Auditing in CIS Environment DISCUSSION 13


Subject: AUDITING IN CIS ENVIRONMENT

VIDEO DISCUSSION 13

Security and Service Community

During an audit of an operating system and the other software that runs on it, it is critical that the auditor develop a rational and reasonable audit program: one that supports the assessment of that software and that backs the audit's findings and recommendations.

Information Systems Security

Preserving a suitable degree of security is one of the many elements of both knowledge management and information management systems. The objective of information security is to support the achievement of the firm's business goals.
CONFIDENTIALITY

 Protecting information from unauthorized access is essential for maintaining the company's image and complying with privacy laws; a security breach can lead to unauthorized access to, or disclosure of, sensitive data to competitors or the public.

AVAILABILITY

 Maintaining information systems in support of business processes; this is important in maintaining operational efficiency and effectiveness.

 The possible risks to availability include significant disruption or failure of information systems, including loss of the ability to process business and crashes of systems due to a variety of causes, such as catastrophes, viruses, or sabotage.

INTEGRITY

 The correctness and completeness of information; this is important in maintaining the quality of information for decision making.

 The possible risks to information integrity include security breaches that allow unauthorized access to information systems, resulting either in corrupted information or in fraud or misuse of company information or systems.

Security Threats & Risks

 Expanding computer use has resulted in serious abuses of data communications systems. Computer hackers, and sometimes employees, use an organization's data communications system to tamper with the organization's data, destroying information, introducing fraudulent records, and stealing assets with the touch of a few keys.

The most common techniques used to commit cybercrimes are the following:
 Spamming - the sending of unsolicited e-mail advertising for products, services, and Websites.

 Phishing - a high-tech scam that frequently uses spam or pop-up messages to deceive people into disclosing their sensitive information.

 Spoofing - creating a fraudulent Website that mimics an actual, well-known Website run by another party.

 Pharming - a method used by phishers to deceive users into believing that they are communicating with a legitimate Website, typically by tampering with DNS resolution or the local hosts file so that the legitimate domain name resolves to the attacker's server; unlike phishing, the victim does not need to click a bad link.
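Hosts-file tampering is one of the classic ways pharming is done on an individual machine: the OS consults the hosts file before DNS, so one added line sends a correctly typed bank domain to the attacker's server. The script below is an added example, not part of the original notes, that an auditor could run against a workstation's hosts file to surface such entries. The sample hosts file, the monitored domain list and the 203.0.113.45 address are constructed for the example.

```python
"""Hosts-file pharming check.

Parses a hosts file and reports every entry that maps a monitored domain
(or a subdomain of it) to any address. A mapping to a routable address is
classic pharming ('redirect'); a mapping to loopback/0.0.0.0 breaks the
name instead of impersonating it ('blackhole')."""
import ipaddress
import sys

# Constructed sample hosts file for the example. The examplebank.com lines
# are what a hosts-file pharming attack typically leaves behind.
SAMPLE_HOSTS = """\
# Standard local entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.10.20   intranet.example.com        # legitimate internal override
203.0.113.45    www.examplebank.com examplebank.com   # attacker's server
203.0.113.45    LOGIN.examplebank.com
0.0.0.0         ads.example-payroll.com     # blackholed, not redirected
"""

# Domains the organisation cares about (assumption for the example).
MONITORED = {"examplebank.com", "example-payroll.com"}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file.

    Handles blank lines, full-line and trailing '#' comments, several
    hostnames on one line, IPv4 and IPv6, and skips lines whose first token
    is not a valid address instead of crashing on them."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; a stricter audit would report it
        for host in fields[1:]:
            yield lineno, ip, host.lower()


def is_monitored(hostname, monitored):
    """True if hostname equals a monitored domain or is a subdomain of one.

    The comparison is on label boundaries, so 'notexamplebank.com' does
    not match 'examplebank.com'."""
    return any(hostname == d or hostname.endswith("." + d) for d in monitored)


def find_hijacks(text, monitored=MONITORED):
    """Return a list of findings, one per monitored hostname in the file."""
    findings = []
    for lineno, ip, host in parse_hosts(text):
        if not is_monitored(host, monitored):
            continue
        kind = "blackhole" if (ip.is_loopback or ip.is_unspecified) else "redirect"
        findings.append({"line": lineno, "ip": str(ip), "host": host, "kind": kind})
    return findings


if __name__ == "__main__":
    # Usage: python hosts_check.py /etc/hosts   (or the Windows hosts path)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS  # no path given: run against the constructed sample
    for f in find_hijacks(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```

Run with no argument it reports the three redirect entries and the one blackhole entry in the constructed sample; pointed at a real hosts file it reports only names in MONITORED, so the legitimate intranet override on line 4 is not a finding. A hosts file is only one pharming vector; the same names should also be resolved through the configured DNS servers and compared against a known-good answer.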

Security Standards Framework

 Security standards and guidelines provide a framework for implementing comprehensive security processes and controls.
 The International Organization for Standardization (ISO) is the world's largest developer and publisher of international standards. Its information security standard is intended to provide a guide for the development of "organizational security standards and effective security management practices and to help build confidence in inter-organizational activities".
 The National Institute of Standards and Technology (NIST) focuses on developing tests, measurements, proofs of concept, reference data, and other technical tools to support the development of pivotal, forward-looking technology.
 ISO 27002 standard (formerly ISO 17799) - a code of practice for information security. It outlines hundreds of potential controls and control mechanisms in 12 major sections; the ten areas listed below follow the structure of the original ISO 17799 edition.

The 10 Areas Covered by the ISO 27002 Standards


 Security Policy. Adopting a security policy that outlines an organization's expectations for security; this demonstrates management's support of and commitment to security.
 Security Organization. Having a management structure for security, including appointing security coordinators, delegating security management responsibilities, and establishing a security incident response process.
 Asset Classification and Control. Conducting a detailed assessment and inventory of an organization's information infrastructure and information assets to determine an appropriate level of security.
 Personnel Security. Making security a key component of human resources and business operations.
 Physical and Environmental Security. Establishing a policy that protects the IT infrastructure, physical plant, and employees.
 Communications and Operations Management. Preventing security incidents by implementing preventive measures such as using anti-virus protection, maintaining and monitoring logs, securing remote connections, and having incident response procedures.
 Access Control. Protecting against internal abuses and external intrusions by controlling access to network and application resources through measures such as password management, authentication, and event logging.
 Systems Development and Maintenance. Ensuring that security is an integral part of any network deployment or expansion and that existing systems are properly maintained.
 Business Continuity Management. Planning for disasters, natural and man-made, and recovering from them.
 Compliance. Complying with any applicable regulatory and legal requirements.

Information Security Controls

As the number of online threats continues to rise, businesses must take security seriously and find solutions as soon as possible. To effectively combat these threats, they must first carefully design and develop a good security plan, which they must then fully implement and enforce. When investing in security, they must consider and value its long-term effectiveness rather than the immediate savings from cutting security investments.

Management Controls
 Computer security policy
 Computer security risk management
 Security and planning in the computer system life cycle
 Assurance

Operational Controls
 Personnel/user issues
 Preparing for contingencies and disasters
 Computer security incident handling
 Awareness, training and education
 Security considerations in computer support and operations
 Physical and environmental security

Technical Controls
 Identification and authentication
 Logical access control
 Audit trails
 Cryptography
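The "audit trails" technical control above, the "maintaining and monitoring logs" measure under Communications and Operations Management, and the integrity objective earlier in these notes all depend on the same property: an auditor must be able to tell whether the trail itself has been altered. The code below is an added example, not part of the original notes, of a tamper-evident audit log. It chains every entry to the previous one with an HMAC, so an edited or deleted record is detected at verification time, and it also shows the one case a chain alone cannot catch. The key, the event records and the AP-invoice scenario are constructed for the example.

```python
"""Tamper-evident audit trail.

Every record is tagged with an HMAC over (previous tag, sequence number,
canonical record). Editing, deleting or reordering any earlier record
changes the expected tag of that record and of every record after it, so
verification reports the first entry that no longer matches."""
import copy
import hashlib
import hmac
import json

# Constructed key for the example. In production the verification key is
# held by the auditor or a KMS, not by the application that writes the log.
VERIFY_KEY = b"constructed-example-key-not-for-production"
GENESIS_TAG = "0" * 64  # 'previous tag' for the first entry

# Constructed sample events resembling an accounts-payable workflow.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00Z", "user": "jdoe", "action": "logon", "outcome": "success"},
    {"ts": "2024-03-01T08:04:12Z", "user": "jdoe", "action": "update",
     "table": "ap_invoices", "id": 4471, "amount": 1250.00},
    {"ts": "2024-03-01T08:05:30Z", "user": "admin", "action": "grant_role",
     "target": "jdoe", "role": "ap_approver"},
    {"ts": "2024-03-01T08:06:02Z", "user": "jdoe", "action": "approve",
     "table": "ap_invoices", "id": 4471},
]


def _tag(key, seq, prev_tag, record):
    """HMAC-SHA256 over prev tag || fixed-width seq || canonical JSON record."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    mac.update(prev_tag.encode())
    mac.update(seq.to_bytes(8, "big"))  # fixed width: no ambiguity at field boundaries
    mac.update(json.dumps(record, sort_keys=True, separators=(",", ":")).encode())
    return mac.hexdigest()


def append(log, record, key=VERIFY_KEY):
    """Append record to log (a list of entries) and return the new entry."""
    seq = len(log)
    prev = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": seq, "prev": prev, "record": record,
             "tag": _tag(key, seq, prev, record)}
    log.append(entry)
    return entry


def verify(log, key=VERIFY_KEY):
    """Return (True, None) if the chain is intact, else (False, index of the
    first entry whose sequence, back-link or tag does not check out)."""
    prev = GENESIS_TAG
    for i, entry in enumerate(log):
        expected = _tag(key, i, prev, entry["record"])
        if (entry["seq"] != i or entry["prev"] != prev
                or not hmac.compare_digest(expected, entry["tag"])):
            return False, i
        prev = entry["tag"]
    return True, None


def build_sample_log(key=VERIFY_KEY):
    log = []
    for rec in SAMPLE_EVENTS:
        append(log, rec, key)
    return log


def tamper_cases(key=VERIFY_KEY):
    """Exercise the verifier against the kinds of tampering an audit is meant
    to surface, plus one it cannot see on its own."""
    good = build_sample_log(key)
    results = {"intact": verify(good, key)}

    edited = copy.deepcopy(good)
    edited[1]["record"]["amount"] = 125000.00  # silently change a posted amount
    results["edited"] = verify(edited, key)

    deleted = copy.deepcopy(good)
    del deleted[2]  # remove the role grant that made the approval possible
    results["deleted"] = verify(deleted, key)

    truncated = copy.deepcopy(good)[:2]  # drop the tail: the grant and the approval
    results["truncated"] = verify(truncated, key)
    # Truncation leaves a valid but shorter chain. It is only caught by comparing
    # the final tag with one anchored outside the log, e.g. the tag the auditor
    # recorded at the previous checkpoint.
    results["truncated_matches_anchor"] = hmac.compare_digest(
        truncated[-1]["tag"], good[-1]["tag"])
    return results


if __name__ == "__main__":
    for name, outcome in tamper_cases().items():
        print(f"{name:26} {outcome}")
```

The edited and deleted cases fail at the first affected entry; the truncated log verifies cleanly, which is why a practical control periodically records the latest tag somewhere the log writer cannot reach (a separate system, a WORM store, or the auditor's working papers) and compares against it.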

Information Owners Responsibilities

Information owners are the department managers, senior management, or their designees within the organization who bear the responsibility for the acquisition, development, and maintenance of production applications that process information.

Information Custodian Responsibilities

Custodians are in physical or logical possession of either organization information or information that has been entrusted to the organization. IT staff members clearly are custodians, and local system administrators are custodians as well.

Information Classification Designations

In the realm of information security, it is well understood that not all information is treated equally. Security is expensive and we must layer controls to ensure our most critical information is protected. This is where data classification comes in.

 Public. This information is public, and can be openly shared on your website, discussed in public and with anyone. Public information, as the name implies, does not require any additional controls when used.

 Internal. Internal information is company-wide and should be protected with limited controls. Internal information may include the employee handbook, various policies and company-wide memos. If disclosed, internal information has a minimal impact on the business.

 Confidential. Confidential information is team-wide and its use should be contained within the business. This information may include pricing, marketing materials, or contact information. If disclosed, confidential information could negatively affect your business and ultimately your brand.

 Restricted. Restricted information is highly sensitive and its use should be limited on a need-to-know basis. Restricted information is typically protected with a Non-disclosure Agreement (NDA) to minimize legal risk. Restricted information includes trade secrets, personally identifiable information (PII), cardholder data (credit cards), or health information. If disclosed, there would be a significant financial or legal impact on the business.

Contingency and Disaster Recovery Planning

 The contingency plan or disaster recovery plan is an important tool for a business. It is a survival tool to help a business recover in the wake of an event that disrupts normal business operations. It requires significant resources to develop. Should a disaster occur, the payoff is to recover without significant business or operations downtime and loss.

 The first step in disaster recovery planning is identifying who is responsible for distributed disaster recovery. Responsibility for recovery depends on who has control over the hardware, software and data. In most cases, IT and users must work together to identify the critical information and resources that will need to be recovered in the event of a disaster. The plan should address both partial and total destruction of computing resources.

Written and Mission Statement for Disaster Recovery Plan

 Once the plan is done, all members of the organization should be familiar with it, so that in an emergency staff members can readily execute their designated roles in the plan.

 Exercising the plan confirms that efforts are not duplicated and all the necessary steps are taken. It is important to have a written disaster recovery plan with detailed steps, as individuals unfamiliar with the process may need to perform the disaster recovery in a real emergency.
DRP Tests and Drills

Disaster simulation drills or tests are used to test the staffing, management, and decision making of both the technical and procedural aspects of an organization's disaster recovery plan.

1. Begin testing with desk checks, inspections, and walk-throughs.

2. Next, simulate a disaster at a convenient time (during a slow period in the day). Personnel might also be given prior notice of the test so that they are prepared.

3. Finally, simulate a disaster without warning.
