CISA Study Guide: IT Audit, Governance, Security

ITauditSecurity’s CISA Study Guide
For a description of this guide, guidance on using it, and some warnings, see
http://itauditsecurity.wordpress.com/2012/03/30/free-cisa-study-guide/
Table of Contents on next page
Copyright 2012, ITauditSecurity
Rev 2.0
NOTE: When this guide was created, the main sections of the exam were as follows:
• IS Audit process
• IT Governance
• Systems & Lifecycle Mgmt
• IT Service Delivery & Support
• Protection of Info Assets
• BCP and DRP
ISACA has since reorganized the sections, but that doesn’t affect the information itself.
Quick Review Info
Yellow highlight = ISACA emphasizes this as must-know for the CISA
Blue highlight = good-to-know info
List of key items to recite from memory:
5 Task Statements - SPCCA
10 Knowledge Statements – SPGE – CRP - CCC
7 Code of Ethics – IPS PC DE
3 types of Standards
6 Project Mgmt – IP EMC
Projects: Triple restraint: QRS & CDT
10 Audit Stages
OSI – PDNTSPA
TCP/IP – NDITA
Capability Maturity Model– zeroIRDMO
6 SDLC – FRD DIP
(don’t forget differences if software purchased)
6 Benchmarking – PROAAI
FREE CISA Study Guide from http://ITauditSecurity.wordpress.com
1 of 40
Quick Review Info ................................................................................................................................................... 1
> IS Audit Process...................................................................................................................................................... 5
5 Task Statements - SPCCA .................................................................................................................................. 5
10 Knowledge Statements – SPGE – CRP - CCC ................................................................................................. 5
7 Code of Ethics – IPS PC DE ............................................................................................................................... 5
Information Tech Assurance Framework (ITAF) .................................................................................................... 6
3 types of Standards (+ Guidelines & Techniques = ITAF) .................................................................................................. 6
Policy/Standards .................................................................................................................................................................. 6
Misc Notes .............................................................................................................................................................. 6
Project Mgmt .......................................................................................................................................................... 6
Project Estimation ................................................................................................................................................................ 7
10 Audit Stages ...................................................................................................................................................... 7
Engagement Letter vs. Audit Charter ..................................................................................................................... 8
Charter - RAA....................................................................................................................................................................... 8
Sampling .............................................................................................................................................................................. 8
Open Systems Interconnect (OSI) Model............................................................................................................. 10
IP Addresses (32 bits) .......................................................................................................................................... 11
Packet Switching ................................................................................................................................................................ 11
> IT Governance ...................................................................................................................................................... 12
CMM vs. ISO 15504 (SPICE) – PME PO ........................................................................................................................... 13
Risk Management .............................................................................................................................................................. 13
Business Process Reengineering (BPR) ............................................................................................................................ 13
Risk Management .............................................................................................................................................................. 14
Systems & System Development Life Cycle (SDLC) ............................................................................................... 15
Alternatives to SDLC Project Organization......................................................................................................................... 16
Alternative Development Methods ..................................................................................................................................... 17
Physical Architecture Analysis (RADFFP) .......................................................................................................................... 18
Change Control Procedures ................................................................................................................................. 19
Change Management Auditing ........................................................................................................................................... 19
Emergency Changes .......................................................................................................................................................... 19
Computer-aided Software Engineering (CASE) ................................................................................................... 19
Key CASE Audit Issues ...................................................................................................................................................... 19
Programming Languages ..................................................................................................................................... 19
Fourth-generation Languages ............................................................................................................................................ 19
4GL Types.......................................................................................................................................................................... 20
Application Controls ................................................................................................................................................. 20
Input Controls ....................................................................................................................................................... 20
Input Control Techniques ................................................................................................................................................... 21
Processing Controls ............................................................................................................................................. 22
Output Controls .................................................................................................................................................... 23
Data Integrity ............................................................................................................................................................ 24
Testing ............................................................................................................................................................................... 24
Data Integrity Requirements (ACID)................................................................................................................................... 24
Application Testing Methods .............................................................................................................................................. 24
Continuous Auditing Techniques ............................................................................................................................. 24
E-commerce Risks ............................................................................................................................................................. 25
EDI Controls ....................................................................................................................................................................... 25
Auditing EDI ....................................................................................................................................................................... 26
Digital Signatures ............................................................................................................................................................... 26
Project Mgmt Organizational Alignment ............................................................................................................................. 28
> IT Service Delivery & Support ............................................................................................................................... 28
IS Operations ........................................................................................................................................................ 28
IS Hardware .......................................................................................................................................................... 28
IS Architecture & Software ................................................................................................................................... 28
Database Management System (DBMS) ........................................................................................................................... 28
Database Structures .......................................................................................................................................................... 29
Networking ............................................................................................................................................................ 29
Wireless ................................................................................................................................................................ 30
TCP/IP (32-bit) ...................................................................................................................................................... 30
System Control................................................................................................................................................................... 30
> Protection of Information Assets ........................................................................................................................... 31
Key elements of Information Security Mgmt ....................................................................................................................... 31
Inventory Classification ...................................................................................................................................................... 31
Mandatory access control (MAC) ....................................................................................................................................... 31
Discretionary access control (DAC) ................................................................................................................................... 31
Biometrics .......................................................................................................................................................................... 31
Bypassing Security Controls .............................................................................................................................................. 32
Wireless Security .................................................................................................................................................. 32
Firewalls................................................................................................................................................................ 33
Application Firewalls - 2 levels/types.................................................................................................................................. 33
Stateful Inspection Firewalls............................................................................................................................................... 33
Firewall implementations .................................................................................................................................................... 34
Intrusion Detection Systems (IDS) ....................................................................................................................... 34
IDS Types .......................................................................................................................................................................... 34
Encryption ............................................................................................................................................................. 34
Digital signatures................................................................................................................................................................ 35
Digital Envelope ................................................................................................................................................................. 35
Encryption Risks ................................................................................................................................................................ 36
Viruses ............................................................................................................................................................................... 37
VOIP .................................................................................................................................................................................. 37
Auditing Infosec Management Framework ......................................................................................................................... 38
Computer Forensics (IPAP) ............................................................................................................................................... 38
> BCP/DRP .............................................................................................................................................................. 38
Difference between ISACA book and Sybex ........................................................................................................... 40
> IS Audit Process
5 Task Statements - SPCCA
Develop & implement risk-based IS audit strategy
Plan specific audits
Conduct audits
Communicate issues, risks, results
Advise on risk mgmt & control practices
10 Knowledge Statements – SPGE – CRP - CCC
Standards/Code of Ethics
Auditing practices/techniques
Techniques to gather/preserve evidence
Evidence lifecycle (collection, protection, chain of custody)
Control objectives & controls
Risk Assessment
Audit planning & mgmt
Reporting/Communication
Control self-assessment (CSA)
Continuous audit techniques
7 Code of Ethics – IPS PC DE
Support the implementation of appropriate policies, standards, guidelines, and procedures for information
systems.
Perform your duties with objectivity, professional care, and due diligence in accordance with professional
standards. Support the use of best practices.
Serve the interests of stakeholders in an honest and lawful manner that reflects a credible image upon your
profession.
Maintain privacy and confidentiality of information obtained during your audit except for required disclosure to
legal authorities.
Undertake only those activities in which you are professionally competent; strive to improve your competency.
Disclose accurate results of all work and significant facts to the appropriate parties.
Support ongoing professional education to help stakeholders enhance their understanding of information
systems security and control.
Information Tech Assurance Framework (ITAF)
• Provides guidance on design, conduct, and reporting of IT audit & assurance
• Establishes IT audit standards
• Consists of General, Performance, and Reporting standards; Guidelines; Tools & Techniques (TBA)
3 types of Standards (+ Guidelines & Techniques = ITAF)
General – guiding principles for IT assurance profession
Performance – how to conduct IT assurance engagements
Reporting – address types of reports, means of communication, and info to be communicated
Policy/Standards
Policy, Standard, Procedure – mandatory
Guideline– discretionary
Misc Notes
Purpose of audit: challenge mgmt assertions and determine whether evidence supports mgmt claims
Types of audits:
• Internal – audit of your own organization; scope restrictions; cannot be used for licensing
• External – a customer auditing your organization, or you auditing a supplier
• Independent – 3rd-party audit used for licensing, certification, product approval
Compliance audit– verify presence or absence
Substantive audit - check the content/substance and integrity of a claim
Risk – the potential that a given threat will exploit vulnerabilities of an asset (or group of assets) and thereby cause harm to the
organization
CobiT – Control Objectives for Information and Related Technology. A framework consisting of strategies, processes, and
procedures for leading IT organizations.
Project Mgmt
Project is unique, progressive (planning starts high-level and gets more detailed), and has start and end dates.
Triple restraint: QRS
• Quality
• Resources (cost, time)
• Scope
3 project elements: CDT
• Cost/resources
• Deliverables
• Time/duration
5 Process groups/phases of project management – IP EMC
• Initiating (2 components: scope & authorization)
• Planning (detail scope, goals, deliverables)
• Executing
• Monitoring & Controlling
• Closing
Earned value – budgeted value of the work actually completed to date (compared against planned value to judge schedule, and against actual cost to judge budget)
Project Estimation
• Source Lines of Code (SLOC) – traditional method (also Kilo LOC or KLOC); a direct, size-oriented measure
• Thousand Delivered Source Instructions (KDSI) – works better with structured programming languages like BASIC, COBOL
• Function Point Analysis (FPA) – indirect measure
 o Based on number and complexity of inputs, outputs, files, interfaces, and user queries
 o Functions are weighted by complexity
Project Diagramming
• Gantt chart – shows resources, schedule, and sequence in a waterfall-style serial view with bars and milestone diamonds (e.g., MS Project)
 o Shows concurrent and sequential activities
 o Shows project progress and the impact of completing a task early or late
• PERT (Program Evaluation Review Technique) – network diagram illustrating the dependencies between planned activities
 o Critical path – the longest route through the network; it therefore sets the shortest possible completion time
   Activities on the critical path have no slack time; any activity with no slack time is on the critical path
   The route on which the project can be shortened (accelerated) or lengthened (delayed)
 o Quantitative measure for risk analysis: risk of delays, failure, and likely completion
 o 3 time estimates for each task's effort: Optimistic (O), Most likely (M), and Pessimistic (P)
   PERT expected time for each task = (O + 4M + P) / 6
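The PERT formula and the critical-path/slack rules above, worked through in code. This is an added example, not part of the ITauditSecurity guide; the six-activity network and its O/M/P estimates are constructed for illustration. The forward pass computes earliest start/finish, the backward pass computes latest start/finish, and slack is latest start minus earliest start, so the zero-slack activities form the critical path.

```python
"""PERT three-point estimates plus a forward/backward pass to find slack and the critical path.

Added example for the study guide; the activity network below is constructed, not taken
from ISACA material. Activities are listed so that every predecessor appears before its
successors (a topological order), which the passes rely on.
"""
from collections import OrderedDict

# Constructed network: name -> (optimistic, most likely, pessimistic, predecessors)
ACTIVITIES = OrderedDict([
    ("A", (2, 4, 6, [])),
    ("B", (3, 5, 13, ["A"])),
    ("C", (1, 2, 3, ["A"])),
    ("D", (2, 3, 4, ["B", "C"])),
    ("E", (1, 1, 1, ["C"])),
    ("F", (2, 2, 8, ["D", "E"])),
])


def pert_estimate(optimistic, most_likely, pessimistic):
    """PERT expected duration: (O + 4M + P) / 6."""
    return (optimistic + 4 * most_likely + pessimistic) / 6


def critical_path(activities):
    """Return (project_duration, {activity: slack}, [critical activities in order])."""
    durations = {n: pert_estimate(o, m, p) for n, (o, m, p, _) in activities.items()}

    # Forward pass: earliest start = max earliest finish of predecessors
    earliest_start, earliest_finish = {}, {}
    for name, (_, _, _, preds) in activities.items():
        earliest_start[name] = max((earliest_finish[q] for q in preds), default=0)
        earliest_finish[name] = earliest_start[name] + durations[name]
    duration = max(earliest_finish.values())

    # Backward pass: latest finish = min latest start of successors (project end if none)
    successors = {n: [] for n in activities}
    for name, (_, _, _, preds) in activities.items():
        for q in preds:
            successors[q].append(name)
    latest_start, latest_finish = {}, {}
    for name in reversed(list(activities)):
        latest_finish[name] = min((latest_start[s] for s in successors[name]), default=duration)
        latest_start[name] = latest_finish[name] - durations[name]

    # Slack (float) = latest start - earliest start; zero slack means critical
    slack = {n: round(latest_start[n] - earliest_start[n], 6) for n in activities}
    critical = [n for n in activities if slack[n] == 0]
    return duration, slack, critical


if __name__ == "__main__":
    total, slack, critical = critical_path(ACTIVITIES)
    print("project duration:", total)
    print("slack:", slack)
    print("critical path:", " -> ".join(critical))
```

With the constructed estimates the expected durations are A=4, B=6, C=2, D=3, E=1, F=3; the path A-B-D-F is the longest (16) and is the only one with zero slack, while C and E can slip 4 and 6 units without delaying the project.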
Timebox Management
• Define and deploy software deliverables in short/fixed period of time
• Prevents cost overruns or delays from scheduled delivery
• Design/development shortened due to newer development tools/techniques
10 Audit Stages
1. Approving audit charter/engagement letter
2. Preplanning audit
3. Risk Assessment
4. Determine whether audit is possible
5. Performing the actual audit
6. Gathering evidence
7. Performing audit tests
8. Analyzing results
9. Report Results
10. Follow-up activities
Engagement Letter vs. Audit Charter
Audit charter – establishes the internal audit function and is approved by the board/audit committee. Engagement letter – defines the terms of a specific engagement, typically for an external auditor. The difference reflects auditor independence (internal vs. external audit).
Charter - RAA
• Responsibility – scope with goals/objectives
• Authority – right to access & audit
• Accountability – agreement between auditor/Audit Committee; reporting requirements
2 foundational audit objectives:
• Test control implementation to determine whether adequate safeguards are implemented
• Comply with legal requirements
Process technique – Shewhart/Deming cycle - PDCA
1. Plan – is there a plan or method?
2. Do – does the work match the plan?
3. Check – is anyone monitoring the process? What is the acceptance criterion?
4. Act – how are differences identified and dealt with?
Controls
• General – overall controls; all depts.
• Pervasive (technology)
• Detailed IS controls (tasks)
• Application (most detailed, lowest level controls)
Evidence Life Cycle – ICI SAP PR Chain of custody
• Identification
• Collection
• Initial preservation
• Storage
• Analysis
• Post analysis preservation storage
• Presentation
• Return of evidence
Sampling
Statistical/Mathematical
• Random – every item has an equal chance of selection
• Cell – population divided into equal-size intervals (cells); one item chosen at random within each cell
• Fixed interval (systematic) – random starting point, then every nth item
Non-statistical
• Haphazard – no structured selection technique
Compliance Testing – presence/absence of controls
Attribute sampling – is the attribute (control) present in the sampled items? Result is expressed as a rate of occurrence
Stop & Go sampling – used when few errors are expected; the auditor can stop as soon as enough evidence has been gathered, which reduces overall sample size and effort
Discovery sampling – used when the expected occurrence rate is very low and the auditor wants to detect at least one instance (e.g., fraud, forensics); finding any occurrence usually triggers expanded examination, up to 100 percent
Precision – acceptable range between the sample result and the true population value; expected error rate – the rate of deviation the auditor anticipates. Tighter precision, higher confidence, or a higher expected error rate all require a larger sample.
Substantive Testing – content/integrity of balances and transactions
Variable sampling – estimates a $ value or other quantity for the whole population by projecting from a smaller sample (ex: weigh one $50 bill, then estimate the value of a stack of bills from its total weight)
Unstratified mean estimation (mean-per-unit) – sample average × population size = estimated population total
Stratified mean estimation – divide the population into groups (strata) of similar items (all males, all females, all over 30; or small vs. large invoices), estimate each stratum separately, then sum; reduces variance when values are skewed
Difference estimation – average difference between audited and book (unaudited) values in the sample, projected over the population and added to the book total
Confidence coefficient – level of confidence in the audit results; 95% and higher = high degree of confidence
Attestation – providing assurance via your signature that document contents are authentic and genuine
Subsequent events: Type 1 – conditions existed at the balance sheet date (adjust the statements); Type 2 – arose after the balance sheet date (disclose). The auditor's responsibility for subsequent-event procedures runs only up to the date of the audit report.
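The three variable-sampling estimators above (unstratified mean, stratified mean, difference estimation) applied to one small invoice population. This is an added example, not from the ITauditSecurity guide; the invoice book values, the strata, and the audited sample values are constructed so the effect of stratification is visible: the population mixes a few large invoices with many small ones, and mean-per-unit projection over an unstratified sample overshoots badly.

```python
"""Substantive (variable) sampling estimators for a constructed invoice population.

Added example for the study guide, not ISACA material. POPULATION and SAMPLE are
constructed: ten invoices with a recorded (book) value and a stratum label, and an
audit sample of four invoices with the value the auditor actually verified.
"""
from statistics import mean

# Constructed population: invoice id -> (stratum, recorded/book value)
POPULATION = {
    1: ("small", 100), 2: ("small", 120), 3: ("small", 90), 4: ("small", 110),
    5: ("small", 130), 6: ("small", 100),
    7: ("large", 1000), 8: ("large", 1200), 9: ("large", 900), 10: ("large", 1100),
}
# Constructed audit sample: invoice id -> audited (verified) value
SAMPLE = {1: 100, 3: 80, 7: 1000, 9: 850}


def book_value_total(population):
    """Sum of recorded values; the figure management asserts."""
    return sum(value for _, value in population.values())


def unstratified_mean_estimate(population, sample):
    """Mean-per-unit: average audited value in the sample projected over all N items."""
    return mean(sample.values()) * len(population)


def stratified_mean_estimate(population, sample):
    """Mean-per-unit within each stratum, projected over that stratum's size, then summed."""
    total = 0.0
    for stratum in {s for s, _ in population.values()}:
        size = sum(1 for s, _ in population.values() if s == stratum)
        audited = [v for i, v in sample.items() if population[i][0] == stratum]
        total += mean(audited) * size
    return total


def difference_estimate(population, sample):
    """Book total plus the projected misstatement (audited minus book, averaged and scaled)."""
    diffs = [sample[i] - population[i][1] for i in sample]
    return book_value_total(population) + mean(diffs) * len(population)


if __name__ == "__main__":
    print("book total:", book_value_total(POPULATION))
    print("unstratified mean estimate:", unstratified_mean_estimate(POPULATION, SAMPLE))
    print("stratified mean estimate:", stratified_mean_estimate(POPULATION, SAMPLE))
    print("difference estimate:", difference_estimate(POPULATION, SAMPLE))
```

Book total is 4,850. The unstratified estimate (5,075) is pulled far above book by the two large invoices in the sample; stratifying by size (4,240) and difference estimation (4,700) both land near the audited reality, which is why auditors stratify skewed populations before projecting.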
Open Systems Interconnect (OSI) Model
Provides a standard interface at each layer, so a layer does not have to be concerned with the details of how other layers operate
Each layer is self-contained and can be updated without affecting other layers
Each layer communicates with the layer directly above and below it, and virtually (peer to peer) with the same layer on the remote system
Memory phrase, layer 1 up to layer 7: Please Do Not Throw Sausage Pizza Away
7 OSI Layers (each entry gives the TCP/IP layer and memory word, then data unit, communication type, device, what the layer controls/provides, and protocol examples)
7 – Application (TCP/IP 4 – Application; "Away")
  Unit: message (data). Communication: app to app. Device: gateway.
  Provides: standard interface to the network; problem solving.
  Protocols: DNS, DHCP.
6 – Presentation (TCP/IP 4 – Application; "Pizza")
  Unit: message (data). Communication: app to app. Device: gateway.
  Provides: translate & display; screen formatting; format & data structure; encryption and compression.
5 – Session (TCP/IP 4 – Application; "Sausage")
  Unit: message (data). Communication: app to app. Device: gateway.
  Provides: communication sessions between applications (set up, maintain, tear down); login/session establishment.
  Protocols: RPC, SQL database session, NFS, NetBIOS.
4 – Transport (TCP/IP 3 – Transport; "Throw")
  Unit: segment. Communication: host to host. Device: none (gateways/firewalls inspect here).
  Provides: flow control; error notification; order/sequence.
  Protocols: TCP (confirmed delivery), UDP (unconfirmed).
3 – Network (TCP/IP 2 – Internet/Network; "Not")
  Unit: packet. Communication: routing, logical address to logical address. Device: router.
  Provides: IP addressing and routing between networks.
  Protocols: IP.
2 – Data Link (TCP/IP 1 – Link, LAN/WAN interface; "Do")
  Unit: frame. Communication: address to address (MAC to MAC on one segment). Device: switch/bridge.
  Provides: framing; MAC addressing; link-level error detection.
  Protocols: PPP, Ethernet.
1 – Physical (TCP/IP 1 – Link; "Please")
  Unit: signal (bits). Communication: transmit & receive. Device: hub/repeater, cable/wireless, Wi-Fi transmitter.
  Provides: cable & voltage requirements; controls the electrical link between systems.
MAC Address = 48-bit
Cables
• Coax (10BASE2 thinnet) – 185 m max segment; single center conductor with a shield, not twisted pairs
• UTP – 100 m (about 328 ft) max segment; 4 twisted pairs
• Fiber – longest distances and immune to electrical interference; dense wavelength division multiplexing (DWDM) carries many channels on one strand
Point-to-Point Protocol (PPP)
• Data link layer protocol for accessing remote network using IP over serial lines (replaced SLIP)
IP Addresses (32 bits)
Two addresses in every subnet are reserved and cannot be assigned to hosts:
• Network address (e.g., 192.0.0.0) – the numeric name used in routing tables for the network path
• Broadcast address – the last address in the subnet
• The usable address space runs from the first to the last address between them; in practice the default gateway takes one of these as well
ARP – resolves an IP address to a MAC address; RARP – resolves a MAC address to an IP address
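Subnet accounting as described above, done with Python's standard-library ipaddress module. This is an added example, not from the ITauditSecurity guide; the CIDR blocks used are documentation/private ranges chosen for illustration. It also handles the edge case a practitioner hits on point-to-point links: a /31 has no broadcast address and both addresses are usable (RFC 3021), so "subtract two" is wrong there.

```python
"""Network, broadcast, and usable-host accounting for an IPv4 CIDR block.

Added example for the study guide; the addresses below are illustrative
(192.0.2.0/24 is the TEST-NET-1 documentation range, 10.0.0.0/31 a private block).
"""
import ipaddress


def subnet_summary(cidr):
    """Return a dict with network, broadcast, first/last usable host, usable and total counts."""
    # strict=False lets a host address such as 192.0.2.10/24 be normalised to its network
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen >= 31:
        # RFC 3021 point-to-point /31 (and a /32 host route): every address is usable,
        # and there is no separate broadcast address to reserve
        hosts = list(net)
        broadcast = None
    else:
        # hosts() already excludes the network and broadcast addresses
        hosts = list(net.hosts())
        broadcast = str(net.broadcast_address)
    return {
        "network": str(net.network_address),
        "broadcast": broadcast,
        "first_usable": str(hosts[0]),
        "last_usable": str(hosts[-1]),
        "usable": len(hosts),
        "total": net.num_addresses,
    }


def in_subnet(ip, cidr):
    """True if the host address falls inside the CIDR block (a routing/ACL membership check)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


if __name__ == "__main__":
    for block in ("192.0.2.10/24", "192.0.2.64/26", "10.0.0.0/31"):
        print(block, subnet_summary(block))
    print("192.0.2.77 in 192.0.2.64/26:", in_subnet("192.0.2.77", "192.0.2.64/26"))
```

For a /24 the function reports network .0, broadcast .255 and 254 usable hosts (.1 to .254); for the /31 it reports two usable addresses and no broadcast. The membership check is the same test a router or firewall ACL performs when matching a source address against a rule's prefix.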
VLANs (a router or layer 3 switch is required to reach other VLANs/subnets)
• Port-based: a specific switch port is configured into a specific VLAN. Small networks
• MAC-based: ties the MAC address to a VLAN; the switch reconfigures the port when that device connects
• Policy or rule-based: rule based on the IP address or protocol in the header; switch ports reconfigure automatically
BOOTP – like RARP, assigns an IP address to a host identified by its MAC address (predecessor of DHCP); do not confuse with DNS, which maps names to IP addresses
Dedicated Phone Circuits
• POTS (plain old telephone service) – analog; up to 56 Kbps with a modem (roughly half of an ISDN BRI)
• Integrated Services Digital Network (ISDN) – digital over POTS copper; carries data, voice, video (conferencing). BRI: 2 B channels of 64 Kbps + 1 D channel = 128 Kbps of data. PRI: 23 B channels + 1 D channel on a T1 (1.544 Mbps)
• Primary trunk line (T1) – 24 channels of 64 Kbps = 1.544 Mbps; dedicated point-to-point line, charged by the mile
• Digital Subscriber Line (DSL) – digital over POTS copper; typically 384 Kbps–1.544 Mbps or more, falling with distance from the exchange
Packet Switching
• Eliminated the need for dedicated lines (the Internet is packet switched)
• Not limited by distance
• Source & destination are known; the path is not
• Charged according to packets transmitted, not distance
Examples
• X.25 – foundation of modern switched networks (not popular today)
 o Quality of Service (QoS)
 o Permanent Virtual Circuits (PVCs) – fixed path, replaced dedicated phone lines
 o Switched Virtual Circuits (SVCs) – path set up per call and can change
• Frame relay – has PVCs and SVCs; 1.544–44.7 Mbps (replaced X.25)
 o Different format and functionality (less error checking than X.25, so faster)
 o Packets may arrive out of sequence and are reassembled
• Asynchronous Transfer Mode (ATM)
 o High speed, 155 Mbps–1 Gbps and above, using fixed 53-byte cells
 o Cell switching and multiplexing give predictable delivery (QoS)
 o Multiple concurrent data paths
Multiprotocol Label Switching (MPLS)
• Protocol and routing-table independent
• Packet headers are examined once at the ingress router (versus at every hop in traditional layer 3 routing) and the packet is assigned a label that carries the forwarding information
Piconet (pico = one trillionth, i.e., very small) – small wireless ad hoc network, e.g., a Bluetooth personal area network (PAN)
Syslog – traditionally sent over UDP: no message authentication or integrity, and no verification of delivery (TLS transport per RFC 5425 addresses both)
Remote Monitoring Protocol (RMON1) – monitors only the Data Link/MAC layer and below
Remote Monitoring Protocol 2 (RMON2) – extends monitoring to the network through application layers (3–7), so RMON1 and RMON2 together cover all 7 OSI layers; a sniffer typically decodes layers 1–3
> IT Governance
IT Governance – leading and monitoring IT performance & investment
• Strategic alignment between IT & business
• Monitoring assurance practices for executive management
• Intervention to stop, modify, or fix practices as they occur
3 IT Governance management levels:
• Strategic (3+ yrs)
• Tactical (6 months – 2 yrs)
• Operational (daily)
Balanced Scorecard – CB FG
• Customer
• Business process
• Financial
• Growth & Learning
3 layers that incorporate the 4 perspectives (MMS)
• Mission
• Metrics
• Strategy
5 Capability Maturity Model (CMM) Levels – zero IRD MO (Initial, Repeatable, Defined, Managed, Optimized)
• 13 to 25 months to move up a level
• Idea started in auto assembly line
CMM vs. ISO 15504 (SPICE) – PME PO (Performed, Managed, Established, Predictable, Optimizing)
# | CMM level | Description | Process characteristics | ISO 15504 level
0 | (nothing) | no process | – | Incomplete
1 | Initial | ad hoc, firefighting | unique and chaotic; people have the most freedom and decision making | Performed
2 | Repeatable | documented | inspected quality; project mgmt; basic standards, processes, procedures documented | Managed
3 | Defined | well documented and understood | lessons learned; standardization between departments | Established
4 | Managed | mgmt controls processes & adjusts | objectives, quantitative measurements, improvement procedures; portfolio mgmt; PMO; predictable by quantitative measure (numeric measure of quality) | Predictable
5 | Optimized | continually improved to reflect business needs | least freedom and decision making; statistical process control | Optimizing
Risk Management
Single Loss Expectancy (SLE) = Asset value (AV) $ * Exposure factor (EF) %
Annual Loss Expectancy (ALE)$ = SLE * Annual Rate of Occurrence (ARO)
Business Process Reengineering (BPR)
3 areas of improvement
1. Business efficiency
2. Improved techniques
3. New requirements
Guiding Principles
• Think big: define the future process/end state
• Incremental
• Hybrid approach: top-down view of strategy, bottom-up research
Business Process Reengineering (BPR) vs. Project Mgmt vs. SDLC Chart
6 BPR (EIDRRE) | 5 Project Mgmt (IP EMC) | 6 SDLC (FRD DIP, waterfall method) | Task
Envision | Initiate | Feasibility | Scope, sponsor, pick a process, goals
Initiate | Plan | Requirements | Stakeholder buy-in, external customer needs; identify benchmarks, activities, resources, roles, costs, communication needs
Diagnose | Execute | Design/Select* | Determine solutions, alternatives
Redesign | Execute | Development/Configuration* | Build prototypes
Reconstruct | Manage and Control | Implementation | Install systems, train, transition
Evaluate | Close | Post Implementation | Monitor and review; goals obtained? Lessons learned, archive files, TQM
* When software is purchased rather than developed in-house
BPR Rules
• Fix only broken processes
• Calculate ROI
• Understand current process first
• No leftovers
Role of IS in BRP
• Enable new processes by improving automation
• Provide IT project mgmt tools to analyze process and define requirements
• Provide IT support for collaboration tools, teleconference, and specialized business user software
• Help business integrate their processes with ERP
Delphi technique – blind interaction of ideas between group members
6 Benchmarking Steps – PRO AAI
• Plan – identify critical processes
• Research – baseline data re: own processes, then that of other businesses
• Observe – visit benchmark partner, collect data
• Analyze – identify gaps between own and benchmark partner’s processes
• Adapt – translate findings into principles strategies action plans
• Improve - link each process to improvement strategy and organizational goals
Business Impact Analysis – discovery of inner workings of a process
• Process value
• How process works, who does what
• Shortcomings
• Revenue created or supported
• Project process lifetime
> Systems & System Development Life Cycle (SDLC)
Verification/Validation Model (V-model)
• Identifies the relationship between development phases and test phases
• The most granular test, the unit test, validates the detailed design phase
Development methodology
• Organization-centric: use the SDLC
• End-user-centric: alternative approaches
SDLC/Waterfall technique - FRD DIP
See chart under Business Process Re-engineering
• Feasibility
o Identify the alternatives for addressing the business need
o Business case that justifies proceeding to the next phase
o Calculate ROI
o Impact assessment – future effects on current projects/resources
• Requirements
o Management/users must be involved
o Identify stakeholders and expectations
o Request for Proposal (RFP) process
o Create project schedule and resource commitments
o Create general preliminary design using an entity relationship diagram (ERD)
• Design/Select (When software is purchased rather than developed in-house, the stages are Select and Configuration)
o Establish baseline of system, program, database specifications
o Implement change control for scope creep - software baselining (design freeze), version numbering
o Address security considerations
• Development/Configuration*
o Includes all unit and system testing, iterations of user acceptance testing (UAT) in secure environment to protect against changes
o Develop data conversion strategies
o Train super users
o QA activities, software QA plan, Application QA function
Focuses on documented specifications and technology used, application works as specified in logical design; performed by IT; not functionality related
• Implementation
o Final UAT
o Certification
Assessment of management, operational, and technical controls; used to reassess risks and update security plan
o Accreditation process
Management decision to authorize operation
Involves accepting responsibility and accountability for system’s risks and system security
• Post Implementation
o Assess whether system meets business requirements, has appropriate access controls, ROI achieved, lessons learned
o ROI requires a few business cycles to be completed first
o Info to be reviewed needs to be identified at project startup
Entity Relationship Diagram (ERD)
• Example: http://en.wikipedia.org/wiki/File:ER_Diagram_MMORPG.png
• Identifies relationships between system data
• Data modeling technique that describes information needs or the type of information to be stored in a database (helps design the data dictionary)
• Entity
o Physical object such as a report, an event such as a sale or a repair service, or a concept such as a customer transaction or order (logical construct) NOUNS
o Attributes form the keys of an entity
o Primary key uniquely identifies each instance of an entity
o Represented by rectangular boxes
• Relationships
o How entities are associated VERBS
o Foreign key is one or more entity attributes that map to primary key of related entity
o Represented by diamonds
Testing
• Regression – rerunning a part of the test scenario to ensure changes have not introduced new errors
• Sociability – can system operate in target environment without impacting existing systems (memory, shared DLLs)
Alternatives to SDLC Project Organization
Iterative Development
• Develop in iterations or increments, with feedback after each stage
• Now regarded as best practice; deals with development complexities and risks
Examples
• Evolutionary – create prototype to gather/verify requirements, explore design issues (called prototyping)
• Spiral – uses series of prototypes that become more detailed; risk analysis precedes each prototype
• Agile – developed in short, time-boxed iterations; uses tracer-bullet approach
Evolutionary (Prototyping) Development (also called Heuristic)
• Combines best of the SDLC with an iterative approach that enables developer and customer to react to risks at each iteration
• Focuses on prototyping screens and reports
Disadvantages
• Leads to system extras that were not included in initial requirements (could end up functionally rich but inefficient)
• Poor controls (that normally come out of traditional SDLC)
• Poor change control and documentation/approvals
Agile Development
Process designed to handle changes to the system being developed or the project itself
Scrum, one of first processes, 1990s
Characteristics
• Small, time-boxed iterations (plan and do 1 phase at a time)
• Replanning at the end of each iteration (e.g., identify new requirements, reprioritizing)
• Relies on head knowledge (vs. project documentation), frequent team meetings
• Pair-wise programming: 2 people code same functions (knowledge share and quality check)
• Planning and control by team members; project manager = facilitator/advocate
• Validate functionality via frequent build-test cycle to limit defects
Rapid Application Development (RAD)
Well-defined methodology
• Evolutionary prototypes with rigid limits on development timeframes
• Small, well-trained team
• Integrated power tools for development
• Central repository
• Iterative requirements and design workshops
• Does NOT support planning or analysis of the info needs of business area/ enterprise as a whole
Stages
1. Concept definition
2. Functional design
3. Development
4. Deployment
Alternative Development Methods
Development methods (data-oriented, object-oriented) are independent of the project organization model (evolutionary, spiral, agile)
Data-Oriented System Development (DOSD)
Focuses on data and their structure in prespecified formats for download or use in other systems
Examples: stock, airline flight data
Eliminates data transformation/converting errors
Object-Oriented System Development (OOSD)
Data and procedure (instructions) are grouped in an object
Data = attributes, functionality = methods (vs. SDLC which addresses data separate from procedures)
OOSD = programming technique, NOT a software development methodology: can be used in prototyping, waterfall, agile, etc.
• Objects are created from a template called a class, which contains characteristics of the class without reference to the data
• Polymorphism: ability of objects to interpret a message differently at execution depending on object’s superclass
• First OOP languages: Simula 67, Smalltalk; Java boosted acceptance of OOP
• Unified Modeling Language (UML)
Major Advantages
• Ability to manage unrestricted variety of data types
• Ability to model complex relationships
Component-Based Development
• Outgrowth of OOD
• Definition: assembling applications from packages of executable software that make their services available through defined interfaces (i.e., objects, which can interact with one another regardless of language written in or OS running)
o In process client components – run from within a container ( e.g., web browser)
o Stand-alone client components – applications that expose services to other software (e.g., Excel and Word).
Initiated by RPCs or other network calls. Supporting technologies:
• Microsoft’s Distributed Component Object Model (DCOM) – basis for ActiveX
• Common Object Request Broker Architecture (CORBA)
• Java via Remote Method Invocation (RMI)
All of the above are distributed object technologies, which allow objects on distributed platforms to interact. Also called middleware, which provides run-time services whereby programs/objects/components can interact.
o Stand-alone server components – processes running on servers that provide standard services
o In process server components – run on servers within containers
Microsoft’s Transaction Server (MTS)
Enterprise Java Beans (EJB)
Benefits
o Reduces development time & cost. Only have to code unique parts of the system.
o Improves quality. Prewritten components have already been tested.
o Allows developers to focus more on business functionality. Increases abstraction and shields low-level programming details.
o Promotes modularity.
o Simplifies reuse. No source required, no need to know procedural or class libraries.
o Supports multiple development environments as components can interact regardless of language or OS.
o Allows combining build and buy components.
Web-Based Application Development
Extensible Markup Languages (XML) are key to development
Simple Object Access Protocol (SOAP) is used to define APIs
• SOAP works with any OS or programming language that supports XML
• SOAP is simpler than RPCs in that modules are coupled loosely (can change one component without changing others)
• Web Services Description Language (WSDL) identifies the SOAP specification used for the module’s API; formats the SOAP messages in/out of the module. Also identifies the web service available to be used
• Universal Description, Discovery, and Integration (UDDI) is used to make an entry in the UDDI directory, which allows others to find and use the available web services
Reengineering – updating an existing system by extracting and reusing design and program components.
Reverse Engineering
Risks
• Software licenses usually prohibit it to protect trade secrets/programming techniques
• Decompilers depend on specific computers, OSs, and programming languages. Any changes to these require a new decompiler.
Physical Architecture Analysis (RADFFP)
• Review of existing architecture
• Analysis and design
• Draft functional requirements (start vendor selection)
• Function requirements
• Define final functional requirements
• Proof of Concept
Change Control Procedures
Change Management Auditing
• Program library access is restricted
• Supervisory reviews occur
• Changes are approved and documented
• Potential impact of changes is assessed
• User approves change
• Programming management reviews/approves change
• Implementation date on change request matches actual implementation date
• Distributed systems – changes are rolled out to all nodes (check for same version of software)
Emergency Changes
• Emergency ID use is logged and monitored
• Normal change controls are applied, often retroactively
Computer-aided Software Engineering (CASE)
3 categories of CASE tools
• Upper CASE – describe and document business/application requirements
• Middle CASE – develop the detailed design: screen/report layouts, editing criteria, data object organization, process flow
• Lower CASE – generate code and database definitions (using upper and middle case output)
Key CASE Audit Issues
Functional design and data elements become the source code
• Users are involved
• CASE methodology is defined and followed
• Integrity of data between CASE products and processes is controlled and monitored
• Changes to the application are reflected in stored CASE product data
• Application controls are designed and included
• CASE repository is secured and version control implemented
Programming Languages
1st – machine lang
2nd – assembly lang
3rd – English-like
4th – embedded database interface, prewritten utilities; programmer selects program actions (aka pseudocoding or bytecoding)
5th – artificial intelligence; learning system/fuzzy logic/neural algorithms
Fourth-generation Languages
4GL Characteristics
• Nonprocedural language – event driven, uses OOP concepts of objects, properties, and methods
• Portable across OSs, computer architectures
• Software facilities – allows design/paint of screens, help screens, and graphical outputs
• Programmer workbench concepts (integrated development environment) – include filing facilities, temporary storage, text editing, OS commands
• Simple language subsets
4GL Types
• Query and report generators
• Embedded database 4GLs – FOCUS, RAMIS II, NOMAD 2
• Relational database 4GLs – included in vendor DBMS to allow better use of DBMS product: SQL+, MANTIS, NATURAL
• Application generators – generate lower-level programming languages (3GL) like COBOL and C.
Application Controls
Definition: controls over input, processing, and output functions
Examples
• Edit tests
• Totals
• Reconciliations
• Identification/reporting of incorrect, missing, and exception data
Auditor tasks
• Identify significant application components and flow of transactions
• Gain an understanding of the application through documentation review and interviews
• Identify application control strengths and weaknesses
• Test controls and evaluate the control environment
• Review application efficiency/effectiveness, and whether it meets management objectives
Input Controls
Input Authorization
• Signatures on batch forms/source documents
• Online access controls ensuring only authorized users can access data and perform sensitive functions
• Unique passwords
• Terminal/workstation identification to limit clients that can access the application
• Source documents – should be prenumbered and controlled
Batch Controls and Balancing
• Definition: Input transactions grouped together (batched) to provide control totals.
Batch Controls
• Total $ amount
• Total items
• Total documents
• Hash totals – total of a meaningless, predetermined field (e.g., customer account numbers or zip codes) used to detect errors or omissions; do not ensure correct employees, pay rates, etc., only errors or omissions
Balancing Controls
• Batch registers – comparing manual batch totals against system reported totals
• Control accounts – control account use is performed via an initial edit to determine batch totals. After processing data to the master file, reconciliation is performed between the initial edit file totals and the master file.
• Computer agreement – application compares the batch totals recorded in the batch header with the calculated totals and accepts/rejects the batch
Error Handling and Reporting
Input Error Handling
• Reject only transactions (trx) with errors
• Reject the whole batch of trxs
• Hold the batch in suspense (until errors corrected)
• Accepting the batch and flagging error transactions
Input Control Techniques
• Trx log of all updates, verified to source documents
• Reconciliation of data
• Documentation – written evidence of user, data entry, and data control procedures
• Error correction procedures
o Logging of errors
o Timely corrections
o Upstream resubmission
o Approval of corrections
o Suspense file
o Error file
o Validity of corrections
• Anticipation – user or control group anticipates the receipt of data
• Transmittal log of transmission or receipt of data
• Cancellation of source documents – punching or marking to avoid duplicate entry
Batch Integrity
• Batch established by time of day, specific terminal of entry, or individual who entered data
• Supervisor reviews batch and releases for processing
Data Validation/Editing Procedures
• Identifies errors, incomplete or missing data, and inconsistencies among related items.
• Should occur as close to the time and point of origination as possible
Edits and Controls (types of checks)
• Sequence – control numbers are sequential
• Limit
• Range
• Validity
• Reasonableness
• Table lookups
• Existence
• Key verification – two people key the data and both sets are compared
• Check digit – detects transposition and transcription errors
• Completeness
• Duplicate
• Logical relationship
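The edit checks listed above applied to a keyed batch, as an added Python example (not code from the guide). Field names, limits, the region lookup table and the sample records are constructed; the check-digit routine is the mod-10 (Luhn) scheme, one common check-digit algorithm, chosen here for illustration.

```python
"""Data validation/edit checks at the point of input (added example, not from
the guide).  Each record is a dict as keyed by an operator; the edits return
(control_no, check, detail) findings so bad records can be rejected or flagged.
Field names, limits and sample data are constructed for this example.
"""
from datetime import date

VALID_REGIONS = {"N", "S", "E", "W"}        # validity / table lookup
CREDIT_LIMIT = 5000                         # limit check on amount
QTY_RANGE = (1, 999)                        # range check on quantity
REQUIRED = ("control_no", "account", "region", "qty", "amount", "order_date", "ship_date")


def luhn_ok(account: str) -> bool:
    """Mod-10 (Luhn) check digit, one common scheme: catches any single-digit
    transcription error and most transpositions of adjacent digits."""
    if not account.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(account)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def edit_checks(records: list[dict]) -> list[tuple]:
    findings = []
    seen_accounts = set()
    expected = None
    for rec in records:
        no = rec.get("control_no")
        # Completeness: every required field present and non-empty
        missing = [f for f in REQUIRED if rec.get(f) in (None, "")]
        if missing:
            findings.append((no, "completeness", f"missing {missing}"))
            continue                      # the remaining edits need the fields
        # Sequence: control numbers must be consecutive
        if expected is not None and no != expected:
            findings.append((no, "sequence", f"expected {expected}"))
        expected = no + 1
        # Validity: region must exist in the lookup table
        if rec["region"] not in VALID_REGIONS:
            findings.append((no, "validity", f"region {rec['region']!r}"))
        # Range: quantity within the allowed band
        lo, hi = QTY_RANGE
        if not lo <= rec["qty"] <= hi:
            findings.append((no, "range", f"qty {rec['qty']}"))
        # Limit: amount must not exceed the predetermined ceiling
        if rec["amount"] > CREDIT_LIMIT:
            findings.append((no, "limit", f"amount {rec['amount']}"))
        # Check digit: account number self-checks for keying errors
        if not luhn_ok(rec["account"]):
            findings.append((no, "check digit", f"account {rec['account']}"))
        # Duplicate: same account keyed twice in one batch
        if rec["account"] in seen_accounts:
            findings.append((no, "duplicate", f"account {rec['account']}"))
        seen_accounts.add(rec["account"])
        # Logical relationship: cannot ship before the order is placed
        if rec["ship_date"] < rec["order_date"]:
            findings.append((no, "logical relationship", "ship before order"))
    return findings


# Constructed sample batch: record 1 is clean, the others each trip one or more edits.
SAMPLE = [
    {"control_no": 1, "account": "79927398713", "region": "N", "qty": 10, "amount": 120,
     "order_date": date(2012, 3, 1), "ship_date": date(2012, 3, 3)},
    {"control_no": 2, "account": "79927398710", "region": "N", "qty": 5, "amount": 60,   # bad check digit
     "order_date": date(2012, 3, 1), "ship_date": date(2012, 3, 3)},
    {"control_no": 4, "account": "4539578763621486", "region": "Q", "qty": 0,       # gap, validity, range,
     "amount": 9000, "order_date": date(2012, 3, 2), "ship_date": date(2012, 3, 1)},  # limit, ship before order
    {"control_no": 5, "account": "79927398713", "region": "S", "qty": 1, "amount": 10,   # duplicate account
     "order_date": date(2012, 3, 2), "ship_date": date(2012, 3, 4)},
    {"control_no": 6, "account": "", "region": "E", "qty": 1, "amount": 10,              # incomplete
     "order_date": date(2012, 3, 2), "ship_date": date(2012, 3, 4)},
]

if __name__ == "__main__":
    for finding in edit_checks(SAMPLE):
        print(finding)
```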
Processing Controls
Ensure completeness and accuracy of accumulated data
Processing Control Techniques
• Manual recalculations
• Edit check
• Run-to-run totals
• Programmed controls (e.g., detects incorrect file or file version)
• Reasonable verification of calculated amounts
• Limit checks on calculated amounts – check using predetermined limits
• Reconciliation of file totals
• Exception reports
Data File Control Procedures
• Ensures only authorized processing occurs
Data File Control Techniques
• Before and after image reporting – shows impact trxs have on data
• Maintenance error reporting and handling
• Source documentation retention
• Internal and external labeling of files, batches, tapes
• Version usage (file or database)
• Data file security
• One-for-one checking – documents processed equals source documents
• Prerecorded input – some data preprinted on blank input forms to reduce entry errors
• Trx logs
• File dating and maintenance authorization
• Parity checking for transmission errors
o Vertical/column check – check on single character
o Horizontal/longitudinal/row check – check on all the equivalent bits
Use of both checks recommended
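The vertical and longitudinal parity checks above, as an added Python example (not code from the guide) that also shows why both are recommended: each check misses an error pattern the other catches, and together they can locate a single flipped bit. Even parity, the sample block and the injected errors are constructed for illustration.

```python
"""Vertical (VRC) and longitudinal (LRC) parity checks on a transmitted block
(added example, not from the guide).  Even parity is used; the sample data and
the error injections are constructed for this example.
"""


def vrc_bit(byte: int) -> int:
    """Vertical/column check: one parity bit per character (even parity)."""
    return bin(byte).count("1") % 2


def lrc_byte(data: bytes) -> int:
    """Horizontal/longitudinal/row check: parity across the equivalent bits of
    every character in the block, i.e. the XOR of all bytes."""
    lrc = 0
    for b in data:
        lrc ^= b
    return lrc


def frame(data: bytes) -> tuple[list[int], int]:
    """What the sender transmits with the data: one VRC bit per byte plus one LRC byte."""
    return [vrc_bit(b) for b in data], lrc_byte(data)


def check(data: bytes, vrc: list[int], lrc: int) -> dict:
    """Receiver side: which characters fail VRC and whether LRC fails.
    When exactly one character fails VRC and exactly one column fails LRC, the
    flipped bit is located (row from VRC, column from LRC) and corrected."""
    bad_rows = [i for i, b in enumerate(data) if vrc_bit(b) != vrc[i]]
    lrc_diff = lrc_byte(data) ^ lrc            # set bits mark the bad columns
    result = {"vrc_failed": bad_rows, "lrc_failed": lrc_diff != 0, "corrected": None}
    if len(bad_rows) == 1 and bin(lrc_diff).count("1") == 1:
        fixed = bytearray(data)
        fixed[bad_rows[0]] ^= lrc_diff
        result["corrected"] = bytes(fixed)
    return result


def flip(data: bytes, index: int, mask: int) -> bytes:
    """Inject a transmission error by flipping the bits in `mask` of byte `index`."""
    out = bytearray(data)
    out[index] ^= mask
    return bytes(out)


MESSAGE = b"ACCT 4821"                        # constructed sample block
VRC, LRC = frame(MESSAGE)

# Single-bit error: VRC flags the character, LRC flags the column -> correctable.
ONE_BIT = flip(MESSAGE, 5, 0b0000_0100)
# Two bits flipped in one character: parity of that character is unchanged, so
# VRC misses it; LRC catches it because two columns changed.
TWO_BITS_SAME_CHAR = flip(MESSAGE, 5, 0b0000_0110)
# The same bit flipped in two characters: VRC flags both, but the column parity
# is unchanged, so LRC alone would have missed it.
SAME_BIT_TWO_CHARS = flip(flip(MESSAGE, 2, 0b0001_0000), 7, 0b0001_0000)

if __name__ == "__main__":
    for name, received in [("clean", MESSAGE), ("one bit", ONE_BIT),
                           ("two bits/one char", TWO_BITS_SAME_CHAR),
                           ("one bit/two chars", SAME_BIT_TWO_CHARS)]:
        print(f"{name:18s} {check(received, VRC, LRC)}")
```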
4 Categories of data files or database tables
• System control parameters – controls edits and exception flags; changes to these files should be controlled same as program changes
• Standing data – data that seldom changes, referred to during processing (e.g., vendor names & addresses). Changes should be authorized and logged.
• Master data/balance data – running balances and totals should be adjusted only under strict approval/review controls and logged
• Trx files – controlled via validation checks, control totals, exception reports, etc.
Output Controls
Ensures delivered data is presented, formatted, and delivered consistently and securely
• Logging and storage of negotiable, sensitive, and critical forms securely
• Computer generation of negotiable instruments, forms, and signatures
• Report distribution
o All reports logged prior to distribution
o Secure print spools to avoid deletion or redirection of print jobs
o Restricted to certain IT resources, websites, or printers
o Confidential disposal
• Balancing and reconciling
• Output error handling
• Output report retention
• Verification of receipt of reports
Risk Assessment of Application Controls
• Quality of internal controls
• Economic conditions
• Recent accounting system changes
• Time since last audit
• Prior audit results
• Complexity of operations
• Changes in operations/environment
• Changes in key positions
• Time in existence
• Competitive environment
• Assets at risk
• Staff turnover
• Trx volume and trends
• Regulatory agency impact
• Monetary volume
• Sensitivity of trxs
• Impact of application failure
User Procedures Review
• SOD – authority to do only one: origination, authorization, verification, distribution (DAVO)
• Authorization of input – written approval or unique passwords
o Supervisor overrides should be logged and reviewed by mgmt
o Excessive overrides may indicate validation/edit routines need improvement
• Balancing
• Error control and correction
• Distribution of reports
• Access authorizations and capabilities
o Based on job description
o Activity reports generated and reviewed (activities valid for user and occur during authorized hours of operations)
o Violation reports of unauthorized activities or unsuccessful access attempts
Data Integrity
Testing
• Cyclical testing – checking data against source documents, one section of data at a time. Whole file is eventually checked after multiple cycles.
• Data Integrity Tests
o Relational – at data element and record levels
o Referential – enforced through programmed data validation routines or by defining the input conditions (edits), or both
Define existence relationships between database elements (primary and foreign keys)
All references to a primary key from another file (foreign key) actually exist in the original file
Data Integrity Requirements (ACID)
• Atomicity – trx is completed entirely or not at all
• Consistency – maintained with each trx, taking the database from one consistent state to another
• Isolation – each trx isolated and accesses only data part of a consistent database state
• Durability – trxs that are reported complete survive subsequent HW/software failures
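The referential integrity test and the atomicity/consistency requirements above, shown together in one added Python example using SQLite (not code from the guide). Table names, the balance constraint and the sample rows are constructed; the transfer deliberately credits before it debits so that the rollback of the first statement is visible when the second fails.

```python
"""Referential integrity and ACID atomicity with SQLite (added example, not from
the guide).  A sale must reference an existing customer (foreign key), and a
two-row transfer is applied entirely or not at all.  Names and data are constructed.
"""
import sqlite3


def open_db() -> sqlite3.Connection:
    """In-memory database.  SQLite does not enforce foreign keys unless the
    pragma is switched on for the connection, which is itself an audit point."""
    con = sqlite3.connect(":memory:")
    con.execute("PRAGMA foreign_keys = ON")
    con.executescript("""
        CREATE TABLE customer (
            cust_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL,
            balance INTEGER NOT NULL CHECK (balance >= 0)   -- consistency rule
        );
        CREATE TABLE sale (
            sale_id INTEGER PRIMARY KEY,
            cust_id INTEGER NOT NULL REFERENCES customer(cust_id),  -- foreign key
            amount  INTEGER NOT NULL
        );
        INSERT INTO customer VALUES (1, 'Acme', 500), (2, 'Bolt', 100);
    """)
    return con


def insert_sale(con: sqlite3.Connection, sale_id: int, cust_id: int, amount: int) -> bool:
    """Referential test: a sale whose cust_id has no matching customer is rejected."""
    try:
        with con:
            con.execute("INSERT INTO sale VALUES (?, ?, ?)", (sale_id, cust_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def transfer(con: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """Atomicity test: credit and debit commit together or the whole trx is rolled
    back.  The CHECK constraint (consistency) makes an overdraft fail on the debit."""
    try:
        with con:   # commits on success, rolls back on any exception
            con.execute("UPDATE customer SET balance = balance + ? WHERE cust_id = ?", (amount, dst))
            con.execute("UPDATE customer SET balance = balance - ? WHERE cust_id = ?", (amount, src))
        return True
    except sqlite3.IntegrityError:
        return False


def balances(con: sqlite3.Connection) -> dict:
    return dict(con.execute("SELECT cust_id, balance FROM customer ORDER BY cust_id"))


def orphan_sales(con: sqlite3.Connection) -> list:
    """Audit query: every foreign key in sale must exist in customer."""
    return con.execute("""
        SELECT s.sale_id FROM sale s LEFT JOIN customer c ON s.cust_id = c.cust_id
        WHERE c.cust_id IS NULL
    """).fetchall()


if __name__ == "__main__":
    db = open_db()
    print("valid sale accepted:", insert_sale(db, 10, 1, 50))
    print("orphan sale accepted:", insert_sale(db, 11, 99, 50))
    print("overdraft transfer committed:", transfer(db, 2, 1, 300), balances(db))
    print("good transfer committed:", transfer(db, 1, 2, 200), balances(db))
```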
Application Testing Methods
• Snapshot – records flow of designated trxs through logic paths within programs
• Mapping – identifies untested program logic and whether program statements have been executed
• Tracing & tagging – shows trail of instructions executed; tagging selected trxs and using tracing to track them
• Test data/deck
• Base case system evaluation – uses test data to verify correct system operations (extensive test)
• Parallel operation
• Integrated test facility – using fictitious file with test trxs that is processed with live data
• Parallel simulation – processing production data against simulated program logic
• Trx selection programs – uses audit software to screen and select trxs
• Embedded audit data collection – software embedded in production system used to select input and generated trxs during production
o System control audit review file (SCARF) – auditor determines reasonableness of tests incorporated into normal processing; provides information for further review
o Sample audit review file (SARF) – randomly selects trxs for analysis
• Extended records – gathers all data affected by a particular program for review
Continuous Auditing Techniques
• System control audit review file and Embedded Audit Modules (SCARF/EAM)
• Snapshots of data from input to output; trxs are tagged by applying identifiers and recording selected information for audit review
• Audit hooks – function as red flags; allow review before issues get out of hand
• Integrated test facility (ITF)
• Continuous and Intermittent Simulation (CIS) – system audits trxs that meet predetermined criteria
E-commerce Risks
• Confidentiality
• Integrity
• Availability
• Authentication and non-repudiation
• Power shift to customers
E-commerce Audit/Control Issues (Best Practices)
• Security architecture (firewalls, encryption, PKI, certificates, password mgmt)
• Digital signatures
• Public Key Infrastructure (PKI)
o Framework for issuing, maintaining, verifying and revoking public key certificates by a trusted party.
o Key elements
Digital certificates – public key and info about the owner that authenticates the owner (issued by trusted 3rd party)
• Includes distinguishing username, public key, algorithm, certificate validity period
Certificate Authority (CA) – trusted provider of public/private key pairs that confirms authenticity of the owner of the certificate (business) by issuing/signing the requestor’s certificate with CA’s private key
Registration Authority (RA) – optional entity that some CAs use to record/verify business’ information needed by a CA to issue/revoke certificates
Certification revocation list
Certification practice statement (CPS) – rules governing CA’s operations, controls, validation methods, expectations of how certificates are to be used.
• Log monitoring
• Methods and procedures to identify security breaches
• Protecting customer data to ensure not used for other purposes or disclosed without permission
• Regular audits of security and controls
EDI Risks
• Transaction authorization
• Business continuity
• Unauthorized access to transactions
• Deletion/manipulation of transactions before or after establishment of application controls
• Loss or duplication of EDI transmissions
• Loss of confidentiality or improper distribution of trx by 3rd parties
EDI Controls
• Message format and content standards to avoid transmission errors
• Controls to ensure transmissions are converted properly for the application software
• Receiving organization controls to ensure reasonableness of messages received, based on trading partner’s trx history or documentation
• Controls to guard against manipulation of trxs in files and archives
• Procedures for ensuring messages are from authorized parties and were authorized
• Dedicated transmission channels between partners to prevent tapping
• Data is encrypted and digitally signed to identify source and destination
• Message authentication codes are used to ensure what was sent is received.
• Error handling for trxs that are nonstandard or from unauthorized parties
• Business relationships are defined in trading partner agreement identifying trxs to be used, responsibilities of both parties in handling/processing trxs, and business terms of the trxs
Auditing EDI
• Encryption processes ensure CIA and nonrepudiation of trxs
• Edit checks to identify erroneous, unusual, or invalid trxs prior to updating the application
• Edit checks to assess trx reasonableness and validity
• Trx are logged on receipt
• Control totals on receipt of trxs to verify number/value of trx to be passed to the application, and reconcile totals between applications and trading partners
• Segment count totals built into trx set trailers by sender
• Trx set count totals built into group headers by sender
• Validity of sender against trading partner details by:
o Using control fields with a message at the trx, function, group, or interchange level, often within the EDI header, trailer, or control record
o Using VAN sequential control numbers or reports, if applicable
o Sending acknowledgement trx to sender to verify receipt; sender matches acks against a log of EDI messages sent.
Digital Signatures
• Unique to each document; cannot be transferred or reused
• Verifies sender and that document has not been altered
• Based on message digest, a short, fixed length number
o Some messages have the same digest, but can’t produce message from them
o 128-bit cryptographic hash
o Similar to checksum or fingerprint of the document
• DES (symmetric); RSA (asymmetric – public key)
Risk Management for e-banking
1. Board & mgmt oversight
2. Security controls
3. Legal and reputational risk management
Purchase Order Accounting functions
• Accounts payable processing
• Goods received processing
• Order processing
Artificial Intelligence
• Languages: LISP and PROLOG
• Primary components
o Inference engine
o Knowledge base
Contains subject matter facts and rules for interpreting them
Decision trees – questionnaires or choices users walk through
Semantic nets – graph which describes relationships between the nodes
o Explanation module
o Database
• Also contains
o Knowledge interface – allows entry of knowledge without needing a programmer
o Data interface – enables system to collect data from nonhuman sources (other systems, like temperatures)
• Used in auditing!
• Errors in system have a bigger impact, especially in health care
Decision Support Systems
• Emphasizes effectiveness (right task/right decision) over efficiency (performing tasks quickly and reducing costs)
• G. Gorry-M.S. Morton framework – degree of structure in decision process & mgmt level making decision
o Decision-structure: structured, semi-structured, unstructured
Decision-structure depends on the extent it can be automated/programmed
o Mgmt-level: operational control, mgmt control, and strategic planning
• Sprague-Carson framework – family trees structure
• Motivated by end users
• Use 4GL
Critical Success Factors (CSF)
• Productivity
• Quality
• Economic value
• Customer service
Integrated Resource Management Systems (ERP)
American Standard Code for Information Interchange (ASCII)
Extended Binary-Coded Decimal Interchange Code (EBCDIC)
Project Portfolio Management Objectives
• Optimization of the results of the project portfolio
• Prioritizing and scheduling projects
• Resource coordination
• Knowledge transfer throughout the projects
PPM requires a PP database
Benefits Realization (Management) Techniques
• Describe benefits mgmt
• Assign measure/target
• Establish measuring/tracking regimen
• Document assumption
• Establish key responsibilities for realization
• Validate the benefits predicted in the business
• Planning the benefit to be realized
Project Mgmt Organizational Alignment
Method      Authority                          Style
Influence   Not formal                         Advise on which activities to complete
Pure        Formal                             Special work area
Matrix      Shared between PM & dept heads
ISO – Intern’l Org for Standardization – creates intern’l standards
ISO 15504 – PME PO / Software Process Improvement and Capability Determination (SPICE) – see CMM
ISO 9001 – quality mgmt
• Requires quality manual, trained staff, managed to improve competency
ISO 9126 Software Quality Metrics – FUR PEM
• Functionality of the software processes
• Usability (ease of use)
• Reliability with consistent performance
• Portability between environments
• Efficiency
• Maintainability for modifications
ISO 15489:2001 – Records Mgmt/Retention
• Requires ISO 9001 quality and 140001 records mgmt compliant
• Includes fundraising campaigns
• Used to determine liability and sentencing during prosecution
• Requires data classification
Decision Making
• Critical success factors
• Scenario planning
> IT Service Delivery & Support
IS Operations
• Resource allocation
• Standards & procedures
• Process monitoring
IS Hardware
CPU = arithmetic logic unit (ALU), control unit, and internal memory
IS Architecture & Software
Database Management System (DBMS)
Primary Functions
• Reduced data redundancy
• Decreased access time
• Security over sensitive data
Data Dictionary/Directory System
• Contains index and description of all items stored in database
• Defines and stores source and object forms of all data definitions in schemas and all associated mappings
• One DD/DS can be used across multiple databases
Database Structures
• Hierarchical
o Data arranged in parent/child relationships
o One-to-many mappings
o Results in duplicate data
o Easy to implement, modify, and search
o No high-level query capability; have to navigate the database
• Network
o Data arranged in sets (owner record type, member record, name)
o One-to-many or one-to-one mappings
o Sets can have the same member record type
o Very complex
o No high-level query capability; have to navigate the database
• Relational
o Based on sets and relational calculations (dynamic database)
o Data organized in tables (collection of rows)
Row/tuple = record
Columns/domains/attributes = fields
o Properties
Values are atomic
Rows are unique
Sequence of columns and rows insignificant
Allow control over sensitive data
o Easy to understand, query, modify
o Normalization – minimizing amount of data needed and stored by eliminating data redundancy and ensuring reference integrity
Networking
Baseband – single channel, half-duplex, entire capacity used to transmit one signal
Broadband – multiple channels, full duplex, multiple signals
Bridge – Data link layer 2 device used to connect LANs or create separate LAN or WAN segments to reduce collision domains
Router – Like bridges/switches, they link physically separate network segments. Block broadcast data. Software-based, less efficient than switches. Can connect LAN and WAN.
Router does packet-switching using microprocessor; layer 3 switch does switching using ASIC hardware
Layer 4 switch – switches based on layer 3 addresses and application information (such as port #s) to provide policy-based switching
Layer4-7 switches – used for load balancing
Gateways – protocol converters; used between LANs and mainframes or LANs and Internet
Synchronous transmission – bits transmitted at constant speed. Sending modem uses specific character when it starts sending data block to synchronize the receiving device. Provides maximum efficiency.
Asynchronous transmission – Sender uses start and stop bit before and after each data byte. Lower efficiency, but simpler.
Multiplexing – dividing physical circuit into multiple circuits by:
• Time-division – regardless of whether data is ready to transmit
• Asynchronous time division – dynamically assigned time slots as needed for transmission
• Frequency – based on signal frequency
• Statistical – dynamic allocation of any data channel based on criteria
Wireless
Wi-fi Protected Access (WPA) – wireless security protocol
Wireless Application Protocol (WAP) – multi-layered protocol and technologies that provide Internet content to mobile
wireless devices (phones and PDAs).
TCP/IP (32-bit)
• Includes network and application support protocols
• Network layer 3 = IP
• Transport layer 4 = TCP/UDP
Common Gateway Interface (CGI) Script – machine-independent code run on a server that can be called & executed by
a web server; performs tasks such as processing input received from a web form
Applets – Programs downloaded from web servers that run applications in browsers (most popular ones use Java,
JavaScript, Visual Basic)
Servlet – Small program that runs in web server, similar to CGI program. Unlike CGI, servlets stay in memory and can
serve multiple requests
Middleware – software used by client/server applications to provide communications and other services between
applications, systems, and devices.
• Services include identification, authentication, authorization, directories, and security
• Resides between the application and the network
• Manages the interaction between the GUI and the database back-end.
System Control
First level of control in a computer is the privileged supervisory user (root/admin).
Operating System States
• Supervisory – security front end not loaded; requests are run at highest authority level without security
controls.
• General user/problem – security is active; system is solving problems for user.
• Wait – computer busy and unable to respond to additional requests
> Protection of Information Assets
Risk – What can happen if a threat exploits a vulnerability.
Threat – Who or what can cause an undesirable event.
Vulnerability – How a weakness in technology or organizational process can be exploited by a threat.
Key elements of Information Security Mgmt
• Senior mgmt commitment & support
• Policies and procedures
• Organization (define who is responsible for protection)
• Security awareness & education
• Monitoring and compliance
• Incident Handling & response
Inventory Classification
• Identification of the asset (hardware, software, data)
• Relative value to the organization
• Location
• Security risk/classification
• Asset group, if asset forms part of larger system
• Owner
• Custodian
Logical security layers
• Networks
• Platforms (OS)
• Applications
• Databases
Mandatory access control (MAC)
• Control that cannot be changed by normal users or data owners; they act by default; prohibitive
• Changed by admins making decisions derived from policy
• Example: password complexity requirements
Discretionary access control (DAC)
• Controls that CAN be changed by normal users/data owners
• Example: access to departmental shared folder on server
Pharming – redirecting web site traffic to a bogus site via changes in DNS or a user’s host file
Biometrics
• Something you are (fingerprint) or do (typing behavior)
Quantitative measures (% rate)
o False rejection rate (FRR, type I) – person falsely rejected access
o Failure to enroll rate (FER) – person fails to enroll successfully
o False acceptance rate (FAR, type II) – unauthorized person allowed access
o Increase in type I rate decreases the type II rate & vice versa
o Equal error rate (EER) – point at which FRR & FAR are equal. The lower the measure, the more effective
the biometric
o Best response times and lowest EER: palm, hand, iris, retina, fingerprint, voice
• Palm* – ridges and valleys
• Hand geometry* – oldest, 3D, hand and fingers, 90 measurements
• Iris – color patterns around pupil, 260 characteristics. No physical contact, high cost
• Retina – blood vessel pattern, best FAR, requires close proximity, high cost
• Fingerprint – low cost, size, ease of integration
• Face – acceptable/friendly, but lack of uniqueness
* Socially accepted, low storage cost
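The FRR/FAR trade-off and the equal error rate described above, as an added example (not from the study guide): constructed genuine and impostor match scores are swept against an acceptance threshold, showing that raising the threshold increases the type I rate while lowering the type II rate, and where the two curves cross.

```python
"""Biometric error rates (constructed example, not from the study guide).

For a set of constructed comparison scores from genuine users and from
impostors, sweep the acceptance threshold and compute, per threshold,
  FRR (type I)  = genuine attempts rejected / genuine attempts
  FAR (type II) = impostor attempts accepted / impostor attempts
then locate the equal error rate (EER), where FRR and FAR meet.
"""

# Constructed similarity scores (0..100): higher means a closer match.
GENUINE = [88, 92, 75, 81, 95, 69, 84, 90, 78, 86, 73, 97]   # rightful users
IMPOSTOR = [42, 55, 38, 61, 47, 70, 33, 58, 52, 66, 45, 74]  # other people


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) for one acceptance threshold.

    A presented sample is accepted when its score >= threshold.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def tradeoff_table(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FRR, FAR) rows: a stricter threshold raises FRR, lowers FAR."""
    return [(t, *error_rates(t, genuine, impostor)) for t in thresholds]


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where |FRR - FAR| is smallest, and the EER at that point.

    With a finite score set the curves rarely cross exactly, so the EER is
    reported as the mean of FRR and FAR at the closest threshold.
    """
    best = None
    for t in range(0, 101):
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, eer = best
    return threshold, eer


if __name__ == "__main__":
    for t, frr, far in tradeoff_table([50, 60, 70, 80, 90]):
        print(f"threshold {t:3d}: FRR={frr:.2f}  FAR={far:.2f}")
    t, eer = equal_error_rate()
    print(f"EER ~ {eer:.3f} at threshold {t}")
```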
Single Sign-on (SSO)
• Consolidation of platform-based administration, authentication, and authorization functions into a single,
centralized function
• Example: Kerberos, developed at MIT, Project Athena
Bypassing Security Controls
Only system software programmers should have access to:
• Bypass label processing (BLP) – bypasses the reading of the file label, on which most access control rules are based, and
bypasses the associated security on the file
• System exits – system software feature that allows complex system maintenance. Exits often exist outside of
the computer security system, so they are not restricted or logged.
• Special system logon IDs – vendor provided
Wireless Security
9 categories of overall security threats
1. Errors and omissions
2. Fraud and theft by authorized/unauthorized users
3. Employee sabotage
4. Loss of physical and infrastructure support
5. Malicious hackers
6. Industrial espionage
7. Malicious code
8. Foreign government espionage
9. Personal privacy threats
Main Wireless Threats
1. Theft
2. DOS
3. Malicious hackers
4. Industrial espionage
5. Malicious code
6. Foreign government espionage
7. Theft of service
Security Requirements
• Authenticity – verification that message not changed in transit
• Nonrepudiation – verification of origin or receipt of message
• Accountability – actions traceable to an entity
• Network availability
Scanners – strobe, jakal, asmodeous
Install local firewall, turn off scripting
Firewalls
3 types of firewalls
• router packet filtering
• application
• stateful inspection
Router packet filtering
• first generation
• examines header (source/destination IP, port number) at network layer
• simple, stable performance
• allows direct exchange of packets between outside/inside systems
Miniature fragment attack - fragment the IP packet into smaller ones; the first packets will be examined, and the rest
won't
• Caused by default setting that passes residual packets
• Firewall should drop fragmented packets or offset value = 1
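The fragment rule above as a packet-filter check, added here as an example (not the guide's own code): it reads the flags/fragment-offset field of a raw IPv4 header and applies the guide's two options, dropping any fragment with offset 1 and, in a strict mode, dropping every fragment. The sample headers are constructed with documentation addresses.

```python
"""Tiny-fragment check for a packet-filtering firewall (constructed example).

An IPv4 header carries a 3-bit flags field and a 13-bit fragment offset
counted in 8-byte units.  A header-only filter inspects the first
fragment (offset 0); a following fragment with offset 1 starts only
8 bytes into the transport header, so the filter never sees the port
numbers it needs.  The guide's rule: drop offset-1 fragments, or drop
all fragments.
"""
import struct

IP_MF = 0x2000        # "more fragments" flag
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset


def ipv4_fragment_info(header: bytes):
    """Return (more_fragments, fragment_offset) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    flags_frag = struct.unpack("!H", header[6:8])[0]
    return bool(flags_frag & IP_MF), flags_frag & IP_OFFMASK


def filter_decision(header: bytes, strict: bool = False) -> str:
    """'drop' or 'pass' for the fragment-related part of a ruleset.

    Rule 1: offset 1 is never legitimate (it would start inside the
            transport header), so always drop it.
    Rule 2: in strict mode drop every fragment, first or subsequent, as the
            guide suggests for filters that only examine the first packet.
    """
    more, offset = ipv4_fragment_info(header)
    if offset == 1:
        return "drop"
    if strict and (more or offset > 0):
        return "drop"
    return "pass"


def make_ipv4_header(flags_frag: int, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header with the given flags/offset field.

    Constructed sample: 192.0.2.1 -> 198.51.100.1 (documentation ranges),
    TTL 64, checksum left at 0.
    """
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 1]),
                       bytes([198, 51, 100, 1]))


# Constructed sample packets
UNFRAGMENTED = make_ipv4_header(0)
FIRST_FRAG = make_ipv4_header(IP_MF | 0)   # offset 0, more fragments follow
TINY_FRAG = make_ipv4_header(IP_MF | 1)    # offset 1: overlaps transport header
LAST_FRAG = make_ipv4_header(3)            # offset 3, no MF flag

if __name__ == "__main__":
    for name, pkt in [("unfragmented", UNFRAGMENTED), ("first", FIRST_FRAG),
                      ("offset-1", TINY_FRAG), ("last", LAST_FRAG)]:
        print(f"{name:13s} default={filter_decision(pkt):4s} "
              f"strict={filter_decision(pkt, strict=True)}")
```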
Application Firewalls - 2 levels/types
• application-level
• circuit-level
• Neither allow the direct exchange of packets between outside/inside systems
Bastion hosting: Handle all requests and are highly fortified
• Can secure, modify, and log all packets
• Provide NAT
Application level
• analyzes traffic through a set of proxies, one for each service: http, ftp, etc
• can reduce network performance
Circuit-level
• Analyzes traffic through a single, general-purpose proxy
• more efficient, but rare
Stateful Inspection Firewalls
• Tracks destination address of packets leaving network; prevents initiation of attacks from outside
• Tracks connection-oriented and connectionless packets like UDP
• More efficient, faster firewall as packets are not examined in deep OSI layers
Firewall implementations
Screened host
• packet filtering router and bastion host
• Includes application firewall/proxy services
• bastion host is on private network, packet filtering router is between Internet and private network
• Requires compromise of two systems
Dual homed firewall
• More restrictive version of the screened host firewall, a dual-homed bastion host
DMZ or screened-subnet firewall
• Uses 2 packet filtering routers and bastion host
• Provides network (packet filtering) and application-level security with a DMZ network
• Inner router manages DMZ access to the internal network, accepting traffic only from the bastion host
• Requires compromise of 3 hosts; hides internal network addresses
Hardware firewalls are faster, but not as flexible or scalable
Software firewalls are slower, but more scalable
Intrusion Detection Systems (IDS)
• Monitor network anomalies
• Network-based
• Host-based – monitor modification of programs, files; detect privileged command execution
• Components
o Sensors that collect data
o Analyzers that receive input and determine intrusive activity
o Administrative console
o User interface
IDS Types
• Signature-based
• Statistical-based – must be configured with known and expected system behaviors
• Neural networks – monitors general activity, similar to statistical-based, but capable of self-learning
IDS cannot help with
• Policy definition weaknesses
• Application-level vulnerabilities
• Backdoors in applications
• Identification and authentication scheme weaknesses
Encryption
Key elements
• Encryption Algorithm
• Encryption Keys
• Key length
Private Key Systems
• Symmetric – 1 key encrypts and decrypts
• Less complicated, faster
• Problem is distributing key safely
• RC2, RC4, IDEA, DES, AES
Data Encryption Standard (DES) 64-bit block cipher
• 56-bit key (8 extra bits for parity checking)
• Replaced by AES 128-256 bit key (Rijndael → invented by Rijmen and Daemen)
o Symmetric block cipher
o Unlike DES, Rijndael has variable block and key length
o Based on round operations
Public Key Systems
• Asymmetric – 2 keys, one encrypts, other decrypts
• Keys created by integer factorization
• Used to encrypt symmetric keys and for digital signatures
• RSA (Rivest, Shamir, Adleman invented in 1977), Diffie-Hellman, DSA, Fortezza
Encrypt with public key, decrypt only with private key – confidentiality (read only by receiver)
Encrypt with private key, decrypt with public key – authentication and non-repudiation
Encrypt with private key, then public key – confidentiality, authentication, and non-repudiation
Elliptic Curve Cryptography (ECC)
• Public key variation using the discrete logarithm over an elliptic curve (2 points on curve)
• Works with networked computers, smart cards, wireless phones, mobile devices
• Less computational power, more security per bit (160-bit ECC = 1024-bit RSA)
Quantum Cryptography
• Uses interaction of light pulses, polarization metrics
Digital signatures
• Uses public key algorithm to ensure identity of sender and integrity of the data
• Hash algorithm creates message digest, smaller version of the original message
• Changes variable length messages into a fixed, 128-bit length digest
• Hashes are one-way functions, can't reverse
o MD5, SHA-1, SHA-256
• Digital signature encrypted by sender's private key, receiver decrypts with public key, then recomputes a
digital signature and compares it to the original signature
• Ensure data integrity, authentication, and non-repudiation (but not confidentiality)
• Vulnerable to man-in-the-middle attack
Digital Envelope
• Contains data encrypted with symmetric key and the session key (which is the symmetric key, encrypted with
the receiver's public/asymmetric key)
• Receiver's private key used to decrypt session key (symmetric key); symmetric key used to decrypt data.
• Uses asymmetric keys to protect the data integrity, authentication, and non-repudiation gained by symmetric
key
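The digital signature flow and the digital envelope flow from the two lists above, carried through in one added example (not the guide's own code). It uses textbook RSA with two fixed, tiny primes and no padding, and a SHA-256 keystream XOR standing in for the symmetric cipher, so it shows the data flow only and is not usable as real cryptography.

```python
"""Digital signature and digital envelope with textbook RSA (toy example).

Constructed example: the RSA primes are tiny and there is no padding, so
this only illustrates the flow the guide describes.  Sign = hash, then
apply the private key; verify = apply the public key, recompute the
hash, compare.  Envelope = encrypt data under a session key, encrypt the
session key under the receiver's public key.
"""
import hashlib
import secrets


def rsa_keypair(p=65521, q=65537, e=65537):
    """Toy RSA keypair from two fixed small primes (insecure by design)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent
    return (e, n), (d, n)                # (public, private)


def digest_int(data, n):
    """SHA-256 message digest reduced to an integer below n (toy shortcut)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data, priv):
    """Signature = digest 'encrypted' with the sender's private key."""
    d, n = priv
    return pow(digest_int(data, n), d, n)


def verify(data, signature, pub):
    """Receiver 'decrypts' with the public key, recomputes the digest, compares."""
    e, n = pub
    return pow(signature, e, n) == digest_int(data, n)


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream (stands in for AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal_envelope(data, receiver_pub):
    """Digital envelope: (data under session key, session key under receiver's public key)."""
    e, n = receiver_pub
    session_key = secrets.randbelow(n - 2) + 2          # fresh symmetric key
    ciphertext = keystream_xor(session_key.to_bytes(8, "big"), data)
    return ciphertext, pow(session_key, e, n)


def open_envelope(ciphertext, wrapped_key, receiver_priv):
    """Receiver's private key recovers the session key, which decrypts the data."""
    d, n = receiver_priv
    session_key = pow(wrapped_key, d, n)
    return keystream_xor(session_key.to_bytes(8, "big"), ciphertext)


if __name__ == "__main__":
    sender_pub, sender_priv = rsa_keypair()
    receiver_pub, receiver_priv = rsa_keypair(p=2147483647, q=65521)
    msg = b"Transfer 100 to account 42"   # constructed message
    sig = sign(msg, sender_priv)
    print("signature valid:", verify(msg, sig, sender_pub))          # True
    print("tampered message:", verify(msg + b"0", sig, sender_pub))  # False
    ct, wrapped = seal_envelope(msg, receiver_pub)
    print("opened envelope:", open_envelope(ct, wrapped, receiver_priv))
```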
Secure Sockets Layer (SSL) and Transport Layer Security (TLS)
• Session or connection-layered protocol
• Provides end point authentication and confidentiality
• Typically, only the server is authenticated (including the client requires PKI deployment)
• Phases
o Algorithm negotiation
o Exchange of Public key and certificate-based authentication
o Symmetric cipher-based traffic encryption
• Runs on layers beneath application protocols HTTP, SMTP, NNTP and above the TCP protocol
• Uses hybrid of hashed, private, and public key cryptography to provide confidentiality, integrity, authentication
(between client & server), and non-repudiation
IPSec
• Runs at the network layer
• Used for communicating between two or more hosts, subnets, or hosts and subnets (establishes VPNs)
• Transport mode – only data portion of packet (encapsulation security payload (ESP)) is encrypted –
confidentiality
• Tunnel mode – ESP payload (data) and header are encrypted. Additional authentication header (AH) provides
non-repudiation
• Uses security associations (SAs) to define the security parameters to use (algorithms, keys, initialization
vectors, etc.)
• Using asymmetric encryption via Internet Security Association and Key Management Protocol/Oakley
(ISAKMP/Oakley) increases IPSec security by using key management, public keys, negotiation, uses of SAs, etc.
SSH
• Runs at application layer
• Client/server program for encrypting command-line shell traffic used for remote logon and management.
• Used to secure telnet and ftp
Secure Multipurpose Internet Mail Extensions (S/MIME)
• Email protocol authenticating sender and receiver
• Verifies message integrity and confidentiality, including attachments
Secure Electronic Transactions (SET)
• Visa/MasterCard protocol used to secure credit card transactions
• Application protocol using PKI of trusted 3rd party
Encryption Risks
• Secrecy of keys is paramount
• Randomness of key generation relates to how easy a key can be compromised
• Tying passwords to key generation weakens the key’s randomness, so important to use strong passwords
Viruses
• Attached to programs
• Self-propagating to other programs
• Attack EXEs, file directory system, boot & system areas, data files
Worms
• Does not attach to programs
• Propagates via OS security weaknesses
Virus/Worm controls – policies (preventative) and antivirus software (detective)
• Backups = vital control
VOIP
• Replaces circuit switching (and associated waste of bandwidth) with packet switching
• Secure VOIP similar to data networks (firewalls, encryption)
• Network issues take down phones also, so backup availability a big issue
• VLANs should be used to segregate VOIP infrastructure/traffic
• Session Border Controllers (SBCs) provide VOIP security similar to firewalls by monitoring VOIP protocols,
monitor for DoS, provide network address and protocol transition features
Private Branch Exchange (PBX)
• In-house phone company for organization, allows 4-digit dialing, save cost of individual phone lines to phone
company’s central office
• PBX security different from normal OS security
o External access/control by 3rd party for updates/maintenance
o Richness of features available for attacks
PBX Controls
• Physically secure PBX and telephone closets
• Configure and secure separate and dedicated admin ports
• Control direct inward dial (DID) lines to avoid external parties getting dial tone for free long-distance calls
• Block certain long-distance numbers
• Control numbers destined for faxes and modems
• Use call-tracking logs
• Maintenance out of Service (MOS) – signaling communication is terminated on PBX, but line may be left open
for eavesdropping
• Embedded passwords can be restored when system rebooted during crash recovery
Auditing Infosec Management Framework
• Policies/Procedures, including Logical Access Security Policies
• Security Awareness and training
• Data ownership: owners, custodians, security administrator
• New IT users (sign document regarding security policies/procedures)
• New Data Users
• Documented user authorization
• Terminated users
• Security baseline
• Inventory (devices, applications, data)
• Antivirus
• Passwords
• Patching
• Minimizing services (turn off unneeded)
• Addressing vulnerabilities
• Backups
Computer Forensics (IPAP)
• Identify – information
• Preserve – retrieving data, documenting chain of custody
▪ Who had access to the data
▪ How evidence gathered
▪ Proving that analysis based on copies of original, unaltered evidence
• Analyze
• Present
> BCP/DRP
Starts with risk assessment
• People, data, infrastructure, and other resources that support key business processes
• Dangers and threats to the organization
• Estimated probability of threat occurrence
BCP includes
• DRP plan
• Plan to restore operations to normal following disaster
• Improvement of security operations
BCP Lifecycle
• Create BCP policy
• Business Impact Analysis (BIA)
• Classification of operations and criticality
• Identify IS processes that support business criticality
• Develop BCP and IS DRP
• Develop resumption procedures
• Training and awareness programs
• Test and implement plan
• Monitoring
BCP Policy
• Should encompass preventative, detective, and corrective controls
• BCP most critical corrective control
• Incident management control
• Main severity criterion is service downtime
• Media backup control
BIA identifies:
• Different business processes & criticality
• Critical IS resources supporting critical business processes
• Critical recovery period before significant or unacceptable losses occur
Recovery point objective (RPO) – based on acceptable data loss; earliest time in which it is acceptable to recover;
date/time or synchronization point to which systems/data will be restored.
Recovery time objective (RTO) – based on acceptable downtime; earliest time when business operations must
resume.
Interruption window – how long a business can wait before operations resume (after this point, losses are
unaffordable)
Maximum Tolerable outage (MTO) – maximum time business can operate in alternate processing mode before
other problems occur
Service delivery objective (SDO) – acceptable level of services required during alternate processing
Recovery Alternatives
• Hot site – fully configured and ready to operate within hours. Not for extended use.
• Warm site – partially configured (network and peripheral devices, but no main computers). Site ready in hours,
operations ready in days or weeks.
• Cold site – has basic utilities, ready in weeks.
• Redundant site – dedicated, self-developed sites.
• Mobile site – data center in a box
• Reciprocal agreements with other businesses
Redundant Array of Inexpensive/Independent Disks (RAID)
• Level 0 – striped disk array, no fault tolerance; stripes multiple disks into one volume (faster when software based)
• Level 1 – mirroring; 2 drives, half the space (faster when software based)
• Level 2 – Hamming code ECC – interweaving data based on hamming code (EXPENSIVE and rare; HW based,
resource intensive)
• Level 3 – parallel transfer with parity; at least 2 striped data drives with 1 for parity (faster in HW)
• Level 5 – block level; independent disks with distributed parity blocks; at least 3 drives, stripes data and parity
(faster in HW) mirrored sets
• Level 6 – Level 5 with 2 independent distributed parity schemes (faster in HW)
• Level 10 – high reliability & performance; at least 4 drives, stripes level 1 segments; hi I/O
• Level 0+1 – High transfer rate; striped plus mirror; losing 2 drives = major data loss
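The RAID 5 layout from the list above, as an added example (not the guide's own code): data blocks are striped over at least 3 drives with one XOR parity block per stripe whose drive rotates, a single failed drive is rebuilt from the survivors, and a second loss before the rebuild is unrecoverable.

```python
"""RAID 5 striping, distributed parity and rebuild (constructed example).

Each stripe holds (drives - 1) data blocks plus one parity block equal to
the XOR of those data blocks; the parity drive rotates per stripe.  The
XOR of all blocks in a stripe is zero, so any one missing block equals
the XOR of the others.  Two missing blocks cannot be separated.
"""


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, drives=3, block=4):
    """Return one list of blocks per drive, with rotating XOR parity."""
    if drives < 3:
        raise ValueError("RAID 5 needs at least 3 drives")
    chunks = [data[i:i + block].ljust(block, b"\0") for i in range(0, len(data), block)]
    per_stripe = drives - 1
    layout = [[] for _ in range(drives)]
    for stripe_no, s in enumerate(range(0, len(chunks), per_stripe)):
        stripe = chunks[s:s + per_stripe]
        stripe += [b"\0" * block] * (per_stripe - len(stripe))   # pad last stripe
        parity_drive = stripe_no % drives                         # rotate parity
        data_iter = iter(stripe)
        for d in range(drives):
            layout[d].append(xor_blocks(stripe) if d == parity_drive else next(data_iter))
    return layout


def raid5_read(layout, length):
    """Reassemble the data from an intact layout, skipping parity blocks."""
    drives, out = len(layout), b""
    for stripe_no in range(len(layout[0])):
        parity_drive = stripe_no % drives
        out += b"".join(layout[d][stripe_no] for d in range(drives) if d != parity_drive)
    return out[:length]


def raid5_rebuild(layout):
    """Rebuild the one drive marked None from the others; a second loss is fatal."""
    survivors = [d for d in layout if d is not None]
    if len(survivors) < len(layout) - 1:
        raise RuntimeError("two or more drives lost: data is unrecoverable")
    rebuilt = [xor_blocks([d[i] for d in survivors]) for i in range(len(survivors[0]))]
    return [rebuilt if d is None else d for d in layout]


if __name__ == "__main__":
    data = b"CISA study guide RAID sample!"   # constructed payload, 29 bytes
    layout = raid5_write(data, drives=3, block=4)
    degraded = list(layout)
    degraded[1] = None                        # simulate losing drive 1
    print(raid5_read(raid5_rebuild(degraded), len(data)) == data)   # True
    degraded[0] = None                        # second loss before rebuild
    try:
        raid5_rebuild(degraded)
    except RuntimeError as err:
        print("rebuild failed:", err)
```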
Insurance Coverage
• IS equipment/facilities
• software media reconstruction
• Extra expense – of continuing operations after disaster; loss due to computer media damage
• Business interruption
• Valuable papers and records
• Errors and omissions
• Fidelity coverage – loss due to dishonest/fraudulent acts
• Media transportation
• Covers loss based on historical performance, not existing
• No compensation for loss of image/goodwill
Grandfather (monthly), father (weekly), son (daily) backup rotation scheme
Difference between ISACA book and Sybex
Sybex is easier to read and digest
• Layout is better and more reader-friendly
• More bullet points, charts, and tables that summarize the information and show relationships or differences in
the subject matter
• Less subject matter on a page, so eyes don’t get so tired as you read.
Both identify critical things a CISA must know, but ISACA is more specific in their must-know notes.
I would never read just one book. Read one book and take notes. Then read the other book and supplement
your notes. This process will help you understand the difference between the two sources. Each perspective is
helpful.