensuring proper utilization of resources; facilities, data centers, servers, IT infrastructure, and access control
• Administrative controls: support operational controls, operational efficiency, and adherence to management policies; organizational policies and procedures; physical and logical security policies

IS Control Objectives
An IS control objective is a statement of the desired purpose or result to be attained by applying controls around information system processes. Control objectives are achieved through procedures, policies, organizational structures, and practices. They are high-level objectives that management may use for effective control of IT processes, intended to give reasonable assurance that enterprise objectives will be achieved while undesired events are prevented, detected, or corrected.

The overarching principles of IS controls are:
• Confidentiality
• Integrity
• Availability
• Reliability
• Compliance
• Efficiency: getting the job done with optimal use of resources
• Effectiveness: getting the job done with a high degree of certainty
The first three (confidentiality, integrity, and availability) are the basic principles of information systems security.
IS Control Objectives
Management plays an important role in setting IS control objectives:
• Selecting the control objectives that are most appropriate to the organization's policies and can be implemented
• Deciding the manner of implementation
• Remaining cognizant of the risk involved in not implementing some of the applicable control objectives

IS Control Objectives: Examples
• Ensure the integrity of sensitive and critical application systems through input authorization, input validation, accuracy and completeness of data processing, database integrity, and accuracy, completeness, and security of output
• Ensure the integrity of the system, such as operating system integrity
• Ensure the safeguarding of assets by implementing physical and logical access controls
• Protect computer systems from improper access
• Ensure a proper authentication process for users
• Ensure database confidentiality, integrity, and availability
• Ensure that inputs are validated
• Ensure the availability of IT services and assets through effective and efficient disaster recovery and business continuity plans
• Ensure the effectiveness and efficiency of operations
• Ensure that outsourced IT processes and services have clearly defined SLAs, that organizational assets are protected, and that business objectives are met
• Ensure that SDLC processes are established, maintained, and followed for repeatable and reliable development of software applications that meet business objectives
• Ensure the integrity and reliability of systems by implementing change management controls

IS Controls
IS control procedures include the following:
• Strategy and direction of the IT function
• General organization and management of the IT function
• Access to IT programs, data, and resources
• System development procedures
• Operations procedures
• System programming and system support
• Quality assurance (QA) processes
• Communications and networks
• Business continuity planning (BCP)
• Physical access controls
• Database administration
• Detective and protective mechanisms

1.3 Types of Controls
Enterprise Architecture
An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operations of an organization. It determines how the organization can most effectively achieve its current and future objectives. (Source: http://searchcio.techtarget.com/definition/enterprise-architecture)
For the auditor, EA helps determine whether IT is aligned with enterprise objectives and delivers value to the business, keeping in view the complexity of the organization.

Zachman Framework™ for Enterprise Architecture
The Zachman Framework is a schema for describing an enterprise, formed by the intersection of two historical classifications.
The first classification is the set of primitive interrogatives that are fundamental to communication:
• What
• How
• When
• Who
• Where
• Why
The second classification is derived from reification, the transformation of an abstract idea into an instantiation, initially postulated by the ancient Greek philosophers:
• Identification
• Definition
• Representation
• Specification
• Configuration
• Instantiation
(Source: https://www.zachman.com/about-the-zachman-framework)
The Zachman Framework is not a methodology but a structure. It is a two-dimensional framework that combines the six basic interrogatives (what, how, where, who, when, and why) with different perspectives.
The perspectives are those of executives, business managers, system architects, engineers, and technicians. Looking at the organization from these viewpoints enables a holistic understanding of the enterprise.

Sherwood Applied Business Security Architecture (SABSA)
• A security architecture with a layered framework, similar to Zachman
• Each layer expands in detail, moving from policy to the implementation of technology
• Its primary characteristic is that everything must be derived from an analysis of the business requirements for security
• Ongoing "manage and measure" phases of the lifecycle
• Provides a chain of traceability through the layers: contextual, conceptual, logical, physical, component, and operational
• Risk-driven enterprise information security architecture

Service-Oriented Modeling Framework (SOMF)
• Models business and software systems to specify service orientation
• Devised by Michael Bell
• Used with a number of architectural approaches
• Can be used to design any application, business, or technological environment, whether local or distributed

Risk-Based Audit Planning
Identifying the key enterprise risks requires an understanding of the organization, its environment, and its control objectives, including:
• The type and nature of the transactions the entity engages in
• The flow of those transactions and how they are captured in information systems

Risk Assessment Terms
• Asset: a valuable resource you are trying to protect
• Risk: the potential that a chosen action or activity will lead to a loss
• Threat: a negative action that may harm a system
• Vulnerability: a weakness that allows a threat to cause harm
• Impact: the severity of the damage, sometimes expressed in dollars

Inherent, Control, Detection, and Overall Audit Risk
The different types of audit risk are inherent risk, control risk, detection risk, and overall audit risk.
Inherent risk: the probability that an error exists that might be material, assuming no compensating controls exist.
Inherent risk:
• exists irrespective of an audit
• is contributed by the nature of the business
Control risk: the probability that a material error exists which will not be prevented or detected on a timely basis by the system of internal controls.
Detection risk: the probability that the IS auditor used inadequate test procedures and concludes that material errors are absent when in fact they are present.
Overall audit risk: the combination of inherent, control, and detection risk for each control objective.

Gap Analysis
Gap analysis considers two kinds of gap: a usage gap and a product gap.

Assurance Definitions
• Target of evaluation (TOE): the information security deliverable, the object about which assurances are made.
• Assurance activities: these depend on the method of assessment. Various methods of assessment are discussed later.
• Security target (ST): the set of security specifications and requirements used to evaluate the target of evaluation.
• Security protection profile (SPP): similar to a security target, but much broader in scope. Unlike an ST, an SPP does not apply to any one particular deliverable; it represents the security needs of a given individual or group.

Risk-Based Audit Definitions
The key terms are control, IT governance, IT control objective, evidence, and risk.

Risk Assessment and Risk Analysis
• The overall audit plan should focus on the business risks related to the use of IT.
• The area under audit represents the audit scope.
• The auditor uses risk-analysis techniques to establish the critical areas to focus on within the audit scope (the focus should be on high-risk areas).
• Limited audit resources require this kind of focus when drawing up the audit plan.
• A proper audit report is critical, and so is follow-up on the issues found in the audit.
Main Areas of Coverage
• Risk analysis
• Audit methodology
• Risk-based auditing
• Audit risk and materiality
• Risk assessment and treatment
• Risk assessment techniques
• Reporting techniques
• Follow-up

Risk Analysis
Risk analysis assists an auditor in recognizing vulnerabilities and risks, and in defining the controls to be put in place to ensure such risks are mitigated.

Definitions of Risk
• Risk is the combination of the probability of an event and its consequence (ISO/IEC Guide 73).
• IT risk is the business risk associated with the use, ownership, operation, involvement, influence, and adoption of IT within an enterprise (ISACA's Risk IT framework).
• The probable frequency and probable magnitude of future loss (source: An Introduction to Factor Analysis of Information Risk (FAIR), Risk Management Insight, LLC).
• The potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization (source: ISO 27005).

Factor Analysis of Information Risk (FAIR)
FAIR is a probabilistic approach: it focuses on what is probable rather than on what is possible. It can be used to complement other methodologies. The factors it considers include:
• Forms of loss: productivity; resources used in responding to adverse events; replacement of damaged and defective assets; legal and regulatory costs; loss of competitive advantage; reputational loss
• Asset value and liability: criticality (impact on smooth functioning); cost; sensitivity
• Threat actions: access; misuse; disclosure; unauthorized modification

Risk Analysis
From the IS audit's point of view, risk analysis aids in the following:
● It helps the auditor identify threats and risks within the IS environment, the business objectives (BOs) they affect, and the information assets supporting those BOs.
● It assists in planning the audit by evaluating the controls in place.
● It puts the auditor in a position to know the audit objective.
● Decision making is easier because a risk-based methodology is used.

The risk-based cycle is:
• Identify business objectives (BO)
• Identify the information assets supporting the BOs
• Perform risk assessment (RA): threat, vulnerability, impact
• Perform risk management (RM): map risks to the controls in place
• Perform risk treatment (RT): treat significant risks not mitigated by existing controls
• Perform periodic risk re-evaluation (BO/RA/RM/RT)

Calculating Risk
• Exposure Factor: the exposure factor (EF) is the percentage of an asset's value lost due to an incident.
• Single Loss Expectancy: the single loss expectancy (SLE) is the cost of a single loss. It is the asset value (AV) multiplied by the exposure factor (EF).
• Annual Rate of Occurrence: the annual rate of occurrence (ARO) is the number of losses suffered per year.
• Annualized Loss Expectancy: the annualized loss expectancy (ALE) is the yearly cost due to a risk. It is calculated by multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO).

Risk Formulas
• SLE = Asset Value (AV) × Exposure Factor (EF)
• ALE = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO)
• Risk = Probability of the risk × Cost of the eventuality

Risk-Based Audit Approach
The risk-based audit approach is based on the concept that the areas to be audited are determined by the perceived level of risk.
• Audit risk is the risk that a report or information contains a material error that goes undetected throughout the audit period.
• Residual risk is the risk that remains after controls have been applied. Controls are normally implemented to mitigate risk to a level acceptable to management, so the residual risk should lie within management's risk appetite.

Risk-Based Auditing
● Risk assessment drives the audit process.
● The identification of risk, prioritization of audit areas, and allocation of audit resources should be based on risk assessment.
● Evaluation of the risk management process must be conducted at every stage to ensure that risk is being managed within the risk appetite of the organization.
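The following is an added example, not course or ISACA material, that carries the formulas above through a small risk-based plan: it computes SLE and ALE for three constructed scenarios, ranks the audit areas by ALE, and then works out the residual ALE under a candidate control to decide whether the figures support accepting the risk, mitigating it, or referring the remainder for transfer or avoidance. The scenarios, asset values, exposure factors, occurrence rates, control costs and effectiveness figures, and the risk appetite threshold are all assumed for illustration.

```python
"""SLE/ALE calculation used to rank audit areas and to check whether a
proposed control brings residual risk within management's appetite.

Added example; not course or ISACA material. Every figure below (asset
values, EF, ARO, control cost and effectiveness, risk appetite) is
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskScenario:
    name: str
    asset_value: float       # AV, in currency units
    exposure_factor: float   # EF, fraction of AV lost in one incident (0..1)
    aro: float               # ARO, expected incidents per year

    def sle(self) -> float:
        """Single loss expectancy: SLE = AV x EF (rounded to cents)."""
        return round(self.asset_value * self.exposure_factor, 2)

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = SLE x ARO (rounded to cents)."""
        return round(self.sle() * self.aro, 2)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    aro_reduction: float = 0.0   # fraction by which the control cuts ARO
    ef_reduction: float = 0.0    # fraction by which the control cuts EF


def residual_ale(s: RiskScenario, c: Control) -> float:
    """ALE that remains once the control is in place (residual risk)."""
    return RiskScenario(s.name, s.asset_value,
                        s.exposure_factor * (1 - c.ef_reduction),
                        s.aro * (1 - c.aro_reduction)).ale()


def control_benefit(s: RiskScenario, c: Control) -> float:
    """Annual risk reduction minus annual control cost. Negative means the
    control costs more than the risk it removes."""
    return round(s.ale() - residual_ale(s, c) - c.annual_cost, 2)


def rank_audit_areas(scenarios):
    """Area names ordered by ALE, highest first. This can differ from an
    ordering by SLE: a frequent small loss may outrank a rare large one."""
    return [s.name for s in sorted(scenarios, key=lambda s: s.ale(), reverse=True)]


def treatment_decision(s: RiskScenario, c: Control, appetite_ale: float) -> str:
    """Map the figures onto the treatment options. Transfer and avoidance
    need inputs this model lacks (e.g. an insurance premium), so they are
    only flagged, not priced."""
    if s.ale() <= appetite_ale:
        return "accept"
    if control_benefit(s, c) <= 0:
        return "control not cost-justified: accept or transfer"
    if residual_ale(s, c) <= appetite_ale:
        return "mitigate"
    return "mitigate, then transfer or avoid the remainder"


# Constructed scenarios, candidate controls and appetite (all assumed).
SCENARIOS = {
    "customer database breach": RiskScenario("customer database breach", 2_000_000, 0.25, 0.2),
    "payment service outage":   RiskScenario("payment service outage", 800_000, 0.10, 2.0),
    "laptop theft":             RiskScenario("laptop theft", 5_000, 1.0, 4.0),
}
CONTROLS = {
    "customer database breach": Control("database encryption with managed keys", 30_000, ef_reduction=0.8),
    "payment service outage":   Control("active/passive failover", 50_000, aro_reduction=0.75),
    "laptop theft":             Control("full-disk encryption", 2_000, ef_reduction=0.5),
}
RISK_APPETITE_ALE = 25_000   # management accepts up to this ALE per scenario


def audit_plan(scenarios=SCENARIOS, controls=CONTROLS, appetite=RISK_APPETITE_ALE):
    """One row per scenario, in audit priority order."""
    rows = []
    for name in rank_audit_areas(scenarios.values()):
        s, c = scenarios[name], controls[name]
        rows.append({"area": name, "sle": s.sle(), "ale": s.ale(),
                     "residual_ale": residual_ale(s, c),
                     "control_benefit": control_benefit(s, c),
                     "decision": treatment_decision(s, c, appetite)})
    return rows


if __name__ == "__main__":
    for row in audit_plan():
        print(row)
```

With these figures the breach has the largest single loss (SLE 500,000) but the outage has the largest annualized loss (ALE 160,000), so the outage is the higher audit priority; the failover control is worth buying yet still leaves residual ALE above appetite, which is exactly the case where the remainder must be transferred or avoided rather than silently accepted.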
Risk Assessment and Treatment
Risk assessment
● Risk assessment involves identifying, prioritizing, and quantifying risks against the organization's criteria for risk tolerance and its objectives.
● Risk assessments should be carried out regularly to ensure they address changes in security, the risk situation, and the environment, especially when key changes take place.
Risk treatment
● Risk mitigation: applying adequate controls to lower the risk
● Risk acceptance: objectively and knowingly deciding not to take action
● Risk avoidance: evading the risk by ensuring that the actions that cause it are prevented
● Risk transfer/sharing: sharing the risk with third parties such as suppliers or insurance companies

Risk Assessment Methods
• Different methods are employed to perform risk assessments, for example the scoring system method and the judgmental method.
• A combination of methods may be used, and methods may develop and change over time.
• The auditor should evaluate the appropriateness of any chosen risk methodology.
• All methods depend on subjective judgment.

1.4 Risk-Based Audit Planning
Types of Audits and Assessments
Knowledge Statement 1.11: Knowledge of various types of audits (e.g., internal, external, financial) and methods for assessing and placing reliance on the work of other auditors or control entities.
The various types of audits are:
• Internal vs. external
• Specific domain (e.g., financial)
• Reliance on other auditors

Internal vs. External Audits
Internal:
● Pre-audits
● Compliance
● Post-incident audits
● Often targeted
External:
● Compliance
● Regulatory
● General

Specific Domain Audits
• Financial
• Regulatory
• PCI DSS
• IT
• Network
• Systems
• Database systems
• Web or e-commerce systems

Reliance on Other Auditors
• Past audit results
• Incorporating other audits
• Comparison

Audit Factors
• Audit subject: the area to be audited
• Audit objective: the purpose of the audit
• Audit scope: constrains the audit to a specific system, function, unit, or period of time

Part B: Execution
The following topics are covered in Part B:
• Audit project management
• Sampling methodology
• Audit evidence collection techniques
• Data analytics
• Reporting and communication techniques
• Quality assurance and improvement of the audit process

Audit Project Management
• Plan the audit engagement
• Build the audit plan
• Execute the plan
• Monitor project activity

Audit Objectives
Audit objectives are the specific goals that the audit process must accomplish. They provide assurance of:
• Compliance with legal and regulatory requirements
• Protection of the confidentiality, integrity, and availability of information and IT resources

Audit Phases
The auditing process can generally be divided into three phases: planning; fieldwork and documentation; and reporting and follow-up.
Planning phase:
• Determine the audit subject
• Determine the audit objective
• Set the audit scope
• Perform pre-audit planning
• Determine procedures
Fieldwork and documentation phase:
• Acquire data
• Test controls
• Discover and validate issues
• Document results
Reporting phase:
• Gather report requirements
• Draft the report
• Issue the report
• Follow up

Audit Program
• An audit work program represents the audit plan and strategy. It contains the audit procedures, scope, and objectives.
• The Audit Work Program:
  • Is a guide for documenting the various audit steps performed and the types and extent of evidential matter reviewed;
  • Provides a trail of the process used; and
  • Provides accountability for performance.
• IS Audit Process Steps:
  • Plan – assess risks, develop audit program: objectives, procedures (Guidance 5)
  • Obtain and evaluate evidence – strengths and weaknesses of controls
  • Prepare and present report – draft and final report
  • Follow-up – corrective actions taken by management (Guidance 35)

Audit Methodology
Scope: Audit methodology refers to the standard audit procedures to be used to achieve the planned audit objectives. It is a documented approach for performing the audit in a continuous and recurring manner to achieve the planned audit objectives.
Components: Audit objectives, Work programs, Audit working papers

Part B: Execution – 1.6 Audit Project Management

Applicable Laws and Regulations for IS Audit
Knowledge Statement 1.6: Knowledge of the applicable laws and regulations that affect the scope, evidence collection and preservation, and frequency of audit.
Fraud, Irregularities and Illegal Acts
Explanation
Fraud investigations or legal proceedings require that the integrity of the evidence be maintained throughout its life cycle (called chain of custody in forensic evidence).
Legal requirements include laws, regulations and/or contractual agreements placed on the audit (or IS audit) or the auditee.
Management and audit personnel in an organization should be aware of external requirements for computer system practices and controls, and for how data is processed, transmitted and stored.
There is a need to comply with different laws, which raise legal requirements that impact the audit objectives and audit scope.
Main Areas of Coverage
The main areas covered under this knowledge statement include:
• Evidence
• Continuous Auditing
• Audit Documentation
• Legal Requirements

HIPAA and HITECH
• The Health Insurance Portability & Accountability Act of 1996 (HIPAA) – PHI (Personal Health Information)
• Health Information Technology for Economic and Clinical Health Act (HITECH) – Redefining what a breach is; creating stricter notification standards

Sarbanes-Oxley and PCI
1. Sarbanes-Oxley
2. Public companies must keep electronic records for 5 years
3. PCI-DSS (Payment Card Industry Data Security Standard)

Cryptography Standards
ISO/IEC 7064 | Data processing – Check character systems | Published 2003
ISO/IEC 9796 | Digital signature schemes giving message recovery | 3 parts published 2002–2006, under revision
ISO/IEC 9797 | Message authentication codes (MACs) | 2 parts published 1999–2002, under revision, 3rd part is upcoming
ISO/IEC 9798 | Entity authentication | 6 parts published 1997–2005
ISO/IEC 10116 | Modes of operation for an n-bit block cipher algorithm | Published 2006
ISO/IEC 10118 | Hash-functions | 4 parts published 1998–2004 (2006), under revision
ISO/IEC 11770 | Key management | 4 parts published 1996–2006, under revision

Balanced Scorecard
• A type of structured report used as a performance management tool
• Should define measurements from four perspectives: Financial, Customer, Internal Process, Innovation/Learning
• Used to track execution of activities
• Actually measures performance against an expected value

Sampling Methodology
Knowledge Statement 1.8: Knowledge of different sampling methodologies and other substantive/data analytical procedures.
Sampling Methodologies
Compliance testing involves gathering evidence to test the enterprise’s compliance with control procedures.
Substantive testing is evidence gathered to evaluate the integrity of individual transactions, data, or other information.
The presence of adequate internal controls (established through compliance testing) minimizes the number of substantive tests that have to be done. Conversely, weaknesses in internal controls will increase the need for, or the number of, substantive tests.
Sampling is done when it is not logical to test or verify all transactions (i.e. the population, which consists of all items in the area being examined), considering the time and cost needed.
Main Areas of Coverage: Compliance vs. substantive testing; Sampling

Sampling
A sample is a subset of population members used to infer characteristics about a population based on the results of examining the characteristics of a sample of the population.
A population consists of the entire group of items that need to be examined.
The sample must represent as closely as possible the characteristics of the whole population.
Sampling is done when verifying all transactions or events (the population) in the audit scope is not feasible.
The sample drawn must be a correct representation of the population, since all the conclusions are drawn from the sample.
A basic understanding of sampling is necessary for the ISA.

General Approaches to Sampling
Sampling can either be statistical or non-statistical.
Statistical Sampling
● Uses objective judgment to determine:
  o Sample size
  o Selection criteria
  o Sample precision
  o Reliability or confidence level
● This can be used to infer population characteristics from the sample and is the preferred method.
Non-statistical Sampling
● Uses subjective judgment to determine:
  o Method of sampling
  o Sample size
  o Sample selection
● This cannot be used to infer population characteristics from the sample and is not a preferred method of sampling.
General Approaches to Sampling
Non-statistical Sampling
● Uses the judgment of the ISA to determine the sample selection and size
● Increased possibility of sampling risk—the risk that the analysis/conclusions will be wrong because the sample is not representative of the population
● This technique may be used when drawing an inference about the population is not necessary; say, when a handful of large-value credit limits are picked for scrutiny from a population of extremely low-value credit limits
Statistical Sampling
● Uses statistical principles of probability and confidence level to draw a sample representative of the population
● The ISA decides the sample precision (how closely the sample should represent the population) and the confidence level (the number of times in 100 that the sample will represent the population)

Attribute and Variable Sampling
Sampling methods are of two types, attribute sampling and variable sampling.
Attribute sampling
● Also known as proportional sampling
● Deals with the presence or absence of an attribute
● Generally applied for compliance testing, to detect the presence or absence of an attribute and draw conclusions from the rate of incidence
● Conclusions are expressed in rates of incidence
● Types:
  o Attribute sampling, also called fixed sample size attribute sampling or frequency estimation
  o Stop-or-go sampling
  o Discovery sampling
Variable sampling
● Used to estimate the value of some variable, for example verification of transactions, or review of processing in programs used in the preparation of financial statements
● Also known as dollar estimation, mean value estimation sampling or quantitative sampling
● Applied in substantive testing; deals with characteristics that vary, such as monetary values and measures, and with drawing conclusions regarding deviations from the norm
● Provides conclusions related to deviations from the norm
● Types:
  o Stratified mean per unit
  o Unstratified mean per unit
  o Difference estimation

Attribute Sampling
Fixed Sample-Size Attribute / Frequency-Estimate Sampling
• Aim is to determine the rate of occurrence: How many, how often?
• Example: Approval signature on user account creation forms
Stop-or-go Sampling
• Adopted when the auditor expects a small number of errors
• Sample size is small and can be kept to a minimum
Discovery Sampling
• Adopted when errors are expected to be a rare occurrence
• Aim is to discover:
  o fraud
  o bypassing of rules by manipulation (e.g. splitting a large order value into several smaller ones to avoid having to obtain approval of a higher authority)

Variable Sampling
Stratified Mean Per Unit
• Population is divided into strata, and samples are drawn from the various strata
• Stratification, if properly applied, reduces the sample size relative to unstratified mean per unit
Unstratified Mean Per Unit
• Mean is calculated for the entire sample, without stratification, and extrapolated to the entire population
• It increases the sample size
Difference Estimation
• Technique used to estimate the difference between the audited values and the book values, on the basis of differences observed in the sample
Stratified sampling produces a higher confidence level for the same sample size, or may result in a lower sample size for the same confidence level, while other attributes are kept equal.
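The attribute and variable sampling methods above worked on a constructed invoice population (an added example, not the deck's material): a statistical and a judgmental selection side by side, the exception rate for the approval-signature attribute, and the unstratified mean-per-unit, stratified mean-per-unit and difference estimators projected from one fixed sample. The invoice records, strata and sample are constructed so the figures can be checked by hand.

```python
"""Attribute and variable sampling estimators from the Sampling slides.

Added example, not material from the deck. The invoice population is
constructed: each record carries a stratum label, the book value, the value
established on audit, and whether the approval signature was present.
"""
import random
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    stratum: str           # "high" or "low" value band
    book_value: float      # value recorded in the ledger
    audited_value: float   # value established by the auditor
    approved: bool         # attribute under test: approval signature present


# Constructed population of 10 invoices (book total 4800, audited total 4740).
POPULATION = [
    Invoice("H1", "high", 1000, 1000, True),
    Invoice("H2", "high", 1200, 1150, False),
    Invoice("H3", "high", 900, 900, True),
    Invoice("H4", "high", 1100, 1100, True),
    Invoice("L1", "low", 100, 100, True),
    Invoice("L2", "low", 120, 120, True),
    Invoice("L3", "low", 80, 80, False),
    Invoice("L4", "low", 110, 100, True),
    Invoice("L5", "low", 90, 90, True),
    Invoice("L6", "low", 100, 100, True),
]


def statistical_selection(population, n, seed=0):
    """Statistical sampling: every item has a known chance of selection, so
    conclusions may be projected onto the population (the preferred method)."""
    return random.Random(seed).sample(population, n)


def judgmental_selection(population, n):
    """Non-statistical sampling: the auditor hand-picks, here the n largest
    book values. Fine for scrutiny, but not a basis for inference."""
    return sorted(population, key=lambda inv: inv.book_value, reverse=True)[:n]


def exception_rate(sample):
    """Attribute sampling: rate of incidence of the missing approval."""
    return sum(1 for inv in sample if not inv.approved) / len(sample)


def unstratified_mean_per_unit(sample, population_size):
    """Variable sampling: mean audited value of the sample extrapolated to N."""
    return mean(inv.audited_value for inv in sample) * population_size


def stratified_mean_per_unit(sample, population):
    """Mean per unit computed within each stratum, then weighted by stratum size."""
    estimate = 0.0
    for stratum in {inv.stratum for inv in population}:
        in_sample = [inv.audited_value for inv in sample if inv.stratum == stratum]
        if not in_sample:
            raise ValueError(f"stratum {stratum!r} has no sampled items")
        stratum_size = sum(1 for inv in population if inv.stratum == stratum)
        estimate += mean(in_sample) * stratum_size
    return estimate


def difference_estimate(sample, population):
    """Difference estimation: project the mean (audited - book) difference
    observed in the sample onto the population and adjust the book total."""
    book_total = sum(inv.book_value for inv in population)
    mean_diff = mean(inv.audited_value - inv.book_value for inv in sample)
    return book_total + mean_diff * len(population)


# Fixed sample (2 of 4 high, 2 of 6 low) so the figures are reproducible; the
# unequal sampling fractions are what make the unstratified estimate drift.
SAMPLE = [inv for inv in POPULATION if inv.invoice_id in ("H2", "H4", "L2", "L3")]

if __name__ == "__main__":
    print("true audited total:", sum(inv.audited_value for inv in POPULATION))
    print("exception rate:", exception_rate(SAMPLE))
    print("unstratified MPU:", unstratified_mean_per_unit(SAMPLE, len(POPULATION)))
    print("stratified MPU:", stratified_mean_per_unit(SAMPLE, POPULATION))
    print("difference estimate:", difference_estimate(SAMPLE, POPULATION))
```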
Sampling Terms (Applicable to both attribute and variable sampling)
Confidence Coefficient / Level / Reliability Factor
• The probability that the sample is representative of the population, in relation to the characteristic observed, expressed as a percentage
• A 95% confidence coefficient implies a 95% chance that the sample is representative of the population
• Depending on the assessment of the effectiveness of internal controls, the ISA will vary the sample size
• The greater the confidence level the ISA desires, the larger the sample size will be
Level of Risk
• The opposite of the confidence coefficient: the risk that the sample is not representative of the population
• If the confidence coefficient is 95%, the level of risk is 5%
Precision
• The range of difference between the sample and population acceptable to the ISA
• This is expressed as a percentage for attribute sampling and as a numerical value for variable sampling
• The higher the precision level, the lower the sample size, and vice versa
Sample / Population Standard Deviation
• A measure of the variance or spread of values around the mean
Expected Error Rate
• The expected error in percentage
• Applied only to attribute sampling, not variable sampling
• If the expected error rate is high, the sample size will have to be increased
Tolerable Error Rate
• Expressed as a percentage, it represents the maximum degree of error that can exist without the result being materially misstated
• Define maximum precision using the tolerable error rate, within permissible limits

Audit Evidence Collection Techniques
Knowledge Statement 1.7: Knowledge of the evidence collection techniques (e.g., observation, inquiry, inspection, interview, data analysis, forensic investigation techniques, computer-assisted audit techniques [CAATs]) used to gather, protect and preserve audit evidence.
Evidence Collection Techniques
Explanation
• Audit findings must be supported by objective evidence
• Know techniques to gather and preserve evidence
• Information is gathered through inquiry, observation, interview, and analysis using CAATs (Computer Assisted Auditing Techniques) such as ACL and IDEA, among others
• Electronic media may be used to retain audit evidence to support audit findings
• Retention policies should meet requirements for such evidence to support audit findings

Main Areas of Coverage
1. Computer Assisted Audit Techniques (CAATs)
2. Evidence
3. Interviewing and Observing Personnel in Performance of their Duties
4. Continuous Auditing
5. Audit Documentation

Evidence
• Is the information the Information Systems Auditor (ISA) gathers while performing an IS audit to meet the audit objectives by supporting the audit findings
• Must directly relate to the objectives of the review
• Is key to the audit process
• Is mandatory under standard “S6 Performance of Audit Work”
• Should be appropriately organized and documented to support the findings and conclusion(s)

Reliability of Evidence
Determinants for the reliability of evidence include:
• Independence of the provider of the evidence
• Objectivity of the evidence
• Qualification of the individual providing the information/evidence
• Timing of the evidence
Given an audit scenario in the exam, a candidate should be able to determine which type of evidence gathering technique would be best.
Evidence Characteristics and Types
• The confidence level of evidence is based on its value; audit evidence is considered:
  • Sufficient if it is complete, adequate, convincing, and would lead another ISA to form the same conclusions
  • Useful if it assists ISAs in meeting their audit objectives
  • Reliable if, in the auditor’s opinion, it is valid, factual, objective and supportable
  • Relevant if it pertains to the audit objectives and has a logical relationship to the findings and conclusions it is used to support

Techniques for Gathering Evidence
Techniques for gathering evidence include the following:
• Reviewing IS organizational structures
• Reviewing IS policies and procedures
• Reviewing IS standards
• Reviewing IS documentation
• Interviewing appropriate personnel
• Observing processes and employee performance
• Re-performance
• Walkthroughs

Audit Documentation
Audit documentation should include a record of:
• Planning and preparation of audit scope and objectives
• Description and/or walkthroughs of the scoped audit area
• Audit program
• Audit steps performed and audit evidence gathered
• Use of services of other auditors or experts
• Audit findings, conclusions, and recommendations
• Audit documentation related to document identification and dates

Data Analytics
Computer Assisted Audit Techniques (CAATs)
• Automated tools and techniques used for gathering and analyzing data from computer systems to meet a predetermined audit objective.
Examples of CAATs
The CAATs process involves:
● Understanding the client
● Obtaining effective evidence
● Data analysis
● Reporting
CAATs are necessitated by differences in HW and SW environments, data structures, record formats, and processing functions. Examples:
● Generalized audit software, e.g. IDEA, ACL
● Utility software, e.g. DBMS report writers
● Debugging and scanning software
● Test data
● Expert systems
● SQL commands
● Third-party access control software
● Application software tracing and mapping
● Options and reports built into a system

Computer-Assisted Auditing Techniques (CAATs)
• Collate and analyze diverse data: information systems employ diverse hardware, software, databases, data structures, and formats for audit evidence
• Provide a means of analyzing data to achieve audit objectives
• Enable the ISA to work independently, eliminating continuous assistance from the IT function
Types of CAATs:
• GAS (Generalized Audit Software)
• Utility software
• Industry-specific audit software
• Fourth-generation languages like SQL
• Expert systems
• Neural networks
• Application software tracing
• Mapping

Types of CAATs
Generalized Audit Software (GAS)
• Standard, off-the-shelf software which can read data from diverse database platforms, flat files, and ASCII formats
• The ISA can utilize the built-in functions of the software
• Functions of GAS include:
  o File access and reorganization
  o Sampling
  o Filtration
  o Statistical analysis
  o Stratification and frequency analysis
  o Report generation
  o Duplicate checking
  o Recomputation
• Limitations of GAS include:
  o Not suitable for concurrent auditing
  o Can only conduct post-event audit
  o Limited capabilities to verify processing logic
Utility Software
• Is a part of a suite of programs like: copy, sort programs, report generators, disk search utility, and fourth-generation languages, like SQL (structured query language).
Industry-specific Audit Software
• While GAS is generic in nature, audit software specific to some industries like financial services, insurance, and health care is also available.
• They include built-in queries to perform audit functions in specific industries, say check kiting in banking. Constructing similar queries in GAS would need more effort and skills.

Types of CAATs
Expert System
• This is a type of artificial intelligence and incorporates a knowledge base that contains the knowledge of human experts in the concerned domain.
• The inference engine in the expert system compares the data presented against the knowledge base to draw conclusions.
• Expert systems can be used for:
  o Risk analysis
  o Evaluation of internal controls and assessing if provisions on doubtful debts are adequate
Neural Networks
• These are designed to mimic the neurons of the human brain.
• They can be “trained” to recognize patterns that indicate certain occurrences, like a fraud.
Continuous Online Audit
• CAATs can be used to implement ongoing monitoring.
• They can be configured to continuously analyze data either in real or near-real time intervals, in furtherance of preset audit objectives.
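The GAS functions listed under Types of CAATs (file access, filtration, duplicate checking, stratification and frequency analysis, recomputation) reproduced in plain Python over a constructed purchase-order extract, plus the order-splitting check that discovery sampling targets (an added example, not code from the deck or from any GAS product; the CSV content and the approval limit are constructed):

```python
"""GAS-style audit functions on a constructed purchase order extract.

Added example, not from the deck or any GAS product: it shows in plain
Python the file access, data selection, duplicate checking, stratification /
frequency analysis and recomputation functions the slides attribute to tools
such as ACL or IDEA. The CSV text and the approval limit are constructed.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed extract. Orders above APPROVAL_LIMIT need a higher approver,
# and unit_price x quantity should always equal total.
APPROVAL_LIMIT = 5000.0
PURCHASE_ORDERS_CSV = """po_number,vendor,unit_price,quantity,total,approver
PO-1001,Acme Ltd,120.00,10,1200.00,jdoe
PO-1002,Acme Ltd,120.00,10,1200.00,jdoe
PO-1003,Globex,45.50,100,4550.00,asmith
PO-1004,Globex,45.50,100,4550.00,asmith
PO-1005,Initech,800.00,8,6400.00,jdoe
PO-1006,Initech,75.00,3,225.00,asmith
PO-1006,Initech,75.00,3,225.00,asmith
PO-1007,Umbrella,300.00,20,6100.00,jdoe
"""


def read_records(csv_text):
    """File access: parse the flat-file extract into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row["unit_price"] = float(row["unit_price"])
        row["quantity"] = int(row["quantity"])
        row["total"] = float(row["total"])
        records.append(row)
    return records


def select(records, predicate):
    """Data selection: keep the records that satisfy a filtration condition."""
    return [r for r in records if predicate(r)]


def duplicate_po_numbers(records):
    """Duplicate checking on the key field."""
    counts = Counter(r["po_number"] for r in records)
    return sorted(key for key, n in counts.items() if n > 1)


def recompute_totals(records, tolerance=0.005):
    """Recomputation: flag orders whose stored total is not unit_price x quantity."""
    return [r["po_number"] for r in records
            if abs(r["unit_price"] * r["quantity"] - r["total"]) > tolerance]


def stratify(records, bands):
    """Stratification and frequency analysis: count and sum orders per value band.
    bands is a list of (label, lower_inclusive, upper_exclusive)."""
    result = {label: {"count": 0, "value": 0.0} for label, _, _ in bands}
    for r in records:
        for label, low, high in bands:
            if low <= r["total"] < high:
                result[label]["count"] += 1
                result[label]["value"] += r["total"]
                break
    return result


def possible_split_orders(records, approval_limit):
    """Orders under the limit from one vendor/approver pair whose combined value
    exceeds it: the order-splitting pattern the slides say discovery sampling
    looks for. Returns {(vendor, approver): [po_numbers]}."""
    groups = defaultdict(list)
    for r in records:
        if r["total"] <= approval_limit:
            groups[(r["vendor"], r["approver"])].append(r)
    flagged = {}
    for key, orders in groups.items():
        if len(orders) > 1 and sum(r["total"] for r in orders) > approval_limit:
            flagged[key] = sorted(r["po_number"] for r in orders)
    return flagged


VALUE_BANDS = [("under 1000", 0.0, 1000.0),
               ("1000 to 4999", 1000.0, 5000.0),
               ("5000 and over", 5000.0, float("inf"))]

if __name__ == "__main__":
    orders = read_records(PURCHASE_ORDERS_CSV)
    print("duplicates:", duplicate_po_numbers(orders))
    print("total mismatches:", recompute_totals(orders))
    print("strata:", stratify(orders, VALUE_BANDS))
    print("possible split orders:", possible_split_orders(orders, APPROVAL_LIMIT))
```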
Computer Assisted Audit Techniques (CAATs)
Functional capabilities of Generalized Audit Software (GAS) are as follows:
• File access: reading different file structures and record formats
• File reorganization: indexing, sorting, merging, linking
• Data selection: filtration conditions, selection criteria
• Statistical functions: sampling, stratification, frequency analysis
• Arithmetic functions: arithmetic operators and functions

Reporting and Communication Techniques
Knowledge Statement 1.9: Knowledge of reporting and communication techniques (e.g., facilitation, negotiation, conflict resolution, audit report structure, issue writing, management summary, result verification).
Explanation
Communication needs to be effective and clear to improve the quality of the audit and maximize results.
When an argument ensues between the auditor and the auditee during the final IS audit findings report presentation over the accuracy of the findings in the report, it makes the audit process counterproductive and quickly dilutes the audit process and its value.
Audit findings reported to stakeholders need to have appropriate buy-in from the auditees for the audit process to be successful and value adding.
Communication and negotiation skills are required throughout the audit activity. Communication skills determine the effectiveness of the audit reporting process.
Audit Report Objectives
The objectives of audit reporting are:
• Formally presenting the audit report to the auditee or client
• Providing statements of assurance of controls
• Identifying areas that require corrective actions
• Providing recommendations
• Formally seeking closure of the audit engagement

Main Areas of Coverage
The main areas of coverage:
• Communicating Audit Results
• Information Technology Assurance Framework (ITAF) (Section 2600 – Reporting Standards)

Communication of Audit Results
During exit interviews, the IS auditor should:
• Ensure recommendations are realistic and cost-effective
• Ensure facts presented in the report are accurate
• Recommend implementation dates for agreed-on recommendations
Presentation techniques include:
● Executive summary: An easy to read, concise report that presents the summary of the entire report
● Visual presentation: May include slides or computer graphics
Before communicating the results of an audit to senior management, the IS auditor should discuss the findings with management staff of the audited entity. This is to ensure that agreement is reached on both the findings and the corrective action to be taken.
The CISA candidate should become familiar with the ISACA S7 Reporting and S8 Follow-up Activities standards.
Communication Skills
• Facilitation
• Negotiation
• Conflict resolution
• Issue writing

The Report
Identify and include:
• Organization, recipients, restriction on circulation
• Scope, objectives, period of coverage, nature, timing, and extent
• Findings, conclusions, recommendations/follow-up, and reservations or qualifications
  o Grouped by materiality or intended recipient
  o Mention faults and constructive corrections
• Evidence to support results (may be separate)
• Overall findings, conclusion, and opinion
• Signed and dated

Audit Report Basics
An audit report includes the following features:
• Organization, recipients and restriction on circulation
• Scope, objectives, period of coverage, nature, timing, and extent
• Findings, conclusions, recommendations/follow-ups, and reservations/qualifications
• Grouped by materiality or intended recipient
• Mention faults and constructive corrections
• Evidence to support results
• Overall findings, conclusion, and opinion
• Signature and date

Follow-Up Activities
• An IS auditor should conduct a follow-up program to determine whether management has implemented the agreed-on corrective actions.
• The results of the follow-up should be communicated appropriately.

Quality Assurance and Improvement of the Audit Process
Audit Assurance Systems and Frameworks
Knowledge Statement 1.10: Knowledge of audit quality assurance (QA) systems and frameworks.
Explanation
Auditing standards are the minimum parameters to be taken into account when performing an audit.
An IS auditor has to understand the impact of the IS environment on traditional auditing practices and techniques to ensure the audit objective is achieved.
Control Self Assessment (CSA) is a process in which an IS auditor can act in the role of a facilitator to business process owners to help them define and assess appropriate controls (taking into consideration the risk appetite of the organization).
Process owners are best placed to define appropriate controls due to their process knowledge. IS auditors help process owners understand the need for controls based on business risk.

Main Areas of Coverage
The main areas covered under this knowledge statement are as follows:
• Evaluation of audit strengths and weaknesses
• Audit methodology
• Audit programs
• Audit objectives
• Using services of other auditors and experts
• Control Self Assessment (CSA)
• Objectives, advantages, and disadvantages of CSA
• Auditor’s role in CSA
• Traditional vs. CSA approach

Control Self Assessment (CSA)
CSA is a management technique that assures stakeholders, customers, and other parties that the internal control system of the organization is reliable.
CSA is a methodology used to review key business objectives, risks involved in achieving the business objectives, and internal controls designed to manage these business risks in a formal, documented collaborative process.
CSA involves a series of tools on a continuum of sophistication, ranging from simple questionnaires to facilitated workshops.
It ensures employees are aware of business risk and that they conduct periodic, proactive reviews of controls.
Objectives of a CSA
Following are the objectives of a CSA:
• Leverage the internal audit function by shifting some of the control monitoring responsibilities to the functional areas
• Ensure line managers are in charge of monitoring controls
• Educate management on control design and monitoring
Control Objectives for Information and Related Technology (COBIT) provides guidance on the development of a CSA.

COBIT
Some important facts about COBIT are:
• Control Objectives for Information and related Technology
• ISACA first released COBIT in 1996
• Revised in 2005 to become ISO 17799:2005
• ISACA published the current version, COBIT 5, in 2012
• Contains 134 detailed information security controls based on 11 areas

Benefits of a CSA
Benefits of a CSA include the following:
• Early detection of risk
• More effective and improved internal controls
• Creates cohesive teams – employee involvement
• Develops a sense of ownership of controls in employees and process owners
• Improved audit rating process
• Reduction in control cost
• Increased communication between operations and top management
• Highly motivated employees
• Assurance provided to stakeholders and customers

CSA Disadvantages and Role of Auditor
Disadvantages of a CSA
● Might be mistaken as an audit function replacement
● May be taken as additional workload (e.g. writing reports to management)
● Failure to act on improvement suggestions could damage employee morale
● Inadequate motivation limits effectiveness in the discovery of weak controls
Auditor’s role in CSA
● Internal control professional and assessment facilitator (management staff participates in the CSA process, not the auditor)

Traditional vs. CSA Approach
The following table compares the traditional audit approach with CSA:
Traditional Audit Approach | CSA
Assigns tasks | Empowered and accountable employees
Policy-driven | Continuous improvement learning curve
Limited employee participation | Extensive employee participation and training
Limited stakeholder focus | Broad stakeholder focus
Auditors and other specialists are the primary control analysts | Staff at all levels and in all functions are the primary control analysts

Domain One Exam Quick Pointers
1. The auditor is a facilitator in a Control Self Assessment.
2. Examples of substantive tests include testing samples of an inventory of backup tapes.
3. Control Self Assessment (CSA) enhances audit responsibility as one of its key objectives.
4. Accountability cannot be enforced without authentication and identification in an access control.
5. IS auditors are likely to perform compliance tests of internal controls if, after their initial evaluation of the controls, they conclude that control risks are within acceptable limits.
6. Identification of high-risk areas is the most important step in an audit plan.
7. The auditor should be aware of data flows within an enterprise when assessing corrective, preventive, or detective controls.
8. Responsibility and accountability can be established by the use of audit trails.
Domain One Exam Quick Pointers (continued)
9. 10. 11. 12. 13. 14.

Knowledge Check
QUIZ 1
An audit charter should _____.
a. summarize the responsibilities, authority and scope of an internal audit department
b. define audit processes
c. outline audit goals and how to achieve them
d. keep track with the change in information technology
The correct answer is a. An audit charter should summarize the responsibility, authority, and scope of an audit department.

QUIZ 2
An audit report prepared by the information systems auditor should be corroborated by _____.
a. supporting statements from IS management
b. work-papers of senior auditors
c. control self-assessment from the organization
d. appropriate, relevant, and sufficient audit evidence
The correct answer is a. An IS auditor should have statements from IS Management to ensure that they are in agreement with the findings as well as the corrective action to be taken.

QUIZ 3
An IS auditor reviews the previous audit plan implemented for a client and finds that it was designed to review the company network and e-mail systems, but not the e-commerce Web server. The IT manager indicates that the preferred focus for audit is the newly implemented ERP application. How should the auditor respond?
a. Determine the highest-risk systems and plan the audit based on the results
b. Audit the new ERP application as requested by the IT manager
c. Audit both the e-commerce server and the ERP application
d. Audit the e-commerce server since it was not audited last year
The correct answer is c. The best course of action is to conduct a risk assessment and design the audit plan to cover the areas of highest risk. The IS auditor should not rely on the prior-year audit plan since it may not have been designed to reflect a risk-based approach.

QUIZ 4
When testing program change requests, an IS auditor found that the population of changes was too small to provide a reasonable level of assurance. What is the most appropriate action for the IS auditor to take?
a. Report the finding to management as a deficiency.
b. Create additional sample changes to programs.
c. Develop an alternate testing procedure.
d. Perform a walk-through of the change management process.
The correct answer is a. If a sample size objective cannot be met with the given data, the IS auditor would not be able to provide assurance regarding the testing objective. In this instance, the IS auditor should develop (with audit management approval) an alternate testing procedure.

QUIZ 5
The main advantage derived from an enterprise employing a control self-assessment (CSA) process is that it:
a. enables management to delegate responsibility.
b. can replace the traditional audit methods.
c. allows the auditor to independently assess risks.
d. identifies high-risk areas that require a detailed review later.
The correct answer is d. Control Self Assessment is based on the review of high-risk areas that will need either a more thorough review at a later date or immediate attention.

Case Study 1
The IS auditor has been asked to perform a pre-audit review to assess the company’s readiness for a regulatory compliance audit. The regulatory requirements include management taking an active role in IT management, including managerial review and testing of IT controls. The areas to assess in the upcoming regulatory compliance audit include physical controls, logical controls, end-user computing, and change management. The IS auditor has only two weeks to complete the pre-audit review. Previous audits found no issues with physical controls or end-user computing but did find issues with logical controls and change management. Previous issues found include inadequate password management and not all changes being reviewed by a change approval board.
QUIZ 1
Which of the following would be the most important item for the IS auditor to check first?
a. Password management
b. Change approval
c. Patch management
d. Physical security
The correct answer is a. Password management and change approval were both identified as issues in previous audits. However, password management is a more critical issue, and it is less time consuming to check. It may not be possible to review change management within the time allotted.
QUIZ 2
If time permits, should the IS auditor review physical controls and end-user computing, even though there were no problems noted in previous audits?
a. Yes, check both if time permits
b. No, as there were no previous issues
c. If possible, check physical controls but not end-user computing
d. If possible, check end-user computing then physical controls
The correct answer is a. Simply because there have not been issues in the past does not mean an area should not be reviewed during an audit. If time permits, every area that will be addressed in the regulatory compliance audit should be reviewed.

Case Study 2
An IS auditor has been tasked to audit a financial application used by a bank to process loan applications. The application can be accessed via a Web interface from anywhere in the world. The company maintains the Web server internally (that is, it is not outsourced) as well as the back-end database. The auditor has limited time and may not be able to do a complete audit.
QUIZ 1
Which of the following tools would be most helpful in this audit?
a. General audit software application tool
b. Statistical analysis tool
c. Web vulnerability testing tool
d. General vulnerability assessment tool
The correct answer is c. Since the application is accessed via the Web, the most critical item to audit is the Web interface. This is where most security issues are likely to be found, which makes it the most helpful focus for the audit.
QUIZ 2
In this scenario, what is the order of importance of items checked?
a. Firewall, VPN, Web server, Database server
b. VPN, Firewall, Database server, Web server
c.
Database server, VPN, Web server, Firewall d. Web server, Firewall, Database server, VPN QUIZ In this scenario, what is the order of importance of items checked? 2 a. Firewall, VPN, Web server, Database server b. VPN, Firewall, Database server, Web server c. Database server, VPN, Web server, Firewall d. Web server, Firewall, Database server, VPN The correct answer is d. The Web server is the most important as it is the publically facing interface most vulnerable to attack. The database is protected by the firewall, so the next item to check is the firewall. VPN connections need not be checked, as there is no VPN used in this scenario. Key Takeaways You’ are now able to: Plan an audit to determine whether information systems are protected, controlled, and provide value to the organization Conduct an audit in accordance with IS audit standards and a risk‐based IS audit strategy Communicate audit progress, findings, results, and recommendations to stakeholders Conduct an audit follow‐up to evaluate whether risks have been sufficiently addressed Evaluate IT management and monitoring of controls Utilize data analytics tools to streamline an audit process Provide consulting services and guidance to the organization in order to improve the quality and control of information systems Identify opportunities for process improvement in the organization's IT policies and practices This concludes “Process of Auditing Information Systems.” The next domain is “Governance and Management of IT." Certified Information Systems Auditor (CISA®) Governance and Management of IT Certified Information Systems Auditor is a registered trademark of ISACA ISACA® is a registered trade mark of Information Systems Audit and Control Association. © Simplilearn. All rights reserved. 
Learning Objectives
By the end of this domain, you'll be able to:
• Evaluate the IT strategy for alignment with the organization's strategies and objectives
• Evaluate the effectiveness of the IT governance structure and IT organizational structure
• Evaluate the organization's IT policies and practices for compliance with regulatory and legal requirements
• Evaluate IT resource and portfolio management for alignment with the organization's strategies and objectives
• Evaluate the organization's risk management and data governance policies
• Evaluate IT management and monitoring of controls
• Evaluate the monitoring and reporting of IT key performance indicators (KPIs)
• Evaluate whether IT supplier selection, service, and contract management processes align with business requirements
• Conduct periodic reviews of information systems and enterprise architecture
• Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices

Part A: IT Governance
The following topics are covered in Part A:
• IT governance and IT strategy
• IT-related frameworks
• IT standards, policies, and procedures
• Organizational structure
• Enterprise architecture
• Enterprise risk management
• Maturity models
• Laws, regulations, and industry standards affecting the organization

IT Governance and IT Strategy
Explanation: To assure the stakeholders that IT deployment is aligned with the business vision, mission, and objectives, top management may implement an IT governance framework. Essential elements of IT governance include Strategic Alignment, Value Delivery, Risk Management, Resource Management, and Performance Measurement.

Main Areas of Coverage
The main areas covered in this knowledge statement are:
• Governance of enterprise IT
• Best practices for governance of an enterprise IT
• Information systems strategy
• Standards
• Policies
• IT governance guidelines

Corporate Governance
At a high level, corporate governance has been defined as "the system by which business corporations are directed and controlled." Corporate governance can also be defined as "a set of relationships between a company's management, its board, shareholders, and other stakeholders." It is a set of responsibilities and practices used by an organization's management to provide strategic direction, in order to ensure that goals are achievable, risk is properly addressed, and organizational resources are properly utilized. It also provides the structure through which the objectives of the company are set, the means of attaining those objectives, and monitoring performance.

Good corporate governance should provide proper incentives for the board and management to pursue objectives that are in the interests of the company and its shareholders, and should facilitate effective monitoring. Corporate governance frameworks are increasingly being used by governments to curb inaccurate financial reporting and foster greater transparency and accountability. Many government regulations require senior management to sign off on the adequacy of internal controls and include an assessment of the organization's internal controls.

"Governance is the combination of processes and structures implemented by the board in order to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives." – Institute of Internal Auditors

Boards of directors are responsible for the governance of the companies. Shareholders appoint the directors and auditors and ensure that the governance structure is in place.

"Responsibilities of the board include setting the company's strategic aims, providing leadership to put them into effect, supervising management of the business and reporting to shareholders on their stewardship. The board's actions are subject to laws, regulations and the shareholders in general meeting." – Cadbury Committee Report on Corporate Governance

Objectives of Corporate Governance
Corporate governance also presupposes the fair treatment of all stakeholders, monitoring of performance, and taking adequate measures for compliance with laws, regulations, policy, and contractual obligations. Its objectives are to:
• Provide strategic direction
• Attain corporate objectives
• Manage risk effectively, so that it is controlled within acceptable levels
• Utilize corporate resources efficiently and effectively

Role of Audit
Audit plays an important role in corporate governance.

Internal Audit
"Internal audit is an independent, objective assurance and consulting activity, designed to add value and to improve an organization's operations. It helps an organization accomplish its objectives, by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." – Institute of Internal Auditors

External Audit
It is an examination of the accuracy of financial statements by an independent external auditor.

Assurance Services
• Provide an independent and objective assessment, based on evidence, of the governance, risk management, and control processes in the organization.
• Assure testing before release.
• Information systems audit falls under this category.

Consulting Services
• These are advisory in nature and intended to add value and improve the governance, risk management, and control processes of an organization, without internal audit assuming management responsibility.
• Here, an internal auditor is engaged in providing advice on controls in a new project or function.
• Examples:
o Training
o Advice

IT Governance
IT governance is a subset of corporate governance.
• An organization must have a long-term strategy for IT to guide decisions, instead of taking decisions on an ad hoc basis.
• IS is used to aid business objectives and improve business processes.
• IT governance is effective only when done within a formal framework.
• Performance management can extend to the efficacy of policies and the proper functioning of equipment, software, and network, apart from the personnel.
• Following industry standards is better than developing one from scratch. Industry standards have been through several iterations and have been refined and improved over the years by experts.
• An auditor must begin with the IT strategy and then follow the policies, procedures, framework, and practices, which must be reviewed periodically whenever the environment, business, or regulatory requirements change.
• Adequate investments must be provided for in-house and outsourced IT resources to meet current and future business needs.
• Current and new technologies must be opted for only after considering the benefits, risks, and costs, and envisioning future trends.
• Internal Audit must analyze IT from a strategic perspective, before moving on to the granular level of individual processes and applications.
• The compliance and regulatory requirements must be met, and the risk of these not being met must be measured.
• All the risks should be known and discussed openly, along with the efficacy of controls.
• Executive management must be aware of the risks in the organization and closely monitor the processes and personnel to manage them. They should check whether the residual risk is within the risk appetite of the organization.
• Finally, the value added by IT to the organization must be measured, and the costs incurred on it must be optimized.

Objectives of IT Governance
• Ensuring that IT strategies and policies are in alignment with business strategies and objectives and support corporate strategy
• Managing IT risk and ensuring that it remains within the acceptable risk level of the organization
• Dovetailing IT policies and objectives with corporate policies and objectives
• Ensuring that the investments in IT yield the expected returns to the business
• Optimizing resources spent on IT and ensuring that they deliver value to the business
• Ensuring that IT is in compliance with regulatory obligations

Best Practices for Governance of an Enterprise IT
Governance of an enterprise IT integrates and institutionalizes good practices to ascertain that the enterprise IT supports the business objectives.

Factors leading to the importance of enterprise IT governance:
• Business managers and boards demanding a better return on investment
• Concern over high expenditure on IT
• The need to meet regulatory requirements for IT (SOX, Basel II, and HIPAA)
• The selection of service providers, and management of service outsourcing and acquisition
• Increasingly complex IT-related risks such as network security

Other factors leading to the importance of enterprise IT governance are:
• IT governance initiatives include adoption of control frameworks and good practices to monitor and improve critical IT activities. These increase business value and reduce business risks.
• The need to optimize costs by following standardized rather than specially developed approaches
• The growing maturity and the consequent acceptance of well-regarded frameworks
• The need for enterprises to assess how they are performing against generally accepted standards and their peers (benchmarking)

Information Security Governance
IT governance is a subset of corporate governance, whereas information security governance is a subset of IT governance.

"Information security governance can be defined as the process of establishing and maintaining a framework and supporting management structure and processes to provide assurance that information security strategies are aligned with and support business objectives, are consistent with the applicable laws and regulations through adherence to policies and internal controls and provide assignment of responsibility, all in an effort to manage risk." – NIST, Information Security Handbook: A Guide for Managers

• The role of IT extends beyond corporate boundaries, to monitor whether information systems are networked and critical elements of IT are outsourced.
• The board of directors and executive management are responsible for information security governance.
• The core concerns of information security governance are risk management, strategic alignment of information security with business objectives, compliance, and value delivery.
• Information security governance has been rendered important by the rapidly changing IT threat scenario.

Five basic objectives of Information Security Governance
• Strategic alignment of information security with business strategy to support organizational objectives
• Risk management by executing appropriate measures to manage and mitigate risks, and reduce potential impacts on information resources to an acceptable level
• Resource management by utilizing information security knowledge and infrastructure efficiently and effectively
• Performance measurement by measuring, monitoring, and reporting information security governance and metrics to ensure achievement of organizational objectives
• Value delivery by optimizing information security investments in support of organizational objectives
(Source: Information Security Governance: Guidance for Boards of Directors and Executive Management, 2nd Edition, IT Governance Institute)

Information security governance requires strategic direction and impetus. It requires commitment, resources, and assigning responsibility for information security management. It also requires means for the board to determine whether its intent has been met.

Role of BODs/Senior Management
Effective information security governance is achieved only by involvement of the Board of Directors and/or senior management in:
• Approving policy
• Appropriate monitoring and metrics
• Reporting and trend analysis
Members of the board need to be aware of the organization's information assets and their criticality to ongoing business operations. This can be accomplished by periodically providing the board with the high-level results of comprehensive risk assessments, Business Impact Analysis (BIA), and business dependency assessments of information resources.

GEIT (Governance of Enterprise IT)
It is the responsibility of the board and executive management. The primary goals of GEIT are to ensure that IT goals and strategy are aligned with organization goals and objectives, and that the promised benefits are realized. Executive management is responsible for implementing the necessary framework and controls. The board should oversee the process to ensure that it is effective.

Information Systems Strategy
An IS strategy articulates the enterprise's long-term intention to use Information Systems to improve its business processes based on business requirements. When formulating the IS strategy, an enterprise must consider:
• Business objectives and the competitive environment.
• Current and future technologies, costs, risks, and benefits involved.
• The capability of the IT organization and technology to deliver current and future levels of service, and the extent of change and investment this might imply for the enterprise.
• Cost of the current IT, and the value it provides to the business.
• Lessons learned from past failures and successes.

IT Governance Focus Areas
The focus areas of IT governance are as follows:
• Strategic Alignment: This focuses on ensuring the linkage of business and IT plans by defining, maintaining, and validating the IT value proposition, and aligning IT operations with enterprise operations.
• Value Delivery: This involves executing the value proposition throughout the delivery cycle, ensuring that IT delivers the promised benefits against the strategy, concentrating on optimizing costs, and proving the intrinsic value of IT.
• Risk Management: It requires risk awareness by senior corporate officers, understanding the enterprise's appetite for risk and compliance requirements, transparency of significant risks to the enterprise, and embedding responsibilities into the organization.
IT-Related Frameworks
IT Governance, Management, Security, and Control Frameworks
Knowledge Statement 2.2: Knowledge of IT governance, management, security and control frameworks, and related standards, guidelines, and practices

Explanation: IT governance can be effective only with a formal framework, which provides for effective management and monitoring of IT. Management controls the decisions, direction, and performance of IT.

COBIT 5 Framework
The COBIT 5 framework clearly distinguishes between governance and management. The governance function should establish balanced and high-level objectives, considering the interests of all stakeholders, with a provision to monitor performance and compliance with the objectives set by the board. Management is responsible for planning and carrying out activities in accordance with the directives of the board.

Principles, Policies, and Frameworks
Principles, policies, and frameworks refer to the communication mechanisms that convey the direction and instructions of governing bodies and management, which include:
• Principles, policies, and framework model
• Policy life cycle
• Adapting policies to the enterprise environment
• Information security principles
• Information security policies

ISO Standards
• ISO 27000 (vocabulary and definitions)
• ISO 27001 (ISMS requirements and implementation): defines the main standard applicable for certification of ISMSs.
• ISO 27002 (code of security practices): a code of best practices in ISMS; includes more than 5000 detailed controls.
• ISO 27003 (implementation guidance): guidelines to implement the ISO 27000 series standards.
• ISO 27004 (security management metrics and measurement): information security management measurement and metrics.
• ISO 27005 (information security risk management): guidelines relating to the risk management aspects of ISO 27001.

ISO 38500
It is a high-level framework for effective IT governance. It includes six principles:
• Responsibility
• Strategy
• Acquisition
• Performance
• Conformance
• Human behavior

PCI Frameworks
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update the anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by a business need-to-know
8. Assign a unique ID to persons with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor access to network resources and cardholder data
11. Routinely test security systems and processes
Maintain an Information Security Policy
12. Establish high-level security principles and procedures

IT Standards, Policies, and Procedures
Explanation: IT strategies, policies, standards, and procedures should be consistent with business requirements.

Policies
Policies are high-level management directives. All policies should contain these basic components:
• Purpose
• Scope
• Responsibility
• Compliance
COBIT 5 for Information Security describes these attributes of each policy:
• Scope
• Validity
• Goals

Policies are high-level documents that specify the thinking and philosophy of an organization. They are the guiding principles that set the tone for the organization as a whole. In addition to high-level corporate policies, individual units and departments may have their own policies, which should be consistent with the high-level ones. Policies should be clear and concise, so that they clearly define the expectations for the employees. In short, they are what the organization expects.
Procedures, Standards, and Guidelines
• A Standard describes the specific use of technology, often applied to hardware and software.
• A Procedure is a step-by-step guide to accomplish a task.
• Guidelines are recommendations (which are discretionary).

Procedures
Procedures are step-by-step instructions on how something should be done in order to accomplish the objectives set out in the policies. Procedures are expected to change more often than policies, in order to keep pace with changes in the environment and regulatory requirements.

Guidelines
Guidelines are recommendatory in nature. Professional judgment should be used while applying guidelines in the organization. The auditor should be prepared to justify any departure from them.

Organizational Structure
Roles and Responsibilities
Knowledge Statement 2.3: Knowledge of the organizational structure, roles, and responsibilities related to IT, including segregation of duties (SoD)

Explanation: Organizations must define organizational structures. Responsibilities of major functions should be outlined and documented to ensure proper segregation of duties.

Main Areas of Coverage
The main areas covered are:
• Auditing IT governance structure and implementation
• Segregation of duties control
• Sourcing practices
• Reviewing documentation
• Segregation of duties within IS
• Reviewing contractual commitments
In the CISA exam, the IS auditor must be aware of these globally recognized concepts. However, knowledge of specific legislation and regulations will not be tested.

Roles and Responsibilities: BODs
Board members should approve the assessment of key assets to be protected. The tone of top management must be conducive to effective security governance. It is unreasonable to expect lower-level personnel to abide by security measures if senior management do not follow them. Executive management should endorse security requirements.
Penalties for non-compliance must be defined, communicated, and enforced.

Roles and Responsibilities: Senior Management
The roles and responsibilities of senior management are as follows:
Executive Management
• Implements effective security management governance, and defines the strategic security objectives of an organization.
Steering Committee
• Focuses on all security aspects of an organization.
• Should represent the respective groups or functions impacted by information security.
Chief Information Security Officer (CISO)
• Ensures that good information security practices are carried out within the organization.

Reviewing Documentation
The following documents should be reviewed:
• IT strategies, plans, and budgets
• Security policy documentation
• Organizational/functional charts
• Job descriptions
• Steering Committee reports
• System development and program change procedures
• Operations procedures
• Human Resource manuals
• Quality Assurance manuals

Segregation of Duties (SoD) Matrix
The table illustrates an example of an SoD matrix. The rows and columns capture the various IS duties; an X at the intersection of two duties indicates that they are incompatible and should not be assigned to the same person.

Enterprise Architecture
Explanation: The complexity of IT and global connectivity requires an understanding of the IT architecture. Architecture and strategy are intertwined and germane to your audit.

IT Architecture Models
• Information architecture of COBIT Control Objective PO2
• Zachman Framework
• AF-EAF
• Sherwood Applied Business Security Architecture
• CAFEA
• AFIoT
• NAF
• UADF

IoT (Internet of Things)
The IoT is the internetworking of physical devices like vehicles and buildings, referred to as "smart" or "connected" devices, that are embedded with electronics, software, sensors, and networking capability, enabling these devices to collect and exchange data. IoT has applications in a variety of devices, such as heart-monitoring implants, automobiles with built-in sensors, and devices to monitor the environment, food, and pathogens.

Growth of IoT in various verticals:
• Wearable devices
• Smart street lighting
• Security
• Connected homes
• Cameras
• Lighting
• Cars
• Infotainment
• Navigation

The network of IoT devices is expected to reach between 5 billion and 1 trillion in number. IoT poses security challenges in the following areas:
• Authentication (IoT devices do not incorporate strong authentication mechanisms)
• Encryption (implementing encryption requires substantial processing and memory resources, which IoT devices are low on)
• Updates (pushing updates to such large numbers of devices is difficult)

AF-EAF
The Air Force Enterprise Architecture Framework consists of various approaches, models, and definitions to communicate and facilitate the presentation of key architecture components. See also https://www.mitre.org/sites/default/files/pdf/10_1541.pdf

AFIoT
IEEE P2413 – Architecture Framework for the Internet of Things
• Defines relationships among various IoT verticals
• Provides a blueprint for data abstraction
• Defines basic architectural building blocks, and their ability to be integrated into multi-tiered systems

CAFEA
The Common Approach to Federal Enterprise Architecture defines the following levels of scope:
• International
• National
• Federal
• Sector
• Agency
• Segment
• System
• Application

UADF
Universal Architecture Description Framework, or UADF:
• A collection of models forms an architecture description framework
• If this collection is comprehensive, it is called a universal framework

NAF
The NATO C3 Systems Architecture Framework comprises the following views:
• Capability-oriented
• Operation-oriented
• Service-oriented
• System-oriented
• Technical-oriented
• Program-oriented

Enterprise Risk Management
Explanation: Enterprise Risk Management is the cornerstone of IT auditing.

Main Areas of Coverage
The main areas covered are:
1. ERM definitions
2. ERM domains
3. ERM standards

ERM Definition
"Enterprise risk management is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: http://www.coso.org/documents/coso_erm_executivesummary.pdf

ERM Objectives
Following are the objectives of ERM:
• Strategic
• Operations
• Reporting
• Compliance

ERM Perspectives
Following are the perspectives of ERM:
• Enterprise
• Division
• Unit
• Process

COSO's ERM Integrated Framework
Following are the components of COSO's Enterprise Risk Management: Integrated Framework:
• Internal Environment
• Objective Setting
• Event Identification
• Risk Assessment
• Risk Response
• Control Activities
• Information and Communication
• Monitoring

ISO 31000
Standards relating to risk management:
• ISO 31000:2009 Principles and Guidelines on Implementation, established in November 2009 (sometimes simply called ISO 31000:2009)
• ISO/IEC 31010:2009 Risk Management: Risk Assessment Techniques
• ISO Guide 73:2009 Risk Management: Vocabulary

Following are the different ways to deal with risk:
• Removing the risk source
• Avoiding the risk
• Changing the likelihood of the risk
• Changing the consequences of the risk
• Sharing the risk with another party
• Accepting/retaining the risk by informed decision
• Accepting or increasing the risk to pursue an opportunity

Maturity Models
Explanation: Maturity and process improvement models help enterprises evaluate the current state of internal controls in comparison to the desired state.
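The SoD matrix described under Organizational Structure above, where an X marks a pair of duties that one person must not hold, can be checked mechanically against the duties people actually hold, which is what an auditor does when comparing the matrix with organizational charts and access lists. The following Python is an added example, not the course's own matrix or code; the duty names, the incompatible pairs, and the user assignments are all constructed assumptions for illustration.

```python
"""Segregation of duties (SoD) conflict check over an incompatibility matrix.

Added example, not part of the course material. The course's SoD matrix marks
with an "X" each pair of IS duties that one person should not hold at the
same time. Both the incompatible pairs and the duty assignments below are
constructed for illustration (assumption), not copied from the course's matrix.
"""
from itertools import combinations

# Constructed matrix: each entry is an unordered pair of duties that must not
# be held by the same individual, i.e. an "X" cell in the SoD table.
INCOMPATIBLE_DUTIES = frozenset({
    frozenset({"application_programmer", "production_support"}),
    frozenset({"application_programmer", "computer_operator"}),
    frozenset({"application_programmer", "security_administrator"}),
    frozenset({"application_programmer", "database_administrator"}),
    frozenset({"application_programmer", "change_approver"}),
    frozenset({"computer_operator", "security_administrator"}),
})

# Constructed sample of current duty assignments (an auditor would pull this
# from HR records, job descriptions, and system access lists).
ASSIGNMENTS = {
    "alice": {"application_programmer", "production_support"},
    "bob": {"computer_operator"},
    "carol": {"security_administrator", "computer_operator", "change_approver"},
    "dave": {"database_administrator", "change_approver"},
}


def is_compatible(duty_a, duty_b, matrix=INCOMPATIBLE_DUTIES):
    """True unless the matrix marks the two duties as an incompatible pair.

    The pair is stored as an unordered set, so the check does not depend on
    which duty is the row and which is the column of the table.
    """
    return frozenset({duty_a, duty_b}) not in matrix


def find_conflicts(assignments, matrix=INCOMPATIBLE_DUTIES):
    """Map each user holding incompatible duties to the offending duty pairs.

    Every pair of duties a user holds is checked against the matrix; users
    with no conflicting pair are omitted from the result.
    """
    conflicts = {}
    for user, duties in assignments.items():
        clashes = sorted(
            pair for pair in combinations(sorted(duties), 2)
            if not is_compatible(*pair, matrix=matrix)
        )
        if clashes:
            conflicts[user] = clashes
    return conflicts


def render_matrix(duties, matrix=INCOMPATIBLE_DUTIES):
    """Render the SoD table as text: 'X' = incompatible, '.' = compatible, '-' = diagonal."""
    duties = sorted(duties)
    width = max(len(d) for d in duties)
    # Column headings are the first three letters of each duty name.
    rows = [" " * width + " " + " ".join(d[:3] for d in duties)]
    for row in duties:
        cells = []
        for col in duties:
            if row == col:
                cells.append("-")
            elif is_compatible(row, col, matrix):
                cells.append(".")
            else:
                cells.append("X")
        rows.append(f"{row:<{width}} " + "   ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    all_duties = set().union(*ASSIGNMENTS.values())
    print(render_matrix(all_duties))
    for user, pairs in find_conflicts(ASSIGNMENTS).items():
        print(f"SoD conflict for {user}: {pairs}")
```

Run stand-alone, the script prints the constructed matrix in the X-table layout the slide describes and then lists the users whose duties clash; with the sample data, alice (programmer with production support) and carol (operator with security administration) are flagged, while bob and dave are not. In a real review the conflict list is the starting point for asking management about compensating controls, not a finding in itself.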
CMM
Following are the levels of the Capability Maturity Model (CMM):
Level 1 Performed Informally
Level 2 Planned and Tracked
Level 3 Well-defined
Level 4 Quantitatively Controlled
Level 5 Continuously Improving

ISACA CMM
0 Lack of management: processes and their management are completely chaotic
1 Initial: processes are implemented ad hoc
2 Repeatable: the discipline necessary to perform basic repetitive processes is in place
3 Defined: the processes of the organization are documented
4 Managed: the processes are managed and their performance is measured through KPIs
5 Optimized: processes are continually improved; there is an innovation cycle for processes and management

IDEAL Model
The IDEAL model is an organizational improvement model developed by the Software Engineering Institute (SEI) at Carnegie Mellon University that serves as a roadmap for initiating, planning, and implementing improvement actions. It is useful in planning and implementing effective process improvement programs for CMMI and similar initiatives. The IDEAL model is named for the five phases it describes:
• Initiating
• Diagnosing
• Establishing
• Acting
• Learning

Laws, Regulations, and Industry Standards Affecting the Organization
Explanation: External requirements affecting the organization.
Main Areas of Coverage
The main areas covered are: Legal Requirements, Regulations, Industry Standards

Laws and Standards
The various laws and standards are as follows:

Electronic Fund Transfer Act, Regulation E (EFTA)
• Passed in 1978
• Implemented by the Federal Reserve Board through Regulation E
• Limits customer liability on loss or theft of a card and on EFT errors

Children's Online Privacy Protection Act (COPPA)
• Effective since 2000
• Applies to the online collection of personal information from children below 13 years of age under US jurisdiction
• The Federal Trade Commission (FTC) has the authority to issue regulations and enforce COPPA

Federal Information Security Management Act (FISMA)
• Effective since 2002
• NIST is responsible for developing standards, guidelines, and associated methods and techniques
• NIST develops standards, metrics, tests, and validation programs to promote, measure, and validate security in information systems and services
• FIPS 200 "Minimum Security Requirements for Federal Information and Information Systems"

Personal Information Protection and Electronic Documents Act (PIPEDA)
• Canadian law
• Governs how private sector organizations collect, use, and disclose personal information
• Gives individuals various rights over their personal information

European Union Data Protection Directive (Directive 95/46/EC)
• Regulates the processing of personal data within the European Union
• Governs the use of personal data
• Requires organizations to be transparent

Sarbanes-Oxley Act
• Enacted on July 30, 2002 (nine months after the discovery of the Enron problems)
• Applicable to "issuers" as defined in the Securities Exchange Act of 1934 (approximately 15,000 public companies):
  o Companies required to file periodic reports with the SEC
  o Companies with more than 1 million dollars in total assets and at least 500 shareholders
  o Companies that have registered securities with the SEC
• Creates the Public Company Accounting Oversight Board (PCAOB), funded by accounting firms and registrants

DMCA – Digital Millennium Copyright Act
• Signed into law on October 28, 1998
• Focused primarily on methods to bypass access control
• Made it illegal to circumvent copy protection technologies

PCI DSS
• The Payment Card Industry Data Security Standard (PCI DSS) was jointly created in 2004 by four major credit-card companies: Visa, MasterCard, Discover, and American Express
• PCI DSS requirements apply to all merchants and service providers who store, process, or transmit any cardholder data

PCI: Cardholder Data
Cardholder
data, under PCI DSS, is the Primary Account Number (PAN) together with the cardholder name and the expiration date; it is not every piece of personally identifiable information about the cardholder. PCI DSS distinguishes it from sensitive authentication data, which must not be stored after authorization.
Cardholder Data:
• Primary Account Number (PAN)
• Expiration date
• Cardholder name
Sensitive Authentication Data (must not be stored after authorization):
• CVV or CVC (Card Verification Values)
• Track 1 and Track 2 data (magnetic stripe)

Knowledge Statement 2.6: Development, Implementation, and Maintenance of IT Strategy
Knowledge of processes for development, implementation and maintenance of IT strategy, policies, standards, and procedures
Explanation for Knowledge Statement: IT development, implementation, and maintenance follow formal processes. This is intertwined with strategy, policies, standards, and procedures.
Main areas covered: Strategies, Steering Committee, Development Policies, Outsourcing

Strategy
COBIT Control Objective PO1 - Define a Strategic IT Plan
COBIT Control Objective PO1.4 - IT Strategic Plan
Actions:
1. Engaging with business and senior management
2. Understanding current IT capabilities
3. Providing a prioritization scheme
Measurements:
1. Percent of IT objectives in the IT strategic plan that support the strategic business plan
2. Percent of IT projects in the IT project portfolio that can be directly traced to the IT tactical plans
3. Delay between updates of IT strategic plans and updates of IT tactical plans

Steering Committee
COBIT Control Objective PO4.3: IT Steering Committee (within the process Define the IT Processes, Organization, and Relationships)
• Determine prioritization of IT
• Monitor status of projects
• Monitor service levels and service improvements

Development Policies
COBIT Control Objective PO8.3: Development and Acquisition Standards
• How is software developed?
• How is software acquired?
• Tools and models
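Returning to the PCI cardholder data distinction above: an auditor reviewing a merchant's logs or database exports needs to tell PAN (storable if protected and masked on display) from sensitive authentication data (never storable after authorization). The following is an added example, not code from the original CISA material or from the PCI SSC; the regular expressions, the Luhn check and the function names are this example's own assumptions, and the sample records are constructed. It masks PANs to the first six and last four digits, the maximum PCI DSS allows to be displayed, and flags track data and card verification values.

```python
"""Added example (not part of the original CISA material): classify PCI data
elements found in a captured record and mask the PAN the way PCI DSS permits
(first six and last four digits at most). Sample inputs are constructed."""
import re

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Magnetic-stripe track data: Track 1 starts with %B<PAN>^name^, Track 2 with ;<PAN>=.
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# Card verification values stored as a labelled field (assumed field names).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[:=]\s*\d{3,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to separate real PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def classify(record: str) -> dict:
    """Report cardholder data (Luhn-valid PANs, masked) and sensitive authentication
    data (track data, CVV), whose presence makes the record unstorable."""
    pans = []
    for m in PAN_RE.finditer(record):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            pans.append(mask_pan(digits))
    sad = []
    if TRACK1_RE.search(record):
        sad.append("track1")
    if TRACK2_RE.search(record):
        sad.append("track2")
    if CVV_RE.search(record):
        sad.append("cvv")
    return {"pans": pans, "sensitive_auth_data": sad, "store_forbidden": bool(sad)}


def redact(record: str) -> str:
    """Mask Luhn-valid PANs in place; other digit runs (order numbers etc.) are left alone."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_RE.sub(repl, record)


if __name__ == "__main__":
    # Constructed records: an order line with a test PAN, and a swipe dump with track data.
    print(classify("card=4111 1111 1111 1111 exp=12/26 name=J DOE order=1234567890123456"))
    print(classify("%B4111111111111111^DOE/JOHN^2612101?;4111111111111111=26121010000? cvv=123"))
    print(redact("pan 4111111111111111 ref 1234567890123456"))
```

The Luhn check matters in practice: a 16-digit order number that fails it is not reported as a PAN, which keeps the finding list reviewable. Any record where `store_forbidden` is true is a PCI DSS Requirement 3 finding regardless of how well the rest of the data is encrypted.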
COBIT Control Objective AI2: Acquire and Maintain Application Software

Outsourcing
Following are the relevant COBIT Control Objectives:
• COBIT Control Objective AI5: Procure IT Resources
• COBIT Control Objective AI5.3: Supplier Selection
• COBIT Control Objective AI5.4: IT Resources Acquisition
Each has associated value and risk drivers and control practices.

Part B: IT Management
The following topics are covered in Part B:
• IT Resource Management
• IT Service Provider Acquisition and Management
• IT Performance Monitoring and Reporting
• IT Quality Assurance and Quality Management

IT Resource Management
Knowledge Statement 2.9: Knowledge of IT resource investment and allocation practices, including prioritization criteria (e.g., portfolio management, value management, personnel management)
Explanation: proper resource allocation and prioritization.
Main areas covered: IT Investment and Allocation Practices, Financial Management Practices

Resource Management
COBIT Control Objective ME4.4: Resource Management
• Strategic alliances
• Business priorities
• Allocate investments
• Monitor
Value Drivers:
• Efficient and effective prioritization of goals and resources
• Efficient IT resource utilization
• IT planning support and optimization
• IT cost optimization
Risk Drivers:
• Incorrect priorities
• Insufficient capabilities and skills
• Insufficient resources to achieve the desired goals
• Fragmented and/or inefficient infrastructure

VAL IT Framework
The VAL IT framework is an initiative of the IT Governance Institute (ITGI) to help enterprises optimize the business value derived from investments in IT. The VAL IT framework complements COBIT.
Goal: business value from IT
Version: currently version 2.0
Domains: Value governance, Portfolio management, Investment management

7 principles of VAL IT (Source: ISACA VAL IT Brochure)
IT-enabled investments will:
• Be managed as a portfolio of investments
• Include the complete scope of activities necessary to achieve business value
• Be managed through their full economic life cycle
Value delivery practices will:
• Recognize different categories of investments to be evaluated and managed differently
• Define and monitor key metrics and respond quickly to any changes or deviations
• Engage all stakeholders and assign appropriate accountability for the delivery of capabilities and the realization of business benefits
• Be continually monitored, evaluated, and improved

Risk IT Framework
Following are the features of the Risk IT framework:
• Always connects to the business objectives
• Aligns the management of IT-related business risks with enterprise risk management
• Balances the costs and benefits of managing IT risks
• Enforces accountability
Risk IT
• Risk IT is an initiative of ISACA dedicated to helping enterprises manage IT-related risk.
• Risk IT also complements COBIT.
• It is based on the principles of ERM (Enterprise Risk Management).
• IT risk is a part of business risk and is the outcome of the use, ownership, and adoption of IT in an organization.
Principles of Risk IT
• IT risk always aligns with business objectives
• IT risk should be aligned with enterprise risk management
• IT risk management should be driven by cost-benefit analysis
• IT risks should be openly and fairly communicated
• IT risk management must be a continuous process and be a part of daily activities
• Accountability must be enforced and defined to set the right tone and conform to well-defined tolerance levels

IT Investment and Allocation Practices
Enterprises have limited resources in the form of people and money, which can be allocated to IT investments.
These investments provide financial benefits such as cost reduction, and non-financial benefits such as improved customer satisfaction. Information technology value is determined by the relationship between what the organization pays and what it receives.
The key governance practices to increase the value of IT are:
• Evaluate value optimization
• Direct value optimization
• Monitor value optimization
The methods to implement IT portfolio management are:
• Risk-profile analysis
• Continuous improvement
• Continuous alignment with business goals
• Diversification of projects
• Infrastructure and technologies

Financial Management Practices
Financial management is a critical element of all business functions. A user-pays scheme (a form of chargeback) can improve the monitoring of IS expenses and available resources.
IS Budget
• Facilitates adequate allocation of funds, especially in the IS environment where expenses can be cost-intensive
• Allows forecasting, monitoring, and analyzing financial information
• Should be linked to short-range and long-range IT plans
Key points in software development are as follows:
• The IS auditor should know how an enterprise tracks costs in software development
• This includes understanding the requirements for treating costs related to software development for internal use or for sale

IT Service Provider Acquisition and Management
Knowledge Statement 2.10: Knowledge of IT supplier selection, contract management, relationship management and performance monitoring processes, including third-party outsourcing relationships
Explanation: how to select suppliers, managing contracts, managing relationships, monitoring processes
COBIT Control Objective AI5.2 - Supplier Contract Management

Vendor/Supplier Selection
The IS auditor should be familiar with the vendor/supplier selection process, which considers:
1 Growth potential
2 Business stability
3 Capabilities
4 Prior relationships

Reviewing Contractual Commitments
The IS auditor should be familiar with the Request for Proposal (RFP) process and know what needs to be reviewed. Issues that should be addressed include:
• Service levels
• Right to audit, or third-party audit reporting
• Software escrow
• Penalties for non-compliance
• Contract termination and any associated penalties
• Contract change processes
• Protection of customer information
• Adherence to security policies and procedures

Software Contracts
Software contracts reviewed by an IS auditor include:
• Development of contract requirements and service levels
• Contract bidding process
• Contract acceptance
• Contract maintenance
• Contract compliance
Value Drivers:
• Defined supplier relationships, objectives, and goals
• Efficiently managed procurement of resources
• High-quality contribution to business and IT processes
Control Practices:
• Intellectual property rights
• Technology upgrade clauses
• Penalties or incentives for SLAs
• Right to audit
• Establish supplier contract management responsibilities
• QA practices
• Monitoring and reporting against SLAs
• Notification and escalation procedures
• Security standards, records management, and control requirements
Contract Policies
Following are the various contract policies:
• All contracts and contract changes should be reviewed by legal advisors
• Internal review of supplier/vendor
• Software escrow agreements
• Alternative vendors/suppliers

IT Performance Monitoring and Reporting
Process Optimization
Explanation for Knowledge Statement: process optimization approaches, specific techniques, tools
Performance Optimization
• Performance optimization is the process of improving the productivity of information systems to the highest possible level without additional investment in the IT infrastructure.
• Performance optimization is driven by key performance indicators (KPIs) based on the business operations/processes, strategic IT solutions, and corporate strategic objectives.
The broad phases of performance measurement include:
• Establishing and updating performance measures
• Establishing accountability for performance measures
• Gathering and analyzing performance measures
• Reporting and using performance information
Optimization
Categories of optimization: equipment optimization, control optimization, operating procedures
Optimization Approaches
• Lean Management
• TQM
• Kaizen
• Six Sigma
DMAIC and DMADV
DMAIC and DMADV are fundamental elements of Six Sigma. DMAIC is used to improve an existing process. DMADV is used to develop a new process, where there is no existing yardstick for improvement.
DMAIC: Define, Measure, Analyze, Improve, Control
DMADV: Define, Measure, Analyze, Design, Verify
DRIVE
Expansion of DRIVE: Define, Review, Identify, Verify, Execute
Methods
Following are the various methods for process improvement:
• CEDAC
• Brainstorming
• Pareto Analysis
CEDAC
CEDAC (Cause and Effect Diagram with the Addition of Cards) is also known as the fishbone or Ishikawa method. The problem is written at the end of a horizontal line drawn on a sheet of paper, which resembles the spine of a fish. On either side of the spine, lines are drawn and labelled with the major factors involved, such as task, people, and location. The causes and effects of the problem are written along the fish bones.
Pareto Analysis
Pareto analysis is derived from the Pareto principle, also known as the 80/20 principle. The Pareto principle is widely used in quality control and can be applied to the following scenarios:
• 20% of defects cause 80% of the problems
• 20% of your workforce produces 80% of the results
• 80% of complaints stem from 20% of your products

Monitoring and Reporting IT Performance
Knowledge Statement 2.14: Knowledge of practices for monitoring and reporting IT performance (for example, balanced scorecard [BSC] and key performance indicators [KPIs])
Explanation
• IT governance progress must be measured and monitored with effective tools such as balanced scorecards (BSCs) and key performance indicators (KPIs)
• The results provide a clear indication of the capability of the organization to meet its objectives
• They also shape IT strategy for the long term
Main areas covered: IT Balanced Scorecard, KPI

IT Balanced Scorecard
The IT balanced scorecard (BSC) is a process management evaluation technique that can be applied to the IT governance process to assess IT functions and processes. A balanced scorecard measures:
• Financial performance
• Customer/user satisfaction
• Internal/operational processes
• The ability to learn and innovate
The IT scorecard measures business contribution, user satisfaction, operational excellence, and innovation. The scorecard illustrates the relationship between financial, internal business processes, the customer, and learning and growth in determining a balanced score.
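The Pareto analysis described under Methods above is easiest to see on real counts. The following is an added example, not from the original CISA material: it runs a Pareto analysis over a constructed set of security incident tickets (the categories and counts are invented for illustration) and identifies the "vital few" root causes that together account for 80% of incidents, which is where an auditor would expect remediation effort to be concentrated.

```python
"""Added example (not from the original CISA material): Pareto analysis over a
constructed set of security incident tickets, to find the few root-cause
categories that account for roughly 80% of the incidents."""
from collections import Counter

# Constructed sample data: one root-cause category per closed incident ticket.
INCIDENTS = (
    ["phishing"] * 42 + ["unpatched-host"] * 23 + ["weak-password"] * 15
    + ["misconfiguration"] * 9 + ["lost-device"] * 5 + ["insider"] * 3
    + ["malware-usb"] * 2 + ["other"] * 1
)


def pareto_table(items, threshold=0.8):
    """Rows of (category, count, share, cumulative_share, vital), sorted by
    descending count. 'vital' is True for the categories up to and including
    the one at which the cumulative share first reaches the threshold: the
    'vital few' that Pareto analysis says to fix first."""
    counts = Counter(items)
    total = sum(counts.values())
    rows, cumulative, reached = [], 0, False
    for category, n in counts.most_common():
        cumulative += n
        cum_share = cumulative / total
        rows.append((category, n, n / total, cum_share, not reached))
        if cum_share >= threshold:
            reached = True
    return rows


def vital_few(items, threshold=0.8):
    """Categories to prioritise: together they explain at least `threshold` of the items."""
    return [row[0] for row in pareto_table(items, threshold) if row[4]]


def render(rows, width=40):
    """Text Pareto chart: one bar per category plus the cumulative percentage."""
    lines = []
    for category, n, share, cum_share, vital in rows:
        bar = "#" * int(round(share * width))
        flag = "*" if vital else " "
        lines.append(f"{flag} {category:<18} {n:>4} {bar:<{width}} {cum_share:6.1%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(pareto_table(INCIDENTS)))
    print("vital few:", vital_few(INCIDENTS))
```

With this data three of the eight categories (phishing, unpatched hosts, weak passwords) account for exactly 80% of incidents; the remaining five are the "trivial many". The threshold is a parameter because the 80/20 split is a rule of thumb, not a law: the useful finding is the knee of the cumulative curve, wherever it falls.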
KPI
The key stages in identifying KPIs are:
• A pre-defined business process (BP)
• Requirements for the business process
• Quantitative measurement of the results
• Investigating variances
• Combined teamwork
Indicator types: Result Indicators (RIs)/Key Result Indicators (KRIs); Performance Indicators (PIs)/Key Performance Indicators (KPIs)

IT Quality Assurance and Quality Management
Explanation
• IS audits examine IS quality
• Quality Assurance is not the same as Quality Management
Main areas covered: Quality Assurance, Quality Management

Quality Assurance
Following are the different ways to perform Quality Assurance:
1 Failure Testing
2 Statistical Controls
3 TQM
Standards
A few standards involved in Quality Assurance are the following:
ISO 17025 - General requirements for the competence of testing and calibration laboratories, covering:
• Scope
• Normative references
• Terms and definitions
• Management requirements
• Technical requirements
ISO 9000 - quality management principles:
• Customer focus
• Leadership
• Involvement of people
• Process approach
• System approach to management
• Continual improvement
• Factual approach to decision-making
• Mutually beneficial supplier relationships

Quality Management
Quality Management includes:
• Quality planning
• Quality control
• Quality assurance
• Quality improvement
Quality Management Standards
• ISO 9004 – guidelines for performance improvement
• ISO 15504-4:2005 – information technology – process assessment
• Six Sigma
• Kaizen
• Taguchi methods
• TQM
• Business Process Reengineering
• Quality Management Systems

Knowledge Statement 2.7: Knowledge of the use of capability and maturity models

ISACA KPI
Following are the
different Key Performance Indicators (KPIs):
• IT services indicators
• Supply indicators
• Process performance indicators
• Quality indicators
• Economic indicators
These form a system of interrelated indicators across the financial, customer, process, and learning and growth perspectives.
SMART
Expansion of SMART:
S Specific
M Measurable
A Achievable/Acceptable
R Realistic/Relevant
T Time-specific/Trackable

Quality Management
COBIT Control Objective PO8 - Manage Quality
Quality Management is the process by which IS department-based processes are controlled, measured, and improved. Areas of control for quality management include the following:
• Software development, maintenance, and implementation
• Security
• Acquisition of hardware and software
• HR management
• Day-to-day operations
• General administration
• Service management
A good example of quality management is ISO 9001:2008.
ISO Quality Management Systems (QMS)
ISO QMS incorporates the following 8 principles:
• Customer focus
• Leadership
• Involvement of people
• Process approach
• System approach to management
• Continual improvement
• Factual approach to decision-making
• Mutually beneficial supplier relationships

Knowledge Statement 2.8: Process Optimization - Knowledge of process optimization techniques
Knowledge Statements 2.12 and 2.13: Quality Management and Quality Assurance
Knowledge Statement 2.12: Knowledge of the practices for monitoring and reporting controls performance (e.g., continuous monitoring, quality assurance [QA])
Knowledge Statement 2.13: Knowledge of quality management and quality assurance (QA) systems

Knowledge Statement 2.15: Business Impact Analysis Related to Business Continuity Planning
Knowledge Statement 2.15: Knowledge of business impact analysis (BIA)
Explanation for Knowledge Statement
• The IS auditor should determine whether BIA and BCP are suitably aligned
• BCP should be based
on a well-documented BIA to be efficient and effective
• BIA drives the focus of the BCP/disaster recovery plan (DRP) efforts of the organization and helps balance the costs to be incurred against the corresponding benefits to the organization
Main Areas of Coverage: Business Impact Analysis

Business Impact Analysis
Business Impact Analysis is a component of Business Continuity Planning (BCP) which identifies events that could impact the continuity of operations and assesses the impact of these events. BIA helps an organization to:
• Understand the priorities and time requirements for recovery of business functions
• Gather information regarding the organization's current recovery capabilities

Business Impact Analysis: Activities, Approval, and Approaches
Activities involved in BIA: understanding the organization; identifying key business processes
Roles involved: end-users, IT personnel
Approvals required in BIA: senior management
Approaches to BIA: questionnaires, interviews, and brainstorming sessions

Business Impact Analysis: Points to Consider
It is important to analyze the following questions before the business impact analysis:
• What are the organization's business processes?
• What are the critical information resources related to the critical business processes?
• What is the critical recovery time for information resources to resume business processing before significant or unacceptable losses?

Business Impact Analysis: RTO and RPO
Recovery Time Objective (RTO): the acceptable downtime in case of a disruption to operations. It determines the processes and technology used for backup and recovery (for example, data tapes or disk).
Recovery Point Objective (RPO): the acceptable data loss, measured in time, in case of a disruption to operations. It determines the frequency of backups: the interval between backups must not exceed the RPO.

Disruption Cost vs. Recovery Costs
The diagram shows the relationship between disruption costs and recovery costs.
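As a worked version of the RTO/RPO definitions and of the cost trade-off the diagram illustrates, the following is an added example, not from the original CISA material. The backup schedule, the hourly downtime rate, the cost ceiling and the three recovery strategies are constructed assumptions chosen to show the mechanics: a backup schedule is checked against an RPO, and the cheapest strategy that still meets the RTO is picked by adding recovery cost to the disruption cost incurred at its recovery time.

```python
"""Added example (not from the original CISA material): a worked version of the
RTO/RPO definitions and the disruption-cost-versus-recovery-cost trade-off.
The backup schedule, cost figures and strategy options are constructed assumptions."""
from datetime import datetime

# Constructed backup log for one database: backups every 4 hours, with one 12-hour gap.
BACKUPS = [
    "2024-03-01T00:00", "2024-03-01T04:00", "2024-03-01T08:00",
    "2024-03-01T20:00", "2024-03-02T00:00",
]

# Constructed recovery strategies: (name, achievable recovery time in hours, annual cost).
STRATEGIES = [
    ("offsite-tape", 48.0, 20_000),
    ("warm-site", 8.0, 120_000),
    ("hot-site", 1.0, 400_000),
]


def rpo_violations(backup_times, rpo_hours):
    """Pairs of consecutive backups further apart than the RPO. A failure just
    before the later backup would lose more data (measured in time) than the
    business accepted. Returns (earlier, later, gap_hours) triples."""
    times = sorted(datetime.fromisoformat(t) for t in backup_times)
    out = []
    for a, b in zip(times, times[1:]):
        gap = (b - a).total_seconds() / 3600
        if gap > rpo_hours:
            out.append((a.isoformat(timespec="minutes"),
                        b.isoformat(timespec="minutes"), gap))
    return out


def disruption_cost(hours, rate_per_hour, ceiling):
    """Downtime cost: grows with outage duration, then stops growing at the point
    where the business can no longer function (modelled as a capped linear ramp)."""
    return min(hours * rate_per_hour, ceiling)


def choose_strategy(strategies, rate_per_hour, ceiling, rto_hours):
    """Discard strategies that cannot meet the RTO, then pick the one with the
    lowest combined cost (recovery cost + disruption cost at its recovery time).
    Assumes one disruption per year so the two figures are comparable."""
    best = None
    for name, hours, annual_cost in strategies:
        if hours > rto_hours:
            continue  # cannot meet the RTO, however cheap
        total = annual_cost + disruption_cost(hours, rate_per_hour, ceiling)
        if best is None or total < best["total"]:
            best = {"strategy": name, "recovery_hours": hours,
                    "recovery_cost": annual_cost,
                    "disruption_cost": total - annual_cost, "total": total}
    return best


if __name__ == "__main__":
    print("RPO violations at 4h:", rpo_violations(BACKUPS, 4))
    print("chosen:", choose_strategy(STRATEGIES, 10_000, 300_000, 24))
```

With an RTO of 24 hours the tape strategy is excluded outright, and the warm site wins over the hot site because the extra recovery spend exceeds the downtime it avoids; tighten the RTO below 8 hours and only the hot site remains. The RPO check is the audit step that is most often skipped: a backup policy that says "every 4 hours" is not evidence, the backup log is.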
The two should be balanced to attain an optimum protection level for key information assets, that is, to obtain an optimal RPO and RTO.
If the business continuity strategy aims at a longer recovery time, it will be less expensive than a more stringent requirement, but more susceptible to downtime costs spiraling out of control. The downtime cost of a disaster in the short run (for example, hours, days, and weeks) grows quickly with time, as the disruption impact increases the longer it lasts. At a certain moment it stops growing, reflecting the point at which the business can no longer function.

Knowledge Statement 2.16: Business Continuity Plan (BCP)
Knowledge Statement 2.16: Knowledge of the standards and procedures for development, maintenance, and testing of the business continuity plan (BCP)
Explanation for Knowledge Statement
The IS auditor needs to understand the life cycle of BCP/DRP plan development and maintenance, the types of BCP tests, the factors to consider when choosing the appropriate test scope, and the methods for observing recovery tests and analyzing test results.
Main Areas of Coverage
The main areas covered in this domain are:
• IS Business Continuity Planning
• Business Continuity Planning Process
• Business Continuity Policy
• Development of Business Continuity Plans
• Components of a Business Continuity Plan
• Business Continuity Planning Incident Management
• Other Issues in Plan Development
• Plan Testing

Components of an Effective BCP
• Crisis communication plan
• Continuity of support plan
• Incident response plan
• Continuity of operations plan
• Business resumption plan
• Disaster recovery plan
The components of a Business Continuity Plan depend on the organization size and requirements.
It may also include an occupant emergency plan.
Components to be Agreed
The components to be agreed are:
• Governing policies
• Goals/requirements/products
• Alternative facilities
• Critical IS resources to deploy
• Data and systems
• Staff required for/responsible for recovery tasks
• Key decision-making personnel
• Resources to support deployment
• Backup of required supplies, other personnel
• Schedule of prioritized activities

Business Continuity Plan Testing
BCP testing involves:
1 Testing the developed plans to determine if they work and identifying areas that need improvement
2 Specifications such as the objective and scope of the test, test execution, and pre-test
3 Testing of the plan by paper test, preparedness test, full operational test, and post-test
4 Documentation of test results, including observations, problems, and resolutions, to facilitate recovery in a real disaster
5 Analysis of the results obtained against the specifications set in time, amount, count, and accuracy

Business Continuity Plan Test Execution
BCP tests are executed as a pre-test, the actual test, and a post-test.
Pre-test: the set of actions necessary to set the stage for the actual test. This ranges from placing tables in the proper operations recovery area to transporting and installing backup telephone equipment.
Actual test: the real action of the business continuity test. Actual operational activities are executed to test the specific objectives of the BCP. This is the actual test of preparedness to respond to an emergency.

Business Continuity Plan: Test
There are five levels of testing.
Level 1 Document Review
Level 2 Walkthrough
Level 3 Simulation
Level 4 Parallel
Level 5 Cutover

Knowledge Statement 2.17: Business Continuity Plan (BCP)
Knowledge Statement 2.17: Knowledge of the procedures used to invoke and execute the business continuity plan (BCP) and return to normal operations
Explanation for Knowledge Statement
• What is involved in invoking a BCP and DRP
• How to return to normal operations
Invoking the BCP/DRP
• What factors trigger the BCP?
• Who is authorized to invoke the BCP?
• What steps must be taken to resume normal operations?

Domain Two Exam Quick Pointers
• Data and system owners are accountable for maintaining appropriate security measures over information assets.
• Business unit management is responsible for implementing cost-effective controls in an automated system.
• Proper segregation of duties prohibits a systems analyst from performing quality assurance functions (it is difficult for us to poke holes in our own work).
• The board of directors is ultimately accountable for developing an IS security policy.
• Know BIA, RTO, and RPO.

Knowledge Check

QUIZ 1
To support organizational goals, the IS department should have ___________.
a. a leading-edge technology
b. plans to acquire new hardware and software
c. a low-cost philosophy
d. long- and short-range plans
The correct answer is d. The IS department should have long- and short-range plans that are consistent with the organization's plans to attain its goals.

QUIZ 2
An organization needs to better understand whether one of its key business processes is effective. What action should the organization consider?
a. Audit the process
b. Benchmark the process
c.
d. Offshore the process
The correct answer is a. Auditing is the best way to understand a process.

QUIZ 3
An IS auditor is reviewing a contract management process to determine the financial viability of a software vendor for a critical business application. Which of the following is correct regarding the vendor's suitability? The vendor:
a. can deliver on the immediate contract
b. has similar financial standing as the organization
c. has significant financial obligations that can impose liability on the organization
d. can support the organization in the long term
The correct answer is d. The long-term viability of a vendor is essential to derive maximum value for the organization. A financially sound vendor is more likely to remain in business for a long period of time.

QUIZ 4
An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan?
a. Cutover test
b. Walk-through
c.
d. Regression test
The correct answer is a. A cutover test literally takes the primary systems offline to ensure that the backup systems and processes function.

QUIZ 5
Which of the following is the MOST important action in recovering from a cyber-attack?
a. Creating an incident-response team
b. Using cyber-forensic investigators
c. Executing a business continuity plan
d. Filing an insurance claim
The correct answer is c. The most important step in recovering from a cyber-attack is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes, and data.

Case Study 1
An IS auditor has been asked to audit a financial services company. The primary goal is to evaluate the alignment of the business strategic objectives with the IT objectives. While collecting data, the IS auditor finds that the documentation for the business strategic objectives is a brief list in a PowerPoint presentation, and that there are items in the IT strategic plan specifically designed to support specific business goals that are not in the budget. Some IT projects do not correlate to any business objective. Finally, he discovers that the communication between IT management and the executive staff is not effective.

QUIZ 1
Which of the following is the biggest concern for the auditor?
a. Items not correlated to business objectives
b. Items that are correlated but not budgeted
c. The abbreviated documentation for strategic objectives
d. Poor communication between IT and executives
The correct answer is b. These are clearly defined items that have been determined to be necessary to support strategic goals, but are not budgeted for. Option a would be the next most serious issue, as it wastes financial resources on unnecessary projects. Options c and d are both concerns, but not as critical as b.

QUIZ 2
Which is the most important reason that the abbreviated business strategic goals would be a concern?
a. They would not; that is sufficient
b. The lack of detail makes it difficult to align IT with strategic goals
c. It may indicate poor communication from executives to IT
d. It may indicate that executives lack strategic vision
The correct answer is b. While options c and d are both possible, those are primarily outside the scope of an IS audit. Option b is measurable and definable, and should be noted in the audit.

Case Study 2
An IS auditor is tasked with the review of a hotel chain's outsourcing agreements. The company outsources management of its website, web servers, and reservation application (including the backend database) to a third party. This business relationship has existed for 3 years and is working well. So far, there have been no significant outages and no security breaches.

QUIZ 1
Which of the following is the least important in an IS audit review?
a. The web servers' vulnerability to attack
b. The SLA
c. Incident reports from the past 3 years
d. The process for updating and patching the web servers
The correct answer is c. There have been no outages or breaches in the past three years, so there should be only a few minor incidents.

QUIZ 2
Why should you closely review the SLA, even though the company reports show satisfaction with the service?
a. Because there are no incidents to test the SLA
b. You need not review the SLA
c. You should briefly review the SLA
d. Because it is a common item to review in an audit
The correct answer is a. Simply because the company has been satisfied so far does not mean the SLA is adequate or complete. It is likely that there will eventually be a breach or outage, and it is important to confirm that the SLA is adequate.
Key Takeaways
You are now able to:
• Evaluate the IT strategy for alignment with the organization's strategies and objectives
• Evaluate the effectiveness of the IT governance structure and the IT organizational structure
• Evaluate the organization's IT policies and practices for compliance with regulatory and legal requirements
• Evaluate IT resource and portfolio management for alignment with the organization's strategies and objectives
• Evaluate the organization's risk management and data governance policies
• Evaluate IT management and monitoring of controls
• Evaluate the monitoring and reporting of IT key performance indicators (KPIs)
• Evaluate whether IT supplier selection, service, and contract management processes align with business requirements
• Conduct periodic reviews of information systems and enterprise architecture
• Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices
This concludes ‘Governance and Management of IT.’ The next domain is ‘IS Acquisition, Development, and Implementation.’

Certified Information Systems Auditor (CISA®)
Information Systems Acquisition, Development, and Implementation
Learning Objectives
By the end of this domain, you’ll be able to:
• Evaluate whether the business case for proposed changes to information systems meets the business objectives
• Explain the organization's project management policies and practices
• Evaluate the controls at each stage of the information systems development life cycle
• Evaluate the readiness of information systems for implementation and migration into production
• Conduct post-implementation reviews of systems to determine whether project deliverables, controls, and requirements are met
• Evaluate change, configuration, release, and patch management policies and practices

Part A: Information Systems Acquisition and Development
The following topics are covered in Part A:
• Project governance and management
• Business case and feasibility analysis
• System development methodologies
• Control identification and design

Overview
Organizations need proper processes and methodologies to create and change application systems and infrastructure components. This is called information systems lifecycle management.
Information systems lifecycle management encompasses the information system lifecycle: Plan Acquisition, Acquisition, Use and Maintenance, Retire Information System.

Project Governance and Management
Project Organizational Forms
The project organizational forms are Influence, Pure, and Matrix.

Influence Project Organization Form
• Project managers have no formal or managerial authority
• Their role is advisory in nature
• They are at a peer level with other members

Pure Project Organization
• Team members are involved completely in the project
• Project managers have complete responsibility for the project
• They have full management authority over all team members

Matrix Project Organization
• A hybrid form that combines characteristics of the influence and pure project forms
• Responsibility for the project is shared between the project manager and functional managers
• Project members report to both the project manager and their functional managers

IS auditors must be familiar with all project organizational forms and identify which one is in use, because each has different implications for how the project is managed and controlled. IS auditors may be included in a project in an advisory capacity for their expertise in control aspects; however, this makes them ineligible to audit that project or application later, while it is operational. Last but not least, the IT steering committee must prioritize the IT projects.

Project Objectives
Main objectives are broken down into sub-objectives (project breakdown).

Project Communication
On initiating a project management process, communication may be achieved in a number of ways depending on the project's size and complexity.
Project communication types (figure: communication flows between managers and team members).

Project Culture
Project culture represents the norms and rules of engagement of the project. It is the common understanding or orientation expected of the team. Methods of developing or influencing project culture include:
• Establishment of a project mission statement
• Project name and logo
• Project-specific social events
• Project office or meeting place
• Project team meeting rules and communication protocols
• Project intranet

Project Management Practices and Project Initiation
Project management processes include: Initiating, Planning, Executing, Controlling, Closing

Elements of a Project
Projects have three key intertwining elements: Deliverables, Duration, and Budget (these should be positively correlated: more deliverables require more time and more money).

Software Size Estimation
Software size estimation methods are used to determine the relative physical size of the application software to be developed. One of these methods is Function Point Analysis (FPA): an indirect measure of the size of an information system (software size) based on the number and complexity of inputs, outputs, files, external interfaces, and queries. Complexity adjustments (rating factors) are then applied based on analysis of reliability, criticality, complexity, reusability, changeability, and portability.

Software Cost Estimation
Software cost estimation follows from software size estimation and involves estimating the effort and cost of the programs at each phase. Some of the components to consider when using these techniques include:

Budgets and Schedules
Tasks involved in budgeting and scheduling are:

Critical Path Methodology (CPM)
In the critical path methodology (CPM), a project is represented as a network in which activities are shown as branches connected at nodes to their immediately preceding and immediately following activities. The critical path is the longest path through the network; activities on it have zero float, so any delay to them delays the whole project.
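As an added example that is not part of the Simplilearn deck, the following Python computes a critical path over a small constructed activity network. Each activity's duration is derived with the PERT three-point estimate (te = (o + 4m + p) / 6), then the standard CPM forward and backward passes give earliest/latest start and finish, float, and the zero-float activities that form the critical path. The activity names, predecessors and estimates are constructed for illustration.

```python
"""Added example (not from the Simplilearn deck): PERT three-point estimates
feeding a CPM forward/backward pass over a constructed activity network."""
from collections import defaultdict

# Constructed sample network: activity -> (predecessors, optimistic, most likely, pessimistic) in days
ACTIVITIES = {
    "A": ((),         2, 4,  6),   # requirements
    "B": (("A",),     3, 5, 13),   # design
    "C": (("A",),     1, 2,  3),   # procure hardware
    "D": (("B",),     4, 8, 12),   # build
    "E": (("B", "C"), 2, 3,  4),   # prepare test environment
    "F": (("D", "E"), 1, 2,  9),   # acceptance testing
}


def pert_expected(optimistic, most_likely, pessimistic):
    """PERT expected duration: te = (o + 4m + p) / 6."""
    return (optimistic + 4 * most_likely + pessimistic) / 6


def topological_order(acts):
    """Order activities so every predecessor precedes its successors."""
    order, seen = [], set()

    def visit(name):
        if name in seen:
            return
        seen.add(name)
        for pred in acts[name][0]:
            visit(pred)
        order.append(name)

    for name in acts:
        visit(name)
    return order


def critical_path(acts):
    """Return (schedule, project duration, critical activities).

    schedule[name] holds duration, ES, EF, LS, LF and float; activities with
    zero float form the critical path: any delay to them delays the project.
    """
    duration = {name: pert_expected(*spec[1:]) for name, spec in acts.items()}
    order = topological_order(acts)
    successors = defaultdict(list)
    for name, (preds, *_rest) in acts.items():
        for pred in preds:
            successors[pred].append(name)

    es, ef = {}, {}
    for name in order:                      # forward pass: earliest start/finish
        es[name] = max((ef[p] for p in acts[name][0]), default=0.0)
        ef[name] = es[name] + duration[name]
    project_end = max(ef.values())

    ls, lf = {}, {}
    for name in reversed(order):            # backward pass: latest start/finish
        lf[name] = min((ls[s] for s in successors[name]), default=project_end)
        ls[name] = lf[name] - duration[name]

    schedule = {
        name: {"duration": duration[name], "es": es[name], "ef": ef[name],
               "ls": ls[name], "lf": lf[name], "float": ls[name] - es[name]}
        for name in acts
    }
    critical = [name for name in order if abs(schedule[name]["float"]) < 1e-9]
    return schedule, project_end, critical


if __name__ == "__main__":
    sched, end, crit = critical_path(ACTIVITIES)
    for name, row in sched.items():
        print(f"{name}: dur={row['duration']:.1f} ES={row['es']:.1f} "
              f"LS={row['ls']:.1f} float={row['float']:.1f}")
    print(f"project duration {end:.1f} days, critical path {'-'.join(crit)}")
```

For the sample network the critical path is A-B-D-F at 21 days; C (9 days of float) and E (5 days) can slip without moving the end date, which is the information a project manager uses to decide where to spend contingency and where a reported delay is an escalation.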
Program Evaluation Review Technique (PERT)
The program evaluation review technique (PERT) is used for planning and control, estimation of the time and resources required, and detailed scheduling (timing and sequence). Unlike CPM, which uses a single duration per activity, PERT combines optimistic, most likely, and pessimistic estimates into an expected duration.

Gantt Charts
Gantt charts are a graphical representation of scheduled tasks.

Timebox Management

Project Controlling Activities
The controlling activities of a project include management of scope, resource usage, and risk. New requirements should be documented and, if approved, allocated the appropriate resources. To manage scope, the deliverables breakdown is accompanied by proper documentation in a configuration management database (CMDB). Changes to scope will always lead to changes in activities, impacting deadline and budget; therefore they need to be handled formally in a change management process.

Project Controlling
The steps in the change management process are as follows:

Resource Usage Management
Resource usage is the process by which the project budget is spent. Resource usage management checks whether actual spending is in line with planned spending, and resource usage must be measured and reported. Every budget and project plan presupposes a certain "productivity" of resources that delivers the expected quality of the outcome/deliverable. The earned value analysis (EVA) technique can be used to check this. It involves continuously comparing the following:

Closing a Project
A project should be finite and at some point be closed, with the new or modified system handed over to the users and/or system support staff. The project sponsor should be satisfied that the system produced is acceptable and ready for delivery. Custody of contracts may need to be assigned, and documentation archived or passed on to those who will need it. Survey the project team, development team, users, and other stakeholders to identify any lessons learned that can be applied to future projects.

Closing a Project: Post Project Review
A post-project review is important to improve future projects.
Project Governance Framework
• The project manager’s skill set should be commensurate with the project at hand.
• To manage all the relevant parameters of a large project, project management practices, tools, and control frameworks are required.
• Projects need to be managed on hard factors (example: budget and technical requirements), soft factors (example: personal relationships and departmental politics), and environmental factors.
• COBIT control PO10.3 - Project Management Approach.

Value Drivers
• Optimized use of resources for project management
• Clear roles and responsibilities
• Clear accountability and commitment for key decisions and tasks
• Enhanced alignment of project objectives with business objectives
• Timely ability to react to and deal with project issues

Risk Drivers
• Confusion caused by different project management approaches within the organization
• Negative impact on project completion
• Failure to respond to project issues with optimal and approved decisions

Controls
Project risks can be mitigated via controls, which include:
• Establishing a project management governance structure appropriate to the project’s size, complexity, and risks (including legal, regulatory, and reputational risks)
• Defining the responsibility and accountability of roles, including the project manager and the steering committee
• Regular reporting and reviewing

Project Governance Mechanisms
• Strong project governance is essential for successful project implementation.
• Effective and efficient deployment of project resources is enhanced by having adequate project governance mechanisms.
• The more complex the project, the more elaborate the governance structures and mechanisms need to be.
Use of Vendors
• Use of vendors can speed up a project and potentially reduce total costs.
• However, use of vendors adds risks, especially if the vendor is a single-source or sole-source provider.
• Proper vendor management can reduce or prevent problems caused by picking a vendor that is unable to achieve the required solution or timescale, and can ensure that contracts address business needs and do not expose the business to unnecessary risk.

Main Areas of Coverage
The main areas covered under this knowledge statement include:
• Hardware acquisition
• Infrastructure development
• System software acquisition

Hardware Acquisition
Selection of a computer hardware and software environment frequently requires the preparation of specifications for distribution to hardware/software (HW/SW) vendors, and of criteria for evaluating vendor proposals. The specifications are sometimes presented to vendors in the form of an invitation to tender (ITT), also known as a request for proposal (RFP).

When acquiring a system, the specifications should include the following:
• Information processing requirements (centralized or decentralized, distributed, …)
• Hardware requirements
• System software applications
• Organizational descriptions, indicating whether the computer facilities are manned or lights-out, …
• Adaptability requirements
• Constraints
• Conversion requirements
• Support requirements

Outsourced Hardware Acquisition
When purchasing or acquiring hardware and software from a vendor, consider the following:
• Testimonials from, or visits with, other users
• Provisions for competitive bidding
• Analysis of bids against requirements
• Comparison of bids against each other using predefined evaluation criteria
• Analysis of the vendor's financial condition
• Analysis of the vendor's capability to provide maintenance and support (including training)
• Review of delivery schedules against requirements
Other considerations include:
• Analysis of hardware and software upgrade capability
• Analysis of security and control facilities
• Evaluation of performance against requirements
• Review and negotiation of price
• Review of contract terms (including right-to-audit clauses)
• Preparation of a formal written report summarizing the analysis of each alternative and justifying the selection based on benefits and cost

System Software Acquisition
When selecting new system software, the business and technical issues to consider include:
• Business, functional, and technical needs and specifications
• Cost and benefits
• Compatibility with existing systems
• Security
• Demands on existing staff
• Training and hiring requirements
• Future growth needs
• Impact on system and network performance
• Open source code vs. proprietary code

Infrastructure Development/Acquisition Practices
Challenges to infrastructure development and acquisition include the following:
• Alignment with corporate standards
• Scalability and flexibility
• Security
• Maintainability (cost effective)
• Integration with existing systems
• Standardized hardware and software
• IT industry trends
• ROI, cost, and operational efficiency

Phases in ICT infrastructure development and acquisition are as follows:
• Review of existing architecture
• Analysis and design
• Functional requirements
• Proof of concept
• Procurement
• Implementation planning
• Delivery
• Installation

Request for Proposal Process
The requirements for a request for proposal (RFP) are given in the following table:

Project Success
• What makes a project a success? How do we integrate risk into that definition?
Define Success
Success can be defined in terms of user satisfaction, productivity, legal and regulatory compliance, financial ROI, and cost-benefit.

Risk Management
• Risk management and project management go hand in hand.
• Risk management processes are applied to project management.

Risks Associated with Software Development
Risks associated with software development are as follows:

Levels of Software Project Risk
Software project risks exist at the following levels:

Risk Management
Risks are the possible negative events or conditions that would disrupt relevant aspects of the project. There are two main categories of project risk:
• Those that impact the project itself. The project manager is responsible for mitigating this risk (risks within the project).
• Those that impact the business benefits and therefore endanger the project's very existence. The project sponsor is responsible for mitigating this risk (business risk of the project).

Risk Management Process Steps
• Identify risks
• Assess and evaluate risks
• Manage risks
• Monitor risks
• Review and evaluate the risk management process

Business Case and Feasibility Analysis
Benefits Realization Practices
• The objective of IT projects is to realize tangible benefits. Managing these benefits is essential to the success of projects.
• A cost-benefit analysis should be prepared prior to beginning a project. It should estimate all costs and benefits throughout the life of the new system.

Main Areas of Coverage
The main areas covered under this knowledge statement include:
• Benefits realization
• Business case development and approval
• Benefits realization techniques

Benefits Realization
Benefits realization is the process by which an organization evaluates technology solutions to business problems.
Factors in benefits realization include cost, quality, development/timely delivery, reliability, and dependability.

Benefits Realization Technique
The benefits realization technique is also called benefits management. It must be part of project governance and management.

Business Case Development and Realization
Feasibility study; business case.
Business Case Requirements
A business case should:
• answer the question, “Why should this project be undertaken?”
• be reviewed throughout the project to ensure that it is still valid.

System Development Methodologies
System Development Models
• System and software development is a critical part of any enterprise.
• Part of an IS audit is understanding how the audit target develops software and systems.

Traditional SDLC Phases: Waterfall Model
Feasibility, Requirements, Design, Development, Implement, Maintain

Disadvantages of the Traditional SDLC
• Changing requirements
• Unclear specifications
• Fast pace

Agile Software Development Life Cycle
Start, Plan, Design, Development, Evaluate, Next iteration

Rapid Application Development (RAD)
Team, process, timeline.

Object-Oriented Systems Development
Object-oriented systems development contrasts with traditional approaches that treat data and procedures separately. Data and procedures are grouped into an entity called an “object”:
• Objects are organized into an aggregation hierarchy, with descriptions that show how services are used.
• Object classes may inherit attributes and services from other (parent) object classes.
Major advantages of this method are:
• Permits analysts, programmers, and developers to consider larger logical chunks of a system
• Ability to manage an unrestricted variety of data types
• Allows modeling of complex relationships

Data-Oriented System Development
Data-oriented system development involves representing software requirements by focusing on data structure rather than data flow. It considers data independently from the processes that transform data.
Data-oriented development complements traditional development strategies.

Requirements Analysis in the System Development Life Cycle (SDLC)
Requirements analysis involves identifying and specifying the requirements of the chosen system. Decisions in requirements analysis are made on:
• System processes
• User requirements and interaction
• Information criteria (effectiveness, efficiency, confidentiality, integrity, availability, compliance, reliability)
• System operating environment (that is, operating system)
Requirements analysis in the SDLC involves six steps (figure not reproduced). Key outputs of requirements analysis include: design, schedule, resources.

Control Identification and Design
Application Controls
• The primary objective of application controls is to ensure that only valid, complete, and accurate data is entered into and processed by an application.
• They may be automated or manual.
• Controls make the application more reliable in terms of accurate processing and expected results.

Data Validation and Edit Controls
• Value range: limits, ranges
• Value type: data type, reasonableness
• Format: completeness, format

Input and Origination Controls
• Input controls ensure that all data entered into an application is valid, authorized, and processed accurately. Examples: edit checks, reconciliation, and exception reports.
• Input authorization:
o Signatures on source documents
o Logical access controls
o Workstation identification: restricting input to specific terminals or staff
o Authentication of source documents
• Batch controls and balancing:
o Total number of records
o Total amount
o Total number of documents: each document should hold a unique number that enables tracking
o Hash totals: the total of a field whose sum has no business meaning, such as account numbers, customer IDs, phone numbers, or dates. Comparing the hash total computed before and after processing detects records that were lost, added, or altered in that field, which a record count or amount total alone would miss.
• Error reporting and handling:
o Error correction procedures
o Logs
o Reconciliation
o Source document controls and procedures

Processing Procedures and Controls
• Manual checks: calculations, totals
• Process: review, process, algorithms
• Exceptions: handling, reporting

Processing Controls
• Processing controls ensure that the application is processing data accurately.
• Data validation and edit controls:
o Sequence check
o Limit check
o Range check
o Validity check
o Reasonableness check
o Check digit
o Completeness check
o Duplicate check
• Processing controls:
o Manual recalculation
o Edit check
o Programmed controls
o Limit check
o Reconciliation of file totals
o Exception reports

Output Controls
• Output controls ensure that output is well formatted and delivered in a consistent and secure manner.
• Some examples of output controls are:
o Final values and reports: manual re-check; reconciliation with control totals
o Controls over computer-generated forms, signatures, and negotiable instruments
o Verification of receipts
o Formatting, retention, and distribution in a secure manner
o Accuracy, completeness, and timely delivery
o Output methods, constraints, and error handling
o Logging and secure storage of sensitive forms

Risk Management Practices
• Proper risk management is required in order to minimize the likelihood and the consequences of the project failing to achieve its goals. Major issues include scope/deliverables, quality, budget, and time.
• Risk management is a continuous process, not a one-time activity, since risk profiles change over time.
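As an added example that is not part of the Simplilearn deck, the following Python runs the input and processing edit checks listed above (sequence, completeness, validity, range, limit, reasonableness, check digit, duplicate) over a constructed batch of payment records, and then reconciles the batch control totals (record count, total amount, hash total of account numbers) against the header the sender computed. The batch layout, field names, the per-transaction limit, the accounting period, and the Luhn (mod-10) check digit on account numbers are all assumptions made for the example; the sample batch deliberately contains one record whose account number was altered in transit, which the record count and amount total cannot see but the hash total and the check digit both catch.

```python
"""Added example (not from the Simplilearn deck): input/processing edit checks
and batch control-total reconciliation over a constructed payments batch."""
import datetime as dt

PERIOD = (dt.date(2019, 6, 1), dt.date(2019, 6, 30))   # assumed accounting period for the range check
AMOUNT_LIMIT = 5000.00                                  # assumed per-transaction limit
VALID_TYPES = {"CR", "DR"}                              # assumed transaction-type code table
REQUIRED = ("seq", "account", "amount", "date", "type")

# Constructed sample batch as received. The header is what the sender computed before
# transmission; record 4's account number was altered in transit (...713 -> ...714).
BATCH_HEADER = {"record_count": 6, "total_amount": 8995.50, "hash_total": 9079397309439111}
RECORDS = [
    {"seq": 1, "account": "79927398713",      "amount": 1200.00, "date": "2019-06-03", "type": "CR"},
    {"seq": 2, "account": "4539578763621486", "amount": 75.50,   "date": "2019-06-04", "type": "DR"},
    {"seq": 3, "account": "79927398713",      "amount": 1200.00, "date": "2019-06-03", "type": "CR"},  # duplicate of 1
    {"seq": 4, "account": "79927398714",      "amount": 6500.00, "date": "2019-06-04", "type": "DR"},  # bad check digit, over limit
    {"seq": 6, "account": "4539578763621486", "amount": 20.00,   "date": "2019-07-01", "type": "XX"},  # seq gap, date, type
    {"seq": 7, "account": "",                 "amount": 0.00,    "date": "2019-06-04", "type": "CR"},  # incomplete, unreasonable
]


def luhn_valid(number):
    """Mod-10 (Luhn) check digit: doubles every second digit from the right."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def edit_checks(records):
    """Run the edit checks on each record; return a list of (seq, check, detail) exceptions."""
    exceptions, seen, expected_seq = [], set(), 1
    for rec in records:
        seq = rec.get("seq")
        if seq != expected_seq:                                  # sequence check
            exceptions.append((seq, "sequence", f"expected {expected_seq}"))
        expected_seq = (seq or expected_seq) + 1
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:                                              # completeness check
            exceptions.append((seq, "completeness", f"missing {missing}"))
        if rec.get("type") not in VALID_TYPES:                   # validity check (code table)
            exceptions.append((seq, "validity", f"type {rec.get('type')!r}"))
        try:
            day = dt.date.fromisoformat(rec["date"])
        except (KeyError, ValueError):                           # validity check (date format)
            day = None
            exceptions.append((seq, "validity", f"date {rec.get('date')!r}"))
        if day is not None and not (PERIOD[0] <= day <= PERIOD[1]):   # range check
            exceptions.append((seq, "range", f"date {day} outside period"))
        amount = rec.get("amount", 0.0)
        if amount > AMOUNT_LIMIT:                                # limit check
            exceptions.append((seq, "limit", f"amount {amount} > {AMOUNT_LIMIT}"))
        if amount <= 0:                                          # reasonableness check
            exceptions.append((seq, "reasonableness", f"amount {amount}"))
        if rec.get("account") and not luhn_valid(rec["account"]):     # check digit
            exceptions.append((seq, "check_digit", rec["account"]))
        key = (rec.get("account"), amount, rec.get("date"))
        if key in seen:                                          # duplicate check
            exceptions.append((seq, "duplicate", f"repeats {key}"))
        seen.add(key)
    return exceptions


def batch_totals(records):
    """Control totals recomputed on receipt: record count, amount total, hash total."""
    return {
        "record_count": len(records),
        "total_amount": round(sum(r["amount"] for r in records), 2),
        "hash_total": sum(int(r["account"]) for r in records if r["account"].isdigit()),
    }


def reconcile(header, records):
    """Compare the sender's header with recomputed totals; return only the mismatches."""
    got = batch_totals(records)
    return {k: (header[k], got[k]) for k in header if header[k] != got[k]}


if __name__ == "__main__":
    for exc in edit_checks(RECORDS):
        print("exception:", exc)
    print("header mismatches:", reconcile(BATCH_HEADER, RECORDS))
```

The exception list is the input to the error-correction procedure: each rejected record goes back to the originator with its check name, and the batch is not released for processing until the header reconciles. Note that an altered account number changes the hash total by only 1 here; the hash total is a detective control over the field, not a cryptographic integrity check, and does not tell you which record changed.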
Part B: Information Systems Implementation
The following topics are covered in Part B:
• Testing methodologies
• Configuration and release management
• System migration, infrastructure deployment, and data conversion
• Post-implementation review

Testing Methodologies
Testing Methodologies and Practices Related to ISs
• Organizations employ a methodology to reduce development time and improve the maintainability of the resulting code base.
• Controls appropriate to one form of development may not apply to other forms.

SDLC: Testing
• System testing tests the collective constitution of the programs/modules as one system:
o Recovery testing: the ability to recover from failure
o Security testing: access controls and impact on other systems
o Load testing: performance during peak hours (processing with large volumes of data)
o Volume testing: applying incremental records to determine the maximum volume of data the application can process
o Stress testing: the number of concurrent users and/or services that can be supported at a time (by increasing transactions progressively)
o Performance testing: comparing against other equivalent systems and/or benchmarks
• Final acceptance testing is done during implementation, and considers:
o Quality assurance (technical aspects): focuses on documented specifications and the technology employed
o User acceptance (functional aspects): assesses whether the system is production ready and satisfies all requirements
SDLC: Testing Terminology
• Alpha testing, beta testing, pilot testing
• Function/validation testing: testing functionality against detailed requirements
• Regression testing: rerunning tests to ensure changes or corrections have not introduced errors; the data used should be the same as the data used in the original test of the system
• Parallel testing: feeding test data into two systems and comparing results
• Sociability testing: evaluating impact on existing systems or the environment
• Test data generators are used to systematically generate random test data
• Interactive debugging aids and code logic analyzers are available to assist in testing activities

SDLC: Implementation
Certification, accreditation, implementation. Before implementation: testing complete, documentation complete, users trained.

Configuration and Release Management
Release Management
• Configuration and release management provide systematic, consistent, and unambiguous control over the attributes of the IT components comprising the system.
• Changes to IT systems must be carefully assessed, planned, tested, approved, documented, and communicated to minimize any undesirable consequences to the business processes.

Main Areas of Coverage
• IS maintenance
• Configuration management
• Change management

Change Management Process Overview
Change control: documented requests, review, authorize, implement, confirm and document. Emergency changes take an expedited path but are still recorded and reviewed after the fact.

System Migration, Infrastructure Deployment, and Data Conversion
System Migration and Infrastructure Deployment
• Deployment and migration are essential processes.
• Audits must consider these processes.

Data Migration
Meaning and objectives of data migration: it involves porting data from one platform or database to another and is an essential part of migrating from an existing legacy application to a new one.
The objective of data conversion is to ensure that all existing data is converted and ported to the new platform without affecting the integrity of the data.
• It should be scheduled at a time when no or minimal disruption occurs.
• It must be meticulously planned to ensure that the migration is done within the defined budget and stipulated time.
Tools or processes used to verify the conversion:
o Record counts
o Totals
o Hash totals
o Logs
o Tools
o Manual processes
o Specialized applications

Objectives of data migration
• The consistency of data should be maintained throughout the process of porting from the legacy to the target system.
• Security of the data being converted should be maintained; any loss of confidentiality or integrity must be prevented.
• A record should be maintained of the data exported from the legacy system into the new one, enabling verification of the completeness and accuracy of the data.
• A rollback plan must be defined, in case the conversion fails despite all the care taken.

Data Migration Steps
1. Identify the data to be converted and the method to do that
2. Check whether accuracy is to be maintained at 100% or some margin of difference is permissible
3. Identify who is responsible for verifying the conversion and signing off
4. Define audit trails
5. Identify the method by which the conversion will be tested

Migration Issues
• Migration: data format, data size
• Mapping: source, destination
• Finalize: test, document

Change Management
The change management process is as follows: change request, formal RFC, Change Approval Board (CAB), change approval, implementation, review, possible rollback.

Cutover or Changeover Methods
• Once a new system has been tested and is ready to go live (also called cutover or changeover), users and activities need to be shifted from the legacy to the new application.
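As an added example that is not part of the Simplilearn deck, the following Python performs the migration verification described above before any cutover is attempted: it recomputes record counts, a control total and a hash total on both the legacy extract and the data read back from the target, then uses a per-record SHA-256 digest to name exactly which keys are missing, extra, or altered, and applies the sign-off rule from step 2 (100% accuracy, or a permitted margin) to decide between proceeding and rollback. The table layout, the sample rows, and the error margin are constructed assumptions; the target load deliberately drops one row and corrupts one phone number, which the record count catches in the first case and only the hash total and digests catch in the second.

```python
"""Added example (not from the Simplilearn deck): control totals plus per-record
digests to verify a constructed data migration and make the go/no-go decision."""
import hashlib

KEY = "cust_id"
MAX_ERROR_RATE = 0.0   # assumed sign-off rule: 100% accuracy required (see migration step 2)

# Constructed legacy extract (source) and the rows read back from the target after loading.
SOURCE = [
    {"cust_id": 1001, "name": "Ada Lovelace",   "balance": 250.00, "phone": "5550101"},
    {"cust_id": 1002, "name": "Alan Turing",    "balance": 0.00,   "phone": "5550102"},
    {"cust_id": 1003, "name": "Grace Hopper",   "balance": 999.99, "phone": "5550103"},
    {"cust_id": 1004, "name": "Claude Shannon", "balance": 12.50,  "phone": "5550104"},
]
TARGET = [
    {"cust_id": 1001, "name": "Ada Lovelace",   "balance": 250.00, "phone": "5550101"},
    {"cust_id": 1002, "name": "Alan Turing",    "balance": 0.00,   "phone": "5550102"},
    {"cust_id": 1003, "name": "Grace Hopper",   "balance": 999.99, "phone": "5550130"},  # digits transposed by the mapping
    # cust_id 1004 was silently rejected by the load
]


def record_digest(row):
    """Canonical SHA-256 of one row, so any altered field changes the digest.

    Floats are fixed to two decimals so that 250.0 and 250.00 compare equal.
    """
    parts = []
    for k in sorted(row):
        v = row[k]
        parts.append(f"{k}={v:.2f}" if isinstance(v, float) else f"{k}={v}")
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def control_totals(rows):
    """Record count, a meaningful total (balances) and a hash total (phone numbers)."""
    return {
        "record_count": len(rows),
        "balance_total": round(sum(r["balance"] for r in rows), 2),
        "hash_total": sum(int(r["phone"]) for r in rows),   # meaningless as a sum, changes if any phone changes
    }


def reconcile(source, target):
    """Return the control-total differences and the exact missing, extra and altered keys."""
    s_tot, t_tot = control_totals(source), control_totals(target)
    src = {r[KEY]: record_digest(r) for r in source}
    tgt = {r[KEY]: record_digest(r) for r in target}
    return {
        "totals": {k: (s_tot[k], t_tot[k]) for k in s_tot if s_tot[k] != t_tot[k]},
        "missing": sorted(src.keys() - tgt.keys()),
        "extra": sorted(tgt.keys() - src.keys()),
        "altered": sorted(k for k in src.keys() & tgt.keys() if src[k] != tgt[k]),
    }


def go_no_go(result, source_count, max_error_rate=MAX_ERROR_RATE):
    """Sign-off rule: proceed only if the share of bad records is within the permitted margin."""
    bad = len(result["missing"]) + len(result["extra"]) + len(result["altered"])
    return "proceed" if bad / source_count <= max_error_rate else "rollback"


if __name__ == "__main__":
    result = reconcile(SOURCE, TARGET)
    print(result)
    print("decision:", go_no_go(result, len(SOURCE)))
```

The reconciliation output, together with the source and target digests, is the audit trail called for in step 4: it records what was exported, what arrived, and why the sign-off decision was taken.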
• This can be done in several ways: parallel changeover, phased changeover, abrupt cutover.

Parallel Changeover
• The old and new systems are run in parallel for some time, until stakeholders and users gain confidence in the new system.
• This gives users access to both systems for a while, which ensures that operations are not disrupted even if unexpected problems occur.
• This is the safest method of changeover, since it provides sufficient time to identify and correct any flaws or errors in the new system.
• The drawback of this method is that users are required to run both systems during the overlap period, which leads to a temporary increase in their workload.

Phased Changeover
• The switchover from the old system to the new one is done in phases or stages.
• Some modules of the new application are implemented initially and then gradually extended until the old system is entirely shut down.
• A unique challenge of this approach is that users will have to perform different tasks on two different systems in the initial phases, and will thus have to be conversant with both.

Abrupt Cutover
• The old system is shut down at the pre-planned date and time, and the new system is activated.
• The new system must be thoroughly tested and a fallback plan designed before the cutover is attempted.
• Of all the methods, this one is most likely to cause disruption if the new system does not perform, since the comfort of some or all modules of the old system running in parallel is absent.

Enterprise Architecture
• You must understand the organization's architecture and architectural models in order to understand the organization.
Value Drivers
Functionality, user satisfaction, cost effectiveness, security, and easier compliance.

Risk Drivers
Bad information (functionality), a system that is not user friendly (user satisfaction), an expensive system (cost effectiveness), and compliance that is difficult.

Controls
• Develop the information architecture model consistent with the organization's strategy and the strategic and tactical IT plans.
• Establish and maintain the information architecture model in the context of the entire organization, documented in a manner that can be understood by business and IT management.
• Check the information architecture model regularly for adequacy regarding flexibility, functionality, cost-effectiveness, security, failure resiliency, compliance, and user satisfaction, and update the model accordingly.

Post-Implementation Review
Post-Implementation Review Objectives and Practices
• A post-implementation review is typically carried out several weeks or months after project completion, when the major benefits and shortcomings of the implemented solution will have become apparent.
• Projects should be formally closed to provide accurate information on project results, improve future projects, and allow an orderly release of project resources.
• The closure process should determine whether project objectives were met or excused, and identify lessons learned to avoid mistakes and encourage repetition of good practices.

Main Area of Coverage
Post-implementation review

Post-Implementation Review
A post-implementation review verifies whether the system was designed and developed properly and whether proper controls were built into the system.
Assessing system adequacy:
o Were user requirements and management objectives met?
o Were access controls adequately defined and implemented?
• • Reviewing program cost/benefit and Return on Investment (ROI) requirements The objectives of post implementation are • Providing recommendations for system inadequacies/deficiencies • Providing implementation plans for recommendations Post-Implementation Review Post-implementation review verifies whether the system was designed and developed properly and proper controls were built into the system. Reviewing the development process o Were the chosen methodologies followed? o Was appropriate Program management used? • • Focus is to assess and critique the Program process The objectives of post implementation are • • Best performed by parties not involved in the Program Can be done internally by the Program development team and selected end-users Knowledge Check QUIZ The phases and deliverables of a system development life cycle (SDLC) project should be determined: 1 a. During the initial planning phases of the project b. After early planning has been completed, but before work has begun c. Throughout the work stages, based on risks and exposures d. Only after risks and exposures have been identified and the IS auditor has recommended appropriate controls QUIZ The phases and deliverables of a system development life cycle (SDLC) project should be determined: 1 a. During the initial planning phases of the project b. After early planning has been completed, but before work has begun c. Throughout the work stages, based on risks and exposures d. Only after risks and exposures have been identified and the IS auditor has recommended appropriate controls The correct answer is a Explanation: It is extremely important that the project be planned properly and that the specific phases and deliverables be identified during the early stages of the project. QUIZ By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: 2 a. Reliable products are guaranteed b. Programmers' efficiency is improved c. 
Security requirements are designed d. Predictable software processes are followed QUIZ By evaluating application development projects against the capability maturity model (CMM), an IS auditor should be able to verify that: 2 a. Reliable products are guaranteed b. Programmers' efficiency is improved c. Security requirements are designed d. Predictable software processes are followed The correct answer is d Explanation: By evaluating the organization's development projects against the CMM, an IS auditor determines whether the development organization follows a stable, predictable software process. Although the likelihood of success should increase as the software processes mature toward the optimizing level, mature processes do not guarantee a reliable product. CMM does not evaluate technical processes such as programming nor does it evaluate security requirements or other application controls. QUIZ An IS auditor reviewing a proposed application software acquisition should ensure that the: 3 a. Operating system (OS) being used is compatible with the existing hardware platform. b. Planned OS updates have been scheduled to minimize negative impacts on company needs. c. OS has the latest versions and updates. d. Products are compatible with the current or planned OS. QUIZ An IS auditor reviewing a proposed application software acquisition should ensure that the: 3 a. Operating system (OS) being used is compatible with the existing hardware platform. b. Planned OS updates have been scheduled to minimize negative impacts on company needs. c. OS has the latest versions and updates. d. Products are compatible with the current or planned OS The correct answer is d Explanation: In reviewing the proposed application the auditor should ensure that the products are compatible with the current or planned OS. QUIZ Which of the following is an advantage of prototyping? 4 a. The finished system normally has strong internal controls. b. 
Prototype systems can provide significant time and cost savings. c. Change control is often less complicated with prototype systems. d. It ensures that functions or extras are not added to the intended system. QUIZ Which of the following is an advantage of prototyping? 4 a. The finished system normally has strong internal controls. b. Prototype systems can provide significant time and cost savings. c. Change control is often less complicated with prototype systems. d. It ensures that functions or extras are not added to the intended system. The correct answer is b Explanation: Prototype systems can provide significant time and cost savings; however, they also have several disadvantages. They often have poor internal controls, change control becomes much more complicated, and it often leads to functions or extras being added to the system that were not originally intended. Case Study Case Study 1 • QUIZ Which of the following should be the auditor’s greatest concern? 1 a. The VPN b. The database c. The wireless connection d. The firewall QUIZ Which of the following should be the auditor’s greatest concern? 1 a. The VPN b. The database c. The wireless connection d. The firewall The correct answer is c Explanation: The scenario does not indicate how the wireless is secured, and wireless is always vulnerable to attack attempts. The other items should also be audited, but the wireless connection must be the most critical concern. QUIZ Why would the database be an issue? 2 a. It would not, it is encrypted, updated, and protected by the firewall b. It would only be an issue if the encryption is weak c. It is not an issue if the encryption is strong and the firewall is adequate d. The collocation with other databases is an issue QUIZ Why would the database be an issue? 2 a. It would not, it is encrypted, updated, and protected by the firewall b. It would only be an issue if the encryption is weak c. 
It is not an issue if the encryption is strong and the firewall is adequate d. The collocation with other databases is an issue The correct answer is d Explanation: Collocation of credit card data is not allowed with PCI standards. Furthermore, the various databases all have points of entry to them that could be used to exploit the credit card related data. Case Study 2 • The tech company supporting the firm has suggested a complete overhaul of security including high end firewalls, intrusion detection systems, anti-virus, quarterly penetration tests, and a variety of other security measures. What should be the auditor’s opinion of this recommendation? QUIZ 1 a. This is an excellent plan that will protect the data b. This plan exceeds budget and provides limited ROI c. The plan is good, provided the tech firm does not profit from it d. The plan is inadequate and additional measures such as hard drive encryption for all workstations should be considered The tech company supporting the firm has suggested a complete overhaul of security including high end firewalls, intrusion detection systems, anti-virus, quarterly penetration tests, and a variety of other security measures. What should be the auditor’s opinion of this recommendation? QUIZ 1 a. This is an excellent plan that will protect the data b. This plan exceeds budget and provides limited ROI c. The plan is good, provided the tech firm does not profit from it d. The plan is inadequate and additional measures such as hard drive encryption for all workstations should be considered The correct answer is b Explanation: It is easy to wish for every security innovation available. But budget constraints and return on investment are always considerations. For this small network, less expensive measures like password management could deliver significant security gains. QUIZ Apart from the items listed, what would be the most important item for the company to consider? 2 a. 
Ensuring all machines including servers are updated and patched b. Adding a DMZ c. Implementing an IDS d. Implementing stronger passwords (longer than 20 characters) QUIZ Apart from the items listed, what would be the most important item for the company to consider? 2 a. Ensuring all machines including servers are updated and patched b. Adding a DMZ c. Implementing an IDS d. Implementing stronger passwords (longer than 20 characters) The correct answer is a Explanation: Updates and patches are free, and provide a significant security benefit. Failure to update and patch can also lead to serious vulnerabilities. While the other measures might be useful, they are not as critical as updates, and options B and C may be cost prohibitive for a small company. Key Takeaways You are now able to: Evaluate whether the business case for the proposed changes in information systems meet the business objectives Explain the organization's project management policies and practices Evaluate the controls at stages of information systems development life cycle Illustrate the readiness of information systems for implementation and migration into production Conduct post‐implementation review of systems to determine whether project deliverables, controls, and requirements are met Evaluate change, configuration, release, and patch management policies and practices This concludes ‘IS Acquisition, Development, and Implementation.’ The next domain is ‘Information Systems Operations and Business Resilience.’ Certified Information Systems Auditor (CISA®) Information Systems Operations and Business Resilience Certified Information Systems Auditor is a registered trademark of ISACA ISACA® is a registered trade mark of Information Systems Audit and Control Association. © Simplilearn. All rights reserved. 
Learning Objectives
By the end of this domain, you'll be able to:
• Evaluate the organization's ability to continue business operations
• Evaluate whether IT service management practices align with business requirements
• Conduct periodic reviews of information systems and enterprise architecture
• Evaluate IT operations and maintenance to determine whether they are controlled effectively and continue to support the organization's objectives
• Evaluate database management practices and data governance policies and practices
• Evaluate problem and incident management policies and practices
• Evaluate change, configuration, release, and patch management policies and practices
• Evaluate end-user computing to determine whether the processes are effectively controlled
• Evaluate policies and practices related to asset lifecycle management

Part A: Information Systems Operations
The following topics are covered in Part A:
• Common technology components
• IT asset management
• Job scheduling and production process automation
• System interfaces
• End-user computing
• Data governance
• Systems performance management
• Problem and incident management
• Change, configuration, release, and patch management
• IT service level management
• Database management

Overview
The following gives an overview of Domain 4:
• Information systems operations, maintenance, and support practices are important to provide assurance to users and management that the expected level of service will be delivered.
• Service level expectations are derived from the organization's business objectives. IT service delivery includes IS operations, IT services and management, and the groups responsible for supporting them.

Common Technology Components: Technology Concepts
• The IS auditor must be familiar with the functionality of information system hardware and network components. This includes understanding the importance of the physical part of IS/IT solutions that support the organizational objectives and goals, and the key controls and risks involving system software. Although the CISA exam does not test technical knowledge of the working of individual components, an understanding of the risks associated with, and the possible control functions of, each component is expected.

Main Areas of Coverage
Network infrastructure, applications, hardware reviews, types of networks, operating systems, access control, enterprise network architectures, network segments, backbones, and protocols.

Hardware Risks
• Data loss: data exposed, hardware lost
• Malicious code: virus, spyware
• Physical theft: computers, storage media
• Data corruption: drive corruption, drive damage

Hardware Controls
Encryption, physical security, media sanitation, and maintenance.

Radio Frequency Identification: Risks
• Business process risk: interference with RFID results in interference with business processes.
• Business intelligence risk: competitors can gain information from RFID and use it to harm the business.
• Privacy risk: RFID can compromise personally identifiable information, since tagged items can be traced to an individual.
• Example: an adversary gaining unauthorized access to computers on an enterprise network through Internet Protocol (IP)-enabled RFID readers, if the readers are not designed and configured properly.

Radio Frequency Identification: Controls
RFID controls fall into three groups: management, operational, and technical.

Hardware Monitoring Practices
Hardware monitoring practices include the following:
• Availability reports – check for downtime caused by:
o Inadequate facilities
o Excessive maintenance
o Lack of preventive maintenance
o Inadequate physical plants
o Inadequate operator training
• Utilization reports (automated) – document the utilization of the machine and its peripherals; 85% utilization indicates over capacity, while above 95% the resources, capacity, and schedules should be reviewed
• Error reports – detect failures and the corrective action taken
• Asset management reports – inventory of network-connected equipment such as PCs, servers, routers, and other devices

Hardware Auditing
Auditing of hardware covers:
• Capacity management procedures
o Ensuring continuous performance
o Whether performance management is objective
• Performance evaluation procedures
• Availability and utilization reviews
• Change management controls
o Approval
o Planning, scheduling, and communication
o Minimizing the impact on the business
o Operator documentation
o Hardware availability and utilization reporting

Operating System Integrity
Operating system integrity involves:
• Protecting the OS from interference and compromise
• Protecting applications from other applications
• Protecting the OS itself from deliberate and inadvertent modifications
• Ensuring privileged programs are not interfered with by user programs
Process isolation ensures that:
• Multiple processes are protected from each other (for example, from writing into each other's memory)
• Least privilege is enforced

Access Control Software
• Access control software developed for the computer must be compatible with its operating system.
• It is designed to prevent unauthorized:
o Access to data
o Use of system functions/programs
o Updates/changes to data
• It is designed to detect and prevent unauthorized computer access.

Data Communication Software
• Data communication software is used to transmit data from one point to another. It is also used for code conversion (ASCII, EBCDIC, Unicode).
• Communication software components include: the sender and receiver, the message, and the medium or channel.

Network Topology and Its Types
• Network topology defines the structure and arrangement of computers and other devices on a network.
• Network topology may be physical or technological.
• It includes the physical placement of devices, as well as the logical topology or the flow of data.
• The types of topology are bus, ring, star, and mesh.
• Bus topology: linear, with a single cable; or tree, where the main cable has branches.

Types of Networks
PAN, LAN, WLAN, CAN, MAN, WAN, and distributed networks.

WLAN
• A WLAN incorporates an access point (AP).
• It offers a wireless extension of the range of the LAN to end-user devices like desktops, tablets, and mobile phones.
• It bears attendant risks, since the wireless signals are susceptible to eavesdropping.

Access Point (AP)
• It is a device that connects to a wired hub, switch, or router and broadcasts a Wi-Fi signal over a designated area.
• It serves as a bridge between the wired and wireless segments of the LAN.
• End-user devices must possess a wireless NIC (Network Interface Card) to communicate with an AP.
• The AP and the wireless devices within a WLAN form a group and share a Service Set Identifier (SSID).

Wireless Network Security
The three important protocols of wireless network security are WEP, WPA, and WPA2.

Wired Equivalent Privacy (WEP)
• It was the first WLAN standard (IEEE 802.11).
• It uses the RC4 algorithm.
• In this protocol, wireless devices can authenticate themselves to the AP. There are two methods of AP authentication:
Open System Authentication (OSA)
• It requires endpoint devices to provide only the SSID.
• All transmissions between the AP and endpoint devices are in cleartext and can be intercepted.
• No encryption or decryption is involved here.
Shared Key Authentication (SKA)
• It requires both devices to share a symmetric key, which is used to encrypt and decrypt the data transmitted between them.
• This method provides better security than OSA.

Wi-Fi Protected Access (WPA and WPA2)
Limitations of WEP:
• The symmetric key used in many implementations may not be changed.
• In most cases, the same key is used by all devices in the network.
• The initialization vector is static, which leads to an inadequate degree of randomness in the encryption.
• Packet integrity is not adequately assured.
WPA:
• IEEE 802.11i was developed to overcome the weaknesses of the WEP protocol.
• It utilizes the Temporal Key Integrity Protocol (TKIP), which uses a different key for each frame.
WPA2:
• It employs the AES algorithm for encryption, which provides a higher level of security.

Virtual Private Networks
A VPN extends the corporate network securely via encrypted packets sent over virtual connections across the public Internet to distant offices, home workers, salespeople, and business partners.
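Before moving on to VPNs, two of the WEP limitations listed above (a static initialization vector, and no adequate packet integrity) can be made concrete, which is why an auditor treats WEP or a never-rotated shared key as a finding rather than a configuration detail. The following is an added example, not code from the course or from any wireless standard: it uses a toy XOR stream cipher whose keystream is derived from SHA-256 over key, IV and a counter (an assumption made for readability; it is not RC4 and not WEP's key schedule). The constructed frames and key are illustrative. The first check shows that when two frames are encrypted under the same key and the same IV, the XOR of the ciphertexts equals the XOR of the plaintexts, so the ciphertexts alone reveal how the frames differ; a fresh per-frame IV (what TKIP's per-frame key changes, conceptually) removes that relation. The second check shows that a flipped ciphertext bit decrypts to a flipped plaintext bit with no error raised, which is what "packet integrity is not adequately assured" means in practice and why WPA/WPA2 add a message integrity check.

```python
import hashlib
import os

# Toy stream cipher for the demonstration (assumption: NOT RC4, NOT WEP's key schedule).
# keystream = SHA-256(key || iv || counter) blocks; ciphertext = plaintext XOR keystream.
def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, keystream(key, iv, len(plaintext)))


decrypt = encrypt  # XOR stream cipher: decryption is the same operation as encryption


def keystream_cancels_out(key: bytes, iv1: bytes, iv2: bytes, frame1: bytes, frame2: bytes) -> bool:
    """True when c1 XOR c2 == p1 XOR p2: both frames used the same keystream, so the
    ciphertexts alone reveal how the two plaintexts differ (the static-IV limitation)."""
    c1, c2 = encrypt(key, iv1, frame1), encrypt(key, iv2, frame2)
    return xor_bytes(c1, c2) == xor_bytes(frame1, frame2)


def bit_flip_undetected(key: bytes, iv: bytes, frame: bytes, position: int, mask: int) -> bool:
    """True when a flipped ciphertext bit decrypts to the same flipped plaintext bit and
    nothing signals the change (the packet-integrity limitation: XOR alone gives no MIC)."""
    tampered = bytearray(encrypt(key, iv, frame))
    tampered[position] ^= mask
    expected = bytearray(frame)
    expected[position] ^= mask
    return decrypt(key, iv, bytes(tampered)) == bytes(expected)


def per_frame_iv() -> bytes:
    """Fresh IV per frame, the idea TKIP applies by deriving a different key for each frame."""
    return os.urandom(16)


# Constructed values: one key shared by every device and a static IV, as the slide describes.
KEY = b"shared-network-key"
STATIC_IV = bytes(3)
FRAME1 = b"GET /index.html HTTP/1.1"
FRAME2 = b"GET /login.html HTTP/1.1"  # same length as FRAME1 so the XOR comparison lines up


def demo() -> dict:
    """Runs the three checks and returns their outcomes."""
    return {
        "static_iv_reveals_relation": keystream_cancels_out(KEY, STATIC_IV, STATIC_IV, FRAME1, FRAME2),
        "per_frame_iv_reveals_relation": keystream_cancels_out(KEY, per_frame_iv(), per_frame_iv(), FRAME1, FRAME2),
        "bit_flip_undetected": bit_flip_undetected(KEY, STATIC_IV, FRAME1, 5, 0x01),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The control the auditor looks for follows directly from the two checks: per-frame keying (WPA/TKIP, or WPA2 with AES) removes the keystream reuse, and a keyed integrity check on every frame turns silent bit flips into detectable errors.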
A VPN allows:
• Network managers to cost-efficiently increase the span of the corporate network
• Remote network users to securely and easily access their corporate enterprise
• Corporations to securely communicate with business partners
• Supply chain management to be efficient and effective
• Service providers to grow their businesses by providing substantial incremental bandwidth with value-added services

Virtual Private Networks: Types
• Intranet VPN – used to connect branch offices within an enterprise WAN
• Remote-access VPN – used to connect telecommuters and mobile users to the enterprise WAN in a secure manner
• Extranet VPN – used to give business partners limited access to each other's corporate network

IT Asset Management: Asset Management and Software Licensing
• Software licensing should be subject to controls to ensure that the number of copies in circulation within an organization does not exceed the number purchased.

Main Area of Coverage: Monitoring Use of Resources in Software Licensing

Software Licensing Issues
The possibility of copyright infringement leads to penalties and/or public embarrassment.
Policies and procedures to safeguard against license infringement:
• Relevant personnel policies on copyrights
• A list of software used and licensed
• Comparison of that list with the software installed on servers and PCs
Options to prevent software license violations:
• Centralized control and automatic distribution
• Disabling the ability of users to install software
• Diskless workstations with access to server software
• Access through metered software
• Scanning PCs for unauthorized software
• Site licensing agreements with vendors

License Types
There are three types of license: individual, site, and organizational.

Digital Rights Management
Digital Rights Management (DRM) refers to access control technologies that can be used by hardware manufacturers, publishers, and copyright holders to impose limitations on the usage of digital content and devices. The digital revolution that has empowered consumers to use digital content in new and innovative ways has also made it nearly impossible for copyright holders to control the distribution of their property. DRM removes usage control from the person in possession of digital content and puts it in the hands of a computer program. DRM can also refer to restrictions associated with specific instances of digital works or devices. Some companies that make use of DRM are Sony, Apple Inc., Microsoft, and the BBC, among others.

Job Scheduling and Production Process Automation: Job Scheduling
• Job scheduling software
• COBIT Control DS13.2 – Job Scheduling

Job Scheduling Value Drivers
• Optimized use of resources
• Equalizing workloads
• Minimizing the effects of change

Job Scheduling Controls
Following are some of the controls used in job scheduling:
• Job scheduling software is systems software used by installations that process a large number of batch routines.
• Job information is set up only once, reducing the chance of error.
• Reliance on operators is reduced.
• It sets up daily work schedules.
• It automatically determines which jobs are to be submitted for processing.
• Job dependencies are defined so that if a job fails, subsequent jobs relying on its output will not be processed.
• Advantage: records of all job successes and failures are maintained.

System Interfaces: Control Techniques for Interface Integrity
• System interfaces, including middleware, application program interfaces (APIs), and other similar software, present special risks because they may not be subject to the same security and control rigor that is found in large-scale application systems. Management should ensure that systems are properly tested and approved, that modifications are adequately authorized and implemented, and that appropriate version control procedures are followed.
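Returning to the job scheduling controls listed above, the two that matter most to an auditor are the dependency rule (a job whose predecessor failed must not run) and the record of every success and failure. The following is an added example, not code from the course or from any scheduling product: a small batch scheduler that orders jobs by their declared dependencies, runs them, skips every job whose dependency did not succeed, and returns the run log. The job names and the task that fails are constructed for the illustration.

```python
from collections import deque
from typing import Callable, Dict, List

Jobs = Dict[str, List[str]]          # job name -> names of the jobs it depends on
Tasks = Dict[str, Callable[[], None]]  # job name -> the work to run


def build_schedule(jobs: Jobs) -> List[str]:
    """Order jobs so every job comes after its dependencies (Kahn's algorithm).
    Raises ValueError on an unknown dependency or a dependency cycle, both of
    which are definition errors that should be caught before the daily run."""
    indegree = {job: 0 for job in jobs}
    dependents: Dict[str, List[str]] = {job: [] for job in jobs}
    for job, deps in jobs.items():
        for dep in deps:
            if dep not in jobs:
                raise ValueError(f"{job} depends on unknown job {dep}")
            indegree[job] += 1
            dependents[dep].append(job)
    ready = deque(sorted(job for job, n in indegree.items() if n == 0))
    order: List[str] = []
    while ready:
        job = ready.popleft()
        order.append(job)
        for nxt in dependents[job]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(jobs):
        raise ValueError("dependency cycle in job definitions")
    return order


def run_schedule(jobs: Jobs, tasks: Tasks) -> Dict[str, str]:
    """Run the jobs in dependency order and return the run log.
    A job is SKIPPED when any dependency is not SUCCESS, so downstream jobs never
    consume the output of a failed predecessor; FAILED records the exception text."""
    log: Dict[str, str] = {}
    for job in build_schedule(jobs):
        if any(not log[dep].startswith("SUCCESS") for dep in jobs[job]):
            log[job] = "SKIPPED"
            continue
        try:
            tasks[job]()
            log[job] = "SUCCESS"
        except Exception as exc:  # the record of the failure is itself a control
            log[job] = f"FAILED: {exc}"
    return log


# Constructed nightly batch: validate fails, so load and report must not run.
def _ok() -> None:
    pass


def _fail() -> None:
    raise RuntimeError("3 records rejected")


JOBS: Jobs = {
    "extract": [],
    "validate": ["extract"],
    "load": ["validate"],
    "report": ["load"],
    "cleanup": [],
}
TASKS: Tasks = {"extract": _ok, "validate": _fail, "load": _ok, "report": _ok, "cleanup": _ok}

if __name__ == "__main__":
    for job, status in run_schedule(JOBS, TASKS).items():
        print(f"{job:10s} {status}")
```

The run log is what the auditor reviews: it must show the failure, the jobs skipped because of it, and that no skipped job was started manually without the dependency being re-run.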
System Interfaces
System interfaces enable disparate systems to communicate and transfer data to each other by using standard interfaces, data formats, and communication protocols. Well-designed and well-developed system interfaces enable the reliable physical and logical connection of different systems. An incorrectly functioning interface could affect the confidentiality, integrity, or availability of data, which can potentially affect business objectives or invoke legal compliance liability. An IS auditor must understand and evaluate the controls used to protect system interfaces and data transfers, which could include encryption for confidentiality, hashing or data reconciliation for integrity, audit trails for non-repudiation, and so on.

End-User Computing
• End-user activities are still one of the biggest vulnerabilities in security; therefore, they must be examined as part of any IS audit.

End User Issues
• Password control
• Leaving systems unsecured
• Bypassing security for convenience
• Failure to follow policies
• Introducing rogue devices and software
• Password re-use

Risks and Controls for End User Computing
• Operational risks and controls that relate to end-user computing cover behavior, policies, operations, security, and software.

Data Governance: Data Quality
• Data quality factors
• Data quality areas (technical, operational, and governance)
• COBIT Control DS11.1 – Business Requirements for Data Management

Data Quality Factors
Following are the factors to be considered for better data quality:
• Data basics: accuracy, integrity
• Data validity: consistent, complete
• Data usability: accessible, timely

Data Quality Areas: Technical
The technical issues for quality data are: database structure, and application processes.

Data Quality Areas: Operational
The operational issues for quality data are: business processes, business rules, and validation.

Data Quality Areas: Governance
The governance issues for quality data are: data roles, data responsibilities, and monitoring.
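The interface controls named above (hashing or reconciliation for integrity) and the data quality factors (complete, consistent, accurate, valid) can be exercised together on one batch transfer. The following is an added example, not code from the course or from any real interface: the sending side produces a manifest with a record count, a control total and a SHA-256 hash of the canonical payload; the receiving side recomputes all three, reports any mismatch, and validates each record for completeness and validity. The batch layout, field names and values are constructed for the illustration.

```python
import hashlib
import json
from datetime import datetime
from typing import Dict, List

# Constructed batch as exported by a hypothetical sending system (payments feed).
SAMPLE_BATCH: List[Dict] = [
    {"id": "PAY-001", "account": "ACC-1001", "amount": 100.50, "date": "2024-03-01"},
    {"id": "PAY-002", "account": "ACC-1002", "amount": 250.00, "date": "2024-03-01"},
    {"id": "PAY-003", "account": "ACC-1003", "amount": 75.25, "date": "2024-03-02"},
]
REQUIRED_FIELDS = ("id", "account", "amount", "date")


def canonical_bytes(records: List[Dict]) -> bytes:
    """Deterministic serialization so sender and receiver hash the same bytes."""
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(records: List[Dict]) -> Dict:
    """Sender-side integrity data that travels with the batch."""
    amounts = [r.get("amount") for r in records]
    return {
        "record_count": len(records),
        "control_total": round(sum(a for a in amounts if isinstance(a, (int, float))), 2),
        "sha256": hashlib.sha256(canonical_bytes(records)).hexdigest(),
    }


SAMPLE_MANIFEST = build_manifest(SAMPLE_BATCH)


def validate_record(record: Dict) -> List[str]:
    """Per-record data quality checks: completeness, accuracy rule, validity of format."""
    problems = []
    for field in REQUIRED_FIELDS:
        if record.get(field) in (None, ""):
            problems.append(f"{field} missing")                      # completeness
    amount = record.get("amount")
    if isinstance(amount, (int, float)) and amount <= 0:
        problems.append("amount not positive")                       # accuracy / business rule
    date = record.get("date")
    if isinstance(date, str) and date:
        try:
            datetime.strptime(date, "%Y-%m-%d")
        except ValueError:
            problems.append("date not in YYYY-MM-DD form")           # validity
    return problems


def verify_transfer(received: List[Dict], manifest: Dict) -> Dict:
    """Receiver-side reconciliation against the manifest plus record validation."""
    findings: List[str] = []
    actual = build_manifest(received)
    if actual["sha256"] != manifest["sha256"]:
        findings.append("hash mismatch: payload altered or corrupted in transit")
    if actual["record_count"] != manifest["record_count"]:
        findings.append(f"record count {actual['record_count']} != expected {manifest['record_count']}")
    if actual["control_total"] != manifest["control_total"]:
        findings.append(f"control total {actual['control_total']} != expected {manifest['control_total']}")
    for record in received:
        for problem in validate_record(record):
            findings.append(f"record {record.get('id', '?')}: {problem}")
    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    print(verify_transfer(SAMPLE_BATCH, SAMPLE_MANIFEST))
    print(verify_transfer(SAMPLE_BATCH[:2], SAMPLE_MANIFEST))
```

The hash catches any change to the bytes, but the count and control total remain worth keeping: they tell the operator what kind of discrepancy occurred (a truncated file versus an altered amount), which is the information the audit trail and the follow-up need.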
Systems Performance Management: Capacity Planning and Related Monitoring Tools and Techniques
• Capacity planning ensures that the current and future capacity and performance aspects of business requirements are anticipated in advance, assessed and, where necessary, provided in a cost-effective manner. The capacity of information systems must be monitored on a continuous basis to meet business needs and should be planned using projections of expected demand. Capacity includes the size and speed of the processor, internal system memory, and storage and communications media.

Main Areas of Coverage: Capacity Management
This involves planning and monitoring computing and network resources to ensure efficiency and effectiveness. It requires expansion or reduction in line with business growth or reduction, and takes into account present business and future expansion.
• Annually, management should review and update:
o Utilization of CPU, storage, SAN, terminals, IO channels, telecommunications, and LAN and WAN bandwidth
o Number of users
o New technologies
o New applications
o SLAs
• Network devices such as routers and switches, which comprise physically and logically separated networks (VLANs – virtual LANs)

Problem and Incident Management: Problem and Incident Management Practices
• An incident is any event that causes temporary disruption to the business. A problem may develop when such incidents are unresolved.
• Incident management practices: initial response, root cause analysis, follow-up.
• Problem management: history of incidents, source of incidents, addressing the root cause.

Change, Configuration, Release, and Patch Management: Change Management
• Software changes are critical to IT controls.
• Change management process: change management, exceptions/emergencies, follow-up.

Configuration Management
• Configuration management stages: planning, executing, follow-up.
"Configuration management is a process of identifying and documenting hardware components, software and the associated settings. A well-documented environment provides a foundation for sound operations management by ensuring that IT resources are properly deployed and managed." -- Official ISC2 Guide to the CISSP CBK
Steps for sound configuration management:
1. Hardware inventory – includes make, model, MAC address, serial number, location, and organizational fixed asset code
2. Software inventory – includes name, type, vendor, license number, license type, validity, and librarian
3. Recovery strategy – includes alternate sites; no arrangement is made if the function has low priority
4. Change management – used to control and record all changes

Software Release Management
Test release, gradual rollout, and follow-up.

IT Service Level Management: Service Level Management Frameworks
• Service level management ensures that IT services meet customers' expectations and that service level agreements (SLAs) are continuously maintained and improved as needed. SLAs are generally separate documents from the contracts with external vendors. SLAs may also be created internally to assure the key process owners of the level of service that the IT organization has agreed to provide.

Service Level Management Practices
• Response: time, level
• Availability: days/times, total uptime
• Responses: initial, escalation

IT Service Management
IT Service Management (ITSM) comprises the processes and procedures for the efficient and effective delivery of IT services relative to business expectations. ITSM comprises IT support services and IT delivery services.

IT Support Services
• Service desk (also called technical support/help desk)
• Incident management
• Problem management
• Configuration management
• Change management (system and infrastructure changes)
• Release management

IT Delivery Services
• Service level management
• IT financial management
• Capacity management
• IT service continuity management
• Availability management

SLA and OLA
• Service Level Agreement (SLA)
• Operational Level Agreement (OLA)
• In a nutshell, the service assured in the SLA must be supported and backed up by the OLA.

Service Management Practices
• It is essential to know the latest approaches in contracting strategies, processes, and contract management practices. Outsourcing IT can help reduce costs and/or complement an enterprise's own expertise, but may introduce additional risks.

IT Service Management
Three important factors you need to be concerned with are: availability, financial performance, and efficiency and effectiveness.

Tools to Measure IS Efficiency and Effectiveness
There are two ways to measure efficiency and effectiveness: exception reports and system logs.
• Operator problem reports: these manual reports are used by operators to log computer operations problems and their resolution. IS management should review operator actions to determine whether they were appropriate and/or whether additional operator training is required.
• Operator work schedules: these reports are maintained manually by IS management to assist in human resource planning. Proper staffing of operations support personnel will assure that the service requirements of end users are met.

Systems Performance Monitoring Processes, Tools, and Techniques
• IT performance monitoring of critical processes and assets should be conducted on a continuous basis to ensure reliable IT services that meet SLAs and achieve defined business objectives.
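The continuous monitoring described here draws on three of the sources named earlier in the domain: the automated utilization reports with their 85% and 95% thresholds, the availability reports with their total uptime, and the response and escalation measures of the SLA. The following is an added example, not code from the course or from any monitoring product, that turns constructed samples of each into the exception-style figures management would review. The report formats, host names, outage causes, ticket identifiers and the per-priority response targets are all constructed assumptions.

```python
from datetime import datetime

# Thresholds from the hardware monitoring slide: 85% is over capacity; above 95%
# the resources, capacity and schedules must be reviewed.
OVER_CAPACITY, REVIEW = 85, 95

# Constructed automated utilization report: date time host resource percent
UTILIZATION_REPORT = """\
2024-03-01 08:00 srv-db01 cpu 72
2024-03-01 08:00 srv-db01 disk 91
2024-03-01 08:00 srv-app02 cpu 97
2024-03-01 08:00 srv-app02 disk 40
"""

# Constructed availability report: start,end,host,cause (one outage per line)
OUTAGE_LOG = """\
2024-03-05 02:00,2024-03-05 03:30,srv-db01,excessive maintenance
2024-03-20 14:15,2024-03-20 14:45,srv-app02,inadequate operator training
"""

# Constructed service desk extract: ticket,priority,opened,first response
TICKETS = """\
INC1001,P1,2024-03-02 09:00,2024-03-02 09:10
INC1002,P1,2024-03-03 10:00,2024-03-03 10:30
INC1003,P2,2024-03-04 11:00,2024-03-04 11:45
"""
# Hypothetical SLA targets for the initial response, in minutes, by priority
RESPONSE_TARGET_MIN = {"P1": 15, "P2": 60}
FMT = "%Y-%m-%d %H:%M"
MARCH_MINUTES = 31 * 24 * 60


def utilization_exceptions(report: str) -> list:
    """Exception report: only readings at or above the thresholds are listed."""
    findings = []
    for line in report.strip().splitlines():
        _date, _time, host, resource, pct = line.split()
        pct = int(pct)
        if pct > REVIEW:
            findings.append((host, resource, pct, "review resources, capacity and schedules"))
        elif pct >= OVER_CAPACITY:
            findings.append((host, resource, pct, "over capacity"))
    return findings


def availability_percent(outages: str, window_minutes: int) -> float:
    """Total uptime over the reporting window, as a percentage rounded to 3 decimals."""
    down = 0
    for line in outages.strip().splitlines():
        start, end, _host, _cause = line.split(",")
        delta = datetime.strptime(end, FMT) - datetime.strptime(start, FMT)
        down += int(delta.total_seconds() // 60)
    return round(100.0 * (window_minutes - down) / window_minutes, 3)


def response_compliance(tickets: str) -> dict:
    """Per ticket: minutes to first response, the target, and met/escalate."""
    result = {}
    for line in tickets.strip().splitlines():
        ticket, priority, opened, responded = line.split(",")
        elapsed = datetime.strptime(responded, FMT) - datetime.strptime(opened, FMT)
        minutes = int(elapsed.total_seconds() // 60)
        target = RESPONSE_TARGET_MIN[priority]
        result[ticket] = (minutes, target, "met" if minutes <= target else "escalate")
    return result


if __name__ == "__main__":
    for finding in utilization_exceptions(UTILIZATION_REPORT):
        print("utilization:", finding)
    print("availability (March):", availability_percent(OUTAGE_LOG, MARCH_MINUTES), "%")
    for ticket, row in response_compliance(TICKETS).items():
        print("response:", ticket, row)
```

Two details carry the audit value: the utilization function produces an exception report rather than a dump of every reading, and the availability figure is computed from the same outage records whose causes map back to the availability-report categories (excessive maintenance, inadequate operator training), so a poor uptime number can be traced to a control weakness.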
Performance monitoring processes must be established with supporting tools and techniques. Although the CISA exam does not test knowledge of specific tools, the IS auditor should be aware of the importance of monitoring and of the basic techniques that may be employed.

Monitoring, Evaluation, and Assessment (MEA)
Main area of coverage: monitoring the use of resources.

Critical Success Factors for Monitoring of Enterprise IT
• Identifying and engaging with key stakeholders (Who)
• Planning and communicating the in-scope processes (What)
• Determining assessment frequency and time to execute (When)
• Employing a risk-based assessment approach with proper prioritization (How)
• Continually tracking, reviewing, and reporting performance to management

The Process (risk based)
• Monitor processes
• Monitor performance
• Validate goals
• Track performance
• Review and report performance

Database Management
• COBIT Control DS11.1 - Business Requirements for Data Management
• Value and risk drivers

Data Management and Database Management System (DBMS)
Data management capabilities are enabled by system software components that enact and support the definition, storage, sharing, and processing of user data and that deal with file management capabilities.

File organization
User and system data are usually partitioned into manageable units called data files. Examples of data file organizations include:
• Sequential: one record is processed after another.
• Direct (random access): records are addressed individually based on a key that is not related to the data (e.g. a record).

Database Management Systems
A DBMS provides a facility to create and maintain a well-organized database (DB).

The advantages of a DBMS are as follows:
• Decreased access time
• Reduced data redundancy
• Security over data (record, field, transaction)
• Data independence
• Ease of support and flexibility
• Transaction processing efficiency
• Maximized data consistency
• Minimized maintenance cost through sharing
• Enforced data/programming standards
• Enforced data security
• Stored data integrity checks
• Use of SQL/application generators

DBMS: Architecture
Metadata consists of the data elements required to define a database (data about data). The DBMS architecture includes:
• Conceptual schema (logical DB design)
• External schema (user view)
• Internal schema (physical implementation)

Database Controls and Database Reviews
Database controls are necessary to ensure integrity and availability. Database controls include:
• Definition standards and compliance
• Backup and recovery
• Access control over data items and tables
• Concurrency controls
• Controls to ensure accuracy, completeness, and consistency of data and relationships
• Use of checkpoints
• Database reorganization
• Database restructuring procedures
• Database performance monitoring tools/procedures
• Minimizing non-system access

Database reviews are as follows:
• Design:
o Integrity of data ensured through primary and foreign keys (e.g. preventing null values for key fields)
o Reduced duplication of data
• Access:
o User access to the database
o Speed of data access through the use of indexes
• Administration of the database:
o DBA/ODBC access
o Managing concurrent user access
o Backup and recovery/restore and contingency procedures
o Interfaces with other systems

Value Drivers
The value drivers are data handling, transactions, and support for business requirements.

Risk Drivers
The risk drivers are breaches, legal requirements, and regulatory requirements.

Controls
Following are the steps in database controls:
• Define the business requirements for the management of data by IT.
• Segregate duties within operations for the entry, processing, and authorization of data transactions.
• Ensure data completeness.
• Handle data errors.
• Verify logs.
• Safeguard stored data.

Part B: Business Resilience
The following topics are covered in Part B:
• Business Impact Analysis (BIA)
• System resiliency
• Data backup, storage, and restoration
• Business Continuity Plan (BCP)
• Disaster Recovery Plan (DRP)

Business Impact Analysis (BIA)
• A BIA drives the focus of the BCP efforts of an organization and helps balance the costs to be incurred with the corresponding benefits to the organization. A good understanding of the BIA concept is essential for the IS auditor to audit the effectiveness and efficiency of a BCP.

BIA
Following are the three items in a Business Impact Analysis:
• Identify vulnerabilities
• Identify likelihood
• Identify impact

Following are the three items to identify criticalities:
• Critical processes
• Critical data
• Critical systems

BIA: Concepts
The Business Impact Analysis concepts are:
• RPO and RTO
• MTTD and MTTR
• MTO and SDO

BIA, RTO, and RPO
The BIA is a key input in determining the RTO and RPO of the systems that support mission-critical business functions.
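Before moving on to business resilience, the database design review points listed above (primary and foreign keys, preventing null values for key fields, and indexes for access speed) can be seen as concrete DBMS behaviour. The following is an added example, not part of the Simplilearn course material: it uses Python's built-in sqlite3 module and a constructed two-table schema (customer and invoice, hypothetical names) to show what happens when each control is enforced by the DBMS itself rather than left to application code.

```python
import sqlite3

# Constructed schema: a customer table and an invoice table that references it.
# In SQLite a non-integer PRIMARY KEY still admits NULL unless NOT NULL is declared,
# which is exactly the "null values for key fields" review point.
SCHEMA = """
CREATE TABLE customer (
    customer_code TEXT PRIMARY KEY NOT NULL,
    name          TEXT NOT NULL
);
CREATE TABLE invoice (
    invoice_no    INTEGER PRIMARY KEY,
    customer_code TEXT NOT NULL REFERENCES customer(customer_code),
    amount        REAL NOT NULL CHECK (amount >= 0)
);
CREATE INDEX idx_invoice_customer ON invoice(customer_code);
"""


def open_db():
    """Create an in-memory database with the constructed schema and one customer."""
    conn = sqlite3.connect(":memory:")
    # Foreign keys are not enforced by SQLite unless this pragma is on: an auditor
    # checking "integrity through foreign keys" should verify the setting, not the DDL.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO customer VALUES ('C001', 'Acme Ltd')")
    conn.commit()
    return conn


def attempt(conn, sql, params):
    """Run one write in its own transaction; return (accepted, error_text)."""
    try:
        with conn:  # commits on success, rolls back if the DBMS rejects the write
            conn.execute(sql, params)
        return True, ""
    except sqlite3.IntegrityError as exc:
        return False, str(exc)


def uses_index(conn):
    """Check the query plan: is the customer lookup served by the index?"""
    plan = conn.execute(
        "EXPLAIN QUERY PLAN SELECT amount FROM invoice WHERE customer_code = ?",
        ("C001",),
    ).fetchall()
    # The last column of each plan row is the human-readable detail string.
    return any("idx_invoice_customer" in row[-1] for row in plan)


def run_checks(conn):
    """Exercise each control once; True means the DBMS accepted the write."""
    ins = "INSERT INTO invoice (customer_code, amount) VALUES (?, ?)"
    return {
        # primary key may not be NULL
        "null_key": attempt(conn, "INSERT INTO customer VALUES (?, ?)", (None, "No Code Ltd"))[0],
        # foreign key: invoice must point at an existing customer
        "orphan_invoice": attempt(conn, ins, ("C999", 10.0))[0],
        # CHECK constraint: accuracy of data
        "negative_amount": attempt(conn, ins, ("C001", -5.0))[0],
        # a well-formed row is accepted
        "valid_invoice": attempt(conn, ins, ("C001", 120.5))[0],
        # relationship integrity: a referenced customer cannot be deleted
        "delete_referenced_customer": attempt(
            conn, "DELETE FROM customer WHERE customer_code = ?", ("C001",))[0],
        # access speed: the lookup uses the index
        "index_used": uses_index(conn),
    }


if __name__ == "__main__":
    for check, accepted in run_checks(open_db()).items():
        print(f"{check:28s} -> {'accepted' if accepted else 'rejected'}")
```

Only the valid invoice and the indexed lookup succeed; every other write is rejected by the DBMS with an IntegrityError, which is the behaviour a database review expects to find. Note that the foreign-key result depends on the PRAGMA being enabled per connection, so the control is only as good as the connection settings the applications actually use.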
BIA
BIA (Business Impact Analysis) is a process that identifies mission-critical functions. It also identifies the impact that disruption of these functions will have on business continuity. RTO and RPO are critical factors in determining the DR solutions that an organization chooses for its applications. The smaller the RTO and RPO windows, the more robust and resilient the systems must be to restore a minimum acceptable level of service. The choice between different recovery solutions (mirroring, hot site, warm site, etc.) depends on the RTO and RPO objectives. Defining and installing resilient systems for a smaller RTO and RPO involves greater expenditure.

RTO and RPO
RTO stands for Recovery Time Objective.
• It is the maximum period within which a business function or process must be restored to an acceptable level (in case full restoration is not possible) to preclude unacceptable consequences for the business.
• Any delay beyond the RTO in restoring an agreed and acceptable level of service will have grave repercussions for the continuity of the business.
RPO stands for Recovery Point Objective.
• It is the maximum amount of data that an organization can afford to lose in the event of a disaster.
• Any loss of data beyond the RPO may threaten the continuity of the business.

Business Impact Analysis Related to Business Continuity Planning
• The IS auditor should determine whether the BIA and BCP are suitably aligned.
• A BCP should be based on a well-documented BIA to be efficient and effective.
• The BIA drives the focus of the BCP/disaster recovery plan (DRP) efforts of the organization and helps balance the costs to be incurred with the corresponding benefits to the organization.

Main Areas of Coverage: Business Impact Analysis
Business Impact Analysis is a component of Business Continuity Planning (BCP) that identifies events which could impact the continuity of operations and assesses the impact of these events. BIA helps an organization to:
• Understand the priorities and time requirements for recovery of business functions
• Gather information regarding the organization's current recovery capabilities

Business Impact Analysis: Activities, Approval, and Approaches
• Activities involved in BIA: understanding the organization, key business processes, and end-users
• Approvals required in BIA: the roles involved, IT personnel, and senior management
• Approaches of BIA: questionnaires, interviews, and brainstorming sessions

Business Impact Analysis: Points to Consider
It is important to analyze the following questions before the business impact analysis:
• What are the organization's business processes?
• What are the critical information resources related to the critical business processes?
• What is the critical recovery time for information resources to resume business processing before significant or unacceptable losses?

Business Impact Analysis: RTO and RPO
• Recovery Time Objective (RTO): the acceptable downtime in case of a disruption to operations (determines the processes and technology used for backup and recovery, for example data tapes or disk).
• Recovery Point Objective (RPO): the acceptable data loss in case of a disruption to operations (determines the frequency of backup).

Disruption Cost vs. Recovery Costs
[Diagram: relationship between disruption costs and recovery costs.] The two should be balanced to attain an optimum protection level for key information assets, that is, to obtain an optimal RPO and RTO. If the business continuity strategy aims at a longer recovery time, it will be less expensive than a more stringent requirement, but more susceptible to downtime costs spiraling out of control.
The downtime cost of a disaster in the short run (for example, hours, days, and weeks) grows quickly with time, since the disruption impact increases the longer it lasts. At a certain moment it stops growing, reflecting the point at which the business can no longer function.

System Resiliency
• System resiliency tools and techniques are important to ensure uninterrupted service.
Main area of coverage: system resiliency tools and techniques, namely RAID, sites, backup, and spares.

Redundant Array of Inexpensive or Independent Disks (RAID)
• It protects data against disk failure.
• It provides redundancy, fault tolerance, and performance improvement by combining several physical disks into a logical disk.
• The main features of RAID are striping, redundancy, and parity.
Striping
• It implies dividing data into blocks and writing these blocks to different disks.
• It improves performance, since both read and write operations are carried out in parallel on two or more disks.
Redundancy
• It implies that the same data is stored on more than one disk so that no disk turns out to be a single point of failure.
• In case one disk fails, data can still be accessed from the other disk.
Parity
• This feature is used to provide fault tolerance, enabling data to be reconstructed from its parallel disk or parity in case of failure.
• Checksums are used to detect any loss or mutilation in transit, since data can be lost or unintentionally modified while in transit.

RAID Levels
The primary levels of RAID are:
• RAID 0: disk striping
• RAID 1: disk mirroring
• RAID 3: disk striping with dedicated parity
• RAID 4: disk striping with dedicated parity
• RAID 5: disk striping with distributed parity
• RAID 6: disk striping with dual parity

RAID Levels: 0, 1, and 3
RAID 0
• Two or more physical disks are combined into a single logical disk.
• Data is striped across multiple drives.
• It offers neither redundancy nor parity.
• It offers performance improvement.
RAID 1
• Data is written onto two disks.
• This level offers redundancy: if one disk fails, the data is available on the other disk.
• It does not incorporate striping or parity.
• It does not offer fault tolerance or improved performance.
• Since the same data is written to two disks, effective storage space is reduced by 50%.
RAID 3
• It requires a minimum of three disks.
• Data is striped on two or more disks, while parity is on one disk.
• If any disk fails, it can be reconstructed with parity.
• However, it offers no protection if both a data disk and the parity disk fail at the same time.

RAID Levels: 5, 6, and 10
RAID 5
• Data and parity are striped across three or more disks.
• If one disk fails, the lost data can be reconstructed using the data and parity on the other disks.
• Some implementations allow hot swapping: the ability to replace a faulty drive without shutting down the server.
• Thus, the system remains operational even if one disk fails.
• It offers both improved performance (striping) and redundancy (parity is distributed across all disks).
• It is the most common RAID level.
RAID 6
• It is similar to RAID 5, except that a second set of parity is written onto all disks.
• There is an increased level of redundancy.
• The system remains operational even if two disks fail.
RAID 10
• This level is also referred to as RAID 1+0, as it essentially combines the two.
• It requires at least four drives to function.
• Blocks are mirrored (redundancy) and striped (performance), which gives it the name "stripe of mirrors".
• It is most suitable for highly utilized databases, where many read and write operations have to be performed.
• It is expensive, since it requires twice as many disks as other RAID levels.
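The parity mechanism behind RAID 3, 4, and 5 is a single XOR across the data blocks of each stripe, which is why exactly one failed disk can be rebuilt and a second simultaneous failure in the same stripe cannot. The following is an added example, not part of the course material: a Python simulation of a RAID 5 layout (parity block rotated across the disks, which is the "distributed parity" of the slide) on constructed sample data, showing striping, parity generation, loss of one disk, and reconstruction of that disk from the survivors.

```python
from functools import reduce


def xor_blocks(blocks):
    """Bitwise XOR of equal-length byte blocks: the parity operation of RAID 3/4/5."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks)


def parity_position(stripe, n_disks):
    """RAID 5 rotates parity: stripe 0 keeps it on the last disk, stripe 1 on the
    one before, and so on, so no single disk becomes a parity bottleneck."""
    return (n_disks - 1 - stripe) % n_disks


def build_raid5(data, n_disks=4, block_size=4):
    """Stripe data across n_disks; return (disks, length).

    disks[d] is the ordered list of blocks held by physical disk d; every stripe
    holds n_disks - 1 data blocks plus one parity block."""
    if n_disks < 3:
        raise ValueError("single-parity striping needs at least three disks")
    n_data = n_disks - 1
    stripe_bytes = n_data * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)  # pad last stripe
    disks = [[] for _ in range(n_disks)]
    for stripe, off in enumerate(range(0, len(padded), stripe_bytes)):
        chunks = [padded[off + i * block_size: off + (i + 1) * block_size]
                  for i in range(n_data)]
        parity = xor_blocks(chunks)
        p = parity_position(stripe, n_disks)
        it = iter(chunks)
        for d in range(n_disks):
            disks[d].append(parity if d == p else next(it))
    return disks, len(data)


def rebuild_disk(disks, failed):
    """Recompute every block of disk `failed` from the surviving disks.

    XORing all other blocks of a stripe yields the missing one, whether it was a
    data block or the parity block. disks[failed] may be None (disk gone)."""
    survivors = [d for d in range(len(disks)) if d != failed and disks[d] is not None]
    if len(survivors) != len(disks) - 1:
        raise ValueError("more than one disk lost: single parity cannot rebuild")
    n_stripes = len(disks[survivors[0]])
    return [xor_blocks([disks[d][s] for d in survivors]) for s in range(n_stripes)]


def read_data(disks, length):
    """Reassemble the logical data by skipping each stripe's parity block."""
    n_disks = len(disks)
    n_stripes = len(disks[0])
    out = bytearray()
    for s in range(n_stripes):
        p = parity_position(s, n_disks)
        for d in range(n_disks):
            if d != p:
                out += disks[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    sample = b"constructed sample data for the RAID 5 demo"
    disks, length = build_raid5(sample)
    lost = disks[1]
    disks[1] = None                      # simulate a failed drive
    disks[1] = rebuild_disk(disks, 1)    # hot-swap replacement rebuilt from parity
    print("rebuilt matches original:", disks[1] == lost)
    print("data readable after rebuild:", read_data(disks, length) == sample)
```

Running the block with two disks set to None makes rebuild_disk raise, which mirrors the RAID 3/5 caveat above (no protection when a data disk and a parity disk fail together); RAID 6 addresses that by adding a second, independent parity calculation rather than a second copy of the same XOR.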
Sites and Spares
Following are the types of sites and spares:
• Hot site: a fully configured site ready to operate
• Warm site: a business site that can be converted
• Cold site: an alternate location earmarked
• Reciprocal agreement: also called "mutual aid", when two companies agree to help each other out in the case of an emergency
• Hot spare: fully configured hardware
• Cold spare: duplicate hardware that can be configured

Disaster Recovery Site Types
Mirror Site
● It is completely redundant and consists of all the necessary equipment, software, data, and staff, on par with the primary site.
● Data from the primary site is replicated to the mirror site in real time.
● It is the most expensive disaster recovery site type, but offers the highest assurance for critical functions.
● A disruption in service is hardly discernible to end users when this type is adopted.
● It is mandatory for some types of organizations, like banks, to adopt this site type.
Hot Site
● This site is entirely prepared and configured for activation in case any disaster strikes the primary site.
● Data can be replicated to a hot site in near real time, or backups can be moved on a regular basis.
● The hardware and software (system and application) of a hot site must be identical to that of the primary site.
● It must be compatible for restoration of backup data and commencement of operations on its own.
● In case a disaster strikes, the last available backup is loaded and the hot site is made operational within a few hours, so as to restore operations.
● It usually employs minimal staff to run operations; however, more staff is added if needed.
Warm Site
● It is a site that includes complete infrastructure (HVAC, network devices, tape drives, etc.).
● It is essential that the IT equipment is adequate to sustain an acceptable level of performance for mission-critical applications.
● Prior to a warm site becoming operational, the latest versions of applications and data backups need to be loaded.
● Operational staff also needs to be moved.
● A warm site is less expensive than a hot site and hence is widely adopted.
Cold Site
● It comprises basic infrastructure, in terms of space and HVAC, without any IT or communications equipment (hardware, software, data, network devices).
● Prior to a cold site becoming operational, the necessary hardware, software, and office equipment must be acquired.
● It is an empty data center.
● It may take weeks to fully equip a cold site and render it operational.
Mobile Site
● It includes all equipment required for recovery, like computers, electric power, network connections, and office equipment, mounted on trailers which can be delivered to any location for recovery.
● Prior to a mobile site becoming operational, it requires power, data connections, water, and waste disposal.

Data Backup, Storage, and Restoration
Data backup
• An IS auditor should understand the relationship between backup/recovery plans and business process requirements; it is essential that critical data be available in the event of data loss or contamination. Data must be backed up, available at a location that is not likely to be impacted by a disaster at the primary site, and protected (i.e. physically secure and encrypted if necessary). An organization should have documented policies, processes, procedures, and standards that clearly explain data backup and recovery.

Data Backup, Storage, Maintenance, Retention, and Restoration
The terms involved in data backup are Recovery Time Objective, Recovery Point Objective, and Backup. There are three types of backup:
• Full: a complete backup is obtained.
• Differential: a backup of the last changes is obtained.
• Incremental: a complete backup is obtained from the previous backups.
Types of Backup
Full Backup
• In this type, the data is fully backed up and the archive bit is set to zero.
• The advantage of this type of backup is that restoration is quick.
• However, since the entire data set is backed up, the process of backing up is slow.
Differential Backup
• This type makes a copy of all the files that have changed since the last full backup.
• It does not change the archive bit value.
• It consumes less time than a full backup.
• However, restoration takes more time, since the full as well as the differential backup is required.
Incremental Backup
• This type backs up all the files changed subsequent to the last full or incremental backup.
• It sets the archive bit to zero.
• It is the fastest method of creating a backup.
• However, restoration is the slowest, as several backups are required.

Other Backups
• Electronic vaulting: offsite
• WORM: read only

Business Continuity Plan (BCP)
• Business Continuity Plan (BCP)
• Invoking the BCP/DRP

Main Areas of Coverage
The main areas covered in this domain are:
• IS Business Continuity Planning
• Business Continuity Planning Process
• Business Continuity Policy
• Development of Business Continuity Plans
• Components of a Business Continuity Plan
• Business Continuity Planning Incident Management
• Other Issues in Plan Development
• Plan Testing

Components of an Effective BCP
• Crisis communication plan
• Continuity of support plan
• Incident response plan
• Continuity of operations plan
• Business resumption plan
• Disaster recovery plan
The components of a Business Continuity Plan depend on the organization's size and requirements.
It may also include an occupant emergency plan.

Components to be Agreed
The components to be agreed are:
• Governing policies
• Goals/requirements/products
• Alternative facilities
• Critical IS resources to deploy
• Data and systems
• Staff required for/responsible for recovery tasks
• Key decision-making personnel
• Resources to support deployment
• Backup of required supplies and other personnel
• Schedule of prioritized activities

Business Continuity Plan Testing
BCP testing involves:
• Testing the developed plans to determine if they work and identifying areas that need improvement
• Specifications such as the objective and scope of the test, test execution, and pretest
• Testing of the plan by post-test, paper test, preparedness test, and full operational test
• Documentation of test results, including observations, problems, and resolutions, to facilitate recovery in a real disaster
• Analysis of the results obtained against specifications set in time, amount, count, and accuracy

Business Continuity Plan Test Execution
BCP tests can be executed by conducting a pre-test, the actual test, and a post-test.
• Pre-test: the set of actions necessary to set the stage for the actual test. This ranges from placing tables in the proper operations recovery area to transporting and installing backup telephone equipment.
• Actual test: the stage of real action of the business continuity test.
o Actual operational activities are executed to test the specific objectives of the BCP.
o This is the actual test of preparedness to respond to an emergency.
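The full, differential, and incremental backup types described in the Types of Backup section above differ only in which files they copy and whether they clear the archive bit, and that difference decides how many backup sets a restore must apply and how much data is at risk relative to the RPO. The following is an added example, not part of the course material: a constructed toy file system in Python with one archive bit per file, used to run both strategies, work out the minimal restore chain, and compare the time since the last backup with a constructed RPO. File names, timestamps, and the RPO value are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Backup:
    kind: str               # "full", "differential" or "incremental"
    taken_at: int           # constructed timestamp, in hours
    copies: Dict[str, int]  # file name -> version captured in this set


class FileSystem:
    """Toy file system: each file has a version counter and an archive bit."""

    def __init__(self, names):
        self.version = {n: 1 for n in names}
        self.archive = {n: True for n in names}  # new files count as changed

    def modify(self, name):
        self.version[name] += 1
        self.archive[name] = True  # any write sets the archive bit

    def backup(self, kind, taken_at):
        if kind == "full":
            copies = dict(self.version)  # everything, regardless of the bit
        else:
            copies = {n: v for n, v in self.version.items() if self.archive[n]}
        if kind in ("full", "incremental"):  # differential leaves the bit set
            for n in copies:
                self.archive[n] = False
        return Backup(kind, taken_at, copies)


def restore_set(history: List[Backup]) -> List[Backup]:
    """Minimal list of sets needed for a restore, in application order:
    the last full, then either the latest differential or every incremental
    taken after that full."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "full")
    after = history[last_full + 1:]
    latest_diff = next((b for b in reversed(after) if b.kind == "differential"), None)
    return [history[last_full]] + [
        b for b in after if b.kind == "incremental" or b is latest_diff]


def restore(history: List[Backup]) -> Dict[str, int]:
    """Apply the restore chain oldest-first; later sets overwrite earlier ones."""
    state: Dict[str, int] = {}
    for b in restore_set(history):
        state.update(b.copies)
    return state


def data_loss_window(history: List[Backup], failure_at: int) -> int:
    """Hours of work lost if a disaster strikes at failure_at."""
    return failure_at - max(b.taken_at for b in history)


def meets_rpo(history: List[Backup], failure_at: int, rpo_hours: int) -> bool:
    """The backup frequency is adequate only if the loss window fits inside the RPO."""
    return data_loss_window(history, failure_at) <= rpo_hours


if __name__ == "__main__":
    fs = FileSystem(["ledger.db", "config.ini"])   # constructed file names
    hist = [fs.backup("full", 0)]
    fs.modify("ledger.db")
    hist.append(fs.backup("incremental", 8))
    fs.modify("config.ini")
    hist.append(fs.backup("incremental", 16))
    print("restore chain:", [b.kind for b in restore_set(hist)])
    print("restored state:", restore(hist))
    print("meets 8h RPO at hour 20:", meets_rpo(hist, 20, 8))
```

With the same edits, the differential strategy's second set contains both changed files (the bit was never cleared), so the restore chain is just the full plus that one set, while the incremental chain needs the full and every incremental since it; the block makes that trade-off visible instead of leaving it as a slogan about speed.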
Business Continuity Plan: Test
Five levels of testing:
• Level 1: Document review
• Level 2: Walkthrough
• Level 3: Simulation
• Level 4: Parallel
• Level 5: Cutover

Disaster Recovery Plan (DRP)
Disaster Recovery
• Understand the different types of alternate sites and explain the benefits and drawbacks of each.

Disaster Recovery Planning: Alternatives
There are three basic sites in disaster recovery planning: hot site, warm site, and cold site.

Disaster Recovery
• An IS auditor should understand the concepts behind the decision to declare a disaster and invoke a BCP/DRP, and should understand the impact of the decision on an organization, remembering that invocation of the BCP/DRP can, in itself, be a disruption.

Implementing DRP/BCP
Before initiating DRP/BCP implementation, ask the following questions: who, when, and how.

Disaster Recovery
• The IS auditor needs to understand the various testing methods for DRP/BCP. The five levels of testing (document review, walkthrough, simulation, parallel, and cutover) apply to both the DRP and the BCP.

BCP Standards
• ISO 27001: Requirements for Information Security Management Systems. Section 14 addresses business continuity management.
• ISO 27002: Code of Practice for Business Continuity Management.
• Plan-Do-Check-Act Cycle: plan, do, check, act, and repeat.
NOTE: PDCA is NOT in ISO 27001:2014.

Process
• Pre-project activities
• Perform a Business Impact Assessment (BIA)
• Develop business continuity and recovery plans
• Test resumption and recovery plans

Regulatory Issues and DRP
• Laws, regulations, and contracts all impact disaster recovery planning (DRP). Insurance policies also impact DRP.

Regulatory, Legal, Contractual, and Insurance Issues
The main areas covered include:
• Business continuity planning may also be mandatory depending on various regulatory or legal requirements.
• Additionally, insurance is an important component of the risk mitigation strategy in terms of transfer of risk, and the IS auditor must be aware of the need to maintain an insurance valuation commensurate with the enterprise technology infrastructure.
Regulatory issues for DRP: insurance, laws, regulations, and contracts.

Knowledge Check

QUIZ 1
An IS auditor examining the configuration of an operating system to verify the controls should review the:
a. Transaction logs
b. Authorization tables
c. Parameter settings
d. Routing tables
The correct answer is c.
Explanation: Parameters allow a standard piece of software to be customized for diverse environments and are important in determining how a system runs. The parameter settings should be appropriate to an organization's workload and control environment.

QUIZ 2
The database administrator (DBA) suggests that database (DB) efficiency can be improved by denormalizing some tables. This would result in:
a. Loss of confidentiality
b. Increased redundancy
c. Unauthorized accesses
d. Application malfunctions
The correct answer is b.
Explanation: Normalization is a design or optimization process for a relational DB that minimizes redundancy; therefore, denormalization would increase redundancy. Denormalization is sometimes advisable for functional reasons. It should not cause loss of confidentiality, unauthorized accesses, or application malfunctions.

QUIZ 3
Which of the following controls would be the most effective to ensure and maintain continuous system availability?
a. Appropriate authorization of system changes
b. Access to users on a need-to-know basis
c. Appropriately documented changes
d. Near real-time monitoring
The correct answer is a.
Explanation: Authorizing all changes effectively prevents a potential change that may affect system availability. Authorization is generally based on successful testing, and the change is put into production after acceptance by a business user.

QUIZ 4
An organization having a number of offices across a wide geographical area has developed a disaster recovery plan. Using actual resources, which of the following is the MOST cost-effective test of the disaster recovery plan?
a. Full operational test
b. Preparedness test
c. Paper test
d. Regression test
The correct answer is b.
Explanation: A preparedness test is performed by each local office to test the adequacy of the preparedness for disaster recovery.

QUIZ 5
Which of the following is the MOST important action in recovering from a cyber-attack?
a. Creating an incident response team
b. Using cyber-forensic investigators
c. Executing a business continuity plan
d. Filing an insurance claim
The correct answer is c.
Explanation: The most important step in recovering from cyber-attacks is the execution of a business continuity plan to quickly and cost-effectively recover critical systems, processes, and data.

IS Operations, Maintenance, and Service Management: Case Study

Case Study 1

QUIZ 1
Which of the following would be the most important external item to audit?
a. The company's website
b. The company's wireless network
c. The company's VPN
d. The company's physical security
The correct answer is c.
Explanation: Since employees work from home, the VPN is a potential point of entry for malware, attacks, and other dangers. The wireless network should be checked, but given the office location the only people who could attempt to breach it would be those companies on the floors immediately below this company. The website contains no sensitive data, so even if it is breached, the impact would be minimal. Physical security is not something that is checked externally.

QUIZ 2
Is physical security of the servers an important item to audit?
a. No, they are in a locked room in the office
b. No, that is outside the scope of an IS audit
c. Yes, access control must be assessed
d. Yes, but primarily just to confirm the lock works
The correct answer is c.
Explanation: It is not sufficient that there is a lock. It needs to be determined who has access to that room and how such access is monitored and controlled.

Case Study 2

QUIZ 1
When auditing, which of the following is the most critical element of the SLA to examine?
a. Exception reports
b. Response time
c. Penalties for failure to meet response time
d. Staff training
The correct answer is a.
Explanation: Exception reports detail any exception to the SLA. This is the best way to determine if the SLA is being met. Prior to evaluating whether the current SLA is adequate, it is important to note whether it is even being adhered to.

QUIZ 2
What is the importance of a right-to-audit clause?
a. Very little; it does not significantly impact the SLA
b. It allows the company to audit the vendor
c. It is important only if it is a no-notice right to audit
d. It is used to force the vendor to conform to security standards
The correct answer is b.
Explanation: Option a is clearly wrong. Rights to audit are very rarely exercised with no notice, and a right to audit does not force conformity to standards; it simply allows the company to confirm adherence to, or deviation from, security standards.
Key Takeaways
You are now able to:
• Evaluate the organization's ability to continue business operations
• Evaluate whether IT service management practices align with business requirements
• Conduct periodic reviews of information systems and enterprise architecture
• Evaluate IT operations and maintenance to determine whether they are controlled effectively and continue to support the organization's objectives
• Evaluate database management practices and data governance policies and practices
• Evaluate problem and incident management policies and practices
• Evaluate change, configuration, release, and patch management policies and practices
• Evaluate end-user computing to determine whether the processes are effectively controlled
• Evaluate policies and practices related to asset lifecycle management

This concludes 'IS Operations, Maintenance, and Service Management'. The next domain is 'Protection of Information Assets'.

Certified Information Systems Auditor (CISA®): Protection of Information Assets
Learning Objectives
By the end of this domain, you'll be able to:
• Conduct audits in accordance with IS audit standards and a risk-based IS audit strategy
• Evaluate problem and incident management policies and practices
• Evaluate the organization's information security and privacy policies and practices
• Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded
• Evaluate logical security controls to verify the confidentiality, integrity, and availability of information
• Evaluate data classification practices for alignment with the organization's policies and applicable external requirements
• Evaluate policies and practices related to asset lifecycle management
• Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives
• Perform technical security testing to identify potential threats and vulnerabilities
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices

Part A: Information Asset Security and Control
The following topics are covered in Part A:
• Information asset security frameworks, standards, and guidelines
• Privacy principles
• Physical access and environmental controls
• Identity and access management
• Network and end-point security
• Data classification
• Data encryption and encryption-related techniques
• Public Key Infrastructure (PKI)
• Web-based communication techniques
• Virtualized environments
• Mobile, wireless, and Internet-of-Things (IoT) devices

Overview
An information asset is a component related to the provision of accurate data or information for decision-making purposes by an entity. It is considered to hold value to that particular organization and should, therefore, be protected by ensuring Confidentiality, Integrity, and Availability (CIA).

Examples of information assets: information, applications, human resources, computers, networks, and facilities.

Information Asset Security Frameworks, Standards, and Guidelines
External Requirements
• Many external factors impact audits; the most important are laws and regulations that affect cyber security. Contractual requirements are also important.
• COBIT Control ME3.1 – Identification of External Legal, Regulatory, and Contractual Compliance Requirements.
Information security and external parties: legal, regulatory, and contractual requirements.

Laws and Regulations
• Cyber Security Act 2015
• Health Insurance Portability & Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• Federal Information Security Management Act
• Electronic Fund Transfer Act
• Payment Card Industry

Contractual
Contractual requirements fall into general, data access, and operational categories and cover encryption, security, authentication, data storage, and personnel policies.

Privacy Principles
• Maintaining the privacy of confidential data is critical to IS. Therefore, any audit must verify that privacy principles are applied and maintained.

Privacy Management Issues and Role of IS Auditors
Privacy management issues cover the collection of data (how, who, and why), access to it (who, control, and exceptions), its disclosure, and its destruction.
As an IS auditor, you should ask questions about the adequacy of privacy controls, international requirements, and ongoing assessment.
The focus and extent of a privacy impact assessment may depend on changes in technology, processes, or people.

Physical Access and Environmental Controls
Physical Controls
• Physical security weaknesses can result in financial loss, legal repercussions, loss of credibility, or loss of competitive edge. Thus, information assets must be protected against physical attacks, such as vandalism and theft, through controls that restrict access to sensitive areas containing computer equipment or confidential data files.
Such controls usually employ access door locks that require a password, key, token, or biometric authentication of the person attempting entry.

Physical Controls
• Restrict entry: locks and barriers, guards
• Identify: badges, key cards
• Monitor: cameras, sign-in

Physical Access Exposures
Auditing physical access includes:
• Touring the information processing facility
• Visibly observing physical access controls
• Reviewing physical security documentation
Evaluation includes:
• General cleanliness
• Doors, windows, walls, curtains
• Ceilings, raised floors
• Ventilation

Additional Physical Security Measures
• Bollards: small concrete pillars, sometimes containing lights or flowers
• Fences:
o 3 ft – 4 ft high: deters casual trespassers
o 6 ft – 8 ft high: too hard to climb easily
o 8 ft high with 3 strands of barbed wire: deters intruders
• Motion detectors
• Lighting

Man Traps
• Two doors, each with a secured entry (for example, one using a PIN and the other a swipe card), separated by a short hall leading into the facility.

Identity and Access Management
Logical Access Control
• Logical access controls are used to manage and protect information assets. Controls enact and substantiate the policies and procedures designed by management to protect information assets. Controls exist at both the operating system level and the application level, so it is important to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point.

Access
Access is the flow of data between subjects and objects. A subject is an active component such as a user, a program, or a process. An object is a passive component such as a file, program, data, or other resource.
Identification, Authentication, Authorization, and Accountability (IAAA)
Logical access control may be divided into four stages:

1. Identification
• The subject claims a particular identity, typically by providing a user account name or number.
• This forms the first part of the credential set.

2. Authentication
• The subject provides the second part of the credentials, such as a password, biometric reading, PIN, or cryptographic key.
• If both parts of the credential set match the values stored by the system (those provided when the user account was set up), the subject is considered authenticated.
• The subject's rights or privileges (what they can do on the system) are decided in the next stage, authorization.

3. Authorization
• When the subject wants to perform an action or access a resource, the system consults an access matrix to determine whether the subject holds the privilege or right to access that resource or perform that action.
• Depending on the subject's role, access may or may not be permitted.
• For example, not all subjects may have access to sensitive data or to a resource such as a printer.

4. Accountability
• Although users have been identified, authenticated, and authorized to use a resource, they must still be accountable for their actions.
• This is accomplished by recording the actions of subjects, typically by logging their actions on the system.
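The four stages above, as an added worked example that is not part of the course material: a small Python access control system that identifies and authenticates a subject against a salted password hash, consults an access control matrix for authorization, and records every decision in an audit log for accountability. The account names, objects, and rights are constructed sample data, and the class and function names are this example's own.

```python
"""Added example (not from the course material): a minimal IAAA pipeline.

Identification  - the subject claims an account name.
Authentication  - the claimed identity is proven with a password (the second
                  part of the credential set) checked against a salted hash.
Authorization   - an access control matrix (subject x object -> rights) is
                  consulted before every action.
Accountability  - every decision is logged against the unique account name.

All account names, objects and rights below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a stolen credential store does not reveal the passwords directly
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessControlSystem:
    def __init__(self) -> None:
        self._credentials: Dict[str, Tuple[bytes, bytes]] = {}  # login -> (salt, hash)
        # Access control matrix: rows are subjects, columns are objects, cells are
        # sets of rights. A row is a capability list; a column is an object's ACL.
        self._matrix: Dict[str, Dict[str, set]] = {}
        self.audit_log: List[str] = []  # the accountability record

    # --- account set-up ---------------------------------------------------
    def add_account(self, login: str, password: str, rights: Dict[str, set]) -> None:
        salt = os.urandom(16)
        self._credentials[login] = (salt, _hash_password(password, salt))
        self._matrix[login] = {obj: set(r) for obj, r in rights.items()}

    # --- stages 1 and 2: identification + authentication -----------------
    def login(self, claimed_login: str, password: str) -> Optional[str]:
        """Return the authenticated subject (its login ID) or None on failure."""
        record = self._credentials.get(claimed_login)
        if record is None:
            self.audit_log.append(f"AUTH_FAIL unknown-login={claimed_login}")
            return None
        salt, stored = record
        # constant-time comparison of the derived hash with the stored hash
        if not hmac.compare_digest(_hash_password(password, salt), stored):
            self.audit_log.append(f"AUTH_FAIL login={claimed_login}")
            return None
        self.audit_log.append(f"AUTH_OK login={claimed_login}")
        return claimed_login

    # --- stage 3: authorization via the matrix ---------------------------
    def authorize(self, subject: str, obj: str, right: str) -> bool:
        allowed = right in self._matrix.get(subject, {}).get(obj, set())
        # --- stage 4: accountability: log allow and deny alike ------------
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{verdict} subject={subject} object={obj} right={right}")
        return allowed


def build_demo() -> AccessControlSystem:
    """Constructed sample: two users and two objects."""
    acs = AccessControlSystem()
    acs.add_account("alice", "correct horse",
                    {"payroll.db": {"read", "write"}, "printer": {"print"}})
    acs.add_account("bob", "battery staple", {"payroll.db": {"read"}})
    return acs


def run_demo() -> List[str]:
    acs = build_demo()
    subject = acs.login("bob", "battery staple")   # identified and authenticated
    acs.authorize(subject, "payroll.db", "read")    # allowed by the matrix
    acs.authorize(subject, "payroll.db", "write")   # denied: bob is read-only
    acs.authorize(subject, "printer", "print")      # denied: no entry at all
    acs.login("bob", "wrong")                       # a failed authentication is logged too
    return acs.audit_log


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Each log line carries the unique login ID, which is what makes the trail usable as an accountability record; a shared account would make the ALLOW and DENY entries impossible to attribute to a person.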
Identification, Authentication, Authorization, and Accountability (IAAA)
• To hold subjects accountable for their actions, each subject must be uniquely identified by its own user account; a shared account breaks the link between an action and a person.
• Critical (though not necessarily all) actions of subjects on the system must be logged.

Authentication
There are three types of authentication factor:
1. Type I: something you know (for example, a password or PIN)
2. Type II: something you have (for example, a token or smart card)
3. Type III: something you are (a biometric)

Identification and Authentication
• Identification is the claiming of an identity, which is authenticated before access is granted.
• It is a critical building block of IS security:
o the basis of most access control systems and the first line of defense against unauthorized access
o it establishes user accountability by linking activities to users

Multifactor authentication
• A combination of more than one type of factor, for example:
o token and password or PIN
o token and biometric device

Identification and Authentication: Login IDs and Passwords
• A two-phase user identification/authentication process based on something you know:
o Login ID: individual identification
o Password: individual authentication
• Used to restrict access to computerized information, transactions, programs, and system software.
• May involve an internal list of valid login IDs and a corresponding set of access rules for each login ID.
• Access rules can be specified at the operating system level (controlling access to files) or within individual applications (controlling access to menu functions and types of data).

Access Control Matrix
• An access control matrix lists subjects as rows and objects as columns; each cell holds the rights that subject has over that object.
• A row (one subject's rights over all objects) is a capability list; a column (all subjects' rights over one object) is that object's access control list.

Biometrics
• Types: fingerprint, handprint, retina, iris
• Accuracy measures:
o False acceptance rate (FAR): an impostor is accepted
o False rejection rate (FRR): a legitimate user is rejected
o Crossover error rate (CER): the point at which FAR equals FRR; a lower CER means a more accurate system

Data Leakage
• Data leakage is the risk that sensitive information may be inadvertently made public.
• It occurs in many ways, from job postings that list the specific software and network devices applicants should have experience with, to system administrators posting questions on technical websites that reveal the firewall or database versions they run and the IP addresses they are trying to connect to.

Risks and Controls Associated with Data Leakage
• Any information regarding the internal network
• Any information regarding key personnel schedules
• Social media leakage
• Posting organization charts and strategic plans to externally accessible websites
• Data classification policies, security awareness training, and periodic audits of data leakage are the elements the IS auditor will want to ensure are in place.

Maintenance and Monitoring of Security Controls
• Security needs to be aligned with business objectives to provide a reasonable reduction in risk.

Information Security Management (ISM)
Factors that raise the profile of information and privacy risk:
• Electronic trading through service providers and directly with customers
• Loss of organizational barriers through the use of remote access facilities
• High-profile security exposures: viruses, denial of service (DoS) attacks, intrusions, unauthorized access, disclosures and identity theft over the Internet, and so on
Effective ISM is the most critical factor in protecting information assets and privacy.

Information Security Management (ISM)
The three issues in information security management are confidentiality, integrity, and availability, with resiliency as a closely related goal. Techniques that support each:
• Confidentiality: cryptographic protection of data at rest and data in transit
• Integrity: hashes, HMACs, validation
• Availability and resiliency: backups, redundancy

The key elements in ISM are:
• Senior management commitment
• Policies and procedures
• Organization (roles and responsibilities)

Network and Endpoint Security

Network Security Controls
• An IS auditor must know how network security controls function. These include firewalls, IDS, and honeypots.
COBIT control DS5.10: Network Security

Types of Firewalls
• A firewall is a device used as a barrier between a trusted network (typically the intranet) and an untrusted network (such as the Internet).
• It works by enforcing rules that control incoming and outgoing traffic.
• It may also be used to prevent one network segment from accessing another; for example, access to critical segments of the network may be restricted.
• The three types of firewall are packet-filtering, stateful inspection, and proxy firewalls.

Packet-filtering Firewall
• This is basically a packet-filtering router and is a first-generation firewall.
• The device decides whether or not to allow a packet based on the rules configured in an access control list (ACL).
• The rules may be based on source and destination IP addresses, port numbers, and protocol types.
• A packet-filtering firewall has two limitations:
o It is stateless: it does not track the state of a connection, so it cannot tell a reply to a legitimate outbound request from an unsolicited inbound packet that merely looks like one.
o It examines only the packet header and does not perform deep packet inspection.
• These limitations mean that this kind of firewall cannot protect against some types of attack.

Stateful Inspection Firewall
• This firewall overcomes the first limitation of the packet-filtering firewall by keeping track of packets moving in and out of the network until the connection has been closed.
• It does this by maintaining a state table that records all connections.
• It can also track connectionless protocols such as UDP (User Datagram Protocol) and ICMP (Internet Control Message Protocol) by treating a request and its expected reply as a pseudo-connection.
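The stateless versus stateful distinction above, as an added example that is not part of the course material: a toy packet filter that decides on header fields alone, beside a toy stateful inspection engine that keeps a state table for TCP and UDP flows. Both are run over the same constructed packets, so the reader can see which inbound traffic the stateless rules let through that the state table rejects. The addresses, ports, rules, and class names are made up for illustration.

```python
"""Added example (not course code): a toy first-generation packet filter next
to a toy stateful inspection engine, run over constructed packets.
The addresses, ports and rules are made up for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed trusted network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                              # "tcp" or "udp"
    flags: FrozenSet[str] = frozenset()     # TCP flags, e.g. {"SYN"}, {"ACK"}


def _inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: decides on the header fields of this packet alone.
    Rule 1: anything from the internal network may go out.
    Rule 2: inbound TCP is accepted if ACK is set (the classic 'established'
            heuristic), because the filter cannot remember whether a
            connection was ever opened from inside.
    Rule 3: inbound UDP with source port 53 is accepted so DNS replies get in."""
    if _inside(pkt.src) and not _inside(pkt.dst):
        return True
    if not _inside(pkt.src) and _inside(pkt.dst):
        if pkt.proto == "tcp":
            return "ACK" in pkt.flags
        return pkt.sport == 53
    return False


class StatefulFirewall:
    """Stateful inspection: inbound packets are accepted only when they belong
    to a flow recorded in the state table, for UDP as well as TCP."""

    def __init__(self) -> None:
        self.state: Dict[Tuple[str, int, str, int, str], str] = {}

    def process(self, pkt: Packet) -> bool:
        if _inside(pkt.src) and not _inside(pkt.dst):             # outbound
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            if pkt.proto == "tcp":
                if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                    self.state[key] = "SYN_SENT"                   # new connection
                elif key not in self.state:
                    return False                                   # stray segment
                if "RST" in pkt.flags:
                    self.state.pop(key, None)                      # connection torn down
            else:
                self.state[key] = "UDP_OPEN"  # pseudo-connection for a connectionless protocol
            return True
        if not _inside(pkt.src) and _inside(pkt.dst):             # inbound
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)  # reverse of the opening flow
            if key not in self.state:
                return False                                       # nobody inside asked for this
            if pkt.proto == "tcp" and {"SYN", "ACK"} <= pkt.flags:
                self.state[key] = "ESTABLISHED"
            if pkt.proto == "tcp" and "RST" in pkt.flags:
                self.state.pop(key, None)
            return True
        return False


def run_demo() -> List[Tuple[str, bool, bool]]:
    """Return (description, stateless verdict, stateful verdict) for constructed traffic."""
    fw = StatefulFirewall()
    traffic = [
        ("outbound SYN to web server",
         Packet("10.0.0.5", 40000, "203.0.113.9", 443, "tcp", frozenset({"SYN"}))),
        ("inbound SYN/ACK reply",
         Packet("203.0.113.9", 443, "10.0.0.5", 40000, "tcp", frozenset({"SYN", "ACK"}))),
        ("inbound crafted ACK probe to ssh",
         Packet("198.51.100.7", 4444, "10.0.0.5", 22, "tcp", frozenset({"ACK"}))),
        ("outbound DNS query", Packet("10.0.0.5", 53001, "203.0.113.53", 53, "udp")),
        ("inbound DNS reply", Packet("203.0.113.53", 53, "10.0.0.5", 53001, "udp")),
        ("inbound unsolicited UDP from sport 53", Packet("198.51.100.7", 53, "10.0.0.5", 1434, "udp")),
    ]
    return [(label, stateless_filter(p), fw.process(p)) for label, p in traffic]


if __name__ == "__main__":
    for label, stateless, stateful in run_demo():
        print(f"{label:40s} packet-filter={stateless!s:5s} stateful={stateful}")
```

The crafted ACK probe and the spoofed source-port-53 datagram are the two cases the packet filter accepts on header fields alone; the stateful engine rejects both because no internal host opened a matching flow.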
Types of Firewalls
Proxy Firewall
• A proxy firewall is also known as a "dual-homed host" because it has two network interfaces, one with an internal IP address and one with an external IP address.
• It acts as an intermediary, terminating incoming and outgoing connections and forwarding the traffic with a different IP address.
• It thus masks the internal network from the Internet.

There are two types of proxy firewall:
• Circuit-level proxy
o It creates a circuit, or connection, between the two communicating systems.
o It works at the session layer and is application independent.
o It does not perform deep packet inspection.
• Application-level proxy
o It provides granular control.
o It not only distinguishes between protocols but also controls the commands within a protocol.
o It is therefore possible to allow some commands in a protocol and disallow others.

Intrusion Detection Systems (IDS)
• Monitors for anomalies in network usage
• Used together with firewalls and routers
• Operates continuously in the background
• Alerts the administrator when intrusions are detected
• Protects against external and internal misuse

IDS components
• Sensor: collects data (network packets, log files, system call traces)
• Analyzer: receives input from sensors and determines whether activity is intrusive
• Administrator console
• User interface

Intrusion Detection System
• Whereas a firewall allows or denies certain types of packet based on rules, an IDS is designed to detect suspicious traffic and raise an alert.
• An IDS may be network-based or host-based:
Network-based IDS (NIDS)
• Has network interface cards (NICs) configured in promiscuous mode, which means they copy all the traffic on the network segment and pass it to an analyzer.
• Can work only with the traffic on the network; it cannot see what is happening inside a computer.
Host-based IDS (HIDS)
• Usually installed on critical servers to watch for suspicious activity on that host.
Both NIDS and HIDS may be signature-based, anomaly-based, or hybrid (combined).

Signature-based IDS
• Every known attack has a signature that is fed into the IDS and used to detect that attack.
• Its limitation is that only known attacks can be detected; unknown or new attacks, whose signatures have not been fed into the system, are missed.

Anomaly-based IDS
• This is behavior-based and works on statistical anomalies rather than known signatures.
• The IDS is initially put in "learning mode", during which it samples the environment and formulates a profile of normal activity.
• All traffic is then compared with that profile, and any anomaly triggers an alert. This is likely to generate false positives.
• The longer the system is left in learning mode, the more accurate the profile is likely to be.

Hybrid or Combined IDS
• This combines signature-based and anomaly-based (behavioral) detection.
• It is flexible and can detect attacks based on known signatures as well as unknown attacks.

Honey Pots and Honey Nets
• Fake systems set up to draw an attacker away from production systems and to monitor and trace the attacker's activity.

SIEM
• Security Information and Event Management (SIEM) products combine security information management with security event management. They usually provide:
o Log management: aggregating and monitoring logs
o Alerting
o Dashboards: management consoles
o Compliance: monitoring and reporting
• Data about events concerning an organization's security is produced by logs at multiple locations, such as firewalls, IDS, IPS, various servers, and proxies.
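The two IDS detection styles above (signature-based and anomaly-based with a learning phase) and the SIEM goal of pooling differently formatted logs and correlating them, as one added example that is not part of the course material: a miniature Python SIEM that normalizes firewall, sshd, and web-server lines into a common schema, applies signature rules, learns an anomaly threshold from a quiet period, and fires a cross-source correlation rule when one address is seen by all three sources within a window. Every log line, hostname, address, rule name, and function name is constructed for this example.

```python
"""Added example (not course material): a miniature SIEM that pools logs of
three different formats, then applies the two IDS detection styles
(signature-based and anomaly-based) plus a cross-source correlation rule.
Every log line, hostname, address and rule name below is constructed."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

FW_RE = re.compile(r"^(?P<ts>\S+) fw (?P<action>\w+) src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")
SSHD_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<msg>.*) from (?P<src>\S+) port")
WEB_RE = re.compile(r'^(?P<src>\S+) - - \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
YEAR = 2019  # syslog lines carry no year; assumed for the constructed sample


def normalize(line: str) -> Optional[Dict]:
    """Map one raw line from any of the three sources onto a common event schema."""
    m = FW_RE.match(line)
    if m:
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        return {"ts": ts, "src": m["src"], "source": "firewall", "msg": f"{m['action']} dport={m['dport']}"}
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.replace(tzinfo=timezone.utc), "src": m["src"], "source": "sshd", "msg": m["msg"]}
    m = WEB_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        return {"ts": ts, "src": m["src"], "source": "web", "msg": m["req"]}
    return None  # unknown format: a real SIEM would count these as parse failures


SIGNATURES = [  # signature-based: only attacks with a known pattern are caught
    ("SQLI_TAUTOLOGY", re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.I)),
    ("ROOT_LOGIN_FAIL", re.compile(r"^Failed password for root$")),
]


def signature_alerts(events: List[Dict]) -> List[Tuple[str, str]]:
    return [(name, e["src"]) for e in events for name, pat in SIGNATURES if pat.search(e["msg"])]


def _failure_buckets(events: List[Dict]) -> Counter:
    """Count sshd authentication failures per (source IP, minute)."""
    counts: Counter = Counter()
    for e in events:
        if e["source"] == "sshd" and e["msg"].startswith("Failed password"):
            counts[(e["src"], e["ts"].replace(second=0, microsecond=0))] += 1
    return counts


def learn_threshold(learning_events: List[Dict]) -> float:
    """Learning mode: profile normal failure counts and set the alert line at mean + 3 sigma."""
    values = list(_failure_buckets(learning_events).values())
    return statistics.mean(values) + 3 * statistics.pstdev(values)


def anomaly_alerts(events: List[Dict], threshold: float) -> List[Tuple[str, int]]:
    """Anomaly-based: flag any (IP, minute) whose failure count exceeds the learned profile."""
    return [(src, n) for (src, _), n in _failure_buckets(events).items() if n > threshold]


def correlate(events: List[Dict], window_s: int = 300) -> List[str]:
    """SIEM rule: one source IP seen by firewall, sshd AND web within the window."""
    by_src: Dict[str, List[Dict]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            seen = {x["source"] for x in evs[i:] if (x["ts"] - first["ts"]).total_seconds() <= window_s}
            if seen >= {"firewall", "sshd", "web"}:
                hits.append(src)
                break
    return hits


LEARNING_LOGS = [  # constructed quiet period used to build the anomaly profile
    "Jun  1 09:00:10 web01 sshd[100]: Failed password for dave from 10.0.0.20 port 5000 ssh2",
    "Jun  1 09:05:10 web01 sshd[101]: Failed password for dave from 10.0.0.20 port 5001 ssh2",
    "Jun  1 09:05:40 web01 sshd[102]: Failed password for dave from 10.0.0.20 port 5002 ssh2",
    "Jun  1 09:10:10 web01 sshd[103]: Failed password for erin from 10.0.0.21 port 5003 ssh2",
    "Jun  1 09:15:10 web01 sshd[104]: Failed password for erin from 10.0.0.21 port 5004 ssh2",
    "Jun  1 09:15:50 web01 sshd[105]: Failed password for erin from 10.0.0.21 port 5005 ssh2",
]
LIVE_LOGS = [  # constructed live traffic in three formats: firewall, syslog/sshd, web access log
    "2019-06-01T10:00:01Z fw DENY src=198.51.100.7 dst=10.0.0.5 dport=23",
    "2019-06-01T10:00:02Z fw ALLOW src=198.51.100.7 dst=10.0.0.5 dport=22",
    "Jun  1 10:00:05 web01 sshd[1234]: Failed password for root from 198.51.100.7 port 4444 ssh2",
    "Jun  1 10:00:15 web01 sshd[1235]: Failed password for admin from 198.51.100.7 port 4445 ssh2",
    "Jun  1 10:00:25 web01 sshd[1236]: Failed password for oracle from 198.51.100.7 port 4446 ssh2",
    "Jun  1 10:00:35 web01 sshd[1237]: Failed password for test from 198.51.100.7 port 4447 ssh2",
    "Jun  1 10:00:45 web01 sshd[1238]: Failed password for guest from 198.51.100.7 port 4448 ssh2",
    "Jun  1 10:02:10 web01 sshd[1240]: Failed password for dave from 10.0.0.20 port 5100 ssh2",
    "198.51.100.7 - - [01/Jun/2019:10:03:09 +0000] \"GET /index.php?id=1' OR '1'='1 HTTP/1.1\" 200 512",
    "10.0.0.20 - - [01/Jun/2019:10:03:30 +0000] \"GET /index.html HTTP/1.1\" 200 1024",
]


def run_demo() -> Dict:
    learned = [normalize(l) for l in LEARNING_LOGS]
    live = [normalize(l) for l in LIVE_LOGS]
    threshold = learn_threshold(learned)
    return {"threshold": threshold, "signatures": signature_alerts(live),
            "anomalies": anomaly_alerts(live, threshold), "correlated": correlate(live)}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The sshd brute force is caught twice, by a signature (the root login attempt) and by the anomaly rule (five failures in one minute against a learned ceiling of three), while the SQL injection attempt is visible only to the signature rule; the correlation rule is what ties the firewall, sshd, and web evidence for 198.51.100.7 together into one incident, which no single log shows on its own.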
SIEM
• Looking at each log individually does not produce a holistic picture of suspicious events and threats, nor is it feasible to scrutinize these logs manually. Moreover, log formats differ widely between systems.
• The objective of SIEM is to pool the logs from various sources and use automated tools to correlate and analyze them.
• In addition to storing logs from various sources centrally, a SIEM analyzes them in near real time so that suitable countermeasures can be taken.
• It deploys agents at multiple locations to gather security-related data and relay it to a central console, where the data are analyzed and anomalies are flagged for remedial action. This serves as an early warning system.

Security Devices, Protocols, and Techniques
• An organization implements specific applications of cryptographic systems to ensure the confidentiality of important data.

Security Devices
• Firewall: packet filter, stateful packet inspection (SPI), application (proxy)
• IDS: active or passive
• Honeypot

Protocols
• IPSec
• CHAP (authentication)
• SSL/TLS
• Kerberos (authentication)
• SESAME (authentication)
• VPN

SSL/TLS Handshake
Step 1: Client Hello (supported cipher suites, SSL/TLS version, etc.)
Step 2: Server Hello (chosen cipher suite, version, X.509 certificate, etc.)
Step 3: Client validates the server's certificate against the CA
Step 4: Client sends the pre-master secret (encrypted with the server's public key)
Step 5: Client derives the session key and finishes the handshake
Step 6: Server derives the same session key and finishes the handshake

Kerberos Process
The Key Distribution Center (KDC) comprises the Authentication Service (AS) and the Ticket Granting Service (TGS).
Step 1: User is authenticated by the AS
Step 2: AS directs the TGS to create a ticket-granting ticket (TGT)
Step 3: TGT is sent back to the user; it is encrypted with a symmetric key known only to the KDC
Step 4: User requests a service ticket by sending the TGT to the KDC
Step 5: KDC sends the service ticket to the user.
The service ticket is encrypted with a symmetric key known to the KDC and the service. The authenticator the user sends with it carries a timestamp that the service accepts only within a short clock-skew window (typically 5 minutes), which limits replay.
Step 6: User sends the service ticket to the service (the server or service the user wants to access).

Application of the OSI Model in Network Architectures

Open Systems Interconnection Model
• A common standard for open system interconnection using a layered set of protocols.
• Defines a seven-layer hierarchical architecture that logically partitions the functions required to support system-to-system communication.
• Its objectives are to provide a set of open system standards for equipment manufacturers and a benchmark for comparing different communication systems.

OSI Model: Summary Functions
The summary functions of each layer are listed below under OSI Layers.

OSI Model: Mnemonics
Top down (Application to Physical): All People Seem To Need Data Processing
A Application: All
P Presentation: People
S Session: Seem
T Transport: To
N Network: Need
D Data Link: Data
P Physical: Processing
Bottom up (Physical to Application): Please Do Not Throw Sausage Pizza Away
P Physical: Please
D Data Link: Do
N Network: Not
T Transport: Throw
S Session: Sausage
P Presentation: Pizza
A Application: Away

OSI Layers
Application layer
• This is the layer closest to the user.
• It comprises the protocols that support applications.
• Examples: HTTP, SMTP, FTP.
Presentation layer
• This layer sits immediately below the Application layer.
• It is responsible for formatting data so that it is readable to applications.
• Functions include compression, decompression, encryption, and decryption.
Session layer
• This layer establishes, maintains, and terminates connections between two applications.
• It keeps track of all applications that are communicating over the network.
• Protocols that operate at this layer include RPC (Remote Procedure Call) and SQL (Structured Query Language).
Transport layer
• This layer establishes end-to-end connections between two hosts.
• Examples: TCP, UDP (User Datagram Protocol), SSL.
Network layer
• This layer uses routable IP addresses.
• It inserts addressing information into packet headers for routing.
• Logical addressing enables packets to be routed across different link-layer networks such as Ethernet and Token Ring.
• It maintains routing tables.
• Routers operate at the Network layer.
• Common protocols: IP, ICMP, OSPF (Open Shortest Path First).
Data Link layer
• This layer converts data into the appropriate frame formats for LANs and WANs.
• Bridges and switches operate at the Data Link layer.
• Network technologies have different signaling and encoding patterns and interpret voltages differently.
• MAC addresses are physical addresses and are not routable; they cannot go beyond the physical segment of the network.
Physical layer
• This layer converts bits into voltages (or light pulses) for transmission over the medium.
• Specifications include voltage levels, voltage changes, and physical connectors for electrical and optical data transmission.
• Repeaters and hubs operate at the Physical layer.

Data Classification

Data Classification Standards
• Information assets have varying degrees of sensitivity and criticality in meeting business objectives. Data is classified and protected according to the degree assigned.
• An important first step in data classification is discovery, inventory, and risk assessment. Once this is accomplished, data classification can be put into use.
Data Classification Standards and Supporting Procedures
• Typical classification levels: confidential, sensitive, public

Inventory and Classification of Information Assets
• The inventory should record, for each asset:
o who has access to what
o who determines access rights and levels
• Criticality levels: critical, significant, moderate, low

Classifying Data
• Military: Top Secret, Secret, Confidential
• Civilian: Confidential, Private, Sensitive

Store, Retrieve, Transport, and Dispose of Confidential Information
• Confidential information assets are vulnerable during storage, retrieval, and transport, and must be disposed of properly.

Handling Confidential Information
Procedures are needed to prevent access to, or loss of, sensitive information and software in:
• Backup files and databases
• Data banks
• Storage records
• E-token electronic keys
Controls are also required for:
• Disposal of media previously used to hold confidential information
• Management of equipment sent for offsite maintenance
• Public agencies and organizations concerned with sensitive, critical, or confidential information

Destruction of Confidential Data
• DoD data destruction standard
• Physical destruction of media
• Document destruction

Data Encryption and Encryption-Related Techniques

Encryption
• One of the best ways to protect the confidentiality of information is through the use of encryption.
• Effective encryption systems depend on:
o the strength of the algorithm, the secrecy of the key, and the difficulty of compromising a key
o the absence of back doors by which an encrypted file can be decrypted without knowing the key

Symmetric vs. Asymmetric Keys Compared
Symmetric: The number of keys required for a group of n people is large: n(n-1)/2.
Asymmetric: The number of keys required for a group is smaller: one key pair per person.
Symmetric: Symmetric keys are faster and stronger than asymmetric keys of comparable length.
Asymmetric: Asymmetric keys are slower and weaker than symmetric keys of comparable length.
Symmetric: The same key is used for encryption and decryption.
Asymmetric: A pair of keys (private key and public key) is used. A message encrypted with either key can be decrypted only with the other.
Symmetric: It provides only confidentiality.
Asymmetric: It provides confidentiality and non-repudiation.
Symmetric: The key has to be shared confidentially, so common means of communication, such as email, cannot be used to distribute it.
Asymmetric: Since two different keys are used and the public key is known to all, the question of sharing a secret key does not arise.
Symmetric: It requires no other infrastructure to support it.
Asymmetric: It requires a public key infrastructure (PKI) to support it.

Symmetric Ciphers
• DES: 56-bit key; outdated
• AES: 128-, 192-, or 256-bit key; very secure
• Blowfish: variable key length of 32 to 448 bits; very secure

Asymmetric Ciphers
• RSA: widely used; older but still secure with adequate key sizes
• DH (Diffie-Hellman): the first public-key algorithm; used only for key exchange
• ECC (elliptic curve cryptography): newer; very secure with shorter keys

Digital Envelope
• Digital envelopes adopt a hybrid approach, using both symmetric and asymmetric encryption.
• This approach is preferred because symmetric encryption is quicker and less resource intensive than asymmetric encryption of comparable strength.
• However, secure exchange of the symmetric key between the two parties is the challenge.
• Say Alex wishes to send a message to Bob. It would be quicker and more efficient to use symmetric encryption rather than asymmetric encryption if Alex could convey the symmetric key to Bob without risk of compromise.
• Alex therefore encrypts the message with a symmetric key, encrypts that symmetric key with Bob's public key (asymmetric encryption), and sends both the encrypted message and the encrypted symmetric key to Bob. Together these constitute the digital envelope.
• On receiving the digital envelope, Bob recovers the symmetric key by decrypting the encrypted key with his private key (which only he has), and then decrypts the message with the symmetric key.
• An attacker who intercepts the envelope cannot recover the symmetric key without Bob's private key, so the key is protected in transit. The scheme still depends on Alex holding Bob's genuine public key, which is what a PKI provides.

Network Infrastructure Security: Encryption
Differences between symmetric and public keys:
Symmetric key
• Both parties share the same key
• Much faster
• As secure with a smaller key
• Examples: DES, IDEA, RC5, AES, Serpent, GOST, Blowfish
Public key
• Two separate keys: a public key and a private key
• Typically slower
• Examples: RSA, ElGamal encryption, ECC

Hardware, System Software, and DBMS
• Operating system issues
• Hardware issues
• Issues with closed systems vs. open systems

Logical Access Controls
Various logical access controls are:
• User profiles
• Logging
• User authentication
• Login management
• Access control
• Data protection

Operating System Issues
• Configuration
• Inherent OS security
• Hardening
• Patch management

Hardware Issues
• Access
• Circumventing security
• Hardware security
• Rogue devices
• Installation

Database Activity Monitoring
• Database activity monitoring (DAM) is the monitoring and analysis of database activity that operates independently of the database management system (DBMS) and does not rely on any form of native (DBMS-resident) auditing or native logs such as trace or transaction logs.
• DAM is typically performed continuously and in real time.
• Database activity monitoring and prevention (DAMP) extends DAM beyond monitoring and alerting to also block unauthorized activities.
Public Key Infrastructure (PKI)

PKI and Digital Signatures
• Encryption is the process of converting a plaintext message into a secure coded form, called ciphertext, which cannot be understood without converting it back to plaintext via decryption (the reverse process).
• PKI involves the distribution of asymmetric keys.

Digital Signatures
Digital signatures provide:
• Electronic identification of a person or entity
• A means for the recipient to verify the integrity of the data and the identity of the sender
• Data integrity, through a one-way cryptographic hashing algorithm (the message digest is what the signature algorithm signs)
• Sender identity (authentication), through public key cryptography: the digest is signed with the sender's private key and verified with the sender's public key
• Non-repudiation
• Replay protection, when timestamps and sequence numbers are built into the signed messages
A digital envelope, by contrast, is used to send encrypted information together with the key needed to read it; the message itself may be encrypted with either an asymmetric or a symmetric key.

Public Key Infrastructure (PKI)
• Public Key Infrastructure (PKI) is a framework a trusted party uses to issue, maintain, and revoke public key certificates.
• Many applications need key distribution. In PKI, a Certification Authority (CA) validates keys, and distribution is done via a hierarchy of CAs.
• PKI uses asymmetric key pairs and combines software, encryption, and services to protect the security of business communications and transactions.
• PKCS (Public Key Cryptography Standards) was put in place by RSA to ensure uniform certificate management throughout the Internet.
• A certificate is a digital representation of information that identifies you as a relevant entity, vouched for by a trusted third party (TTP).
• A CA (Certification Authority) is an entity trusted by one or more users to manage certificates.
• An RA (Registration Authority) takes the burden off the CA by handling verification of the applicant before a certificate is issued.
• The RA acts as a proxy between the user and the CA: it receives the request, authenticates it, and forwards it to the CA.
• A CRL (Certificate Revocation List) is a list of certificates issued by a CA that are no longer valid. CRLs are distributed in two main ways:
o Push model: the CA automatically sends the CRL out at regular intervals.
o Pull model: the CRL is downloaded from the CA by those who want to verify a certificate; the end user is responsible for fetching it.

X.509 Certificates
An X.509 certificate contains:
• Version
• Serial number
• Signature algorithm identifier
• Unique name of the certificate issuer
• Certificate validity period
• Certificate holder's distinguished name
• Certificate holder's public key
• Digital signature of the issuer

Web-Based Communication Techniques

Peer-to-peer, IM, and Web
• All of these communication technologies can be a definite improvement for corporate communications, but they also carry risks.

Peer-to-peer Computing
• In peer-to-peer computing no dedicated server is required; the connection is made directly between two peers.
• The risks involved are malware, copyright issues, and data leakage.

Social Networking Sites
• Security risks in using social networking sites include information leakage, phishing, and stalking.

Cloud Computing
• Cloud computing offers advantages over in-house computing resources in terms of hardware acquisition, software installation, power and environmental controls, considerable capital expenditure, and so on. However, it also comes with associated risks, which have to be considered.
• Cloud computing services are usually delivered on virtual machines. This enables the service provider to optimize hardware resources by running multiple operating systems and applications on each server.

Cloud Computing
The popular models of cloud computing services are:
Software as a Service (SaaS)
• Application software is delivered on the cloud.
• The service provider is responsible for the infrastructure, hosting, and management of the application.
• Users subscribe to the service on payment.
• Example: Salesforce.com
Platform as a Service (PaaS)
• The service provider is responsible for the server hardware and network.
• Users can concentrate on developing and implementing their application software.
Infrastructure as a Service (IaaS)
• This is the lowest level of cloud computing and provides pre-configured hardware and networking via a virtualized interface such as a hypervisor.
• The operating system and applications are the responsibility of the subscriber.

Cloud Computing
• Cloud computing is the provision of Internet-based, remote computing services.
• It makes use of virtual machines and can be outsourced to a third-party service provider.
• The three models of cloud computing are:
o Software as a Service (SaaS): the service provider offers the use of a specific application and database in its own environment.
o Platform as a Service (PaaS): the service provider offers a platform, including server, operating system, and database, and is responsible for securing the platform. Clients do not get administrative access, but they can develop and run their applications on the platform.
o Infrastructure as a Service (IaaS): a self-service model in which the user gets full remote access to, and responsibility for managing, monitoring, and securing, the computing resources.
• Users can migrate from a capex model (users invest in the resources) to an opex model (users pay for the services).

Virtualized Environments

Virtualized Systems
• Virtualization provides an organization with a significant opportunity to increase efficiency and decrease the costs of its IT operations.

Virtualization
• Virtualization is a means by which a single hardware device or server can host multiple operating system environments, which in turn provide a platform for multiple applications. This facilitates efficient use of hardware resources.
• A virtual machine, or guest, is a virtual instance of an operating system that operates in an environment provided by the host.
• Computer resources such as RAM, processor time, and storage are emulated through the host environment.
• Guest systems do not interact directly with these resources but through a layer in the host environment called the hypervisor.

Two methods of implementing virtualization:
• Bare-metal (native) virtualization: the hypervisor interacts directly with the hardware; there is no operating system between the hypervisor and the hardware.
• Hosted virtualization: there is an operating system between the hypervisor and the hardware. That host operating system can be a single point of failure, because the guests cannot operate if it fails.

Virtualization
• It consolidates the workloads of several under-utilized servers onto one or a few servers.
• It serves the need to run legacy applications which, although they do not require much computing resource, may not be compatible with newer systems.
• Virtual machines provide secure, isolated sandboxes in which untrusted applications can be tested or executed. This assures fault and error containment.
• A legacy application can run on an older operating system version in one VM, while other VMs in the same host environment support other or later operating systems.
• Virtual machines can be used to run multiple operating systems simultaneously on the same hardware platform.

Virtualization Risks
Apart from the risks to conventional resources, virtualization attracts other risks:
Misconfiguration of the host
• A vulnerability or flaw in the host extends to every guest virtual machine that it supports.
Rootkits
• A rootkit may install itself as a hypervisor below the guest operating systems.
• Such a rootkit may escape anti-virus detection, since it operates below the operating system.
Guest operating system access
• In hosted virtualization implementations, guest tools enable a guest operating system to access resources of another guest or of the host operating system.
• This feature could be exploited for an attack.

Virtualization Controls
• Securing the configuration of the hypervisor
• Patching the hypervisor
• Implementing mechanisms that monitor the integrity of hypervisor files and detect change
• Disabling services such as file sharing between the guest operating system and the host operating system

Types of Virtual Systems
• Virtual machine
• Software as a Service (SaaS)
• Platform as a Service (PaaS)
• Infrastructure as a Service (IaaS)
• Cloud

Virtual Machines
Virtualization
• It enables a single hardware device, such as a server, to support multiple operating systems, each of which can in turn support a different application.
• By enabling multiple operating systems to function from a single server, virtualization improves server utilization.
Virtual Machine (VM)
• It is an operating system that is implemented in a virtual environment.
• It is also referred to as a guest, operating in the environment of the host.
Hypervisor
• To implement a virtual environment, a hypervisor is installed on top of the hardware.
• It provides a layer of abstraction between the host environment and the guest operating systems.
• The host environment emulates computer resources (memory, processor, storage, and so on) for each VM.
• The hypervisor interacts with the underlying hardware to create multiple instances of virtual machines, each of which can support an operating system and applications.

Types of Virtualization
Virtual machines can be implemented in two ways:
Bare-metal (native) hypervisor
• There is no operating system between the hypervisor and the hardware, hence the name.
• The hypervisor is the first thing installed on the server, since it is itself the operating system.
• The hypervisor communicates directly with the hardware.
• Hardware support may be limited, as the hypervisor has a limited set of device drivers.
• Examples: VMware ESX, Microsoft Hyper-V.

Hosted virtualization
• A host operating system is first installed on the server, and the hypervisor is installed on top of the operating system.
• Guest virtual machines run on top of the hypervisor.
• The hypervisor provides better hardware support and compatibility, since it invokes the drivers of the host operating system.
• The operating system of the host can become a single point of failure. If it fails, all VMs above it also fail.

Components of Virtual Systems

Hypervisor
The hypervisor mechanism is the process that provides the virtual servers with access to resources.

Virtual storage
The virtual servers are hosted on one or more actual (physical) servers. The hard drive space and RAM of those physical servers are partitioned for the various virtual servers' use.

Voice Communications Security
• The increasing complexity and convergence of voice and data communications introduce additional risks that must be taken into account by the IS auditor.

Voice-over IP
IP telephony (Internet telephony) is the technology that makes it possible to have a voice conversation over the Internet. The protocols used to carry the signal over the IP network are referred to as VoIP.
• VoIP is a technology where voice traffic is carried on top of the existing data infrastructure.
• In VoIP, sounds are digitized into IP packets and transferred through the network layer before being decoded back into the original voice.
• VoIP has reduced long-distance call costs in a number of organizations.
Voice-over IP

VoIP advantages over traditional telephony
• VoIP innovation progresses at market rates rather than at the rates of the International Telecommunications Union (ITU)
• Lower costs per call, or even free calls, for long-distance calls
• Lower infrastructure costs

Risks of VoIP
• Need to protect two assets: the data and the voice
• Inherently poor security
• The current Internet architecture does not provide the same physical wire security as the phone lines

Controls for securing VoIP are security mechanisms such as those deployed in data networks (e.g., firewalls, encryption), used to emulate the security level currently enjoyed by PSTN network users.

Private Branch Exchange (PBX)
A PBX is a sophisticated computer-based phone system dating from the early 1920s. Originally analog, it is now digital. Its principal purpose was to save the cost of providing each person with a line. Attributes include:
• Multiple telephone lines
• Digital phones for both voice and data
• Switching of calls within the PBX
• Non-blocking configuration that allows simultaneous calls
• Operator console or switchboard

The issues in a Private Branch Exchange are as follows:
1. Theft of Service
2. Denial of Service
3. Information Disclosure

Mobile, Wireless, and Internet of Things (IoT) Devices
• Portable and wireless devices present a new threat to an organization's information assets and must be properly controlled.
• Internet of Things (IoT) devices are nonstandard computing devices that connect wirelessly to a network and have the ability to transmit data.
Controls and Risks Associated with the Use of Mobile and Wireless Devices
• Device Theft
• Information Compromise
• Malware

Laptop Security
The risks involved in laptop security are:
• It is difficult to implement logical and physical security in a mobile environment

Laptop security controls:
• Engraving the serial number and company name
• Cable locks, motion detectors
• Regular backup of sensitive data
• Encryption of data
• Allocating passwords to individual files
• Theft response procedures

Bring Your Own Device
Perform the following to avoid threats to the organization:
1. Limit Access
2. Minimum Requirements
3. Sheep dip

Risks Associated with IoT Devices
• Business Risk
• Operational Risk
• Technical Risk

Part B: Security Event Management
The following topics are covered in Part B:
• Security awareness training and programs
• Information system attack methods and techniques
• Security testing tools and techniques
• Security monitoring tools and techniques
• Incident response management
• Evidence collection and forensics

Security Awareness Training and Programs

Security Awareness Program
• Security depends on the participation of all members of an organization. Therefore, ensuring that the entire staff is aware of security issues is important. This is something that should be checked in an IS audit.
Awareness and Education
Security awareness and education (training and regular updates):
• Written policies and procedures and updates
• Non-disclosure statements signed by employees
• Newsletters, web pages, videos, and other media
• Visible enforcement of security rules
• Simulated security incidents and simulated drills
• Rewards for reporting suspicious events
• Periodic audits

Monitoring and compliance:
• Control includes an element of monitoring
• Usually relates to regulatory/legal compliance
• Incident handling and response

Security Awareness
• Login Banner
• Email/Intranet
• Lunch and Learn

Information System Attack Methods and Techniques

Fraud
• Fraud is a significant threat to any organization. There are always new scams being used by criminals. IS audits should review the IS controls regarding fraud.

Email Fraud
• Gain control of an upper-level executive's email
• Use that to con a lower-level employee into sending wire transfers or authorizing payments
• The FBI estimates that losses to businesses as a result of this fraud were more than $1.2 billion worldwide

Remediation
• Multiparty approval process
• Be suspicious of email/phone requests
• Require a purchase order number to send money to vendors

Email Fraud
1. Send a fake email from a person who can authorize payment
2. Encourage rapid processing (an emergency situation)
3. Make sure the real authorizing authority is unavailable
4. Send the money to an account in this country

Attack Methods
• Various attacks pose different issues for remediation.

Malware
• Virus/Worm
• Trojan Horse
• Logic Bomb
• Spyware

Malware
Virus
• This is malware that requires a host to be able to deliver its payload.
• A virus infects a file by inserting or attaching itself to the file.
• There are various kinds of viruses.
Worm
• A worm is a self-contained program that can reproduce without a host program.
Trojan Horse
• A Trojan is malware that disguises itself as legitimate software but has hidden malicious functionality.
• It can install itself through backdoors and key loggers and implement rootkits.

Malware
Logic Bomb
• A logic bomb is malware that is triggered when a certain condition occurs, such as a particular date or time.
Spyware
• This is malware that covertly collects sensitive information about victims, such as their browsing habits.
• It can be used to install malware, change system settings, log keystrokes, etc.
Adware
• It generates advertisements based on the user's browsing habits.
• It is not malicious in nature but has implications relating to privacy and security.

General Attacks
• Denial of Service
• Wireless Attacks
• Data Theft

Web Attacks
• SQL Injection
• Website Defacement
• Cross-Site Scripting

Web Attacks
SQL Injection
• In this attack, an SQL (Structured Query Language) query is 'injected' into data input fields.
• If the system executes the SQL query, it can lead to sensitive data being revealed.
Buffer Overflow
• A buffer is an allocated segment of memory.
• A buffer overflow occurs when more data is written to a buffer than it can hold, causing some of it to be written to an adjacent buffer.
• The overflow data which is written to an adjacent buffer may contain executable code of a malicious nature.

Security Testing Tools and Techniques

Security Testing
• Tools are available to assess the effectiveness of network infrastructure security. These tools permit identification of real-time risks to an information processing environment and allow corrective actions to be taken to mitigate these risks.
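The SQL injection the bullets above describe, shown as an added example that is not part of the course material: a Python function that pastes the input field into the SQL text, beside the parameterised form an auditor should expect to find in application code. The in-memory staff table and the hostile input are constructed for the demonstration.

```python
"""SQL injection: a query built by string concatenation beside the
parameterised (hardened) form. Added example, not from the course material;
the 'staff' table and the inputs are constructed for the demonstration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small staff table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (username TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO staff VALUES (?, ?)",
        [("alice", 70000), ("bob", 65000), ("carol", 90000)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """VULNERABLE: the input field is spliced into the SQL text, so quote
    characters in the input change the meaning of the query."""
    query = f"SELECT username, salary FROM staff WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, username: str) -> list:
    """HARDENED: the value is bound as a parameter; the database never parses
    it as SQL, so it can only match (or fail to match) a username."""
    query = "SELECT username, salary FROM staff WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal and a constructed hostile input."""
    conn = make_db()
    normal = "alice"
    # Constructed hostile input: it closes the string literal and appends a
    # condition that is always true, so the WHERE clause matches every row.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterised(conn, normal),
        "safe_hostile": lookup_parameterised(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the vulnerable function the hostile input returns every row of the table; with the parameterised function it returns nothing, because the database treats the whole string as a username. When reviewing application code, the control to look for is that every query reaches the database with its values bound as parameters rather than formatted into the query text.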
Security Testing Techniques
• Vulnerability Scanners
• Patch management
• Automated pen test

Pen Testing
• Benefits
• Dangers
• Advice

Pen Testing Phases: Planning
• Seek management approval
• Sign NDA
• Define scope of work
• Agree on deliverables
• Agree on rules of engagement
• Agree on timelines/deadlines
• Identify milestones

Pen Testing Phases: Discovery / Reconnaissance
• Internet footprinting
• OS detection
• Network mapping
• WHOIS lookups
• Domain name searches
• Social engineering
• Dumpster diving

Pen Testing Phases: Attack
• Injection attacks
• OS exploits
• Network exploits
• Privilege escalation
• Internet service exploits

Pen Testing Phases: Reporting
• Provides a report to management with summary and detailed findings
• Identifies risks of vulnerabilities and their impact on the business
• Gives recommendations and solutions

Security Monitoring Tools and Techniques

Prevention and Detection
• The ability to detect a security breach is critical for IS. Therefore, detection tools and techniques are an important part of any IS audit.

Virus Detection Tools and Control Techniques
• Malware
• Intrusion Detection

Value and Risk Drivers
• Logs
• Events Review
• Traffic
• Performance Behavior

File Change Detection and IDS
The three issues in File Change Detection are as follows:
• File Hash
• IDS
• Tripwire

Log Review
Various logs to be reviewed are as follows:
• Server Log
• Firewall Log
• Router Log

Incident Response Management
• Incident response management enables organizations to detect incidents promptly and respond appropriately. This allows them to mitigate the damage and reduce the delays and costs that come with disruptions. An automated IDS is placed to detect and notify of potential incidents in real time.
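Log review in practice means turning a raw log into a question the reviewer can answer. As an added example that is not part of the course material, the Python below parses constructed server authentication log lines and applies one detection rule: repeated failed logins from a single source within a short window. The threshold of five failures in five minutes and the year prepended to the timestamps (syslog omits it) are assumptions.

```python
"""Log review: run a detection rule over server authentication log lines and
flag sources with repeated failed logins. Added example, not from the course
material; the log lines are constructed in a syslog-like format, and the
threshold and window are assumptions to be tuned per environment."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog style; the year is not recorded).
SAMPLE_LOG = """\
Mar 10 08:01:12 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:15 srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar 10 08:01:19 srv1 sshd[2102]: Failed password for root from 203.0.113.7 port 51124 ssh2
Mar 10 08:01:22 srv1 sshd[2103]: Failed password for root from 203.0.113.7 port 51125 ssh2
Mar 10 08:01:25 srv1 sshd[2104]: Failed password for oracle from 203.0.113.7 port 51126 ssh2
Mar 10 08:05:40 srv1 sshd[2110]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar 10 08:05:58 srv1 sshd[2111]: Accepted password for alice from 198.51.100.4 port 40011 ssh2
Mar 10 09:30:02 srv1 sshd[2150]: Accepted publickey for bob from 198.51.100.9 port 40200 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

ASSUMED_YEAR = "2024"  # assumption: syslog lines carry no year


def parse(lines):
    """Yield (timestamp, result, user, source) for every line that matches."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source: count} for sources with at least `threshold` failed
    logins inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for ts, result, _user, src in parse(lines):
        if result == "Failed":
            failures[src].append(ts)

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = end - start + 1
                break
    return alerts


def demo() -> dict:
    """Apply the rule to the constructed sample log."""
    return failed_login_bursts(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, count in demo().items():
        print(f"ALERT: {count} failed logins from {src} within 5 minutes")
```

On the sample, only 203.0.113.7 trips the rule; the single mistyped password from 198.51.100.4 followed by a successful login is the ordinary pattern the threshold is meant to tolerate. The same parse-then-count structure applies to firewall and router logs, with the denied-connection line format and a per-source threshold substituted for the authentication fields.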
The IS auditor should validate the incident response plan and ensure that the CSIRT is capable of handling and preventing security incidents.

Incident Response Management Phases
• Planning and preparation
• Detection
• Initiation
• Recording
• Evaluation
• Containment
• Eradication
• Escalation
• Response
• Recovery
• Closure
• Reporting
• Post-incident review
• Lessons learned

Evidence Collection and Forensics

Forensics
• Incident response can lead to at least a basic forensic examination. It is also the case that the first responders to computer crimes are often IT personnel. For this reason, forensic procedures are important to IS and to IS audits.

Forensics Process
• Preparation
• Collection
• Analysis
• Reporting

Evidence Preservation Techniques
• Audit Documentation
• Investigation
• Continuous Audit

The general guidelines in evidence preservation techniques are as follows:
• Make few changes
• Document
• Established Techniques

Knowledge Check

QUIZ 1
Accountability for the maintenance of appropriate security measures over information assets resides with the _____.
a. Security administrator
b. Systems operations group
c. Management
d. Data and systems owners

The correct answer is d.
Explanation: Management should ensure that all information assets (data and systems) have an appointed owner who makes decisions about classification and access rights. System owners typically delegate day-to-day custodianship to the systems delivery/operations group and security responsibilities to a security administrator. Owners, however, remain accountable for the maintenance of appropriate security.

QUIZ 2
Which of the following best provides access control to payroll data being processed on a local server?
a. Logging access to personal information
b. Using separate passwords for sensitive transactions
c. Using software that restricts access rules to authorized staff
d. Restricting system access to business hours

The correct answer is c.
Explanation: The server and system security should be defined to allow only authorized staff members access to information about the staff whose records they handle on a day-to-day basis.

QUIZ 3
An organization is proposing the installation of a single sign-on facility, giving access to all systems. The organization should be aware that _____.
a. Maximum unauthorized access would be possible if a password is disclosed
b. User access rights would be restricted by the additional security parameters
c. The security administrator's workload would increase
d. User access rights would be increased

The correct answer is a.
Explanation: If a password is disclosed when single sign-on is enabled, there is a risk that unauthorized access to all systems will be possible. User access rights should remain unchanged by single sign-on, as additional security parameters are not necessarily implemented.

QUIZ 4
When installing an intrusion detection system (IDS), which of the following is MOST important?
a. Identifying messages that need to be quarantined
b. Properly locating the IDS in the network architecture
c. Minimizing the rejection errors
d. Preventing denial-of-service (DoS) attacks

The correct answer is b.
Explanation: Proper location of an IDS in the network is the most important decision during installation. A poorly located IDS could leave key areas of the network unprotected.

Protection of Information Assets: Case Study

Case Study
An IS auditor is auditing a medical billing company. The company services over 100 clinics consisting of over 1200 doctors and 100,000 patients. The company stores medical billing data in a server cluster. That cluster is located in a secure building that includes physical security measures such as camera surveillance, biometric entry to the building and the server room, and round-the-clock security guards. The databases are patched and updated regularly. Network access to the data servers is protected by a firewall/DMZ combination, and an IDS is run. Users who access the databases need a password and a digital signature.

QUIZ 1
The auditor wants to confirm the security of the cryptography used with the digital signatures. Which of the following is the most important to check?
a. Key length used
b. Password policies are in place
c. Key storage policies and procedures
d. Details of the cryptography algorithms used

The correct answer is c.
Most auditors are not cryptographers and cannot evaluate the details of an algorithm. Passwords are important, but a separate issue from the cryptography. Key length is important, but all vendors of digital certificates have minimum key lengths that should be adequate. The security concern is the storage of keys.

QUIZ 2
When considering the data on the servers, which law or regulation would be the most important to review?
a. PCI
b. Sarbanes-Oxley
c. FISMA
d. HIPAA

The correct answer is d.
HIPAA specifically addresses the privacy and security of health care records. PCI is applicable to credit card data, Sarbanes-Oxley to electronic records and publicly traded companies, and FISMA relates to security standards for US Federal agencies.

Key Takeaways
You are now able to:
• Conduct an audit in accordance with IS audit standards and a risk-based IS audit strategy
• Evaluate problem and incident management policies and practices
• Evaluate the organization's information security and privacy policies and practices
• Evaluate physical and environmental controls to determine whether information assets are adequately safeguarded
• Evaluate logical security controls to verify the confidentiality, integrity, and availability of information
• Evaluate data classification practices for alignment with the organization's policies and applicable external requirements
• Evaluate policies and practices related to asset lifecycle management
• Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives
• Perform technical security testing to identify potential threats and vulnerabilities
• Evaluate potential opportunities and threats associated with emerging technologies, regulations, and industry practices

THANK YOU