
Domain 5

Protection of Information Assets


Domain 5

Provide assurance that the enterprise’s
security policies, standards, procedures
and controls ensure the confidentiality,
integrity and availability (CIA) of
information assets.
Domain 5
 The focus of Domain 5 is the need for protecting
information assets through the evaluation of
design, implementation and monitoring of
controls.
Domain Objectives
 The objective of this domain is to ensure that the CISA
candidate understands the following:
o Elements of information security management
o Logical entry points into a system
o Identification and authentication practices
o Network infrastructure security
o Importance of OS and software maintenance
o Environmental exposures
o Risks from mobile devices, social media and cloud
computing
On the CISA Exam
 Domain 5 represents 27% of the questions on the CISA
exam (approximately 40 questions).
Domain Tasks
 5.1 Evaluate the information security and privacy policies,
standards and procedures for completeness, alignment with
generally accepted practices and compliance with applicable
external requirements.
 5.2 Evaluate the design, implementation, maintenance,
monitoring and reporting of physical and environmental
controls to determine whether information assets are
adequately safeguarded.
 5.3 Evaluate the design, implementation, maintenance,
monitoring and reporting of system and logical security
controls to verify the confidentiality, integrity and availability of
information.
Domain Tasks (cont’d)
 5.4 Evaluate the design, implementation and monitoring of the
data classification processes and procedures for alignment
with the organization’s policies, standards, procedures and
applicable external requirements.
 5.5 Evaluate the processes and procedures used to store,
retrieve, transport and dispose of assets to determine whether
information assets are adequately safeguarded.
 5.6 Evaluate the information security program to determine its
effectiveness and alignment with the organization’s strategies
and objectives.
Task 5.1

Evaluate the information security and
privacy policies, standards and
procedures for completeness, alignment
with generally accepted practices and
compliance with applicable external
requirements.
Key Terms
Privacy: The rights of an individual to trust that others will appropriately and respectfully use, store, share and dispose of his/her associated personal and sensitive information within the context, and according to the purposes, for which it was collected or derived. What is appropriate depends on the associated circumstances, laws and the individual’s reasonable expectations. An individual also has the right to reasonably control and be aware of the collection, use and disclosure of his/her associated personal and sensitive information.
Key Terms (cont’d)
Security awareness: The extent to which every member of an enterprise and every other individual who potentially has access to the enterprise’s information understand:
• Security and the levels of security appropriate to the enterprise
• The importance of security and consequences of a lack of security
• His/her individual responsibilities regarding security (and act accordingly)
This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), London, 1993.
Task to Knowledge Statements
How does Task 5.1 relate to each of the following
knowledge statements?
K5.1 Knowledge of generally accepted practices and applicable external requirements (e.g., laws, regulations) related to the protection of information assets
Connection: The IS auditor must understand key elements of information security management and the critical success factors for information security management.
K5.2 Knowledge of privacy principles
Connection: The IS auditor must have an understanding of privacy principles and knowledge of privacy laws and regulations. The IS auditor must also understand how compliance is assured.
Task to Knowledge Statements (cont’d)
How does Task 5.1 relate to each of the following
knowledge statements?
K5.3 Knowledge of the techniques for the design, implementation, maintenance, monitoring and reporting of security controls
Connection: The IS auditor must understand the different types of controls (preventive, detective and corrective) and when to apply them.
K5.6 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
Connection: Throughout all IS audits, the IS auditor must have a keen understanding of key elements of logical access controls.
Security Objectives
 Security objectives to meet an organization’s business
requirements should ensure the following:
o Continued availability of information systems and data
o Integrity of the information stored on computer systems
and while in transit
o Confidentiality of sensitive data is preserved while stored
and in transit
o Conformity to applicable laws, regulations and standards
o Adherence to trust and obligation requirements in relation
to any information relating to an identified or identifiable
individual (i.e., data subject) in accordance with internal
privacy policy or applicable privacy laws and regulations
o Adequate protection for sensitive data while stored and
when in transit, based on organizational requirements
Information Security Management
 Information security management is the most critical
factor in protecting information assets and privacy.
 Key elements include:
o Senior management leadership, commitment and support
o Policies and procedures
o Organization
o Security awareness and education
ISMS
 An information security management system (ISMS) is a
framework of policies, procedures, guidelines and
associated resources to establish, implement, operate,
monitor, review, maintain and improve information
security for all types of organizations.
ISMS (cont’d)
 An ISMS is defined in these guidelines and standards:
o ISO/IEC 2700X—Guidance for managing information
security in specific industries and situations
o ISO/IEC 27000—Defines the scope and vocabulary
and establishes the basis for certification
o ISO/IEC 27001—Formal set of specifications against
which organizations may seek independent
certification of their information security management
system
o ISO/IEC 27002—Structured set of suggested controls
to address information security risk
ISM Roles
o Information security steering committee
o Executive management
o Security advisory group
o Chief privacy officer (CPO)
o Chief information security officer (CISO)
o Chief security officer (CSO)
o Process owners
o Information asset owners and data owners
o Users
o External parties
o Information security administrator
o Security specialist/advisors
o IT developers
o IS auditors
Privacy
 Privacy means freedom from unauthorized intrusion or
disclosure of information about an individual (also
referred to as a “data subject”).
 Management should perform a privacy impact analysis.
Privacy (cont’d)
 The IS auditor may be asked to support or perform this
assessment, which should:
o Pinpoint the nature of personally identifiable information
associated with business processes.
o Document the collection, use, disclosure and destruction
of personally identifiable information.
o Ensure that accountability for privacy issues exists.
o Identify legislative, regulatory and contractual
requirements for privacy.
o Be the foundation for informed policy, operations and
system design decisions based on an understanding of
privacy risk and the options available for mitigating that
risk.
Human Resources Security
 Security roles and responsibilities of employees,
contractors and third-party users should be defined and
documented in accordance with the organization’s
information security policy.
Human Resources Security (cont’d)
 Human resources-related security practices include the
following:
o Security responsibilities should be addressed prior to
employment in adequate job descriptions, and in terms
and conditions of employment.
o All candidates for employment, contractors and third-party
users should be adequately screened, especially for
sensitive jobs.
o Employees, contractors and third-party users of
information processing facilities should sign an agreement
on their security roles and responsibilities, including the
need to maintain confidentiality.
o When an employee, contractor or third-party user exits the
organization, procedures should be in place to remove
access rights and return all equipment.
Third Party Access
 Third party access to an organization’s information
processing facilities and processing and communication
of information must be controlled.
 These controls must be agreed to and defined in a
contract with the third party.
Third Party Access (cont’d)
 Some recommended contract terms include:
o Compliance with the organization’s information security
policy
o A clear reporting structure and agreed reporting formats
o A clear and specified process for change management
o An access control policy
o Arrangements for reporting, notifying and investigating
information security incidents and security breaches
o Service continuity requirements
o The right to monitor and revoke any activity related to the
organization’s assets
Security Controls
 An effective control is one that prevents, detects, and/or
contains an incident and enables recovery from an
event.
 Controls can be:
o Proactive (safeguards): controls that attempt to prevent an incident
o Reactive (countermeasures): controls that allow the detection, containment and recovery from an incident
Security Awareness Training
 An active security awareness program can greatly
reduce risk by addressing the behavioral element of
security through education and consistent application of
awareness techniques.
 All employees of an organization and third-party users
must receive appropriate training and regular updates on
the importance of security policies, standards and
procedures in the organization.
 In addition, all personnel must be trained in their specific
responsibilities related to information security.
Control Methods
o Managerial: Controls related to the oversight, reporting, procedures and operations of a process. These include policy, procedures, balancing, employee development and compliance reporting.
o Technical: Controls, also known as logical controls, that are provided through the use of technology, a piece of equipment or a device. Examples include firewalls, network or host-based intrusion detection systems (IDSs),
o Physical: Controls that are locks, fences, closed-circuit TV (CCTV) and devices that are
Control Monitoring
 To ensure controls are effective and properly monitored,
the IS auditor should:
o Validate that processes, logs and audit hooks have
been placed into the control framework.
o Ensure that logs are enabled, controls can be tested
and regular reporting procedures are developed.
o Ensure that control monitoring is built into the control
design.
System Access Permission
 System access permission generally refers to a technical
privilege, such as the ability to read, create, modify or delete a
file or data; execute a program; or open or use an external
connection.
 System access to computerized information resources is
established, managed and controlled at the physical and/or
logical level.
o Physical access controls restrict the entry and exit of personnel to an area, such as an office building, suite, data center or room, containing information processing equipment.
o Logical access controls restrict the logical resources of the system (transactions, data, programs, applications) and are applied when the subject resource is needed.
System Access Reviews
 Roles should be assigned by the information owner or
manager.
 Access authorization should be regularly reviewed to
ensure they are still valid.
 The IS auditor should evaluate the following criteria for
defining permissions and granting access:
o Need-to-know
o Accountability
o Traceability
o Least privilege
o SoD
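The review criteria above (need-to-know, accountability, least privilege, SoD) are what an auditor tests when re-performing an access review. The following is an added example for this page, not ISACA material or a tool the page describes: it takes an owner-approved entitlement list and a segregation-of-duties conflict matrix (both constructed here for illustration, as are the user names, role names and dates) and produces the findings an IS auditor would expect from a periodic access review: conflicting role combinations, disabled users still holding roles, and assignments whose last owner re-certification is older than the review cycle.

```python
"""Access review check: SoD conflicts, leavers with access, stale certifications.

Added example for this page (not ISACA code). All users, roles, dates and
the conflict matrix are constructed for illustration.
"""
from datetime import date

# Constructed: pairs of roles that no single person may hold together (SoD).
SOD_CONFLICTS = {
    frozenset({"vendor_master_maintain", "payment_release"}),
    frozenset({"developer", "production_deploy"}),
    frozenset({"journal_entry", "journal_approve"}),
}

# Constructed: roles approved by the information owner for each user and the
# date the owner last re-certified them; 'active' is the HR/IdM status.
ENTITLEMENTS = [
    {"user": "alice", "roles": {"journal_entry"},
     "reviewed": date(2024, 1, 15), "active": True},
    {"user": "bob", "roles": {"vendor_master_maintain", "payment_release"},
     "reviewed": date(2024, 2, 1), "active": True},
    {"user": "carol", "roles": {"developer", "production_deploy"},
     "reviewed": date(2022, 6, 30), "active": True},
    {"user": "dave", "roles": {"journal_approve"},
     "reviewed": date(2023, 12, 1), "active": False},
]

# Constructed audit date so the example is reproducible offline.
AUDIT_DATE = date(2024, 6, 1)
MAX_REVIEW_AGE_DAYS = 365  # assumed annual re-certification cycle


def sod_violations(roles):
    """Return the conflicting role pairs (sorted tuples) present in one role set."""
    return sorted(tuple(sorted(pair)) for pair in SOD_CONFLICTS if pair <= roles)


def review_access(entitlements, today, max_review_age_days=MAX_REVIEW_AGE_DAYS):
    """Return findings as (user, finding_type, detail) tuples."""
    findings = []
    for e in entitlements:
        if not e["active"]:
            # Leaver/disabled account still holding roles: removal procedure failed.
            findings.append((e["user"], "inactive_with_access", sorted(e["roles"])))
        for pair in sod_violations(e["roles"]):
            findings.append((e["user"], "sod_conflict", pair))
        age_days = (today - e["reviewed"]).days
        if age_days > max_review_age_days:
            # Authorization not re-validated within the cycle: may no longer be valid.
            findings.append((e["user"], "stale_review", age_days))
    return findings


def run_review():
    """Run the review over the constructed data with the constructed audit date."""
    return review_access(ENTITLEMENTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, kind, detail in run_review():
        print(f"{user:6} {kind:22} {detail}")
```

In a real engagement the entitlement list is exported from the target system (ERP role assignments, directory group membership) and the conflict matrix comes from the organization's SoD policy; the auditor compares the tool's output against the owner's signed review to see whether these findings were identified and acted on.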
In the Big Picture
Task 5.1: Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
The Big Picture: The foundation of information security is based on well-aligned security management policies and procedures.
Task 5.1 Activity
 During your ERP upgrade audit, you identify the
following findings:
1. Logical access controls to the administrative
application server accounts are comprised of
non-complex single factor authentication with
password length required to be six characters
changed every 360 days.
2. There was no policy in place for Classification of
Information Assets.
 What is the purpose of assigning classes or levels of
sensitivity and criticality to information resources and
establishing specific security rules for each class?
Discussion Question
An information security policy stating that “the display of
passwords must be masked or suppressed” addresses
which of the following attack methods?
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation
Discussion Question
With the help of a security officer, granting access to data is
the responsibility of:
A. data owners.
B. programmers.
C. system analysts.
D. librarians.
Task 5.2

Evaluate the design, implementation,
maintenance, monitoring and reporting
of physical and environmental controls
to determine whether information assets
are adequately safeguarded.
Key Terms
Environmental exposures: Environmental exposures are due primarily to naturally occurring events such as lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather conditions.
Task to Knowledge Statements
How does Task 5.2 relate to each of the following
knowledge statements?
K5.4 Knowledge of physical and environmental controls and supporting practices related to the protection of information assets
Connection: The IS auditor needs to understand the common types of environmental controls and good practices for their deployment and periodic testing.
K5.5 Knowledge of physical access controls for the identification, authentication and restriction of users to authorized facilities and hardware
Connection: The IS auditor must understand physical access controls and their potential for circumvention.
Task to Knowledge Statements (cont’d)
How does Task 5.2 relate to each of the following
knowledge statements?
K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
Connection: Key to an IS auditor’s understanding of physical security effectiveness is the methodology used to test the physical security controls.
Physical Access Issues
 Physical access exposures may originate from natural and
man-made hazards, and can result in unauthorized
access and interruptions in information availability.
 Exposures include:
Unauthorized entry
Damage, vandalism or theft to equipment or documents
Copying or viewing of sensitive or copyrighted information
Alteration of sensitive equipment and information
Public disclosure of sensitive information
Abuse of data processing resources
Blackmail
Embezzlement
Physical Access Controls
o Door locks (cipher, biometric, bolted, electronic)
o Manual or electronic logging
o Identification badges
o CCTV
o Security guards
o Controlled visitor access
o Computer workstation locks
o Controlled single entry point
o Alarm system
o Deadman doors
Physical Access Audit
 The IS auditor should begin with a tour of the site and
then test physical safeguards.
 Physical tests can be completed through visual
observations and review of documents such as fire
system tests, inspection tags and key lock logs.
Physical Access Audit (cont’d)
 The test should include all paths of physical entry, as
well as the following locations:
o Computer and printer rooms
o UPS/generator
o Operator consoles
o Computer storage rooms
o Communication equipment
o Offsite backup storage facility
o Media storage
Environmental Exposures
 Environmental exposures are due primarily to naturally
occurring events.
 Common environmental exposures include:
o Power failure: total failure (blackout); severely reduced voltage (brownout); sags, spikes and surges; electromagnetic interference (EMI)
o Water damage/flooding
o Manmade concerns: terrorist threats/attacks; vandalism; equipment failure
Environmental Controls
 Environmental exposures should be afforded the same
level of protection as other types of exposures. Possible
controls include:
o Alarm control panels
o Water detectors
o Fire extinguishers
o Fire alarms and smoke detectors
o Fire suppression systems
o Fireproof and fire-resistant building and office materials
o Strategically located computer rooms
o Electrical surge protectors
o Uninterruptible power supply/generator
Environmental Control Audit
 The IS auditor should first establish the environmental risk by
assessing the location of the data center.
 In addition, the IS auditor should verify that the following
safeguards are in place:
o Water and smoke detectors
o Strategic and visible location of handheld fire extinguishers
o Fire suppression system documentation and inspection by
fire department
o UPS/generator test reports
o Electrical surge protectors
o Documentation of fireproof building materials, use of
redundant power lines and wiring located in fire-resistant
panels
o Documented and tested emergency evacuation plans and
BCPs
o Humidity and temperature controls
In the Big Picture
Task 5.2: Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
The Big Picture: Physical security and environmental controls are the first line of defense in protecting assets from loss.
Task 5.2 Activity
 The director of facility operations has asked the IS audit
team to perform a gap analysis of the current policies
and procedures at the headquarters building that also
houses the primary data center. You find that policies
and procedures are currently focused on operations and
maintenance contracting activities.
 What is an example of an environmental exposure that
controls should be in place to mitigate?
 What would be a means to perform penetration testing of
physical controls?
Discussion Question
Which of the following environmental controls is appropriate
to protect computer equipment against
short-term reductions in electrical power?
A. Power line conditioners
B. Surge protective devices
C. Alternative power supplies
D. Interruptible power supplies
Discussion Question
An IS auditor is reviewing the physical security measures of an
organization. Regarding the access card system, the IS auditor
should be MOST concerned that:
A. nonpersonalized access cards are given to the cleaning
staff, who use a sign-in sheet but show no proof of
identity.
B. access cards are not labeled with the organization’s
name and address to facilitate easy return of a lost card.
C. card issuance and rights administration for the cards are
done by different departments, causing unnecessary lead
time for new cards.
D. the computer system used for programming the cards
can only be replaced after three weeks in the event of a
system failure.
Task 5.3

Evaluate the design, implementation,
maintenance, monitoring and reporting
of system and logical security controls to
verify the confidentiality, integrity and
availability of information.
Key Terms
Access control: The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises.
Access control list (ACL): An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Also referred to as access control tables.
Access path: The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.
Key Terms (cont’d)
Digital signature: A piece of information, a digitized form of a signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated by computing a one-way hash of the message and transforming that hash with the sender’s private key; anyone holding the sender’s public key can verify it, and any change to the message after signing causes verification to fail.
Encryption: The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext).
Key Terms (cont’d)
Local area network (LAN): Communication network that serves several users within a specified geographical area. A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.
Logical access controls: The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files.
Network: A system of interconnected computers and the communications equipment used to connect them.
Task to Knowledge Statements
How does Task 5.3 relate to each of the following
knowledge statements?
K5.6 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
Connection: The IS auditor needs to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point.
K5.7 Knowledge of the security controls related to hardware, system software (e.g., applications, operating systems) and database management systems
Connection: The IS auditor needs to understand best practices as they apply to identification and authentication.
Task to Knowledge Statements (cont’d)
How does Task 5.3 relate to each of the following
knowledge statements?
K5.8 Knowledge of risk and controls associated with virtualization of systems
Connection: The IS auditor needs to understand the advantages and disadvantages of virtualization and determine whether the enterprise has considered the applicable risk in its decision to adopt, implement and maintain this technology.
Task to Knowledge Statements (cont’d)
How does Task 5.3 relate to each of the following
knowledge statements?
K5.9 Knowledge of risk and controls associated with the use of mobile and wireless devices, including personally owned devices (bring your own device [BYOD])
Connection: Policies and procedures and additional protection mechanisms must be put into place to ensure that data are protected to a greater extent on portable devices, because such devices will most likely operate in environments in which physical controls are lacking or nonexistent.
Task to Knowledge Statements (cont’d)
How does Task 5.3 relate to each of the following
knowledge statements?
K5.10 Knowledge of voice communications security (e.g., PBX, Voice-over Internet Protocol [VoIP])
Connection: The increasing complexity and convergence of voice and data communications introduces additional risk that must be taken into account by the IS auditor.
K5.11 Knowledge of network and Internet security devices, protocols and techniques
Connection: The IS auditor needs to understand best practices for the implementation of encryption and the use and application of security devices and methods for securing data.
Task to Knowledge Statements (cont’d)
How does Task 5.3 relate to each of the following
knowledge statements?
K5.12 Knowledge of the configuration, implementation, operation and maintenance of network security controls
Connection: Firewalls and intrusion detection systems (IDSs) provide protection and critical alert information at borders between trusted and untrusted networks. The proper implementation and maintenance of firewalls and IDSs are critical to a successful, in-depth security program.
Task to Knowledge Statements (cont’d)
How does Task 5.3 relate to each of the following
knowledge statements?
K5.13 Knowledge of encryption-related techniques and their uses
Connection: Fundamentals of encryption techniques and the relative advantages and disadvantages of each must be taken into account by the IS auditor.
K5.14 Knowledge of public key infrastructure (PKI) components and digital signature techniques
Connection: The IS auditor needs to understand the relationships between types of encryption (symmetric and asymmetric) and their respective algorithms (e.g., Triple DES [3DES], RSA) and the basic concepts and components of PKI in terms of business.
Task to Knowledge Statements (cont’d)
How does Task 5.3 relate to each of the following
knowledge statements?
K5.18 Knowledge of risk and controls associated with data leakage
Connection: Understanding how data leakage can occur and the methods for limiting data leakage, from job postings that list the specific software and network devices with which applicants should have experience to system administrators posting questions on technical web sites.
Task to Knowledge Statements (cont’d)
How does Task 5.3 relate to each of the following
knowledge statements?
K5.19 Knowledge of security risk and controls related to end-user computing
Connection: The IS auditor should understand that these tools can be used to create key applications that are relied upon by the organization but not controlled by the IT department.
K5.21 Knowledge of information system attack methods and techniques
Connection: Understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risk that an enterprise faces.
Task to Knowledge Statements (cont’d)
How does Task 5.3 relate to each of the following
knowledge statements?
K5.22 Knowledge of prevention and detection tools and control techniques
Connection: The IS auditor needs to understand the threats posed by malicious code and the good practices for mitigating these threats.
K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
Connection: The IS auditor must have knowledge of how assessment tools can be used to identify vulnerabilities within the network infrastructure so that corrective actions can be taken to remediate risk.
Task to Knowledge Statements (cont’d)
How does Task 5.3 relate to each of the following
knowledge statements?
K5.26 Knowledge of fraud risk factors related to the protection of information assets
Connection: The IS auditor should be aware that the risk of fraud is increased where there is a perceived opportunity.
Logical Access
 Logical access is the ability to interact with computer
resources, granted using identification, authentication
and authorization.
 Logical access controls are the primary means used to
manage and protect information assets.
 IS auditors should be able to analyze and evaluate the
effectiveness of a logical access control in accomplishing
information security objectives and avoiding losses
resulting from exposures.
Logical Access (cont’d)
 For IS auditors to effectively assess logical access
controls, they first need to gain a technical and
organizational understanding of the organization’s IT
environment, including the following security layers:
o Network
o OS platform
o Database
o Application
Paths of Logical Access
 Access or points of entry to an organization’s IS
infrastructure can be gained through the following paths:
o Direct
o Local network
o Remote
 General points of entry to either front-end or back-end
systems occur through network connectivity or remote
access.
Paths of Logical Access (cont’d)
 Any point of entry not appropriately controlled can
potentially compromise the security of an organization’s
sensitive and critical information resources.
 The IS auditor should determine whether all points of
entry are identified and managed.
Logical Access Exposures
 Technical exposures are the unauthorized activities
interfering with normal processing.
 They include:
o Data leakage—Involves siphoning or leaking
information out of the computer
o Wiretapping—Involves eavesdropping on information
being transmitted over telecommunications lines
o Computer shutdown—Initiated through terminals or
personal computers connected directly (online) or
remotely (via the Internet) to the computer
Access Control Software
 Access control software is used to prevent the
unauthorized access and modification to an
organization’s sensitive data and the use of system
critical functions.
 Access controls must be applied across all layers of an
organization’s IS architecture, including networks,
platforms or OSs, databases and application systems.
 Each access control usually includes:
o Identification and authentication
o Access authorization
o Verification of specific information resources
o Logging and reporting of user activities
Access Control Software Functions
General operating and/or application systems access control functions:
• Create or change user profiles.
• Assign user identification and authentication.
• Apply user logon limitation rules.
• Notification concerning proper use and access prior to initial login.
• Create individual accountability and auditability by logging user activities.
• Establish rules for access to specific information resources (e.g., system-level application resources and data).
• Log events.
• Report capabilities.
Database and/or application-level access control functions:
• Create or change data files and database profiles.
• Verify user authorization at the application and transaction level.
• Verify user authorization within the application.
• Verify user authorization at the field level for changes within a database.
• Verify subsystem authorization for the user at the file level.
• Log database/data communications access activities for monitoring access violations.
Access Control Types
Mandatory access controls (MACs):
• Logical access control filters used to validate access credentials
• Cannot be controlled or modified by normal users or data owners
• Act by default
• Prohibitive; anything that is not expressly permitted is forbidden
Discretionary access controls (DACs):
• Logical access controls that may be configured or modified by the users or data owners
• Cannot override MACs
• Act as an additional filter, prohibiting still more access with the same exclusionary principle
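The relationship between the two control types is easiest to see in a small reference monitor. The block below is an added example for this page, not ISACA code: it evaluates a mandatory check first (the subject's clearance must dominate the object's classification, a simplified lattice rule chosen here as an assumption; the page does not prescribe a particular MAC model) and only then consults the owner-managed discretionary ACL, so a DAC grant can never open access that MAC denies, while DAC can still close access that MAC would allow. The labels, ACLs, user names and object names are constructed for illustration, and both checks deny anything not expressly permitted.

```python
"""Reference monitor combining mandatory (MAC) and discretionary (DAC) access control.

Added example (not ISACA material). Lattice, labels, ACLs and names are constructed.
"""

# Constructed sensitivity lattice: a higher number dominates a lower one.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Constructed MAC labels. Only the security administrator may change these;
# neither ordinary users nor data owners can.
SUBJECT_CLEARANCE = {"alice": "secret", "bob": "internal", "carol": "public"}
OBJECT_LABEL = {"payroll.xlsx": "confidential", "press_release.txt": "public"}

# Constructed discretionary ACLs maintained by the data owners:
# object -> {subject: set of permitted operations}.
DAC_ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "press_release.txt": {"bob": {"read", "write"}, "carol": {"read"}},
}

KNOWN_OPS = {"read", "write"}


def mac_permits(subject, obj, op):
    """Mandatory rule (assumed): clearance must dominate the object's label.

    Unknown subjects, objects or operations are denied, not errored, so the
    monitor fails closed.
    """
    if op not in KNOWN_OPS:
        return False
    try:
        return LEVELS[SUBJECT_CLEARANCE[subject]] >= LEVELS[OBJECT_LABEL[obj]]
    except KeyError:
        return False


def dac_permits(subject, obj, op):
    """Discretionary rule: only what the owner expressly granted is allowed."""
    return op in DAC_ACL.get(obj, {}).get(subject, set())


def access_decision(subject, obj, op):
    """Return (allowed, reason). MAC is evaluated first and is final when it denies;
    DAC then acts as an additional filter on what MAC already permits."""
    if not mac_permits(subject, obj, op):
        return False, "denied by MAC"
    if not dac_permits(subject, obj, op):
        return False, "denied by DAC"
    return True, "permitted"


if __name__ == "__main__":
    requests = [
        ("alice", "payroll.xlsx", "read"),        # cleared and on the ACL
        ("bob", "payroll.xlsx", "read"),          # owner granted it, MAC forbids it
        ("carol", "press_release.txt", "write"),  # MAC allows it, owner did not grant it
        ("alice", "payroll.xlsx", "execute"),     # unknown op: denied by default
    ]
    for subject, obj, op in requests:
        allowed, reason = access_decision(subject, obj, op)
        print(f"{subject:6} {op:7} {obj:18} -> {reason}")
```

The case to notice is `bob` reading `payroll.xlsx`: the data owner put him on the ACL, but his `internal` clearance does not dominate the `confidential` label, so the request is refused before the ACL is ever consulted. That ordering is what "cannot override MACs" means in practice, and it is the property an IS auditor should look for when a system claims to layer both control types.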
Network Infrastructure Security
 The IS auditor should be familiar with risk and exposures related
to network infrastructure.
 Network control functions should:
o Be performed by trained professionals, and duties should be
rotated on a regular basis.
o Maintain an audit trail of all operator activities.
o Restrict operator access from performing certain functions.
o Periodically review audit trails to detect unauthorized
activities.
o Document standards and protocols.
o Analyze workload balance, response time and system
efficiency.
o Encrypt data, where appropriate, to protect messages from
disclosure during transmission.
LAN Security
 To gain a full understanding of the LAN, the IS auditor
should identify and document the following:
o Users or groups with privileged access rights
o LAN topology and network design
o LAN administrator/LAN owner
o Functions performed by the LAN administrator/owner
o Distinct groups of LAN users
o Computer applications used on the LAN
o Procedures and standards relating to network design,
support, naming conventions and data security
Virtualization
 IS auditors need to understand the advantages and
disadvantages of virtualization to determine whether the
enterprise has considered the applicable risk in its decision to
adopt, implement and maintain this technology.
 Some common advantages and disadvantages include:
Advantages:
• Decreased server hardware costs.
• Shared processing capacity and storage space.
• Decreased physical footprint.
• Ability to run multiple versions of the same OS side by side.
Disadvantages:
• Inadequate host (hypervisor) configuration could create vulnerabilities that affect not only the host, but also every guest running on it.
• Data could leak between guests.
• Insecure protocols for remote access to the management interface could result in exposure of administrative credentials.
Client-Server Security
 A client-server architecture is a group of computers connected by a communications network in which the client is the requesting machine and the server is the supplying machine.
 Several access routes exist in a client-server
environment.
Client-Server Security (cont’d)
 The IS auditor should ensure that:
o Application controls cannot be bypassed (e.g., by connecting to the server directly instead of through the client application).
o Passwords are never held or sent in cleartext: stored credentials are hashed and transmission is encrypted.
o Access to configuration or initialization files is kept to a minimum.
o Access to configuration or initialization files is audited.
Wireless Security
 Wireless security requirements include the following:
o Authenticity—The recipient (or a third party) must be able to verify that a message genuinely came from the claimed sender. Verifying that the content has not been changed in transit is the related property of integrity; in practice both are provided together, e.g., by a message authentication code or a digital signature.
o Nonrepudiation—The origin or the receipt of a specific message must be verifiable by a third party.
o Accountability—The actions of an entity must be uniquely traceable to that entity.
o Network availability—The IT resource must be available on a timely basis to meet mission requirements or to avoid substantial losses.
Internet Security
 The IS auditor must understand the risk and security
factors needed to ensure that proper controls are in
place when a company connects to the Internet.
 Network attacks typically begin with passive attacks: probing for network information without altering anything, which makes them hard to detect.
o Examples of passive attacks include network analysis, eavesdropping and traffic analysis.
Internet Security (cont’d)
 Once enough network information has been gathered,
an intruder can launch an actual attack against a
targeted system to gain control.
o Examples of active attacks include denial of service
(DoS), phishing, unauthorized access, packet replay,
brute force attacks and email spoofing.
 The IS auditor should have a good understanding of the
following types of firewalls:
o Packet filtering
o Application firewall systems
o Stateful inspections
Internet Security (cont’d)
 The IS auditor should also be familiar with common
firewall implementations, including:
o Screened-host firewall
o Dual-homed firewall
o Demilitarized zone (DMZ) or screened-subnet firewall
 The IS auditor should be familiar with the types, features
and limitations of intrusion detection systems and
intrusion prevention systems.
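The difference between packet filtering and stateful inspection is worth seeing on actual packets. The block below is an added example, not code from the CISA deck: a stateless filter and a stateful firewall applied to the same constructed traffic. Addresses, ports and rule sets are hypothetical. The stateless filter uses the classic approximation of trusting the ACK flag as proof of an established connection, which is exactly what an ACK-scan probe exploits; the stateful firewall admits inbound packets only when they match a connection that an inside host opened.

```python
"""Added example (not from the CISA deck): a stateless packet filter beside a
stateful inspection firewall, run over constructed packets. The rules and
addresses are hypothetical; the point is how each treats an unsolicited
inbound packet that merely has the ACK flag set."""

SYN = 0x02
ACK = 0x10
INTERNAL_PREFIX = "10.0."          # hypothetical internal network 10.0.0.0/16


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def packet_filter(pkt: dict) -> bool:
    """Stateless filter. With no memory of earlier packets it can only
    approximate 'established' traffic: inbound TCP with ACK set is assumed
    to be a reply to something we sent. Inbound SYN to port 80 reaches the
    published web server. Everything outbound is allowed."""
    if is_internal(pkt["src"]):
        return True
    if pkt["proto"] == "tcp" and pkt["flags"] & ACK:
        return True
    if pkt["proto"] == "tcp" and pkt["flags"] == SYN and pkt["dport"] == 80:
        return True
    return False


class StatefulFirewall:
    """Remembers connections opened from inside; an inbound packet is admitted
    only if it answers one of them or opens a new connection to the web server."""

    def __init__(self):
        self.connections = set()      # (src, sport, dst, dport) seen leaving

    def decide(self, pkt: dict) -> bool:
        if is_internal(pkt["src"]):
            if pkt["proto"] == "tcp" and pkt["flags"] & SYN:
                self.connections.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            return True
        reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reverse in self.connections:   # reply to a tracked connection
            return True
        if pkt["proto"] == "tcp" and pkt["flags"] == SYN and pkt["dport"] == 80:
            return True
        return False


def tcp(src, sport, dst, dport, flags):
    return {"proto": "tcp", "src": src, "sport": sport,
            "dst": dst, "dport": dport, "flags": flags}


def run_scenario() -> dict:
    """Constructed traffic; returns {name: (stateless_verdict, stateful_verdict)}."""
    fw = StatefulFirewall()
    scenario = [
        ("outbound_syn", tcp("10.0.1.25", 51000, "203.0.113.9", 443, SYN)),
        ("reply_to_outbound", tcp("203.0.113.9", 443, "10.0.1.25", 51000, SYN | ACK)),
        ("ack_probe_ssh", tcp("198.51.100.7", 40000, "10.0.1.25", 22, ACK)),
        ("web_syn", tcp("198.51.100.7", 40001, "10.0.1.80", 80, SYN)),
        ("ssh_syn", tcp("198.51.100.7", 40002, "10.0.1.25", 22, SYN)),
    ]
    return {name: (packet_filter(p), fw.decide(p)) for name, p in scenario}
```

Both firewalls agree on the legitimate reply and on the public web server. They disagree on `ack_probe_ssh`: the stateless filter lets an unsolicited ACK through to port 22 (which is how an attacker maps what lies behind a simple filter), while the stateful firewall drops it because no inside host ever started that connection.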
Encryption
 Encryption generally is used to:
o Protect data in transit over networks from
unauthorized interception and manipulation.
o Protect information stored on computers from
unauthorized viewing and manipulation.
o Deter and detect accidental or intentional alterations
of data.
o Verify authenticity of a transaction or document.
Encryption (cont’d)
 Key encryption elements include:
o Encryption algorithm—A mathematically based
function that encrypts/decrypts data
o Encryption keys—A piece of information that is used
by the encryption algorithm to make the encryption or
decryption process unique
o Key length—A predetermined length for the key; for a given algorithm, the longer the key, the more difficult it is to compromise by exhaustive search
Encryption (cont’d)
 There are two types of encryption schemes:
o Symmetric—a single shared key (usually referred to as the “secret key”) is used for both encryption and decryption.
o Asymmetric—the decryption key is different from the one used for encryption.
 There are two main advantages of symmetric key systems over asymmetric ones.
o The keys are much shorter for an equivalent level of security (e.g., a 128-bit AES key is generally rated comparable to a 3072-bit RSA key), so they are easier to store and handle.
o Symmetric key cryptosystems are generally less complicated and, therefore, use less processing power.
 Their main drawback is key distribution: every pair of communicating parties needs a shared secret exchanged over a secure channel, which is the problem asymmetric cryptography solves.
Encryption (cont’d)
 In a public key cryptography system, two keys work
together as a pair. One of the keys is kept private, while
the other one is publicly disclosed.
 The underlying algorithm works even if the private key is used for encryption and the public key for decryption. This is the operation a digital signature relies on: only the holder of the private key could have produced a value that the public key decrypts correctly.
Encryption (cont’d)
 Digital signature schemes ensure:
o Data integrity— Any change to the plaintext
message would result in the recipient failing to
compute the same document hash.
o Authentication—The recipient can ensure that the
document has been sent by the claimed sender
because only the claimed sender has the private key.
o Nonrepudiation—The claimed sender cannot later
deny generating the document.
 The IS auditor should be familiar with how a digital
signature functions to protect data.
Malware
 There are two primary methods to prevent and detect
malware that infects computers and network systems.
o Have sound policies and procedures in place
(preventive controls).
o Have technical controls (detective controls), such as
anti-malware software, including:
• Scanners
• Behavior blockers
• Active monitors
• Integrity CRC checkers
• Immunizers
 Neither method is effective without the other.
In the Big Picture
 Task 5.3: Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.
 The Big Picture: Evaluation of system security engineering and architecture ensures the foundations for ISM are in place to meet organizational goals and objectives.
Task 5.3 Activity
 Your acquisition due diligence audit scope has been
defined by management sponsors as to evaluate the
design, implementation, maintenance, monitoring and
reporting of system and logical security controls to verify
the confidentiality, integrity and availability of intellectual
property.
 What type of control will reduce the risk of disclosure of
sensitive data stored on mobile devices?
Discussion Question
The PRIMARY purpose of installing data leak prevention
(DLP) software is to control which of the following choices?
A. Access privileges to confidential files stored on
servers
B. Attempts to destroy critical data on the internal
network
C. Which external systems can access internal
resources
D. Confidential documents leaving the internal network
Discussion Question
Neural networks are effective in detecting fraud because
they can:
A. discover new trends because they are inherently
linear.
B. solve problems where large and general sets of
training data are not obtainable.
C. attack problems that require consideration of a large
number of input variables.
D. make assumptions about the shape of any curve
relating variables to the output.
Task 5.4
Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.
Key Terms
 Authentication: The act of verifying the identity of a user and the user’s eligibility to access computerized information. Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
 Data classification: The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.
Task to Knowledge Statements
How does Task 5.4 relate to each of the following knowledge statements?
 K5.16 Knowledge of data classification standards related to the protection of information assets
o Connection: The IS auditor should understand the process of classification and the interrelationship between data classification and the need for inventorying information assets and assigning responsibility to data owners.
Task to Knowledge Statements (cont’d)
 K5.18 Knowledge of risk and controls associated with data leakage
o Connection: Data classification policies, security awareness training and periodic audits for data leakage are elements that the IS auditor will want to ensure are in place.
 K5.25 Knowledge of the processes followed in forensics investigation and procedures in collection and preservation of the data and evidences (i.e., chain of custody)
o Connection: Measures should be used to preserve the integrity of evidence collected and provide assurance that the evidence has not been altered in any way.
Data Classification
 In order to have effective controls, organizations must have a
detailed inventory of information assets.
 Most organizations use a classification scheme with three to five
levels of sensitivity.
 Data classification provides the following benefits:
o Defines level of access controls
o Reduces risk and cost of over- or under-protecting
information resources
o Maintains consistent security requirements
o Enables uniform treatment of data by applying level-specific
policies and procedures
o Identifies who should have access
Data Classification (cont’d)
 The information owner should decide on the appropriate
classification, based on the organization’s data classification and
handling policy.
 Data classification should define:
o The importance of the information asset
o The information asset owner
o The process for granting access
o The person responsible for approving the access rights and
access levels
o The extent and depth of security controls
 Data classification must also take into account legal, regulatory,
contractual and internal requirements for maintaining privacy,
confidentiality, integrity and availability.
Data Leakage
 Data leakage involves the unauthorized transfer of sensitive
or proprietary information from an internal network to the
outside world.
 Data leak prevention is a suite of technologies and associated
processes that locate, monitor and protect sensitive
information from unauthorized disclosure.
Data Leakage (cont’d)
 DLPs have three key objectives:
o Locate and catalog sensitive information stored throughout
the enterprise.
o Monitor and control the movement of sensitive information
across enterprise networks.
o Monitor and control the movement of sensitive information
on end-user systems.
DLP Solutions
 Data at rest: Use crawlers to search for and log the location of specific information sets.
 Data in motion: Use specific network appliances or embedded technology to selectively capture and analyze traffic, and use deep packet inspection (DPI) to read contents within a packet’s payload.
 Data in use: Use an agent to monitor data movement stemming from actions taken by end users.
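What the data-in-motion inspection actually does once DPI has handed it a payload is pattern matching plus validation. The block below is an added example, not code from the CISA deck or from any DLP product: it scans a constructed outbound message for payment card numbers and classification markings and returns a policy decision. The Luhn check is what keeps ordinary 16-digit order numbers from producing false positives; the message texts, markers and policy are hypothetical.

```python
"""Added example (not from the CISA deck): the content-inspection core of a
data-in-motion DLP check, applied to a hypothetical outbound message body.
Sample messages are constructed; the regexes and policy are illustrative."""
import re

PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, optional separators
LABEL_MARKER = re.compile(r"\b(CONFIDENTIAL|SECRET)\b")    # hypothetical handling markings


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum carried by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the finding does not leak the data it found."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_message(text: str) -> list:
    """Returns (kind, detail) findings for PANs that pass Luhn and for markings."""
    findings = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    for m in LABEL_MARKER.finditer(text):
        findings.append(("label", m.group()))
    return findings


def policy_action(findings: list) -> str:
    """Hypothetical policy: block PANs leaving the network, alert on marked documents."""
    kinds = {kind for kind, _ in findings}
    if "pan" in kinds:
        return "block"
    if "label" in kinds:
        return "alert"
    return "allow"
```

The Luhn validation is the practical lesson: a pure digit-count rule would block `1234567890123456`, a plausible order reference, and bury the analysts in false positives. Real products add context scoring and file-type parsing on top, but the shape is the same.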
Identification and Authentication
 Logical access identification and authentication (I&A) is
the process of establishing and proving a user’s identity.
 For most systems, I&A is the first line of defense
because it prevents unauthorized people (or
unauthorized processes) from entering a computer
system or accessing an information asset.
Identification and Authentication (cont’d)
 Some common I&A vulnerabilities include:
o Weak authentication methods
o Use of simple or easily guessed passwords
o The potential for users to bypass the authentication mechanism
o The lack of confidentiality and integrity for the stored authentication information
o The lack of encryption for authentication and protection of information transmitted over a network
o The user’s lack of knowledge on the risk associated with sharing authentication elements
Authentication Methods
 Common authentication methods include:
o Logon IDs and passwords
o Tokens
o Biometrics
 Multifactor authentication is the combination of two or more authentication methods drawn from different factors (something the user knows, has or is); two passwords are not two factors.
 Single sign-on (SSO) is the process for consolidating all of an organization’s platform-based administration, authentication and authorization functions into a single centralized administrative function.
 The IS auditor should be familiar with the organization’s authentication policies.
Authorization
 Authorization refers to the access rules that specify who
can access what.
 Access control is often based on least privilege, which
refers to the granting to users of only those accesses
required to perform their duties.
 The IS auditor needs to know what can be done with the
access and what is restricted.
 The IS auditor must review access control lists (ACLs).
An ACL is a register of users who have permission to
use a particular system and the types of access
permitted.
Authorization Issues
 Risks:
o Denial of service
o Malicious third parties
o Misconfigured communications software
o Misconfigured devices on the corporate computing infrastructure
o Host systems not secured appropriately
o Physical security issues over remote users’ computers
 Controls:
o Policy and standards
o Proper authorizations
o Identification and authentication mechanisms
o Encryption tools and techniques, such as use of a VPN
o System and network management
System Logs
 Audit trail records should be protected by strong access
controls to help prevent unauthorized access.
 The IS auditor should ensure that the logs cannot be
tampered with, or altered, without leaving an audit trail.
 When reviewing or performing security access follow-up,
the IS auditor should look for:
o Patterns or trends that indicate abuse of access
privileges, such as concentration on a sensitive
application
o Violations (such as attempting computer file access
that is not authorized) and/or use of incorrect
passwords
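The review above is usually done as an automated first pass followed by manual follow-up. The block below is an added example, not code from the CISA deck: it parses constructed access-log lines and flags the three patterns the slide names (repeated incorrect passwords, unauthorized access attempts, and concentration on a sensitive application). The log format, user and application names, and thresholds are all hypothetical.

```python
"""Added example (not from the CISA deck): a first-pass review of access logs
for the abuse patterns an IS auditor looks for. Log lines, names and
thresholds are constructed for the demonstration."""
import re
from collections import Counter

SENSITIVE_APPS = {"payroll", "hr_files"}     # hypothetical classification
FAILED_LOGIN_THRESHOLD = 3                   # incorrect passwords before an ID is flagged
CONCENTRATION_THRESHOLD = 5                  # accesses to one sensitive app before flagging

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
                  r"action=(?P<action>\S+) result=(?P<result>\S+)$")

# Constructed sample log
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=jdoe app=portal action=login result=FAIL
2024-03-01T09:00:07 user=jdoe app=portal action=login result=FAIL
2024-03-01T09:00:15 user=jdoe app=portal action=login result=FAIL
2024-03-01T09:00:22 user=jdoe app=portal action=login result=FAIL
2024-03-01T09:01:00 user=mlee app=payroll action=read result=OK
2024-03-01T09:01:05 user=mlee app=payroll action=read result=OK
2024-03-01T09:01:09 user=mlee app=payroll action=read result=OK
2024-03-01T09:01:14 user=mlee app=payroll action=read result=OK
2024-03-01T09:01:20 user=mlee app=payroll action=read result=OK
2024-03-01T09:01:26 user=mlee app=payroll action=read result=OK
2024-03-01T09:02:00 user=asmith app=hr_files action=read result=DENIED
2024-03-01T09:02:30 user=bkim app=portal action=login result=OK
2024-03-01T09:02:45 user=bkim app=payroll action=read result=OK
"""


def parse(log_text: str) -> list:
    """Parse lines into dicts. Unparseable lines are skipped here; in a real
    review they deserve their own finding, since gaps in a log are evidence too."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def review(events: list) -> list:
    """Returns (finding_type, user, detail) tuples."""
    failed = Counter(e["user"] for e in events
                     if e["action"] == "login" and e["result"] == "FAIL")
    denied = [(e["user"], e["app"]) for e in events if e["result"] == "DENIED"]
    sensitive = Counter((e["user"], e["app"]) for e in events
                        if e["app"] in SENSITIVE_APPS and e["result"] == "OK")
    findings = []
    for user, n in failed.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_login", user, n))
    for user, app in denied:
        findings.append(("unauthorized_access_attempt", user, app))
    for (user, app), n in sensitive.items():
        if n >= CONCENTRATION_THRESHOLD:
            findings.append(("sensitive_app_concentration", user, f"{app}:{n}"))
    return findings
```

On the sample log this yields three findings and, just as importantly, none for `bkim`, whose single payroll read is normal. The thresholds are the part that needs judgement; an auditor should ask how they were chosen and whether anyone actually reads the resulting reports.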
Review of Access Controls
 Access controls and password administration are reviewed to
determine that:
o Procedures exist for adding individuals to the access list,
changing their access capabilities and deleting them from the
list.
o Procedures exist to ensure that individual passwords are not
inadvertently disclosed.
o Passwords issued are of an adequate length, cannot be easily
guessed and do not contain repeating characters.
o Passwords are periodically changed.
o User organizations periodically validate the access capabilities.
o Procedures provide for the suspension of user IDs or the
disabling of systems after a particular number of security
procedure violations.
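Several of these checklist items are preventive controls that can be verified by reading the implementation. The block below is an added example, not code from the CISA deck: a password policy check (length, repeated characters, guessability), salted PBKDF2 storage so that the stored authentication data stays confidential if the table leaks (one of the I&A vulnerabilities listed earlier), and suspension of an ID after a set number of failures. The deny list, thresholds and user names are hypothetical.

```python
"""Added example (not from the CISA deck): password policy enforcement,
salted password hashing and ID suspension after repeated failures.
Thresholds, the deny list and the user names are hypothetical."""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12
MAX_FAILURES = 3
PBKDF2_ROUNDS = 100_000
COMMON_PASSWORDS = {"password", "welcome1", "letmein", "qwerty123"}   # stand-in for a real list
REPEATED_RUN = re.compile(r"(.)\1\1")      # three or more identical characters in a row


def check_policy(username: str, password: str) -> list:
    """Returns the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if REPEATED_RUN.search(password):
        problems.append("repeated_characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    if username.lower() in password.lower():
        problems.append("contains_username")
    return problems


class UserStore:
    def __init__(self):
        self.users = {}       # username -> record; no cleartext password is ever kept

    def register(self, username: str, password: str) -> None:
        problems = check_policy(username, password)
        if problems:
            raise ValueError(", ".join(problems))
        salt = os.urandom(16)
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "failures": 0,
            "suspended": False,
        }

    def authenticate(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_password', 'suspended' or 'unknown_user'."""
        rec = self.users.get(username)
        if rec is None:
            return "unknown_user"
        if rec["suspended"]:
            return "suspended"      # a correct password does not reopen a suspended ID
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["suspended"] = True
        return "bad_password"
```

Two details matter for the audit: `hmac.compare_digest` avoids a timing side channel on the hash comparison, and the suspension flag is checked before the password so that a suspended ID cannot be used to confirm whether a guess was right.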
In the Big Picture
 Task 5.4: Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.
 The Big Picture: Data classification, protection and management processes are critical in meeting business and regulatory requirements.
Task 5.4 Activity
 You have been assigned to assist the incident response
team in evaluating post-incident lessons learned and
remediation activities to prevent recurrence of the root
causes. Your team has completed the response to data
leakage that resulted in compromising firewall network
administrative access.
 When the firewall was sent off site for vendor
maintenance, what actions should have been taken?
Discussion Question
The FIRST step in data classification is to:
A. establish ownership.
B. perform a criticality analysis.
C. define access rules.
D. create a data dictionary.
Discussion Question
From a control perspective, the PRIMARY objective of
classifying information assets is to:
A. establish guidelines for the level of access controls
that should be assigned.
B. ensure access controls are assigned to all
information assets.
C. assist management and auditors in risk assessment.
D. identify which assets need to be insured against
losses.
Task 5.5
Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
Key Terms
Key Term Definition
Private branch A telephone exchange that is owned by a private business,
exchange (PBX) as opposed to one owned by a common carrier or by a
telephone company
Voice-over Internet Also called IP Telephony, Internet Telephony and
Protocol (VoIP) Broadband Phone, a technology that makes it possible to
have a voice conversation over the Internet or over any
dedicated Internet Protocol (IP) network instead of
dedicated voice transmission lines
Task to Knowledge Statements
How does Task 5.5 relate to each of the following knowledge statements?
 K5.13 Knowledge of encryption-related techniques and their uses
o Connection: Through the use of the appropriate encryption techniques, an organization can protect data throughout the data life cycle.
 K5.14 Knowledge of public key infrastructure (PKI) components and digital signature techniques
o Connection: The auditor needs to evaluate the manner in which PKI is applied by data protection strategies.
Task to Knowledge Statements (cont’d)
 K5.15 Knowledge of risk and controls associated with peer-to-peer computing, instant messaging and web-based technologies (e.g., social networking, message boards, blogs, cloud computing)
o Connection: The risk of data loss or leakage increases when users employ peer-to-peer and other collaborative communication technologies.
 K5.17 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets
o Connection: In order to control data and information, the organization must understand the state of its data and information from creation through storage, processing and transmission.
 K5.18 Knowledge of risk and controls associated with data leakage
o Connection: Understanding the category of data and the respective states it resides in through the life cycle will enable the IS auditor to determine risk and the appropriate controls.
 K5.19 Knowledge of security risk and controls related to end-user computing
o Connection: The IS auditor must determine risk and the appropriate controls needed to address end-user computing technologies from BYOD and client applications to mobile devices (smart phones/PDAs).
 K5.21 Knowledge of information system attack methods and techniques
o Connection: The IS auditor needs to have the ability to identify and evaluate controls that are most effective in preventing or detecting attacks involving social engineering, wireless access and threats originating from the Internet.
Data Access Procedures
 Management should define and implement procedures to prevent
access to, or loss of, sensitive information when it is stored,
disposed of or transferred to another user.
 Such procedures must be created for the following:
o Backup files of databases
o Data banks
o Disposal of media previously used to hold confidential
information
o Management of equipment sent for offsite maintenance
o Public agencies and organizations concerned with sensitive,
critical or confidential information
o E-token electronic keys
o Storage records
Media Storage
 To help avoid potential damage to media during shipping and storage, the following precautions should be taken:
o Keep out of direct sunlight.
o Keep free of dust.
o Keep free of liquids.
o Minimize exposure to magnetic fields, radio equipment or any
sources of vibration.
o Do not air transport in areas and at times of exposure to a
strong magnetic storm.
Mobile Computing
 Mobile computing refers to devices that are transported or
moved during normal usage, including tablets, smartphones and
laptops.
 Mobile computing makes it more difficult to implement logical and
physical access controls.
 Common mobile computing vulnerabilities include the following:
o Information may travel across unsecured wireless networks.
o The enterprise may not be managing the device.
o Unencrypted information may be stored on the device.
o The device may lack authentication requirements (e.g., no PIN or passcode).
o The device may allow for the installation of unsigned
third-party applications.
Mobile Computing Controls
 The following controls will reduce the risk of disclosure of sensitive data stored on mobile devices:
o Device registration
o Tagging
o Physical security
o Data storage
o Virus detection and control
o Encryption
o Compliance
o Approval
o Acceptable use policy
o Awareness training
o Due care
o Network authentication
o Secure transmission
o Standard applications
o Geolocation tracking
o Remote wipe and lock
Other Data Controls
 Other technologies that should be reviewed by the IS auditor include:
 Peer-to-peer computing
o Threats/vulnerabilities: viruses and malware; copyrighted content; excessive use; eavesdropping.
o Controls: antivirus and anti-malware; block P2P traffic; restrict P2P exposure; establish policies or standards.
 Instant messaging (IM)
o Threats/vulnerabilities: viruses and malware; excessive use; IP address exposure.
o Controls: antivirus and anti-malware; encrypt IM traffic; block IM traffic; restrict IM usage; establish policies or standards.
 Social media
o Threats/vulnerabilities: viruses and malware; undefined content rights; data exposure; excessive use.
o Controls: establish clear policies; capture and log all communications; content filtering.
 Cloud computing
o Threats/vulnerabilities: lack of control and visibility; physical security; data disposal.
o Controls: a right-to-audit clause in the contract; restrictive contract terms; encryption.
Voice-Over IP (VoIP)
 VoIP has a different architecture than traditional
circuit-based telephony, and these differences result in
significant security issues.
 Security is needed to protect two assets—the data and
the voice.
 Backup communication plans are important because VoIP depends on the data network: if the network or the call-control servers go down, the telephone system goes down too.
Private Branch Exchange
 A private branch exchange (PBX) is a sophisticated computer-based
switch that may be thought of as a small, in-house phone company.
 Failure to secure a PBX can result in:
o Theft of service
o Disclosure of information
o Data modification
o Unauthorized access
o Denial of service
o Traffic analysis
 The IS auditor should understand the PBX design and implementation to determine how an intruder could exploit weaknesses or misuse normal functions.
In the Big Picture
 Task 5.5: Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
 The Big Picture: The IS auditor must understand and be able to evaluate the acceptable methods for data management from creation through destruction.
Task 5.5 Activity
 The CIO and CISO state their objective is to prevent and
detect computer attacks that could result in proprietary or
confidential data being stolen or modified.
 What would be a risk specific to wireless networks?
Discussion Question
When reviewing the procedures for the disposal of computers,
which of the following should be the GREATEST concern for
the IS auditor?
A. Hard disks are overwritten several times at the sector
level but are not reformatted before leaving the
organization.
B. All files and folders on hard disks are separately deleted,
and the hard disks are formatted before leaving the
organization.
C. Hard disks are rendered unreadable by hole-punching
through the platters at specific positions before leaving
the organization.
D. The transport of hard disks is escorted by internal
security staff to a nearby metal recycling company,
where the hard disks are registered and then shredded.
Discussion Question
The risk of dumpster diving is BEST mitigated by:
A. implementing security awareness training.
B. placing shred bins in copy rooms.
C. developing a media disposal policy.
D. placing shredders in individual offices.
Task 5.6
Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
Key Terms
Key Term Definition
Chain of custody A legal principle regarding the validity and integrity of
evidence. It requires accountability for anything that will be
used as evidence in a legal proceeding to ensure that it can
be accounted for from the time it was collected until the time
it is presented in a court of law.
Computer forensics The application of the scientific method to digital media to
establish factual information for judicial review. This process
often involves investigating computer systems to determine
whether they are or have been used for illegal or
unauthorized activities.
Key Terms (cont’d)
Key Term Definition
Penetration testing A live test of the effectiveness of security defenses through
mimicking the actions of real‐life attackers.
Security incident A series of unexpected events that involves an attack or
series of attacks (compromise and/or breach of security) at
one or more sites. A security incident normally includes an
estimation of its level of impact. A limited number of impact
levels are defined, and for each, the specific actions
required and the people who need to be notified are
identified.
Task to Knowledge Statements
How does Task 5.6 relate to each of the following knowledge statements?
 K5.18 Knowledge of risk and controls associated with data leakage
o Connection: The IS auditor must evaluate the data categorization and respective controls in place to mitigate business and regulatory risks.
 K5.19 Knowledge of security risk and controls related to end-user computing
o Connection: With the drive to greater distribution of computing resources, an organization’s risk appetite must be balanced in the IS auditor’s evaluation of end-user computing initiatives.
Task to Knowledge Statements (cont’d)
 K5.20 Knowledge of methods for implementing a security awareness program
o Connection: One of the most cost-effective security measures is an employee with deep-seated security awareness based on both training and regular reminders.
 K5.21 Knowledge of information system attack methods and techniques
o Connection: The IS auditor needs to be aware of the technical and human vulnerabilities and the techniques used to exploit those vulnerabilities.
 K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
o Connection: A proactive and holistic security testing program can ensure the correct security mechanisms are in place and operating effectively.
 K5.24 Knowledge of the processes related to monitoring and responding to security incidents (e.g., escalation procedures, emergency incident response team)
o Connection: In order for the IS auditor to evaluate the true capabilities of the information security management program, the IS auditor must evaluate the organization’s ability to detect, analyze and respond to threats regardless of the source.
Computer Crimes
 It is important that the IS auditor knows and understands the differences between computer crime and computer abuse to support risk analysis methodologies and related control practices. Examples of computer crimes include:
o Denial of service (DoS)
o Hacking
o Malware, viruses and worms
o Fraud
o Unauthorized access
o Phishing
o Brute force
o Malicious
o Network
Security Incident Handling
 To minimize damage from security incidents, a formal
incident response capability should be established.
 Ideally, an organizational computer security incident
response team (CSIRT) or computer emergency
response team (CERT) should be formed with clear lines
of reporting and responsibilities.
Security Incident Handling (cont’d)
 The IS auditor should:
o Ensure that the CSIRT is actively involved with users
to assist them in the mitigation of risk arising from
security failures and also to prevent security incidents.
o Ensure that there is a formal, documented plan and
that it contains vulnerabilities identification, reporting
and incident response procedures to common,
security-related threats/issues.
Auditing ISM Framework
 The IS auditor should review the following elements of the information
security management framework:
o Written policies, procedures and standards
o Logical access security policies
o Formal security awareness and training
o Data ownership
o Data owners
o Data custodians
o Security administrator
o New IT users
o Data users
o Documented authorizations
o Terminated employee access
o Security baselines
o Access standards
Auditing Logical Access
 When evaluating logical access controls, the IS auditor should:
o Obtain a clear understanding of the security risk facing
information processing through a review of relevant
documentation, interviews, physical walk-throughs and risk
assessments.
o Document and evaluate controls over potential access paths into
the system to assess their adequacy, efficiency and
effectiveness by reviewing appropriate hardware and software
security features and identifying any deficiencies or
redundancies.
o Test controls over access paths to determine whether they are
functioning and effective by applying appropriate audit
techniques.
Auditing Logical Access (cont’d)
 In addition, the IS auditor should do the following when auditing
logical access:
o Evaluate the access control environment to determine if the
control objectives are achieved by analyzing test results and
other audit evidence.
o Evaluate the security environment to assess its adequacy and
compare it with appropriate security standards or practices and
procedures used by other organizations.
o Interview the IS manager and security administrator and review
organizational charts and job descriptions.
o Review access control software reports to monitor adherence to
security policies.
o Review application systems operations manual.
Security Testing Techniques
 Terminal cards and keys
o The IS auditor can use sample cards and keys to attempt to gain access beyond what is authorized.
o The IS auditor should follow up on any unsuccessful attempted violations.
 Terminal identification
o The IS auditor can inventory terminals to look for incorrectly logged, missing or additional terminals.
 Logon IDs and passwords
o To test confidentiality, the IS auditor can attempt to guess passwords, find passwords by searching the office or get a user to divulge a password.
o To test encryption, the IS auditor should attempt to view the internal password table; stored passwords should not be readable.
o To test authorization, the IS auditor should review a sample of authorization documents to determine if proper authority was provided.
Security Testing Techniques (cont’d)
 Computer access controls
o The IS auditor should work with the system software analyst to determine if all access is on a need-to-know basis.
 Computer access violations logging and reporting
o The IS auditor should attempt to access computer transactions or data for which access is not authorized. The unsuccessful attempts should be identified on security reports.
 Follow-up access violations
o The IS auditor should select a sample of security reports and look for evidence of follow-up and investigation of access violations.
 Bypassing security and compensating controls
o The IS auditor should work with the system software analyst, network manager, operations manager and security administrator to determine ways to bypass security.
Investigation Techniques
 If a computer crime occurs, it is very important that proper
procedures are used to collect evidence.
o Damaged evidence can hinder prosecution.
o After a computer crime, the environment and evidence
must be left unaltered and examined by specialist law
enforcement officials.
 Any electronic document or data may be used as digital
evidence.
 An IS auditor may be required or asked to be involved in a
forensic analysis to provide expert opinion or to ensure the
correct interpretation of information gathered.
Investigation Techniques (cont’d)
 Identify: Refers to the identification of information that is available and might form the evidence of an incident.
 Analyze: Involves extracting, processing and interpreting the evidence.
 Present: Involves presentation to the various audiences, such as management, attorneys, court, etc.
Computer Forensics
 The IS auditor should give consideration to key elements of
computer forensics during audit planning, including the
following:
o Data protection
o Data acquisition
o Imaging
o Extraction
o Interrogation
o Ingestion/normalization
o Reporting
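The "data protection", "data acquisition" and "imaging" elements above share one practical requirement: the examiner must be able to show that the copy being analysed is identical to the original and that every hand-off of the evidence is recorded. The script below is an added example and is not part of the CISA course material; the source media bytes, the examiner names and the case id are constructed for illustration. It simulates a bit-for-bit acquisition, hashes the source and the image, refuses the image if the hashes differ, and keeps a chain-of-custody log whose consistency can be checked at any later point.

```python
"""Evidence acquisition with hash verification and a chain-of-custody log.

Added example, not part of the CISA course material. The evidence bytes,
examiner names and case id are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed "source media": a small byte string standing in for a disk.
SOURCE_MEDIA = b"MBR\x00" + bytes(range(256)) * 4 + b"EOF"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes; the value recorded in the log."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str
    actor: str
    action: str
    evidence_hash: str


@dataclass
class ChainOfCustody:
    case_id: str
    entries: list = field(default_factory=list)

    def record(self, actor: str, action: str, evidence_hash: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.entries.append(CustodyEntry(stamp, actor, action, evidence_hash))

    def is_consistent(self) -> bool:
        """Every recorded hand-off must carry the hash taken at acquisition;
        any entry with a different hash means the evidence changed."""
        if not self.entries:
            return False
        first = self.entries[0].evidence_hash
        return all(e.evidence_hash == first for e in self.entries)


def acquire_image(source: bytes, examiner: str, chain: ChainOfCustody):
    """Copy the source (never modified) into a working image and hash both.
    A mismatch means the acquisition itself is unreliable."""
    source_hash = sha256_hex(source)
    image = bytes(source)
    image_hash = sha256_hex(image)
    if image_hash != source_hash:
        raise RuntimeError("acquisition failed: image hash differs from source")
    chain.record(examiner, "acquired image", image_hash)
    return image, image_hash


def verify_image(image: bytes, expected_hash: str, actor: str,
                 chain: ChainOfCustody) -> bool:
    """Re-hash the image at a hand-off and log the result; a failed check
    is logged with the hash actually observed so the break is visible."""
    observed = sha256_hex(image)
    ok = observed == expected_hash
    chain.record(actor, "verified image" if ok else "VERIFICATION FAILED", observed)
    return ok


if __name__ == "__main__":
    chain = ChainOfCustody("CASE-0001")  # constructed case id
    image, acquisition_hash = acquire_image(SOURCE_MEDIA, "examiner A", chain)
    print("acquired", acquisition_hash[:16], "...")
    print("hand-off ok:", verify_image(image, acquisition_hash, "examiner B", chain))
    tampered = image[:-1] + b"X"  # simulate a modified working copy
    print("tampered ok:", verify_image(tampered, acquisition_hash, "examiner C", chain))
    print("chain consistent:", chain.is_consistent())
    for e in chain.entries:
        print(e.timestamp, e.actor, e.action, e.evidence_hash[:16])
```

In practice the acquisition hash is recorded on the custody form at the time of imaging and the analysis is performed on a second copy of the image, so the original media and the first image are only ever read; the verification step here is the check an auditor would expect to see repeated whenever the evidence changes hands.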
Auditing Network Infrastructure
 When performing an audit of the network infrastructure, the IS auditor
should:
o Review the following documents:
• Network diagrams
• SLAs
• Network administrator procedures
• Network topology design
o Identify the network design implemented.
o Determine that applicable security policies, standards, procedures and
guidance on network management and usage exist and have been
distributed.
o Identify who is responsible for security and operation of Internet
connections.
o Determine whether consideration has been given to the legal problems
arising from use of the Internet.
o Determine whether a vulnerability scanning process is in place.
Auditing Remote Access
 IS auditors should determine that all remote access
capabilities used by an organization provide for effective
security of the organization’s information resources.
 This includes:
o Ensuring that remote access security controls are
documented and implemented for authorized users
o Reviewing existing remote access architectures for points
of entry
o Testing access controls
Penetration Testing
 During penetration testing, an auditor attempts to circumvent the
security features of a system and exploits the vulnerabilities to
gain access that would otherwise be unauthorized.
 Phases: Planning, Discovery, Attack (with additional discovery during the attack phase) and Reporting.
Types of Penetration Tests
 External testing: Refers to attacks and control circumvention attempts on the target’s network perimeter from outside the target’s system.
 Internal testing: Refers to attacks and control circumvention attempts on the target from within the perimeter.
 Blind testing: Refers to the condition of testing when the penetration tester is provided with limited or no knowledge of the target’s information systems.
 Double blind testing: Refers to an extension of blind testing, because the administrator and security staff at the target are also not aware of the test.
 Targeted testing: Refers to attacks and control circumvention attempts on the target, while both the target’s IT
In the Big Picture
 Task 5.6: Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
 The Big Picture: The information security program is the Alpha and the Omega for the organization to realize system confidentiality, integrity and availability.
Task 5.6 Activity
 You have been assigned to a network architecture review. This is
a large multi-campus wide area network that uses the following
technologies:
o External
• Standard ISP-provided T1s and OC3
• VerSprinAT&Bell MPLS
• Satellite communications
• Point to Point RF
o Internal
• WIFI for corporate and guests
• Wired with fiber backbone
 When performing an audit of the network infrastructure, what
document should the IS auditor review?
Discussion Question
Which of the following is the BEST way for an IS auditor to
determine the effectiveness of a security awareness and
training program?
A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.
Discussion Question
Which of the following is the MAIN reason an organization
should have an incident response plan? The plan helps to:
A. ensure prompt recovery from system outages.
B. contain costs related to maintaining DRP capabilities.
C. ensure that customers are promptly notified of issues
such as security breaches.
D. minimize the impact of an adverse event.
Domain 5 Summary
 Evaluate the information security and privacy policies,
standards and procedures.
 Evaluate the design, implementation, maintenance,
monitoring and reporting of physical and environmental
controls.
 Evaluate the design, implementation, maintenance,
monitoring and reporting of system and logical security
controls.
Domain 5 Summary (cont’d)
 Evaluate the design, implementation and monitoring of
the data classification processes and procedures.
 Evaluate the processes and procedures used to store,
retrieve, transport and dispose of assets.
 Evaluate the information security program.
Discussion Question
The CSIRT of an organization disseminates detailed
descriptions of recent threats. An IS auditor’s GREATEST
concern should be that the users may:
A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.
Question 6
An IS audit department considers implementing continuous
auditing techniques for a multinational retail enterprise that
requires high availability of its key systems. A PRIMARY
benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.
Question 7
The internal audit department has written some scripts that are used for
continuous auditing of some information systems. The IT department has asked
for copies of the scripts so that they can use them for setting up a continuous
monitoring process on key systems. Would sharing these scripts with IT affect
the ability of the IS auditors to independently and objectively audit the IT
function?
A. Sharing the scripts is not permitted because it would give IT the ability to
pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review
all programs and software that runs on IS systems regardless of audit
independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits
may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS
auditors who wrote the scripts would not be permitted to audit any IS
systems where the scripts are being used for monitoring.
Question 8
The success of control self-assessment (CSA) depends
highly on:
A. having line managers assume a portion of the
responsibility for control monitoring.
B. assigning staff managers the responsibility for
building, but not monitoring, controls.
C. the implementation of a stringent control policy and
rule-driven controls.
D. the implementation of supervision and the monitoring
of controls of assigned duties.
Question 9
When conducting an IT security risk assessment, the IS auditor
asked the IT security officer to participate in a risk identification
workshop with users and business unit representatives. What is
the MOST important recommendation that the IS auditor should
make to obtain successful results and avoid future conflicts?
A. Ensure that the IT security risk assessment has a clearly
defined scope.
B. Require the IT security officer to approve each risk rating
during the workshop.
C. Suggest that the IT security officer accept the business
unit risk and rating.
D. Select only commonly accepted risk with the highest
submitted rating.
Question 10
An IS auditor is performing an audit in the data center when
the fire alarm begins sounding. The audit scope includes
disaster recovery, so the auditor observes the data center
staff response to the alarm. Which of the following is the
MOST important action for the data center staff to complete
in this scenario?
A. Notify the local fire department of the alarm condition.
B. Prepare to activate the fire suppression system.
C. Ensure that all persons in the data center are
evacuated.
D. Remove all backup tapes from the data center.
Question 11
When evaluating the controls of an
electronic data interchange (EDI)
application, an IS auditor should
PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.
Question 12
An organization is replacing a payroll program that it
developed in-house, with the relevant subsystem of a
commercial enterprise resource planning (ERP) system.
Which of the following would represent the HIGHEST
potential risk?
A. Undocumented approval of some project changes
B. Faulty migration of historical data from the old
system to the new system
C. Incomplete testing of the standard functionality of
the ERP subsystem
D. Duplication of existing payroll permissions on the
new ERP subsystem
Question 13
An IS auditor reviewing a series of completed projects finds
that the implemented functionality often exceeded
requirements and most of the projects ran significantly over
budget. Which of these areas of the organization’s project
management process is the MOST likely cause of this
issue?
A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management
Question 14
Which of the following techniques would BEST help an IS
auditor gain reasonable assurance that a project can meet
its target date?
A. Estimation of the actual end date based on the
completion percentages and estimated time to
complete, taken from status reports
B. Confirmation of the target date based on interviews
with experienced managers and staff involved in the
completion of the project deliverables
C. Extrapolation of the overall end date based on
completed work packages and current resources
D. Calculation of the expected end date based on
current resources and remaining available project
budget
Question 15
An IS auditor has been asked to participate in
project initiation meetings for a critical project.
The IS auditor’s MAIN concern should be that
the:
A. complexity and risk associated with the
project have been analyzed.
B. resources needed throughout the project
have been determined.
C. technical deliverables have been identified.
D. contract for external parties involved in
the project has been completed.
Question 16
The PRIMARY objective of service-level management
(SLM) is to:
A. define, agree on, record and manage the required
levels of service.
B. ensure that services are managed to deliver the
highest achievable level of availability.
C. keep the costs associated with any service at a
minimum.
D. monitor and report any legal noncompliance to
business management.
Question 17
The BEST audit procedure to determine if unauthorized
changes have been made to production code is to:
A. examine the change control system records and trace
them forward to object code files.
B. review access control permissions operating within
the production program libraries.
C. examine object code to find instances of changes and
trace them back to change control records.
D. review change approved designations established
within the change control system.
Question 18
Which of the following is the BEST method for determining
the criticality of each application system in the production
environment?
A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent application audits.
D. Perform a business impact analysis (BIA).
Question 19
Which of the following issues should be the GREATEST concern
to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most
essential systems were tested. The other systems were
tested separately during the rest of the year.
B. During the test, some of the backup systems were
defective or not working, causing the test of these systems
to fail.
C. The procedures to shut down and secure the original
production site before starting the backup site required far
more time than planned.
D. Every year, the same employees perform the test. The
recovery plan documents are not used because every step
is well known by all participants.
Question 20
Which of the following groups is the BEST source of
information for determining the criticality of application
systems as part of a business impact analysis (BIA)?
A. Business process owners
B. IT management
C. Senior business management
D. Industry experts
Question 21
While designing the business continuity plan (BCP) for an
airline reservation system, the MOST appropriate method
of data transfer/backup at an offsite location would be:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.
Question 22
The information security policy that states “each individual
must have his/her badge read at every controlled door”
addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
Question 23
An IS auditor discovers that uniform resource locators
(URLs) for online control self-assessment questionnaires
are sent using URL shortening services. The use of URL
shortening services would MOST likely increase the risk of
which of the following attacks?
A. Internet protocol (IP) spoofing
B. Phishing
C. Structured query language (SQL) injection
D. Denial-of-service (DoS)
Question 24
A company is planning to install a network-based intrusion
detection system (IDS) to protect the web site that it hosts.
Where should the device be installed?
A. On the local network
B. Outside the firewall
C. In the demilitarized zone (DMZ)
D. On the server that hosts the web site
Question 25
What would be the MOST effective control for enforcing
accountability among database users accessing sensitive
information?
A. Implement a log management process.
B. Implement a two-factor authentication.
C. Use table views to access sensitive data.
D. Separate database and application servers.
Question 26
What is the BEST approach to mitigate the risk of a
phishing attack?
A. Implementation of an intrusion detection system (IDS)
B. Assessment of web site security
C. Strong authentication
D. User education
Question 27
Which of the following BEST encrypts data on mobile
devices?
A. Elliptical curve cryptography (ECC)
B. Data encryption standard (DES)
C. Advanced encryption standard (AES)
D. The Blowfish algorithm
Question 28
When protecting an organization’s IT systems, which of the
following is normally the next line of defense after the
network firewall has been compromised?
A. Personal firewall
B. Antivirus programs
C. Intrusion detection system (IDS)
D. Virtual local area network (VLAN) configuration
Question 29
Which of the following would MOST effectively enhance the
security of a challenge-response based authentication
system?
A. Selecting a more robust algorithm to generate
challenge strings
B. Implementing measures to prevent session hijacking
attacks
C. Increasing the frequency of associated password
changes
D. Increasing the length of authentication strings
Question 30
An IS auditor is reviewing a software-based firewall
configuration. Which of the following represents the
GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule
in the rule base.
B. is installed on an operating system with default
settings.
C. has been configured with rules permitting or denying
access to systems or networks.
D. is configured as a virtual private network (VPN)
endpoint.
THANK YOU!