CISA Summary V1.0

Version: 1.0
Date: June 7, 2010


CISA summary, Version 1.0. Christian Reina, CISSP. This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the condition that you give credit to the original author. 2010 Christian Reina, CISSP.

Domain 1: IT Governance and Risk Management

IT Governance
- Policy
- Priorities
- Standards
- Vendor Management
- Program/Project Management

IT Strategy Committee: Advise the board of directors on strategies.

Balanced Scorecard: Measure performance and effectiveness.
- Business contribution: Perception from non-IT executives
- User: Satisfaction
- Operational excellence: downtime, defects, support tickets
- Innovation: increase IT value with innovation

Information Security Governance: Roles and responsibilities
- Board of Directors: risk appetite and risk management
- Steering Committee: Operational strategy for security
- CISO: conducting risk assessment, developing security policy, vulnerability management, incident management, compliance
- Employees: Comply with policies

Enterprise Architecture (EA)
Map business functions into the IT environment as a model. Activities to ensure business needs are met.
- Zachman Model: IT systems and environments are described at a high, functional level, and then in increasing detail
- DFD: Illustrate the flow of information

Risk Management
Seek, identify, and manage risk: Accept, Mitigate, Transfer, Avoid.

Risk Management Program
- Objectives: reduce costs, incidents; reduced risk
- Scope
- Authority: Executive level of commitment
- Resources: Policies, processes, procedures, and records

Risk Management Process
1. Asset Identification: Equipment, information, records, reputation, personnel
   - Grouping assets
   - Sources of asset data: Interviews, IT systems, online data
   - Organizing data: Business process, geography, OU, sensitivity, regulated
2. Risk Analysis
   - Threat analysis: All threats with realistic opportunity of occurrence
   - Vulnerability identification: Ranked by severity or criticality
   - Probability analysis: Requires research to develop best guesses
   - Impact analysis: Study of estimating the impact of specific threats on specific assets
   - Qualitative: Subjective, using a numeric scale
   - Quantitative: Asset Value (AV); Exposure Factor (EF); Single Loss Expectancy (SLE) = AV x EF; Annualized Rate of Occurrence (ARO); Annualized Loss Expectancy (ALE) = SLE x ARO
3. Risk Treatments
   - Risk mitigation
   - Risk transfer
   - Risk avoidance
   - Risk acceptance
   - Residual risk

IT Management Practices
Collection of top-down activities intended to control the IT organization from a strategic perspective.
1. Personnel Management
   a. Hiring: Background check, employee manual, job description
   b. Employee development: Training, performance evaluation, career path
   c. Mandatory vacations: Audit, cross training
   d. Termination
   e. Transfers and reassignments
2. Sourcing
   a. Insource
   b. Outsource: risks, SLA, policy, governance (service level agreements, change management, security, quality, audits), SaaS
3. Change Management
   a. Request
   b. Review
   c. Approve
   d. Perform change
   e. Verify change
4. Financial Management
   a. Develop
   b. Purchase
   c. Rent
5. Quality Management
   a. Software development
   b. Software acquisition
   c. Service desk
   d. IT operations
   e. Security
   f. Standards:
      i. ISO 9000: Superseded by ISO 9001:2008 Quality Management System
      ii. ISO 20000: IT Service Management for organizations adopting ITIL
      iii. ITIL: 1. Service Delivery; 2. Control Processes; 3. Release Processes; 4. Relationship Processes; 5. Resolution Processes
6. Security Management
   a. Security governance
   b. Risk assessment
   c. Incident management
   d. Vulnerability management
   e. Access and identity management
   f. Compliance management
   g. BCP
7. Performance Management
   a. COBIT
   b. SEI CMMI

Roles and Responsibilities
1. Executive Management: CIO, CTO, CSO, CISO, CPO
2. Software Development: architect, analyst, developer, programmer, tester
3. Data Management: architect, DBA, analyst
4. Network Management: architect, engineer, administrator, telecom
5. Systems Management: architect, engineer, storage, systems administrator
6. Operations: manager, analyst, controls analyst, data entry, media librarian
7. Security Operations: architect, engineer, analyst, account management, auditor
8. Service Desk: help desk, technical support

Segregation of Duties Controls
1. Transaction authorization
2. Split custody
3. Workflow: extra approval
4. Periodic reviews

Auditing IT Governance
1. Reviewing documentation and records:
   a. IT charter, strategy
   b. IT org chart
   c. HR/IT performance
   d. HR promotion policy
   e. HR manuals
   f. Life-cycle processes and procedures
   g. IT operations procedures
   h. IT procurement process
   i. Quality management documents
2. Reviewing contracts:
   a. Service levels
   b. Quality levels
   c. Right to audit
   d. 3rd party audit
   e. Conformance to policies, laws, regulations
   f. Incident notification
   g. Liabilities
   h. Termination terms
   i. Protection of PII
3. Reviewing outsourcing:
   a. Distance
   b. Lack of audit contract terms
   c. Lack of cooperation
4. Assess and evaluate the effectiveness of IT

Domain 2: The Audit Process

Audit Management
- The Audit Charter: Define roles and responsibilities. Sufficient authority.
- The Audit Program: scope, objectives, resources, procedures
- Strategic Audit Planning: Factors: business goals and objectives, initiatives, market conditions, changes in technology, regulatory requirements.
- Changes in Audit Activities: New internal audits, new external audits, increase in audit scope, impact on business process
- Resource planning: Budget and manpower
- Audit and Technology: Continue learning about new technologies
- Audit Laws and Regulations: Characteristics: Security, Integrity, Privacy
- Computer Security and Privacy Regulations:
  - Categories: Computer trespass, protection of sensitive information, collection and use of information, law enforcement investigative powers
  - Consequences: Loss of reputation, competitive advantage, sanctions, lawsuits, fines, prosecution
An organization should take a systematic approach to determine the applicability of regulations as well as the steps required to attain compliance and remain in this state.

US Regulations
- Access Device Fraud 1984
- Computer Fraud and Abuse Act 1984
- Electronic Communications Act 1986
- Electronic Communications Privacy Act (ECPA) 1986
- Computer Security Act 1987
- Computer Matching and Privacy Protection Act 1988
- Communications Assistance for Law Enforcement Act (CALEA) 1994
- Economic and Protection of Proprietary Information Act 1996
- Health Insurance Portability and Accountability Act (HIPAA) 1996
- Children's Online Privacy Protection Act (COPPA) 1998
- Identity Theft and Assumption Deterrence Act 1998
- Gramm-Leach-Bliley Act 1999
- Federal Energy Regulatory Commission (FERC)
- Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act (PATRIOT) 2001
- Sarbanes-Oxley Act 2002
- Federal Information Security Management Act (FISMA) 2002
- Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) 2003
- California Privacy Act SB1386 2003
- Identity Theft and Assumption Deterrence Act 2003
- Basel II 2004
- Payment Card Industry Data Security Standard (PCI-DSS) 2004
- North American Electric Reliability Corporation (NERC) 1968/2006
- Massachusetts Security Breach Law 2007

Canadian Regulations
- Interception of Communications, Section 184
- Unauthorized Use of Computer, Section 342.1
- Privacy Act 1983
- Personal Information Protection and Electronic Documents Act (PIPEDA)

European Regulations
- Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981
- Computer Misuse Act (CMA) 1990
- Directive on the Protection of Personal Data 2003 (European Union)
- Data Protection Act (DPA) 1998
- Regulation of Investigatory Powers Act 2000
- Anti-Terrorism, Crime and Security Act 2001
- Privacy and Electronic Communications Regulations 2003
- Fraud Act 2006
- Police and Justice Act 2006

Other Regulations
- Cybercrime Act 2001, Australia
- Information Technology Act 2000, India

ISACA Auditing Standards

Audit Standards
- S1, Audit Charter
- S2, Independence
- S3, Professional Ethics and Standards
- S4, Professional Competence
- S5, Planning
- S6, Performance of Audit Work
- S7, Reporting
- S8, Follow-up Activities
- S9, Irregularities and Illegal Acts
- S10, IT Governance
- S11, Use of Risk Assessment in Audit Planning
- S12, Audit Materiality
- S13, Use the Work of Other Experts
- S14, Audit Evidence
- S15, IT Controls
- S16, E-Commerce

Audit Guidelines
- G1, Using the Work of Other Auditors
- G2, Audit Evidence Requirement
- G3, Use of Computer-Assisted Audit Techniques (CAATs)
- G4, Outsourcing of IS Activities to Other Organizations
- G5, Audit Charter
- G6, Materiality Concepts for Auditing IS
- G7, Due Professional Care
- G8, Audit Documentation
- G9, Audit Considerations for Irregularities and Illegal Acts
- G10, Audit Sampling
- G11, Effect of Pervasive I

Audit Procedures
- P10, Business Application Change Control
- P11, Electronic Funds Transfer

Code of Ethics
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Performing an Audit
Formal Planning: