CISA summary
Version 1.0
This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the condition that you give credit to the original author.
2010 Christian Reina, CISSP.
Domain 1: IT Governance
Policy
Priorities
Standards
Vendor Management
Program/Project Management
IT Strategy Committee: Advise board of directors on strategies.
Balanced Scorecard: Measure performance and effectiveness.
  o User: Satisfaction
Risk Management: Seek, identify, and manage risk.
  o Accept
  o Mitigate
  o Transfer
  o Avoid
Risk Management Program
Scope
Resources:
IT Management Practices
Personnel Management
  a. Hiring: Background check, Employee Policy Manual, Job Description
  b. Employee Development: Training, Performance evaluation, Career path
  c. Mandatory vacations: Audit, cross training, reduced risk
  d. Termination
  e. Transfers and reassignments
Sourcing
  a. Insource
  b. Outsource: risks, SLA, policy, governance (service level agreements, change management, security, quality, audits), SaaS
Change Management
  a. Request
  b. Review
  c. Approve
  d. Perform change
  e. Verify change
Financial Management
  a. Develop
  b. Purchase
  c. Rent
Quality Management
  a. Software development
  b. Software acquisition
  c. Service desk
  d. IT operations
  e. Security
  f. Standards:
     i. ISO 9000: Superseded by ISO 9001:2008 Quality Management System
     ii. ISO 20000: IT Service Management for organizations adopting ITIL
     iii. ITIL
        1. Service Delivery
        2. Control Processes
        3. Release Processes
        4. Relationship Processes
        5. Resolution Processes
Security Management
  a. Security Governance
  b. Risk Assessment
  c. Incident Management
  d. Vulnerability Management
  e. Access and Identity management
  f. Compliance management
  g. BCP
Performance Management
  a. COBIT
  b. SEI CMMI
Auditing IT Governance
Reviewing Outsourcing
a. Distance
b. Lack of audit contract terms
c. Lack of cooperation
Domain 2: The Audit Process
AUDIT MANAGEMENT
Canadian Regulations:
Audit Standards
Audit Guidelines
Code of Ethics:
PERFORMING AN AUDIT
RISK ANALYSIS
INTERNAL CONTROLS
Audit Procedures
Control Classification
  o Types: Technical, Administrative, Physical
  o Classes: Preventative, Detective, Deterrent, Corrective, Compensating, Recovery
  o Categories: Manual, Automatic
Internal Control Objectives: Statements of desired outcomes from business operations, e.g. protection of IT assets, availability of IT systems
  o IS Control Objectives: Protection of information from unauthorized personnel, integrity of operating systems
General Computing Controls: GCCs are controls that apply across all applications and services, e.g. passwords are encrypted, strong passwords
IS Controls: Each GCC is mapped to a specific IS control on each system type.
Formal Planning:
  o Purpose
  o Scope
  o Risk Analysis
  o Audit procedures
  o Resources
  o Schedule
Types
  o Operational
  o Financial
  o IS audit
  o Administrative
  o Compliance
  o Forensic
  o Service provider
  o Pre-audit
Compliance vs. Substantive Testing
  o Compliance: Determine if control procedures have been properly designed and implemented and are operating properly.
  o Substantive: Determine accuracy and integrity of transactions that flow through processes and information systems
Audit Methodology
  o Audit Subject
  o Audit Objective
  o Audit type
  o Audit Scope
  o Pre-Audit planning
  o Audit SoW
  o Audit Procedures
  o Communication plan
  o Report preparation
  o Wrap-up
  o Post-audit Follow-up
Audit Evidence
  o Independence of the evidence provider
  o Qualifications of the evidence provider
  o Objectivity
  o Timing
Gathering Evidence
  o Org Chart
  o Review dept and project charters
  o Review 3rd party contracts
  o Review IS policies and procedures
  o Review IS Standards
  o Review IS documentation
  o Personnel Interviews
  o Passive observation
Observing Personnel
  o Real tasks
  o Skills and experience
  o Security awareness
  o Segregation of Duties
Sampling
  o Statistical: Reflects the entire population
  o Judgmental: Subjectively selects samples based on established criteria
  o Attribute: Samples are examined and a specific attribute is chosen
  o Variable: Determine the characteristic of a given population to determine total value
  o Stop-or-go: Sampling can stop at the earliest possible time due to low risk and rate of exceptions
  o Discovery: Trying to find at least one exception in a population
  o Stratified: Create different classes and review one attribute common to all classes
Computer-Assisted Audit: CAATs help examine and evaluate data across complex environments
Reporting Audit Results
  o Cover letter
  o Intro
  o Summary
  o Description
  o Listing of systems and processes examined
  o Listing of interviewees
  o Listing of evidence obtained
  o Explanation of sampling technique
  o Description of findings and recommendations
Audit Risk
  o Control risk: error not detected by an internal control
  o Detection risk: IS auditor will overlook errors
  o Inherent risk: Inherent risks exist independent of the audit.
  o Overall audit risk: summation of all of the residual risks
  o Sampling risk: sampling technique will not detect
Materiality: A monetary threshold in financial audits
CONTROL SELF-ASSESSMENT
Methodology used by an organization to review key business objectives and the key controls designed to manage those risks.
Advantages
  o Risks detected earlier
  o Improvement of internal controls
  o Ownership of controls
  o Improved employee awareness
  o Improved relationship between departments and auditors
Disadvantages
  o Mistaken as a substitute for internal audit
  o May be considered extra work
  o May be considered an attempt by an auditor to shrug off responsibilities
  o Lack of employee involvement yields no results
Life Cycle
  o Identify and assess risks
  o Identify and assess controls
  o Develop questionnaire or workshop
  o Analyze completed questionnaire
  o Control remediation
  o Awareness training
Domain 3: IT Life Cycle Management
Starting a Program:
  o Program charter
  o Identification of available resources
Running a Program:
  o Monitoring project schedules
  o Managing project budgets
  o Managing resources
  o Identifying and managing conflicts
  o Creating status reports
Project Portfolio Management
  o Executive sponsor
  o Program manager
  o Project manager
  o Start and end dates
  o Names of participants
  o Objectives or goals that the project supports
  o Budget
  o Resources
  o Dependencies
Business Case development
  o Business problem
  o Feasibility study results
  o High-level project plan
  o Budget
  o Metrics
  o Risks
PROJECT MANAGEMENT
Organizing Projects
Managing Projects
  o Managing the project schedule
  o Recording task completion
  o Running project meetings
  o Tracking project expenditures
  o Communicating project status
Project Roles and Responsibilities
  o Senior management: support the approval of the project
  o IT steering committee: Commission the feasibility study, approve project
  o Project manager
  o Project team members
  o End-user management: Assign staff to the project team. Support development of cases
  o End users
  o Project sponsor: define project objectives, provide budget
  o Systems development management
  o System developers
  o Security manager
  o IT Operations
Project Planning
  o Task identification
  o Task estimation
  o Task resources
  o Task dependencies
  o Milestone tracking
  o Task tracking
  o Estimating and sizing software projects
  o Gantt Chart
Project plans
Project changes
Resource consumption
Task information
Project Documentation: Helps users, support staff, IT operations, developers, and auditors
Project Change Management: The procedures for making changes to the project should be done in two basic steps:
Project debrief
Management review
Training
Processes:
  o Inputs
  o Techniques
  o Outputs
Process groups
  o Initiating
  o Planning
  o Executing
  o Controlling and monitoring
  o Closing
Projects IN Controlled Environments (PRINCE2): Project management framework
Planning (PL)
Team
Users
Stakeholders
Managers
Authentication
Authorization
Access control
Encryption
Data validation
Audit logging
Requirements
Product roadmap
Experience
Vision
References
Questions for clients:
  o Satisfaction with installation
  o Satisfaction with migration
Contract negotiation
Developing in a software acquisition setting:
Customizations
Interfaces of other systems
Authentication
Reports
Debugging
Correct operations
Input validation
Resource usage
Protection
Control
Version control
Recordkeeping
Testing
Migrate data
  o Training:
     - End users
     - Customers
     - Support staff
     - Trainers
  o Data migration
     - Record counts
     - Batch totals
     - Checksums
  o Cutover
     - Parallel
     - Geographic
     - Module by module
     - Roll-back
  o Rollback Planning
Post Implementation
  o Implementation review
     - System adequacy
     - Security review
     - Issues
     - ROI
  o Software maintenance
Development Risks
  o Application inadequacy
  o Project risk
  o Business inefficiency
  o Market changes
Change request
Change review
Perform change
Emergency changes
Configuration Management
Development
Testing
Implementation
Monitoring
Post-implementation
Benchmarking a Process
Plan
Research
Analyze
Improve
Capability Maturity Models
APPLICATION CONTROLS
Input Controls
Authorization
  o User access controls
  o Workstation identification
  o Approved transactions and batches
  o Source documents
Input validation
  o Type checking
  o Range and value checking
  o Existence
  o Consistency
  o Length
  o Check digits
  o Spelling
  o Unwanted characters
  o Batch controls
Error handling
  o Batch rejection
  o Transaction rejection
  o Request re-input
Processing Controls
Editing
Calculations
  o Run-to-run totals
  o Limit checking
  o Batch totals
  o Manual recalculation
  o Reconciliation
  o Hash values
Data file controls
  o Data file security
  o Error handling
  o Internal and external labeling
  o Data file version
  o Source files
  o Transaction logs
Processing errors
Output Controls
Auditing Development
Auditing Requirements
Auditing Post-Implementation
Auditing Design
Observations
Auditing Applications
Domain 4: IT Service Delivery & Infrastructure
Enhancements
Periodic measurements
Changes in technology
  o Service continuity mgt
  o Availability mgt
     - Resilient architecture
     - Serviceable components
Infrastructure Operations
  o Running scheduled jobs
  o Restarting failed jobs/processes
  o Facilitating backup jobs
  o Monitoring systems/apps/networks
Monitoring
Software Program Library Management: System that is used to store and manage access to an organization's application source and object code
  o Access and authorization controls
  o Program checkout
  o Program check-in
  o Version control
  o Code analysis
Quality Assurance
Security Management
  o Policies, procedures, processes, and standards
  o Risk Assessments
  o Impact analysis
  o Vulnerability management
Computer usage
  o Types: supercomputer, mainframe, midrange, server, desktop, laptop, mobile
  o Uses: app server, web server, file server, db server, print server, test server, thin client, thick client, workstation
Computer architecture
  o CPU: CISC (Complex Instruction Set Computer), RISC (Reduced Instruction Set Computer), Single processor, Multi-processor
  o Bus: PCI, PC Card, MBus, SBus
  o Main Storage
  o Secondary Storage: Program storage, data storage, temporary files, OS, virtual memory
  o Firmware: Flash, EPROM, PROM, ROM, EEPROM
  o I/O and Networking
  o Multi-computer: Blade computers, grid computing, server clusters, virtual servers
Hardware maintenance
Hardware monitoring
NETWORK INFRASTRUCTURE
Access to peripherals
Storage mgt
Process mgt
Resource allocation
Communication
Security
  o OS Virtualization
  o Clustering: using special software
  o Grid Computing: a form of distributed computing
Network Architecture
  o Physical network architecture
  o Logical network architecture
  o Data flow architecture
  o Network standards and services
Types of networks
  o Personal Area Network (PAN): up to 3 meters and used to connect peripherals for use by an individual
  o LAN
  o Campus Area Network (CAN)
  o Metropolitan Area Network (MAN)
  o WAN
Network-based Services: email, print, file storage, remote access, directory, terminal emulation, time sync, network authentication, web security, anti-malware, network management
Network Models
  o OSI: Application, presentation, session, transport, network, data link, physical
  o TCP/IP: Link, internet, transport, application
Network Technologies
  o LAN
     - Ethernet: Broadcast or shared medium, collision avoidance
  o ATM: Synchronous network. Connection-oriented link-layer protocol.
  o Token Ring
  o Universal Serial Bus
  o FDDI: Fiber Distributed Data Interface. Range up to 200 km and capable of 200 Mb/sec
  o WAN
     - MPLS
     - SONET
     - Frame Relay
     - ISDN
     - X.25
  o Wireless
     - Wi-Fi
     - Bluetooth
     - Wireless USB
  o Link layer
     - PPP
  o Internet Layer
     - IP
     - ICMP
     - IGMP
     - IPSec
  o Transport layer
     - TCP
     - UDP
  o Application layer
     - FTP, FTPS, SFTP, SCP, rcp
     - Messaging protocols: SMTP, POP, IMAP, NNTP
     - NFS, RPC
     - Session protocols: TELNET, rlogin, SSH, HTTP, HTTPS
     - Management protocols: SNMP, NTP, DNS, LDAP, X.500
Global Internet: Email, IM, VPN, WWW
Network Management
  o Tools: Protocol analyzers, Sniffers
Networked Applications
  o Client/Server
  o Web-based
Auditing IS Hardware
  o Standards: procurement stds
  o Maintenance: records, service contracts
  o Capacity: systems capacity monitoring
  o Correction procedures
Auditing Lights-Out operations
  o Remote administration procedures
  o Remote monitoring procedures
Auditing Problem Management Operations
  o Problem management policy and processes
  o Problem management records
  o Problem management timelines
  o Problem management reports
  o Problem resolution
  o Problem recurrence
Auditing Monitoring Operations
  o Monitoring plan
  o Problem log
  o Preventative maintenance
  o Management review and action
Auditing Procurement
  o Requirements definition: functional, technical, and security requirements approved by management. Policies, procedures, and records.
  o Feasibility studies
Domain 5: Information Asset Protection
Aspects
  o Executive support
  o Policies and procedures
  o Security Awareness
  o Security monitoring and auditing
  o Incident response
  o Corrective and preventive action.
Roles and responsibilities
  o Executive mgt: support and overall responsibility for asset protection
  o Security steering committee: approval of security policies, risk-related matters.
  o CISO: development and enforcement of policy and asset protection
  o Chief privacy officer
  o Security auditor: monitoring and testing security controls
  o Security administrator
  o Security analyst: implementing security policy by designing and improving security controls and processes
  o Systems analyst: designing application software that includes adequate controls
  o Software developers: coding applications that include controls to prevent application misuse or bypass of controls
  o Managers
  o Asset owners: responsible for protection and integrity of assets
  o Employees
Asset Inventory and Classification
  o Hardware
  o Information
Access Control
  o AC Management: request, review, segregation of duties, transfer, termination
  o Logs
Privacy
  o PII: DL, SSN, Passport, phone, address, DoB, Accounts
3rd Party Management
  o 3rd Party access countermeasures: logs, video, access controls, logical access, audits
  o Legal agreements: liabilities, controls required, nondisclosure, security training, steps for a security breach, steps to be taken to reduce the likelihood of data loss caused by a disaster, right to inspect, compliance, destroy copies of information on request.
HR Security
  o Screening
  o Agreements
  o Job descriptions
  o Transfer and termination
  o Contractors and temps
Computer Crime
  o Roles
     - Target of a crime
     - Instrument of a crime
     - Support of a crime
  o Categories
     - Military
     - Political
     - Terrorist
     - Financial
     - Business
     - Grudge
     - Amusement
  o Perpetrators
     - Hackers
     - Cybercriminals
     - Spies
     - Terrorists
     - Script kiddies
     - Social engineers
     - Employees
     - Former employees
     - Knowledgeable outsiders
Planning
Detection
Initiation
Evaluation
Eradication
Remediation
Closure
Post-Incident Review
  o Testing Incident Response
     - Document review
     - Walkthrough
     - Simulation
  o Incident prevention
     - Vulnerability monitoring
     - Patch management
     - System hardening
     - IDS
Chain of custody:
  o Identification
  o Preservation
  o Analysis
  o Presentation
Models
Threats
  o Malware
  o Eavesdropping
  o Logic bombs
  o Scanning attacks
Vulnerabilities
  o Unpatched systems
  o Default system settings
  o Default passwords
  o Incorrect permission settings
  o Application logic
Points of Entry
  o Exposure to malware
  o Eavesdropping
  o Open access
Identification, Authentication, and Authorization
  o Identification: asserting an identity without providing any proof of it.
  o Authentication: Subject asserts an identity, but some proof of the subject's identity is required
  o Authorization: System determines resource access for the subject
User account provisioning
  o Factors: user location, system limitations, data sensitivity
  o Risks: Finding a password, eavesdropping
Two-Factor authentication: Digital certificates, smart cards, tokens
Something you are: Biometrics such as hand print, fingerprint, palm vein, voice, facial scan, handwriting, iris scan
  o Measurement variances: False reject rate, False accept rate, crossover error rate
Automated tools
Restoration testing
Media inventory
Patch Management
Vulnerability Management
  o Subscribing to security alerts
  o Scanning
  o Patch management
  o Corrective action process
System Hardening: remove services, change functions to unique system function, change default passwords, non-predictable passwords, reduce privileges, eliminate interserver trust
Managing User Access
  o User Access Provisioning: Risk of errors can be devastating for an organization
  o Termination: Some safeguards are needed, like review of terminated employees' actions before and after, periodic reviews, and review of logs
  o Transfers: Risk is privilege creep
  o Password management: provisioning, lockout, forgotten passwords. Password length, complexity, expiration, reuse, rechange
Protecting Mobile Devices: Encryption, strong access control, remote destruct, hardening, logical locking system, physical locking system
Network Security
  o Threats: access by unauthorized persons, spoofing, eavesdropping, malware, DoS, access bypass, MITM
  o Countermeasures: User authentication controls, machine authentication controls, anti-malware, encryption, switched networks, IDS/IPS
Securing Client-Server Applications
  o Access controls: strong authentication
  o Interception of client-server communication: Network encryption
  o Network Failure
  o Change management
  o Disruption of client software updates
  o Stealing data
Securing Wireless Networks
  o Threats and vulnerabilities
     - Eavesdropping
     - Encryption
     - Spoofing
  o Countermeasures
     - Obscure SSID
     - MAC filtering
     - WPA
     - Require VPN
     - Patches
Protecting Internet Communications
  o Threats and vulnerabilities
     - Eavesdropping
     - Targeted attacks
     - Malware
     - DoS
     - Fraud
  o Countermeasures
     - Firewalls
     - IDS
     - Incident management
Plaintext
Ciphertext
Hash function
Message digest
Digital signature
Algorithm
Decryption
Encryption key
Cryptanalysis
Key length
Block cipher
Stream cipher
Symmetric encryption
Asymmetric encryption
Key exchange
Nonrepudiation
Challenges
  o Key exchange: Out of
  o Scalability
Public Key Cryptosystem: Asymmetric cryptosystem
Certificate authority
Email address
Digital certificates
Key protection
Key compromise
Key expiration
Rotation of staff
Key disposal
Encryption applications
  o SSL/TLS
  o S-HTTP
  o S/MIME
  o SSH
  o SET
Voice over IP (VoIP)
  o Threats and vulnerabilities
     - Eavesdropping
     - Spoofing
     - Malware
     - DoS
     - Toll fraud
  o Protecting: IDS, access management, firewalls, hardening, malware controls
Private Branch Exchange (PBX)
  o Threats and vulnerabilities
     - Default passwords on administrator console
     - Dial-in modem
     - Toll fraud
     - Espionage
  o Countermeasures
Viruses
Worms
Trojan horses
Spyware
Rootkits
Bots
Missing patches
Insecure configuration
Faulty architecture
Faulty judgment
Spam
Phishing
DoS
  o Anti-Malware Administrative controls
     - Spam policy
     - No removable media
     - No downloading
     - On workstations
     - On web servers
     - IDS
     - Spam filters
     - Access logging
     - Job rotation
ENVIRONMENTAL CONTROLS
Temperature
Humidity
UPS
Electric generator
Prevention:
  o Cleanliness
  o Electrical equipment maintenance
Suppression:
Classes:
  o A: wood, paper
  o B: liquids and gases
  o C: electrical
  o D: combustible metals
  o K: cooking oils and fats
Security Management
  o Policies, processes, procedures, and standards
  o Records
  o Training
  o Data ownership and management
  o Data custodians
  o Security administrators
  o New and existing employees
Logical Access controls
  o Network access paths
     - IT infrastructure
     - Password vaulting
     - User access provisioning: Access approvals, Access reviews
  o Employee terminations
     - Termination process
     - Timeliness
     - Access reviews
     - Log review
     - Log retention
  o Investigative procedures
     - Computer forensics
  o Internet points of presence
     - Domain names
Network Security Controls
  o Architecture review
     - Diagrams
     - Documents
     - Comparison of documented vs actual
  o Network access controls
     - Firewalls
     - IDS
     - Remote access
     - Dial-up modems
  o Change management
     - Change logs
     - Emergency changes
     - Rolled-back changes
Alert management
Penetration testing
Application scanning
Patch management
Environmental Controls
  o Power conditioning
  o Backup power
  o HVAC
  o Water detection
  o Fire detection and suppression
  o Cleanliness
Physical Controls
  o Siting and Marking
     - Proximity to hazards
  o Physical access controls
     - Physical barriers
     - Surveillance
     - Keycard systems
DISASTERS
Types
  o Utility outage
  o Transportation
  o Staff availability
  o Customer availability
Domain 6: BC & DR
BCP Process
Develop Policy: formal policy included in the overall governance model
Strategies:
  o Site options: Hot, warm, cold, mobile, reciprocal (at another company)
  o Recovery and resilience technologies
     - RAID-0: striped
     - RAID-1: mirror
     - RAID-6: Withstands failure of any two disk drives in the array.
     - Operating system
     - Application
  o Server clusters
  o Network connectivity and services
Plans
  o Evacuation procedures
  o Disaster declaration procedures
     - Core team
     - Declaration criteria
     - False alarms
  o Responsibilities: injured, caring for family members, transportation unavailable, out of the area, communications, fear
Internal Communications
External communications
Damage assessment
Salvage
Physical security
Supplies
Transportation
Network
Network services
Systems
Databases
Applications
Access management
Information security
Off-site storage
User hardware
Training
Relocation
Contract Information
Recovery procedures: should go hand in hand with the technologies that may have been added to IT systems to make them more resilient
Continuing Operations
Restoration procedures
Considerations:
  o Availability of personnel
  o Emergency supplies
  o Transportation
Documentation
Document review
Walkthrough
Simulation
Parallel test
Cutover test
Documenting results
Online access
Wallet cards
Maintaining Recovery and Continuity Plans