Information Security Management Audit/Assurance Program

ISACA®
With more than 86,000 constituents in more than 160 countries, ISACA (www.isaca.org) is a leading global provider of knowledge, certifications, community, advocacy and education on information systems (IS) assurance and security, enterprise governance of IT, and IT-related risk and compliance. Founded in 1969, ISACA sponsors international conferences, publishes the ISACA® Journal, and develops international IS auditing and control standards. It also administers the globally respected Certified Information Systems Auditor™ (CISA®), Certified Information Security Manager® (CISM®), Certified in the Governance of Enterprise IT® (CGEIT®) and Certified in Risk and Information Systems Control™ (CRISC™) designations. ISACA offers the Business Model for Information Security™ (BMIS™) and the IT Assurance Framework™ (ITAF™). It also developed and maintains the COBIT®, Val IT™ and Risk IT frameworks, which help IT professionals and enterprise leaders fulfill their IT governance responsibilities and deliver value to the business.

Disclaimer
ISACA has designed and created Information Security Management Audit/Assurance Program (the “Work”) primarily as an informational resource for audit and assurance professionals. ISACA makes no claim that use of any of the Work will assure a successful outcome. The Work should not be considered inclusive of all proper information, procedures and tests or exclusive of other information, procedures and tests that are reasonably directed to obtaining the same results. In determining the propriety of any specific information, procedure or test, audit and assurance professionals should apply their own professional judgment to the specific circumstances presented by the particular systems or information technology environment.

Reservation of Rights
© 2010 ISACA. All rights reserved.
No part of this publication may be used, copied, reproduced, modified, distributed, displayed, stored in a retrieval system or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise) without the prior written authorization of ISACA. Reproduction and use of all or portions of this publication are permitted solely for academic, internal and noncommercial use and for consulting/advisory engagements, and must include full attribution of the material’s source. No other right or permission is granted with respect to this work.

ISACA
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008 USA
Phone: +1.847.253.1545
Fax: +1.847.253.1443
E-mail: info@isaca.org
Web site: www.isaca.org

ISBN 978-1-60420-156-7
Information Security Management Audit/Assurance Program

CRISC is a trademark/service mark of ISACA. The mark has been applied for or registered in countries throughout the world.

ISACA wishes to recognize:

Author
Norm Kelson, CISA, CGEIT, CPA, CPE Interactive Inc., USA

Expert Reviewers
Bok Hai Suan, CISM, CGEIT, Singapore
Kerrie Douglas, CISA, CGEIT, Six Sigma Green Belt, DaVita, USA
Gbadamosi Folakemi Toyin, CGEIT, APDM, CGRC-IT, CICA, CIPM, Flooky-Tee Computers, Nigeria
Anuj Goel, Ph.D., CISA, CGEIT, Citigroup, Inc., USA
Michael Lloyd Jones, CISA, CIA, CISSP, FLMI, BMO Financial Group, Canada
Prashant Khopkar, CISA, CA, USA
Raul Millan, CISA, CISM, CCSE, CEH, CISSP, Consultores de Seguridad Informatica, Panama
Philippe Rivest, TransForce, Canada
Vinoth Sivasubramanian, ABRCCIP, CEH, ISO 27001 LA, UAE Exchange Center LLC, UAE
Babu Srinivas, CISA, CISM, SP AusNet, Australia
Vikrant V. Tanksale, CISA, ACWA, CMA, ALBahja Industrial Holdings LLC, Oman
Bart van Lodensteijn, CISA, CGEIT, Ordina Consultancy B.V., The Netherlands
Jeff Warren, CISM, JPW Consult, Australia

ISACA Board of Directors
Emil D’Angelo, CISA, CISM, Bank of Tokyo-Mitsubishi UFJ Ltd., USA, International President
Hitoshi Ota, CISA, CISM, CGEIT, CIA, Mizuho Corporate Bank Ltd., Japan, Vice President
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico, Vice President
Christos K. Dimitriadis, Ph.D., CISA, CISM, INTRALOT S.A., Greece, Vice President
Rolf M. von Roessing, CISA, CISM, CGEIT, KPMG Germany, Germany, Vice President
Robert E. Stroud, CGEIT, CA Technologies, USA, Vice President
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Vice President
Ria Lucas, CISA, CGEIT, Telstra Corp. Ltd., Australia, Vice President
Everett C. Johnson Jr., CPA, Deloitte & Touche LLP (retired), USA, Past International President
Lynn C. Lawton, CISA, FBCS CITP, FCA, FIIA, KPMG Ltd., Russian Federation, Past International President
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Director
Tony Hayes, CGEIT, AFCHSE, CHE, FACS, FCPA, FIIA, Queensland Government, Australia, Director
Howard Nicholson, CISA, CGEIT, CRISC, City of Salisbury, Australia, Director
Jeff Spivey, CPP, PSP, Security Risk Management, USA, ITGI Trustee

Knowledge Board
Gregory T. Grocholski, CISA, The Dow Chemical Co., USA, Chair
Michael Berardi Jr., CISA, CGEIT, Nestle USA, USA
John Ho Chi, CISA, CISM, CBCP, CFE, Ernst & Young LLP, Singapore
Jose Angel Pena Ibarra, CGEIT, Alintec S.A., Mexico
Jo Stewart-Rattray, CISA, CISM, CGEIT, CSEPS, RSM Bird Cameron, Australia
Jon Singleton, CISA, FCA, Auditor General of Manitoba (retired), Canada
Patrick Stachtchenko, CISA, CGEIT, CA, Stachtchenko & Associates SAS, France
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA

Guidance and Practices Committee
Kenneth L. Vander Wal, CISA, CPA, Ernst & Young LLP (retired), USA, Chair
Kamal Dave, CISA, CISM, CGEIT, Hewlett-Packard, USA
Urs Fischer, CISA, CRISC, CIA, CPA (Swiss), Switzerland
Ramses Gallego, CISM, CGEIT, CISSP, Entel IT Consulting, Spain
Phillip J. Lageschulte, CGEIT, CPA, KPMG LLP, USA
Ravi Muthukrishnan, CISA, CISM, FCA, ISCA, Capco IT Service India Pvt. Ltd., India
Anthony P. Noble, CISA, CCP, Viacom Inc., USA
Salomon Rico, CISA, CISM, CGEIT, Deloitte, Mexico
Frank Van Der Zwaag, CISA, CISSP, Westpac, New Zealand

ISACA and ITGI Affiliates and Sponsors
American Institute of Certified Public Accountants
ASIS International
The Center for Internet Security
Commonwealth Association for Corporate Governance Inc.
FIDA Inform
Information Security Forum
Information Systems Security Association
Institut de la Gouvernance des Systèmes d’Information
Institute of Management Accountants Inc.
ISACA chapters
ITGI Japan
Norwich University
Solvay Brussels School of Economics and Management
University of Antwerp Management School
Analytix Holdings Pty. Ltd.
BWise B.V.
Hewlett-Packard
IBM
Project Rx Inc.
SOAProjects Inc.
Symantec Corp.
TruArx Inc.

Table of Contents
I. Introduction
II. Using This Document
III. Controls Maturity Analysis
IV. Assurance and Control Framework
V. Executive Summary of Audit/Assurance Focus
VI. Audit/Assurance Program
  1. Planning and Scoping the Audit
  2. Information Security Management
  3. Information Security Operations
  4. Information Security Technology Management
VII. Maturity Assessment
VIII. Assessment Maturity vs. Target Maturity

I. Introduction

Overview
ISACA has developed the IT Assurance Framework™ (ITAF™) as a comprehensive and good-practice-setting model. ITAF provides standards that are designed to be mandatory and are the guiding principles under which the IT audit and assurance profession operates. The guidelines provide information and direction for the practice of IT audit and assurance. The tools and techniques provide methodologies, tools and templates to provide direction in the application of IT audit and assurance processes.

Purpose
The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF, section 2200—General Standards. The audit/assurance programs are part of ITAF, section 4000—IT Assurance Tools and Techniques.

Control Framework
The audit/assurance programs have been developed in alignment with the ISACA COBIT framework—specifically COBIT 4.1—using generally applicable and accepted good practices. They reflect ITAF sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes, and 3800—IT Audit and Assurance Management. Many organizations have embraced several frameworks at an enterprise level, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Internal Control Framework. The importance of the control framework has been enhanced due to regulatory requirements by the US Securities and Exchange Commission (SEC) as directed by the US Sarbanes-Oxley Act of 2002 and similar legislation in other countries. Enterprises seek to integrate control framework elements used by the general audit/assurance team into the IT audit and assurance framework. Since COSO is widely used, it has been selected for inclusion in this audit/assurance program. The reviewer may delete or rename these columns to align with the enterprise’s control framework.

IT Governance, Risk and Control
IT governance, risk and control are critical in the performance of any assurance management process. Governance of the process under review will be evaluated as part of the policies and management oversight controls. Risk plays an important role in evaluating what to audit and how management approaches and manages risk. Both issues are evaluated as steps in the audit/assurance program. Controls are the primary evaluation point in the process. The audit/assurance program identifies the control objectives and the steps to determine control design and effectiveness.
Responsibilities of IT Audit and Assurance Professionals
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation, or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and/or the necessary subject matter expertise to adequately review the work performed.

II. Using This Document
This audit/assurance program was developed to assist the audit and assurance professional in designing and executing a review. Details regarding the format and use of the document follow.

Work Program Steps
The first column of the program describes the steps to be performed. The numbering scheme used provides built-in work paper numbering for ease of cross-reference to the specific workpaper for that section. The physical document was designed in Microsoft® Word. The IT audit and assurance professional is encouraged to make modifications to this document to reflect the specific environment under review.

Step 1 is part of the fact-gathering and prefieldwork preparation. Because the prefieldwork is essential to a successful and professional review, the steps have been itemized in this plan. The first-level steps, e.g., 1.1, are shown in bold type and provide the reviewer with a scope or high-level explanation of the purpose for the substeps.

Beginning in step 2, the steps associated with the work program are itemized. To simplify the use of the program, each topic area opens with the audit/assurance objective (the reason for performing the steps in that topic area); the specific controls follow. Each review step is listed below the control. These steps may include assessing the control design by walking through a process, interviewing, observing or otherwise verifying the process and the controls that address that process. In many cases, once the control design has been verified, specific tests need to be performed to provide assurance that the process associated with the control is being followed.

The maturity assessment, which is described in more detail later in this document, makes up the last section of the program.

The audit/assurance plan wrap-up—those processes associated with the completion and review of work papers, preparation of issues and recommendations, report writing, and report clearing—has been excluded from this document since it is standard for the audit/assurance function and should be identified elsewhere in the enterprise’s standards.

COBIT Cross-reference
The COBIT cross-reference provides the audit and assurance professional with the ability to refer to the specific COBIT control objective that supports the audit/assurance step. The COBIT control objective should be identified for each audit/assurance step in the section. Multiple cross-references are not uncommon. Processes at lower levels in the work program are too granular to be cross-referenced to COBIT. The audit/assurance program is organized to facilitate an evaluation through a structure parallel to the development process. COBIT provides in-depth control objectives and suggested control practices at each level. As professionals review each control, they should refer to COBIT 4.1 or the IT Assurance Guide: Using COBIT for good-practice control guidance.
COSO Components
As noted in the introduction, COSO and similar frameworks have become increasingly popular among audit/assurance professionals. This ties the assurance work to the enterprise’s control framework. While the IT audit/assurance function uses COBIT as a framework, operational audit and assurance professionals use the framework established by the enterprise. Since COSO is the most prevalent internal control framework, it has been included in this document and is a bridge to align IT audit/assurance with the rest of the audit/assurance function. Many audit/assurance organizations include the COSO control components within their report and summarize assurance activities to the audit committee of the board of directors. For each control, the audit and assurance professional should indicate the COSO component(s) addressed. It is possible, but generally not necessary, to extend this analysis to the specific audit step level.

The original COSO internal control framework contained five components. In 2004, COSO was revised as the Enterprise Risk Management (ERM) Integrated Framework and was extended to eight components. The primary difference between the two frameworks is the additional focus on ERM and integration into the business decision model. ERM is in the process of being adopted by large enterprises. The two frameworks are compared in figure 1.

Figure 1—Comparison of COSO Internal Control and ERM Integrated Frameworks

Internal Control Framework (five components)

Control Environment: The control environment sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values, management’s operating style, delegation of authority systems, as well as the processes for managing and developing people in the organization.

Risk Assessment: Every entity faces a variety of risks from external and internal sources that must be assessed. A precondition to risk assessment is establishment of objectives, and, thus, risk assessment is the identification and analysis of relevant risks to achievement of assigned objectives. Risk assessment is a prerequisite for determining how the risks should be managed.

Control Activities: Control activities are the policies and procedures that help ensure management directives are carried out. They help ensure that necessary actions are taken to address risks to achievement of the entity’s objectives. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties.

Information and Communication: Information systems play a key role in internal control systems as they produce reports, including operational, financial and compliance-related information that make it possible to run and control the business. In a broader sense, effective communication must ensure information flows down, across and up the organization. Effective communication should also be ensured with external parties, such as customers, suppliers, regulators and shareholders.

Monitoring: Internal control systems need to be monitored—a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities or separate evaluations. Internal control deficiencies detected through these monitoring activities should be reported upstream and corrective actions should be taken to ensure continuous improvement of the system.

ERM Integrated Framework (eight components)

Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.

Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

Event Identification: Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

Risk Assessment: Risks are analyzed, considering the likelihood and impact, as a basis for determining how they could be managed. Risk areas are assessed on an inherent and residual basis.

Risk Response: Management selects risk responses—avoiding, accepting, reducing or sharing risk—developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.

Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.

Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across and up the entity.

Monitoring: The entirety of enterprise risk management is monitored and modifications are made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations or both.

Information for figure 1 was obtained from the COSO web site, www.coso.org/aboutus.htm.

The original COSO internal control framework addresses the needs of the IT audit and assurance professional: control environment, risk assessment, control activities, information and communication, and monitoring. As such, ISACA has elected to utilize the five-component model for these audit/assurance programs. As more enterprises implement the ERM model, the additional three columns can be added, if relevant. When completing the COSO component columns, consider the definitions of the components as described in figure 1.

Reference/Hyperlink
Good practices require the audit and assurance professional to create a workpaper for each line item, which describes the work performed, issues identified and conclusions. The reference/hyperlink is to be used to cross-reference the audit/assurance step to the workpaper that supports it. The numbering system of this document provides a ready numbering scheme for the workpapers. If desired, a link to the work paper can be pasted into this column.

Issue Cross-reference
This column can be used to flag a finding/issue that the IT audit and assurance professional wants to further investigate or establish as a potential finding. The potential findings should be documented in a workpaper that indicates the disposition of the findings (formally reported, reported as a memo or verbal finding, or waived).

Comments
The comments column can be used to indicate the waiving of a step or other notations. It is not to be used in place of a workpaper describing the work performed.

III. Controls Maturity Analysis
One of the consistent requests of stakeholders who have undergone IT audit/assurance reviews is a desire to understand how their performance compares to good practices. Audit and assurance professionals must provide an objective basis for the review conclusions.
Maturity modeling for management and control over IT processes is based on a method of evaluating the enterprise, so it can be rated from a maturity level of nonexistent (0) to optimized (5). This approach is derived from the maturity model that the Software Engineering Institute (SEI) of Carnegie Mellon University defined for the maturity of software development. The IT Assurance Guide: Using COBIT, Appendix VII—Maturity Model for Internal Control, seen in figure 2, provides a generic maturity model showing the status of the internal control environment and the establishment of internal controls in an enterprise. It shows how the management of internal control, and an awareness of the need to establish better internal controls, typically develops from an ad hoc to an optimized level. The model provides a high-level guide to help COBIT users appreciate what is required for effective internal controls in IT and to help position their enterprise on the maturity scale. Maturity Level Figure 2—Maturity Model for Internal Control Status of the Internal Control Environment Establishment of Internal Controls 0 Non-existent There is no recognition of the need for internal control. Control is not part of the organization’s culture or mission. There is a high risk of control deficiencies and incidents. There is no intent to assess the need for internal control. Incidents are dealt with as they arise. 1 Initial/ad hoc There is some recognition of the need for internal control. The approach to risk and control requirements is ad hoc and disorganized, without communication or monitoring. Deficiencies are not identified. Employees are not aware of their responsibilities. There is no awareness of the need for assessment of what is needed in terms of IT controls. When performed, it is only on an ad hoc basis, at a high level and in reaction to significant incidents. Assessment addresses only the actual incident. 
2 Repeatable but Intuitive Controls are in place but are not documented. Their operation is dependent on the knowledge and motivation of individuals. Effectiveness is not adequately evaluated. Many control weaknesses exist and are not adequately addressed; the impact can be severe. Management actions to resolve control issues are not prioritized or consistent. Employees may not be aware of their responsibilities. Assessment of control needs occurs only when needed for selected IT processes to determine the current level of control maturity, the target level that should be reached and the gaps that exist. An informal workshop approach, involving IT managers and the team involved in the process, is used to define an adequate approach to controls for the process and to motivate an agreed-upon action plan. © 2010 ISACA. All rights reserved. Page 8 Information Security Management Audit/Assurance Program Maturity Level 3 Defined 4 Managed and Measurable 5 Optimized Figure 2—Maturity Model for Internal Control Status of the Internal Control Environment Establishment of Internal Controls Controls are in place and adequately documented. Operating effectiveness is evaluated on a periodic basis and there is an average number of issues. However, the evaluation process is not documented. While management is able to deal predictably with most control issues, some control weaknesses persist and impacts could still be severe. Employees are aware of their responsibilities for control. There is an effective internal control and risk management environment. A formal, documented evaluation of controls occurs frequently. Many controls are automated and regularly reviewed. Management is likely to detect most control issues, but not all issues are routinely identified. There is consistent follow-up to address identified control weaknesses. A limited, tactical use of technology is applied to automate controls. 
An enterprise-wide risk and control program provides continuous and effective control and risk issues resolution. Internal control and risk management are integrated with enterprise practices, supported with automated real-time monitoring with full accountability for control monitoring, risk management and compliance enforcement. Control evaluation is continuous, based on self-assessments and gap and root cause analyses. Employees are proactively involved in control improvements. Critical IT processes are identified based on value and risk drivers. A detailed analysis is performed to identify control requirements and the root cause of gaps and to develop improvement opportunities. In addition to facilitated workshops, tools are used and interviews are performed to support the analysis and ensure that an IT process owner owns and drives the assessment and improvement process. IT process criticality is regularly defined with full support and agreement from the relevant business process owners. Assessment of control requirements is based on policy and the actual maturity of these processes, following a thorough and measured analysis involving key stakeholders. Accountability for these assessments is clear and enforced. Improvement strategies are supported by business cases. Performance in achieving the desired outcomes is consistently monitored. External control reviews are organized occasionally. Business changes consider the criticality of IT processes and cover any need to reassess process control capability. IT process owners regularly perform self-assessments to confirm that controls are at the right level of maturity to meet business needs and they consider maturity attributes to find ways to make controls more efficient and effective. The organization benchmarks to external best practices and seeks external advice on internal control effectiveness. 
For critical processes, independent reviews take place to provide assurance that the controls are at the desired level of maturity and working as planned. The maturity model evaluation is one of the final steps in the evaluation process. The IT audit and assurance professional can address the key controls within the scope of the work program and formulate an objective assessment of the maturity levels of the control practices. The maturity assessment can be a part of the audit/assurance report and can be used as a metric from year to year to document progression in the enhancement of controls. However, it must be noted that the perception of the maturity level may vary between the process/IT asset owner and the auditor. Therefore, an auditor should obtain the concerned stakeholder’s concurrence before submitting the final report to management. At the conclusion of the review, once all findings and recommendations are completed, the professional assesses the current state of the COBIT control framework and assigns it a maturity level using the sixlevel scale. Some practitioners utilize decimals (x.25, x.5, x.75) to indicate gradations in the maturity model. As a further reference, COBIT provides a definition of the maturity designations by control objective. While this approach is not mandatory, the process is provided as a separate section at the end of the audit/assurance program for those enterprises that wish to implement it. It is suggested that a maturity assessment be made at the COBIT control level. To provide further value to the client/customer, the professional can also obtain maturity targets from the client/customer. Using the assessed and target maturity levels, the professional can create an effective graphic presentation that describes the achievement or gaps between the actual and targeted maturity goals. A graphic is provided as the last page of the document (section VIII), based on sample assessments. IV. 
Assurance and Control Framework ISACA IT Assurance Framework and Standards ITAF section 3630.7—Information Security Management is of primary relevance to the audit/ assurance of information security management. However, information security management is pervasive throughout the IT organization and its functional responsibility. Components of information security are also included in the following ITAF sections: © 2010 ISACA. All rights reserved. Page 9 Information Security Management Audit/Assurance Program 3410—IT Governance 3425—IT Information Strategy 3427—IT Information Management 3450—IT Processes 3630—Auditing IT General Controls ISACA Controls Framework COBIT is a framework for the governance of IT and supporting tool set that allows managers to bridge the gap among control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout enterprises. Utilizing COBIT as the control framework from which IT audit/assurance activities are based aligns IT audit/assurance with good practices as developed by the enterprise. COBIT IT process DS5 Ensure systems security, from the Deliver and Support (DS) domain, is the primary control framework and addresses good practices for ensuring security of corporate information. Secondary COBIT processes are cross-referenced within the audit/assurance program. The COBIT areas for this evaluation include: DS5.1 Management of IT security—Manage IT security at the highest appropriate organizational level, so the management of security actions is in line with business requirements. DS5.2 IT security plan—Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, software and hardware. 
Communicate security policies and procedures to stakeholders and users.

DS5.3 Identity management—The information security function has defined policies and monitors activities relating to unique user identification; authentication mechanisms; user access rights according to job definition; and documented, appropriate authorization and approval mechanisms.

DS5.4 User account management—The information security function has established policies and monitoring procedures that address: requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. The process includes an approval procedure outlining the data or system owner granting the access privileges and applies to all users, including administrators (privileged users) and internal and external users, for normal and emergency cases.

DS5.5 Security testing, surveillance and monitoring—Test and monitor the IT security implementation in a proactive way. IT security should be reaccredited in a timely manner to ensure that the approved enterprise’s information security baseline is maintained. A logging and monitoring function will enable the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

DS5.6 Security incident definition—The security incident management process is defined and monitored by the information security function, and an incident response team has been established and is operationally effective.

DS5.7 Protection of security technology—Make security-related technology resistant to tampering, and do not disclose security documentation unnecessarily.
DS5.8 Cryptographic key management—Policies and procedures are in place to organize the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.

DS5.9 Malicious software prevention, detection and correction—Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the enterprise to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

DS5.10 Network security—Information security management is included in the selection, implementation and approval of security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.

DS5.11 Exchange of sensitive data—Information security has approved policies concerning the exchange of sensitive transaction data through a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and nonrepudiation of origin. All incidents involving the exchange of sensitive data are reported through the incident reporting system and are directed to the CIRT team.

Information security management is an integral part of the entire IT infrastructure. The Information Security Management Audit/Assurance Program cross-references numerous COBIT domains and processes. These sections appear in the COBIT cross-reference of the audit/assurance program. For the purposes of reporting, information security is a component of these areas, but the scope of the assessment would be too limited to include these sections in the summary of the information security management assessment.
Refer to the ISACA publication COBIT Control Practices: Guidance to Achieve Control Objectives for Successful IT Governance, 2nd Edition, 2007, for the related control practice value and risk drivers.

V. Executive Summary of Audit/Assurance Focus

Information Security Management

Information security is an essential component of governance and management that affects all aspects of entity-level controls. Audit and assurance professionals include appropriate information security evaluations throughout their audit universe. However, the process of assessing the design and operating effectiveness of information security management does not receive the focus it requires.

The information security management function is responsible for the governance, policy, enforcement, monitoring and innovation necessary for the modern business to establish cost-effective information security processes, while providing adequate information security assurance within the risk appetite and budget of the organization. The information security management function provides:
- Management direction, including policy creation, involvement in significant information security strategies, establishment of and adherence to an information security architecture, and alignment of information security strategies with business strategies
- Management oversight and execution of essential information security operations. The former focuses on routine operations that affect information security, including access control; user identity management; and configuration management of other security building blocks, including intrusion detection and penetration testing systems, antimalware, and other processes. The latter includes information security incident management and security forensics.
- Management of information security technologies utilized within the organization
Business Impact and Risk

Information security touches all aspects of the business environment. Failure to implement adequate information security could result in the following operational issues:
- Security breaches, both detected and undetected
- Exposure of information
- Breach of trust with other enterprises
- Violations of legal and regulatory requirements
- Inadequate physical security measures
- Unauthorized external connections to remote sites
- Disclosure of corporate assets and sensitive information accessible to unauthorized parties
- Systems and data that are prone to malware
- Damage to the enterprise’s reputation
- Financial loss

The risks associated with inadequate information security management include:
- Information security strategies not aligned with IT or business requirements
- Information security value (cost-benefit) structure not aligned with business needs or goals
- Undefined or confusing information security accountability
- Noncompliance with internal and external requirements
- Ineffective use of financial resources allocated to information security
- Information security not included in portfolio selection and maintenance and/or architecture design, resulting in ineffective, inefficient or misguided information security solutions
- Information security not monitored and policies not applied uniformly, with varying enforcement

Information security is about minimizing exposures, based upon risk management. Failure to implement and monitor risk mitigation processes in one area may compromise the entire organization.
Objective and Scope

Objective—The information security management audit/assurance review will:
- Provide management with an assessment of the effectiveness of the information security management function
- Evaluate the scope of the information security management organization and determine whether essential security functions are being addressed effectively

It is not designed to replace or focus on audits that provide assurance of specific configurations or operational processes.

Scope—The review will focus on:
- Information Security Management—Processes associated with governance, policy, monitoring, incident management and management of the information security function
- Information Security Operations Management—Processes associated with the implementation of security configurations
- Information Security Technology Management—Processes associated with the selection and maintenance of security technologies

To ensure a comprehensive audit of information security management, it is recommended that the following audit/assurance reviews be performed prior to the execution of the information security management review and that appropriate reliance be placed on these assessments:
- Identity management
- Security incident management
- Network perimeter security
- Systems development
- Project management
- IT risk management
- Data management
- Vulnerability management

Minimum Audit Skills

Information security management addresses many IT processes. Since the focus is on the management of information security, the audit and assurance professional should have the requisite knowledge of the scope and requirements of information security, governance of IT and the information security components therein, information security components of IT architecture, risk management, and the direct information security processes.
In addition, this audit/assurance program addresses organizational human resource reporting, management planning and senior management interfaces. Therefore, it is recommended that the audit and assurance professional conducting the assessment have the requisite experience and organizational relationships to effectively execute the assurance processes.

VI. Audit/Assurance Program

1. PLANNING AND SCOPING THE AUDIT

1.1 Define audit/assurance objectives.
The audit/assurance objectives are high level and describe the overall audit goals.
1.1.1 Review the audit/assurance objectives in the introduction to this audit/assurance program.
1.1.2 Modify the audit/assurance objectives to align with the audit/assurance universe, annual plan and charter.

1.2 Define boundaries of review.
The review must have a defined scope. The reviewer should understand the information security organization and function, and prepare a proposed scope, subject to a later risk assessment.
1.2.1 Obtain and review the information security organization chart and/or current job descriptions.
1.2.2 Obtain the information security organization charter (or a purpose, goals and objectives statement).
1.2.3 Obtain and review any previous audit reports with remediation plans. Identify open issues and assess updates of documents with respect to these issues.
1.2.4 Identify limitations and/or constraints affecting the audit of information security.

1.3 Identify and document risks.
The risk assessment is necessary to evaluate where audit resources should be focused. In most enterprises, audit resources are not available for all processes. The risk-based approach assures utilization of audit resources in the most effective manner.
1.3.1 Identify the business risk associated with information security with business owners and key stakeholders.
1.3.2 Verify that the business risks are aligned, rated or classified with information security criteria such as confidentiality, integrity or availability.
1.3.3 Review previous audits of information security management and/or information security operations.
1.3.4 Determine whether issues identified previously have been remediated.
1.3.5 Evaluate the overall risk factor for performing the review.
1.3.6 Based on the risk assessment, identify changes to the scope.
1.3.7 Discuss the risks with IT management, and adjust the risk assessment.
1.3.8 Based on the risk assessment, revise the scope.

1.4 Define the change process.
The initial audit approach is based on the reviewer’s understanding of the operating environment and associated risks. As further research and analysis are performed, changes to the scope and approach may result.
1.4.1 Identify the senior IT assurance resource responsible for the review.
1.4.2 Establish the process for suggesting and implementing changes to the audit/assurance program, and the authorizations required.

1.5 Define assignment success.
The success factors need to be identified. Communication among the IT audit/assurance team, other assurance teams and the enterprise is essential.
1.5.1 Identify the drivers for a successful review (this should exist in the assurance function’s standards and procedures).
1.5.2 Communicate success attributes to the process owner or stakeholder, and obtain agreement.

1.6 Define the audit/assurance resources required.
The resources required are defined in the introduction to this audit/assurance program.
1.6.1 Determine the audit/assurance skills necessary for the review.
1.6.2 Estimate the total audit/assurance resources (hours) and time frame (start and end dates) required for the review.

1.7 Define deliverables.
The deliverable is not limited to the final report. Communication between the audit/assurance teams and the process owner is essential to assignment success.
1.7.1 Determine the interim deliverables, including initial findings, status reports, draft reports, due dates for responses or meetings, and the final report.

1.8 Communications
The audit/assurance process must be clearly communicated to the customer/client.
1.8.1 Conduct an opening conference to:
- Discuss the review objectives with the information security management assessment
- Identify documents and information security resources required to effectively perform the review
- Establish timelines and deliverables

2. INFORMATION SECURITY MANAGEMENT

2.1 Management of IT Security
Audit/Assurance Objective: Manage IT security at the highest appropriate organizational level so that the management of security actions is in line with business requirements.

2.1.1 Governance
Control: Processes are in practice to assure applicable management oversight of the information security function.
2.1.1.1 Determine whether a security steering committee exists with representation from key functional areas, including internal audit, HR, finance, operations, IT security and legal.
2.1.1.2 Obtain the security steering committee charter.
2.1.1.3 Determine whether the committee membership is aligned with the organization and the information security stakeholders.
2.1.1.4 Obtain the minutes of selected steering committee meetings.
2.1.1.5 Determine whether the committee members regularly attend committee meetings.
2.1.1.6 Inquire whether and confirm that a security management communication process exists that informs the board, business and IT management of the status of information security.
2.1.1.7 Review the security steering committee charter to identify the communication plan and reporting relationships. Determine whether a common language (i.e., COBIT’s information criteria) is in the communication plan and that the reporting lines are clearly established.
2.1.1.8 Select several board meeting dates, obtain the information security presentations, and determine the board-level discussions relating to information security.
2.1.1.9 Inquire whether and confirm that an adequate organizational structure and reporting line for information security exist, and assess whether the security management and administration functions have sufficient authority.
2.1.1.10 Based on the organization chart of the information security organization, determine whether the structure provides for the information security function to report to and interface with the upper levels of management.
(COBIT cross-reference: PO4, DS5.1, ME4)
2.1.1.11 Determine whether the placement of the information security function provides for appropriate independence, objectivity and authority over its constituencies to be effective.
2.1.1.12 Determine whether the subordinate organizational hierarchy is adequate to provide appropriate policy definition and monitoring.

2.1.2 Risk Assessment
Control: Risk assessments are regularly conducted to prioritize information security initiatives and ensure alignment with business risks.
2.1.2.1 Determine whether a process exists to prioritize proposed security initiatives and directives, including required levels of policies, standards and procedures.
2.1.2.2 Obtain recent risk assessment documents.
2.1.2.3 Determine whether the risk assessment has been utilized and addresses reasonable risks.
2.1.2.4 Determine whether the risk assessment is aligned with the IT risk assessment, if one exists, and the enterprise risk methodology, if one exists.
2.1.2.5 Test the design of the risk assessment for completeness, relevancy, timeliness and measurability.

2.1.3 Policies
Control: Policies are created according to a defined format and are distributed following a distribution list based on subject matter and relevance, and the scope of the policies is appropriate to ensure that information security is adequate to address the risk tolerance.
2.1.3.1 Determine whether and confirm that an information security charter exists.
2.1.3.2 Review and analyze the charter to verify that it refers to the organizational risk appetite relative to information security and that the charter clearly includes:
- Scope and objectives of the security management function
- Responsibilities of the security management function
- Compliance and risk drivers
2.1.3.3 Inquire whether and confirm that the information security policies cover the responsibility and accountability of the board, executive management, line management, staff members and all users of the enterprise IT infrastructure and that they refer to detailed security standards and procedures.
(COBIT cross-reference: PO9, DS5.2, ME4; PO4, PO6, PO9, DS5.2, ME3, ME4)
2.1.3.4 Inquire whether and confirm that detailed security policies, standards and procedures exist. Examples of policies, standards, procedures and best practices concerning these topics (COBIT, ISO27001/2) include:
- Security compliance policy
- Management risk acceptance (security noncompliance acknowledgement)
- External communications security policy
- Firewall policy
- E-mail security policy
- An agreement to comply with IS policies
- Laptop/desktop computer security policy
- Internet usage policy

2.2 IT Security Plan
Audit/Assurance Objective: Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures, together with appropriate investments in services, personnel, software and hardware. Communicate security policies and procedures to stakeholders and users.

2.2.1 Security Plan Integration
Control: Information security requirements are integrated into other processes.
(COBIT cross-reference: PO1, PO2, PO3, PO4, PO6, PO9, AI1, AI2, DS1, DS2, DS4, DS5.2, DS9, DS12, DS13, ME3, ME4)
2.2.1.1 Determine whether a process exists to integrate information security requirements and implementation advice from the IT security plan into the development of service level agreements (SLAs) and operating level agreements (OLAs) (refer to COBIT DS1 and DS2).
2.2.1.2 Review the SLAs and OLAs for an information security focus. Determine whether the information security function has been involved in the development of these SLAs/OLAs.
2.2.1.3 Determine whether a process exists to integrate information security requirements and implementation advice from the IT security plan into automated solution (AI1) and application (AI2) requirements.
2.2.1.4 Obtain systems development methodology documentation and determine whether information security involvement and review are required by the policies and procedures.
2.2.1.5 Select several high-risk and/or high-profile development projects. Obtain requirements documentation, and determine whether information security requirements were included in the project requirements documentation.
2.2.1.6 Determine whether information security resources were regularly involved in key information security decisions at appropriate points in the process.
2.2.1.7 Determine whether a process exists to integrate information security requirements and implementation advice from the IT security plan into the IT infrastructure components (AI3).
2.2.1.8 Obtain the IT infrastructure plan.
2.2.1.9 Determine whether the information security function is involved in the development of the security components of the IT infrastructure.
2.2.1.10 Determine whether the IT infrastructure team and the information security function routinely interface on common initiatives.
2.2.1.11 Determine whether the IT security plan addresses: IT tactical plans (PO1), data classification (PO2), technology standards (PO3), HR/user access policies, i.e., segregation of duties, key personnel, contractors (PO4), security and control policies (PO6), risk management (PO9), and external compliance requirements (ME3).
2.2.1.12 Obtain and review the IT security plan.
2.2.1.13 Determine whether enterprise information security baselines for all major platforms are commensurate with the overall IT security plan, whether the baselines have been recorded in the configuration baseline (DS9) central repository and whether a process exists to periodically update the baselines based on changes in the plan.
2.2.1.14 Determine that information security issues are included in the IT continuity plan.

2.2.2 Security Plan Maintenance
Control: The security plan is reviewed on a regular basis to determine that it is updated to reflect changes to the operating environment and new threats.
2.2.2.1 Determine the effectiveness of the collection and integration of information security requirements into an overall IT security plan that is responsive to the changing needs of the organization.
2.2.2.2 Determine whether the appropriate triggers are built into the interfaces between IT, business units and the information security organization to ensure that there is timely notification of a need to update the information security plan.
2.2.2.3 Determine whether a process exists to periodically update the IT security plan and whether the process requires appropriate levels of management review and approval of changes.
2.2.2.4 Determine the review process for updating the IT security plan; consider:
- Quality of documentation, including security policies
- Approval process of changes
- Job functions involved in the review process
(COBIT cross-reference: AI2, AI3, DS4, DS5.2, DS9, DS12, DS13)

3. INFORMATION SECURITY OPERATIONS

3.1 Identity Management
Audit/Assurance Objectives: The information security function has defined policies and monitors activities relating to the following:
- Ensure that all users (internal, external and temporary) and their activity on IT systems (business application, IT environment, system operations, development and maintenance) are uniquely identifiable.
- Enable user identities via authentication mechanisms.
- Confirm that user access rights to systems and data are in line with defined and documented business needs and that job requirements are attached to user roles.
- Ensure that user access rights are requested by user management, approved by system owners and implemented by the person responsible for security.
- Ensure that information security operations functions maintain user roles and access rights in a central repository.
- Deploy cost-effective technical and procedural measures, and keep them current to establish user identification, implement authentication and enforce access rights.

3.1.1 Identity Management
Control: The information security function has established identity management policies and monitoring functions.
3.1.1.1 Determine the role of the information security function relating to identity management.
If the information security function establishes policy and monitors enforcement, the remainder of this section needs to be reviewed from a definition and monitoring perspective. If the information security function also performs the information security operations, the assessment must include the tests of the operational follow-through.
3.1.1.2 Determine whether security policies require users and system processes to be uniquely identifiable and systems to be configured to enforce authentication before access is granted.
3.1.1.3 If policies require predetermined and preapproved roles to grant access, determine whether the policies require the roles to clearly delineate responsibilities based on least privileges and ensure that the establishment and modification of roles are approved by process owner management.
3.1.1.4 Determine whether appropriate policies and monitoring have been implemented to control access provisioning and whether authentication control mechanisms are utilized for controlling logical access across all users, system processes and IT resources for in-house and remotely managed users, processes and systems.
(COBIT cross-reference: DS5.3, DS11.6, DS12, ME4)

3.1.2 Identity Management Operations
Control: Identity management policies are enforced, and appropriate review processes are in place to evaluate their operating effectiveness.
(COBIT cross-reference: PO4, DS5.4, ME3, ME4; DS5.3, ME1, ME2, ME3)
3.1.2.1 Determine whether a previous audit/assurance assessment of the identity management system has been performed.
3.1.2.2 If an audit/assurance assessment has been performed recently, as defined by internal audit procedures, review the findings of that review, and determine whether additional findings, including failure to complete previous open recommendations, are appropriate.
3.1.2.2.1 If an assessment has not been performed, consider using the ISACA Identity Management Audit/Assurance Program to complete a detailed review.
3.1.2.2.2 If an assessment has been performed, but not within the internal audit definition of “recent,” consider reperforming key control processes to update the assessment and provide current findings.
3.1.2.3 Determine whether the information security function performs annual assessments of identity management operations and receives timely reports/scorecards of identity management operations activities.
3.1.2.4 Determine whether the information security function has routinely monitored and evaluated the effectiveness of identity management operations.

3.2 Account Management
Audit/Assurance Objective: The information security function has established policies and monitoring procedures that address: requesting, establishing, issuing, suspending, modifying and closing user accounts and related user privileges with a set of user account management procedures. The process includes an approval procedure outlining the data or system owner granting the access privileges and applies to all users, including administrators (privileged users); internal and external users; normal and emergency cases; and system, shared and generic accounts.

3.2.1 User Account Management Policy
Control: The information security function has established policies and monitoring procedures to ensure the effectiveness of user account management controls.
(COBIT cross-reference: DS5.4, ME1, ME2)
3.2.1.1 Obtain the information security policy addressing user account management.
3.2.1.2 Determine whether procedures exist to periodically assess and recertify system and application access and authorities.
3.2.1.3 Determine whether access control procedures exist to control and manage system and application rights and privileges according to the organization’s security policies and compliance and regulatory requirements.
3.2.1.4 Determine whether user provisioning policies, standards and procedures extend to all system users and processes, including vendors, service providers and business partners.
3.2.1.5 Determine whether a data classification policy is in place.
3.2.1.5.1 Ensure that the protection controls implemented are adequate for the classification of data (refer to the classification of data policy).
3.2.1.5.2 Determine whether the data classification affecting information security is reviewed periodically.
3.2.1.5.3 Determine whether systems, applications and data have been classified by levels of importance and risk and whether process owners have been identified and assigned.

3.2.2 User Account Management Operations
Control: The information security function monitors the control effectiveness of user account management operations on a timely basis and reports the operating efficiency and effectiveness.
3.2.2.1 Obtain management reports for user account management.
3.2.2.2 Assess the level of information security oversight for the operational aspects of user account management.
3.2.2.3 Determine whether a previous audit/assurance assessment of user account management has been performed.
3.2.2.3.1 If an assessment has been performed recently, as defined by internal audit procedures, review the findings of that review, and determine whether additional findings, including failure to complete previous open recommendations, are appropriate.
3.2.2.3.2 If an assessment has not been performed, consider using the ISACA User Account Management Audit/Assurance Program to complete a detailed review.
3.2.2.3.3 If an assessment has been performed, but not within the internal audit definition of “recent,” consider reperforming key control processes to update the assessment and provide current findings.

3.3 Security Testing and Monitoring
Audit/Assurance Objective: The IT security implementation is tested and monitored in a proactive way. IT security is reaccredited in a timely manner to ensure that the approved enterprise information security baseline is maintained. A logging and monitoring function enables the early prevention and/or detection and subsequent timely reporting of unusual and/or abnormal activities that may need to be addressed.

3.3.1 Testing
Control: Routine testing of information-security-related controls is performed in accordance with regulatory requirements and risk assessments that have identified high-risk or vulnerable assets.
3.3.1.1 Determine whether security baselines exist for all IT resources utilized by the organization.
3.3.1.2 Determine whether the baselines are based upon best practices (COBIT, ISO27001/2 and/or ITIL). If not, determine the rationale for in-house-developed baselines.
3.3.1.3 Determine whether appropriate testing is performed to validate adherence to minimum baselines.
3.3.1.4 Determine whether testing of information security assets is in conformance with compliance requirements.
3.3.1.4.1 Determine whether the regulatory compliance requirements have been documented.
3.3.1.4.2 Assess the completeness of the regulatory compliance.
3.3.1.4.3 Evaluate whether additional testing is required to be in compliance with regulatory requirements.

3.3.2 Monitoring
Control: Key information security controls are monitored on a regular and timely basis.
3.3.2.1 Determine whether all organization-critical, higher-risk network assets are routinely monitored for security events.
3.3.2.2 Determine whether the IT security management function has been integrated within the organization’s project management initiatives to ensure that security is considered in all IT projects.

3.4 Security Incident Management
Audit/Assurance Objective: The security incident management process is defined and monitored by the information security function, and an incident response team has been established and is operationally effective.

3.4.1 Incident Management Definition
Control: An incident management policy has been established that defines the classification of information security incidents and the actions to be executed when an information security incident is identified, and the process has been communicated to the units that act as first responders.
3.4.1.1 Determine whether the security incident management process appropriately interfaces with key organization functions, including the help desk, external service providers and network management.
3.4.1.2 Evaluate whether the security incident management process includes the following key elements:
- Event detection and classification
- Correlation of events and evaluation of the threat/incident
- Resolution of the threat, or creation and escalation of a work order
- Criteria for initiating the organization’s incident response process
- Who has authority to declare an incident
- Escalation procedures
- Verification and required levels of documentation of the resolution
- Postremediation analysis
- Work order/incident closure

3.4.3.1 Obtain the incident logs for a representative period of time.
3.4.3.2 Trace a representative sample of incidents per the incident/problem reporting system to the CIRT management documentation to determine that all security-related incidents have been reported to the CIRT.

3.4.2 Incident Management Response Team
Control: A CIRT has been established; manages emergencies; and reports the existence, cause and effect, damage assessment, and closure to the information security function.
3.4.2.1 Determine whether a CIRT exists to recognize and effectively manage security incidents.
The following areas should exist as part of an effective CIRT process:
- Incident handling—General and specific procedures and other requirements to ensure effective handling of incidents and reported vulnerabilities
- Vendor relations—The role and responsibilities of vendors in incident prevention and follow-up, software flaw correction, and other areas
- Communications—Requirements, implementation and operation of emergency and routine communications channels among key members of management
- Legal and criminal investigative issues—Issues driven by legal considerations and the requirements or constraints resulting from the involvement of criminal investigative organizations during an incident
- Constituency relations—Response center support services and methods of interaction with constituents, including training and awareness, configuration management, and authentication
- Research agenda and interaction—Identification of existing research activities and requirements and rationale for needed research relating to response center activities
- Model of the threat—Development of a basic model that characterizes potential threats and risks to help focus risk reduction activities and progress in those activities
- External issues—Factors that are outside the direct control of the enterprise (e.g., legislation, policy, procedural requirements), but that could affect the operation and effectiveness of enterprise activities
- Postincident evaluation—CIRT assessment of incident response and recommended changes to the CIRT process

3.4.3 Incident Management Response Team Monitoring
Control: The information security function actively monitors CIRT activities and reports incidents and appropriate analyses to direct reports.
3.4.3.3 Review the CIRT’s activities for a representative period.
Determine that:
- The response was timely
- The incident severity met the conditions for the response
- The remediation process closed the issue
- A risk assessment was performed, and a reasonable remediation process was executed
- An impact assessment was completed
- Escalation procedures, including the notification of affected parties, management and legal authorities, were completed in conformance with the escalation policy
- The summary of activities was reported to the appropriate governance committees

3.4.4 Incident Management Assessment
Control: Perform an assurance assessment of the security incident management processes.
3.4.4.1 Determine whether a previous audit/assurance assessment of the incident management process has been performed.
3.4.4.1.1 If an assessment has been performed recently, as defined by internal audit procedures, review the findings of that review and determine whether additional findings, including failure to complete previous open recommendations, are appropriate.
3.4.4.1.2 If an assessment has not been performed, consider using the ISACA Incident Management Audit/Assurance Program to complete a detailed review.
3.4.4.1.3 If an assessment has been performed, but not within the internal audit definition of “recent,” consider reperforming key control processes to update the assessment and provide current findings.

4. INFORMATION SECURITY TECHNOLOGY MANAGEMENT

4.1 Protection of Security Technology
Audit/Assurance Objective: The information security processes ensure that security-related technology is resistant to tampering and that documentation is only accessible to authorized individuals.

4.1.1 Security Technology Policy
Control: The information security function has defined the policies governing specific access control processes.
4.1.1.1 Inquire whether and confirm that policies and procedures have been established to address security breach consequences (specifically to address controls over configuration management, application access, data security and physical security requirements).
4.1.1.2 Obtain the policies concerning security breaches.
4.1.1.3 Determine whether appropriate disciplinary measures have been defined.
4.1.1.4 Inquire whether and confirm that the policies require annual management reviews of security features for physical and logical access to files and data.
4.1.1.5 Obtain the policy documentation.
4.1.1.6 Determine whether the policies require management reviews of security features.
4.1.1.7 Determine how the management review is documented and reported.
4.1.1.8 Determine how follow-up activities are addressed.
4.1.1.9 Inquire whether and confirm that the policies require security design features that facilitate password rules (e.g., maximum length, characters, expiration, reuse).
4.1.1.10 Obtain the policies for password rules.
4.1.1.11 Determine whether the policies are appropriate.
4.1.1.12 Determine whether data classification and job function sensitivity are a component of, and affect, the security design process.

4.1.2 Security Technology Monitoring
Control: Information security monitors the security technology processes to ensure adherence.
4.1.2.1 Inspect the security reports generated by the system tools that prevent network penetration and vulnerability attacks.
4.1.2.2 Verify that information security monitors the information security processes that report access authorization and approvals.
4.1.2.3 Verify that information security monitors the regular management reviews of security features for physical and logical access to files and data.
4.1.2.4 Verify that information security receives summary reports of the activities controlling the granting and approval of access and logging unsuccessful attempts, lockouts, authorized access to sensitive files and/or data, and physical access to facilities. Verify that the information security function investigates repeat offenders and high-risk situations.

4.2 Cryptographic Key Management
Audit/Assurance Objective: Policies and procedures are in place to organize the generation, change, revocation, destruction, distribution, certification, storage, entry, use and archiving of cryptographic keys to ensure the protection of keys against modification and unauthorized disclosure.

4.2.1 Key Management
Control: Key management systems are implemented to protect sensitive information and to implement mutual authentication.
4.2.1.1 Determine whether an encryption key management role has been established to manage the process of reviewing, distributing and disposing of keys.
4.2.1.1.1 Determine whether this role is segregated from other responsibilities and has a trained backup.
4.2.1.2 Assess whether controls over private keys exist to enforce their confidentiality and integrity. Consideration should be given to the following:
- Storage of private signing keys within secure cryptographic devices
- Private keys not exported from a secure cryptographic module
- Private keys backed up, stored and recovered only by authorized personnel using dual control in a physically secured environment
4.2.1.3 Determine whether a defined key life cycle management process exists.
The process should include:
- Minimum key sizes required for the generation of strong keys
- Use of required key generation algorithms
- Identification of required standards for the generation of keys
- Purposes for which keys should be used and restricted
- Allowable usage periods or active lifetimes for keys
- Acceptable methods of key distribution
- Key backup, archival and destruction

4.3 Malicious Software Prevention, Detection and Correction
Audit/Assurance Objective: Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organization to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

4.3.1 Malicious Software Prevention, Detection and Correction Policy
Control: Policies have been implemented to prevent, detect and remove malicious software.
4.3.1.1 Inquire whether and confirm that a malicious software prevention policy is established, documented and communicated throughout the organization.
4.3.1.2 Ensure that policies address the implementation of automated controls to provide virus protection and that violations are appropriately communicated.
4.3.1.3 Inquire whether and confirm that policies require that protection software be centrally distributed (version and patch-level) using a centralized configuration and change management process.
4.3.1.4 Determine whether information security patch management implementation adheres to manufacturer and external/outsourced provider requirements/recommendations.
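As an added illustration of how step 4.2.1.3 above can be tested (example code, not part of the ISACA program), the script below compares a key inventory export with a documented key life cycle policy covering the listed elements: minimum key sizes, approved algorithms, permitted purposes, active lifetimes, distribution methods and destruction of retired keys. The policy values, key records, field names and audit date are all constructed for the example.

```python
"""Audit test for step 4.2.1.3: compare a key inventory export with the documented
key life cycle policy and list the exceptions an auditor would raise.
All policy values, key records and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed policy mirroring the elements step 4.2.1.3 says the process should define.
POLICY = {
    "min_key_bits": {"RSA": 2048, "EC": 256, "AES": 128},        # minimum key sizes
    "allowed_algorithms": {"RSA", "EC", "AES"},                    # required algorithms
    "allowed_purposes": {"signing", "encryption", "key-wrapping"},  # permitted key usages
    "max_active_days": {"signing": 365, "encryption": 730, "key-wrapping": 365},
    "allowed_distribution": {"hsm-internal", "offline-courier", "kms-wrapped"},
    "destroy_within_days": 90,  # a retired key must be destroyed within this window
}


@dataclass
class KeyRecord:
    key_id: str
    algorithm: str
    bits: int
    purpose: str
    created: date
    distribution: str      # how the key material was distributed
    status: str            # "active", "retired" or "destroyed"
    retired_on: Optional[date] = None
    destroyed_on: Optional[date] = None


def check_key(rec: KeyRecord, policy: dict, today: date) -> List[str]:
    """Return the policy exceptions for one key record (an empty list means compliant)."""
    findings = []
    if rec.algorithm not in policy["allowed_algorithms"]:
        findings.append(f"{rec.key_id}: algorithm {rec.algorithm} is not an approved algorithm")
    elif rec.bits < policy["min_key_bits"][rec.algorithm]:
        findings.append(f"{rec.key_id}: {rec.algorithm}-{rec.bits} is below the "
                        f"{policy['min_key_bits'][rec.algorithm]}-bit minimum")
    if rec.purpose not in policy["allowed_purposes"]:
        findings.append(f"{rec.key_id}: purpose {rec.purpose!r} is not a permitted key usage")
    if rec.distribution not in policy["allowed_distribution"]:
        findings.append(f"{rec.key_id}: distribution method {rec.distribution!r} is not acceptable")
    if rec.status == "active":
        # Active lifetime is measured from creation against the usage period for the purpose.
        limit = policy["max_active_days"].get(rec.purpose)
        age = (today - rec.created).days
        if limit is not None and age > limit:
            findings.append(f"{rec.key_id}: active for {age} days, exceeds the {limit}-day usage period")
    if rec.status == "retired" and rec.destroyed_on is None and rec.retired_on is not None:
        # Retired keys that linger undestroyed are a destruction-process exception.
        idle = (today - rec.retired_on).days
        if idle > policy["destroy_within_days"]:
            findings.append(f"{rec.key_id}: retired {idle} days ago but not yet destroyed")
    return findings


def audit_inventory(records: List[KeyRecord], policy: dict, today: date) -> Dict[str, List[str]]:
    """Map each key ID to its findings so every exception can be traced to a record."""
    return {rec.key_id: check_key(rec, policy, today) for rec in records}


# Constructed key inventory export; the audit date is fixed so results are reproducible.
AUDIT_DATE = date(2024, 6, 1)
INVENTORY = [
    KeyRecord("k-001", "RSA", 2048, "signing", date(2023, 9, 1), "hsm-internal", "active"),
    KeyRecord("k-002", "RSA", 1024, "signing", date(2024, 1, 10), "hsm-internal", "active"),
    KeyRecord("k-003", "AES", 256, "encryption", date(2021, 1, 1), "kms-wrapped", "active"),
    KeyRecord("k-004", "EC", 256, "signing", date(2023, 1, 15), "email-attachment", "active"),
    KeyRecord("k-005", "3DES", 168, "encryption", date(2022, 3, 1), "offline-courier", "retired",
              retired_on=date(2024, 1, 15)),
]

if __name__ == "__main__":
    for key_id, findings in audit_inventory(INVENTORY, POLICY, AUDIT_DATE).items():
        print(key_id, "compliant" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Only k-001 passes; the other four records each produce the exception the auditor would record against the corresponding element of step 4.2.1.3.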
4.3.2 Malicious Software Prevention, Detection and Correction Operating Effectiveness
Control: Monitoring processes have been established to report the effectiveness of malicious software controls and the incidents arising from malicious software.
4.3.2.1 Inquire whether key staff members are aware of the malicious software prevention policy and their responsibility for ensuring compliance.
4.3.2.2 From a sample of user workstations, observe whether a virus protection tool has been installed and includes virus definition files, and note the last time the definitions were updated.
4.3.2.3 Review the distribution process against a known, up-to-date inventory to determine the operating effectiveness.
4.3.2.4 Determine the review and evaluation process used by information security to monitor the operating effectiveness of the malicious software filtering process.
4.3.2.4.1 Verify whether there are processes in place for the information security function to assess the competency and training of the malware team to ensure that current threats are addressed.
4.3.2.5 Review the filtering process to determine operating effectiveness, or review the automated process established for filtering purposes.
4.3.2.6 Determine whether routine internal/external vulnerability scans are performed.
4.3.2.6.1 Review the evaluation/assessment process of the scan results.
4.3.2.7.1 Review the evaluation/assessment process of the penetration testing results.

4.4.1.1 Inquire whether and confirm that network security policies (e.g., provided services, allowed traffic, types of connections permitted) have been established with the approval of, and are monitored by, the information security function.
4.4.1.2 Determine whether a previous audit/assurance assessment of the network perimeter process has been performed.
4.3.2.7 Determine whether penetration testing is performed.

4.4.1.2.1 If an assessment has been performed recently, as defined by internal audit procedures, review the findings of that review and determine whether additional findings, including failure to complete previous open recommendations, are appropriate.
4.4.1.2.2 If an assessment has not been performed, consider using the ISACA Network Perimeter Audit/Assurance Program to complete a detailed review.
4.4.1.2.3 If an assessment has been performed, but not within the internal audit definition of “recent,” consider reperforming key control processes to update the assessment and provide current findings.

4.4 Network Security
Audit/Assurance Objective: Information security management is included in the selection, implementation and approval of security techniques and related management procedures (e.g., firewalls, security appliances, network segmentation, intrusion detection) to authorize access and control information flows from and to networks.

4.4.1 Network Security
Control: Information security management is actively involved in, and approves, network security policies.
4.4.1.3 Inquire whether and confirm that information security policies have been implemented such that corporate data is classified according to exposure level and classification scheme (e.g., confidential, sensitive).
4.4.1.4 Determine that sensitive data incidents have been reported to information security management.
4.4.1.4.1 Scan the problem log, identifying sensitive data incidents.
4.4.1.4.2 Trace the incident through the CIRT process to management reports.

4.5 Exchange of Sensitive Data
Audit/Assurance Objective: Information security has approved policies concerning the exchange of sensitive transaction data through a trusted path or medium, with controls to provide authenticity of content, proof of submission, proof of receipt and nonrepudiation of origin. All incidents involving the exchange of sensitive data are reported through the incident reporting system and are directed to the CIRT team.

4.5.1 Exchange of Sensitive Data
Control: Information security management is actively involved in, and approves, the exchange of sensitive data policies.
4.5.1.1 Inquire whether and confirm that policies addressing data transmissions outside the organization require an encrypted format prior to transmission.
4.5.1.2 Inquire whether and confirm that information security policies have been implemented such that corporate data are classified according to exposure level and classification scheme (e.g., confidential, sensitive).
4.5.1.3 Determine that sensitive data incidents have been reported to information security management.
4.5.1.4 Scan the problem log, identifying sensitive data incidents.
4.5.1.5 Trace the incident through the CIRT process to management reports.

VII. Maturity Assessment
The maturity assessment is an opportunity for the reviewer to assess the maturity of the processes reviewed. Based on the results of the audit/assurance review and the reviewer’s observations, assign a maturity level to each of the following COBIT control practices. For each control practice, record the assessed maturity, the target maturity, a reference hyperlink and comments.

DS5.1 Management of IT Security
1. Define a charter for IT security, defining for the security management function:
- Scope and objectives for the security management function
- Responsibilities
- Drivers (e.g., compliance, risk, performance)
2. Confirm that the board, executive management and line management direct the policy development process to ensure that the IT security policy reflects the requirements of the business.
3. Set up an adequate organisational structure and reporting line for information security, ensuring that the security management and administration functions have sufficient authority. Define the interaction with enterprise functions, particularly the control functions such as risk management, compliance and audit.
4. Implement an IT security management reporting mechanism, regularly informing the board and business and IT management of the status of IT security so that appropriate management actions can be taken.

DS5.2 IT Security Plan
1. Define and maintain an overall IT security plan that includes:
- A complete set of security policies and standards in line with the established information security policy framework
- Procedures to implement and enforce the policies and standards
- Roles and responsibilities
- Staffing requirements
- Security awareness and training
- Enforcement practices
- Investments in required security resources
2. Collect information security requirements from IT tactical plans (PO1), data classification (PO2), technology standards (PO3), security and control policies (PO6), risk management (PO9), and external compliance requirements (ME3) for integration into the overall IT security plan.
3. Translate the overall IT security plan into enterprise information security baselines for all major platforms and integrate it into the configuration baseline (DS9).
4. Provide information security requirements and implementation advice to other processes, including the development of SLAs and OLAs (DS1 and DS2), automated solution requirements (AI1), application software (AI2), and IT infrastructure components (AI3).
5. Communicate to all stakeholders and users in a timely and regular fashion on updates of the information security strategy, plans, policies and procedures.

DS5.3 Identity Management
1. Establish and communicate policies and procedures to uniquely identify, authenticate and authorise access mechanisms and access rights for all users on a need-to-know/need-to-have basis, based on predetermined and preapproved roles. Clearly state accountability of any user for any action on any of the systems and/or applications involved.
2. Ensure that roles and access authorisation criteria for assigning user access rights take into account:
- Sensitivity of information and applications involved (data classification)
- Policies for information protection and dissemination (legal, regulatory, internal policies and contractual requirements)
- Roles and responsibilities as defined within the enterprise
- The need-to-have access rights associated with the function
- Standard but individual user access profiles for common job roles in the organisation
- Requirements to guarantee appropriate segregation of duties
3. Establish a method for authenticating and authorising users to establish responsibility and enforce access rights in line with sensitivity of information and functional application requirements and infrastructure components, and in compliance with applicable laws, regulations, internal policies and contractual agreements.
4. Define and implement a procedure for identifying new users and recording, approving and maintaining access rights. This needs to be requested by user management, approved by the system owner and implemented by the responsible security person.
5. Ensure that a timely information flow is in place that reports changes in jobs (i.e., people in, people out, people change). Grant, revoke and adapt user access rights in co-ordination with human resources and user departments for users who are new, who have left the organisation, or who have changed roles or jobs.

DS5.4 User Account Management
1. Ensure that access control procedures include but are not limited to:
- Using unique user IDs to enable users to be linked to and held accountable for their actions
- Awareness that the use of group IDs results in the loss of individual accountability, and that group IDs are permitted only when justified for business or operational reasons and compensated by mitigating controls. Group IDs must be approved and documented
- Checking that the user has authorisation from the system owner for the use of the information system or service, and that the level of access granted is appropriate to the business purpose and consistent with the organisational security policy
- A procedure to require users to understand and acknowledge their access rights and the conditions of such access
- Ensuring that internal and external service providers do not provide access until authorisation procedures have been completed
- Maintaining a formal record, including access levels, of all persons registered to use the service
- A timely and regular review of user IDs and access rights
2. Ensure that management reviews or reallocates user access rights at regular intervals using a formal process. User access rights should be reviewed or reallocated after any job changes, such as transfer, promotion, demotion or termination of employment. Authorisations for special privileged access rights should be reviewed independently at more frequent intervals.

DS5.5 Security Testing, Surveillance and Monitoring
1. Implement monitoring, testing, reviews and other controls to:
- Promptly prevent/detect errors in the results of processing
- Promptly identify attempted, successful and unsuccessful security breaches and incidents
- Detect security events and thereby prevent security incidents by using detection and prevention technologies
- Determine whether the actions taken to resolve a breach of security are effective
2. Conduct effective and efficient security testing procedures at regular intervals to:
- Verify that identity management procedures are effective
- Verify that user account management is effective
- Validate that security-relevant system parameter settings are defined correctly and are in compliance with the information security baseline
- Validate that network security controls/settings are configured properly and are in compliance with the information security baseline
- Validate that security monitoring procedures are working properly
- Consider, where necessary, obtaining expert reviews of the security perimeter

DS5.6 Security Incident Definition
1. Describe what a security incident is considered to be. Document within the characteristics a limited number of impact levels to allow commensurate response. Communicate and distribute this information, or relevant parts thereof, to identified people who need to be notified.
2. Ensure that security incidents and appropriate follow-up actions, including root cause analysis, follow the existing incident and problem management processes.
3. Define measures to protect confidentiality of information related to security incidents.

DS5.7 Protection of Security Technology
1. Ensure that all hardware, software and facilities related to the security function and controls, e.g., security tokens and encryptors, are tamperproof.
2. Secure security documentation and specifications to prevent unauthorised access. However, do not make security of systems reliant solely on secrecy of security specifications.
3. Make the security design of dedicated security technology (e.g., encryption algorithms) strong enough to resist exposure, even if the security design is made available to unauthorised individuals.
4. Evaluate the protection mechanisms on a regular basis (at least annually) and perform updates to the protection of the security technology, if necessary.

DS5.8 Cryptographic Key Management
1. Ensure that there are appropriate procedures and practices in place for the generation, storage and renewal of the root key, including dual custody and observation by witnesses.
2. Make sure that procedures are in place to determine when a root key renewal is required (e.g., the root key is compromised or expired).
3. Create and maintain a written certification practice statement that describes the practices that have been implemented in the certification authority, registration authority and directory when using a public-key-based encryption system.
4. Create cryptographic keys in a secure manner. When possible, enable only individuals not involved with the operational use of the keys to create the keys. Verify the credentials of key requestors (e.g., registration authority).
5. Ensure that cryptographic keys are distributed in a secure manner (e.g., offline mechanisms) and stored securely, that is:
- In an encrypted form regardless of the storage media used (e.g., write-once disk with encryption)
- With adequate physical protection (e.g., sealed, dual custody vault) if stored on paper
6. Create a process that identifies and revokes compromised keys. Notify all stakeholders as soon as possible of the compromised key.
7. Verify the authenticity of the counterparty before establishing a trusted path.

DS5.9 Malicious Software Prevention, Detection and Correction
1. Establish, document, communicate and enforce a malicious software prevention policy in the organisation. Ensure that people in the organisation are aware of the need for protection against malicious software, and their responsibilities relative to same.
2. Install and activate malicious software protection tools on all processing facilities, with malicious software definition files that are updated as required (automatically or semiautomatically).
3. Distribute all protection software centrally (version and patch-level) using centralised configuration and change management.
4. Regularly review and evaluate information on new potential threats.
5. Filter incoming traffic, such as e-mail and downloads, to protect against unsolicited information (e.g., spyware, phishing e-mails).

DS5.10 Network Security
1. Establish, maintain, communicate and enforce a network security policy (e.g., provided services, allowed traffic, types of connections permitted) that is reviewed and updated on a regular basis (at least annually).
2. Establish and regularly update the standards and procedures for administering all networking components (e.g., core routers, DMZ, VPN switches, wireless).
3. Properly secure network devices with special mechanisms and tools (e.g., authentication for device management, secure communications, strong authentication mechanisms). Implement active monitoring and pattern recognition to protect devices from attack.
4. Configure operating systems with minimal features enabled (e.g., features that are necessary for functionality and are hardened for security applications). Remove all unnecessary services, functionalities and interfaces (e.g., graphical user interface [GUI]). Apply all relevant security patches and major updates to the system in a timely manner.
5. Plan the network security architecture (e.g., DMZ architectures, internal and external network, IDS placement and wireless) to address processing and security requirements. Ensure that documentation contains information on how traffic is exchanged through systems and how the structure of the organisation’s internal network is hidden from the outside world.
6. Subject devices to reviews by experts who are independent of the implementation or maintenance of the devices.

DS5.11 Exchange of Sensitive Data
1. Determine by using the established information classification scheme how the data should be protected when exchanged.
2. Apply appropriate application controls to protect the data exchange.
3. Apply appropriate infrastructure controls, based on information classification and technology in use, to protect the data exchange.

VIII. Assessment Maturity vs. Target Maturity
This spider graph is an example of the assessment results and maturity target for a specific company.
[Spider graph: assessed maturity versus target maturity on a 0 to 5 scale, with one axis per COBIT control practice: DS5.1 Management of IT Security, DS5.2 IT Security Plan, DS5.3 Identity Management, DS5.4 User Account Management, DS5.5 Security Testing and Monitoring, DS5.6 Security Incident Definition, DS5.7 Protection of Security Technology, DS5.8 Cryptographic Key Management, DS5.9 Malicious Software Management, DS5.10 Network Security, DS5.11 Exchange of Sensitive Data. Series: Assessment, Target.]