
Christian Reina, CISSP

CISA Summary
Version 1.0

This document may be used only for informational, training and non-commercial purposes. You are free to copy, distribute, publish and alter this document under the condition that you give credit to the original author.
2010 Christian Reina, CISSP.

Domain 1: IT Governance

IT governance is the collection of top-down activities intended to control the IT organization from a strategic perspective:
- Policy
- Priorities
- Standards
- Vendor management
- Program/project management

IT Strategy Committee: advises the board of directors on strategy.

Balanced Scorecard: measures performance and effectiveness.
- Business contribution: perception from non-IT executives
- User: satisfaction
- Operational excellence: downtime, defects, support tickets
- Innovation: increase IT value with innovation
Information Security Governance
Roles and responsibilities:
- Board of Directors: risk appetite and risk management
- Steering Committee: operational strategy for security and risk management
- CISO: conducting risk assessments, developing security policy, vulnerability management, incident management, compliance
- Employees: comply with policies

Risk Management
Seek, identify, and manage risk. The four treatments are accept, mitigate, transfer and avoid.

Risk Management Program
- Objectives: reduce costs and incidents
- Scope
- Authority: executive-level commitment
- Resources
- Policies, processes, procedures, and records

Enterprise Architecture (EA)
Maps business functions into the IT environment as a model; activities to ensure business needs are met.
- Zachman Model: IT systems and environments are described at a high, functional level, and then in increasing detail.
- DFD (data flow diagram): illustrates the flow of information.

Risk Management Process
1. Asset identification: equipment, information, records, reputation, personnel
   o Grouping assets
   o Sources of asset data: interviews, IT systems, online data
   o Organizing data: by business process, geography, organizational unit, sensitivity, regulated status
2. Risk analysis
   o Threat analysis: all threats with a realistic opportunity of occurrence
   o Vulnerability identification: ranked by severity or criticality
   o Probability analysis: requires research to develop best estimates
   o Impact analysis: estimating the impact of specific threats on specific assets
   o Qualitative: subjective, using a numeric scale
   o Quantitative:
     - Asset Value (AV)
     - Exposure Factor (EF): fraction of the asset value lost in a single occurrence
     - Single Loss Expectancy (SLE) = AV x EF
     - Annualized Rate of Occurrence (ARO)
     - Annualized Loss Expectancy (ALE) = SLE x ARO
3. Risk treatments
   o Risk mitigation
   o Risk transfer
   o Risk avoidance
   o Risk acceptance
   o Residual risk: the risk that remains after a treatment is applied
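The quantitative formulas and the treatment options above are easiest to compare with numbers. The following Python is an added worked example, not code from the original summary: it computes SLE and ALE for one risk and ranks mitigation, transfer and acceptance by the ALE reduction each buys against its annual cost. The asset value, exposure factor, occurrence rate and control costs are constructed illustrative figures.

```python
"""Quantitative risk analysis worked example (added here; not from the original summary).

Implements SLE = AV x EF and ALE = SLE x ARO, then compares the risk
treatments (mitigate, transfer, accept) by the reduction in ALE each buys
against its annual cost. All asset values, exposure factors, occurrence
rates and control costs are constructed illustrative figures.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float       # AV: replacement/business value of the asset
    exposure_factor: float   # EF: fraction of AV lost in a single occurrence (0..1)
    aro: float               # ARO: expected occurrences per year

    def sle(self) -> float:
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        return self.sle() * self.aro


@dataclass(frozen=True)
class Treatment:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # mitigation that limits damage per event
    new_aro: Optional[float] = None              # mitigation that makes events rarer
    transferred_fraction: float = 0.0            # share of each loss carried by an insurer


ACCEPT = Treatment("accept", annual_cost=0.0)


def residual_ale(risk: Risk, t: Treatment) -> float:
    """ALE that remains after the treatment is applied (the residual risk)."""
    ef = risk.exposure_factor if t.new_exposure_factor is None else t.new_exposure_factor
    aro = risk.aro if t.new_aro is None else t.new_aro
    return risk.asset_value * ef * aro * (1.0 - t.transferred_fraction)


def net_benefit(risk: Risk, t: Treatment) -> float:
    """Annual saving from the treatment minus its annual cost; a negative value
    means the control costs more than the risk it removes."""
    return risk.ale() - residual_ale(risk, t) - t.annual_cost


def choose_treatment(risk: Risk, options) -> Treatment:
    """Pick the option with the highest net benefit; acceptance is always a candidate."""
    return max([ACCEPT, *options], key=lambda t: net_benefit(risk, t))


# Constructed scenario (hypothetical figures): a customer database exposed to ransomware.
DB_RISK = Risk("customer database", "ransomware", asset_value=500_000, exposure_factor=0.6, aro=0.25)
OPTIONS = [
    Treatment("offline backups + tested restore", annual_cost=20_000, new_exposure_factor=0.1),
    Treatment("cyber insurance", annual_cost=30_000, transferred_fraction=0.8),
    Treatment("network segmentation", annual_cost=60_000, new_aro=0.1),
]

if __name__ == "__main__":
    print(f"SLE={DB_RISK.sle():,.0f}  ALE={DB_RISK.ale():,.0f}")
    for t in [ACCEPT, *OPTIONS]:
        print(f"{t.name:35s} residual ALE={residual_ale(DB_RISK, t):>9,.0f}"
              f"  net benefit={net_benefit(DB_RISK, t):>9,.0f}")
    print("best:", choose_treatment(DB_RISK, OPTIONS).name)
```

With these figures the SLE is 300,000 and the ALE 75,000 per year; backups cut the residual ALE to 12,500 for a net benefit of 42,500, insurance nets 30,000, and segmentation nets -15,000, so it would cost more than the risk it removes.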

IT Management Practices
1. Personnel Management
   a. Hiring: background check, employee policy manual, job description
   b. Employee development: training, performance evaluation, career path
   c. Mandatory vacations: audit, cross training, reduced risk
   d. Termination
   e. Transfers and reassignments
2. Sourcing
   a. Insource
   b. Outsource: risks, SLA, policy, governance (service level agreements, change management, security, quality, audits), SaaS
3. Change Management
   a. Request
   b. Review
   c. Approve
   d. Perform change
   e. Verify change
4. Financial Management
   a. Develop
   b. Purchase
   c. Rent
5. Quality Management
   a. Software development
   b. Software acquisition
   c. Service desk
   d. IT operations
   e. Security
   f. Standards:
      i. ISO 9000: superseded by ISO 9001:2008, Quality Management System
      ii. ISO 20000: IT Service Management, for organizations adopting ITIL
      iii. ITIL
         1. Service delivery
         2. Control processes
         3. Release processes
         4. Relationship processes
         5. Resolution processes
6. Security Management
   a. Security governance
   b. Risk assessment
   c. Incident management
   d. Vulnerability management
   e. Access and identity management
   f. Compliance management
   g. BCP
7. Performance Management
   a. COBIT
   b. SEI CMMI
Roles and Responsibilities
1. Executive management: CIO, CTO, CSO, CISO, CPO
2. Software development: architect, analyst, developer, programmer, tester
3. Data management: architect, DBA, analyst
4. Network management: architect, engineer, administrator, telecom
5. Systems management: architect, engineer, storage, systems administrator
6. Operations: manager, analyst, controls analyst, data entry, media librarian
7. Security operations: architect, engineer, analyst, account management, auditor
8. Service desk: help desk, technical support
Segregation of Duties Controls


1. Transaction authorization
2. Split custody
3. Workflow: extra approval
4. Periodic reviews

Auditing IT Governance
1. Reviewing documentation and records:
   a. IT charter, strategy
   b. IT org chart
   c. HR/IT performance
   d. HR promotion policy
   e. HR manuals
   f. Life-cycle processes and procedures
   g. IT operations procedures
   h. IT procurement process
   i. Quality management documents
2. Reviewing contracts:
   a. Service levels
   b. Quality levels
   c. Right to audit
   d. 3rd-party audit
   e. Conformance to policies, laws, regulations
   f. Incident notification
   g. Liabilities
   h. Termination terms
   i. Protection of PII
3. Reviewing outsourcing:
   a. Distance
   b. Lack of audit contract terms
   c. Lack of cooperation
Domain 2: The Audit Process

Assess and evaluate the effectiveness of IT.

AUDIT MANAGEMENT

- The Audit Charter: defines roles and responsibilities and grants sufficient authority.
- The Audit Program: scope, objectives, resources, procedures.
- Strategic audit planning:
  o Factors: business goals and objectives, initiatives, market conditions, changes in technology, regulatory requirements.
  o Changes in audit activities: new internal audits, new external audits, increase in audit scope, impact on business processes.
  o Resource planning: budget and manpower.

- Audit and technology: continue learning about new technologies.
- Audit laws and regulations:
  o Characteristics: security, integrity, privacy
  o Computer security and privacy regulations:
    - Categories: computer trespass, protection of sensitive information, collection and use of information, law enforcement investigative powers
    - Consequences: loss of reputation, loss of competitive advantage, sanctions, lawsuits, fines, prosecution
  An organization should take a systematic approach to determine the applicability of regulations as well as the steps required to attain compliance and remain in that state.

US Regulations:
- Access Device Fraud 1984
- Computer Fraud and Abuse Act 1984
- Electronic Communications Act 1986
- Electronic Communications Privacy Act (ECPA) 1986
- Computer Security Act 1987
- Computer Matching and Privacy Protection Act 1988
- Communications Assistance for Law Enforcement Act (CALEA) 1994
- Economic and Protection of Proprietary Information Act 1996
- Health Insurance Portability and Accountability Act (HIPAA) 1996
- Children's Online Privacy Protection Act (COPPA) 1998
- Identity Theft and Assumption Deterrence Act 1998
- Gramm-Leach-Bliley Act 1999
- Federal Energy Regulatory Commission (FERC)
- Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act (PATRIOT) 2001
- Sarbanes-Oxley Act 2002
- Federal Information Security Management Act (FISMA) 2002
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) 2003
- California Privacy Act SB1386 2003
- Identity Theft and Assumption Deterrence Act 2003
- Basel II 2004
- Payment Card Industry Data Security Standard (PCI DSS) 2004
- North American Electric Reliability Corporation (NERC) 1968/2006
- Massachusetts Security Breach Law 2007

Canadian Regulations:
- Interception of Communications, Section 184
- Unauthorized Use of Computer, Section 342.1
- Privacy Act 1983
- Personal Information Protection and Electronic Documents Act (PIPEDA)

European Regulations:
- Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981
- Computer Misuse Act (CMA) 1990
- Directive on the Protection of Personal Data 2003 (European Union)
- Data Protection Act (DPA) 1998
- Regulation of Investigatory Powers Act 2000
- Anti-Terrorism, Crime and Security Act 2001
- Privacy and Electronic Communications Regulations 2003
- Fraud Act 2006
- Police and Justice Act 2006

Other Regulations:
- Cybercrime Act 2001, Australia
- Information Technology Act 2000, India
ISACA AUDITING STANDARDS

Code of Ethics. Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Audit Standards
- S1, Audit Charter
- S2, Independence
- S3, Professional Ethics and Standards
- S4, Professional Competence
- S5, Planning
- S6, Performance of Audit Work
- S7, Reporting
- S8, Follow-up Activities
- S9, Irregularities and Illegal Acts
- S10, IT Governance
- S11, Use of Risk Assessment in Audit Planning
- S12, Audit Materiality
- S13, Using the Work of Other Experts
- S14, Audit Evidence
- S15, IT Controls
- S16, E-Commerce

Audit Guidelines
- G1, Using the Work of Other Auditors
- G2, Audit Evidence Requirement
- G3, Use of Computer-Assisted Audit Techniques (CAATs)
- G4, Outsourcing of IS Activities to Other Organizations
- G5, Audit Charter
- G6, Materiality Concepts for Auditing IS
- G7, Due Professional Care
- G8, Audit Documentation
- G9, Audit Considerations for Irregularities and Illegal Acts
- G10, Audit Sampling
- G11, Effect of Pervasive IS Controls
- G12, Organizational Relationship and Independence
- G13, Use of Risk Assessment in Audit Planning
- G14, Application Systems Review
- G15, Planning
- G16, Effect of Third Parties on an Organization's IT Controls
- G17, Effect of Nonaudit Role on the IS Auditor's Independence
- G18, IT Governance
- G19, Irregularities and Illegal Acts
- G20, Reporting
- G21, Enterprise Resource Planning (ERP) Systems Review
- G22, Business to Consumer (B2C) E-Commerce Review
- G23, SDLC Review
- G24, Internet Banking
- G25, Review of VPN
- G26, Business Process Reengineering (BPR) Review
- G27, Mobile Computing
- G28, Computer Forensics
- G29, Post-implementation Review
- G30, Competence
- G31, Privacy
- G32, BCP
- G33, General Considerations on the Use of the Internet
- G34, Responsibility, Authority, and Accountability
- G35, Follow-up Activities
- G36, Biometric Controls
- G37, Configuration Management
- G38, Access Controls
- G39, IT Organization
- G40, Review of Security Management Practices

Audit Procedures
- P1, Risk Assessment
- P2, Digital Signature and Key Management
- P3, IDS
- P4, Viruses
- P5, Control Risk Self-Assessment
- P6, Firewall
- P7, Irregularities and Illegal Acts
- P8, Security Assessment (penetration test, vulnerability analysis)
- P9, Encryption
- P10, Business Application Change Control
- P11, Electronic Funds Transfer

PERFORMING AN AUDIT

RISK ANALYSIS
- Evaluating business processes
- Identifying business risks
- Risk mitigation
- Countermeasures assessment
- Monitoring

INTERNAL CONTROLS
- Control classification
  o Types: technical, administrative, physical
  o Classes: preventive, detective, deterrent, corrective, compensating, recovery
  o Categories: manual, automatic
- Internal control objectives: statements of desired outcomes from business operations, e.g. protection of IT assets, availability of IT systems.
  o IS control objectives: protection of information from unauthorized personnel, integrity of operating systems
- General Computing Controls (GCCs): controls that apply across all applications and services, e.g. passwords are stored encrypted, strong passwords are required.
- IS controls: each GCC is mapped to a specific IS control on each system type.
- Formal planning:
  o Purpose
  o Scope
  o Risk analysis
  o Audit procedures
  o Resources
  o Schedule
- Types of audits
  o Operational
  o Financial
  o IS audit
  o Administrative
  o Compliance
  o Forensic
  o Service provider
  o Pre-audit
- Compliance vs. substantive testing
  o Compliance: determine whether control procedures have been properly designed and implemented and are operating properly.
  o Substantive: determine the accuracy and integrity of transactions that flow through processes and information systems.
- Audit methodology
  o Audit subject
  o Audit objective
  o Audit type
  o Audit scope
  o Pre-audit planning
  o Audit SoW (statement of work)
  o Audit procedures
  o Communication plan
  o Report preparation
  o Wrap-up
  o Post-audit follow-up
- Audit evidence: factors that determine how much reliance can be placed on it
  o Independence of the evidence provider
  o Qualifications of the evidence provider
  o Objectivity
  o Timing
- Gathering evidence
  o Org chart
  o Review department and project charters
  o Review 3rd-party contracts
  o Review IS policies and procedures
  o Review IS standards
  o Review IS documentation
  o Personnel interviews
  o Passive observation
- Observing personnel
  o Real tasks
  o Skills and experience
  o Security awareness
  o Segregation of duties
- Sampling
  o Statistical: the sample is chosen so that it reflects the entire population
  o Judgmental: the auditor subjectively selects samples based on established criteria
  o Attribute: samples are examined and a specific attribute is chosen
  o Variable: determines the characteristics of a given population in order to estimate a total value
  o Stop-or-go: sampling can stop at the earliest possible time because of low risk and a low rate of exceptions
  o Discovery: trying to find at least one exception in a population
  o Stratified: create different classes and review one attribute common to all classes
- Computer-Assisted Audit Techniques (CAATs): help examine and evaluate data across complex environments.
- Reporting audit results
  o Cover letter
  o Introduction
  o Summary
  o Description
  o Listing of systems and processes examined
  o Listing of interviewees
  o Listing of evidence obtained
  o Explanation of sampling technique
  o Description of findings and recommendations
- Audit risk
  o Control risk: an error is not prevented or detected by an internal control
  o Detection risk: the IS auditor will overlook errors
  o Inherent risk: risk that exists independent of the audit
  o Overall audit risk: the summation of all of the residual risks
  o Sampling risk: the sampling technique will not detect an error
- Materiality: a monetary threshold in financial audits
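The discovery and stop-or-go sampling approaches listed above are easier to reason about with actual numbers. The following Python is an added example, not part of the original summary: it computes a discovery sample size (how many items must be examined to have a given confidence of seeing at least one exception if the true exception rate is at least some critical rate) and runs a stop-or-go sample that examines items in increments and stops as soon as the upper confidence bound on the exception rate falls below the tolerable rate. It assumes a binomial model (adequate when the sample is small relative to the population) and a constructed population of transactions that is assumed to already be in random order.

```python
"""Audit sampling worked example (added here; not from the original summary).

Discovery sampling: smallest sample that finds at least one exception with
the required confidence if the population exception rate is at least the
critical rate. Stop-or-go sampling: examine items in small increments and
stop once the evidence supports concluding that the exception rate is below
the tolerable rate. A binomial model is assumed, and the constructed
population is assumed to be in random order already.
"""
import math


def discovery_sample_size(critical_rate: float, confidence: float) -> int:
    """Smallest n with P(at least one exception in n) >= confidence,
    i.e. 1 - (1 - p)^n >= confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - critical_rate))


def binomial_cdf(k: int, n: int, p: float) -> float:
    """P(X <= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1.0 - p) ** (n - i) for i in range(k + 1))


def upper_exception_rate(n: int, k: int, confidence: float, tol: float = 1e-9) -> float:
    """One-sided upper confidence bound on the population exception rate after
    observing k exceptions in n items (exact binomial bound, found by bisection)."""
    if k >= n:
        return 1.0
    lo, hi = 0.0, 1.0
    while hi - lo > tol:
        mid = (lo + hi) / 2.0
        if binomial_cdf(k, n, mid) > 1.0 - confidence:
            lo = mid    # mid is still plausible as the true rate; the bound lies higher
        else:
            hi = mid
    return hi


def stop_or_go(population, tolerable_rate: float, confidence: float,
               step: int = 25, max_items: int = 200) -> dict:
    """Examine `step` items at a time; stop as soon as the upper bound on the
    exception rate is at or below the tolerable rate (low risk, few exceptions).
    If that never happens within max_items, report that testing must be extended."""
    n = exceptions = 0
    limit = min(max_items, len(population))
    while n < limit:
        batch = population[n:min(n + step, limit)]
        exceptions += sum(1 for is_exception in batch if is_exception)
        n += len(batch)
        if upper_exception_rate(n, exceptions, confidence) <= tolerable_rate:
            return {"sample_size": n, "exceptions": exceptions, "conclusion": "rely on control"}
    return {"sample_size": n, "exceptions": exceptions, "conclusion": "extend testing"}


# Constructed population: 1,000 transactions in which True marks a control
# exception (8 exceptions, a 0.8% rate); assumed to be in random order already.
EXCEPTION_POSITIONS = {60, 140, 320, 455, 610, 780, 905, 990}
POPULATION = [i in EXCEPTION_POSITIONS for i in range(1000)]

if __name__ == "__main__":
    print("discovery sample size, 5% critical rate at 95% confidence:",
          discovery_sample_size(0.05, 0.95))
    print("stop-or-go, 5% tolerable rate at 95% confidence:",
          stop_or_go(POPULATION, 0.05, 0.95))
```

With a 5% critical rate and 95% confidence the discovery sample is 59 items; the stop-or-go run over the constructed population meets one exception in the third increment, which pushes the bound above 5% again, and stops at 100 items once the bound drops back under the tolerable rate.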

CONTROL SELF-ASSESSMENT
A methodology used by an organization to review its key business objectives, the risks involved in achieving those objectives, and the key controls designed to manage those risks.

- Advantages
  o Risks detected earlier
  o Improvement of internal controls
  o Ownership of controls
  o Improved employee awareness
  o Improved relationship between departments and auditors
- Disadvantages
  o May be mistaken for a substitute for internal audit
  o May be considered extra work
  o May be considered an attempt by the auditor to shrug off responsibilities
  o Without employee involvement it produces no results
- Life cycle
  o Identify and assess risks
  o Identify and assess controls
  o Develop questionnaire or workshop
  o Analyze completed questionnaires
  o Control remediation
  o Awareness training

Domain 3: IT Life Cycle Management

The organization's methodologies and practices for the development and management of software, infrastructure, and business processes.

PORTFOLIO AND PROGRAM MANAGEMENT

A program is an organization of many large, complex activities, and can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.

- Starting a program:
  o Program charter
  o Identification of available resources
- Running a program:
  o Monitoring project schedules
  o Managing project budgets
  o Managing resources
  o Identifying and managing conflicts
  o Creating status reports
- Project portfolio management (recorded for each project):
  o Executive sponsor
  o Program manager
  o Project manager
  o Start and end dates
  o Names of participants
  o Objectives or goals that the project supports
  o Budget
  o Resources
  o Dependencies
- Business case development:
  o Business problem
  o Feasibility study results
  o High-level project plan
  o Budget
  o Metrics
  o Risks

PROJECT MANAGEMENT

- Organizing projects
  o Direct report: project team leader
  o Influencer: influences team members but does not manage them directly
  o Pure project: the project manager is given full authority over the project
  o Matrix: the project manager has authority over each project team member for project work
  o Initiating a project
- Developing project objectives
  o Object Breakdown Structure (OBS): visual representation of the system, software, or application, in hierarchical form.
  o Work Breakdown Structure (WBS): logical representation of the high-level and detailed tasks that must be performed to complete the project.
- Managing projects
  o Managing the project schedule
  o Recording task completion
  o Running project meetings
  o Tracking project expenditures
  o Communicating project status
- Project roles and responsibilities
  o Senior management: support and approve the project
  o IT steering committee: commission the feasibility study, approve the project
  o Project manager
  o Project team members
  o End-user management: assign staff to the project team; support development of cases
  o End users
  o Project sponsor: define project objectives, provide budget
  o Systems development management
  o System developers
  o Security manager
  o IT operations
- Project planning
  o Task identification
  o Task estimation
  o Task resources
  o Task dependencies
  o Milestone tracking
  o Task tracking
  o Estimating and sizing software projects
    - Object Breakdown Structure (OBS)
    - Work Breakdown Structure (WBS)
    - Source Lines of Code (SLOC): estimate based on previous analysis of the time needed to develop a program of a given size
    - COCOMO: Constructive Cost Model, a method for estimating software development projects
    - Function Point Analysis (FPA): a time-proven estimation technique for larger software projects. It studies the detailed design specifications for an application program and counts the number of user inputs, user outputs, user queries, files, and external interfaces.
    - Other costs: development tools, workstations, servers, software licenses, network devices, training, equipment
  o Scheduling project tasks: a critical phase
    - Gantt chart
    - Program Evaluation and Review Technique (PERT)
    - Critical Path Methodology (CPM): it is important to identify the critical path in a project, because this allows the project manager to understand which tasks are most likely to impact the project schedule and to determine when the project will finally conclude.
    - Timebox management: a fixed period in which a project must be completed.
  o Project records: project plans, project changes, meeting agendas and minutes, resource consumption, task information
  o Project documentation: helps users, support staff, IT operations, developers, and auditors
  o Project change management: changes to the project should be made in two basic steps:
    - The project team identifies the specific use, impact, and remedy, and makes a formal request.
    - The change request is presented to management along with its impact, and management makes the decision.
  o Project closure
    - Project debrief
    - Project documentation archival
    - Management review
    - Training
    - Formal turnover to users, operations and support
- Methodologies
  o Project Management Body of Knowledge (PMBOK): process based
    - Processes: inputs, techniques, outputs
    - Process groups: initiating, planning, executing, monitoring and controlling, closing
  o Projects IN Controlled Environments (PRINCE2): project management framework
    - Starting up a project (SU)
    - Planning (PL)
    - Initiating a project (IP)
    - Directing a project (DP)
    - Controlling a stage (CS)
    - Managing product delivery (MP)
    - Managing stage boundaries (SB)
    - Closing a project (CP)
  o Scrum: iterative and incremental process most commonly used to manage an agile software development effort.
    - Scrum master: this is the project manager
    - Product owner: this is the customer
    - Team
    - Users
    - Stakeholders
    - Managers
4.

SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)

1. Feasibility study: determines whether a specific change or set of changes in business processes and underlying applications is practical to undertake.
   o Time required to develop or acquire the software
   o A comparison between the cost of developing the application and the cost of buying it
   o Whether an existing system can meet the business need
   o Whether the application supports strategic business objectives
   o Whether a solution can be developed that is compatible with other IT systems
   o The impact of the proposed changes to the business on regulatory compliance
   o Whether future requirements can be met by the system
2. Requirements: characteristics of a new application or of the changes being made.
   o Business functional requirements: what the application must have to support the business
   o Technical requirements and standards: use the same basic technologies already in use, as well as formal technical standards
   o Security and regulatory requirements: authentication, authorization, access control, encryption, data validation, audit logging, security operational requirements
   o DR/BCP requirements
   o Privacy requirements
   o RFP (Request for Proposal) process:
     - Requirements
     - Vendor financial stability
     - Product roadmap
     - Experience
     - Vision
     - References; questions for the vendor's clients: satisfaction with installation, satisfaction with migration, satisfaction with support, satisfaction with the long-term roadmap, what went well, what did not go well
     - Contract negotiation
     - Closing the RFP
3. Design: a top-down approach.
4. Development:
   o Coding the application
   o Developing program- and system-level documents
   o Developing user procedures
   o Working with users
   o Developing in a software acquisition setting: customizations, interfaces to other systems, authentication, reports
   o Debugging: correct operation, input validation, proper output validation, resource usage
   o Source Code Management (SCM): protection, control, version control, recordkeeping
5. Testing:
   o Unit testing: performed by developers during the coding phase; should be part of the development of each module in the application.
   o System testing: end-to-end testing; includes interface testing and migration testing.
   o Functional testing: verification of functional requirements.
   o User Acceptance Testing (UAT): in most cases a formal step to find out whether the organization accepts the software developed by a 3rd party.
   o Quality Assurance Testing (QAT)
6. Implementation:
   o Planning: prepare physical space for production systems, build production systems, install application software, migrate data
   o Training: end users, customers, support staff, trainers
   o Data migration verification: record counts, batch totals, checksums
   o Cutover: parallel, geographic, module by module, roll-back
   o Rollback planning
7. Post-implementation:
   o Implementation review: system adequacy, security review, issues, ROI
   o Software maintenance
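The implementation step above lists three controls for verifying a data migration (record counts, batch totals, checksums) without showing how they combine. The following Python is an added worked example, not code from the original summary: it reconciles a migrated dataset against its source with all three, using an order-independent hash total so a reordered copy still reconciles, and drills down to the individual records when the checksums disagree. The same routines serve as the run-to-run and hash totals listed later under processing controls. The source and target records, the batch field and the planted defects are constructed for the illustration.

```python
"""Data migration verification worked example (added here; not from the original summary).

Reconciles a migrated dataset against its source using record counts, batch
totals and checksums. The source and target records, the batch/amount field
names and the planted migration defects are constructed for the illustration.
"""
import hashlib
import json
from collections import defaultdict
from decimal import Decimal


def canonical(rec: dict) -> str:
    # A record must serialize identically on both sides regardless of field order.
    return json.dumps(rec, sort_keys=True, separators=(",", ":"), default=str)


def record_checksum(rec: dict) -> str:
    return hashlib.sha256(canonical(rec).encode("utf-8")).hexdigest()


def dataset_checksum(records) -> str:
    # Order-independent hash total: hash the sorted per-record digests, so a
    # reordered but otherwise identical dataset reconciles cleanly.
    h = hashlib.sha256()
    for digest in sorted(record_checksum(r) for r in records):
        h.update(digest.encode("ascii"))
    return h.hexdigest()


def batch_totals(records, batch_field="batch", amount_field="amount") -> dict:
    # Control totals per batch, computed in Decimal so cents are exact.
    totals = defaultdict(lambda: Decimal("0"))
    for r in records:
        totals[r[batch_field]] += Decimal(str(r[amount_field]))
    return dict(totals)


def reconcile(source, target, key="id") -> list:
    """Return a list of findings; an empty list means the migration reconciles."""
    findings = []
    if len(source) != len(target):                            # record counts
        findings.append(f"record count: source={len(source)} target={len(target)}")
    st, tt = batch_totals(source), batch_totals(target)       # batch totals
    for b in sorted(set(st) | set(tt)):
        if st.get(b) != tt.get(b):
            findings.append(f"batch {b} total: source={st.get(b)} target={tt.get(b)}")
    if dataset_checksum(source) != dataset_checksum(target):  # checksums
        # Checksums catch changes that leave counts and totals intact (a truncated
        # name, a swapped account number); drill down to the records responsible.
        s_by = {r[key]: r for r in source}
        t_by = {r[key]: r for r in target}
        for k in sorted(set(s_by) | set(t_by)):
            if k not in t_by:
                findings.append(f"{key}={k}: missing in target")
            elif k not in s_by:
                findings.append(f"{key}={k}: extra in target")
            elif record_checksum(s_by[k]) != record_checksum(t_by[k]):
                findings.append(f"{key}={k}: content differs")
    return findings


# Constructed legacy data and its migrated copy (reordered, with two defects planted).
SOURCE = [
    {"id": 1, "batch": "B1", "name": "Ada Lovelace", "amount": "100.00"},
    {"id": 2, "batch": "B1", "name": "Grace Hopper", "amount": "250.50"},
    {"id": 3, "batch": "B2", "name": "Alan Turing", "amount": "75.25"},
    {"id": 4, "batch": "B2", "name": "Claude Shannon", "amount": "300.00"},
]
TARGET = [
    {"id": 3, "batch": "B2", "name": "Alan Turing", "amount": "75.25"},
    {"id": 1, "batch": "B1", "name": "Ada Lovelace", "amount": "100.00"},
    {"id": 2, "batch": "B1", "name": "Grace Hoppe", "amount": "250.50"},   # truncated name
]                                                                        # record 4 never arrived

if __name__ == "__main__":
    for finding in reconcile(SOURCE, TARGET):
        print(finding)
```

On the constructed data the count check reports 4 versus 3 records, the batch totals isolate the loss to batch B2, and the checksum drill-down names record 2 (truncated name, which neither count nor total would catch) and record 4 (missing). Rerunning with the source merely reordered yields no findings.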

Development Risks
o Application inadequacy
o Project risk
o Business inefficiency
o Market changes

Development Approaches and Techniques
o Agile development
o Prototyping
o Rapid Application Development (RAD)
o Data Oriented System Development (DOSD)
o Object-Oriented System Development (OO)
o Component-based development: CORBA, DCOM, SOA
o Web-based application development: HTML, SOAP, XML
o Reverse engineering

System Development Tools
o Computer-Aided Software Engineering (CASE)
  - Upper CASE: requirements gathering, DFDs, interfaces
  - Lower CASE: creation of program source code and data schemas
o Fourth-generation languages

INFRASTRUCTURE DEVELOPMENT AND IMPLEMENTATION
1. Review of existing architecture
2. Requirements
   a. Business functional requirements
   b. Technical requirements and standards
   c. Security and regulatory requirements
   d. Privacy requirements
3. Design
   a. Procurement
4. Testing
5. Implementation
6. Maintenance
MAINTAINING INFORMATION SYSTEMS

Change Management Process
- Change request
- Change review
- Perform change
- Emergency changes

Configuration Management
- Recovery: configuration data is stored independently of the systems themselves
- Consistency: simplifies administration, reduces mistakes, and results in less unscheduled downtime
BUSINESS PROCESSES

Business Process Life Cycle (BPLC)
1. Feasibility study
2. Requirements definition
3. Design
4. Development
5. Testing
6. Implementation
7. Monitoring
8. Post-implementation

Benchmarking a Process
- Plan
- Research
- Measure and observe
- Analyze
- Adapt: understand the fundamental reasons why other organizations' measurements are better than its own
- Improve

Capability Maturity Models
- Software Engineering Institute Capability Maturity Model (SEI CMM)
  o Initial
  o Repeatable
  o Defined
  o Managed
  o Optimizing
- Capability Maturity Model Integration (CMMI): an aggregation of these other models into an overall maturity model.
- ISO 15504: Software Process Improvement and Capability dEtermination (SPICE)
  o Level 0: incomplete
  o Level 1: performed
  o Level 2: managed
  o Level 3: established
  o Level 4: predictable
  o Level 5: optimizing

APPLICATION CONTROLS

Input Controls
- Authorization
  o User access controls
  o Workstation identification
  o Approved transactions and batches
  o Source documents
- Input validation
  o Type checking
  o Range and value checking
  o Existence
  o Consistency
  o Length
  o Check digits
  o Spelling
  o Unwanted characters
  o Batch controls
- Error handling
  o Batch rejection
  o Transaction rejection
  o Request re-input
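The input validation checks and error-handling outcomes listed above are concrete enough to implement. The following Python is an added worked example, not code from the original summary: it applies type, range, value, existence, consistency, length, check-digit and unwanted-character edits to constructed payment transaction records, then applies the batch controls (record count and control total against a batch header) and maps failures onto the three outcomes: batch rejection, transaction rejection, and request for re-input. The field layout, reference data and permitted ranges are hypothetical, and the Luhn mod-10 algorithm is assumed as the check-digit scheme for the account number.

```python
"""Input validation and batch control worked example (added here; not from the original summary).

Applies the Input Controls edit checks to constructed payment transaction
records and maps failures onto the error-handling outcomes (batch rejection,
transaction rejection, request for re-input). The field layout, reference
data and permitted ranges are hypothetical; the Luhn mod-10 algorithm is
assumed as the check-digit scheme for the account number.
"""
from __future__ import annotations

import re
from decimal import Decimal, InvalidOperation
from typing import Optional

VALID_CURRENCIES = {"USD", "EUR", "GBP"}
# Reference data for the existence check (constructed test numbers, not real accounts).
KNOWN_ACCOUNTS = {"4539578763621486", "6011000990139424"}
MEMO_ALLOWED = re.compile(r"^[A-Za-z0-9 .,'-]*$")
AMOUNT_MIN, AMOUNT_MAX = Decimal("0.01"), Decimal("100000.00")


def luhn_ok(digits: str) -> bool:
    """Mod-10 (Luhn) check digit: catches any single-digit error and most transpositions."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def to_decimal(value) -> Optional[Decimal]:
    """Type check: accept only values that parse as a finite decimal number."""
    try:
        d = Decimal(str(value))
    except (InvalidOperation, ValueError):
        return None
    return d if d.is_finite() else None


def validate_transaction(rec: dict) -> list:
    """Return the list of edit-check failures for one record (empty list = accept)."""
    errors = []
    acct = str(rec.get("account", ""))
    if len(acct) != 16:                                   # length check
        errors.append("account: length must be 16 digits")
    elif not luhn_ok(acct):                               # check digit
        errors.append("account: check digit failure")
    elif acct not in KNOWN_ACCOUNTS:                      # existence check
        errors.append("account: not on file")
    amount = to_decimal(rec.get("amount"))                # type check
    if amount is None:
        errors.append("amount: not numeric")
    elif not AMOUNT_MIN <= amount <= AMOUNT_MAX:          # range check
        errors.append("amount: outside permitted range")
    if rec.get("currency") not in VALID_CURRENCIES:       # value check
        errors.append("currency: not a permitted value")
    if rec.get("type") == "REFUND" and not rec.get("original_ref"):   # consistency check
        errors.append("original_ref: required when type is REFUND")
    memo = str(rec.get("memo", ""))
    if len(memo) > 40:                                    # length check
        errors.append("memo: longer than 40 characters")
    if not MEMO_ALLOWED.match(memo):                      # unwanted characters
        errors.append("memo: contains unwanted characters")
    return errors


def validate_batch(batch: dict) -> dict:
    """Batch controls first (record count and control total against the header),
    then per-transaction edits. A header mismatch means records may be missing or
    altered in transit, so the whole batch is rejected; otherwise only the failing
    transactions are rejected and re-input is requested for them."""
    header, txns = batch["header"], batch["transactions"]
    if header["record_count"] != len(txns):
        return {"status": "batch rejected", "reason": "record count mismatch", "rejected": {}}
    amounts = [to_decimal(t.get("amount")) for t in txns]
    control_total = sum((a for a in amounts if a is not None), Decimal("0"))
    if control_total != Decimal(str(header["control_total"])):
        return {"status": "batch rejected", "reason": "control total mismatch", "rejected": {}}
    rejected = {}
    for t in txns:
        errs = validate_transaction(t)
        if errs:
            rejected[t["id"]] = errs
    status = "accepted" if not rejected else "accepted; re-input requested for rejected transactions"
    return {"status": status, "reason": None, "rejected": rejected}


# Constructed sample batch: T1 is clean, T2 has a bad check digit, T3 fails several edits.
SAMPLE_BATCH = {
    "header": {"record_count": 3, "control_total": "1235.50"},
    "transactions": [
        {"id": "T1", "account": "4539578763621486", "amount": "1200.00", "currency": "USD",
         "type": "SALE", "memo": "Invoice 1042"},
        {"id": "T2", "account": "4539578763621487", "amount": "25.50", "currency": "USD",
         "type": "SALE", "memo": "Coffee"},
        {"id": "T3", "account": "6011000990139424", "amount": "10.00", "currency": "XXX",
         "type": "REFUND", "memo": "drop table; --"},
    ],
}

if __name__ == "__main__":
    print(validate_batch(SAMPLE_BATCH))
```

Note the order of checks on the account field: length before check digit before existence, so each failure message names the cheapest test that would have caught it. The batch-level mismatch deliberately short-circuits before any record is examined, since a lost or altered record makes the per-transaction results meaningless.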

Processing Controls
- Editing
- Calculations
  o Run-to-run totals
  o Limit checking
  o Batch totals
  o Manual recalculation
  o Reconciliation
  o Hash values
- Data file controls
  o Data file security
  o Error handling
  o Internal and external labeling
  o Data file version
  o Source files
  o Transaction logs
- Processing errors

Output Controls
- Controlling special forms
- Report distribution and receipt
- Reconciliation
- Retention

AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE
- Auditing project management
- Auditing the feasibility study
- Auditing requirements
- Auditing design
- Auditing development
- Auditing software acquisition
- Auditing implementation
- Auditing post-implementation
- Auditing change management
- Auditing configuration management

AUDITING BUSINESS CONTROLS
Identify the key processes in an organization and understand the controls that are in place, or should be in place, that govern the integrity of those processes.

AUDITING APPLICATION CONTROLS
- Transaction flow
- Observations
- Data integrity testing: used to confirm whether an application properly accepts, processes, and stores information.
- Testing online processing systems
- Auditing applications
- Continuous auditing: several techniques are available to perform online auditing.

Domain 4: IT Service Delivery & Infrastructure

IT organizations are effective if their operations are effective. IT organizations are service organizations: their existence is to serve the organization and support its business processes.

INFORMATION SYSTEMS OPERATIONS

- Management and control of operations
  o Processes and procedures
  o Standards
  o Resource allocation
  o Process management
- IT Service Management (ITSM)
  o Service desk
  o Incident management
  o Problem management
  o Change management
  o Configuration management
  o Release management: the ITIL term for the SDLC activities used for changes to a system, such as incident and problem resolution, enhancements, and subsystem patches and changes
  o Service-level management
  o Financial management
  o Capacity management: periodic measurements, considering planned changes, understanding long-term strategies, changes in technology
  o Service continuity management
  o Availability management: effective change management, effective application testing, resilient architecture, serviceable components
- Infrastructure operations
  o Running scheduled jobs
  o Restarting failed jobs/processes
  o Facilitating backup jobs
  o Monitoring systems/applications/networks
- Monitoring
- Software Program Library Management: a system used to store and manage access to an organization's application source and object code
  o Access and authorization controls
  o Program checkout
  o Program check-in
  o Version control
  o Code analysis
- Quality assurance
- Security management
  o Policies, procedures, processes, and standards
  o Risk assessments
  o Impact analysis
  o Vulnerability management
INFORMATION SYSTEMS HARDWARE

- Computer usage
  o Types: supercomputer, mainframe, midrange, server, desktop, laptop, mobile
  o Uses: application server, web server, file server, database server, print server, test server, thin client, thick client, workstation
- Computer architecture
  o CPU: CISC (Complex Instruction Set Computer), RISC (Reduced Instruction Set Computer), single processor, multiprocessor
  o Bus: PCI, PC Card, MBus, SBus
  o Main storage
  o Secondary storage: program storage, data storage, temporary files, OS, virtual memory
  o Firmware: Flash, EPROM, PROM, ROM, EEPROM
  o I/O and networking
  o Multi-computer: blade computers, grid computing, server clusters, virtual servers
- Hardware maintenance
- Hardware monitoring

INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE

- Computer operating systems: access to peripherals, storage management, process management, resource allocation, communication, security
  o OS virtualization
  o Clustering: using special software
  o Grid computing: a form of distributed computing
  o Cloud computing: dynamically scalable and usually virtualized
- Data communication software
- File systems: directories, files, FAT, NTFS, HFS (Hierarchical File System), ISO 9660 (CD-ROM, DVD), UDF (Universal Disk Format)
- Database management systems
  o Relational DBMS (RDBMS): primary key, one or more indexes, referential integrity, encryption, audit logging, access controls
  o Object database (ODBMS): data represented as objects; data and the programming methods are contained in an object
  o Hierarchical database: top-down
- Media management systems: tape management systems (TMS) or disk management systems (DMS)
- Utility software
  o Software and data design
  o Software development
  o Software testing
  o Security testing
  o Data management
  o System health
  o Network

NETWORK INFRASTRUCTURE
- Network architecture
  o Physical network architecture
  o Logical network architecture
  o Data flow architecture
  o Network standards and services
- Types of networks
  o Personal Area Network (PAN): up to 3 meters; used to connect peripherals for use by an individual
  o LAN
  o Campus Area Network (CAN)
  o Metropolitan Area Network (MAN)
  o WAN
- Network-based services: email, print, file storage, remote access, directory, terminal emulation, time synchronization, network authentication, web security, anti-malware, network management
- Network models
  o OSI: application, presentation, session, transport, network, data link, physical
  o TCP/IP: link, internet, transport, application
- Network technologies
  o LAN
    - Physical topology: star, ring, bus
    - Cable types: shielded twisted pair (STP), screened unshielded twisted pair (S/UTP), screened shielded twisted pair (S/STP), unshielded twisted pair (UTP); other types: fiber, coaxial, serial
    - Network transport protocols:
      - Ethernet: broadcast or shared medium; collisions are handled by collision detection (CSMA/CD), not avoidance
      - ATM (Asynchronous Transfer Mode): connection-oriented link-layer protocol carrying fixed-size cells
      - Token Ring
      - Universal Serial Bus
      - FDDI (Fiber Distributed Data Interface): dual-ring fiber network with a ring length of up to 200 km, operating at 100 Mbit/s
  o WAN: MPLS, SONET, Frame Relay, ISDN, X.25
  o Wireless
    - Wi-Fi
    - Bluetooth
    - Wireless USB
    - NFC (Near Field Communication): extremely short-range radio commonly used for merchant payment applications
    - IrDA: Infrared Data Association
- TCP/IP protocols
  o Link layer / network access layer: ARP (Address Resolution Protocol), RARP (Reverse Address Resolution Protocol), L2TP (Layer 2 Tunneling Protocol), PPP, Media Access Control (MAC)
  o Internet layer (Layer 3): IP, ICMP, IGMP, IPsec, OSPF (Open Shortest Path First, a routing protocol carried directly over IP); IP addresses, subnets, masks, gateways, classless and classful networks
  o Transport layer: TCP, UDP
  o Application layer
    - File transfer protocols: FTP, FTPS, SFTP, SCP, rcp
    - Messaging protocols: SMTP, POP, IMAP, NNTP
    - File and directory sharing protocols: NFS, RPC
    - Session protocols: TELNET, rlogin, SSH, HTTP, HTTPS
    - Management protocols: SNMP, NTP
    - Directory service protocols: DNS, LDAP, X.500
- Global Internet: email, IM, VPN, WWW
- Network management
  o Tools: network management systems, network management agents, incident management systems, protocol analyzers, sniffers
- Networked applications
  o Client-server
  o Web-based
AUDITING IS INFRASTRUCTURE AND OPERATIONS

Auditing IS Hardware
  o Standards: procurement standards
  o Maintenance: records, service contracts
  o Capacity: systems capacity monitoring
  o Change mgt: requested, reviewed prior to approval
Auditing OSs
  o Standards: written standards
  o Maintenance and support: support contracts
  o Change mgt
  o Configuration mgt: tools, recordkeeping, config processes
  o Security mgt: hardening
Auditing File Systems
  o Capacity: storage
  o Access control
Auditing DB Management Systems
  o Configuration mgt: centrally controlled
  o Change mgt: changes should be consistent and systematic
  o Capacity mgt: ability to support business processes
  o Security mgt: access controls, logs
Auditing Network Infrastructure
  o Network architecture
  o Security architecture
  o Standards
  o Change mgt
  o Capacity mgt
  o Configuration mgt
  o Administrative access management
  o Network components
  o Log management
  o User access management
Auditing Network Operating Controls
  o Network operating procedures
  o Restart procedures
  o Troubleshooting procedures
  o Security controls
  o Change management
Auditing Computer Operations
  o System configuration standards
  o System build procedures
  o System recovery procedures
  o System update procedures
  o Patch management
  o Daily tasks
  o Backup
  o Media control
  o Monitoring
Auditing Data Entry
  o Data entry procedures
  o Input verification
  o Batch verification
  o Correction procedures
Auditing Lights-Out Operations
  o Remote administration procedures
  o Remote monitoring procedures
Auditing Problem Management Operations
  o Problem management policy and processes
  o Problem management records
  o Problem management timelines
  o Problem management reports
  o Problem resolution
  o Problem recurrence
Auditing Monitoring Operations
  o Monitoring plan
  o Problem log
  o Preventative maintenance
  o Management review and action
Auditing Procurement
  o Requirements definition: functional, technical, and security requirements approved by management. Policies, procedures, and records.
  o Feasibility studies

INFORMATION SECURITY MANAGEMENT

Domain 5 Information Asset Protection

Aspects
  o Executive support
  o Policies and procedures
  o Security awareness
  o Security monitoring and auditing
  o Incident response
  o Corrective and preventive action
Roles and responsibilities
  o Executive mgt: support and overall responsibility for asset protection
  o Security steering committee: approval of security policies, risk-related matters
  o CISO: development and enforcement of policy and asset protection
  o Chief privacy officer
  o Security auditor: monitoring and testing security controls
  o Security administrator
  o Security analyst: implementing security policy by designing and improving security controls and processes
  o Systems analyst: designing application software that includes adequate controls
  o Software developers: coding applications that include controls to prevent application misuse or bypass of controls
  o Managers
  o Asset owners: responsible for protection and integrity of assets
  o Employees
Asset Inventory and Classification
  o Hardware
  o Information
Access Control
  o AC management: request, review, segregation of duties, transfer, termination
  o Logs
Privacy
  o PII: DL, SSN, passport, phone, address, DoB, accounts
3rd Party Management
  o 3rd party access countermeasures: logs, video, access controls, logical access, audits
  o Legal agreements: liabilities, controls required, nondisclosure, security training, steps for a security breach, steps to be taken to reduce the likelihood of data loss caused by a disaster, right to inspect, compliance, destroy copies of information on request

HR Security
  o Screening
  o Agreements
  o Job descriptions
  o Transfer and termination
  o Contractors and temps
Computer Crime
  o Roles: target of a crime, instrument of a crime, support of a crime
  o Categories: military, political, terrorist, financial, business, grudge, amusement
  o Perpetrators: hackers, cybercriminals, spies, terrorists, script kiddies, social engineers, employees, former employees, knowledgeable outsiders, service providers' employees
Security Incident Management
  o Incident response: planning, detection, initiation, evaluation, eradication, remediation, closure, post-incident review
  o Testing incident response: document review, walkthrough, simulation
  o Incident prevention: vulnerability monitoring, patch management, system hardening, IDS
Chain of custody: identification, preservation, analysis, presentation

LOGICAL ACCESS CONTROLS: Subject access controls are in place to determine the identity of the subject. Service access controls are used to control the types of messages that are allowed to pass through a control point.

Models
  o MAC: Mandatory Access Control: controls access to objects by subjects
  o DAC: Discretionary Access Control: the owner of an object is able to determine how and by whom the object may be accessed
Threats
  o Malware
  o Eavesdropping
  o Logic bombs
  o Scanning attacks
Vulnerabilities
  o Unpatched systems
  o Default system settings
  o Default passwords
  o Incorrect permissions settings
  o Application logic
Points of Entry
  o Exposure to malware
  o Eavesdropping
  o Open access
Identification, Authentication, and Authorization
  o Identification: asserting an identity without providing any proof of it
  o Authentication: the subject asserts an identity, but some proof of the subject's identity is required
  o Authorization: the system determines resource access for the subject
User account provisioning
  o Factors: user location, system limitations, data sensitivity
  o Risks: finding a password, eavesdropping
Two-factor authentication: digital certificates, smart cards, tokens
Something you are: biometrics such as hand print, fingerprint, palm vein, voice, facial scan, handwriting, iris scan
  o Measurement variances: false reject rate, false accept rate, crossover error rate
Reduced Sign-On: changing from stand-alone application authentication to centralized authentication like LDAP, RADIUS, Active Directory
Single Sign-On: one login authentication for multiple authorized applications
Access Control Lists: common way to administer access controls
Protecting Information
  o Access controls
  o Access logging
  o Backups: automated tools, protection of backup data, offsite backup media storage, restoration testing, media inventory
Patch Management
Vulnerability Management
  o Subscribing to security alerts
  o Scanning
  o Patch management
  o Corrective action process
System Hardening: remove services, change functions to unique system function, change default passwords, non-predictable passwords, reduce privileges, eliminate interserver trust
Managing User Access
  o User access provisioning: the risk of errors can be devastating for an organization
  o Termination: some safeguards are needed, like review of terminated employees' actions before and after, periodic reviews, and review of logs
  o Transfers: the risk is privilege creep
  o Password management: provisioning, lockout, forgotten passwords. Password length, complexity, expiration, reuse, rechange
Protecting Mobile Devices: encryption, strong access control, remote destruct, hardening, logical locking system, physical locking system

NETWORK SECURITY CONTROLS

Network Security
  o Threats: access by unauthorized persons, spoofing, eavesdropping, malware, DoS, access bypass, MITM
  o Countermeasures: user authentication controls, machine authentication controls, anti-malware, encryption, switched networks, IDS/IPS
Securing Client-Server Applications
  o Access controls: strong authentication
  o Interception of client-server communication: network encryption
  o Network failure
  o Change management
  o Disruption of client software updates
  o Stealing data
Securing Wireless Networks
  o Threats and vulnerabilities: eavesdropping, war driving and war chalking, encryption, spoofing
  o Countermeasures: obscure SSID, stop SSID broadcast, reduce transmit power, MAC filtering, WPA, require VPN, change default passwords, patches
Protecting Internet Communications
  o Threats and vulnerabilities
    - Eavesdropping
    - Network analysis: reconnaissance phase of some bigger effort
    - Targeted attacks
    - Malware
    - Masquerading: forged messages that have the appearance of originating elsewhere
    - DoS
    - Fraud
  o Countermeasures: firewalls, honeypots and honeynets, IDS, change management and configuration management, incident management, security awareness training

Encryption
  o Terms
    - Plaintext
    - Ciphertext
    - Hash function
    - Message digest
    - Digital signature
    - Algorithm
    - Decryption
    - Encryption key
    - Cryptanalysis
    - Key length
    - Block cipher
    - Stream cipher
    - Initialization Vector (IV): random number used to begin the encryption process
    - Symmetric encryption
    - Asymmetric encryption
    - Key exchange
    - Nonrepudiation
  o Private Key Cryptosystem: symmetric cryptography
    - Challenges
      - Key exchange: an out-of-band method is required
      - Scalability
  o Public Key Cryptosystem: asymmetric cryptosystem
    - Key pair: public and private keys
    - Message security: no need to establish and communicate symmetric encryption keys through a secure channel
    - Verifying public keys
      - Certificate authority
      - Email address
      - Key fingerprint: retrieve the public key and calculate the key fingerprint
  o Hashing and Message Digests
  o Digital Signatures: seal a message or file using the sender's identity
  o Digital Envelopes: combining private and public key cryptography
  o Public Key Infrastructure (PKI)
    - Digital certificates
    - Certificate Authority (CA)
    - Registration Authority (RA)
    - Certificate Revocation List (CRL)
    - Certification Practice Statement (CPS)
  o Key Management
    - Key generation: the system must be highly protected, isolated, and used by few people, and should include some randomness
    - Key protection
    - Key custody: policies, processes, and procedures regarding the management of keys
    - Key rotation: only when one of the following occurs: key compromise, key expiration, rotation of staff
    - Key disposal
  o Encryption applications: SSL/TLS, S-HTTP, S/MIME, SSH, SET
Voice over IP (VoIP)
  o Threats and vulnerabilities: eavesdropping, spoofing, malware, DoS, toll fraud
  o Protecting: IDS, access management, firewalls, hardening, malware controls
Private Branch Exchange (PBX)
  o Threats and vulnerabilities: default passwords on administrator console, dial-in modem, toll fraud, espionage
  o Countermeasures: administrative access control, physical access control, regular log review
Malware
  o Threats and vulnerabilities: viruses, worms, Trojan horses, spyware, rootkits, bots, missing patches, unsecure configuration, faulty architecture, faulty judgment, spam, phishing, DoS
  o Anti-malware administrative controls: spam policy, business-related internet use, no removable media, no downloading, no personally owned computers
  o Anti-malware technical controls: anti-malware on email servers, on workstations, on web servers, centralized malware console, IDS, spam filters, blocking use of removable media
Information Leakage
  o Countermeasures: outbound email filters, block removable media, blocking internet access, tighter access controls, access logging, job rotation, periodic background checks

PHYSICAL SECURITY CONTROLS

ENVIRONMENTAL CONTROLS

Threats and vulnerabilities
  o Electric power vulnerabilities
    - Spike: sharp increase
    - Inrush: sudden increase
    - Noise: presence of other electromagnetic signals
    - Dropout: momentary loss
    - Brownout: sustained drop
    - Blackout: complete loss
  o Physical environment vulnerabilities: temperature, humidity, dust and dirt, smoke and fire, sudden unexpected movement
Countermeasures
  o Electric power: UPS, electric generator, dual power feeds, power distribution unit (PDU)
  o Temperature and humidity controls: HVAC
  o Fire prevention, detection, and suppression controls
    - Prevention: combustibles stored away, cleanliness, electrical equipment maintenance
    - Detection: pull-down stations, manual alarms, detectors
    - Suppression
      - Types: wet pipe, dry pipe, pre-action, deluge, inert gas
      - Classes
        - A: wood, paper
        - B: liquids and gases
        - C: electrical
        - D: combustible metals
        - K: cooking oils and fats
Threats and vulnerabilities (physical security)
  o Theft
  o Sabotage
  o Espionage
  o Covert listening devices
  o Tailgating
  o Propped doors
  o Poor visibility
Countermeasures (physical security)
  o Keycard systems
  o Cipher locks
  o Fences, walls, and barbed wire
  o Bollards and crash gates
  o Video
  o Visual notices
  o Bug sweeping
  o Guards
  o Guard dogs

AUDITING ASSET PROTECTION

Security Management
  o Policies, processes, procedures, and standards
  o Records
  o Training
  o Data ownership and management
  o Data custodians
  o Security administrators
  o New and existing employees
Logical Access Controls
  o Network access paths: IT infrastructure, network architecture and access documentation
  o User access controls
    - User access controls: authentication, bypass, access violations, user account lockout, IDS/IPS, shared accounts, dormant accounts, system accounts
    - Password management: password standards, account lockout, access to encrypted passwords
    - Password vaulting
    - User access provisioning: access request process, access approvals, segregation of duties (SOD), access reviews
  o Employee terminations: termination process, timeliness, access reviews, contractor access and termination
  o Access logs: access log controls, centralized access logs, access log protection, log review, log retention
  o Investigative procedures: policies and procedures, computer crime investigations, computer forensics
  o Internet points of presence
    - Search engines: what information is available
    - Social networking sites: what others are saying
    - Online sales sites: what's being sold
    - Domain names
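The user access checks listed above (dormant and shared accounts, termination timeliness, activity after termination, privilege creep after a transfer) as an added Python example run over a constructed identity-store extract; it is not part of the original summary, and the account records, department entitlements and thresholds are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Account:
    user: str
    department: str
    status: str                     # "active", "transferred" or "terminated"
    enabled: bool
    last_login: Optional[date]
    roles: Set[str]
    terminated_on: Optional[date] = None
    disabled_on: Optional[date] = None
    shared: bool = False            # used by several people, no individual accountability


# Roles each department is entitled to (constructed for this example).
ENTITLEMENTS: Dict[str, Set[str]] = {
    "finance": {"erp_ap", "erp_gl"},
    "it_ops": {"server_admin", "backup_operator"},
    "hr": {"hris_user"},
}

# Constructed extract of an identity store, as an auditor would pull it.
ACCOUNTS: List[Account] = [
    Account("alice", "finance", "active", True, date(2010, 6, 28), {"erp_ap"}),
    # moved from finance to IT operations but kept the finance role (privilege creep)
    Account("bob", "it_ops", "transferred", True, date(2010, 6, 29),
            {"erp_ap", "server_admin"}),
    # left on 1 June, account never disabled, and it was used afterwards
    Account("carol", "hr", "terminated", True, date(2010, 6, 5), {"hris_user"},
            terminated_on=date(2010, 6, 1)),
    # disabled, but 17 days after the termination date
    Account("dave", "it_ops", "terminated", False, date(2010, 5, 1), {"server_admin"},
            terminated_on=date(2010, 5, 3), disabled_on=date(2010, 5, 20)),
    # shared service account nobody has used for months
    Account("svc_backup", "it_ops", "active", True, date(2010, 1, 10),
            {"backup_operator"}, shared=True),
]

AS_OF = date(2010, 6, 30)   # constructed review date

Finding = Tuple[str, str]   # (user, finding code)


def review_access(accounts: List[Account], entitlements: Dict[str, Set[str]],
                  as_of: date, dormant_days: int = 90, disable_sla_days: int = 1) -> List[Finding]:
    """Flag the conditions the audit checklist calls out. Thresholds are assumptions."""
    findings: List[Finding] = []
    for a in accounts:
        if a.status == "terminated" and a.terminated_on is not None:
            if a.enabled:
                findings.append((a.user, "TERMINATED_ENABLED"))
            elif a.disabled_on and (a.disabled_on - a.terminated_on).days > disable_sla_days:
                findings.append((a.user, "LATE_DISABLE"))
            if a.last_login and a.last_login > a.terminated_on:
                findings.append((a.user, "LOGIN_AFTER_TERMINATION"))
        if a.enabled and (a.last_login is None or (as_of - a.last_login).days > dormant_days):
            findings.append((a.user, "DORMANT"))
        extra = a.roles - entitlements.get(a.department, set())   # roles outside the job
        if extra:
            findings.append((a.user, "PRIVILEGE_CREEP:" + ",".join(sorted(extra))))
        if a.shared:
            findings.append((a.user, "SHARED_ACCOUNT"))
    return findings


if __name__ == "__main__":
    for user, code in review_access(ACCOUNTS, ENTITLEMENTS, AS_OF):
        print(f"{user:12s} {code}")
```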
Network Security Controls
  o Architecture review: diagrams, documents, support of business objectives, compliance with security policy, comparison of documented vs. actual
  o Network access controls: user authentication (Active Directory, LDAP), firewalls, IDS, remote access, dial-up modems
  o Change management: change control policy, change logs, change control procedures, emergency changes, rolled-back changes, linkage to SDLC (change management and SDLC)
  o Alert management
  o Penetration testing
  o Application scanning
  o Patch management
Environmental Controls
  o Power conditioning
  o Backup power
  o HVAC
  o Water detection
  o Fire detection and suppression
  o Cleanliness
Physical Controls
  o Siting and marking: proximity to hazards
  o Physical access controls: physical barriers, surveillance, guards and dogs, keycard systems

DISASTERS

Domain 6 BC & DR

Types
  o Natural: earthquakes, volcanoes, landslides, avalanches, wildfires, tropical cyclones, tornadoes, windstorms, lightning, ice storms, hail, flooding, tsunamis, pandemic, extraterrestrial impacts
  o Man-made: civil disturbances, utility outages, materials shortages, fires, hazardous materials spills, transportation accidents, security events, terrorism and wars
How they affect organizations
  o Direct damage: earthquakes etc.
  o Utility outage
  o Transportation
  o Services and supplier shortage
  o Staff availability
  o Customer availability

BCP Process
Develop Policy: formal policy included in the overall governance model
BCP and COBIT Controls
  o Develop IT continuity framework
  o Conduct business impact analysis
  o Develop and maintain IT continuity plans
  o Identify and categorize IT resources based on recovery objectives
  o Define and execute change control procedures to ensure the IT continuity plan is current
  o Regularly test the IT continuity plan
  o Develop follow-on action plan from test results
  o Plan and conduct IT continuity training
  o Plan IT services recovery and resumption
  o Plan and implement backup storage and protection
  o Establish procedures for conducting post-resumption reviews
Business Impact Analysis (BIA)
  o Inventory key processes and systems
  o Statement of impact: qualitative or quantitative description of the impact if the process or system were incapacitated for a time
  o Criticality analysis: study of each system and process, a consideration of the impact on the organization if it is incapacitated, the likelihood of incapacitation, and the estimated cost of mitigating the risk or impact of incapacitation (risk analysis)
Establishing Key Targets
  o Recovery Time Objective (RTO): time from onset of an outage until the resumption of service. Note: an organization could establish two RTO targets, one for partial capacity and one for full capacity.
  o Recovery Point Objective (RPO): time for which recent data will be irretrievably lost in a disaster. For critical transactions it is measured in minutes.
Developing Recovery Strategies and Plans
Strategies
  o Site options: hot, warm, cold, mobile, reciprocal (at another company)
  o Recovery and resilience technologies
    - RAID: Redundant Array of Independent Disks
      - RAID-0: striped
      - RAID-1: mirror
      - RAID-4: data striping. RAID 4-5 allow for failure of one disk without losing information
      - RAID-6: withstands failure of any two disk drives in the array
    - SAN: Storage Area Network
    - NAS: Network Attached Storage
  o Replication: disk storage system, operating system, database management system, transaction management system, application
  o Server clusters
  o Network connectivity and services: redundant network connection, redundant network services
  o Backup and restoration
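Why RAID-4/5 survive exactly one disk failure, as an added Python example that is not part of the original summary: data blocks are striped across the disks with one XOR parity block per stripe (rotated across disks for RAID-5, on a fixed disk for RAID-4), a failed disk is rebuilt block by block from the survivors, and a second concurrent failure is refused because single parity cannot recover it. The block size, disk count and sample data are constructed for the example.

```python
from typing import List, Optional

BLOCK = 4  # constructed block size in bytes; real arrays stripe in kilobytes


def xor_parity(blocks: List[bytes]) -> bytes:
    """Bytewise XOR of equal-length blocks: the parity block of RAID-4/RAID-5."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


def parity_index(stripe: int, n_disks: int, rotate: bool) -> int:
    """RAID-5 rotates the parity block across disks; RAID-4 keeps it on the last disk."""
    return stripe % n_disks if rotate else n_disks - 1


def raid5_layout(data: bytes, data_disks: int, rotate: bool = True) -> List[List[bytes]]:
    """Lay data out over data_disks + 1 disks with one XOR parity block per stripe.
    Returns one list of blocks per disk; the last stripe is zero-padded."""
    stripe_bytes = BLOCK * data_disks
    padded = data.ljust(-(-len(data) // stripe_bytes) * stripe_bytes, b"\0")
    n = data_disks + 1
    disks: List[List[bytes]] = [[] for _ in range(n)]
    for s in range(len(padded) // stripe_bytes):
        base = s * stripe_bytes
        blocks = [padded[base + i * BLOCK: base + (i + 1) * BLOCK] for i in range(data_disks)]
        p = parity_index(s, n, rotate)
        stripe = blocks[:p] + [xor_parity(blocks)] + blocks[p:]
        for d in range(n):
            disks[d].append(stripe[d])
    return disks


def raid5_read(disks: List[List[bytes]], length: int, rotate: bool = True) -> bytes:
    """Reassemble the data by skipping each stripe's parity block."""
    n = len(disks)
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_index(s, n, rotate)
        out += b"".join(disks[d][s] for d in range(n) if d != p)
    return bytes(out[:length])


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Rebuild a failed disk (marked None) from the survivors: in every stripe the
    missing block, data or parity alike, is the XOR of all the other blocks.
    A second failed disk cannot be rebuilt; RAID-6 adds a second, independent
    parity block for that case (not shown here)."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("more than one failed disk: single parity cannot rebuild")
    return [xor_parity([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def demo() -> bool:
    """Constructed run: 3 data disks + 1 parity, lose disk 2, rebuild it bit-exact."""
    data = b"CISA summary: RAID parity demo!!"
    disks = raid5_layout(data, data_disks=3)
    original = disks[2]
    disks[2] = None                     # simulated disk failure
    disks[2] = rebuild_disk(disks, 2)   # rebuild onto a replacement disk
    return disks[2] == original and raid5_read(disks, len(data)) == data


if __name__ == "__main__":
    print("rebuild succeeded:", demo())
```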

Plans
  o Evacuation procedures
  o Disaster declaration procedures
    - Core team
    - Declaration criteria
    - Pulling the trigger: any single core member
    - Next steps: the declaration will trigger other response procedures
    - False alarms
  o Responsibilities: injured, caring for family members, transportation unavailable, out of the area, communications, fear
  o Emergency response: evacuation, first aid, firefighting
  o Command and control (emergency management)
  o Scribe: document the important events during disaster response operations
  o Internal communications
  o External communications
  o Legal and compliance
  o Damage assessment
  o Salvage
  o Physical security
  o Supplies
  o Transportation
  o Network
  o Network services
  o Systems
  o Databases
  o Data and records
  o Applications
  o Access management
  o Information security
  o Off-site storage
  o User hardware
  o Training
  o Relocation
  o Contract information
  o Recovery procedures: should go hand in hand with the technologies that may have been added to IT systems to make them more resilient
  o Continuing operations
  o Restoration procedures
  o Considerations
    - Availability of personnel
    - Emergency supplies
    - Communications: identifying critical personnel, suppliers, customers, and other parties; call trees; wallet cards
    - Transportation
  o Documentation
    - Supporting project documents
    - Analysis documents: BIA, RTO, RPO, criticality analysis
    - Response documents: business recovery plan, occupant emergency plan (OEP), emergency communications plan, contact lists, DR plan, continuity of operations plan (COOP), security incident response plan (SIRT)
    - Test and review documents

Testing Recovery Plans
  o Test preparation: schedule, facilities, scripting, participants, recordkeeping, contingency plan
  o Document review
  o Walkthrough
  o Simulation
  o Parallel test
  o Cutover test
  o Documenting results
  o Improving recovery and continuity plans
Training Personnel: document review, participation in walkthroughs, participation in simulations, participation in parallel and cutover tests
  o Hard copy of plan
  o Soft copy of plan
  o Online access
  o Wallet cards
Maintaining Recovery and Continuity Plans
Auditing Business Continuity and Disaster Recovery: an audit of an organization's BC program is a top-down analysis of key business objectives and a review of documentation and interviews to determine whether the BC strategy and program details support those key business objectives.
  o Reviewing business continuity and disaster recovery plans
  o Reviewing prior test results and action plans
  o Evaluating off-site storage
  o Evaluating alternate processing facilities
  o Interviewing key personnel
  o Reviewing service provider contracts
  o Reviewing insurance coverage