CISA-Domain-5-Protection of Information Assets
Organization
Security awareness and education
ISMS
An information security management system (ISMS) is a
framework of policies, procedures, guidelines and
associated resources to establish, implement, operate,
monitor, review, maintain and improve information
security for all types of organizations.
ISMS (cont’d)
An ISMS is defined in these guidelines and standards:
o ISO/IEC 2700X—Guidance for managing information
security in specific industries and situations
o ISO/IEC 27000—Defines the scope and vocabulary
and establishes the basis for certification
o ISO/IEC 27001—Formal set of specifications against
which organizations may seek independent
certification of their information security management
system
o ISO/IEC 27002—Structured set of suggested controls
to address information security risk
ISM Roles
o Information security steering committee
o Executive management
o Security advisory group
o Chief privacy officer (CPO)
o Chief information security officer (CISO)
o Chief security officer (CSO)
o Process owners
o Information asset owners and data owners
o Users
o Information security administrator
o Security specialist/advisors
o External parties
o IT developers
o IS auditors
Privacy
Privacy means freedom from unauthorized intrusion or
disclosure of information about an individual (also
referred to as a “data subject”).
Management should perform a privacy impact analysis.
Privacy (cont’d)
The IS auditor may be asked to support or perform this
assessment, which should:
o Pinpoint the nature of personally identifiable information
associated with business processes.
o Document the collection, use, disclosure and destruction
of personally identifiable information.
o Ensure that accountability for privacy issues exists.
o Identify legislative, regulatory and contractual
requirements for privacy.
o Be the foundation for informed policy, operations and
system design decisions based on an understanding of
privacy risk and the options available for mitigating that
risk.
Human Resources Security
Security roles and responsibilities of employees,
contractors and third-party users should be defined and
documented in accordance with the organization’s
information security policy.
Human Resources Security (cont’d)
Reactive
• Countermeasures
• Controls that allow the detection, containment and recovery from an incident
Proactive
• Safeguards
• Controls that attempt to prevent an incident
Security Awareness Training
An active security awareness program can greatly
reduce risk by addressing the behavioral element of
security through education and consistent application of
awareness techniques.
All employees of an organization and third-party users
must receive appropriate training and regular updates on
the importance of security policies, standards and
procedures in the organization.
In addition, all personnel must be trained in their specific
responsibilities related to information security.
Control Methods
o Controlled visitor access
o CCTV
o Security guards
o Deadman doors
Physical Access Audit
The IS auditor should begin with a tour of the site and
then test physical safeguards.
Physical tests can be completed through visual
observations and review of documents such as fire
system tests, inspection tags and key lock logs.
Physical Access Audit (cont’d)
The test should include all paths of physical entry, as
well as the following locations:
o Computer and printer rooms
o UPS/generator
o Operator consoles
o Computer storage rooms
o Communication equipment
o Offsite backup storage facility
o Media storage
Environmental Exposures
Environmental exposures are due primarily to naturally
occurring events.
Common environmental exposures include:
o Power failure
• Total failure (blackout)
• Severely reduced voltage (brownout)
• Sags, spikes and surges
• Electromagnetic interference (EMI)
o Water damage/flooding
o Manmade concerns
• Terrorist threats/attacks
• Vandalism
• Equipment failure
Environmental Controls
Environmental exposures should be afforded the same
level of protection as other types of exposures. Possible
controls include:
o Fire alarms and smoke detectors
o Fire suppression systems
o Fireproof and fire-resistant building and office materials
o Strategically located computer rooms
o Electrical surge protectors
o Uninterruptible power supply/generator
Environmental Control Audit
The IS auditor should first establish the environmental risk by
assessing the location of the data center.
In addition, the IS auditor should verify that the following
safeguards are in place:
o Water and smoke detectors
o Strategic and visible location of handheld fire extinguishers
o Fire suppression system documentation and inspection by
fire department
o UPS/generator test reports
o Electrical surge protectors
o Documentation of fireproof building materials, use of
redundant power lines and wiring located in fire-resistant
panels
o Documented and tested emergency evacuation plans and
BCPs
o Humidity and temperature controls
In the Big Picture
Task 5.2
Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
The Big Picture
Physical security and environmental controls are the first line of defense in protecting assets from loss.
Task 5.2 Activity
The director of facility operations has asked the IS audit
team to perform a gap analysis of the current policies
and procedures at the headquarters building that also
houses the primary data center. You find that policies
and procedures are currently focused on operations and
maintenance contracting activities.
What is an example of an environmental exposure that
controls should be in place to mitigate?
What would be a means to perform penetration testing of
physical controls?
Discussion Question
Which of the following environmental controls is appropriate
to protect computer equipment against
short-term reductions in electrical power?
A. Power line conditioners
B. Surge protective devices
C. Alternative power supplies
D. Interruptible power supplies
Discussion Question
An IS auditor is reviewing the physical security measures of an
organization. Regarding the access card system, the IS auditor
should be MOST concerned that:
A. nonpersonalized access cards are given to the cleaning
staff, who use a sign-in sheet but show no proof of
identity.
B. access cards are not labeled with the organization’s
name and address to facilitate easy return of a lost card.
C. card issuance and rights administration for the cards are
done by different departments, causing unnecessary lead
time for new cards.
D. the computer system used for programming the cards
can only be replaced after three weeks in the event of a
system failure.
Task 5.3
Advantages
• Decreased server hardware costs.
• Shared processing capacity and storage space.
• Decreased physical footprint.
• Multiple versions of the same OS.
Disadvantages
• Inadequate host configuration could create vulnerabilities that affect not only the host, but also the guests.
• Data could leak between guests.
• Insecure protocols for remote access could result in exposure of administrative credentials.
Client-Server Security
A client-server is a group of computers connected by a
communications network in which the client is the
requesting machine and the server is the supplying
machine.
Several access routes exist in a client-server
environment.
Client-Server Security (cont’d)
The IS auditor should ensure that:
o Application controls cannot be bypassed.
o Passwords are always encrypted.
o Access to configuration or initialization files is kept to
a minimum.
o Access to configuration or initialization files is
audited.
Wireless Security
Wireless security requirements include the following:
o Authenticity—A third party must be able to verify that
the content of a message has not been changed in
transit.
o Nonrepudiation—The origin or the receipt of a specific
message must be verifiable by a third party.
o Accountability—The actions of an entity must be
uniquely traceable to that entity.
o Network availability—The IT resource must be
available on a timely basis to meet mission
requirements or to avoid substantial losses.
Internet Security
The IS auditor must understand the risk and security
factors needed to ensure that proper controls are in
place when a company connects to the Internet.
Passive network attacks involve probing for network information.
o Examples of passive attacks include network
analysis, eavesdropping and traffic analysis.
Internet Security (cont’d)
Once enough network information has been gathered,
an intruder can launch an actual attack against a
targeted system to gain control.
o Examples of active attacks include denial of service
(DoS), phishing, unauthorized access, packet replay,
brute force attacks and email spoofing.
The IS auditor should have a good understanding of the
following types of firewalls:
o Packet filtering
o Application firewall systems
o Stateful inspection
Internet Security (cont’d)
The IS auditor should also be familiar with common
firewall implementations, including:
o Screened-host firewall
o Dual-homed firewall
o Demilitarized zone (DMZ) or screened-subnet firewall
The IS auditor should be familiar with the types, features
and limitations of intrusion detection systems and
intrusion prevention systems.
Encryption
Encryption generally is used to:
o Protect data in transit over networks from
unauthorized interception and manipulation.
o Protect information stored on computers from
unauthorized viewing and manipulation.
o Deter and detect accidental or intentional alterations
of data.
o Verify authenticity of a transaction or document.
Encryption (cont’d)
Key encryption elements include:
o Encryption algorithm—A mathematically based
function that encrypts/decrypts data
o Encryption keys—A piece of information that is used
by the encryption algorithm to make the encryption or
decryption process unique
o Key length—A predetermined length for the key; the
longer the key, the more difficult it is to compromise
Encryption (cont’d)
There are two types of encryption schemes:
o Symmetric—a unique key (usually referred to as the
“secret key”) is used for both encryption and decryption.
o Asymmetric—the decryption key is different than the one
used for encryption.
There are two main advantages of symmetric key systems
over asymmetric ones.
o The keys are much shorter and can be easily
remembered.
o Symmetric key cryptosystems are generally less
complicated and, therefore, use less processing power.
Encryption (cont’d)
In a public key cryptography system, two keys work
together as a pair. One of the keys is kept private, while
the other one is publicly disclosed.
The underlying algorithm works even if the private key is
used for encryption and the public key for decryption.
Encryption (cont’d)
Digital signature schemes ensure:
o Data integrity— Any change to the plaintext
message would result in the recipient failing to
compute the same document hash.
o Authentication—The recipient can ensure that the
document has been sent by the claimed sender
because only the claimed sender has the private key.
o Nonrepudiation—The claimed sender cannot later
deny generating the document.
The IS auditor should be familiar with how a digital
signature functions to protect data.
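The hash-then-sign mechanism behind the three properties above, as an added example that is not part of the CISA slides. It uses textbook RSA with constructed Mersenne-prime key pairs so it runs on the standard library alone; production systems use a vetted library with a proper padding scheme such as RSA-PSS.

```python
"""Hash-then-sign digital signature walkthrough.

Added example, not code from the CISA slides. Textbook RSA with constructed
toy keys: the point is to show integrity, authentication and nonrepudiation,
not to be a usable signature library."""
import hashlib

E = 65537  # common public exponent


def make_keypair(p, q):
    """Build (public, private) from two primes. Assumption: p*q exceeds 2**256
    so a SHA-256 digest can be signed directly without a padding scheme."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: E*d == 1 (mod phi); Python 3.8+
    return (n, E), (n, d)


# Constructed toy key pairs built from Mersenne primes (2**127-1, 2**521-1 and
# 2**89-1, 2**607-1); 65537 divides neither phi, so the inverse exists.
SENDER_PUBLIC, SENDER_PRIVATE = make_keypair(2**127 - 1, 2**521 - 1)
OTHER_PUBLIC, OTHER_PRIVATE = make_keypair(2**89 - 1, 2**607 - 1)


def document_hash(message: bytes) -> int:
    """Integrity element: any change to the message changes this value."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_key) -> int:
    """Signer applies the private exponent to the document hash."""
    n, d = private_key
    return pow(document_hash(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Recipient applies the public exponent and compares the recovered hash
    with a freshly computed hash of the message actually received."""
    n, e = public_key
    return pow(signature, e, n) == document_hash(message)


def signature_properties(message: bytes) -> dict:
    """Exercise the three properties the slide lists."""
    sig = sign(message, SENDER_PRIVATE)
    tampered = message + b" (amended)"
    return {
        # integrity: only the untouched text hashes to the signed value
        "original_verifies": verify(message, sig, SENDER_PUBLIC),
        "tampered_verifies": verify(tampered, sig, SENDER_PUBLIC),
        # authentication / nonrepudiation: a signature produced with another
        # party's private key does not verify under the claimed sender's key
        "other_key_verifies": verify(
            message, sign(message, OTHER_PRIVATE), SENDER_PUBLIC
        ),
    }


def round_trips_both_ways(value: int) -> bool:
    """The pair works in either direction: private-then-public and
    public-then-private both recover the original value."""
    n, e = SENDER_PUBLIC
    _, d = SENDER_PRIVATE
    return (
        pow(pow(value, d, n), e, n) == value
        and pow(pow(value, e, n), d, n) == value
    )


if __name__ == "__main__":
    print(signature_properties(b"Transfer 100 units to account 42"))
    print(round_trips_both_ways(123456789))
```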
Malware
There are two primary methods to prevent and detect
malware that infects computers and network systems.
o Have sound policies and procedures in place
(preventive controls).
o Have technical controls (detective controls), such as
anti-malware software, including:
• Scanners
• Behavior blockers
• Active monitors
• Integrity CRC checkers
• Immunizers
Neither method is effective without the other.
In the Big Picture
Task 5.3
Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.
The Big Picture
Evaluation of system security engineering and architecture ensures the foundations for ISM are in place to meet organizational goals and objectives.
Task 5.3 Activity
Your acquisition due diligence audit scope has been
defined by management sponsors as to evaluate the
design, implementation, maintenance, monitoring and
reporting of system and logical security controls to verify
the confidentiality, integrity and availability of intellectual
property.
What type of control will reduce the risk of disclosure of
sensitive data stored on mobile devices?
Discussion Question
The PRIMARY purpose of installing data leak prevention
(DLP) software is to control which of the following choices?
A. Access privileges to confidential files stored on
servers
B. Attempts to destroy critical data on the internal
network
C. Which external systems can access internal
resources
D. Confidential documents leaving the internal network
Discussion Question
Neural networks are effective in detecting fraud because
they can:
A. discover new trends because they are inherently
linear.
B. solve problems where large and general sets of
training data are not obtainable.
C. attack problems that require consideration of a large
number of input variables.
D. make assumptions about the shape of any curve
relating variables to the output.
Task 5.4
Data at rest
• Use crawlers to search for and log the location of specific information sets
Data in motion
• Use specific network appliances or embedded technology to selectively capture and analyze traffic
• Use deep packet inspection (DPI) to read contents within a packet’s payload
Data in use
• Use an agent to monitor data movement stemming from actions taken by end users
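A minimal data-at-rest crawler of the kind described above, as an added example that is not part of the CISA slides. The "specific information set" is constructed for the demo (payment card numbers that pass the Luhn check, plus US-style SSN patterns), and the sample files are written to a temporary directory so the crawl runs offline.

```python
"""Data-at-rest DLP crawler: walk a tree, find a specific information set and
log where it lives. Added example, not from the CISA slides; the patterns and
sample files are constructed for the demonstration."""
import os
import re
import tempfile

# Constructed information set: 13-16 digit card numbers (spaces/dashes allowed)
# and SSN-shaped numbers. Card hits must also pass Luhn to cut false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count matches of each information set in one document."""
    cards = [m.group() for m in CARD_RE.finditer(text)]
    cards = [c for c in cards if luhn_ok(re.sub(r"[ -]", "", c))]
    return {"card_numbers": len(cards), "ssns": len(SSN_RE.findall(text))}


def crawl(root: str) -> list:
    """Walk the tree and log (relative path, counts) for every file with hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    counts = scan_text(fh.read())
            except OSError:
                continue            # unreadable file: skip, a real tool would log it
            if any(counts.values()):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, counts))
    return sorted(findings)


# Constructed sample corpus; 4111... and 5500...0004 are well-known test numbers
# that pass Luhn, 1234 5678 9012 3456 does not and must not be reported.
SAMPLE_FILES = {
    "hr/benefits.txt": "Employee 123-45-6789 enrolled on 2024-01-15.\n",
    "finance/refunds.csv": "order,card\n1001,4111 1111 1111 1111\n"
                           "1002,1234 5678 9012 3456\n",
    "finance/old/ledger.txt": "Card 5500 0000 0000 0004 charged.\n",
    "docs/readme.txt": "No sensitive content here.\n",
}


def build_sample_tree(root: str) -> None:
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def run_demo() -> list:
    """Create the sample tree in a temp dir, crawl it, return the log."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return crawl(root)


if __name__ == "__main__":
    for location, counts in run_demo():
        print(f"{location}: {counts}")
```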
Identification and Authentication
Logical access identification and authentication (I&A) is
the process of establishing and proving a user’s identity.
For most systems, I&A is the first line of defense
because it prevents unauthorized people (or
unauthorized processes) from entering a computer
system or accessing an information asset.
Identification and Authentication (cont’d)
Risks Controls
Task 5.4
Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.
The Big Picture
Data classification, protection and management processes are critical in meeting business and regulatory requirements.
Task 5.4 Activity
You have been assigned to assist the incident response
team in evaluating post-incident lessons learned and
remediation activities to prevent recurrence of the root
causes. Your team has completed the response to data
leakage that resulted in compromising firewall network
administrative access.
When the firewall was sent off site for vendor
maintenance, what actions should have been taken?
Discussion Question
Task 5.5
Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
The Big Picture
The IS auditor must understand and be able to evaluate the acceptable methods for data management from creation through destruction.
Task 5.5 Activity
The CIO and CISO state their objective is to prevent and
detect computer attacks that could result in proprietary or
confidential data being stolen or modified.
What would be a risk specific to wireless networks?
Discussion Question
When reviewing the procedures for the disposal of computers,
which of the following should be the GREATEST concern for
the IS auditor?
A. Hard disks are overwritten several times at the sector
level but are not reformatted before leaving the
organization.
B. All files and folders on hard disks are separately deleted,
and the hard disks are formatted before leaving the
organization.
C. Hard disks are rendered unreadable by hole-punching
through the platters at specific positions before leaving
the organization.
D. The transport of hard disks is escorted by internal
security staff to a nearby metal recycling company,
where the hard disks are registered and then shredded.
Discussion Question
The risk of dumpster diving is BEST mitigated by:
A. implementing security awareness training.
B. placing shred bins in copy rooms.
C. developing a media disposal policy.
D. placing shredders in individual offices.
Task 5.6
o Denial of service (DoS)
o Hacking
o Malware, viruses and worms
o Fraud
o Unauthorized access
o Phishing
Computer access violations logging and reporting
• The IS auditor should attempt to access computer transactions or data for which access is not authorized. The unsuccessful attempts should be identified on security reports.
Present
• Involves presentation to the various audiences, such as management, attorneys, court, etc.
Computer Forensics
The IS auditor should give consideration to key elements of
computer forensics during audit planning, including the
following:
o Data protection
o Data acquisition
o Imaging
o Extraction
o Interrogation
o Ingestion/normalization
o Reporting
Auditing Network Infrastructure
When performing an audit of the network infrastructure, the IS auditor
should:
o Review the following documents:
• Network diagrams
• SLAs
• Network administrator procedures
• Network topology design
o Identify the network design implemented.
o Determine that applicable security policies, standards, procedures and
guidance on network management and usage exist and have been
distributed.
o Identify who is responsible for security and operation of Internet
connections.
o Determine whether consideration has been given to the legal problems
arising from use of the Internet.
o Determine whether a vulnerability scanning process is in place.
Auditing Remote Access
IS auditors should determine that all remote access
capabilities used by an organization provide for effective
security of the organization’s information resources.
This includes:
o Ensuring that remote access security controls are
documented and implemented for authorized users
o Reviewing existing remote access architectures for points
of entry
o Testing access controls
Penetration Testing
During penetration testing, an auditor attempts to circumvent the
security features of a system and exploits the vulnerabilities to
gain access that would otherwise be unauthorized.
Additional Discovery
Reporting
Types of Penetration Tests
Task 5.6
Evaluate the information security program to determine its effectiveness and alignment with the organization’s strategies and objectives.
The Big Picture
The information security program is the Alpha and the Omega for the organization to realize system confidentiality, integrity and availability.
Task 5.6 Activity
You have been assigned to a network architecture review. This is
a large multi-campus wide area network that uses the following
technologies:
o External
• Standard ISP provided T1s and OS3
• VerSprinAT&Bell MPLS
• Satellite communications
• Point to Point RF
o Internal
• WIFI for corporate and guests
• Wired with fiber backbone
When performing an audit of the network infrastructure, what
document should the IS auditor review?
Discussion Question
Which of the following is the BEST way for an IS auditor to
determine the effectiveness of a security awareness and
training program?
A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.
Discussion Question
Which of the following is the MAIN reason an organization
should have an incident response plan? The plan helps to:
A. ensure prompt recovery from system outages.
B. contain costs related to maintaining DRP capabilities.
C. ensure that customers are promptly notified of issues
such as security breaches.
D. minimize the impact of an adverse event.
Domain 5 Summary
Evaluate the information security and privacy policies,
standards and procedures.
Evaluate the design, implementation, maintenance,
monitoring and reporting of physical and environmental
controls.
Evaluate the design, implementation, maintenance,
monitoring and reporting of system and logical security
controls.
Domain 5 Summary (cont’d)
Evaluate the design, implementation and monitoring of
the data classification processes and procedures.
Evaluate the processes and procedures used to store,
retrieve, transport and dispose of assets.
Evaluate the information security program.
Discussion Question
The CSIRT of an organization disseminates detailed
descriptions of recent threats. An IS auditor’s GREATEST
concern should be that the users may:
A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.
Question 6
An IS audit department considers implementing continuous
auditing techniques for a multinational retail enterprise that
requires high availability of its key systems. A PRIMARY
benefit of continuous auditing is that:
A. effective preventive controls are enforced.
B. system integrity is ensured.
C. errors can be corrected in a timely fashion.
D. fraud can be detected more quickly.
Question 7
The internal audit department has written some scripts that are used for
continuous auditing of some information systems. The IT department has asked
for copies of the scripts so that they can use them for setting up a continuous
monitoring process on key systems. Would sharing these scripts with IT affect
the ability of the IS auditors to independently and objectively audit the IT
function?
A. Sharing the scripts is not permitted because it would give IT the ability to
pre-audit systems and avoid an accurate, comprehensive audit.
B. Sharing the scripts is required because IT must have the ability to review
all programs and software that runs on IS systems regardless of audit
independence.
C. Sharing the scripts is permissible as long as IT recognizes that audits
may still be conducted in areas not covered in the scripts.
D. Sharing the scripts is not permitted because it would mean that the IS
auditors who wrote the scripts would not be permitted to audit any IS
systems where the scripts are being used for monitoring.
Question 8
The success of control self-assessment (CSA) depends
highly on:
A. having line managers assume a portion of the
responsibility for control monitoring.
B. assigning staff managers the responsibility for
building, but not monitoring, controls.
C. the implementation of a stringent control policy and
rule-driven controls.
D. the implementation of supervision and the monitoring
of controls of assigned duties.
Question 9
When conducting an IT security risk assessment, the IS auditor
asked the IT security officer to participate in a risk identification
workshop with users and business unit representatives. What is
the MOST important recommendation that the IS auditor should
make to obtain successful results and avoid future conflicts?
A. Ensure that the IT security risk assessment has a clearly
defined scope.
B. Require the IT security officer to approve each risk rating
during the workshop.
C. Suggest that the IT security officer accept the business
unit risk and rating.
D. Select only commonly accepted risk with the highest
submitted rating.
Question 10
An IS auditor is performing an audit in the data center when
the fire alarm begins sounding. The audit scope includes
disaster recovery, so the auditor observes the data center
staff response to the alarm. Which of the following is the
MOST important action for the data center staff to complete
in this scenario?
A. Notify the local fire department of the alarm condition.
B. Prepare to activate the fire suppression system.
C. Ensure that all persons in the data center are
evacuated.
D. Remove all backup tapes from the data center.
Question 11
When evaluating the controls of an
electronic data interchange (EDI)
application, an IS auditor should
PRIMARILY be concerned with the risk of:
A. excessive transaction turnaround time.
B. application interface failure.
C. improper transaction authorization.
D. nonvalidated batch totals.
Question 12
An organization is replacing a payroll program that it
developed in-house, with the relevant subsystem of a
commercial enterprise resource planning (ERP) system.
Which of the following would represent the HIGHEST
potential risk?
A. Undocumented approval of some project changes
B. Faulty migration of historical data from the old
system to the new system
C. Incomplete testing of the standard functionality of
the ERP subsystem
D. Duplication of existing payroll permissions on the
new ERP subsystem
Question 13
An IS auditor reviewing a series of completed projects finds
that the implemented functionality often exceeded
requirements and most of the projects ran significantly over
budget. Which of these areas of the organization’s project
management process is the MOST likely cause of this
issue?
A. Project scope management
B. Project time management
C. Project risk management
D. Project procurement management
Question 14
Which of the following techniques would BEST help an IS
auditor gain reasonable assurance that a project can meet
its target date?
A. Estimation of the actual end date based on the
completion percentages and estimated time to
complete, taken from status reports
B. Confirmation of the target date based on interviews
with experienced managers and staff involved in the
completion of the project deliverables
C. Extrapolation of the overall end date based on
completed work packages and current resources
D. Calculation of the expected end date based on
current resources and remaining available project
budget
Question 15
An IS auditor has been asked to participate in
project initiation meetings for a critical project.
The IS auditor’s MAIN concern should be that
the:
A. complexity and risk associated with the
project have been analyzed.
B. resources needed throughout the project
have been determined.
C. technical deliverables have been identified.
D. a contract for external parties involved in
the project has been completed.
Question 16
The PRIMARY objective of service-level management
(SLM) is to:
A. define, agree on, record and manage the required
levels of service.
B. ensure that services are managed to deliver the
highest achievable level of availability.
C. keep the costs associated with any service at a
minimum.
D. monitor and report any legal noncompliance to
business management.
Question 17
The BEST audit procedure to determine if unauthorized
changes have been made to production code is to:
A. examine the change control system records and trace
them forward to object code files.
B. review access control permissions operating within
the production program libraries.
C. examine object code to find instances of changes and
trace them back to change control records.
D. review change approved designations established
within the change control system.
Question 18
Which of the following is the BEST method for determining
the criticality of each application system in the production
environment?
A. Interview the application programmers.
B. Perform a gap analysis.
C. Review the most recent application audits.
D. Perform a business impact analysis (BIA).
Question 19
Which of the following issues should be the GREATEST concern
to the IS auditor when reviewing an IT disaster recovery test?
A. Due to the limited test time window, only the most
essential systems were tested. The other systems were
tested separately during the rest of the year.
B. During the test, some of the backup systems were
defective or not working, causing the test of these systems
to fail.
C. The procedures to shut down and secure the original
production site before starting the backup site required far
more time than planned.
D. Every year, the same employees perform the test. The
recovery plan documents are not used because every step
is well known by all participants.
Question 20
Which of the following groups is the BEST source of
information for determining the criticality of application
systems as part of a business impact analysis (BIA)?
A. Business processes owners
B. IT management
C. Senior business management
D. Industry experts
Question 21
While designing the business continuity plan (BCP) for an
airline reservation system, the MOST appropriate method
of data transfer/backup at an offsite location would be:
A. shadow file processing.
B. electronic vaulting.
C. hard-disk mirroring.
D. hot-site provisioning.
Question 22
The information security policy that states “each individual
must have his/her badge read at every controlled door”
addresses which of the following attack methods?
A. Piggybacking
B. Shoulder surfing
C. Dumpster diving
D. Impersonation
Question 23
An IS auditor discovers that uniform resource locators
(URLs) for online control self-assessment questionnaires
are sent using URL shortening services. The use of URL
shortening services would MOST likely increase the risk of
which of the following attacks?
A. Internet protocol (IP) spoofing
B. Phishing
C. Structured query language (SQL) injection
D. Denial-of-service (DoS)
Question 24
A company is planning to install a network-based intrusion
detection system (IDS) to protect the web site that it hosts.
Where should the device be installed?
A. On the local network
B. Outside the firewall
C. In the demilitarized zone (DMZ)
D. On the server that hosts the web site
Question 25
What would be the MOST effective control for enforcing
accountability among database users accessing sensitive
information?
A. Implement a log management process.
B. Implement a two-factor authentication.
C. Use table views to access sensitive data.
D. Separate database and application servers.
Question 26
What is the BEST approach to mitigate the risk of a
phishing attack?
A. Implementation of an intrusion detection system (IDS)
B. Assessment of web site security
C. Strong authentication
D. User education
Question 27
Which of the following BEST encrypts data on mobile
devices?
A. Elliptical curve cryptography (ECC)
B. Data encryption standard (DES)
C. Advanced encryption standard (AES)
D. The Blowfish algorithm
Question 28
When protecting an organization’s IT systems, which of the
following is normally the next line of defense after the
network firewall has been compromised?
A. Personal firewall
B. Antivirus programs
C. Intrusion detection system (IDS)
D. Virtual local area network (VLAN) configuration
Question 29
Which of the following would MOST effectively enhance the
security of a challenge-response based authentication
system?
A. Selecting a more robust algorithm to generate
challenge strings
B. Implementing measures to prevent session hijacking
attacks
C. Increasing the frequency of associated password
changes
D. Increasing the length of authentication strings
Question 30
An IS auditor is reviewing a software-based firewall
configuration. Which of the following represents the
GREATEST vulnerability? The firewall software:
A. is configured with an implicit deny rule as the last rule
in the rule base.
B. is installed on an operating system with default
settings.
C. has been configured with rules permitting or denying
access to systems or networks.
D. is configured as a virtual private network (VPN)
endpoint.