
Domain 5

Protection of Information Assets

© Copyright 2016 ISACA. All rights reserved.


Domain 5

Provide assurance that the enterprise's security policies, standards, procedures and controls ensure the confidentiality, integrity and availability (CIA) of information assets.



Domain 5
• The focus of Domain 5 is the need for protecting information assets through the evaluation of design, implementation and monitoring of controls.



Domain Objectives
• The objective of this domain is to ensure that the CISA candidate understands the following:
o Elements of information security management
o Logical entry points into a system
o Identification and authentication practices
o Network infrastructure security
o Importance of OS and software maintenance
o Environmental exposures
o Risks from mobile devices, social media and cloud computing



On the CISA Exam
• Domain 5 represents 25% of the questions on the CISA exam (approximately 38 questions).
• Domain 5 incorporates six tasks related to the protection of information assets.



Domain Tasks
• 5.1 Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.
• 5.2 Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.
• 5.3 Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.



Domain Tasks (cont’d)
• 5.4 Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization's policies, standards, procedures and applicable external requirements.
• 5.5 Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.
• 5.6 Evaluate the information security program to determine its effectiveness and alignment with the organization's strategies and objectives.



Task 5.1

Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.



Key Terms
Privacy: The rights of an individual to trust that others will appropriately and respectfully use, store, share and dispose of his/her associated personal and sensitive information within the context, and according to the purposes, for which it was collected or derived. What is appropriate depends on the associated circumstances, laws and the individual's reasonable expectations. An individual also has the right to reasonably control and be aware of the collection, use and disclosure of his/her associated personal and sensitive information.



Key Terms (cont’d)
Security awareness: The extent to which every member of an enterprise and every other individual who potentially has access to the enterprise's information understand:
• Security and the levels of security appropriate to the enterprise
• The importance of security and consequences of a lack of security
• His/her individual responsibilities regarding security (and act accordingly)
This definition is based on the definition for IT security awareness as defined in Implementation Guide: How to Make Your Organization Aware of IT Security, European Security Forum (ESF), London, 1993.



Task to Knowledge Statements
How does Task 5.1 relate to each of the following
knowledge statements?
K5.1 Knowledge of generally accepted practices and applicable external requirements (e.g., laws, regulations) related to the protection of information assets
Connection: The IS auditor must understand key elements of information security management and the critical success factors for information security management.

K5.2 Knowledge of privacy principles
Connection: The IS auditor must have an understanding of privacy principles and knowledge of privacy laws and regulations. The IS auditor must also understand how compliance is assured.



Task to Knowledge Statements (cont’d)

How does Task 5.1 relate to each of the following knowledge statements?

K5.3 Knowledge of the techniques for the design, implementation, maintenance, monitoring and reporting of security controls
Connection: The IS auditor must understand the different types of controls (preventive, detective and corrective) and when to apply them.

K5.6 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
Connection: Throughout all IS audits, the IS auditor must have a keen understanding of key elements of logical access controls.



Security Objectives
• Security objectives to meet an organization's business requirements should ensure the following:
o Continued availability of information systems and data
o Integrity of the information stored on computer systems and while in transit
o Confidentiality of sensitive data is preserved while stored and in transit
o Conformity to applicable laws, regulations and standards
o Adherence to trust and obligation requirements in relation to any information relating to an identified or identifiable individual (i.e., data subject) in accordance with internal privacy policy or applicable privacy laws and regulations
o Adequate protection for sensitive data while stored and when in transit, based on organizational requirements



Information Security Management

• Information security management is the most critical factor in protecting information assets and privacy.
• Key elements include:
o Senior management leadership, commitment and support
o Policies and procedures
o Organization
o Security awareness and education
o Monitoring and compliance
o Incident handling and response
o Risk management

Source: ISACA, CISA Review Manual 26th Edition, figure 5.2



ISMS
• An information security management system (ISMS) is a framework of policies, procedures, guidelines and associated resources to establish, implement, operate, monitor, review, maintain and improve information security for all types of organizations.



ISMS (cont’d)
• An ISMS is defined in these guidelines and standards:
o ISO/IEC 2700X—Guidance for managing information security in specific industries and situations
o ISO/IEC 27000—Defines the scope and vocabulary and establishes the basis for certification
o ISO/IEC 27001—Formal set of specifications against which organizations may seek independent certification of their information security management system
o ISO/IEC 27002—Structured set of suggested controls to address information security risk



ISM Roles
o Executive management
o Information security steering committee
o Security advisory group
o Chief privacy officer (CPO)
o Chief information security officer (CISO)
o Chief security officer (CSO)
o Process owners
o Information asset owners and data owners
o Users
o External parties
o Information security administrator
o Security specialist/advisors
o IT developers
o IS auditors

Source: ISACA, CISA Review Manual 26th Edition, figure 5.3



Privacy
• Privacy means freedom from unauthorized intrusion or disclosure of information about an individual (also referred to as a "data subject").
• Management should perform a privacy impact analysis.



Privacy (cont’d)
• The IS auditor may be asked to support or perform this assessment, which should:
o Pinpoint the nature of personally identifiable information associated with business processes.
o Document the collection, use, disclosure and destruction of personally identifiable information.
o Ensure that accountability for privacy issues exists.
o Identify legislative, regulatory and contractual requirements for privacy.
o Be the foundation for informed policy, operations and system design decisions based on an understanding of privacy risk and the options available for mitigating that risk.



Human Resources Security
• Security roles and responsibilities of employees, contractors and third-party users should be defined and documented in accordance with the organization's information security policy.



Human Resources Security (cont’d)

• Human resources-related security practices include the following:
o Security responsibilities should be addressed prior to employment in adequate job descriptions, and in terms and conditions of employment.
o All candidates for employment, contractors and third-party users should be adequately screened, especially for sensitive jobs.
o Employees, contractors and third-party users of information processing facilities should sign an agreement on their security roles and responsibilities, including the need to maintain confidentiality.
o When an employee, contractor or third-party user exits the organization, procedures should be in place to remove access rights and return all equipment.



Third Party Access
• Third party access to an organization's information processing facilities and processing and communication of information must be controlled.
• These controls must be agreed to and defined in a contract with the third party.



Third Party Access (cont’d)
• Some recommended contract terms include:
o Compliance with the organization's information security policy
o A clear reporting structure and agreed reporting formats
o A clear and specified process for change management
o An access control policy
o Arrangements for reporting, notifying and investigating information security incidents and security breaches
o Service continuity requirements
o The right to monitor and revoke any activity related to the organization's assets

Source: ISACA, CISA Review Manual 26th Edition, Figure 5.10



Security Controls
• An effective control is one that prevents, detects, and/or contains an incident and enables recovery from an event.
• Controls can be:

Proactive
• Safeguards
• Controls that attempt to prevent an incident

Reactive
• Countermeasures
• Controls that allow the detection, containment and recovery from an incident



Security Awareness Training
• An active security awareness program can greatly reduce risk by addressing the behavioral element of security through education and consistent application of awareness techniques.
• All employees of an organization and third-party users must receive appropriate training and regular updates on the importance of security policies, standards and procedures in the organization.
• In addition, all personnel must be trained in their specific responsibilities related to information security.



Control Methods
Managerial: Controls related to the oversight, reporting, procedures and operations of a process. These include policy, procedures, balancing, employee development and compliance reporting.

Technical: Controls, also known as logical controls, that are provided through the use of technology, a piece of equipment or a device. Examples include firewalls, network or host-based intrusion detection systems (IDSs), passwords and antivirus software. A technical control requires proper managerial (administrative) controls to operate correctly.

Physical: Controls such as locks, fences, closed-circuit TV (CCTV) and devices that are installed to physically restrict access to a facility or hardware. Physical controls require maintenance, monitoring and the ability to assess and react to an alert should a problem be indicated.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.5



Control Monitoring
• To ensure controls are effective and properly monitored, the IS auditor should:
o Validate that processes, logs and audit hooks have been placed into the control framework.
o Ensure that logs are enabled, controls can be tested and regular reporting procedures are developed.
o Ensure that control monitoring is built into the control design.



System Access Permission
• System access permission generally refers to a technical privilege, such as the ability to read, create, modify or delete a file or data; execute a program; or open or use an external connection.
• System access to computerized information resources is established, managed and controlled at the physical and/or logical level.

Physical access controls: Restrict the entry and exit of personnel to an area, such as an office building, suite, data center or room, containing information processing equipment.

Logical access controls: Restrict the logical resources of the system (transactions, data, programs, applications) and are applied when the subject resource is needed.



System Access Reviews
• Roles should be assigned by the information owner or manager.
• Access authorizations should be regularly reviewed to ensure they are still valid.
• The IS auditor should evaluate the following criteria for defining permissions and granting access:
o Need-to-know
o Accountability
o Traceability
o Least privilege
o SoD



In the Big Picture

Task 5.1: Evaluate the information security and privacy policies, standards and procedures for completeness, alignment with generally accepted practices and compliance with applicable external requirements.

The Big Picture: The foundation of information security is based on well-aligned security management policies and procedures.



Task 5.1 Activity
• During your ERP upgrade audit, you identify the following findings:
1. Logical access controls to the administrative application server accounts consist of non-complex single-factor authentication, with a required password length of six characters and passwords changed every 360 days.
2. There was no policy in place for Classification of Information Assets.
• What is the purpose of assigning classes or levels of sensitivity and criticality to information resources and establishing specific security rules for each class?



Discussion Question
An information security policy stating that “the display of
passwords must be masked or suppressed” addresses
which of the following attack methods?
A. Piggybacking
B. Dumpster diving
C. Shoulder surfing
D. Impersonation



Discussion Question
With the help of a security officer, granting access to data is
the responsibility of:
A. data owners.
B. programmers.
C. system analysts.
D. librarians.



Task 5.2

Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.



Key Terms
Environmental exposures: Environmental exposures are due primarily to naturally occurring events such as lightning storms, earthquakes, volcanic eruptions, hurricanes, tornados and other types of extreme weather conditions.



Task to Knowledge Statements
How does Task 5.2 relate to each of the following
knowledge statements?
K5.4 Knowledge of physical and environmental controls and supporting practices related to the protection of information assets
Connection: The IS auditor needs to understand the common types of environmental controls and good practices for their deployment and periodic testing.

K5.5 Knowledge of physical access controls for the identification, authentication and restriction of users to authorized facilities and hardware
Connection: The IS auditor must understand physical access controls and their potential for circumvention.



Task to Knowledge Statements (cont’d)

How does Task 5.2 relate to each of the following knowledge statements?

K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
Connection: Key to an IS auditor's understanding of physical security effectiveness is the methodology used to test the physical security controls.



Physical Access Issues
• Physical access exposures may originate from natural and man-made hazards, and can result in unauthorized access and interruptions in information availability.
• Exposures include:
o Unauthorized entry
o Damage, vandalism or theft to equipment or documents
o Copying or viewing of sensitive or copyrighted information
o Alteration of sensitive equipment and information
o Public disclosure of sensitive information
o Abuse of data processing resources
o Blackmail
o Embezzlement



Physical Access Controls

o Door locks (cipher, biometric, bolted, electronic)
o Manual or electronic logging
o Identification badges
o CCTV
o Security guards
o Controlled visitor access
o Computer workstation locks
o Controlled single entry point
o Deadman doors
o Alarm system



Physical Access Audit
• The IS auditor should begin with a tour of the site and then test physical safeguards.
• Physical tests can be completed through visual observations and review of documents such as fire system tests, inspection tags and key lock logs.



Physical Access Audit (cont’d)
• The test should include all paths of physical entry, as well as the following locations:
o Computer and printer rooms
o UPS/generator
o Operator consoles
o Computer storage rooms
o Communication equipment
o Offsite backup storage facility
o Media storage



Environmental Exposures
• Environmental exposures are due primarily to naturally occurring events.
• Common environmental exposures include:

Power failure
• Total failure (blackout)
• Severely reduced voltage (brownout)
• Sags, spikes and surges
• Electromagnetic interference (EMI)

Water damage/flooding

Manmade concerns
• Terrorist threats/attacks
• Vandalism
• Equipment failure



Environmental Controls
• Environmental exposures should be afforded the same level of protection as other types of exposures. Possible controls include:
o Alarm control panels
o Water detectors
o Fire extinguishers
o Fire alarms and smoke detectors
o Fire suppression systems
o Strategically located computer rooms
o Fireproof and fire-resistant building and office materials
o Electrical surge protectors
o Power leads from two substations
o Uninterruptible power supply/generator
o Emergency power-off switch
o Documented and tested BCPs and emergency evacuation plans



Environmental Control Audit
• The IS auditor should first establish the environmental risk by assessing the location of the data center.
• In addition, the IS auditor should verify that the following safeguards are in place:
o Water and smoke detectors
o Strategic and visible location of handheld fire extinguishers
o Fire suppression system documentation and inspection by fire department
o UPS/generator test reports
o Electrical surge protectors
o Documentation of fireproof building materials, use of redundant power lines and wiring located in fire-resistant panels
o Documented and tested emergency evacuation plans and BCPs
o Humidity and temperature controls



In the Big Picture

Task 5.2: Evaluate the design, implementation, maintenance, monitoring and reporting of physical and environmental controls to determine whether information assets are adequately safeguarded.

The Big Picture: Physical security environmental controls are the first line of defense in protecting assets from loss.



Task 5.2 Activity
• The director of facility operations has asked the IS audit team to perform a gap analysis of the current policies and procedures at the headquarters building that also houses the primary data center. You find that policies and procedures are currently focused on operations and maintenance contracting activities.
• What is an example of an environmental exposure that controls should be in place to mitigate?
• What would be a means to perform penetration testing of physical controls?



Discussion Question
Which of the following environmental controls is
appropriate to protect computer equipment against
short-term reductions in electrical power?
A. Power line conditioners
B. Surge protective devices
C. Alternative power supplies
D. Interruptible power supplies



Discussion Question
An IS auditor is reviewing the physical security measures of an
organization. Regarding the access card system, the IS auditor
should be MOST concerned that:
A. nonpersonalized access cards are given to the cleaning
staff, who use a sign-in sheet but show no proof of
identity.
B. access cards are not labeled with the organization’s name
and address to facilitate easy return of a lost card.
C. card issuance and rights administration for the cards are
done by different departments, causing unnecessary lead
time for new cards.
D. the computer system used for programming the cards can
only be replaced after three weeks in the event of a
system failure.



Task 5.3

Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.



Key Terms
Access control: The processes, rules and deployment mechanisms that control access to information systems, resources and physical access to premises.

Access control list (ACL): An internal computerized table of access rules regarding the levels of computer access permitted to logon IDs and computer terminals. Also referred to as access control tables.

Access path: The logical route an end user takes to access computerized information. Typically, it includes a route through the operating system, telecommunications software, selected application software and the access control system.



Key Terms (cont’d)
Digital signature: A piece of information, a digitized form of a signature, that provides sender authenticity, message integrity and nonrepudiation. A digital signature is generated using the sender's private key or applying a one-way hash function.

Encryption: The process of taking an unencrypted message (plaintext), applying a mathematical function to it (encryption algorithm with a key) and producing an encrypted message (ciphertext).
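The two definitions above are easier to audit when seen together in working code. The following Python is an added example, not code from ISACA or the CISA Review Manual: textbook RSA built from two fixed Mersenne primes (a constructed assumption so the run is deterministic) shows how a signature is produced by hashing the message with a one-way function and applying the sender's private key, how verification with the public key fails when the message changes, and how the same key pair turns plaintext into ciphertext and back.

```python
import hashlib

# Constructed key material (assumption for this example only): two Mersenne primes.
# Real deployments generate random primes and use a padded scheme such as RSA-PSS.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: modular inverse of E (Python 3.8+)

PUBLIC_KEY = (N, E)    # published: anyone can verify signatures or encrypt to the owner
PRIVATE_KEY = (N, D)   # secret: only the owner can sign or decrypt


def encrypt(public_key, plaintext: bytes) -> int:
    """Encryption term: plaintext -> ciphertext via the recipient's public key."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("message too long for this key size")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """The recipient reverses the transformation with the private key."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def sign(private_key, message: bytes) -> int:
    """Digital signature term: apply the one-way hash (SHA-256) to the message,
    then apply the sender's private key to the digest.  Only the private-key
    holder can produce this value, which is what gives nonrepudiation."""
    n, d = private_key
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(digest, d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Anyone holding the public key recomputes the digest and compares it with
    the signature raised to the public exponent.  A changed message (integrity)
    or a signature made with another private key (authenticity) returns False."""
    n, e = public_key
    expected = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(signature, e, n) == expected


def demo() -> dict:
    """Run the checks an auditor would expect each property to pass or fail."""
    msg = b"Approve wire transfer 4711"       # constructed sample message
    tampered = b"Approve wire transfer 4712"  # one character altered in transit
    sig = sign(PRIVATE_KEY, msg)
    ct = encrypt(PUBLIC_KEY, msg)
    return {
        "genuine_message_verifies": verify(PUBLIC_KEY, msg, sig),
        "tampered_message_verifies": verify(PUBLIC_KEY, tampered, sig),
        "ciphertext_differs_from_plaintext": ct != int.from_bytes(msg, "big"),
        "decrypts_back_to_plaintext": decrypt(PRIVATE_KEY, ct) == msg,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```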



Key Terms (cont’d)
Local area network (LAN): Communication network that serves several users within a specified geographical area. A personal computer LAN functions as a distributed processing system in which each computer in the network does its own processing and manages some of its data. Shared data are stored in a file server that acts as a remote disk drive for all users in the network.

Logical access controls: The policies, procedures, organizational structure and electronic access controls designed to restrict access to computer software and data files.

Network: A system of interconnected computers and the communications equipment used to connect them.



Task to Knowledge Statements
How does Task 5.3 relate to each of the following
knowledge statements?
K5.6 Knowledge of logical access controls for the identification, authentication and restriction of users to authorized functions and data
Connection: The IS auditor needs to understand logical access controls as they apply to systems that may reside on multiple operating system platforms and involve more than one application system or authentication point.

K5.7 Knowledge of the security controls related to hardware, system software (e.g., applications, operating systems) and database management systems
Connection: The IS auditor needs to understand best practices as they apply to identification and authentication.



Task to Knowledge Statements (cont’d)

How does Task 5.3 relate to each of the following knowledge statements?

K5.8 Knowledge of risk and controls associated with virtualization of systems
Connection: The IS auditor needs to understand the advantages and disadvantages of virtualization and determine whether the enterprise has considered the applicable risk in its decision to adopt, implement and maintain this technology.



Task to Knowledge Statements (cont’d)

How does Task 5.3 relate to each of the following knowledge statements?

K5.9 Knowledge of risk and controls associated with the use of mobile and wireless devices, including personally owned devices (bring your own device [BYOD])
Connection: Policies and procedures and additional protection mechanisms must be put into place to ensure that data are protected to a greater extent on portable devices, because such devices will most likely operate in environments in which physical controls are lacking or nonexistent.



Task to Knowledge Statements (cont’d)

How does Task 5.3 relate to each of the following knowledge statements?

K5.10 Knowledge of voice communications security (e.g., PBX, Voice-over Internet Protocol [VoIP])
Connection: The increasing complexity and convergence of voice and data communications introduces additional risk that must be taken into account by the IS auditor.

K5.11 Knowledge of network and Internet security devices, protocols and techniques
Connection: The IS auditor needs to understand best practices for the implementation of encryption and the use and application of security devices and methods for securing data.



Task to Knowledge Statements (cont’d)

How does Task 5.3 relate to each of the following knowledge statements?

K5.12 Knowledge of the configuration, implementation, operation and maintenance of network security controls
Connection: Firewalls and intrusion detection systems (IDSs) provide protection and critical alert information at borders between trusted and untrusted networks. The proper implementation and maintenance of firewalls and IDSs are critical to a successful, in-depth security program.



Task to Knowledge Statements (cont’d)

How does Task 5.3 relate to each of the following knowledge statements?

K5.13 Knowledge of encryption-related techniques and their uses
Connection: Fundamentals of encryption techniques and the relative advantages and disadvantages of each must be taken into account by the IS auditor.

K5.14 Knowledge of public key infrastructure (PKI) components and digital signature techniques
Connection: The IS auditor needs to understand the relationships between types of encryption (symmetric and asymmetric) and their respective algorithms (e.g., DES3, RSA) and the basic concepts and components of PKI in terms of business.



Task to Knowledge Statements (cont’d)

How does Task 5.3 relate to each of the following knowledge statements?

K5.18 Knowledge of risk and controls associated with data leakage
Connection: Understanding how data leakage can occur and the methods for limiting data leakage—from job postings that list the specific software and network devices with which applicants should have experience to system administrators posting questions on technical web sites



Task to Knowledge Statements (cont’d)

How does Task 5.3 relate to each of the following knowledge statements?

K5.19 Knowledge of security risk and controls related to end-user computing
Connection: The IS auditor should understand that these tools can be used to create key applications that are relied upon by the organization but not controlled by the IT department.

K5.21 Knowledge of information system attack methods and techniques
Connection: Understanding the methods, techniques and exploits used to compromise an environment provides the IS auditor with a more complete context for understanding the risk that an enterprise faces.



Task to Knowledge Statements (cont’d)

How does Task 5.3 relate to each of the following knowledge statements?

K5.22 Knowledge of prevention and detection tools and control techniques
Connection: The IS auditor needs to understand the threats posed by malicious code and the good practices for mitigating these threats.

K5.23 Knowledge of security testing techniques (e.g., penetration testing, vulnerability scanning)
Connection: The IS auditor must have knowledge of how assessment tools can be used to identify vulnerabilities within the network infrastructure so that corrective actions can be taken to remediate risk.



Task to Knowledge Statements (cont’d)

How does Task 5.3 relate to each of the following knowledge statements?

K5.26 Knowledge of fraud risk factors related to the protection of information assets
Connection: The IS auditor should be aware that the risk of fraud is increased where there is a perceived opportunity.



Logical Access
• Logical access is the ability to interact with computer resources, granted using identification, authentication and authorization.
• Logical access controls are the primary means used to manage and protect information assets.
• IS auditors should be able to analyze and evaluate the effectiveness of a logical access control in accomplishing information security objectives and avoiding losses resulting from exposures.



Logical Access (cont’d)
• For IS auditors to effectively assess logical access controls, they first need to gain a technical and organizational understanding of the organization's IT environment, including the following security layers:
o Network
o OS platform
o Database
o Application



Paths of Logical Access
 Access or points of entry to an organization’s IS
infrastructure can be gained through the following paths:
o Direct
o Local network
o Remote
 General points of entry to either front-end or back-end
systems occur through network connectivity or remote
access.



Paths of Logical Access (cont’d)
 Any point of entry not appropriately controlled can
potentially compromise the security of an organization’s
sensitive and critical information resources.
 The IS auditor should determine whether all points of
entry are identified and managed.



Logical Access Exposures
 Technical exposures are unauthorized activities that
interfere with normal processing.
 They include:
o Data leakage—Involves siphoning or leaking
information out of the computer
o Wiretapping—Involves eavesdropping on information
being transmitted over telecommunications lines
o Computer shutdown—Initiated through terminals or
personal computers connected directly (online) or
remotely (via the Internet) to the computer



Access Control Software
 Access control software is used to prevent unauthorized
access to, and modification of, an organization’s sensitive
data and unauthorized use of system-critical functions.
 Access controls must be applied across all layers of an
organization’s IS architecture, including networks,
platforms or OSs, databases and application systems.
 Each access control usually includes:
o Identification and authentication
o Access authorization
o Verification of specific information resources
o Logging and reporting of user activities



Access Control Software Functions

General operating and/or application systems access control functions:
• Create or change user profiles.
• Assign user identification and authentication.
• Apply user logon limitation rules.
• Notification concerning proper use and access prior to initial login.
• Create individual accountability and auditability by logging user activities.
• Establish rules for access to specific information resources (e.g., system-level application resources and data).
• Log events.
• Report capabilities.

Database and/or application-level access control functions:
• Create or change data files and database profiles.
• Verify user authorization at the application and transaction level.
• Verify user authorization within the application.
• Verify user authorization at the field level for changes within a database.
• Verify subsystem authorization for the user at the file level.
• Log database/data communications access activities for monitoring access violations.



Access Control Types

Mandatory access controls (MACs):
• Logical access control filters used to validate access credentials
• Cannot be controlled or modified by normal users or data owners
• Act by default
• Prohibitive; anything that is not expressly permitted is forbidden

Discretionary access controls (DACs):
• Logical access controls that may be configured or modified by the users or data owners
• Cannot override MACs
• Act as an additional filter, prohibiting still more access with the same exclusionary principle
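To make the "DAC cannot override MAC" rule concrete, the following Python model is added as an illustration; it is not from the ISACA material. The sensitivity levels, users, file and ACL entries are constructed, and the mandatory rule is a simplified "no read up" comparison of clearance against classification.

```python
from dataclasses import dataclass, field

# MAC: the organization's sensitivity lattice. Ordinary users and data owners
# cannot change these labels or the comparison rule (constructed levels).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str


@dataclass
class Resource:
    name: str
    classification: str                      # MAC label, set by the organization
    owner: str
    acl: dict = field(default_factory=dict)  # DAC list: user -> set of operations


def mac_permits(subject, resource):
    """Mandatory filter (simplified 'no read up'): the subject's clearance must
    dominate the resource's label. Anything not expressly permitted by this
    comparison is forbidden."""
    return LEVELS[subject.clearance] >= LEVELS[resource.classification]


def dac_permits(subject, resource, op):
    """Discretionary filter: the owner-maintained ACL must list the operation."""
    return op in resource.acl.get(subject.name, set())


def grant(resource, requester, user, ops):
    """Only the owner may edit the DAC entry, and the owner can only add or
    remove ACL entries; the MAC label is not theirs to change."""
    if requester != resource.owner:
        raise PermissionError(f"{requester} is not the owner of {resource.name}")
    resource.acl.setdefault(user, set()).update(ops)


def check_access(subject, resource, op):
    """MAC is evaluated first and can never be overridden; DAC is an
    additional filter that can only narrow what MAC already allows."""
    return mac_permits(subject, resource) and dac_permits(subject, resource, op)


def demo():
    """Constructed scenario: a confidential payroll file owned by alice."""
    payroll = Resource("payroll.xlsx", "confidential", owner="alice")
    alice = Subject("alice", "confidential")
    bob = Subject("bob", "internal")         # cleared below the file's label
    carol = Subject("carol", "secret")       # cleared, but not on the ACL
    dave = Subject("dave", "confidential")   # cleared and on the ACL

    grant(payroll, "alice", "alice", {"read", "write"})
    grant(payroll, "alice", "bob", {"read"})  # DAC grant that MAC will veto
    grant(payroll, "alice", "dave", {"read"})

    try:
        grant(payroll, "bob", "bob", {"write"})   # non-owner cannot edit DAC
        non_owner_grant_blocked = False
    except PermissionError:
        non_owner_grant_blocked = True

    return {
        "owner_read": check_access(alice, payroll, "read"),
        "bob_read_denied_by_mac": check_access(bob, payroll, "read"),
        "carol_read_denied_by_dac": check_access(carol, payroll, "read"),
        "dave_read": check_access(dave, payroll, "read"),
        "dave_write": check_access(dave, payroll, "write"),
        "non_owner_grant_blocked": non_owner_grant_blocked,
    }
```

An auditor reviewing such a design would confirm that the label assignment and the comparison rule live outside any path a data owner can reach, since the DAC layer is only ever allowed to remove access.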



Network Infrastructure Security
 The IS auditor should be familiar with risk and exposures related
to network infrastructure.
 Network control functions should:
o Be performed by trained professionals, and duties should be
rotated on a regular basis.
o Maintain an audit trail of all operator activities.
o Restrict operator access from performing certain functions.
o Periodically review audit trails to detect unauthorized
activities.
o Document standards and protocols.
o Analyze workload balance, response time and system
efficiency.
o Encrypt data, where appropriate, to protect messages from
disclosure during transmission.



LAN Security
 To gain a full understanding of the LAN, the IS auditor
should identify and document the following:
o Users or groups with privileged access rights
o LAN topology and network design
o LAN administrator/LAN owner
o Functions performed by the LAN administrator/owner
o Distinct groups of LAN users
o Computer applications used on the LAN
o Procedures and standards relating to network design,
support, naming conventions and data security



Virtualization
 IS auditors need to understand the advantages and
disadvantages of virtualization to determine whether the
enterprise has considered the applicable risk in its decision to
adopt, implement and maintain this technology.
 Some common advantages and disadvantages include:

Advantages:
• Decreased server hardware costs.
• Shared processing capacity and storage space.
• Decreased physical footprint.
• Multiple versions of the same OS.

Disadvantages:
• Inadequate host configuration could create vulnerabilities that affect not only the host, but also the guests.
• Data could leak between guests.
• Insecure protocols for remote access could result in exposure of administrative credentials.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.14



Client-Server Security
 A client-server environment is a group of computers
connected by a communications network in which the
client is the requesting machine and the server is the
supplying machine.
 Several access routes exist in a client-server
environment.



Client-Server Security (cont’d)
 The IS auditor should ensure that:
o Application controls cannot be bypassed.
o Passwords are always encrypted.
o Access to configuration or initialization files is kept to
a minimum.
o Access to configuration or initialization files is
audited.



Wireless Security
 Wireless security requirements include the following:
o Authenticity—A third party must be able to verify that
the content of a message has not been changed in
transit.
o Nonrepudiation—The origin or the receipt of a specific
message must be verifiable by a third party.
o Accountability—The actions of an entity must be
uniquely traceable to that entity.
o Network availability—The IT resource must be
available on a timely basis to meet mission
requirements or to avoid substantial losses.



Internet Security
 The IS auditor must understand the risk and security
factors needed to ensure that proper controls are in
place when a company connects to the Internet.
 Network attacks involve probing for network information.
o Examples of passive attacks include network
analysis, eavesdropping and traffic analysis.



Internet Security (cont’d)
 Once enough network information has been gathered,
an intruder can launch an actual attack against a
targeted system to gain control.
o Examples of active attacks include denial of service
(DoS), phishing, unauthorized access, packet replay,
brute force attacks and email spoofing.
 The IS auditor should have a good understanding of the
following types of firewalls:
o Packet filtering
o Application firewall systems
o Stateful inspections



Internet Security (cont’d)
 The IS auditor should also be familiar with common
firewall implementations, including:
o Screened-host firewall
o Dual-homed firewall
o Demilitarized zone (DMZ) or screened-subnet firewall
 The IS auditor should be familiar with the types, features
and limitations of intrusion detection systems and
intrusion prevention systems.



Encryption
 Encryption generally is used to:
o Protect data in transit over networks from
unauthorized interception and manipulation.
o Protect information stored on computers from
unauthorized viewing and manipulation.
o Deter and detect accidental or intentional alterations
of data.
o Verify authenticity of a transaction or document.



Encryption (cont’d)
 Key encryption elements include:
o Encryption algorithm—A mathematically based
function that encrypts/decrypts data
o Encryption keys—A piece of information that is used
by the encryption algorithm to make the encryption or
decryption process unique
o Key length—A predetermined length for the key; the
longer the key, the more difficult it is to compromise



Encryption (cont’d)
 There are two types of encryption schemes:
o Symmetric—a unique key (usually referred to as the
“secret key”) is used for both encryption and decryption.
o Asymmetric—the decryption key is different from the one
used for encryption.
 There are two main advantages of symmetric key systems
over asymmetric ones.
o The keys are much shorter and can be easily
remembered.
o Symmetric key cryptosystems are generally less
complicated and, therefore, use less processing power.



Encryption (cont’d)
 In a public key cryptography system, two keys work
together as a pair. One of the keys is kept private, while
the other one is publicly disclosed.
 The underlying algorithm works even if the private key is
used for encryption and the public key for decryption.



Encryption (cont’d)
 Digital signature schemes ensure:
o Data integrity—Any change to the plaintext
message would result in the recipient failing to
compute the same document hash.
o Authentication—The recipient can ensure that the
document has been sent by the claimed sender
because only the claimed sender has the private key.
o Nonrepudiation—The claimed sender cannot later
deny generating the document.
 The IS auditor should be familiar with how a digital
signature functions to protect data.
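The Python block below is an added illustration, not part of the ISACA slides, of how the hash-plus-private-key mechanism just described yields the three properties. It uses textbook RSA over a SHA-256 digest with constructed keys built from two known Mersenne primes so that it runs offline and deterministically; production systems use randomly generated keys of at least 2048 bits and a padded scheme such as RSA-PSS.

```python
import hashlib

# Constructed, deterministic key material: two known Mersenne primes. Real
# systems generate random primes; these are used only so the example is
# reproducible and needs no external library.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537                               # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))       # private exponent (Python 3.8+)

# A second, unrelated key pair standing in for someone who is not the
# claimed sender (also constructed from known Mersenne primes).
P2 = 2**127 - 1
Q2 = 2**1279 - 1
N2 = P2 * Q2
D2 = pow(E, -1, (P2 - 1) * (Q2 - 1))


def document_hash(message: bytes) -> int:
    """SHA-256 of the document, as an integer smaller than the modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(message: bytes, private_exponent: int, modulus: int) -> int:
    """The sender 'encrypts' the document hash with the private key. Only the
    holder of the private exponent can produce this value."""
    return pow(document_hash(message), private_exponent, modulus)


def verify(message: bytes, signature: int, public_exponent: int, modulus: int) -> bool:
    """The recipient 'decrypts' the signature with the public key and compares
    the result with a hash computed over the document actually received."""
    return pow(signature, public_exponent, modulus) == document_hash(message)


def demo():
    """Constructed messages showing the three properties on the slide."""
    original = b"Approve payment of 1,000.00 to vendor 4711"
    altered = b"Approve payment of 9,000.00 to vendor 4711"
    sig = sign(original, D, N)
    return {
        # Genuine document, genuine key: the recipient computes the same hash.
        "valid": verify(original, sig, E, N),
        # Data integrity: one changed character changes the hash, so the
        # recipient fails to compute the same document hash.
        "tampered": verify(altered, sig, E, N),
        # Authentication: a signature produced with a different private key
        # does not verify under the claimed sender's public key.
        "forged": verify(original, sign(original, D2, N2), E, N),
    }
```

Nonrepudiation follows from the same check: because only the private key produces a value that verifies under the matching public key, the signer cannot later deny having generated the signed document.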



Malware
 There are two primary methods to prevent and detect
malware that infects computers and network systems.
o Have sound policies and procedures in place
(preventive controls).
o Have technical controls (detective controls), such as
anti-malware software, including:
• Scanners
• Behavior blockers
• Active monitors
• Integrity CRC checkers
• Immunizers
 Neither method is effective without the other.



In the Big Picture

Task 5.3: Evaluate the design, implementation, maintenance, monitoring and reporting of system and logical security controls to verify the confidentiality, integrity and availability of information.

The Big Picture: Evaluation of system security engineering and architecture ensures the foundations for ISM are in place to meet organizational goals and objectives.



Task 5.3 Activity
 Your acquisition due diligence audit scope has been
defined by management sponsors as evaluating the
design, implementation, maintenance, monitoring and
reporting of system and logical security controls to verify
the confidentiality, integrity and availability of intellectual
property.
 What type of control will reduce the risk of disclosure of
sensitive data stored on mobile devices?



Discussion Question
The PRIMARY purpose of installing data leak prevention
(DLP) software is to control which of the following choices?
A. Access privileges to confidential files stored on
servers
B. Attempts to destroy critical data on the internal
network
C. Which external systems can access internal
resources
D. Confidential documents leaving the internal network



Discussion Question
Neural networks are effective in detecting fraud because
they can:
A. discover new trends because they are inherently
linear.
B. solve problems where large and general sets of
training data are not obtainable.
C. attack problems that require consideration of a large
number of input variables.
D. make assumptions about the shape of any curve
relating variables to the output.



Task 5.4

Evaluate the design, implementation and
monitoring of the data classification
processes and procedures for alignment
with the organization’s policies,
standards, procedures and applicable
external requirements.



Key Terms
Key Term | Definition
Authentication | The act of verifying the identity of a user and the user’s eligibility to access computerized information. Authentication is designed to protect against fraudulent logon activity. It can also refer to the verification of the correctness of a piece of data.
Data classification | The assignment of a level of sensitivity to data (or information) that results in the specification of controls for each level of classification. Levels of sensitivity of data are assigned according to predefined categories as data are created, amended, enhanced, stored or transmitted. The classification level is an indication of the value or importance of the data to the enterprise.



Task to Knowledge Statements
How does Task 5.4 relate to each of the following
knowledge statements?
Knowledge Statement | Connection
K5.16 Knowledge of data classification standards related to the protection of information assets | The IS auditor should understand the process of classification and the interrelationship between data classification and the need for inventorying information assets and assigning responsibility to data owners.



Task to Knowledge Statements (cont’d)

How does Task 5.4 relate to each of the following
knowledge statements?
Knowledge Statement | Connection
K5.18 Knowledge of risk and controls associated with data leakage | Data classification policies, security awareness training and periodic audits for data leakage are elements that the IS auditor will want to ensure are in place.
K5.25 Knowledge of the processes followed in forensics investigation and procedures in collection and preservation of the data and evidences (i.e., chain of custody) | Measures should be used to preserve the integrity of evidence collected and provide assurance that the evidence has not been altered in any way.



Data Classification
 In order to have effective controls, organizations must have a
detailed inventory of information assets.
 Most organizations use a classification scheme with three to five
levels of sensitivity.
 Data classification provides the following benefits:
o Defines level of access controls
o Reduces risk and cost of over- or under-protecting
information resources
o Maintains consistent security requirements
o Enables uniform treatment of data by applying level-specific
policies and procedures
o Identifies who should have access



Data Classification (cont’d)
 The information owner should decide on the appropriate
classification, based on the organization’s data classification and
handling policy.
 Data classification should define:
o The importance of the information asset
o The information asset owner
o The process for granting access
o The person responsible for approving the access rights and
access levels
o The extent and depth of security controls
 Data classification must also take into account legal, regulatory,
contractual and internal requirements for maintaining privacy,
confidentiality, integrity and availability.



Data Leakage
 Data leakage involves the unauthorized transfer of sensitive
or proprietary information from an internal network to the
outside world.
 Data leak prevention is a suite of technologies and associated
processes that locate, monitor and protect sensitive
information from unauthorized disclosure.



Data Leakage (cont’d)
 DLPs have three key objectives:
o Locate and catalog sensitive information stored throughout
the enterprise.
o Monitor and control the movement of sensitive information
across enterprise networks.
o Monitor and control the movement of sensitive information
on end-user systems.



DLP Solutions

Data at rest: Use crawlers to search for and log the location of specific information sets.

Data in motion: Use specific network appliances or embedded technology to selectively capture and analyze traffic; use deep packet inspection (DPI) to read contents within a packet’s payload.

Data in use: Use an agent to monitor data movement stemming from actions taken by end users.
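Added example, not from the ISACA slides: a simplified data-in-motion inspection in Python that reads captured packet payloads (the DPI step) and applies a hypothetical handling policy. The detection patterns, the policy table and the packets are all constructed; a product's content library is far larger, and the Luhn test is included to show one way false positives on card-like numbers are reduced.

```python
import re

# Constructed detection patterns (a real DLP product ships its own library).
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")   # 13-16 digit card-like runs
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MARKING_RE = re.compile(r"\bCLASSIFICATION:\s*(CONFIDENTIAL|SECRET)\b")

# Hypothetical handling policy keyed by what the inspection found.
POLICY = {
    "card_number": "block",
    "ssn": "block",
    "marked_secret": "block",
    "marked_confidential": "alert",
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, used to reduce false positives on card-like numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def inspect_payload(payload: bytes):
    """Deep packet inspection step: read the payload and list what it contains."""
    text = payload.decode("utf-8", errors="replace")
    hits = []
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            hits.append("card_number")
    if SSN_RE.search(text):
        hits.append("ssn")
    marking = MARKING_RE.search(text)
    if marking:
        hits.append("marked_" + marking.group(1).lower())
    return hits


def decide(packet):
    """Apply the policy to one captured packet. Flows that stay inside the
    network are inspected and logged but not blocked in this simplified model."""
    hits = inspect_payload(packet["payload"])
    if not packet["to_external"]:
        return ("log", hits)
    actions = {POLICY[h] for h in hits}
    if "block" in actions:
        return ("block", hits)
    if "alert" in actions:
        return ("alert", hits)
    return ("allow", hits)


# Constructed packets (not real traffic; addresses are documentation ranges).
PACKETS = [
    {"dst": "203.0.113.7", "to_external": True,
     "payload": b"Order confirmed, card 4111 1111 1111 1111, thank you"},
    {"dst": "203.0.113.7", "to_external": True,
     "payload": b"Ticket reference 1234 5678 9012 3456 has been closed"},
    {"dst": "198.51.100.9", "to_external": True,
     "payload": b"CLASSIFICATION: CONFIDENTIAL quarterly forecast attached"},
    {"dst": "10.0.0.25", "to_external": False,
     "payload": b"Employee 123-45-6789 record updated"},
]


def run():
    """Decision for each constructed packet, in order."""
    return [decide(p) for p in PACKETS]
```

The second packet carries a 16-digit number that fails the Luhn test and is therefore allowed, which is the kind of tuning an auditor should expect to see documented alongside the policy.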



Identification and Authentication
 Logical access identification and authentication (I&A) is
the process of establishing and proving a user’s identity.
 For most systems, I&A is the first line of defense
because it prevents unauthorized people (or
unauthorized processes) from entering a computer
system or accessing an information asset.



Identification and Authentication (cont’d)

 Some common I&A vulnerabilities include:
o Weak authentication methods
o Use of simple or easily guessed passwords
o The potential for users to bypass the authentication
mechanism
o The lack of confidentiality and integrity for the stored
authentication information
o The lack of encryption for authentication and
protection of information transmitted over a network
o The user’s lack of knowledge on the risk associated
with sharing authentication elements



Authentication Methods

 Authentication methods include:
o Logon IDs and passwords
o Tokens
o Biometrics
 Multifactor authentication is the combination of more than one
authentication method.
 Single sign-on (SSO) is the process for consolidating all of an
organization’s platform-based administration, authentication and
authorization functions into a single centralized administrative
function.
 The IS auditor should be familiar with the organization’s
authentication policies.



Authorization
 Authorization refers to the access rules that specify who
can access what.
 Access control is often based on least privilege, which
means granting users only the access required to perform
their duties.
 The IS auditor needs to know what can be done with the
access and what is restricted.
 The IS auditor must review access control lists (ACLs).
An ACL is a register of users who have permission to
use a particular system and the types of access
permitted.



Authorization Issues

Risks:
• Denial of service
• Malicious third parties
• Misconfigured communications software
• Misconfigured devices on the corporate computing infrastructure
• Host systems not secured appropriately
• Physical security issues over remote users’ computers

Controls:
• Policy and standards
• Proper authorizations
• Identification and authentication mechanisms
• Encryption tools and techniques such as use of a VPN
• System and network management



System Logs
 Audit trail records should be protected by strong access
controls to help prevent unauthorized access.
 The IS auditor should ensure that the logs cannot be
tampered with, or altered, without leaving an audit trail.
 When reviewing or performing security access follow-up,
the IS auditor should look for:
o Patterns or trends that indicate abuse of access
privileges, such as concentration on a sensitive
application
o Violations (such as attempting computer file access
that is not authorized) and/or use of incorrect
passwords
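As an added example (not from the ISACA material), the Python review below runs over a constructed audit-trail extract and flags the patterns named above: repeated incorrect passwords, unauthorized file access attempts, and activity concentrated on a sensitive application. The log format, application names and thresholds are assumed values.

```python
import re
from collections import Counter, defaultdict

# Constructed audit-trail extract (not real log data). One event per line.
SAMPLE_LOG = """\
2016-03-01T08:00:01 user=jsmith app=HR-PAYROLL action=LOGIN result=FAIL
2016-03-01T08:00:09 user=jsmith app=HR-PAYROLL action=LOGIN result=FAIL
2016-03-01T08:00:20 user=jsmith app=HR-PAYROLL action=LOGIN result=FAIL
2016-03-01T08:05:00 user=bjones app=HR-PAYROLL action=LOGIN result=OK
2016-03-01T08:05:10 user=bjones app=HR-PAYROLL action=READ result=OK
2016-03-01T08:06:10 user=bjones app=HR-PAYROLL action=READ result=OK
2016-03-01T08:07:10 user=bjones app=HR-PAYROLL action=READ result=OK
2016-03-01T08:08:10 user=bjones app=HR-PAYROLL action=READ result=OK
2016-03-01T08:09:10 user=bjones app=HR-PAYROLL action=READ result=OK
2016-03-01T08:10:10 user=bjones app=HR-PAYROLL action=EXPORT result=OK
2016-03-01T09:00:00 user=plee app=CRM action=LOGIN result=OK
2016-03-01T09:01:00 user=plee app=CRM action=READ result=OK
2016-03-01T09:02:00 user=plee app=HR-PAYROLL action=READ result=DENIED
2016-03-01T09:10:00 user=akim app=CRM action=READ result=OK
2016-03-01T09:11:00 user=akim app=CRM action=READ result=OK
2016-03-01T09:12:00 user=akim app=HR-PAYROLL action=READ result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Review parameters (assumed values from a hypothetical access policy).
SENSITIVE_APPS = {"HR-PAYROLL"}
BAD_PASSWORD_THRESHOLD = 3      # violations after which an ID should be suspended
CONCENTRATION_SHARE = 0.8       # share of a user's activity on one sensitive app
CONCENTRATION_MIN_EVENTS = 5    # ignore users with too little activity to judge


def parse(log_text):
    """Turn the text extract into dictionaries; unparseable lines are skipped."""
    records = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def review(records):
    """Return sorted (finding, user, value) tuples for the patterns the slide
    lists: repeated incorrect passwords, unauthorized access attempts, and
    activity concentrated on a sensitive application."""
    failed_logins = Counter()
    denied = Counter()
    activity = defaultdict(Counter)     # user -> app -> successful operations
    for r in records:
        if r["action"] == "LOGIN" and r["result"] == "FAIL":
            failed_logins[r["user"]] += 1
        elif r["result"] == "DENIED":
            denied[r["user"]] += 1
        elif r["result"] == "OK" and r["action"] != "LOGIN":
            activity[r["user"]][r["app"]] += 1

    findings = []
    for user, count in failed_logins.items():
        if count >= BAD_PASSWORD_THRESHOLD:
            findings.append(("repeated_bad_password", user, count))
    for user, count in denied.items():
        findings.append(("unauthorized_access_attempt", user, count))
    for user, apps in activity.items():
        total = sum(apps.values())
        if total < CONCENTRATION_MIN_EVENTS:
            continue
        for app in SENSITIVE_APPS:
            share = apps[app] / total
            if share >= CONCENTRATION_SHARE:
                findings.append(("sensitive_app_concentration", user, round(share, 2)))
    return sorted(findings)
```

On the sample extract, akim also touches the payroll application but is not flagged: one event out of three is not a concentration, which is why the minimum-activity floor matters when setting review thresholds.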



Review of Access Controls
 Access controls and password administration are reviewed to
determine that:
o Procedures exist for adding individuals to the access list,
changing their access capabilities and deleting them from the
list.
o Procedures exist to ensure that individual passwords are not
inadvertently disclosed.
o Passwords issued are of an adequate length, cannot be easily
guessed and do not contain repeating characters.
o Passwords are periodically changed.
o User organizations periodically validate the access capabilities.
o Procedures provide for the suspension of user IDs or the
disabling of systems after a particular number of security
procedure violations.



In the Big Picture

Task 5.4: Evaluate the design, implementation and monitoring of the data classification processes and procedures for alignment with the organization’s policies, standards, procedures and applicable external requirements.

The Big Picture: Data classification, protection and management processes are critical in meeting business and regulatory requirements.



Task 5.4 Activity
 You have been assigned to assist the incident response
team in evaluating post-incident lessons learned and
remediation activities to prevent recurrence of the root
causes. Your team has completed the response to data
leakage that resulted in compromising firewall network
administrative access.
 When the firewall was sent off site for vendor
maintenance, what actions should have been taken?



Discussion Question

The FIRST step in data classification is to:
A. establish ownership.
B. perform a criticality analysis.
C. define access rules.
D. create a data dictionary.



Discussion Question
From a control perspective, the PRIMARY objective of
classifying information assets is to:
A. establish guidelines for the level of access controls
that should be assigned.
B. ensure access controls are assigned to all
information assets.
C. assist management and auditors in risk assessment.
D. identify which assets need to be insured against
losses.



Task 5.5

Evaluate the processes and procedures
used to store, retrieve, transport and
dispose of assets to determine whether
information assets are adequately
safeguarded.



Key Terms
Key Term | Definition
Private branch exchange (PBX) | A telephone exchange that is owned by a private business, as opposed to one owned by a common carrier or by a telephone company
Voice-over Internet Protocol (VoIP) | Also called IP Telephony, Internet Telephony and Broadband Phone, a technology that makes it possible to have a voice conversation over the Internet or over any dedicated Internet Protocol (IP) network instead of dedicated voice transmission lines



Task to Knowledge Statements
How does Task 5.5 relate to each of the following
knowledge statements?
Knowledge Statement | Connection
K5.13 Knowledge of encryption-related techniques and their uses | Through the use of the appropriate encryption techniques, an organization can protect data throughout the data life cycle.
K5.14 Knowledge of public key infrastructure (PKI) components and digital signature techniques | The auditor needs to evaluate the manner in which PKI is applied by data protection strategies.



Task to Knowledge Statements (cont’d)

How does Task 5.5 relate to each of the following
knowledge statements?
Knowledge Statement | Connection
K5.15 Knowledge of risk and controls associated with peer-to-peer computing, instant messaging and web-based technologies (e.g., social networking, message boards, blogs, cloud computing) | The risk of data loss or leakage increases when users employ peer-to-peer and other collaborative communication technologies.
K5.17 Knowledge of the processes and procedures used to store, retrieve, transport and dispose of confidential information assets | In order to control data and information, the organization must understand the state of its data and information through creation, storage, processing and transmission.



Task to Knowledge Statements (cont’d)

How does Task 5.5 relate to each of the following
knowledge statements?
Knowledge Statement | Connection
K5.18 Knowledge of risk and controls associated with data leakage | Understanding the category of data and the respective states it resides in through the life cycle will enable the IS auditor to determine risk and the appropriate controls.
K5.19 Knowledge of security risk and controls related to end-user computing | The IS auditor must determine risk and the appropriate controls needed to address end-user computing technologies from BYOD and client applications to mobile devices (smart phones/PDAs).



Task to Knowledge Statements (cont’d)

How does Task 5.5 relate to each of the following
knowledge statements?
Knowledge Statement | Connection
K5.21 Knowledge of information system attack methods and techniques | The IS auditor needs to have the ability to identify and evaluate controls that are most effective in preventing or detecting attacks involving social engineering, wireless access and threats originating from the Internet.



Data Access Procedures
 Management should define and implement procedures to prevent
access to, or loss of, sensitive information when it is stored,
disposed of or transferred to another user.
 Such procedures must be created for the following:
o Backup files of databases
o Data banks
o Disposal of media previously used to hold confidential
information
o Management of equipment sent for offsite maintenance
o Public agencies and organizations concerned with sensitive,
critical or confidential information
o E-token electronic keys
o Storage records



Media Storage
 To help avoid potential damage to media during shipping and
storage, the following precautions must be taken:
o Keep out of direct sunlight.
o Keep free of dust.
o Keep free of liquids.
o Minimize exposure to magnetic fields, radio equipment or any
sources of vibration.
o Do not air transport in areas and at times of exposure to a
strong magnetic storm.



Mobile Computing
 Mobile computing refers to devices that are transported or moved
during normal usage, including tablets, smartphones and laptops.
 Mobile computing makes it more difficult to implement logical and
physical access controls.
 Common mobile computing vulnerabilities include the following:
o Information may travel across unsecured wireless networks.
o The enterprise may not be managing the device.
o Unencrypted information may be stored on the device.
o The device may lack authentication requirements.
o The device may allow for the installation of unsigned
third-party applications.



Mobile Computing Controls
 The following controls will reduce the risk of disclosure of
sensitive data stored on mobile devices:

o Tagging
o Device registration
o Data storage
o Virus detection and control
o Physical security
o Encryption
o Compliance
o Approval
o Due care
o Acceptable use policy
o Awareness training
o Network authentication
o Secure transmission
o Standard applications
o Geolocation tracking
o Remote wipe and lock
o Secure remote support
o BYOD agreement



Other Data Controls
 Other technologies that should be reviewed by the IS auditor
include:
Peer-to-peer computing
  Threats/vulnerabilities: viruses and malware; copyrighted content; excessive use; eavesdropping
  Controls: antivirus and anti-malware; block P2P traffic; restrict P2P exposure; establish policies or standards
Instant messaging (IM)
  Threats/vulnerabilities: viruses and malware; excessive use; IP address exposure
  Controls: antivirus and anti-malware; encrypt IM traffic; block IM traffic; restrict IM usage; establish policies or standards
Social media
  Threats/vulnerabilities: viruses and malware; undefined content rights; data exposure; excessive use
  Controls: establish clear policies; capture and log all communications; content filtering
Cloud computing
  Threats/vulnerabilities: lack of control and visibility; physical security; data disposal
  Controls: right to audit the contract; restricted contract terms; encryption



Voice-Over IP (VoIP)
 VoIP has a different architecture than traditional
circuit-based telephony, and these differences result in
significant security issues.
 Security is needed to protect two assets—the data and
the voice.
 Backup communication plans are important because if
the computer system goes down, the telephone system
goes down too.



Private Branch Exchange
 A private branch exchange (PBX) is a sophisticated computer-based
switch that may be thought of as a small, in-house phone company.
 Failure to secure a PBX can result in:
o Theft of service
o Disclosure of information
o Data modification
o Unauthorized access
o Denial of service
o Traffic analysis
 The IS auditor should understand the PBX design and implementation to
determine how an intruder could exploit weaknesses or misuse normal functions.



In the Big Picture

Task 5.5: Evaluate the processes and procedures used to store, retrieve, transport and dispose of assets to determine whether information assets are adequately safeguarded.

The Big Picture: The IS auditor must understand and be able to evaluate the acceptable methods for data management from creation through destruction.



Task 5.5 Activity
 The CIO and CISO state their objective is to prevent and
detect computer attacks that could result in proprietary or
confidential data being stolen or modified.
 What would be a risk specific to wireless networks?



Discussion Question
When reviewing the procedures for the disposal of computers,
which of the following should be the GREATEST concern for the
IS auditor?
A. Hard disks are overwritten several times at the sector
level but are not reformatted before leaving the
organization.
B. All files and folders on hard disks are separately deleted,
and the hard disks are formatted before leaving the
organization.
C. Hard disks are rendered unreadable by hole-punching
through the platters at specific positions before leaving
the organization.
D. The transport of hard disks is escorted by internal security
staff to a nearby metal recycling company, where the hard
disks are registered and then shredded.



Discussion Question
The risk of dumpster diving is BEST mitigated by:
A. implementing security awareness training.
B. placing shred bins in copy rooms.
C. developing a media disposal policy.
D. placing shredders in individual offices.



Task 5.6

Evaluate the information security
program to determine its effectiveness
and alignment with the organization’s
strategies and objectives.



Key Terms
Key Term | Definition
Chain of custody | A legal principle regarding the validity and integrity of evidence. It requires accountability for anything that will be used as evidence in a legal proceeding to ensure that it can be accounted for from the time it was collected until the time it is presented in a court of law.
Computer forensics | The application of the scientific method to digital media to establish factual information for judicial review. This process often involves investigating computer systems to determine whether they are or have been used for illegal or unauthorized activities.

128 © Copyright 2016 ISACA. All rights reserved.


Key Terms (cont’d)
Penetration testing: A live test of the effectiveness of security defenses
through mimicking the actions of real-life attackers.
Security incident: A series of unexpected events that involves an attack or
series of attacks (compromise and/or breach of security) at one or more
sites. A security incident normally includes an estimation of its level of
impact. A limited number of impact levels are defined, and for each, the
specific actions required and the people who need to be notified are
identified.


Task to Knowledge Statements
How does Task 5.6 relate to each of the following knowledge statements?
K5.18 Knowledge of risk and controls associated with data leakage: The IS
auditor must evaluate the data categorization and respective controls in
place to mitigate business and regulatory risks.
K5.19 Knowledge of security risk and controls related to end-user computing:
With the drive to greater distribution of computing resources, an
organization’s risk appetite must be balanced in the IS auditor’s evaluation
of end-user computing initiatives.


Task to Knowledge Statements (cont’d)
How does Task 5.6 relate to each of the following knowledge statements?
K5.20 Knowledge of methods for implementing a security awareness program:
One of the most cost-effective security measures is an employee with
deep-seated security awareness based on both training and regular reminders.
K5.21 Knowledge of information system attack methods and techniques: The IS
auditor needs to be aware of the technical and human vulnerabilities and the
techniques used to exploit those vulnerabilities.


Task to Knowledge Statements (cont’d)
How does Task 5.6 relate to each of the following knowledge statements?
K5.23 Knowledge of security testing techniques (e.g., penetration testing,
vulnerability scanning): A proactive and holistic security testing program
can ensure the correct security mechanisms are in place and operating
effectively.
K5.24 Knowledge of the processes related to monitoring and responding to
security incidents (e.g., escalation procedures, emergency incident response
team): To evaluate the true capabilities of the information security
management program, the IS auditor must evaluate the organization’s ability
to detect, analyze and respond to threats regardless of the source.


Computer Crimes
 It is important that the IS auditor knows and understands the
differences between computer crime and computer abuse to
support risk analysis methodologies and related control
practices. Examples of computer crimes include:
o Hacking
o Malware, viruses and worms
o Denial of service (DoS)
o Fraud
o Unauthorized access
o Brute force attacks
o Malicious codes
o Phishing
o Packet replay
o Masquerading
o Eavesdropping
o Network analysis

Source: ISACA, CISA Review Manual, 26th Edition, figures 5.11 and 5.12


Security Incident Handling
 To minimize damage from security incidents, a formal
incident response capability should be established.
 Ideally, an organizational computer security incident
response team (CSIRT) or computer emergency
response team (CERT) should be formed with clear lines
of reporting and responsibilities.


Security Incident Handling (cont’d)
 The IS auditor should:
o Ensure that the CSIRT is actively involved with users
to assist them in the mitigation of risk arising from
security failures and also to prevent security
incidents.
o Ensure that there is a formal, documented plan and
that it contains vulnerability identification, reporting
and incident response procedures for common,
security-related threats/issues.


Auditing ISM Framework
 The IS auditor should review the following elements of the information
security management framework:
o Written policies, procedures and standards
o Logical access security policies
o Formal security awareness and training
o Data ownership
o Data owners
o Data custodians
o Security administrator
o New IT users
o Data users
o Documented authorizations
o Terminated employee access
o Security baselines
o Access standards


Auditing Logical Access
 When evaluating logical access controls, the IS auditor should:
o Obtain a clear understanding of the security risk facing
information processing through a review of relevant
documentation, interviews, physical walk-throughs and risk
assessments.
o Document and evaluate controls over potential access paths into
the system to assess their adequacy, efficiency and
effectiveness by reviewing appropriate hardware and software
security features and identifying any deficiencies or
redundancies.
o Test controls over access paths to determine whether they are
functioning and effective by applying appropriate audit
techniques.


Auditing Logical Access (cont’d)
 In addition, the IS auditor should do the following when auditing
logical access:
o Evaluate the access control environment to determine if the
control objectives are achieved by analyzing test results and
other audit evidence.
o Evaluate the security environment to assess its adequacy and
compare it with appropriate security standards or practices and
procedures used by other organizations.
o Interview the IS manager and security administrator and review
organizational charts and job descriptions.
o Review access control software reports to monitor adherence to
security policies.
o Review the application systems operations manual.


Security Testing Techniques
Terminal cards and keys
• The IS auditor can use sample cards and keys to attempt to gain access
beyond what is authorized.
• The IS auditor should follow up on any unsuccessful attempted violations.
Terminal identification
• The IS auditor can inventory terminals to look for incorrectly logged,
missing or additional terminals.
Logon IDs and passwords
• To test confidentiality, the IS auditor can attempt to guess passwords,
find passwords by searching the office or get a user to divulge a password.
• To test encryption, the IS auditor should attempt to view the internal
password table.
• To test authorization, the IS auditor should review a sample of
authorization documents to determine if proper authority was provided.


Security Testing Techniques (cont’d)
Computer access controls
• The IS auditor should work with the system software analyst to determine
if all access is on a need-to-know basis.
Computer access violations logging and reporting
• The IS auditor should attempt to access computer transactions or data for
which access is not authorized. The unsuccessful attempts should be
identified on logging and security reports.
Follow-up access violations
• The IS auditor should select a sample of security access reports and look
for evidence of follow-up and investigation of access violations.
Bypassing security and compensating controls
• The IS auditor should work with the system software analyst, network
manager, operations manager and security administrator to determine ways
to bypass security.
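The two report-based tests above (denied attempts must show up on the security access report, and sampled violations must show evidence of follow-up) can be scripted against the report itself. This is an added example, not material from the ISACA slides or manual: the CSV report layout, the follow-up register and the 5-day follow-up window are assumptions, and every record is constructed.

```python
"""Audit test for access-violation reporting and follow-up (added example,
not from the ISACA slides). Report layout, register layout and the 5-day
follow-up window are assumptions; all records below are constructed."""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed sample of a security access report (CSV, one attempt per row).
ACCESS_REPORT = """\
date,user,resource,outcome
2016-03-01,jdoe,PAYROLL.MASTER,DENIED
2016-03-01,jdoe,PAYROLL.MASTER,DENIED
2016-03-02,asmith,HR.SALARY,DENIED
2016-03-03,jdoe,GL.POSTING,ALLOWED
2016-03-04,bchen,GL.POSTING,DENIED
"""
# Constructed follow-up register kept by the security administrator:
# (user, resource, date the violation was investigated).
FOLLOWUP_REGISTER = [
    ("jdoe", "PAYROLL.MASTER", date(2016, 3, 3)),
    ("bchen", "GL.POSTING", date(2016, 3, 20)),  # investigated, but late
]

def read_violations(report_text):
    """Return the DENIED rows only: these are the violations to sample."""
    violations = []
    for row in csv.DictReader(StringIO(report_text)):
        if row["outcome"] == "DENIED":
            row["date"] = date.fromisoformat(row["date"])
            violations.append(row)
    return violations

def violations_without_followup(violations, register, max_days=5):
    """Violations with no investigation record within max_days: audit findings."""
    findings = []
    for v in violations:
        investigated = any(
            user == v["user"] and res == v["resource"]
            and timedelta(0) <= when - v["date"] <= timedelta(days=max_days)
            for user, res, when in register)
        if not investigated:
            findings.append((v["date"].isoformat(), v["user"], v["resource"]))
    return findings

def repeat_violators(violations, threshold=2):
    """Users whose denied attempts reach the threshold; escalation candidates."""
    counts = {}
    for v in violations:
        counts[v["user"]] = counts.get(v["user"], 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

A violation that was investigated only after the window (bchen here) is reported as a finding just like one never investigated, which is the evidence gap the auditor is sampling for.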


Investigation Techniques
 If a computer crime occurs, it is very important that proper
procedures are used to collect evidence.
o Damaged evidence can hinder prosecution.
o After a computer crime, the environment and evidence
must be left unaltered and examined by specialist law
enforcement officials.
 Any electronic document or data may be used as digital
evidence.
 An IS auditor may be required or asked to be involved in a
forensic analysis to provide expert opinion or to ensure the
correct interpretation of information gathered.


Investigation Techniques (cont’d)
Identify: Refers to the identification of information that is available and
might form the evidence of an incident
Preserve: Refers to the practice of retrieving identified information and
preserving it as evidence
Analyze: Involves extracting, processing and interpreting the evidence
Present: Involves a presentation to the various audiences, such as
management, attorneys, court, etc.


Computer Forensics
 The IS auditor should give consideration to key elements of
computer forensics during audit planning, including the
following:
o Data protection
o Data acquisition
o Imaging
o Extraction
o Interrogation
o Ingestion/normalization
o Reporting


Auditing Network Infrastructure
 When performing an audit of the network infrastructure, the IS auditor
should:
o Review the following documents:
• Network diagrams
• SLAs
• Network administrator procedures
• Network topology design
o Identify the network design implemented.
o Determine that applicable security policies, standards, procedures and
guidance on network management and usage exist and have been
distributed.
o Identify who is responsible for security and operation of Internet
connections.
o Determine whether consideration has been given to the legal problems
arising from use of the Internet.
o Determine whether a vulnerability scanning process is in place.


Auditing Remote Access
 IS auditors should determine that all remote access
capabilities used by an organization provide for effective
security of the organization’s information resources.
 This includes:
o Ensuring that remote access security controls are
documented and implemented for authorized users
o Reviewing existing remote access architectures for points
of entry
o Testing access controls


Penetration Testing
 During penetration testing, an auditor attempts to circumvent the
security features of a system and exploits the vulnerabilities to
gain access that would otherwise be unauthorized.
 Phases: Planning → Discovery → Attack → Reporting. What is learned in
the attack phase feeds additional discovery, so Discovery and Attack
iterate before Reporting.

Source: ISACA, CISA Review Manual 26th Edition, figure 5.22


Types of Penetration Tests
External testing: Refers to attacks and control circumvention attempts on
the target’s network perimeter from outside the target’s system
Internal testing: Refers to attacks and control circumvention attempts on
the target from within the perimeter
Blind testing: Refers to the condition of testing when the penetration
tester is provided with limited or no knowledge of the target’s information
systems
Double blind testing: Refers to an extension of blind testing, because the
administrator and security staff at the target are also not aware of the
test
Targeted testing: Refers to attacks and control circumvention attempts on
the target, while both the target’s IT team and penetration testers are
aware of the testing activities


In the Big Picture
Task 5.6: Evaluate the information security program to determine its
effectiveness and alignment with the organization’s strategies and
objectives.
The Big Picture: The information security program is the Alpha and the
Omega for the organization to realize system confidentiality, integrity
and availability.


Task 5.6 Activity
 You have been assigned to a network architecture review. This is
a large multi-campus wide area network that uses the following
technologies:
o External
• Standard ISP-provided T1s and OC3
• VerSprinAT&Bell MPLS
• Satellite communications
• Point-to-point RF
o Internal
• Wi-Fi for corporate and guests
• Wired with fiber backbone
 When performing an audit of the network infrastructure, what
documents should the IS auditor review?


Discussion Question
Which of the following is the BEST way for an IS auditor to
determine the effectiveness of a security awareness and
training program?
A. Review the security training program.
B. Ask the security administrator.
C. Interview a sample of employees.
D. Review the security reminders to employees.


Discussion Question
Which of the following is the MAIN reason an organization
should have an incident response plan? The plan helps to:
A. ensure prompt recovery from system outages.
B. contain costs related to maintaining DRP capabilities.
C. ensure that customers are promptly notified of issues
such as security breaches.
D. minimize the impact of an adverse event.


Domain 5 Summary
 Evaluate the information security and privacy policies,
standards and procedures.
 Evaluate the design, implementation, maintenance,
monitoring and reporting of physical and environmental
controls.
 Evaluate the design, implementation, maintenance,
monitoring and reporting of system and logical security
controls.


Domain 5 Summary (cont’d)
 Evaluate the design, implementation and monitoring of
the data classification processes and procedures.
 Evaluate the processes and procedures used to store,
retrieve, transport and dispose of assets.
 Evaluate the information security program.


Discussion Question
The CSIRT of an organization disseminates detailed
descriptions of recent threats. An IS auditor’s GREATEST
concern should be that the users may:
A. use this information to launch attacks.
B. forward the security alert.
C. implement individual solutions.
D. fail to understand the threat.


THANK YOU!